Information Security Today

New Books

Information Assurance Architecture
Building an Effective Information Security Policy Architecture
Information Security Management Handbook, 2008 CD-ROM Edition
Terrorist Recognition Handbook
Oracle Identity Management

Choosing the Right Managed Security Services Provider
The MSSPs in the market today are by and large stable, and can best be categorized as Strategic Outsourcers, Telecommunications Providers, Enterprise Pure Plays and Boutique Pure Plays. As the MSS market continues to consolidate, organizations must carefully consider the most appropriate MSSP for their needs. By understanding how the MSS market has evolved, understanding the different classes of providers, and identifying key considerations for making the right choice in a consolidated market, organizations can select the right MSSP in an increasingly challenging threat landscape.

Verizon Business 2008 Data Breach Investigations Report
Nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place, according to a comprehensive report issued today by Verizon Business. The study also provides key recommendations to help businesses protect themselves and urges them to be proactive. The 2008 Data Breach Investigations Report spans four years and more than 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches including three of the five largest ones ever reported. This first-of-its-kind study, conducted by Verizon Business Security Solutions investigative experts, also found that 73 percent of breaches resulted from external sources versus 18 percent from insider threats, and most breaches resulted from a combination of events rather than a single hack or intrusion.

Protecting Your Data: It's Not Your Father's Encryption
The new encryption technologies that are now available are much easier to use than the technologies that were available even a few years ago. In particular, there are new technologies that now make it very practical to solve the problem of data loss and greatly reduce the chances that you'll end up on the list of data breaches maintained on Privacy Rights Clearinghouse's Web site.

"User-Proof IT Security Report" Finds Mismatch between IT Security Challenges and Solutions Deployed
In a survey released today, business IT executives indicated that their biggest IT security headaches stem from the significant number of employees who use the Internet inappropriately, run unapproved software, and circumvent security infrastructure and policies. The report found a significant disparity between these headaches and the deployment of security solutions that could relieve them, such as Internet content filtering, network auditing, and visibility systems. Only 56 percent of respondents have Internet content filtering and blocking solutions in place, and just 40 percent employ network auditing and visibility systems. Respondents that reported having these solutions in place also reported a higher level of satisfaction with their end users' compliance.

Cyber Forensics and the Changing Face of Investigating Criminal Behavior
New technology provides opportunities for criminals in many areas other than pornography. Police now frequently chronicle criminals' use of the Internet and computer technology to commit a wide range of economic crimes and crimes involving malicious destruction of others' property. The emergence of new technology requires the law enforcement community, from police to prosecutors to judges, to use different strategies and different tools in addressing the new ways today's criminals commit these old crimes.

Best Practices for Protecting Critical Business Data
We live in an information age. In this era, even the smallest of businesses must manage large volumes of paper and electronic records, often juggling data in multiple formats and across distributed locations, to serve customers. Protecting this information and managing it properly is paramount to ensuring a company's success, both now and in the future. An effective data protection strategy safeguards data against disaster and would-be identity thieves and restores it in the event of destruction, damage or loss. Additionally, the right plan ensures companies comply with broad and industry-specific regulations for managing that information. Regardless of its size or industry, an organization requires a data protection program that mitigates risk, reduces cost, ensures compliance and improves overall operations.

Symantec June 2008 State of Spam Report
In May, Symantec found that some of the most notable scams spammers used involved IRS stimulus checks as well as offers of "remedies" for home foreclosure and high gas prices. Spammers also exploited the recent earthquake in China and the cyclone in Myanmar, tugging at heartstrings with requests for donations that the victims of both tragedies will never see.

The Ocean Is Full of Phish
It was only a little more than a decade ago that "the Internet" was not part of most individuals' daily vocabulary. Today, the use of the Internet, e-mail, and text messaging is ubiquitous in coffee shops, cities, cell phone communications, and the workplace. This medium, despite the lack of inherent security at the network level, has become "trusted" by many for daily personal and business operations. As with everything that is "trusted" in our society, a criminal element is also invited to the party to exploit that trust for personal satisfaction or financial gain. Enter the latest lucrative criminal enterprise poised to diminish the trust that companies have built up: phishing. The article describes how to identify phishing attempts, the methods attackers use to deliver phishing messages, attack methods, and approaches being used to minimize the threat.

Building Sustainable IP Protection against Hacking
Reverse engineering, a tool for understanding competitors' technologies, improving one's own products, and defeating the competition, is rampant. Protecting software-based intellectual property is critical to maintaining competitive positioning, protecting R&D investments, and preserving product line profitability. Hardening applications against tampering, piracy, and reverse engineering is indispensable to maximizing software-powered businesses. To harden applications effectively, defense in depth is required, with multiple defensive measures in addition to obfuscation and encryption, in order to increase the difficulty of hacking an application. The key to successfully building and deploying a software protection solution is to ensure that it is sustainable. What strategies achieve sustainability? Here are some key considerations in developing a sustainable IP protection solution.

Protecting Customer Privacy Information
The public media regularly reveals exposure and misuse of customer or employee privacy information. Unreported incidents are likely to be at least as numerous, and as disturbing, as those that are reported. The reported incidents commonly involve lost media, unauthorized access by outsiders, or inappropriate access by insiders. When such exposures are made public, the affected organization is often penalized through economic disincentives such as loss of customer confidence affecting sales, government fines, and costly credit monitoring. However, an organization can reduce the likelihood of abusive access to privacy information by implementing appropriate security controls that are directive, preventive, and detective.

Compliance Frameworks
Compliance frameworks are the connection between regulatory mandates and software practices. This chapter from Oracle Identity Management: Governance, Risk, and Compliance Architecture explores the nature of compliance frameworks and best practices in an attempt to direct the identity professional toward standards that enable auditable stewardship and governance of identity-related information.

E-mail Management
E-mail is probably the most common means of communication both within and across organizations today. Because e-mails constitute business records, we need to define how to manage them as business records, retaining e-mails so as to comply with the standards and legislation governing an organization's documents and records. Managing e-mail is a comprehensive topic, worthy of a book on its own. This chapter from Implementing Document and Record Management Systems by Azad Adam discusses the fundamental aspects of e-mail management and how it fits into document and records management.

Authentication, Authorization, and Accounting
Whether a security system serves the purposes of information asset protection or provides for general security outside the scope of IT, it is common to have three main security processes working together to provide access to assets in a controlled manner. These processes are authentication, authorization, and accounting; the last is sometimes referred to as auditing. The following sections discuss these three processes and the relationship between them.
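The relationship between the three processes is easiest to see in code: identity is proven first, permissions are consulted only for a proven identity, and every decision, whether it succeeds or fails, is recorded. The following is an added example written for this page, not code from the chapter it summarizes; the user names, roles, permission strings and passwords are constructed for the demonstration.

```python
"""Minimal authentication / authorization / accounting (AAA) flow.
Added illustrative example; the principals and permissions below are
constructed, not taken from any real system."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000

# Constructed role-to-permission table (authorization policy).
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "admin": {"report:read", "report:write", "user:manage"},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Never store the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class AAA:
    users: Dict[str, Tuple[bytes, bytes, str]] = field(default_factory=dict)  # name -> (salt, digest, role)
    audit_log: List[dict] = field(default_factory=list)                        # accounting records

    def add_user(self, name: str, password: str, role: str) -> None:
        salt, digest = hash_password(password)
        self.users[name] = (salt, digest, role)

    def _record(self, event: str, subject: str, outcome: str, **detail) -> None:
        # Accounting: who, what, when and the result, for every decision,
        # so that both successes and failures can be audited later.
        self.audit_log.append({"ts": time.time(), "event": event,
                               "subject": subject, "outcome": outcome, **detail})

    def authenticate(self, name: str, password: str) -> bool:
        entry = self.users.get(name)
        # Hash even for unknown users so response time does not reveal
        # which user names exist.
        salt, stored = (entry[0], entry[1]) if entry else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(password, salt)
        ok = entry is not None and hmac.compare_digest(candidate, stored)
        self._record("authn", name, "success" if ok else "failure")
        return ok

    def authorize(self, name: str, permission: str) -> bool:
        entry = self.users.get(name)
        role = entry[2] if entry else None
        ok = permission in ROLE_PERMISSIONS.get(role, set())
        self._record("authz", name, "granted" if ok else "denied", permission=permission)
        return ok

    def access(self, name: str, password: str, permission: str) -> bool:
        """Full flow: identity must be proven before permissions are consulted."""
        if not self.authenticate(name, password):
            return False
        return self.authorize(name, permission)


def demo() -> Tuple[Dict[str, bool], List[dict]]:
    aaa = AAA()
    aaa.add_user("alice", "correct horse battery staple", "analyst")
    aaa.add_user("bob", "hunter2", "admin")
    results = {
        "alice_read": aaa.access("alice", "correct horse battery staple", "report:read"),
        "alice_write": aaa.access("alice", "correct horse battery staple", "report:write"),
        "bob_write": aaa.access("bob", "hunter2", "report:write"),
        "bob_badpw": aaa.access("bob", "wrong", "report:write"),
        "mallory": aaa.access("mallory", "x", "report:read"),
    }
    return results, aaa.audit_log


if __name__ == "__main__":
    results, log = demo()
    for name, granted in results.items():
        print(f"{name}: {'allowed' if granted else 'refused'}")
    for rec in log:
        print(rec)
```

Note that a failed authentication never reaches the authorization step, yet it still produces an accounting record; an audit trail that only logs successes cannot show a brute-force attempt or a privilege probe by a valid user.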

Introduction to International Standards Organization Security Standards
If your aim is to bring discipline to planning, implementing, and maintaining information security, and to build a highly effective information security program capable of achieving ISO 27001 certification, this chapter from How to Achieve 27001 Certification: An Example of Applied Compliance Management describes such a discipline. It gives an overview of security standards, with specific attention to existing and emerging security standards from the International Organization for Standardization (ISO).

New Internet Security Threat Report Reveals Details on Hackers' Quest for Private Information
The latest Internet Security Threat Report (ISTR), Volume XIII released today by Symantec concludes that the Web is now the primary conduit of attack activity, as opposed to network attacks, and that online users can increasingly be infected simply by visiting everyday Web sites. The report also found that attackers are seeking confidential end-user information that can be fraudulently used for financial gain and are less focused on the computer or device containing the information.

Network Content Filtering and Leak Prevention
The technology designed to protect highly sensitive data from leaking through networks is complex and expensive in terms of acquisition and ongoing operating costs, and its effectiveness depends on what types of traffic an organization allows to pass through its perimeter. To combat information leaks through networks effectively, organizations must follow the continuous information security plan cycle: assess, design, implement, educate, monitor, and correct. Security personnel's awareness and understanding of the vectors that ill-intentioned persons could use to sneak sensitive or confidential information out of a network are key to mitigating that risk.

Data Loss Prevention: Where Do We Go From Here?
Data loss prevention is fast becoming one of the most overused yet misunderstood acronyms in an industry known for its cryptic abbreviations. The DLP label is appearing on a puzzling variety of security products, adding to the confusion and hype. Meanwhile, the debate continues over where DLP should be deployed: on the network or the endpoint? What about stored data? And does it matter whether DLP is deployed as a standalone solution or as a feature in a broader product portfolio? To address those questions, organizations must first understand what DLP is, why it is important, and how it works.
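Both the network leak-prevention summary above and this DLP piece turn on the same mechanism: content inspection of data on its way out. As an added example written for this page (not code from either article or from any DLP product), the block below scans constructed outbound messages for payment card numbers and confidentiality markers. It uses the Luhn mod-10 check to drop digit runs that merely look like card numbers, which is the most common source of false positives in naive pattern matching; the message bodies, destinations and marker strings are all constructed.

```python
"""Egress content inspection for card numbers and confidentiality markers.
Added illustrative example; sample messages are constructed for the demo."""
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Constructed classification markers a policy might forbid on external mail.
CONFIDENTIAL_MARKERS = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum used by card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return normalized (separator-free) card numbers that pass the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def inspect(message: Dict[str, object]) -> Dict[str, object]:
    """Verdict for one outbound message: allow, or block with the reasons."""
    body = str(message["body"])
    reasons = []
    pans = find_pans(body)
    if pans:
        reasons.append(f"{len(pans)} Luhn-valid card number(s)")
    if CONFIDENTIAL_MARKERS.search(body):
        reasons.append("confidentiality marker present")
    return {"id": message["id"], "dst": message["dst"],
            "action": "block" if reasons else "allow", "reasons": reasons}


# Constructed outbound messages as a sensor might see them after reassembly.
SAMPLE_EGRESS = [
    {"id": 1, "dst": "mail.example.net:25",
     "body": "Invoice 1234567890123456 attached, thanks."},        # order number, fails Luhn
    {"id": 2, "dst": "203.0.113.9:443",
     "body": "card: 4111 1111 1111 1111 exp 12/29"},              # test PAN, passes Luhn
    {"id": 3, "dst": "mail.example.net:25",
     "body": "Q3 numbers - INTERNAL ONLY - do not forward"},       # marked data
    {"id": 4, "dst": "203.0.113.9:443",
     "body": "Meeting moved to 3pm, room 4-111"},                 # harmless
]


def run(messages: List[Dict[str, object]] = SAMPLE_EGRESS) -> List[Dict[str, object]]:
    return [inspect(m) for m in messages]


if __name__ == "__main__":
    for verdict in run():
        print(verdict)
```

A production sensor layers more on top of this: proximity keywords ("exp", "cvv") to score hits, fingerprints of known documents, and an inspection point that sees plaintext, since the check is useless on traffic the organization lets leave its perimeter inside TLS it does not terminate.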

Millennial Workforce: IT Risk or Benefit?
The Millennials are here. And according to a new Symantec study, Millennial Workforce: IT Risk or Benefit, this should be a real wake-up call to CIOs. Trying to implement IT risk management policies with a millennial workforce--one that has been labeled as risk takers--is very problematic. The study was conducted with 200 respondents each from the millennial workforce (born after 1980), the older workforce (born before 1980), and IT executives and professionals, to better understand this problem and the potential IT risk issues surrounding the emergence of this new tech savvy workforce. Clearly, the study reveals there is potential for huge risk exposure: data loss, compliance issues, legal implications, and other problems.

Would Effective IT Controls Have Prevented Data Theft at LGT Group?
In the latest major European security breach, German tax authorities were allegedly able to pay five million euros to an anonymous informant for confidential information about account holders at the well-known Liechtenstein bank. How did this data breach happen, and what are the larger implications for financial institutions worldwide? In this article, Calum Macleod, European Director of Cyber-Ark, examines this question in detail.

Security Testing Versus Functional Testing
There are some significant differences between security testing and functional testing that really require some fundamental shifts in how you think about testing. As explained in this excerpt from Testing Code Security, you have to step back and reassess some of the "rules of thumb" and "tribal knowledge" of software testing that you've learned over time.

Lack of Privileged Password Management Can Explain What Went Wrong at Societe Generale
No organization is invulnerable to attack, whether through deliberate targeting or through the failure of IT security staff and auditors who, in the interest of saving a nail in their budget, are prepared to risk the kingdom. Societe Generale should serve as a wake-up call to any organization that has not addressed privileged password management and application password management. If what happened at Societe Generale does not warn others to address what Burton Group calls the "Seedy Underbelly of Identity," then it is only a matter of time until the next kingdom goes down in flames.

Ten Tips for Successful IT Disaster Recovery Planning
Every business is vulnerable to a serious incident that could halt normal operations at any time. Beyond terrorist threats, less catastrophic events such as a lost or stolen laptop, the Northeast Blackout of 2003, Manhattan's steam pipe explosion in 2007, the recent wildfires in California, and numerous presently unforeseen possibilities can cause substantial business interruptions. Anticipating disaster and preparing for it is both prudent and advisable, as is regular testing of IT services and backups. A well-structured and coherent disaster recovery plan will enable companies to recover quickly and effectively from an unforeseen disaster or emergency, avoiding significant business interruption and loss. Here are ten things you should be doing.



In the News

SMEs failing at IT security





Events

Black Hat USA
August 2-7, 2008 in Las Vegas

Attend Black Hat USA, the world's premier technical event for ICT security experts. Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 50 nations. Visit product displays by 30 top sponsors in a relaxed setting. For more information, visit www.blackhat.com.


IT Security World 2008 Conference & Expo
September 13-19, 2008 in San Francisco
Earn up to 51 CPEs with our event World Pass!

IT Security World 2008 promises new strategies to overcome perennial problems, as well as progressive techniques to solve your most pressing pain-points such as VoIP, NAC, denial of service attacks, Evil Twin threats, buffer overflows, global communication and much more. In addition to 3 industry-neutral tracks, it also features industry-specific training in Finance, Healthcare and Government. Go to www.misti.com/itsecurityworld for a complete agenda and to register online!



Links

Peltier Associates


Editorial Calendar

Contributor Guidelines

Contact Editor



© Copyright 2008 Auerbach Publications