Sunday 29 June 2008

Thieves steal tapes holding 2.2M billing records (Source: Network World)

By Brian Fonseca, Computerworld, 06/11/2008

University of Utah officials this week acknowledged that a metal box of backup tapes containing billing records of some 2.2 million patients was stolen early this month from the car of a courier who left it in a parked car overnight outside his home.
The missing tapes were taken on June 2 from the car of an employee of Perpetual Storage, an independent storage company hired by the university to transport its computer tapes to off-site facilities, said school officials. The tapes contained names, demographic information and Social Security numbers of patients of the University of Utah Hospitals & Clinics healthcare system.
The healthcare system has suspended all backup tape deliveries to Perpetual Storage pending a full review of the company's protocols and procedures, said a university spokeswoman.
The spokeswoman confirmed that Perpetual Storage fired the individual involved with the data breach for violating company data security transportation protocols. The driver had been employed by Perpetual Storage for 18 years, she said.
The spokeswoman said the driver informed his employer immediately upon discovering that the tapes were lost. Perpetual Storage informed the University of Utah Hospitals & Clinics officials within 24 hours of the breach, she added.
Perpetual Storage did not immediately return calls by Computerworld seeking comment.
The university spokeswoman declined to say whether any of the missing data storage tapes were encrypted.
Lorris Betz, senior vice-president for Health Sciences and CEO of University of Utah Health & Clinics, said in a posted alert that it's unlikely that any information on the backup tapes will be exposed to thieves. "Although it is unlikely that information on the tapes will be compromised, we are nevertheless taking aggressive steps to protect our patients' confidentiality," Betz said in the post.
The university plans to mail notification letters to all patients whose data was held on the stolen tapes and offer them free credit monitoring services. The missing tapes did not hold any credit card information, noted school officials.
The university is offering a reward of $1,000 for the return of the stolen tapes with "no questions asked." The Salt Lake County Sheriff's Department, the FBI and U.S. Postal Service are investigating the theft.

Top five compliance challenges in a virtualized world (Source: SCMagazine)

By Chris Farrow, director of product strategy, Fortisphere
March 28 2008
News flash! Virtualization is here to stay. Despite the naysayers, virtualization is showing some extremely compelling ROI and transforming the way corporate IT provisions and administers not only the data center but also the user desktop experience. Big businesses, analyst firms and the vendor community all point towards virtualization continuing to enjoy huge growth in adoption as a core IT strategy. However, recent studies have shown that organizations frequently get enamored by the hot technology of the day (such as VOIP or SOA) and begin to deploy virtualization before the complexities and impact to security and compliance are well understood. Significant challenges to IT compliance are introduced when you consider the mappings of policy, guidance and the resulting controls that now have to be considered through the layers of virtualization. Here are five challenging aspects of IT compliance when dealing with virtualization:
Discovery and inventory: You can't measure what you can't see (or for that matter, don't even know exists). Determining which virtual machines (VMs) are active, which are abandoned or dormant and what data they are accessing is a fundamental part of defining your scope of compliance and applying the appropriate IT controls. Perhaps of a greater concern is how organizations cope with unapproved or rogue VMs.
Chain of custody: Can you provide an audit trail for critical VMs as they move from development to testing to production? Are only approved changes occurring and are they made by the appropriate personnel? Due to the dynamic and mobile nature of virtualization, keeping track of where the VMs are, who touched them and what changed is key for audit documentation and a true lifesaver in incident response scenarios.
Separation of critical assets (especially in a hosted environment): How do you know that customer A VMs are properly segregated from customer B VMs? Are low risk, non-critical VMs being hosted on the same box as high risk, mission critical VMs? Add features like VMotion and DRS in plus some modern storage solutions and there is good chance that things are not so cleanly separated. Having the ability to make VMs aware of their risk profile and location is going to be critical as more organizations adopt virtualization.
Software license violations: Push-button provisioning has become a huge contributor to virtual sprawl and major corporate licensing violations. This one seems simple but take the case of a software development shop. The vendor tools make it quick and easy to build a server for coding or testing purposes but then you can clone it, copy it and move it and before long there are numerous copies of the OS, applications and development tools floating around. Software inventory and metering will have to learn some new tricks in the context of products like VMware's Lab Manager.
Subject Matter Expertise (SME): Virtualization is being rolled out faster than IT audit staff is being trained. IT compliance and audit professionals have just not had the training and time they need to appropriately understand the role virtualization plays in regulatory compliance. This is an area that can be solved but it will take effort from the vendor community working alongside organizations like ISACA, ISSA, IIA and SANS.

Virtualization offers enterprises unprecedented opportunities to increase agility, reduce costs and operate more efficiently. But, it also adds new challenges to IT, security and risk management for organizations when defining, deploying and enforcing IT policies. If not managed properly, the benefits that virtualization promises can actually add to the pressure of compliance mandates. It is clear that organizations are facing serious challenges that require an intelligent, controlled and well planned approach to delivering secure and sustainable growth of their virtual environments.

Worth the upgrade (Source: SCMagazine)

April 01 2008
Millions of retail customers are no doubt still troubled by the massive 2005 data breach at TJX Companies and the cost of monitoring their accounts. However, security professionals, especially those using outdated wireless encryption, are likely more anguished about the attack method used than the mountains of lost data. That's because, nearly two years after the attack occurred, it's apparent that the malicious hackers used simple technology – a laptop and a telescope-shaped antenna – to crack the obsolete wireless connection at a Marshalls outlet in Minnesota. That St. Paul branch – like other retail outlets – was, according to investigators, running the Wired Equivalent Privacy (WEP) encryption standard, which was superseded nearly five years ago by the more robust Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) guidelines.

The use of WEP encryption by retail chains was, in retrospect, a massive data breach waiting to happen, say wireless experts. Although the more recently created WPA and WPA2 offer stronger protection and meet most of the requirements of the IEEE 802.11 encryption standard -- as well as being recommended by the Wi-Fi Alliance, a wireless industry trade group -- many retailers are still comfortable with WEP, in use since 1999. However, the aging standard is rife with problems, and has been from the start, says David King, chairman and chief executive officer at AirTight, a wireless security vendor. “Even from its earliest inception, WEP was controversial because it was behind other existing standards. WEP had already been hacked, but what the standards groups were thinking about was how important was security going to become, and they wanted something that was as cheap as possible,” he says.
“By about 2000, there were already all these academic articles about people exploiting WEP vulnerabilities, man-in-the-middle attacks and cracking attacks.”

The newer WPA features 128-bit key encryption and a 48-bit initialization vector and is certified on all laptops and wireless devices. Required for mobile PCs since 2003, WPA and WPA2 are the suitable security standards for the corporate world, says Kelly David-Felner, senior marketing manager at the Wi-Fi Alliance, who calls WEP “broken and absolutely not acceptable for enterprises.”

“WEP was widely known to have security flaws by late 2000 and early 2001, and by that point [developers] were already working on IEEE 802.11i. April 2003 was when we announced the first version of WPA and that was in response to a market need for a security Wi-Fi that had not been cracked. WPA2 encompasses the entire [802.11] standard,” she says. “WPA has yet to be cracked and any enterprise should absolutely be using WPA2 security.”

An acceptable investment

Although the specter of massive data breaches – and costs ranging in the millions to repair the damage – hangs over every enterprise that stores consumer data, an upgrade from WEP to WPA is not as simple as downloading new software. Due to the proliferation of handheld wireless devices, such as barcode scanners and registers in use in grocery stores and high-end clothing outlets, an upgrade to WPA can cost millions of dollars in new equipment and training for employees, says David Thomas, vice president of product strategy at AirDefense. “WEP is a protocol of the past, as far as its cryptography strength goes, but unfortunately wireless being the physical thing that it is, it's very difficult for people to migrate. So it's extremely unlikely that there would be a WEP deployment again.
There might be some smaller businesses that, due to a lack of education, might use WEP because they used it recently and they don't know the difference – it's actually harder to configure and use,” he says. “It all boils down to cost at the end of the day – and another thing is training. When you deploy many different handheld devices, there is a lot of training involved and it might be quite a migration.”

While some corporate executives see headlines describing data breaches and feel an extreme sense of urgency, others must answer to a higher power: business cycles. With WPA nearing its five-year anniversary as the wireless encryption standard of choice, enterprises not scheduled to implement the technology for years risk upgrading on the eve of the introduction of another security yardstick. They also lay their businesses bare to vulnerable endpoints, says Michael Argast, analyst at anti-virus vendor Sophos. “Legacy equipment can be a big challenge here. For example, I run WPA2 at my house, but often visitors with older laptops are unable to connect because their wireless network interface cards aren't new enough to support the stronger crypto requirements. If you extend that to a retail environment, it could mean changing hardware in endpoints, which can be quite time-consuming and expensive, and devices may not be due to be replaced due to business cycles,” he says. “So, the security manager was often asking the business to break into an upgrade cycle early due to a vulnerability.”

In the case of a wireless encryption upgrade, compliance standards – usually an ally to security officers making the case for additional funding – are not necessarily a talking point of choice.
The Payment Card Industry Data Security Standard, which has spurred retailers and merchants to improve their data security out of fear of fines from Visa and other credit giants, leaves a considerable gray area in reference to wireless security, says Josh Wright, senior security analyst at Aruba Networks. “From our position, we see different issues. When we talk about WPA and WPA2 we can also talk about WPA enterprise and WPA personal. When we start dealing with PCI, it says everyone should use WPA, but it doesn't differentiate between enterprise and personal,” he says.

To make matters more complicated, some enterprises use WEP – in coordination with other anti-intrusion technologies – to meet their PCI DSS requirements, which mandate that businesses rotate encryption keys on a regular basis. That routine does not present much of a hurdle for practiced cyberattackers, says Wright. “I've read a number of reports and empirical analysis and realized that some stores out there are still running WEP. Apparently a lot of people still haven't made the transition,” he says. “The PCI standard doesn't actually require WPA or WPA2, but you can use WEP as long as you rotate the keys, at least quarterly. It takes a hacker at least 10 minutes tops to break a WEP key.”

TJX as selling point

The massive TJX data breach – which sent millions of American, Canadian and British shoppers scurrying to protect their credit – may have a silver lining when it comes to wireless security. Although WEP's vulnerabilities were already on the minds of executives before news of the data loss broke, the threat of a copycat intrusion has given security professionals extra ammunition to sell upgraded encryption to the corporate boardroom, says Argast. “The media coverage of the TJX breach has helped increase visibility to the executive levels of these businesses, but largely the security departments in retailers were already quite aware of the vulnerabilities associated with WEP,” says Argast.
“What this coverage has done is help the security and network departments push through and prioritize projects to upgrade their infrastructure.”

Steve Alexander, information security architect at Circuit City, says that his company had zero doubt it would employ WPA2, as opposed to an earlier standard. Costly data breaches only reinforced that WEP was no longer useful, he says. “On hearing about the TJX breach I wasn't surprised it happened, but I was surprised that it wasn't noticed for such a long period of time,” he says. “If you haven't yet replaced WEP, you have to understand that the cost of replacing it is unparalleled by the cost of not replacing it.”
[Sidebar] INSECURE RETAIL: By the statistics

When wireless security vendor AirDefense conducted a survey of retail outlets prior to January's National Retail Federation Convention and Expo in New York, the supplier found that an alarming 81 percent of 887 devices in all five boroughs could be compromised.
Nearly 40 percent of the surveyed devices were unencrypted;
Almost 30 percent of equipment were encrypted with Wired Equivalent Privacy protection, which can be compromised in minutes;
35 percent of service set identifiers listed the store's name, revealing retailers' identities;
23 percent of devices had data leakage occur;
50 percent of retailers offered free Wi-Fi service.
Source: AirDefense, “2008 New York City Retail Wireless Security Survey”

Responding to a financial security breach (source: SCMagazine)

Inno Eroraha, president, NetSecurity Corp.
May 14 2008
Financial institutions are heavily regulated. They are required to implement security programs following regulations such as SOX, GLBA, SEC, NASD, etc. In fact, most of these organizations are required to execute an annual security assessment as a key compliance measure. Because an annual assessment may not discover all vulnerabilities, these organizations should be prepared to deal with security incidents involving physical facilities, network infrastructures, systems, applications, and most importantly, data.

Obviously, an entity that has no proactive mechanism to detect data, information, or system compromise wastes enormous amounts of time and money addressing an actual compromise without a response plan. To be able to deal with computer or IT related compromises, certain measures should be implemented by the institution. The following outlines example precautionary steps recommended for a bank, but some of the measures are valid for any institution.

Preparing for the inevitable

A banking institution must involve all of its resources in its security operation, including people, process and technology. Consider the following:

Planning: This involves identifying the financial institution's business assets, identifying the risks, and developing plans for mitigation. Planning here involves determining what security measures need to be in place. Examples of planning activities include developing a security policies and procedures document, developing change management plans, instituting a contingency plan and incident response plan (forensics), etc. This phase of the security process also requires the identification of security technologies that need to be in place to meet business requirements.

Implementation: This stage requires the actual installation or deployment of a security technology that would provide secure communication end-to-end, as may be required.
Technologies offering various levels of protection should be in place – firewalls, proxies, content filtering, VPNs, IPDS, etc. Once implemented, these technologies must be constantly reviewed and tested following best practices for the banking business.

Monitoring and response: Active monitoring is an absolute requirement. Having the best security protection technologies serves no purpose unless each of those devices is proactively monitored. While banks sometimes cover the monitoring of networks and systems, back-end and other applications may not be too vigilantly monitored. Monitoring any device that stores, processes, or transmits information is crucial for after-the-fact investigation or other root-cause analysis. Adequate personnel need to be staffed and charged with the monitoring activity. Monitoring means logging critical data or events, including affected network, email, system and application activity, and everyone's activity – with no exception. In fact, recent requirements by NASD, SEC, GLBA, SOX, etc. require that banks and other financial entities perform archiving of communication, such as emails. Logging everyone's activity satisfies this requirement and keeps bank officials out of trouble.

Further, logs should be proactively reviewed. Automated mechanisms should be implemented to disseminate summarized reports of log events.

An area that is often overlooked is the monitoring of applications and operations performed by banking application software. At a minimum, a summarized list of actions of interest may be desired – delivered through email or other manual process execution.

Measurement: This involves identifying the weakness in the security process or program, which may be accomplished through risk assessment, vulnerability assessment, penetration testing exercises, testing of the contingency planning, incident response plan, and so forth, on a proactive basis.
The result of this effort is used to determine what areas of the bank's security operation need to be enhanced.

Education and training: To get the bank employees involved in the security process, they must be provided user awareness training at least twice yearly. Through this process, employees are informed of the risks associated with computers and the internet, and their roles and responsibilities to protect data.

Here are some other best practices that a bank can implement to fortify its security posture:

Synchronize system time: It's important to synchronize all systems with some trusted time server internal to the organization. This is required should a security incident occur and events from different systems need to be correlated. Besides, correctly setting system time helps your case should you end up in civil or criminal litigation.

Collect and preserve log data: Collecting and preserving the financial institution's log data is crucial when an after-the-fact investigation is warranted. When properly collected, with accurate time stamps on each entry, your organization would be covered when questioned by authorities or other investigative bodies. Data can be collected centrally to a server – there are pros and cons to this approach. Due to the discrepancies between systems and the fact that a common central logging server cannot be implemented in the real world, each medium that captures log data must follow these guidelines:
Physically secure the device
Log access to it
Allow only the auditing team to read the data
Prevent direct modification to the log data

Institute an incident response plan: The real question is what happens when an organization is under attack – covert, overt, and stealth operations? How would an organization be able to detect and respond to an intrusion or a security breach?

While the implementation of the techniques listed above helps in the fortification of an organization's security process, a key element that is often missed and should be included in any security process is an incident response plan. A security incident is a breach that compromises confidential information, alters information, or makes data or information inaccessible. An incident response plan is the process of monitoring for and detecting security events on an information system while implementing appropriate responses to these incidents. Formulating a bank's incident response plan is an absolute requirement to enable the bank to monitor, detect, and contain a potential compromise of its assets.

The following are benefits of a sound incident response plan:
Provides a method to monitor and quickly identify a potential security breach
Specifies a step-by-step process of how to handle an incident – i.e., specifies what to do when a security incident occurs
Specifies how to contain and reduce the risk of damage to an organization

There is no one-size-fits-all incident response plan for banks. Each institution should develop a plan that addresses its core business. The plan should be specific to the environment. For instance, if AS/400, JD Edwards, or Jack Henry, Oracle software, Centrix Safe Deposit Box, CASHplus, ImageVision, 4Sight, and other banking applications are used, then the plan must address potential incidents to these applications and the data they process or store.

Form a security incident response team: While a formal Security Incident Response Team (SIRT) is recommended, it must be championed by an incident response manager or coordinator. This manager need not be an executive within the organization, and can be a staff member whose primary role is to coordinate and manage the incident response process. Members of the forensics team in a bank may include representatives from the following departments: risk management, IT, legal, PR (if outside communication would be required), security, compliance department, internal audit, operations, and other groups relevant to the financial institution.

Once a team has been formed, each member needs to be adequately trained on their role in recognizing security incidents, reporting, and containment.

Train all users about incidents and reporting: All users of a financial institution, as part of their security awareness training, should be trained on detecting and responding to security incidents. In other words, if a bank's employee detects an incident, what should they do?
Incident response should be everyone's responsibility -- everyone should be thought of as a member of the SIRT.

Reward employees for participating in the program: Employees should be rewarded for detecting and reporting security incidents in order to encourage employee participation in the program.

Thoroughness of the incident response plan

It is recommended that an incident response plan be thorough – not simply covering network or system-borne attacks, but attacks that go beyond these areas, including users, applications, and actual data. Assuming that a teller in a bank is a target and his/her system is compromised because he/she opens a Trojan in an email attachment, how does the bank respond to these types of incidents?

In security, if you can't assess or gauge how well a security element is working, it would be difficult to assume that such an investment is providing the anticipated ROI for the institution. To this end, an assessment is required. This assessment can be carried out by in-house staff or by a third-party consulting firm. To be truly effective, use the third party without the knowledge of personnel responsible for detecting incidents within the company.

Areas to test

As discussed previously, testing the incident response plan may not have to be done at one time for the entire organization. While this approach would work for a small banking operation, we suggest for larger banks breaking the testing into appropriate parcels focused on specific groups, applications, or data of a specific customer. Testing should cover the following areas:
Compromise of core banking application
Data access
Systems
Network
Facility

How to test

Testing can be done in a variety of ways. The key thing to recognize is to look into your corporate environment and run tests that simulate a breach. A thoroughly executed infrastructure penetration test can be implemented here. With a penetration test, the testers can attempt to evade IPDS, firewalls, and other tests that would cause the monitoring systems to ignore serious network attack simulation.

What about attacks at the application and data level? An IDS may not be able to detect these, especially the attacks that occur through a VPN or other encrypted tunnels such as SSH, SSL, etc.

Testing could be broken down into various stages by targeting specific areas. For instance, testing could be targeted at core banking applications. Does the organization detect failed login attempts or unauthorized access?

Forensics procedures to institute for possible litigation

To determine that an intrusion has occurred requires proactive monitoring of systems, applications, and data. Sometimes, these factors may not be able to determine a successful compromise. Anomalous or “unusual” behavior/activity may be the symptom of a compromise. Sometimes, a compromise may not even be noticed unless different data and events are correlated. To detect a breach quickly, the bank must define what constitutes a compromise and ensure that the parameters for detection are in place, working, and producing the desired actionable items quickly. Detection might be in the form of email alerts, pagers, or even a manual reporting mechanism.

Once it has been determined that a compromise has occurred, the bank must begin the investigation of the incident. Without a forensic incident response plan (FIRP), a bank may not be prepared for this task.
Upon quick determination of the breach, the source and nature of the intrusion or compromise would dictate whether or not to shut down a system. Information gathered as described above will become useful in the next phase – forensically collecting and preserving the evidence.

First, you must know the source of the breach. Depending on the scope of damage, get the compliance department, risk management group, and the IT department involved. Law enforcement may be contacted, depending on the FIRP of your institution. Care should be exercised here because contacting law enforcement could require shutting down some of your services, which may remain down until replacement systems are deployed. So, unless you want an extensive service outage or unwanted publicity, be cautious as you seek outside help – FBI, local law enforcement, press, etc.

Evidence should be collected in a forensically sound manner, following procedures that can withstand the scrutiny and rigor of litigation and to avoid being inadmissible in court. First, you need to know what type of forensic evidence can be found for the event – money laundering, fraudulent wire transfer, insider trading, etc. – to narrow the scope of the investigation. Evidence in a computing device comes in two forms – volatile and non-volatile or persistent evidence. As the name suggests, volatile evidence is data stored in a medium whose contents are lost when power is removed from the “suspect” computing device -- this includes memory, cache, etc. On the other hand, persistent evidence is data that remains intact regardless of power outages. Examples include devices such as hard drives, flash drives, or USB devices.

What type of evidence should you collect during an investigation? This really depends on the scope. For a fraudulent wire transfer operation that occurred, the suspect system may be gracefully disconnected or shut down to begin the forensics process.
On the other hand, for a compromise or attack that is ongoing, volatile data must be carefully forensically collected first, then the system can be shut down and persistent evidence collected.To properly collect evidence and avoid contamination or destruction, follow these simple guidelines:
Avoid writing to or modifying the “suspect” system – doing this could result in crucial evidence being rendered inadmissible.
Collect everything that may be relevant to a case. For instance, if you were to perform a forensics analysis on a PDA device, it may be wise to collect all the power supplies and cradle for the device.
Use trained forensics employees – don't wing it or you risk your evidence being tossed out in court. Alternatively, you may consider retaining outside forensics and electronic discovery consultants to assist you.
Use a chain of custody form that shows possession or transfer of evidence in the investigation.
Use “court-sanctioned” or recognized forensics tools.
Validate each piece of evidence, using hashing algorithms – SHA1 or MD5.
Create forensics images of the suspect system. A forensics image is a bit-by-bit copy of the suspect hard drive. This copies both unallocated and allocated slack space containing deleted files, etc. In a system with terabytes of data, forensically imaging the drive may not be possible as it may take years and may be very expensive. In this case, logical file copy may be acceptable to a court. At least two images are recommended.
Don't attempt to install applications into the suspect system.
Do not modify the system as this may be considered evidence tampering.
Make a note of why you took every action you took during the investigation. Documentation of the scene is very crucial. Take good notes and write down everything you see and observe. Taking pictures and even videoing the scene may be helpful. Documentation should be an ongoing effort during the evidence gathering process and is not something that should only be done after the analysis is done. It will be difficult to remember the details if documentation is deferred to a later date and time.

Once the evidence has been forensically collected, it is necessary to perform analysis on one of the forensic images. Note that we do not want to perform our analysis on the original copy of the hard drive (“best evidence”), but rather, we want to work on one of the forensic copies we created.

Suppose that we are investigating a successful penetration of a bank's backend database system by an outsider. We may be interested in knowing activities that preceded the actual database attack, source IP addresses, user names/IDs used, web pages that may have triggered the compromise, event time, etc. Consequently, we may implement the following guidelines during our investigation:
Execute a forensics tool and perform an analysis of the drive and look for evidence (information defined above).
Create a “bookmark” of evidence gathered. You can refer to items in the bookmark easily instead of reanalyzing the forensic image. Artifacts bookmarked can easily be used in the report.

Assuming that you are working with hard drives it is necessary, for thoroughness, to use two different tools, such as Guidance Software's EnCase, AccessData's FTK, or Technology Pathways' ProDiscover. If you are working on a PDA or cell phone, use Paraben's Device Seizure or MicroSystemation's .XRY.

Forensics investigation is about excavating evidence and providing the facts. Do not step beyond your bounds or extend your scope. This approach is time consuming, expensive, and may be illegal!

Create a report that is easy to read and understand by laypeople and legal counsel that may be assigned. Ensure that this document is adequately peer-reviewed. The report should explain technical terms because it may be read by other attorneys or judges who may not understand technical jargon.

Conclusion

To conduct computer forensics well and produce results that are defensible in the courts, banks must plan for data breaches, develop forensics incident response plans to reduce their risk of data breaches and mitigate the possibility of lawsuits. Proactive measures today reduce reactive responses in the event of a breach.
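Two of the practices in this article rest on the same mechanism: the log-handling guidelines (log access to the medium, prevent direct modification of the log data, keep accurate time stamps) and the evidence guidelines (validate each piece of evidence with a hashing algorithm, create at least two forensic images, keep a chain-of-custody form). The Python block below is an added example written for this page; it is not code from the article or from NetSecurity. It hashes a constructed stand-in for a suspect drive, verifies forensic copies against the original, and keeps a hash-chained chain-of-custody record in which any later edit to an earlier entry is detected on verification. SHA-256 is computed alongside the MD5 and SHA-1 the article names, because both older algorithms have practical collision attacks. The drive contents, custodian names and actions are all constructed.

```python
"""Evidence-integrity helpers: hash a forensic image, verify a working copy
against the original, and keep a tamper-evident chain-of-custody record.
Added example, not the article's or NetSecurity's code; all data is constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-in for a "suspect" drive. A real image would be read from
# a block device or image file in chunks; a byte string keeps this runnable.
ORIGINAL_DRIVE = b"MBR\x00" * 256 + b"deleted-file-remnant-in-slack-space" + b"\x00" * 1024

# MD5 and SHA-1 are the algorithms the article names; SHA-256 is added because
# both older algorithms have practical collision attacks.
DEFAULT_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_image(data, algorithms=DEFAULT_ALGORITHMS, chunk_size=4096):
    """Return {algorithm: hexdigest}, hashing in chunks so the same routine
    scales to a multi-gigabyte image without loading it all at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(original_hashes, copy_data):
    """A forensic copy is only usable if every recorded digest matches."""
    copy_hashes = hash_image(copy_data, tuple(original_hashes))
    return all(hmac.compare_digest(original_hashes[a], copy_hashes[a])
               for a in original_hashes)


class CustodyLog:
    """Append-only chain-of-custody record. Each entry embeds the hash of the
    previous entry, so editing or deleting any entry breaks every later link.
    Timestamps are UTC, matching the article's advice to synchronize clocks."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, action, custodian, evidence_hashes, when=None):
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "time_utc": when.isoformat(),
            "action": action,
            "custodian": custodian,
            "evidence_sha256": evidence_hashes["sha256"],
            "prev": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Return (ok, first_bad_seq) after recomputing every link from the start."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["entry_hash"]:
                return False, entry["seq"]
            prev = entry["entry_hash"]
        return True, None


def run_scenario():
    """Walk through imaging, verification and a detected tampering attempt.
    Returns the outcomes so they can be checked; custodian names are constructed."""
    original = hash_image(ORIGINAL_DRIVE)
    log = CustodyLog()
    log.record("drive seized", "examiner A (constructed)", original)

    image_one = bytes(ORIGINAL_DRIVE)   # two images, as the article recommends
    image_two = bytes(ORIGINAL_DRIVE)
    log.record("image 1 created and verified", "examiner A (constructed)", hash_image(image_one))
    log.record("image 2 created and verified", "examiner A (constructed)", hash_image(image_two))
    images_ok = verify_copy(original, image_one) and verify_copy(original, image_two)

    # Analysis accidentally writes to the working copy: the digests now disagree.
    working = bytearray(image_two)
    working[0] ^= 0xFF
    damaged_detected = not verify_copy(original, bytes(working))

    chain_before = log.verify()
    log.entries[1]["custodian"] = "someone else"   # backdated edit to history
    chain_after = log.verify()                      # link 1 no longer verifies
    return {"images_ok": images_ok, "damaged_detected": damaged_detected,
            "chain_before": chain_before, "chain_after": chain_after}


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

The hash chain gives the "prevent direct modification" guideline teeth: a log that is merely access-restricted can still be edited by whoever holds access, whereas here any change to an entry, or removal of one, is detected by recomputing the chain from the genesis value. For real evidence the record would additionally be written to write-once media or signed by the custodian, which this example does not do.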
Inno Eroraha is the president of NetSecurity Corporation, a digital forensics, security consulting and training company. For more information go to www.netsecurity.com or call 703-444-9009 or toll free at 866-664-6986.

Vendor IT security software revenue increases (Source: SCMagazine)

Dan Kaplan
June 17 2008
Fueled by continued compliance demands and an evolving threat landscape, global software security revenue totaled $10.4 billion last year, a jump of nearly 20 percent, an analyst firm said Tuesday.

Gartner said worldwide revenue rose from $8.7 billion, thanks to drivers such as compliance, sophisticated threats, data leakage and privacy concerns.

Symantec led security software providers in 2007 with $2.77 billion in revenue, good for a 26.6 percent market share. Big Yellow's revenue increased eight percent from 2006, when it raked in $2.56 billion.

McAfee followed with $1.23 billion in revenue, up 14.2 percent from the prior year. Then came Tokyo-based Trend Micro, which garnered $810 million in revenue, a spike of 15.4 percent.

Of the top six security software vendors, the two with the most explosive growth from 2006 to 2007 were IBM (30.7 percent increase) and EMC (240.5 percent increase). Both companies' bottom lines have been bolstered by major security acquisitions.

IBM picked up Internet Security Systems for $1.3 billion in August 2006, and EMC snared RSA Security for $2.1 billion a couple of months earlier. IBM, fourth on the list, recorded $608 million in revenue in 2007, while EMC, sixth on the list, took home $415 million.

CA, the fifth-highest revenue producer, earned $419 million last year but was the only company whose income dropped (2.8 percent) from the prior year.

Islandia, N.Y.-based CA, which has seen a number of senior-level managers leave for other posts, attempted to stave off its economic struggles in 2006, when it announced it was laying off 1,700 employees following a profits plunge. At the time, the company, which specializes in identity management solutions, said the move would save it about $200 million annually beginning this year.

Aside from the top six revenue earners, the hundreds of other vendors that make up the IT security market brought in $4.17 billion.
Gartner warned, though, that Microsoft's entry into the space "will further erode pricing in this segment."

Gartner said the companies that saw the biggest gains offered products in email security and security information and event management. Meanwhile, enterprise anti-virus and web access management grew at the smallest rates.

The analyst firm said anti-virus sales were down because the technology is increasingly being offered as part of an integrated solution, and access management is already a mature technology.

"Price competition among vendors is also bringing prices down in the more mature stand-alone market segments," Gartner principal research analyst Ruggero Contu said in a statement. "Changes in the way vendors package and price their solutions in the future will ultimately impact pricing and make some security technologies as pervasive as PCs."

Latin America saw a 40 percent growth in vendor revenue, followed by the Middle East and Africa and Asia-Pacific.

North America vendors earned the most revenue, with Western Europe second.

National health-record privacy law in Congress (source: SCMagazine)

Chuck Miller
June 26 2008
A new law in Congress would require every U.S. citizen to have electronic health records by 2014. It would also set up privacy rules for those records, requiring information keepers to notify patients of security breaches.

The bill, called the "PRO(TECH)T Act," would provide incentives to doctors, hospitals, insurers, and the government to use electronic formats for health information, hopefully reducing medical errors and costs. Its provisions include safeguards, penalties, and notification requirements when a breach takes place.

"Your grocery store automatically knows what brand of chips you bought last year, but your cardiologist doesn't automatically know what prescriptions your family doctor prescribed for you yesterday," U.S. Rep. John Dingell, D-Mich., said in an announcement.

In a comment, U.S. Rep. Frank Pallone, Jr., D-N.J., chairman of the Subcommittee on Health, added: "Investing in health information technology today will help make our health care system more efficient tomorrow, thereby lowering costs and saving lives."

The bill would change the HIPAA (Health Insurance Portability and Accountability Act) privacy and security rules. Specifically, it would require individuals affected by breaches of unencrypted protected health information to be notified without unreasonable delay, and no more than 60 days after discovery. Another provision would permit patients to demand that information about a specific health care service not be disclosed to insurers if the patient already paid for it.

The bill also would tighten disclosure requirements, broaden individuals' rights to request disclosures, and require consent for disclosure of protected information if a provider is using an electronic medical record.

Sunday 15 June 2008

Account details of 2000 Belgacom subscribers on Skynet website

Wednesday 11 June 2008
http://www.security.nl/article/18862/1/Klantgegevens_Belgacom_abonnees_op_straat.html

Security.nl reports that the account details of 2000 Belgacom subscribers were posted on a Skynet website. The data has since been removed from the website in question at Belgacom's request.

It really remains an unbelievable story. How can it happen that this data is not encrypted on Belgacom's systems?

Thursday 12 June 2008

Data thieves get focused (but buyers get sloppy) (source: Computerworld)

By Jaikumar Vijayan , Computerworld , 06/18/2008

When it comes to online data theft, credit card numbers and bank account data are so 2007.
Increasingly, thieves are after more specialized information such as healthcare data, single sign-on credentials for remote login to corporate networks, and FTP account data, according to a new report from security vendor Finjan Inc.
The report, which was released Wednesday, summarizes the latest trends in the cybercrime marketplace over the first six months of 2008.
One of the biggest among those trends is the growing commoditization of some kinds of stolen data, according to Yuval Ben-Itzhak, chief technology officer at Finjan. Until recently, he said, credit card numbers and bank accounts with PINs were considered valuable items in the underground market. But of late, the market has become flooded with such information leading to its commoditization.
Where valid credit card numbers and PINs used to sell for $100 or more each, Ben-Itzhak added, they retail today for $10 to $20 in the underground market. Depressing prices even more is the easy availability of such information from numerous sources, most of which are quite literally a mere Google search away from prospective buyers.
As a result, there is a trend on the part of some online thieves to go after data that can fetch them premium prices in the cybercrime market. "It's just basically the rules of supply and demand," Ben-Itzhak said.
One trend Finjan has noted is an increased focus on trying to steal login credentials for Citrix applications. Technologies from Citrix Systems Inc. are being used by an increasing number of healthcare organizations to enable remote network access, Ben-Itzhak said, and stealing Citrix log-in credentials often allows data thieves to gain single sign-on access to a wide range of healthcare related information from inside hospital networks. The stolen data is used for a variety of scams such as fraudulent insurance claims, illegal purchases of prescription drugs, and medical ID theft.
It's not just healthcare organizations that criminals are targeting either, Ben-Itzhak said. There's a growing focus on stealing login credentials that provide remote access to business networks as well.
Finjan, for instance, recently discovered an Argentina-based server containing over 500MB of stolen data, and another server in Malaysia containing over 1.4GB of similar information. In both cases, the systems contained not just healthcare information but also business-related data -- for instance, one of the servers had a cache of data that included passenger reservation data and flight scheduling information stolen from a major airline.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.

Monday 2 June 2008

The need for data security software

Here you'll find articles that demonstrate the need for data security software such as SecureZIP.


Financial services company State Street Corp. loses personal data due to insecure practices.

Think about the PCI DSS procedures

Sunday 1 June 2008

SecureZIP, the successor of PKZIP

Data Security and Compression
SecureZIP frees your sensitive data to go wherever it needs to, securely. Data remains secure regardless of how it is transmitted or where it is stored.
SecureZIP for Windows® Desktop

SecureZIP Command Line for Windows

SecureZIP for Server

SecureZIP for i5/OS®

SecureZIP for z/OS®