jump to navigation

The world of Information Security this week (w/e Apr 30 2010) April 30, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, Data Loss Prevention, Information Security.
Tags: , , , , , , , , , , ,
add a comment

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

Topics Covered:

Cloud Security

Merger and Acquisition

Data Losses

PCI

Cloud Security

Cisco show new cloud security at Infosecurity Europe exhibition. The always-on, cloud-based IronPort Email Data Loss Prevention and Encryption and Cisco ScanSafe Web Intelligence Reporting products resulting from the acquisition of ScanSafe last year are launched at the exhibition.                              http://www.scmagazineuk.com/infosecurity-europe-cisco-makes-first-steps-into-cloud-based-security-after-scansafe-acquisition/article/168818/

The Cloud Industry Forum (CIF) has launched its draft Code of Practice for public consultation. The CIF is now seeking feedback on the code, which has been in development since October 2009, and is asking for end-users, providers and other stakeholders to participate in the consultation process by downloading the draft code. The code will embody 3 simple principles. Transparency of public information, Capability in having documented management systems and Accountability for operational practice.                   http://www.scmagazineuk.com/cloud-industry-forum-launches-draft-code-of-practice/article/168670/

Merger and Acquisition

Symantec will acquire PGP and GuardianEdge PGP for a purchase price of approximately $300 million in cash and GuardianEdge for a purchase price of approximately $70 million in cash. Earlier this week PGP was named as information security vendor of the year at the SC awards, and also won best encryption solution for PGP Whole Disk Encryption and the innovation award for PGP Portable.        http://www.scmagazineuk.com/symantec-confirms-acquisition-of-pgp-winner-of-sc-magazines-information-security-vendor-of-the-year/article/169064/

HP acquires Palm but rumours have circulated around Infosec that HP is close to a deal that will see it acquire McAfee. The anti-virus vendor declined to comment on speculation, with a spokesperson claiming that the vendor ‘had nothing of value to say on the matter’.          http://www.scmagazineuk.com/hp-acquires-palm-in-a-week-when-rumours-about-a-takeover-of-a-major-security-vendor-persist/article/168890/

Data Losses

Businesses ‘vastly overconfident’ on security A Study, commissioned by Accenture, which interviewed 5,500 executives and 15,500 consumers globally shows that nearly three quarters, 73 percent, of firms believe they have adequate policies and technology in place to protect sensitive data, but 58 percent have lost sensitive data in the past two years. Six in 10 say it is a continually reoccurring problem.  In the UK alone, 76 percent of firms have suffered data breaches, yet 74 percent are convinced they have the right policies in place.     http://www.networkworld.com/news/2010/042710-businesses-vastly-overconfident-on.html?source=NWWNLE_nlt_security_identity_2010-04-28

PCI

UK Businesses lag behind US counterparts in PCI Compliance. A new white paper released by CIO Business Technology Leadership reveals that U.K. businesses lag far behind their U.S. colleagues in meeting PCI security standards, with only 11 percent of U.K. organizations currently certified as PCI compliant.       http://www.nacsonline.com/NACS/News/Daily/Pages/ND0422106.aspx

The world of Information Security this week (w/e Apr 23 2010) April 23, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, Data Loss Prevention, Identity Management, Information Security.
Tags: , , , , , , , , , , ,
add a comment

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

Topics Covered:

Cloud Security

Data Losses

New Security Products

ISF

Identity Management

Cloud Security

Data at increased risk in the cloud A preview of the Information Security Breaches Survey from PricewaterhouseCoopers (PwC) that will be launched at Infosec indicates, among other things, that less than 17% of companies who have external organisations handling their data have it encrypted.   http://www.v3.co.uk/v3/news/2261765/cloud-computing-breach-risks

Data Losses

Gwent Police accidentally emails a file containing the personal details of over 10,000 people. This is the first major UK data loss has been reported since the Information Commissioner’s fines were introduced. It will be interesting to see what the Commissioner does! It is claimed that the file, was not encrypted or password protected. It contained the full names and dates of birth of 10,006 people in jobs or applying for jobs where a Criminal Records Bureau (CRB) disclosure is required.

