Sunday, March 4, 2007

Dynamic Security is the ultimate tool for physical and IT security convergence

Study: Convergence fears are in decline

Finds three biggest concerns for CIOs are network cost reduction, security and bandwidth

Bryan Betts

March 02, 2007 (TechWorld.com) -- Voice/data convergence is no longer a major worry for CIOs. They are more likely to worry about Multiprotocol Label Switching (MPLS) integration -- both within their own networks and with those of multiple suppliers -- according to a survey by virtual network operator Vanco Plc.

WANs are on average getting easier to manage, said Vanco marketing manager Michael Piddock. The survey found fewer managers spend more than a day a week managing WAN issues compared with last year, but fewer also spent no time managing them. WAN management needs appear to be converging on two to six hours a week.

The survey asked CIOs what the three biggest priorities would be for their networks over the next two years. It queried 276 companies, all of which spend at least $330,442 a year on networks. It included six large European economies, the U.S., Singapore and Australia.

The three biggest concerns for CIOs are much the same as a year ago: network cost reduction, security and bandwidth, Piddock said. However, there were two notable new entries on the chart, in the shape of MPLS migration and wireless/remote network access, while voice/data convergence fell from No. 4 last year to No. 5.

The issues move around depending on which region you look at, he added. If only European CIOs are asked, migration to MPLS is last year's worry and has drastically tailed off now. Piddock said that this year's survey also showed a big rise in concerns about "softer" issues such as flexibility, manageability, ease of service and relationship management.

"Enterprises have come to terms with issues such as the financial stability of network suppliers, and now service capability is more important," he said.

Another typical role, instead of a simple deployment of Dynamic Security

Feds hope to boost business role in slowing cyberattacks

Private sector seeks more intelligence on potential strikes, needs asset tallies

Patrick Thibodeau

March 02, 2007 (Computerworld) -- WASHINGTON -- As reports of cybersecurity incidents grow, U.S. Department of Homeland Security officials plan to improve their ability to work on the problem face to face with private-sector experts.

The DHS plans to collocate private-sector employees from the communications and IT industries with government workers at the U.S. Computer Emergency Readiness Team (US-CERT) facility here, said Gregory Garcia, assistant secretary of cybersecurity and telecommunications at the DHS. The teams will work jointly on improving US-CERT's information hub for cybersecurity, Garcia said. The agency didn't specify a starting date for the program but said it will begin soon.

US-CERT is a four-year-old DHS-run joint effort of the public and private sectors to protect the nation's Internet infrastructure. "It's through this collocation that we are going to build a strong trust relationship, an information-sharing relationship," said Garcia.

Such collaboration programs will improve the monitoring of suspicious Internet activity "so we will be able to better analyze [in] real time what is happening and take steps to mitigate it and have a synchronized and instantaneous response capability," he said.

Garcia outlined the efforts to improve cooperation between the public and private sectors at the Armed Forces Communications and Electronics Association's Homeland Security Conference held here this week.

Garcia and other speakers at the conference said that the need to improve such cooperation, as well as the need to improve IT security overall, is becoming more urgent daily. "What we are seeing among our adversaries is increasing sophistication in terms of their capabilities, in terms of the threats that they impose upon our networks," Garcia said.

In all of 2006, 23,000 incidents -- 75% of them in the private sector -- were reported to US-CERT. According to the DHS, an incident can be an attempt to gain unauthorized access into a system, a denial of service or any other kind of Internet disruption.

In the first quarter of the federal fiscal year, which began Oct. 1, 19,000 incidents were reported, said Jerry Dixon, who heads the DHS's National Cyber Security Division.

The number of incidents is growing, Dixon said, but many firms and government entities still aren't prepared to deal with threats because they don't know what they have in their compute environments.

"How can you manage risk if you don't have a good handle on what your environment looks like?" asked Dixon, who noted that he has made on-site visits to large private companies as well as to state and federal agencies.

Karl Brondell, a strategic consultant at State Farm Insurance, added that industry and government "really aren't prepared today to address that significant attack that will come to us, potentially, through cyber." He cited a Business Roundtable report that identified gaps in private-sector cybersecurity. The Washington-based Business Roundtable is an association of CEOs from large companies.

Although Brondell said that efforts to improve cybersecurity have been somewhat successful, he noted that the U.S. "lacks an adequate and truly comprehensive system of early warning of impending attacks."

Brondell said that private-sector businesses could improve security with better access to "chatter" about potential attacks heard by government security agencies.

Garcia said that as US-CERT gains visibility and effectiveness, officials hope to expand its membership to more business sectors.

"We will then have a truly national capability across critical infrastructures, sharing information, and [responding] to incidents as they are [happening] -- that is one of the key priorities," said Garcia.

 

ID theft prevention help comes with IDentiWall by Made4Biz security

VA slow to strengthen IT security

Jaikumar Vijayan

March 02, 2007 (Computerworld) -- The U.S. Department of Veterans Affairs still hasn't adequately addressed many of the internal IT security shortcomings cited following the loss last May of a laptop with personal data about 26.5 million veterans and active-duty personnel, according to government and agency auditors.

As a result, sensitive data is still at risk of being accidentally or deliberately misused across the VA, the auditors warned this week at a congressional hearing on the agency's information and security management processes.

In response, VA Deputy Secretary Gordon Mansfield said the agency is working hard to implement a series of recommended changes and has made "substantial progress in a relatively short time frame." He acknowledged, though, that the VA has yet to achieve its overall goal of becoming a security role model for other federal agencies. "We have done a lot of work and come a long way since last May's major incident occurred," Mansfield said. "But we still have an awful long way to go."

The hearing was held by the oversight and investigations subcommittee of the House Committee on Veterans' Affairs. U.S. Rep. Harry Mitchell (D-Ariz.), the subcommittee's chairman, said the panel originally planned to review the VA's information security efforts later this year. But the review was accelerated after the VA disclosed last month that a portable hard drive with information on up to 1.8 million veterans and doctors had been reported missing from its medical center in Birmingham, Ala., on Jan. 22.

Gregory Wilshusen, director of information security issues at the U.S. Government Accountability Office, said at the hearing that the VA has taken several "important steps" to improve its IT security practices. That includes an ongoing centralization of security functions and personnel under the CIO's office and the establishment of "a data security corrective plan" to serve as a guideline for some of the planned changes, he said.

But many of those changes have yet to be fully implemented, Wilshusen added. For example, policies for assessing risks and implementing enterprise patch management capabilities haven't been developed. Nor does the VA have a plan for proactively mitigating known vulnerabilities across all of its systems, he said.

In addition, of the 24 agencies covered under the Federal Information Security Management Act, the VA is the only one that didn't submit a report for 2006 on its compliance with FISMA to the White House Office of Management and Budget, Wilshusen said.

Maureen Regan, counselor for the VA's inspector general, said at the hearing that there now is a greater awareness of the need for change within the agency. But there is still a lack of effective internal controls and accountability, she added.

An ongoing audit of the VA's FISMA compliance has shown that none of the 17 security recommendations made in previous reports has been implemented thus far, Regan said. She also said that the inspector general's office expects to cite "several new high-risk areas," including remote access and the ability of non-employees to gain access to sensitive data.

Ten months after the laptop was stolen from the home of a VA employee, the agency has yet to determine how many of its employees and contractors are using personally owned systems to access VA networks and data, said Regan.

The agency also doesn't have any way of knowing what data is being downloaded and stored on such devices, she said. In addition, much of the agency's sensitive data remains unencrypted, as do many e-mail transmissions.

Mansfield pointed to the ongoing centralization of the VA's IT organization and the establishment of a security operations center as examples of the changes being made by the agency. He also noted that at an off-site meeting of senior managers on Feb. 21, VA Secretary R. James Nicholson reiterated his order that all supervisors take responsibility for protecting information.

But progress at the VA has been slow because of the enormous scope of the work involved, Mansfield said. "We still have out there a largely decentralized system," he said. "It is nonstandardized. So there are no simple fixes."

Robert Howard, the VA's assistant secretary for information and technology, said the agency is on track to complete the centralization of all IT operations by July 2008. All software development programs will be shifted to the central IT unit by the start of next month, according to Howard.

Meanwhile, the search is on again to find a chief information security officer, a position that has been vacant since the former CISO resigned last June. Mansfield said the hiring process has been delayed because a candidate who had been chosen for the job accepted another offer at the last minute.

It's never enough for Dynamic Security

Why your Web apps are sitting ducks

Lousy code, PHP and search engine hacking tools lead to vulnerabilities, study says

Bob Brown

March 02, 2007 (Network World) -- Despite improvements in code quality, Web servers remain at high risk of being hacked, according to a new paper from researchers who use honeypot technologies to examine how hackers tick.

The Honeynet Project, which provides real systems for unwitting attackers to interact with, says Web applications remain vulnerable for a host of reasons. These include poor-quality code, the fact that attacks can be performed using PHP and shell scripts (which is generally easier than using buffer overflow exploits), and the emergence of search engines as hacking tools.

What's more, Web servers can be a gold mine for hackers, in that they have higher bandwidth connections than most desktops and often link to an organization's databases. The group's findings are outlined in a paper titled "Know Your Enemy: Web Application Threats." Researchers involved in honeynet projects in Chicago, Germany and New Zealand collaborated on the paper.

The report reads at one point: "Web applications commonly face a unique set of vulnerabilities due to their access by browsers, their integration with databases and the high exposure of related Web servers. The modern Web server setup commonly presents multiple applications running on one host and available via a single port, creating a large surface area for attack."

Code injection, remote code-inclusion, SQL injection and cross-site scripting are cited as common attack modes. Search, spider and IP-based scanning are cited as typical of the discovery techniques used by hackers seeking vulnerable applications.

Hackers attempt to disguise their identities using proxy servers, the Google Translate service, onion routers and other systems, the researchers write.

Defacement, phishing attacks, e-mail spam, blog spam, botnet recruitment and hosting of files were found to be among the hackers' goals.

"By becoming a tool for an attacker to inflict harm on other systems, a site may be opening itself up to liability issues if they have not been paying sufficient attention to security," according to the report. "For example, if a machine is joined to a botnet, it may be a participant in a denial-of-service attack against an external site, or may be used to recruit other machines into the botnet."

While the researchers said more of the same is in store for organizations using Web servers and applications, they did offer security recommendations. These include keeping an inventory of applications on Web servers and maintaining patch levels for them, as well as correctly configuring Web servers. Network and host-based intrusion-detection systems can also help, the researchers said.
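As an added example (not code from the Honeynet paper or from any of the articles above), the following Python script shows the kind of host-based signature check the researchers' intrusion-detection recommendation implies: it scans constructed Apache access-log lines for the attack modes the report cites (remote file inclusion, SQL injection, cross-site scripting). The log lines, IP addresses and signature patterns are all constructed for illustration and are not the paper's ruleset.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Mar/2007:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2007:10:01:07 +0000] "GET /index.php?page=http://example.invalid/x.txt? HTTP/1.1" 200 88 "-" "libwww-perl/5.805"
198.51.100.2 - - [02/Mar/2007:10:02:11 +0000] "GET /news.php?id=5%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "Mozilla/4.0"
198.51.100.7 - - [02/Mar/2007:10:03:45 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.8 - - [02/Mar/2007:10:04:00 +0000] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method and request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

# Illustrative signatures (assumed, not the paper's ruleset) for the attack modes
# the report cites. Each is applied to the URL-decoded request path.
SIGNATURES = {
    "remote_file_inclusion": re.compile(r"=\s*(https?|ftp)://", re.I),
    "sql_injection": re.compile(
        r"(\bunion\b\s+(all\s+)?\bselect\b|'\s*or\s+\d+=\d+|--\s*$)", re.I
    ),
    "cross_site_scripting": re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.I),
}

def classify_request(path):
    """Return the names of every signature that fires on a request path.
    The path is decoded twice so single- and double-encoded payloads both match."""
    decoded = unquote(unquote(path))
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(text):
    """Return (ip, path, hits) for each parsable log line that matches a signature."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        hits = classify_request(m.group("path"))
        if hits:
            alerts.append((m.group("ip"), m.group("path"), hits))
    return alerts

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {','.join(hits)} {path}")
```

Signature matching of this kind catches the scripted, search-engine-driven probes the paper describes; it complements, rather than replaces, the inventory, patching and configuration steps the researchers list first.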

Made4biz Security: Translating real-world security know-how into state-of-the-art security systems.
