
The world of Information Security This Week - Jan 25th to 29th 2010 (January 29, 2010)

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, compliance, Data Loss Prevention, Identity Management, Information Security, Risk Management.

A quick look at the highlights of this week‘s news in the world of Information and Cloud Computing Security for busy people.

I have always found that keeping up with what is happening in the world of information security was very time consuming. There are lots of newsletters and publications to read through. If you tried to read it all thoroughly and pick out what is really interesting and relevant, it would leave little time to get on with the day job.

In this blog I have picked out what I think are the highlights of this week’s newsletters and publications and given a brief summary and the links to the sources so you can get more detail on each of them if you want it.

I will appreciate your comments on whether you find this valuable and worth my time continuing. Do you think I have missed anything important? Is this still too long for busy executives and consultants to get through? Please let me know what you think in the comments.

New Releases

Facebook Security Suite A security suite for Facebook has been launched by Websense. Working as a Facebook application, it allows you to configure your protection level, block URLs and content being posted, and use keywords to block. http://www.readwriteweb.com/archives/websense_launches_first_ever_security_suite_for_facebook.php

HP Security Services announcement Hewlett-Packard Co. today announced an extensive security-services portfolio that includes more than 90 basic offerings, ranging from application, identity and access management security to business continuity, cloud computing and managed services, aimed at businesses and government. http://www.computerworld.com/s/article/9147999/HP_unveils_extensive_security_services_package?source=CTWNLE_nlt_security_2010-01-25

Virtualisation Security Cisco, NetApp and VMware Tuesday announced a project to improve the security of virtualization deployments, with a focus on isolating applications that use the same physical network, server and storage resources in multi-tenant systems. The collaboration is designed to help customers link the Cisco, NetApp and VMware products together in a way that protects them from dangers that crop up in multi-tenant environments. http://www.networkworld.com/news/2010/012610-cisco-netapp-vmware-security.html?source=NWWNLE_nlt_security_identity_2010-01-27

Apple iPad Last, but by no means least, is the announcement of the Apple iPad, which gives another mobile device for which security needs to be considered as people bring them into the enterprise and migrate corporate business information onto them. http://www.scmagazineuk.com/apple-launches-the-ipad-to-huge-fanfare-but-questions-are-asked-about-its-capability-and-security/article/162537/

Cloud Computing

The G-Cloud Whitehall has unveiled plans for a government cloud computing environment which will see applications moving from data centres, allowing the government to reduce the number of data centres it has to support. It should also allow the sharing of applications between government departments. The whole project is expected (hoped) to cut hundreds of millions from the public sector’s IT spend. Let’s hope it does that and doesn’t become one more government project for the taxpayer to pour our hard earned money into. http://www.silicon.com/management/public-sector/2010/01/28/inside-the-g-cloud-whitehalls-grand-cloud-computing-plan-unveiled-39745380/?s_cid=931

10 Questions to ask about Cloud security CA cloud security expert, Tim Brown, gives ten questions you should think about before you make the move into Cloud Computing. These questions focus on the business risks of cloud computing and form an excellent base to build your plans for any cloud computing project to ensure that it will not adversely impact the business. http://www.cio.com/article/524214/Cloud_Security_Ten_Questions_to_Ask_Before_You_Jump_In?page=1&taxonomyId=3024

Identity and Access Management

Microsoft passes SAML 2.0 test Microsoft’s federated identity platform passed its first SAML 2.0 interoperability test this week with favourable marks. The tests are part of the Liberty Alliance and Kantara Initiative multivendor interoperability testing. This should mean an end to the vendor’s resistance to the standard. http://carolynramon376.blogspot.com/2010/01/microsoft-passes-its-first-saml-20.html

CA and others take part in Kantara workshop CA, NTT, Ping Identity and Oracle Corporation, among others, will be taking part in the Kantara Initiative’s annual workshop at the RSA Conference, March 1, 2010. http://kantarainitiative.org/wordpress/2010/01/kantara-initiative%e2%80%99s-annual-workshop-march-1-2010-promises-to-be-educational-packed-day/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+kantarainitiative+%28Kantara+Initiative+Blog%29&utm_content=My+Yahoo

The Kantara Initiative, for those who haven’t come across it, is a non-profit organisation set up to address the harmonisation and interoperability challenges that exist between enterprise identity systems, Web 2.0 applications and services, and Web-based initiatives. Its Mission Statement can be seen at the link below. http://kantarainitiative.org/confluence/display/GI/Mission

PCI

The Payment Card Industry Security Standards Council (PCI SSC) announces plans to improve the training and oversight of PCI QSA certification for the individuals who conduct PCI Data Security Standard (DSS) compliance assessments. This should give more consistency in the implementation of PCI initiatives by companies who need to meet these standards, hopefully improving the protection these organisations give to their cardholder data.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1379712,00.html

Passwords

Users still bad at choosing passwords An analysis of 32 million passwords shows that users still are not very good at picking secure passwords. “12345” is the most popular, along with “password”, which is often a default just left in place. http://www.computerworld.com/s/article/9147138/Users_still_make_hacking_easy_with_weak_passwords?source=CTWNLE_nlt_security_2010-01-22

To help solve the problem I came across this set of tips on creating more secure passwords which I thought was very useful. Something you could pass on to users as part of a security awareness training session. http://www.networkworld.com/news/2010/012210-creating-secure-passwords-you-can.html?page=1
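As an added example (not part of the original post or the linked articles), the check below turns the point of these two items into code: a password policy that rejects the blocklisted and default values the analysis found, plus a frequency count of the kind that surfaced “12345” as the most popular value. The blocklist, the default-password list, the minimum length and the sample password set are all constructed for the example; a real deployment would load a full leaked-password list rather than this handful of entries.

```python
"""Password policy check showing why "12345" and "password" fail.

Added example, not from the original post. Every list below is a small
constructed sample; the analysis cited in the post covered 32 million
passwords, and a real check would load a list of that scale.
"""
from __future__ import annotations

from collections import Counter

# Constructed blocklist of the kinds of values the cited analysis found at the top
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "qwerty", "letmein",
}

# Constructed list of vendor-style defaults that are often left in place
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "default", "welcome"}

MIN_LENGTH = 12  # assumed policy value for the example


def _is_sequential(pw: str) -> bool:
    """True if every character steps by exactly +1 (e.g. '12345', 'abcde')."""
    if len(pw) < 4:
        return False
    return all(ord(b) - ord(a) == 1 for a, b in zip(pw, pw[1:]))


def _is_repeated(pw: str) -> bool:
    """True if the password is one character repeated (e.g. 'aaaaaaaaaaaa')."""
    return len(set(pw)) == 1


def check_password(pw: str) -> list[str]:
    """Return the policy failures for pw; an empty list means it is accepted."""
    failures = []
    lowered = pw.lower()          # blocklist matching is case-insensitive
    if lowered in COMMON_PASSWORDS:
        failures.append("in common-password blocklist")
    if lowered in DEFAULT_PASSWORDS:
        failures.append("is a vendor default")
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if _is_sequential(lowered):
        failures.append("sequential characters")
    if _is_repeated(pw):
        failures.append("single repeated character")
    return failures


def most_common(passwords, n: int = 3):
    """Frequency count over a password set, the kind of tally the cited analysis did."""
    return Counter(p.lower() for p in passwords).most_common(n)


# Constructed sample standing in for the analysed password set
SAMPLE = ["12345", "password", "12345", "qwerty", "12345", "Password",
          "correct horse battery staple", "aaaaaaaaaaaa", "abcdefghijkl"]

if __name__ == "__main__":
    for pw, count in most_common(SAMPLE):
        print(f"{pw!r}: {count}")
    for pw in sorted(set(SAMPLE)):
        verdict = check_password(pw) or ["ok"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

Running the block prints the top three entries of the constructed sample and the verdict for each distinct password. The blocklist check is the part that matters most for an awareness session: a value like “Password” can satisfy a naive complexity rule and still be one of the first values tried against any account, so a policy that only counts character classes does not address the finding in the article.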

Mergers and Acquisitions

Oracle’s acquisition of Sun comes nearer now that they have gained approval for the takeover from the European Union. http://www.scmagazineuk.com/oracle-moves-closer-to-sun-microsystems-acquisition-after-eu-approval/article/162047/

As the combining of these two organisations comes nearer, it is clearly making potential competitors think about what sort of competition they are going to face, as we see from the announcement by HP and Microsoft of investment to integrate their hardware and software systems. http://www.informationweek.com/cloud-computing/blog/archives/2010/01/hp_and_microsof.html?cid=RSSfeed_IWK_ALL

Security Risks and data losses

Facebook launches a new platform feature that will enable developers to request email addresses from their users, increasing the security risk to users as their email information is collected and stored. http://www.scmagazineuk.com/facebook-changes-to-its-application-platform-could-lead-to-security-nightmare-as-users-email-addresses-will-be-collected-and-stored/article/162052/

Users less inclined to share on social networking sites In a survey of 4,500 consumers worldwide conducted by the RSA division of EMC, 65 percent of the respondents said that they are now less likely to share information via online social networks due to security concerns. http://www.itbusinessedge.com/cm/blogs/vizard/rsa-survey-online-security-confidence-crisis-coming/?cs=38826

MoD Security breaches The MoD has admitted that security breaches have occurred due to the use by their staff of social networking sites, raising again the question of whether businesses should allow their staff access to these sites from work. http://www.computerweekly.com/blogs/tony_collins/2010/01/mod-admits-16-breaches-of-secu.html

Data loss at the cleaners Other ways of people losing data and leaking confidential information continue to be high on the list of security risks that having people in the system introduces. A UK survey shows that in the past year 4,500 flash drives were left at the cleaners and 12,500 mobile devices were left in cabs. http://www.computerworld.com/s/article/9147100/Storage_wrinkle_4_500_flash_drives_left_at_the_cleaners?source=CTWNLE_nlt_security_2010-01-22

Ladbrokes data risk Ladbrokes is investigating the loss of thousands of customer details from one of its databases, but is reassuring gamblers that the information did not include bank details or passwords. The information on this suspected leak was given to the Information Commissioner’s Office. http://www.theregister.co.uk/2010/01/25/ladbrokes_data_fail/

500K Fines for data loss These sorts of incidents become more critical to UK organisations as the Information Commissioner’s Office takes powers, expected to come into force from April, that mean companies that lose individuals’ sensitive personal data will face a fine of up to £500,000. http://www.silicon.com/technology/security/2010/01/13/500k-data-loss-fine-could-hit-from-april-39745328/

http://www.computerweekly.com/Articles/2010/01/27/240089/report-data-breaches-or-risk-tougher-sanctions-warns.htm

Security ROI

The Cyber Security Watch survey, conducted by CSO Magazine with the U.S. Secret Service, Carnegie Mellon University CERT and Deloitte & Touche, shows organisations are beginning to wonder if they are getting any return on their security investments. One reason this may arise is that organisations very rarely measure the benefits of a project: they fail to take baseline statistics before the project is initiated, and if the project completes reasonably successfully they do not measure the expected improvements. So I think these findings are likely to be very subjective, but they will certainly be of concern to security vendors, as perception is as good as reality in the way customers feel about a project’s success. http://www.csoonline.com/article/518764/Companies_on_IT_Security_Spending_Where_s_the_ROI_?source=CSONLE_nlt_update_2010-01-26

The risks of cloud computing December 14, 2009

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security.

In my last post I talked about the huge benefits and competitive advantage to be had for business by using cloud computing services. However, like everything else in life, all is not sweetness and light; there are some downsides to using these services. The good news is that these issues are not insurmountable; you can do something about it.

In fact the risks you face are the same as the risks that you face with any computing application that is running in house. The difference here is that someone else will be mitigating these risks for you.

But first let’s look at what the risks are.

Loss of control of your data – this includes the risk of data theft, data destruction, corruption and disclosure, and how the data is backed up. You are putting your business data into someone else’s computers, so you need to be sure they are going to take good care of that data.

Disruption of service – if the cloud service you are using is business critical and the provider’s service goes down then you will have a major problem; the loss of any service is going to cause problems and inconvenience at the least. To avoid this you will need to think about how you, or the provider, will deal with this situation.

You also are placing extra reliance on your own communications links so will need to see they are resilient.

Compliance and regulation – one aspect of this is the compliance requirements of your organisation. You will need to ensure that the cloud provider is meeting all the requirements that you are subject to for the information it is handling on your behalf. This is critical for your business as the responsibility and liability remains with you even though someone else is implementing the compliance requirements.

Another aspect to consider is the location of the cloud provider’s systems that are hosting your services and information. You will need to check whether that location means that your business falls within a different jurisdiction that imposes different or additional compliance requirements on you.

Security is one of the biggest risks facing you as you move to cloud computing services. It is seen by some commentators as the stumbling block to the take up of cloud computing services. There is the security of communication between you and the provider as you are conducting your business over communication links to remote computer systems, and there is the security of your business information as it is stored, processed and moved on the provider’s IT systems.

Despite these risks we are seeing more and more take up of cloud computing services, so businesses are either finding ways to mitigate these risks, or are finding the business benefits so large that they are willing to take the risk. More worryingly, there are some who are ignoring or are unaware of the risks and are potentially putting their businesses, which might be holding your personal data, in danger.

In a future posting I will look at the steps that can be taken to mitigate some of these risks.