9 year old steals password. Another example of a security breach due to human error and not technology. Someone was changing teacher passwords on the Falls Church, Virginia, school district’s Blackboard system, which is used to give teachers, students and parents a way to communicate and stay on top of homework assignments and class announcements over the Web. The incident was traced to the home of a 9-year-old student at the school. It turned out that a student had simply taken a teacher’s password from a desk and used it to change enrolment lists and other teachers’ passwords. http://www.computerworld.com/s/article/9175699/Police_called_after_9_year_old_steals_password?source=CTWNLE_nlt_security_2010-04-19

CIOs tighten the screw on what Twitterers can do. A new survey shows that many CIOs are reacting to the rise of social networking by implementing stricter IT policies, according to a survey published this week. Use of social networking websites such as Facebook and microblogging service Twitter has mushroomed in recent years – leading some companies to become concerned about the potential security risks of social networking.

New Security Products

Symantec announced an upgrade to their Data Loss Prevention Suite 10.5 and the availability of other new software products.   http://www.infosecurity-us.com/view/8708/symantec-upgrades-key-products/

Information Security Forum ISF

The ISF is to extend its membership to small and medium sized enterprises (SMEs) in a move which could help them address an ever-growing range of threats. http://www.v3.co.uk/v3/news/2261641/isf-opens-smes

Identity Management

RSA has introduced an identity verification service that is designed to confirm user identities and authenticate transactions in real-time. It is a knowledge-based authentication solution, that the company claim can be used during automated self-service activities such as credit card activations, account updates and password resets to mitigate fraud on high risk transactions such as funds transfer with customers online, on the phone with a call centre or in-person at point-of-sale (POS) terminals. The system works by scanning public records and commercially available databases to ask questions of the user it is trying to verify.

It seems to me that as it is based on public information, a well researched fraudster could well use the information to fool the system into authentication them as the person they are pretending to be.

http://www.scmagazineuk.com/rsa-introduces-real-time-identity-verification-service/article/168597/

More detail from RSA here:  http://www.rsa.com/node.aspx?id=3347

The world of Information Security this week (w/e Apr 16 2010) April 16, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, Data Loss Prevention, Risk Mamagement.
Tags: , , , , , , , , , ,
add a comment

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

Topics Covered:

Cloud Security

New Security Products

Are you influential?

Jericho Forum Self Assessment

Cloud Security

Risks outweigh benefits? The first annual survey from the Information Systems Audit and Control Association (ISACA) revealed that more than 45 percent of respondents feel the risks of cloud computing outweigh the lower total cost of ownership (TCO), high return on investment (ROI), increased efficiency and pay-as-you-go services. Thirty-eight percent of respondents, however, indicated that the risks and benefits of cloud computing are equally balanced, while only 17 percent said the benefits achieved with cloud computing outweigh the risks.    http://www.crn.com/security/224202475

New Security Products

RSA announced enhancements to their DLP suite. RSA, the Security Division of EMC, has announced enhancements to the RSA Data Loss Prevention (DLP) Suite with Version 8.        http://www.itweb.co.za/index.php?option=com_content&view=article&id=31906:rsa-data-loss-prevention-suite-helps-global-corporations-collaborate-securely&catid=234:security

Check Point Unveils DLP Solution a link to details of the new product can be found in the article link here:    http://www.darkreading.com/insiderthreat/security/management/showArticle.jhtml?articleID=224202003

Panda Security introduces cloud-based internet protection solution Panda Security has introduced the third pillar of its protection services with the introduction of Panda Cloud Internet Protection. The cloud-based, Software-as-a-Service (SaaS) security solution protects against web-based attacks such as botnets, phishing, cross-site scripting and advanced Web 2.0 attacks, according to the company.    http://www.pandasecurity.com/homeusers/media/press-releases/viewnews?noticia=10136

More detail can be found on the Panda web site here: http://cloudprotection.pandasecurity.com/what/

Are you influential?

SC Magazine will find out!  SC Magazine is to introduce a top 50 most influential security people for 2010. The ‘SC Most Influential 2010′ will be an accurate and detailed reflection of who the industry sees as the most influential information security practitioners in the UK.  http://www.scmagazineuk.com/sc-magazine-introduces-most-influential-2010/article/167920/

Jericho Forum Self Assessment?

