
The world of Information Security this week (w/e Apr 30 2010) April 30, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, Data Loss Prevention, Information Security.

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

Topics Covered:

Cloud Security

Merger and Acquisition

Data Losses

PCI

Cloud Security

Cisco shows new cloud security products at the Infosecurity Europe exhibition. The always-on, cloud-based IronPort Email Data Loss Prevention and Encryption and Cisco ScanSafe Web Intelligence Reporting products, which resulted from the acquisition of ScanSafe last year, were launched at the exhibition. http://www.scmagazineuk.com/infosecurity-europe-cisco-makes-first-steps-into-cloud-based-security-after-scansafe-acquisition/article/168818/

The Cloud Industry Forum (CIF) has launched its draft Code of Practice for public consultation. The CIF is now seeking feedback on the code, which has been in development since October 2009, and is asking end-users, providers and other stakeholders to participate in the consultation process by downloading the draft code. The code will embody 3 simple principles: transparency of public information, capability in having documented management systems, and accountability for operational practice. http://www.scmagazineuk.com/cloud-industry-forum-launches-draft-code-of-practice/article/168670/

Merger and Acquisition

Symantec will acquire PGP and GuardianEdge: PGP for a purchase price of approximately $300 million in cash and GuardianEdge for a purchase price of approximately $70 million in cash. Earlier this week PGP was named information security vendor of the year at the SC awards, and also won best encryption solution for PGP Whole Disk Encryption and the innovation award for PGP Portable. http://www.scmagazineuk.com/symantec-confirms-acquisition-of-pgp-winner-of-sc-magazines-information-security-vendor-of-the-year/article/169064/

HP acquires Palm, but rumours have circulated around Infosec that HP is close to a deal that will see it acquire McAfee. The anti-virus vendor declined to comment on the speculation, with a spokesperson claiming that the vendor ‘had nothing of value to say on the matter’. http://www.scmagazineuk.com/hp-acquires-palm-in-a-week-when-rumours-about-a-takeover-of-a-major-security-vendor-persist/article/168890/

Data Losses

Businesses ‘vastly overconfident’ on security. A study commissioned by Accenture, which interviewed 5,500 executives and 15,500 consumers globally, shows that nearly three quarters (73 percent) of firms believe they have adequate policies and technology in place to protect sensitive data, yet 58 percent have lost sensitive data in the past two years. Six in 10 say it is a continually recurring problem. In the UK alone, 76 percent of firms have suffered data breaches, yet 74 percent are convinced they have the right policies in place. http://www.networkworld.com/news/2010/042710-businesses-vastly-overconfident-on.html?source=NWWNLE_nlt_security_identity_2010-04-28

PCI

UK businesses lag behind US counterparts in PCI compliance. A new white paper released by CIO Business Technology Leadership reveals that U.K. businesses lag far behind their U.S. colleagues in meeting PCI security standards, with only 11 percent of U.K. organizations currently certified as PCI compliant. http://www.nacsonline.com/NACS/News/Daily/Pages/ND0422106.aspx

The world of Information Security this week (w/e Apr 23 2010) April 23, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, Data Loss Prevention, Identity Management, Information Security.

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

Topics Covered:

Cloud Security

Data Losses

New Security Products

ISF

Identity Management

Cloud Security

Data at increased risk in the cloud. A preview of the Information Security Breaches Survey from PricewaterhouseCoopers (PwC), which will be launched at Infosec, indicates, among other things, that fewer than 17% of companies that have external organisations handling their data have it encrypted. http://www.v3.co.uk/v3/news/2261765/cloud-computing-breach-risks

Data Losses

Gwent Police accidentally emails a file containing the personal details of over 10,000 people. This is the first major UK data loss to be reported since the Information Commissioner’s fines were introduced. It will be interesting to see what the Commissioner does! It is claimed that the file was not encrypted or password protected. It contained the full names and dates of birth of 10,006 people in jobs, or applying for jobs, where a Criminal Records Bureau (CRB) disclosure is required.

9-year-old steals password. Another example of a security breach due to human error rather than technology. Someone was changing teacher passwords on the Falls Church, Virginia, school district’s Blackboard system, which gives teachers, students and parents a way to communicate and stay on top of homework assignments and class announcements over the Web. The incident was traced to the home of a 9-year-old student at the school. It turned out that the student had simply taken a teacher’s password from a desk and used it to change enrolment lists and other teachers’ passwords. http://www.computerworld.com/s/article/9175699/Police_called_after_9_year_old_steals_password?source=CTWNLE_nlt_security_2010-04-19

CIOs tighten the screw on what Twitterers can do. A survey published this week shows that many CIOs are reacting to the rise of social networking by implementing stricter IT policies. Use of social networking websites such as Facebook and the microblogging service Twitter has mushroomed in recent years, leading some companies to become concerned about the potential security risks of social networking.

New Security Products

Symantec announced an upgrade to their Data Loss Prevention Suite 10.5 and the availability of other new software products. http://www.infosecurity-us.com/view/8708/symantec-upgrades-key-products/

Information Security Forum (ISF)

The ISF is to extend its membership to small and medium sized enterprises (SMEs) in a move which could help them address an ever-growing range of threats. http://www.v3.co.uk/v3/news/2261641/isf-opens-smes

Identity Management

RSA has introduced an identity verification service that is designed to confirm user identities and authenticate transactions in real time. It is a knowledge-based authentication solution that the company claims can be used during automated self-service activities such as credit card activations, account updates and password resets to mitigate fraud on high-risk transactions such as funds transfers, whether the customer is online, on the phone with a call centre or in person at a point-of-sale (POS) terminal. The system works by scanning public records and commercially available databases to generate questions to ask the user it is trying to verify.

It seems to me that as it is based on public information, a well-researched fraudster could well use the information to fool the system into authenticating them as the person they are pretending to be.

http://www.scmagazineuk.com/rsa-introduces-real-time-identity-verification-service/article/168597/

More detail from RSA here: http://www.rsa.com/node.aspx?id=3347

The world of Information Security this week (w/e Apr 16 2010) April 16, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, Data Loss Prevention, Risk Management.

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

Topics Covered:

Cloud Security

New Security Products

Are you influential?

Jericho Forum Self Assessment

Cloud Security

Risks outweigh benefits? The first annual survey from the Information Systems Audit and Control Association (ISACA) revealed that more than 45 percent of respondents feel the risks of cloud computing outweigh the lower total cost of ownership (TCO), high return on investment (ROI), increased efficiency and pay-as-you-go services. Thirty-eight percent of respondents, however, indicated that the risks and benefits of cloud computing are equally balanced, while only 17 percent said the benefits achieved with cloud computing outweigh the risks. http://www.crn.com/security/224202475

New Security Products

RSA announced enhancements to its DLP suite. RSA, the Security Division of EMC, has announced enhancements to the RSA Data Loss Prevention (DLP) Suite with Version 8. http://www.itweb.co.za/index.php?option=com_content&view=article&id=31906:rsa-data-loss-prevention-suite-helps-global-corporations-collaborate-securely&catid=234:security

Check Point unveils DLP solution. A link to details of the new product can be found in the article here: http://www.darkreading.com/insiderthreat/security/management/showArticle.jhtml?articleID=224202003

Panda Security introduces cloud-based internet protection solution. Panda Security has introduced the third pillar of its protection services with the introduction of Panda Cloud Internet Protection. The cloud-based, Software-as-a-Service (SaaS) security solution protects against web-based attacks such as botnets, phishing, cross-site scripting and advanced Web 2.0 attacks, according to the company. http://www.pandasecurity.com/homeusers/media/press-releases/viewnews?noticia=10136

More detail can be found on the Panda web site here: http://cloudprotection.pandasecurity.com/what/

Are you influential?

SC Magazine will find out! SC Magazine is to introduce a top 50 of the most influential security people for 2010. The ‘SC Most Influential 2010’ will be an accurate and detailed reflection of who the industry sees as the most influential information security practitioners in the UK. http://www.scmagazineuk.com/sc-magazine-introduces-most-influential-2010/article/167920/

Jericho Forum Self Assessment

Jericho Forum’s self assessment questionnaire explained. The video at the link below discusses the Jericho Forum’s new self assessment questionnaire, which allows users to assess the vendors who are selling them security solutions. http://searchsecurity.techtarget.co.uk/video/0,297151,sid180_gci1507839,00.html?track=NL-988&ad=760893&asrc=EM_NLT_11334733&uid=1457049

The world of Information Security this week (w/e Apr 2 2010) April 1, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, Data Loss Prevention, Government Security Strategy, Humour, Information Security.


A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

Topics Covered:

Cloud Security

Passwords

Data Protection

Data Losses

Government & Security

Cloud Security

ISC(2) starts cloud security working group. ISC(2) is a non-profit organisation dedicated to good security in the IT space, and supports qualifications such as CISSP and SSCP. The idea of the group is to focus primarily on the government space, see whether it can address the issues that have been raised over the last six months to a year, and come up with recommendations or best practices to address them. http://www.federalnewsradio.com/index.php?nid=249&sid=1917420

Capgemini launches new Infostructure Transformation Services, and adds a new word to the technical dictionary. The new group will help companies make the move to the cloud, offering four services: Data Centre Optimisation, Virtualisation, Unified Communications and Collaboration (UCC), and Cloud Computing and Services, in either public or private clouds, or a mix of the two. http://www.computerworld.com/s/article/9167298/Capgemini_to_offer_cloud_help_with_new_unit?source=CTWNLE_nlt_cloud_2010-03-29

Slightly more detailed information from Capgemini here: http://www.uk.capgemini.com/news/pr/pr2081/

Passwords

I can’t claim the credit for this, which I found on Jeff Bardin’s blog, “The Brave New World of Infosec”, but I found it amusing so I am including it here.

During a company’s recent password audit, it was found that one employee was using the following password:

“MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento”

When asked why they had such a long password, the person said they had been told that it had to be at least 8 characters long and include at least one capital! http://blogs.csoonline.com/1178/the_lighter_side_of_passwords?source=CSONLE_nlt_update_2010-03-30

Data Protection

London’s city workers ignorant of impending data security penalties. Almost two-thirds of London’s city workers are unaware that businesses can be fined up to £500,000 for serious data breaches after 6 April, a survey by Cyber-Ark has revealed. Some 65% of the 500 city workers said they have not been informed of the new fines for breaches of personal data. The fines are part of new powers granted to the Information Commissioner’s Office that were confirmed in January to help enforce UK data protection laws.

Data Losses

Quite a few reports this week of people losing sensitive information.

Durex springs a leak. This is not the kind of news story you want to hear if you are a customer of theirs. It could have life-changing consequences in more ways than one.

A website selling Durex condoms in India suffered a data breach that revealed customers’ names and orders. Databreaches.net reported that on 5th March a customer discovered that anyone could view his and other customers’ orders on the kohinoorpassion.com website simply by inserting a different order ID number in the URL, without any login required. The available information included names, addresses, phone numbers and the type of products ordered. http://www.scmagazineuk.com/durex-leak-reveals-customer-details-in-a-week-where-data-loss-has-risen-to-incredible-levels/article/166993/
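The defect described in that report is a missing authorisation check on a direct object reference: the order handler trusted whatever ID appeared in the URL. The following is an added example, not code from the original post or from the site concerned, showing the vulnerable lookup beside a hardened one, an opaque order reference that removes the guessable sequential ID, and a simple log check that a defender can run to spot ID enumeration. The in-memory order table, the plain-string session user and the access log lines are all constructed for the example.

```python
"""Added example: insecure direct object reference on an order lookup,
the hardened version, and a detection check. Data here is constructed."""
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    customer: str          # account that placed the order
    address: str
    phone: str
    items: tuple


# Constructed sample orders, keyed by a sequential integer ID (the weak design).
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", "1 Example Road", "+91-00000-00001", ("item-A",)),
    1002: Order(1002, "bob", "2 Example Road", "+91-00000-00002", ("item-B", "item-C")),
}


def get_order_vulnerable(order_id: int) -> Optional[Order]:
    """The flaw in the report: no login, no ownership check. Whoever
    changes the number in the URL reads another customer's order."""
    return ORDERS.get(order_id)


def get_order(order_id: int, session_user: Optional[str]) -> Optional[Order]:
    """Hardened lookup. Requires an authenticated session and enforces that
    the order belongs to that user. Unknown and foreign orders both yield
    None so the endpoint does not confirm which IDs exist."""
    if session_user is None:
        return None
    order = ORDERS.get(order_id)
    if order is None or order.customer != session_user:
        return None
    return order


# Opaque references: a random token per order instead of a guessable integer.
# This removes trivial enumeration; the ownership check above is still the
# real control and is applied on every path.
REFERENCES: Dict[str, int] = {}


def new_reference(order_id: int) -> str:
    ref = secrets.token_urlsafe(16)
    REFERENCES[ref] = order_id
    return ref


def get_order_by_reference(ref: str, session_user: Optional[str]) -> Optional[Order]:
    order_id = REFERENCES.get(ref)
    if order_id is None:
        return None
    return get_order(order_id, session_user)


# Detection: one client reading many distinct order IDs is the signature of
# exactly this kind of leak being probed. Log format is constructed here.
LOG_LINE = re.compile(r"^(?P<client>\S+) \S+ /order\?id=(?P<oid>\d+) ")

SAMPLE_LOG = [
    "203.0.113.5 GET /order?id=1001 200",
    "203.0.113.5 GET /order?id=1002 200",
    "203.0.113.5 GET /order?id=1003 200",
    "203.0.113.5 GET /order?id=1004 200",
    "198.51.100.7 GET /order?id=1002 200",
    "198.51.100.7 GET /order?id=1002 200",
]


def flag_enumeration(lines, threshold: int = 3) -> Dict[str, int]:
    """Return clients that fetched at least `threshold` distinct order IDs."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            seen[m.group("client")].add(m.group("oid"))
    return {client: len(ids) for client, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("vulnerable:", get_order_vulnerable(1002))        # anyone sees bob's order
    print("hardened:  ", get_order(1002, "alice"))          # None: not alice's order
    ref = new_reference(1001)
    print("by ref:    ", get_order_by_reference(ref, "alice"))
    print("flagged:   ", flag_enumeration(SAMPLE_LOG))
```

The ownership check is the fix; the opaque reference only raises the cost of guessing and must never replace it. The enumeration count is deliberately crude, so in a real deployment it would be scoped per session or per time window before it is used as an alert.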

Stoke-on-Trent City Council loses a USB stick that contained social services’ confidential information about children in care. The Sentinel, a local Staffordshire newspaper, reported that the USB stick had been found on a pavement in Stoke-on-Trent. It contained dozens of sensitive documents, including records of foster carers, family court proceedings, parenting assessments, child custody arrangements and the psychological history of youngsters. http://www.scmagazineuk.com/usb-stick-containing-social-services-information-found-on-a-pavement/article/166783/

US student loans guarantor confirms data loss of records of 3.3 million people. The Educational Credit Management Corporation (ECMC), which guarantees federal student loans, reported on Friday that personal data on about 3.3 million people nationwide had been stolen from its headquarters in Minnesota. The American equivalent of the Student Loans Company reported that the data included names, addresses, Social Security numbers and dates of birth of borrowers, but no financial or bank account information. ECMC confirmed that the data was on ‘portable media’ that was stolen sometime last weekend. http://www.scmagazineuk.com/us-student-loans-guarantor-confirms-data-loss-of-records-of-33-million-people-with-names-addresses-and-social-security-numbers-and-dates-of-birth-included/article/166853/

Perhaps part of the reason for all this data loss is this:

More than a third of companies fail to deploy data loss prevention technology. Research by DeviceLock found that a third of companies are failing to deploy data loss prevention (DLP), while fewer than half of small-to-medium sized businesses install the technology. Good news for DLP vendors, as there must be plenty of people out there to sell their solutions to. http://www.scmagazineuk.com/more-than-a-third-of-companies-fail-to-deploy-data-loss-prevention-technology/article/166920/

Government and Security

US States start incorporating PCI into law. On March 22, 2010, Washington state became the third state to incorporate the Payment Card Industry Data Security Standard (“PCI”) into law (the other two are Nevada and Minnesota). The Washington House and Senate have passed HB 1149 by substantial margins, and it has now been signed into law by the governor. http://www.infolawgroup.com/2010/03/articles/payment-card-breach-laws/faq-on-washington-states-pci-law/

UK Government announces proposals for its ‘Cyber Crime Strategy’. The proposals have been detailed in a brief House of Commons statement. The parliamentary under-secretary of state for the Home Department, Alan Campbell, claimed that cyber crime is a large and growing problem and is responsible for a significant amount of social and economic harm, both financially and through threats to children and to the move of government services online.

The new strategy has five key elements:

Co-ordination to tackle cyber crime across government,

Provision of an effective law enforcement response,

Raise public confidence,

Work with industry,

Work internationally.

http://www.scmagazineuk.com/government-details-key-points-of-its-cyber-crime-strategy-as-it-acknowledges-that-it-is-a-large-and-growing-problem/article/167086/

The strategy document can be found here: http://www.cabinetoffice.gov.uk/reports/cyber_security.aspx

The world of Information Security this week (Mar 22nd to Mar 26th, 2010) March 26, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, Data Loss Prevention, Identity Management, Information Security.

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

Topics Covered:

Cloud Security

Application Security

New Security Releases

including

Data Loss Prevention

Identity Management

Role Management

Cloud Security

McAfee will offer a service to secure the cloud. McAfee Cloud Secure combines cloud security certification services with automated auditing, remediation and reporting capabilities to bring extra security to the cloud. http://www.channelinsider.com/c/a/Security/McAfee-Forms-Cloud-Security-Program-102498/

Details from McAfee at: http://www.mcafee.com/uk/enterprise/products/hosted_security/

The Cloud Security Alliance pushes towards a cloud security standard. They are working with other organisations and suppliers to push towards a cloud security standard, or at least some consistency, across cloud infrastructures to ensure security is tight and right. They have been working with the MashSSL Alliance, an organization that evangelizes the use of a next-generation SSL standard for cloud computing, and Novell. http://www.crn.com/security/224000080;jsessionid=1W0AGTPNSJIH5QE1GHPSKH4ATMY32JVN

Details of Novell’s cloud security offerings are here: http://www.novell.com/products/cloud-security-service/

Common Assurance Metric (CAM). A 24-strong consortium of service providers, vendors, government organisations and consultants has begun work on a set of measurements designed to make it easier for businesses to compare the security features offered by cloud-computing providers. The project, launched on Monday, aims to provide metrics that will consist of objective, quantifiable measurements, the as-yet unnamed consortium said in a statement. It will draw on existing standards, which are often industry specific. http://www.zdnet.co.uk/news/it-strategy/2010/02/09/group-aims-to-set-standard-for-cloud-security-40032011/

Not much detail of what is planned for this initiative yet, but it is something that is very much needed by organisations moving into cloud computing, to enable them to measure the effectiveness of the security of the services they will be providing to their customers. Until they get such metrics they don’t really know how secure a service is until they suffer a breach, which could damage them beyond repair.

For members of Linkedin there is a discussion on this topic at this link: http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers&discussionID=15718500&gid=1864210&commentID=13504742&trk=view_disc

Application Security

Google has introduced a security testing tool called Skipfish. It is an open source, fully automated, active web application security reconnaissance tool. Google describes Skipfish as preparing an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments. http://www.scmagazineuk.com/google-introduces-open-source-security-testing-tool/article/166207/

Details of the tests included in the software can be found here: http://code.google.com/p/skipfish/wiki/SkipfishDoc

New Security Releases

SailPoint adds provisioning to IdentityIQ. SailPoint has added end-to-end provisioning capabilities to its identity governance solution, SailPoint IdentityIQ™, and can now automate the entire user access request and fulfilment process. http://www.prnewswire.com/news-releases/sailpoint-releases-next-generation-provisioning-solution-88806867.html

Details of the provisioning engine can be found at the SailPoint web site here: http://www.sailpoint.com/product/provisioning-engine/

Updates to Avatier Identity Management Suite (AIMS) 8.0 have been announced. Avatier’s Identity and Access Management solution adds several new enterprise features as well as a new module, Compliance Auditor, for integration of governance management with access validation and SOX remediation. It also added a new module, Identity Analyzer, that includes bottom up role mining, identity correlation and advanced analytics. http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&newsId=20100317005497&newsLang=en

Details of Compliance Auditor can be found here: http://www.avatier.com/compliance-auditor.html

Details of Identity Analyzer are here: http://www.avatier.com/identity-analyzer.html

RSA, EMC’s security arm, has enhanced its Data Loss Prevention Suite with more than 70 new features for scanning, workflow, reporting and global content processing. Version 8.0 of the RSA DLP Suite allows discovery and remediation of more data types and sources, including native scanning of Microsoft® SharePoint® and IBM Lotus Notes®. The product can also scan and fingerprint IBM DB2 databases. The new release also includes enhanced capabilities for the Chinese, Japanese and Korean languages. http://www.channelinsider.com/c/a/Security/RSA-Upgrades-DLP-Suite-Capabilities-276902/

Details of the RSA DLP Software can be found here: http://www.rsa.com/node.aspx?id=3426

McAfee has announced McAfee Data Loss Prevention (DLP) to help secure sensitive data on internal systems and removable storage media. The tool is designed to run through McAfee’s ePolicy Orchestrator platform. http://www.v3.co.uk/v3/news/2259973/mcafee-unveils-loss-prevention

Details can be found here: http://www.mcafee.com/uk/enterprise/products/data_protection/data_loss_prevention/network_data_loss_prevention_manager.html

Courion® Corporation announced the integration of its Access Assurance Suite 8.0 with Symantec Data Loss Prevention 10 to create a content-aware identity and access management (IAM) solution. This integration will enable organisations not only to discover sensitive data, but also to find out who has access to it and whether that access is appropriate, providing a picture of end-to-end data security and compliance. http://www.courion.com/company/press_release.html?id=616

Details of Courion’s Access Assurance are here: http://www.courion.com/solutions/access-assurance.html

The world of Information Security this week (Mar 8th to Mar 12th, 2010) March 12, 2010

Posted by Michael Stephenson in Cloud Computing, Identity Management, Information Security.

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

Topics Covered:

Cloud Computing

Identity and Access Management (IAM)

Merger & Acquisition

IT Market Trends

Security Losses

Not such a busy week this week; perhaps everyone is having a rest after RSA 2010 and getting over the rigours of the conference. All that working to improve themselves, well into the night!

Please let me have your views – Should I continue with this? Does it provide value to anyone?

Cloud Computing

CISOs worry about cloud computing at RSA. A discussion panel of CISOs seemed to be very wary of moving into cloud computing. They are happy with a few non-critical apps in the cloud but wary of going much further, because of security issues and the need to understand and provide solutions for security in the cloud.

http://www.computerworld.com/s/article/9166318/CISOs_rain_on_cloud_computing_parade_at_RSA?source=CTWNLE_nlt_security_2010-03-05

Hopes that early attention to security will boost cloud usage. On a more upbeat note, this report from RSA 2010 talks about work being done on security before the technology is widely used. RSA President Art Coviello observed that this may be the first time the industry has started working on the security problems before the technology is mainstream. http://www.computerworld.com/s/article/9166258/Hoping_that_early_attention_to_security_will_bolster_cloud_offerings?source=CTWNLE_nlt_security_2010-03-05

Identity and Access Management (IAM)

Gartner says the worldwide Identity and Access Management market will grow 8 per cent in 2010 to reach $9.9B. Good news for the IAM world, as Gartner sees continuing growth in this area. As more people move into cloud computing, the reach of ID management services is going to be extended to help meet the need for good security for people working in the cloud. http://www.bsminfo.com/article.mvc/Gartner-Says-Worldwide-Identity-And-Access-0001?VNETCOOKIE=NO

Merger & Acquisition

CA is to acquire Nimsoft, a provider of IT performance and availability monitoring solutions for emerging enterprises and managed service providers. As with CA’s acquisition of 3Tera last week, this strengthens CA’s move to become a leader in the management of cloud computing. http://www.scmagazineuk.com/ca-set-to-complete-another-acquisition-with-performance-and-availability-monitoring-solutions-provider-in-sight/article/165494/

IT Market Trends

IT budgets are on the rise. According to a survey by Ovum, companies are expecting IT budgets to rise this year, and this is likely to be led by financial services organisations. http://www.silicon.com/management/cio-insights/2010/03/09/it-budgets-are-on-the-rise-but-dont-expect-a-full-recovery-39745568/?s_cid=545

IT security professionals ‘recession-proof’. Another survey, this time by ISC2, says fewer than 5% of IT security professionals lost their jobs. If you are among the 95% who didn’t lose their jobs then I guess you are recession-proof, but those in the 5% won’t feel very ‘recession-proof’, although some of them are now getting back into employment. http://www.computerweekly.com/Articles/2010/03/05/240518/IT-security-professionals-39recession-proof39-survey.htm

Security Losses

Online banking fraud cost the UK nearly £60m last year after a sharp rise in the number of criminals using malware to harvest people’s bank details. Losses from online banking fraud rose 14 per cent in 2009 year-on-year to reach a total of £59.7m, according to the trade body for the payment cards industry, the UK Cards Association. There is still work to be done in educating users and making online transactions safer. http://www.silicon.com/technology/security/2010/03/10/online-bank-fraud-costs-uk-60m-as-malware-merchants-hit-pay-dirt-39745572/?s_cid=545

The world of Information Security this week (Mar 1st to Mar 5th, 2010) March 5, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, Identity Management, Information Security.

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

In this post I have picked out what I think are the highlights of this week’s infosec news. Links to the sources are included so you can get more detail if you want it.

Please let me have your views – Should I continue with this? Does it provide value to anyone?

The RSA conference has been an important event this week, and many of the news items (and probably more next week) come out of that conference.

Cloud Computing

Top threats to Cloud Computing research has been released by HP and the Cloud Security Alliance. The document is a companion to the CSA’s “Security Guidance for Critical Areas in Cloud Computing,” which was updated in December. The document can be downloaded at http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

CA announces ID Management for Salesforce.com. At RSA 2010 CA announced additions to its enterprise identity management product that will allow customers to extend access and provisioning controls to the Salesforce.com Sales Cloud 2 application. http://www.networkworld.com/news/2010/030310-ca-salesforce.html

You can see comment on this at Tom Mellor’s blog: http://vintage1951.wordpress.com/2010/03/03/news-from-the-rsa-show-ca-provisions-to-salesforce-com-app/

RSA 2010

Microsoft planning universal network access control. The corporate vice president of Microsoft’s Trustworthy Computing Group used his keynote at RSA 2010 to outline plans for universal network access controls. Scott Charney said that there is a case to be made for computers being scanned before going online to make sure that no malware is present and that applications are properly patched. A discussion is needed in the industry to decide the appropriate action to take to safeguard the internet, he said.

http://www.v3.co.uk/v3/news/2258832/rsa-2010-microsoft-planning

Cisco beefs up VPN and cloud security. Cisco has announced new tools as part of a drive to make security more invisible for users and easier to manage for IT administrators. The Cisco Secure Borderless Network architecture promises simple security policy measures that can be used on the road and allow IT managers to monitor and report from both sides of the firewall.

http://www.v3.co.uk/v3/news/2258760/rsa-2010-cisco-beefs-vpn-cloud

Microsoft announces new Identity Management software. Microsoft announced that it has begun shipping Forefront Identity Manager 2010, server software for provisioning and de-provisioning user access and privileges for network and database resources.

Forefront Identity Manager 2010, the successor to Microsoft’s Identity Lifecycle Manager 2007, can be used to establish policy-based access controls tied to the user’s role in the organization. It features more end user self-service and automated IT administration features than the earlier product, according to Microsoft.

http://www.networkworld.com/news/2010/030310-rsa-microsoft-identity-management.html

Identity and Access Management (IAM)

Kantara Initiative Identity Assurance Certification Program granted Provisional Approval by US Government. On Friday February 26th, 2010 the US Federal Government’s Identity, Credential, and Access Management (ICAM) Trust Framework Evaluation Team (TFET) reviewed Kantara Initiative’s latest submission and granted it Provisional Approval as a Trust Framework Provider at Levels 1, 2 and non-crypto Level 3 under the Open Identity Solutions for Open Government program. The removal of the provisional status will hinge on the release by TFET of additional guidance for assessors concerning privacy and on Kantara’s adoption of this guidance. http://kantarainitiative.org/wordpress/2010/03/a-windfall-for-identity-assurance/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+kantarainitiative+%28Kantara+Initiative+Blog%29&utm_content=My+Yahoo

Details of the Kantara ID Assurance Framework can be found at http://kantarainitiative.org/confluence/download/attachments/38371432/Kantara+IAF-1000-Overview.pdf

Merger & Acquisition

CA acquires cloud start-up 3Tera – Whilst not a security acquisition, this further indicates that CA is positioning itself as the management company for the cloud, providing service provisioning, system management and security management for cloud environments. 3Tera enables enterprises and service providers to provision, deploy and scale public and private cloud computing environments while maintaining full control, flexibility and reliability. 3Tera also makes it easy for service providers to offer application stacks on demand by adding applications to the AppLogic catalog, from where they can be deployed to a low-cost, shared cloud infrastructure. http://www.informationweek.com/cloud-computing/blog/archives/2010/03/cas_omalley_clo.html?cid=RSSfeed_IWK_ALL

More information from CA here: http://www.ca.com/us/press/release.aspx?CID=229531

The world of Information Security this week (Feb. 12th to 19th, 2010) February 19, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, compliance, Data Loss Prevention, Identity Management, Information Security, Risk Management.

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

If you don’t have the time to scan through lots of newsletters and news feeds to pick up the interesting Information Security news of the week then read on.

In this post I have picked out what I think are the key news items and included the links to the sources at the end of each piece so you can get more detail on them if you need it.

Please let me have your views – Do you find this valuable and worth my time continuing?  Will it save you time? Please let me know if you think anything should be added or I have missed something.

This week’s topics include Cloud Computing; Government; Security Risks; IAM and M&A.

Cloud Computing

The Shortcut Guide to Prioritizing Security Spending – This provides some useful information on security requirements for cloud computing, from Realtime Nexus. Author Dan Sullivan reviews the data security and compliance benchmarks that must be established between you and your cloud provider.

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1374883_mem1,00.html?track=NL-430&ad=749528&asrc=EM_NLT_10897201

ISC2 says IT security professionals must work out how to implement cloud computing securely before it is too late. If they don’t, it will go ahead anyway, insecurely, and put business data at risk, so it is important that professionals encourage their businesses to consider the security implications of moving into the cloud and be ready to provide solutions to the security problems.

http://www.computerweekly.com/Articles/2010/02/10/240258/security-professionals-must-embrace-cloud-or-fail-says.htm

The U.S. Air Force and IBM have teamed up to develop and demonstrate a secure cloud computing infrastructure capable of supporting defence and intelligence networks. This is bound to put IBM in an excellent position to gain defence contracts around the world, and the experience will also position them well for the provision of cloud solutions to everyone.

http://gcn.com/articles/2010/02/04/air-force-ibm-cloud-computing.aspx

Microsoft calls for cloud computing laws – Microsoft has called for greater government oversight of the fast-growing, yet largely unregulated, cloud computing sector, citing the need to protect business and consumer information.

http://www.industryweek.com/articles/microsoft_to_congress_time_for_new_cloud_computing_laws_21051.aspx?SectionID=4

Government

Both UK and US governments are taking steps to tackle computer crime.

The US Department of Justice today set up a task force to battle computer crime. The task force will focus exclusively on battling US and international intellectual property crimes.  It will also bolster efforts to combat crimes through close coordination with state and local law enforcement partners as well as international counterparts.

http://www.networkworld.com/community/node/57486?source=NWWNLE_nlt_security_identity_2010-02-15

The UK Office of Fair Trading and trading standards officers are to get £4.3m of funding over three years for a taskforce to tackle online crime. The money will go to a team within the Office of Fair Trading (OFT) that will focus on fake product suppliers and ticket scams. Some funds will also be directed to improving the capabilities of Trading Standards Officers to deal with such scams.

http://www.computing.co.uk/computing/news/2257862/unit-tackle-online-consumer

The New Hampshire House of Representatives is considering a bill to ban the use of biometric data in either state- or privately-issued IDs. The legislation would forbid requiring biometric data coupled with IDs as a condition of obtaining services from businesses or government agencies. The lone exception to the ban would be employee identification cards.

http://www.infosecurity-us.com/view/7360/new-hampshire-seeks-to-outlaw-biometric-ids/

UK provides largest new intake of security boffins for ENISA, which has chosen 30 leading security experts for its Permanent Stakeholders’ Group (PSG). Seven UK boffins have been chosen as part of the new intake.

http://www.computing.co.uk/computing/news/2258009/uk-provides-largest-contingent

Security Risks and data losses

Major flaw discovered in Chip and PIN technology that could allow a fraudster to make purchases with a dummy login – A report by security researchers at Cambridge University describes a flaw in Chip and PIN technology. The flaw would allow a fraudster to use a genuine card to make a payment without knowing the card’s PIN, and to remain undetected even when the merchant has an online connection to the banking network.

http://www.scmagazineuk.com/major-flaw-discovered-in-chip-and-pin-technology-that-could-allow-a-fraudster-to-make-purchases-with-a-dummy-login/article/163787/

http://www.theregister.co.uk/2010/02/12/chip_pin_security_unpicked/

Over 75,000 systems compromised in cyberattack – Security researchers at Herndon, Va.-based NetWitness Corp. have unearthed a massive botnet affecting at least 75,000 computers at 2,500 companies and government agencies worldwide. The Kneber botnet, named for the username linking the affected machines, has been used to gather login credentials for online financial systems, social networking sites and e-mail systems for the past 18 months. The 75GB cache of stolen data that was discovered included 68,000 corporate login credentials and login data for user accounts at Facebook, Yahoo and Hotmail.

http://www.computerworld.com/s/article/9158578/Over_75_000_systems_compromised_in_cyberattack?source=CTWNLE_nlt_security_2010-02-18

Identity and Access Management (IAM)

Gartner talks about IAM Intelligence: Smart IAM for smart governance. They believe IAM intelligence represents the ability of IAM tools and processes to (a) build effective repositories of identity information for IAM systems to use, (b) collect and correlate information about the IAM events that occur throughout the system with other important security events and information, and (c) provide a means to monitor, analyze and report on what is happening within the IAM world for a number of constituents.

http://blogs.gartner.com/earl-perkins/2010/02/12/identity-and-access-management-iam-intelligence-smart-iam-for-smart-governance/

Merger & Acquisition

IBM has acquired network management vendor Intelliden for an undisclosed sum. Intelliden’s intelligent network automation is seen as an important addition to IBM’s portfolio, extending automation across all business and IT assets. It will be integrated into the IBM Software Group as part of the Tivoli Software arm.

http://www.computing.co.uk/computing/news/2258008/big-blue-strengthens-network

Please let me have your views – add a comment below.

Do you find this valuable? Will it save you time? Should I continue to publish?

Please let me know if you think anything should be added or I have missed something.

The world of Information Security this week (Feb. 8th to 12th, 2010) February 12, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, compliance, Data Loss Prevention, Information Security, Risk Management.

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

I have always found that keeping up with what is happening in the world of information security was very time consuming. There are lots of newsletters and publications to read through leaving no time to get on with the day job if you read it all thoroughly and try to pick out what is really interesting and relevant.

In this post I have picked out what I think are the highlights and given the links to the sources so you can get more detail on each of them if you want it.

Please let me have your views – Do you find this valuable and worth my time continuing? Have I missed anything important? Will it save you time?

Cloud Computing

Microsoft’s Azure cloud is officially open for business from February 1st – Microsoft officially jumps into cloud computing and is now charging customers for developing and running apps in its Azure cloud. http://blogs.zdnet.com/microsoft/?p=5085

Standards

ISO/IEC 27003:2010, the international standard for the implementation of an information security management system, is now available. This is the first standard to offer comprehensive guidance on implementing an ISO/IEC 27001:2005 ISMS. Using this standard during an ISMS implementation will improve your organisation’s chances of becoming ISO/IEC 27001 certified.

The cost of this standard in the UK is £130.00. http://www.itgovernance.co.uk/news_detail.aspx?news_id=836&utm_source=Email&utm_medium=WeeklyRoundUp&utm_term=ViewOnline&utm_content=Text&utm_campaign=WC_01-02-10

Information Security Management with ITILv3 is a new title that looks at information security from the ITIL perspective. It describes how to use the strengths of both ITILv3 and the ISO/IEC 27001 family of standards to build a higher level of information security, and gain improvements in efficiency. http://blog.itgovernance.co.uk/543/?utm_source=Email&utm_medium=WeeklyRoundUp&utm_term=Body&utm_content=Text&utm_campaign=WC_01-02-10

ISO 31000:2009 Risk Management Guidance is now available. It provides principles and generic guidelines on risk management. It can be used by any public, private or community enterprise, association, group or individual, so it is not specific to any industry or sector. It can be applied to any type of risk, whatever its nature, whether having positive or negative consequences. http://blog.itgovernance.co.uk/579/?utm_source=Email&utm_medium=WeeklyRoundUp&utm_term=Body&utm_content=Text&utm_campaign=WC_01-02-10

Security Risks and data losses

Valentine’s Day brings out the cyber crooks – Security experts have issued warnings of fresh web-based attacks as Valentine’s Day approaches. Attackers are using search engine optimisation techniques to achieve high rankings on results pages for common Valentine’s Day searches. Clicking on these results will take you to sites offering items such as screen savers, wallpapers and e-cards that contain malware designed to infect your system. http://www.v3.co.uk/v3/news/2257686/valentine-day-brings-cyber

ENISA report highlights dangers of social networking via mobile phones – The European Network and Information Security Agency has released a new report into the dangers of using social networking sites, particularly from mobile phones. It outlines a number of risks and threats associated with using the sites, and advises individuals and organisations to follow 17 golden rules.

The report with its 17 golden rules is titled “Online as soon as it happens”.

Top search results riddled with malware – Similar to the Valentine’s Day warning, a Websense report warns you to be cautious about search engine results, which may lead to sites infected with malware. http://www.v3.co.uk/v3/news/2257412/top-search-results-malware

Alzheimer’s Society in breach of the Data Protection Act – Following notification of this breach, the Information Commissioner’s Office (ICO) has reminded charities that personal information must be handled securely. The Alzheimer’s Society reported three separate breaches involving personal information during 2009. These included several unencrypted laptops stolen during a burglary at its office in Cardiff last August, which held the names, addresses, national insurance numbers and salary details of around 1,000 staff across England, Wales and Northern Ireland. http://www.scmagazineuk.com/charities-reminded-about-secure-handling-of-personal-information-after-ico-finds-alzheimers-society-to-be-in-breach-of-the-data-protection-act/article/163650/

Legal

US judge dismisses Windows anti-piracy software lawsuit – A federal judge last week dismissed a three-year-old lawsuit that accused Microsoft of duping customers when it pushed its Windows Genuine Advantage (WGA) anti-counterfeit software to Windows XP as a “high priority” update that was automatically downloaded to and installed on most machines. Microsoft relies on WGA, and its successor, Windows Activation Technologies (WAT), to detect bootlegged copies of Windows. If the software sniffs out a counterfeit, it posts nagging messages on the screen. http://www.computerworld.com/s/article/9154178/Judge_dismisses_Windows_anti_piracy_software_lawsuit?source=CTWNLE_nlt_security_2010-02-09

Encryption vendor files patent lawsuit against IBM, Sun, Oracle and others – TecSec, an encryption vendor based in McLean, Virginia, has filed a patent infringement lawsuit against several large vendors, including IBM, Sun Microsystems, Cisco Systems, eBay, Oracle and Adobe Systems. The lawsuit claims that the companies have infringed 11 of TecSec’s patents covering encryption technology used by the defendants’ customers to protect commercial data, such as credit card information and health care information. http://www.computerworld.com/s/article/9154319/Encryption_vendor_files_patent_lawsuit_against_tech_giants?source=CTWNLE_nlt_security_2010-02-10

Cybersecurity Enhancement Act – The Cybersecurity Enhancement Act has been passed by the US House of Representatives by a huge margin. The 422 to 5 vote was higher than expected, and should make it easier to pass through the Senate. The legislation calls for the National Science Foundation (NSF) to spend $396m (£252m) over the next four years to fund cyber security research. http://www.v3.co.uk/v3/news/2257369/cybersecurity-enhancement-act

Best Practice or not!

Online banking customers reuse their online-banking login credentials – Online security firm Trusteer reports that 73 per cent of bank customers use their online account password to access at least one other, less sensitive website; even worse, around half (47 per cent) use the same online banking username and password for other website logins. http://www.theregister.co.uk/2010/02/02/e_banking_password_fail_survey/

http://www.networkworld.com/news/2010/020410-too-many-people-re-use-logins.html?source=NWWNLE_nlt_compliance_2010-02-05

A third of Apple iPhone users do not apply patches and application updates regularly – A survey by ESET found that many iPhone users do not connect to iTunes regularly to get updates and patches, leaving their phones, and therefore anything they connect to, at risk of attack. http://www.scmagazineuk.com/a-third-of-apple-iphone-users-do-not-connect-to-itunes-to-apply-patches-and-application-updates/article/163554/

Social media risk to the business – A new report by Forrester urges security professionals to take measured steps to reduce social media risks, rather than outright banning employees from visiting social websites. http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1380945,00.html?track=NL-358&ad=748030&asrc=EM_NLN_10855607&uid=1457049

The world of Information Security this week (Feb. 1st to 5th, 2010) February 5, 2010

Posted by Michael Stephenson in Cloud Computing, compliance, Data Loss Prevention, Identity Management, Information Security.

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

I have always found that keeping up with what is happening in the world of information security was very time consuming. There are lots of newsletters and publications to read through leaving no time to get on with the day job if you read it all thoroughly and try to pick out what is really interesting and relevant.

I have picked out what I think are the highlights and include links to the sources so you can get more detail if you want it.

Please let me have your views – Do you find this valuable and worth my time continuing? Have I missed anything important? Will it save you time?

Cloud Computing

The SaaS market for Business Intelligence – A new IDC report predicts this specific market will grow at three times the rate of the cloud computing market as a whole, at a compound annual growth rate of 22 percent through 2013. http://www.infoworld.com/d/cloud-computing/saas-bi-growth-will-soar-in-2010-511

Identity and Access Management

Oracle – Sun ongoing strategy – This week we get more details of Oracle’s plans for its merger with Sun. Sun Directory Server Enterprise Edition (DSEE) and Oracle Internet Directory (OID) will co-exist as strategic products. Oracle Access Manager will be the strategic product for web single sign-on. Oracle Identity Manager will be the strategic identity administration and provisioning product, and Sun Role Manager will be re-branded as Oracle Identity Analytics and will become the strategic identity governance product. http://blog.talkingidentity.com/2010/01/expanding-on-the-oracle-sun-idm-strategy.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TalkingIdentity+%28Talking+Identity%29&utm_content=My+Yahoo

PCI

The next revision of PCI DSS is due in October. It will contain clarifications but no major changes to the standard. http://pindebit.blogspot.com/2010/01/no-major-pci-dss-revision-expected-in.html

Mergers and Acquisitions

CA seeks cloud computing and security deals – William McCracken, CA’s new chief executive officer, said he will probably buy a company in the next two months to compete with larger rivals IBM and Oracle. He expects to spend at least $300 million a year on cloud computing and security software acquisitions this fiscal year and next. http://www.businessweek.com/news/2010-01-29/ca-s-mccracken-seeks-cloud-computing-security-software-deals.html

PGP acquired TC TrustCenter and its US parent company, ChosenSecurity. The companies provide an on-demand platform for managing trusted identities used for encryption, authentication and secure collaboration. http://www.scmagazineuk.com/pgp-announces-acquisitions-to-enable-add-electronic-transaction-capability/article/162915/

Standards

DataSeal security standard launched – The Direct Marketing Association (DMA) has launched DataSeal, a standard for companies that use consumer data for marketing and for third-party marketing services suppliers. DataSeal is backed by the British Standards Institution, which administers the ISO standards. It is seen as a “cost-effective” alternative for those that do not need to meet the full requirements of ISO 27001. http://www.printweek.com/postpress/news/980777/DMA-launches-DataSeal-security-standard/

The DataSeal standard can be found at http://www.dma.org.uk/_attachments/resources/5750_S4.pdf

Data losses

Wigan Metropolitan Borough Council loses memory stick – A memory stick containing sensitive and confidential information on more than 200 disabled residents has been reported lost in Wigan. http://www.scmagazineuk.com/memory-stick-that-contained-personal-details-of-disabled-people-lost-by-wigan-metropolitan-borough-council-staff/article/163045/

People

E-DMZ Security appoints new EMEA VP – Andrew Clarke has been appointed as vice president and managing director EMEA at e-DMZ Security. http://www.scmagazineuk.com/e-dmz-security-target-emea-region-with-new-appointment/article/162899/

CA names William McCracken as its new chief executive. McCracken was standing in as CEO following the retirement of John Swainson, but he has now been confirmed as the new CEO. He will keep his old position as chairman and serve in both roles. http://www.v3.co.uk/v3/news/2257042/ca-appoints-chief-executive

Upsurge in Infosec jobs for 2010 – Private companies are starting to hire security staff again. According to the 2010 market report from Barclay Simpson Associates Ltd., private sector companies have begun recruiting for many of the vacancies that they were prevented from filling last year because of the recession. http://searchsecurity.techtarget.co.uk/news/article/0,289142,sid180_gci1380319,00.html?track=sy920&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+920+%28SearchSecurityUK%3A+Security+UK+News%29&utm_content=My+Yahoo

Legal

US courts move to ban juror use of Blackberry, iPhone, Twitter and Facebook – This item suggests that US jurors have been allowed to play with phones and mobile devices whilst deciding the fate of their peers. These things are already banned in the UK – no laptops, mobile phones, cameras or other recording devices are allowed, so UK jurors will hopefully concentrate more on the matter in hand. http://www.networkworld.com/community/node/56940?source=NWWNLE_nlt_security_identity_2010-02-03

HP-EDS ordered to pay BSkyB £200m-worth of damages in an interim payment after being found guilty of fraudulent misrepresentation in a legal battle over a failed IT system. http://www.computing.co.uk/computing/news/2257319/hp-eds-ordered-pay-200m-bskyb

This case will have consequences for all IT suppliers, whose sales teams will need to be much more careful over the claims they make for any solutions they are offering. http://www.computing.co.uk/computing/analysis/2257145/eds-defeat-puts-vendors-guard

iPad

iPad tablet UK availability announced – Apple revealed the wi-fi only version of the iPad will be available in the UK from March. The more expensive 3G version will follow in April. http://www.silicon.com/technology/hardware/2010/02/02/apples-ipad-uk-release-date-revealed-39745419/?s_cid=103

Apple iPad for business – Silicon.com’s exclusive panel of CIOs and IT directors say that with the right applications the iPad will have a strong future for business use. http://www.silicon.com/management/cio-insights/2010/02/03/apple-ipad-for-business-yes-please-say-cios-39745417/?s_cid=103

iPad scams begin – Security firm Websense reported in a security alert that attacks began to appear within hours of the iPad’s unveiling. Specially crafted sites have been loaded with keywords in order to appear in Google searches for terms such as ‘Apple Tablet’. http://www.v3.co.uk/v3/news/2256982/security-firms-warn-ipad-scams