Jericho Forum’s self assessment questionnaire explained. The video at the link below discusses the Jericho Forum’s new self assessment questionnaire that allows users to assess vendors who are selling them security solutions.     http://searchsecurity.techtarget.co.uk/video/0,297151,sid180_gci1507839,00.html?track=NL-988&ad=760893&asrc=EM_NLT_11334733&uid=1457049

The world of Information Security this week (w/e Apr 9 2010) April 9, 2010

Posted by Michael Stephenson in compliance, Government Security Strategy, Information Security.
Tags: , , , , , ,
1 comment so far

Topics Covered:

Email Privacy

Business and Security

Government & Security

A slow week this week for news items, presumably because a lot of people are taking holidays over the Easter period and while we have a little bit of good weather here in the UK.

Email Privacy

It had been accepted that privacy of personal email at work could not be expected, but this may be changed due to a legal ruling. In a legal case that came to it under appeal, the New Jersey Supreme Court last week decided an employee should have had an expectation of e-mail privacy and confidentiality because she used a personal Webmail account, in this case Yahoo, not the corporate e-mail system.       http://www.computerworld.com/s/article/9174820/Ruling_suggests_limits_on_employer_s_access_to_personal_e_mail?source=CTWNLE_nlt_security_2010-04-05

In this case you would think that the employee concerned would have expected problems and not used a work computer to contact her legal team.

Business and Security

Involve top business executives in security projects –A new report called “The Financial Management of Cyber Risk,” sponsored by, among others, the American National Standards Institute (ANSI), says that organizations with top executives who aren’t involved in cybersecurity decisions face a serious problem — a major hit to their bottom lines.

This is something those of us involved with security projects have been saying for years, but here it is in an official report. http://www.csoonline.com/article/589131/Top_Execs_Need_to_be_Involved_in_Cybersecurity_Study_Says?source=CSONLE_nlt_update_2010-04-06

Government and Security

The Data Accountability and Trust Act (H.R. 2221) passes through Congress and is on its way to the Senate. A step on the way to its adoption into US law when it will add to the regulations that need to be followed by US companies, and probably those trading with the US.     http://www.govtrack.us/congress/bill.xpd?bill=h111-2221&tab=summary

A video at the link below explains some of the implications of the bill   http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1506685,00.html?track=NL-430&ad=759583&asrc=EM_NLT_11279789&uid=1457049

The world of Information Security this week (w/e Apr 2 2010) April 1, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, Data Loss Prevention, Government Security Strategy, Humour, Information Security.
Tags: , , , , , , , , , , , , , ,
add a comment

The world of Information Security this week (w/e Apr 2 2010)

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

Topics Covered:

Cloud Security

Passwords

Data Protection

Data Losses

Government & Security

Cloud Security

ISC(2) starts cloud security working group. ISC(2) is a non-profit organisation dedicated to good security in the IT space, and supports qualifications such as CISSP, and SSCP. The idea of the group is to focus primarily on the government space and see if they can address the issues that have been raised on this over the last six months to a year, and come up with some recommendations or some best practices to try to address the issues.    http://www.federalnewsradio.com/index.php?nid=249&sid=1917420

Capgemini launches new Infostructure Transformation Services, and adds a new word to the technical dictionary.  The new group will help companies make the move to the cloud, offering four services, Data Centre Optimisation, Virtualisation, Unified Communications and Collaboration (UCC)and  Cloud Computing and Services,in either public or private clouds, or a mix of the two.   http://www.computerworld.com/s/article/9167298/Capgemini_to_offer_cloud_help_with_new_unit?source=CTWNLE_nlt_cloud_2010-03-29

Slightly more detailed information from Capgemini here: http://www.uk.capgemini.com/news/pr/pr2081/

Passwords

I can’t claim the credit for this which I found on Jeff Bardin’s blog, “The Brave new World of Infosec”, but I found it amusing so I am including it here.

During a company’s recent password audit, it was found that one employee was using the following password:

“MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento”

When asked why they had such a long password, the person said they were told that it had to be at least 8 characters long and include at least one capital!     http://blogs.csoonline.com/1178/the_lighter_side_of_passwords?source=CSONLE_nlt_update_2010-03-30

Data Protection

London’s city workers ignorant of impending data security penalties. Almost two-thirds of London’s city workers are unaware that businesses can be fined up to £500,000 for serious data breaches after 6 April, a survey by Cyber-Ark has revealed. Some 65% of the 500 city workers said they have not been informed of the new fines for breaches of personal data. The fines are part of new powers granted to the Information Commissioner’s Office that were confirmed in January to help enforce UK data protection laws

Data Losses

Quite a few reports this week of people losing sensitive information.

Durex springs a leak – is not the kind of news story you want to hear if you are a customer of theirs. It could have life changing consequences in more ways than one.

A website selling Durex condoms in India suffered a data breach that revealed customers’ names and orders. Databreaches.net reported that on 5th March, a customer discovered that anyone could view his and other customers’ orders on the kohinoorpassion.com website by simply inserting a different order ID number in the URL without any login required. Available information included names, addresses, phone numbers and the type of products ordered. http://www.scmagazineuk.com/durex-leak-reveals-customer-details-in-a-week-where-data-loss-has-risen-to-incredible-levels/article/166993/

Stoke-on-Trent City Council loses a USB stick that contained social services’ confidential information about children in care.  The Sentinel , a local Staffordshire newspaper, reported that the USB stick had been found on a pavement in Stoke-on-Trent. It contained dozens of sensitive documents including records of foster carers, family court proceedings, parenting assessments, child custody arrangements and the psychological history of youngsters. http://www.scmagazineuk.com/usb-stick-containing-social-services-information-found-on-a-pavement/article/166783/

US student loans guarantor confirms data loss of records of 3.3 million people The Educational Credit Management Corporation (ECMC), which guarantees federal student loans, reported on Friday that personal data on about 3.3 million people nationwide has been stolen from its headquarters in Minnesota.   The American equivalent of the student loan company reported that the data included names, addresses, Social Security numbers and dates of birth of borrowers, but no financial or bank account information. ECMC confirmed that the data was on ‘portable media’ that was stolen sometime last weekend. http://www.scmagazineuk.com/us-student-loans-guarantor-confirms-data-loss-of-records-of-33-million-people-with-names-addresses-and-social-security-numbers-and-dates-of-birth-included/article/166853/

Perhaps part of the reason for all this data loss is this

More than a third of companies fail to deploy data loss prevention technology Research by DeviceLock found that a third of companies are failing to deploy data loss prevention (DLP), while less than half of small-to-medium sized businesses install the technology.  –  Good news for DLP vendors as there must be plenty of people out there to sell their solutions to.   http://www.scmagazineuk.com/more-than-a-third-of-companies-fail-to-deploy-data-loss-prevention-technology/article/166920/

Government and Security

US States start incorporating PCI into law. On March 22, 2010, Washington state became the third state to incorporate the Payment Card Industry Data Security Standard (“PCI”) into law (the other two are Nevada and Minnesota). The Washington House and Senate have passed HB 1149 by substantial margins, and it has now been signed into law by the governor. http://www.infolawgroup.com/2010/03/articles/payment-card-breach-laws/faq-on-washington-states-pci-law/

UK Government announce proposals their ‘Cyber Crime Strategy’ The proposals have been detailed in a brief House of Commons statement. The parliamentary under-secretary of state for the Home Department, Alan Campbell, claimed that cyber crime is a large and growing problem and is responsible for a significant amount of social and economic harm, both financially and through threats to children and in the move of government services online.

The new strategy has five key elements:

Co-ordination to tackle cyber crime across government,

Provision of an effective law enforcement response,

Raise public confidence,

Work with industry,

Work internationally.

http://www.scmagazineuk.com/government-details-key-points-of-its-cyber-crime-strategy-as-it-acknowledges-that-it-is-a-large-and-growing-problem/article/167086/

The strategy document can be found here: http://www.cabinetoffice.gov.uk/reports/cyber_security.aspx

The world of Information Security this week (Mar 22nd to Mar 26th, 2010) March 26, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, Data Loss Prevention, Identity Management, Information Security.
Tags: , , , , , , , , , , , , , , , , , , , ,
add a comment

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

Topics Covered:

Cloud Security

Application Security

New Security Releases

including

Data Loss Prevention

Identity Management

Role Management

Cloud Security

McAfee will offer service to secure the cloud McAfee Cloud Secure combines cloud security certification services with automated auditing, remediation and reporting capabilities to bring extra security to the cloud. http://www.channelinsider.com/c/a/Security/McAfee-Forms-Cloud-Security-Program-102498/

Details from MacAfee at: http://www.mcafee.com/uk/enterprise/products/hosted_security/

The Cloud Security Alliance push towards cloud security standard. They are working with other organisations and suppliers, to push towards a cloud security standard, or at least some consistency, across cloud infrastructures to ensure security is tight and right. They have been working with the MashSSL Alliance, an organization that evangelizes the use of a next generation SSL standard for cloud computing,  and Novell. http://www.crn.com/security/224000080;jsessionid=1W0AGTPNSJIH5QE1GHPSKH4ATMY32JVN

Details of Novell’s cloud security offerings are here: http://www.novell.com/products/cloud-security-service/

Common Assurance Metric (CAM) A 24-strong consortium of service providers, vendors, government organisations and consultants has begun work on a set of measurements designed to make it easier for businesses to compare the security features offered by cloud-computing providers. The project, launched on Monday, aims to provide metrics that will consist of objective, quantifiable measurements, the as-yet unnamed consortium said in a statement. It will draw from existing standards, which are often industry specific. http://www.zdnet.co.uk/news/it-strategy/2010/02/09/group-aims-to-set-standard-for-cloud-security-40032011/

Not much detail of what is planned for this initiative yet, but it is something that is very much needed for organisations who are moving into cloud computing to enable them to measure the effectiveness of the security of the services they will be providing to their customers. Until they get such metrics then they don’t really know how secure a service is until they get a breach which could damage them beyond repair.

For members of Linkedin there is a discussion on this topic at this link: http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers&discussionID=15718500&gid=1864210&commentID=13504742&trk=view_disc

Application Security

Google has introduced security testing tool called Skipfish. It is an open source, fully automated, active web application security reconnaissance tool called ‘Skipfish’. Google described Skipfish as an active web application security reconnaissance tool that prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments. http://www.scmagazineuk.com/google-introduces-open-source-security-testing-tool/article/166207/

Details of the tests included in the software can be found here:  http://code.google.com/p/skipfish/wiki/SkipfishDoc

New Security Releases

SailPoint adds provisioning to IdentityIQ SailPoint has added end-to-end provisioning capabilities to its identity governance solution, SailPoint IdentityIQ™, and can now automate the entire user access request and fulfilment process. http://www.prnewswire.com/news-releases/sailpoint-releases-next-generation-provisioning-solution-88806867.html

Details of the provisioning engine can be found at the SailPoint web site here: http://www.sailpoint.com/product/provisioning-engine/

Updates to Avatier Identity Management Suite (AIMS) 8.0 have been announced. Avatier’s Identity and Access Management solution adds several new enterprise features as well as a new module, Compliance Auditor, for integration of governance management with access validation and SOX remediation. It also added a new module, Identity Analyzer, that includes bottom up role mining, identity correlation and advanced analytics. http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&newsId=20100317005497&newsLang=en

Details of Compliance Auditor can be found here: http://www.avatier.com/compliance-auditor.html

Details of Identity Analyzer are here: http://www.avatier.com/identity-analyzer.html

RSA, EMC’s security arm, has enhanced its Data Loss Prevention Suite with more than 70 new features for scanning, workflow, reporting, and global content processing. Version 8.0 of the RSA DLP Suite  allows discovery and remediation of more data types and sources, including native scanning of Microsoft® SharePoint® and IBM Lotus Notes®. The product can also scan and fingerprint IBM DB2 databases. The new release also includes enhanced capabilities for Chinese, Japanese and Korean languages. http://www.channelinsider.com/c/a/Security/RSA-Upgrades-DLP-Suite-Capabilities-276902/

Details of the RSA DLP Software can be found here: http://www.rsa.com/node.aspx?id=3426

McAfee has announced McAfee Data Loss Prevention (DLP) to help to secure sensitive data on internal systems and removable storage media.  The tool is designed to run through McAfee’s ePolicy Orchestrator platform. http://www.v3.co.uk/v3/news/2259973/mcafee-unveils-loss-prevention

Details can be found here:  http://www.mcafee.com/uk/enterprise/products/data_protection/data_loss_prevention/network_data_loss_prevention_manager.html

Courion® Corporation, announced the integration of its Access Assurance Suite 8.0 with Symantec Data Loss Prevention 10 to create a content-aware identity and access management (IAM) solution. This integration will enable organisations to not only discover sensitive data, but also who has access to it and if that access is appropriate,  providing a picture of end-to-end data security and compliance. http://www.courion.com/company/press_release.html?id=616

Details of Courion’s Access Assurance are here: http://www.courion.com/solutions/access-assurance.html

The world of Information Security this week (Mar 15th to Mar 19th, 2010) March 19, 2010

Posted by Michael Stephenson in Information Security, Identity Management, Data Loss Prevention, compliance.
Tags: , , , , , , , , , ,
add a comment

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

Topics Covered:

Jericho Forum

Identity Cards

Security Losses

Compliance

Security Market

Please let me have your views – Should I continue with this? Does it provide value to anyone?

Jericho Forum

Awkward questions for Vendors? A self-assessment tool to check the effectiveness of an IT security product has been developed by the Jericho Forum. It is a tool to help buyers assess the security attributes of the products they are buying, so vendors will need to be aware of the contents so they are prepared for the questions.             http://www.scmagazineuk.com/jericho-forum-introduces-self-assessment-tool-to-meet-with-its-eleven-commandments/article/165771/

Get a copy of the checks here:       https://www.opengroup.org/jericho/SAS_Guide.pdf

Identity Cards

ID cards to get more features. The government is considering introducing a new generation of ID cards for British citizens in 2012, complete with a raft of new features. Among the various technical improvements being looked at are fitting the new cards with a chip that would include the EMV technology standard that underpins chip and PIN transactions in UK credit and debit cards or a digital encryption and signature capability.     http://www.silicon.com/technology/security/2010/03/17/exclusive-next-generation-super-id-card-on-the-cards-for-2012-39745599/3/

StorkOne step closer to the sharing of electronic identities across EU borders. An EU co-funded scheme to implement EU-wide interoperability of electronic identities (eIDs) called Stork, has released e-ID common specifications together with draft planning for forthcoming pilot projects. Launched in 2008, Secure identity across borders linked (Stork) is a three-year pan-EU initiative aimed at enabling businesses, citizens and government employees to use their national electronic identities (e-ID) in any member state.             https://www.eid-stork.eu/index.php?option=com_content&task=view&id=237&Itemid=69

Security Losses

FBI says internet fraud more than doubled last year. The Federal Bureau of Investigation’s annual wide-ranging look at Internet crime found that online crime is indeed paying off – for the criminals as it cost users $559.7 million, up from $265 million in 2008.                                               http://www.networkworld.com/community/node/58496?source=NWWNLE_nlt_security_identity_2010-03-15

Verisign Survey also shows rise in online fraud. Online fraud is continuing to prove a major headache for e-commerce firms and banks, with 11 per cent of the online UK population falling victim in the past 12 months, according to new research from VeriSign. The secure web authentication firm’s biannual Online Fraud Barometer report estimated that average loss for individuals totalled £352, with 12 per cent of victims still waiting to be fully reimbursed for the money they lost.             http://www.v3.co.uk/v3/news/2259649/online-fraud-shows-signs

Compliance

No let up in compliance requirements. The year 2010 will be an interesting one from a compliance perspective, as more regulations take effect. There are three different federal identity theft protection bills working their way through Congress, and certain provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH), which updates HIPAA, will go into effect February 17th.     http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1379078,00.html?track=NL-430&ad=745041&asrc=EM_NLT_10698285

Security Market

Cisco losing security market share.   According to market analyst Canalys, in the fourth quarter of last year Cisco’s share of the market for a wide basket of security products, including hardware, software and services, dropped a staggering 22 percent year-on-year.              http://www.networkworld.com/news/2010/031710-cisco-battered-by-large-fall.html?source=NWWNLE_nlt_compliance_2010-03-19

The world of Information Security this week (Mar 8th to Mar 12th, 2010) March 12, 2010

Posted by Michael Stephenson in Cloud Computing, Identity Management, Information Security.
Tags: , , , , , , , , ,
add a comment

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

Topics Covered:

Cloud Computing

Identity and Access Management (IAM)

Merger & Acquisition

IT Market Trends

Security Losses

Not such a busy week this week, perhaps everyone is having a rest after RSA 2010 and getting over the rigours of the conference. All that working to improve themselves – well into the night!

Please let me have your views – Should I continue with this? Does it provide value to anyone?

Cloud Computing

CSIOs worry about cloud computing at RSA a discussion panel of CISOs seemed to be very wary of moving into cloud computing. They are happy with a few non critical apps in the cloud but wary of going much further because of security issues and the need to understand and provide solutions for security in the cloud.

http://www.computerworld.com/s/article/9166318/CISOs_rain_on_cloud_computing_parade_at_RSA?source=CTWNLE_nlt_security_2010-03-05

Hopes that early attention to security will boost cloud usage on a more upbeat note this report from RSA 2010 talks about work being done on security before the technology is widely used. RSA President Art Coviello observed that this may be the first time the industry has started working on the security problems before the technology is mainstream.       http://www.computerworld.com/s/article/9166258/Hoping_that_early_attention_to_security_will_bolster_cloud_offerings?source=CTWNLE_nlt_security_2010-03-05

Identity and Access Management (IAM)

Gartner Says Worldwide Identity And Access Management Market Will Grow 8 Per Cent In 2010 To Reach $9.9B Good news for the IAM world as Gartner sees continuing growth in this area. As more people move into cloud computing the reach of ID Management services is going to be extended to help with the need to have good security for people working in the cloud.    http://www.bsminfo.com/article.mvc/Gartner-Says-Worldwide-Identity-And-Access-0001?VNETCOOKIE=NO

Merger & Acquisition

CA is to acquire Nimsoft, a provider of IT performance and availability monitoring solutions for emerging enterprises and managed service providers. As with last week’s acquisition for CA of 3Tera this strengthens  CA’s  move to become a leader in the management of cloud computing. http://www.scmagazineuk.com/ca-set-to-complete-another-acquisition-with-performance-and-availability-monitoring-solutions-provider-in-sight/article/165494/

IT Market Trends

IT budgets are on the rise according to a survey by Ovum companies are expecting IT budgets to rise this year and this is likely to be lead by financial services organisation. http://www.silicon.com/management/cio-insights/2010/03/09/it-budgets-are-on-the-rise-but-dont-expect-a-full-recovery-39745568/?s_cid=545

IT security professionals ‘recession-proof’. Another survey this time by ISC2 says less than 5% of IT professionals lost their jobs. If you are of the 95% who didn’t lose their jobs then I guess you are recession proof, but those in the 5% won’t feel very ‘recession proof’, although some of them are now getting back into employment. http://www.computerweekly.com/Articles/2010/03/05/240518/IT-security-professionals-39recession-proof39-survey.htm

Security Losses

Online banking fraud cost the UK nearly £60m last year after a sharp rise in the number of criminals using malware to harvest people’s bank details. Losses from online banking fraud rose 14 per cent in 2009 year-on-year to reach a total of £59.7m, according to the trade body for the payment cards industry, the UK Cards Association. There is still work to be done in educating users and making online transactions safer. http://www.silicon.com/technology/security/2010/03/10/online-bank-fraud-costs-uk-60m-as-malware-merchants-hit-pay-dirt-39745572/?s_cid=545

The world of Information Security this week (Mar 1st to Mar 5th, 2010) March 5, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, Identity Management, Information Security.
Tags: , , , , , , , , , , , , , ,
add a comment

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

In this post I have picked out what I think are the highlights of this weeks infosec news. Links to the sources are included so you can get more detail if you want it.

Please let me have your views – Should I continue with this? Does it provide value to anyone?

The RSA conference has been an important event this week and many of the news items, and probably more next week will come out of that conference.

Cloud Computing

Top  threats to Cloud Computing research has been released by HP and The Cloud Security Alliance The document is a companion to the CSA’s “Security Guidance for Critical Areas in Cloud Computing,” which was updated in December.  The document can be downloaded at http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

CA announces ID Management for Salesforce.com.  At RSA 2010 CA announces additions to its enterprise identity management product that will allow customers to extend access and provisioning controls to the Salesforce.com Sales Cloud 2 application. http://www.networkworld.com/news/2010/030310-ca-salesforce.html>

You can see comment on this at Tom Mellor’s blog http://vintage1951.wordpress.com/2010/03/03/news-from-the-rsa-show-ca-provisions-to-salesforce-com-app/>

RSA 2010

Microsoft planning universal network access control The corporate vice president of Microsoft’s Trustworthy Computing Group used his keynote at RSA 2010 to outline plans for universal network access controls. Scott Charney said that there is a case to be made for computers being scanned before going online to make sure that no malware is present and that applications are patched properly. A discussion is needed in the industry to decide the appropriate action to take to safeguard the internet, he said.

<http://www.v3.co.uk/v3/news/2258832/rsa-2010-microsoft-planning>

Cisco beefs up VPN and cloud security Cisco has announced new tools as part of a drive to make security more invisible for users and easier to manage for IT administrators. The Cisco Secure Borderless Network architecture promises simple security policy measures that can be used on the road and allow IT managers to monitor and report from both sides of the firewall.

http://www.v3.co.uk/v3/news/2258760/rsa-2010-cisco-beefs-vpn-cloud>

Microsoft announces new Identity Management software Microsoft announced that it has begun shipping Forefront Identity Manager 2010, server software for provisioning and de-provisioning user access and privileges for network and database resources.

Forefront Identity Manager 2010, the successor to Microsoft’s Identity Lifecycle Manager 2007, can be used to establish policy-based access controls tied to the user’s role in the organization. It features more end user self-service and automated IT administration features than the earlier product, according to Microsoft.

http://www.networkworld.com/news/2010/030310-rsa-microsoft-identity-management.html>

Identity and Access Management (IAM)

Kantara Initiative Identity Assurance Certification Program) granted Provisional Approval by US Government. On Friday February 26th, 2010 the US Federal Government’s Identity, Credential, and Access Management (ICAM) Trust Framework Evaluation Team (TFET) reviewed Kantara Initiative’s latest submission and granted it Provisional Approval as a Trust Framework Provider at Levels 1, 2 & non-crypto Level 3 under the Open Identity Solutions for Open Government program.  The removal of the provisional status will hinge on the release by TFET of additional guidance for assessors concerning privacy and Kantara’s adoption of this guidance.  http://kantarainitiative.org/wordpress/2010/03/a-windfall-for-identity-assurance/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+kantarainitiative+%28Kantara+Initiative+Blog%29&utm_content=My+Yahoo>

Details of the Kantara ID Assurance Framework can be found at http://kantarainitiative.org/confluence/download/attachments/38371432/Kantara+IAF-1000-Overview.pdf

Merger & Acquisition

CA acquired cloud start-up 3Tera Whilst not a security acquisition this indicates further that CA is positioning itself as the management company for the cloud providing service provisioning, system management and security management for cloud environments.    3Tera enables enterprises and service providers to provision, deploy and scale public and private cloud computing environments while maintaining full control, flexibility and reliability. 3Tera also makes it easy for service providers to offer application stacks on demand by adding applications to the AppLogic catalog, where they can be deployed to a low-cost, shared cloud infrastructure.                                     http://www.informationweek.com/cloud-computing/blog/archives/2010/03/cas_omalley_clo.html?cid=RSSfeed_IWK_ALL>

More information from CA here     http://www.ca.com/us/press/release.aspx?CID=229531

The world of Information Security March 2, 2010

Posted by Michael Stephenson in Uncategorized.
Tags: , ,
6 comments

The reason I did not post a news summary on Friday last week was not that there was no news worth noting, which may have been the case, but that I wasn’t watching because I was away lazing around in the sunshine in Gran Canaria getting a reasonable tan.

We had a great week with warm, not too hot, sunshine with a cooling breeze, in a very comfortable hotel overlooking the sea on the south coast of the island. I can honestly say I did not think of information security at all and I didn’t take my mobile or laptop with me – didn’t even get a newspaper or watch TV so everything passed us by.

I hope you guys all had a good week – if I missed anything interesting do let me know. Look out for next week’s News summary.