InformationWeek Stories by Adam Ely
http://www.informationweek.com
Copyright 2012, UBM LLC.

2012-05-11T01:01:00Z
Informed CIO: 8 Steps to M&A Security
http://reports.informationweek.com/abstract/21/8724/Security/informed-cio-8-steps-to-m-a-security.html?cid=SBX_iwk_related_commentary_Mobile_Security_security

2012-02-06T19:12:00Z
Strategy: Understanding Software Vulnerabilities
http://reports.informationweek.com/abstract/21/8677/Security/strategy-understanding-software-vulnerabilities.html?cid=SBX_iwk_related_commentary_Mobile_Security_security

2011-12-21T18:20:00Z
Will Biometrics Go Mainstream In 2012?
IBM thinks so, and the US-VISIT program may give a glimpse into the future. But what about data theft?
http://www.informationweek.com/news/232300950?cid=SBX_iwk_related_commentary_Mobile_Security_security

As a kid, I marveled at movies featuring retina or hand scanners, or instant DNA analysis to authenticate the bad guy to his vault. As an adult, I figured these devices would mean the end of passwords and spoofing and would bring the collision of sci-fi future and real-world security. Sadly, I still don't have a retina scanner at my desk. What I do have are so many passwords that I need a password manager to keep them straight.

I don't blame companies for hesitating to invest--biometrics systems still have problems, despite IBM's prediction of advances (http://www.informationweek.com/news/software/info_management/232300803). A prime example is how some fingerprint readers fell victim to the highly advanced gummy bear attack, in which a user acquires a gummy bear, applies it to the reader, and presses down. The sensor reads the fingerprint from the last user, which has now transferred to the gummy bear. The reader is defeated, the gummy-wielding attacker is authenticated as the previous user, and the system has become worthless. Organizations have been forced to replace hardware and software in light of this attack and revert to legacy methods, such as passwords, that are not vulnerable to rubbery candy.

More secure, it's hoped, are the digital images the government is embedding in the newest version of the U.S. passport for use with facial-recognition software, to reduce the likelihood of someone successfully using a fake passport to enter the country illegally. Since 2004, the US-VISIT--for United States Visitor and Immigrant Status Indicator Technology--program has been collecting digital fingerprint and facial images of international visitors to be used for identification; this data is shared with a number of government agencies. The enrollment and validation of these attributes is fast and accurate enough for use in everyday, large-scale deployments, and the Department of Homeland Security just announced it will pay Accenture Federal Services $71 million over 13 months to further improve the system.

Though they should, most users never question the privacy, storage, handling, and sharing of their biometric data. What happens if people are enrolled in a system and their biometric data is compromised, sold, shared, or mined in some way? This topic came to the fore in 2009 when a company offering faster airport security checks closed its doors and didn't immediately state where the biometric data it had collected would end up. In return for allowing Clear (which has since been reopened) to keep biometric data on file, frequent fliers could move through airport security faster. It was great for those who fly often and don't want to waste time. It would also be great for those who want to steal this data to impersonate a frequent flier, for either malicious airport activity or use elsewhere. If a credit card is stolen, it's easy enough to close the account and get a new card. Not so much for a new fingerprint.

While some people will always like to think they're targets of a vast international conspiracy looking to frame them for a failed government takeover, in reality, I don't see biometric data being targeted in such a way. On the other hand, this data could be sold to and mined by companies with the ability to analyze our physical traits, compare that to other data sets, store in-depth information about us, and perhaps disclose it all in some way that would harm us.

The fact that these concerns are mainstream shows that biometrics has evolved to a point where enrollment, usage, cost, and user fears are no longer hindering adoption. I can see a future in which governments push for inclusion of digital photos to be used with facial recognition, require fingerprints for traveling, and eventually embed DNA attributes in identification documents to address everything from fraud to immigration control.

As a user, it seems great not to worry about someone impersonating me and not having to carry an access token or know a password. At the same time, though, it's scary to think my fingerprint, DNA attributes, and digital image will be shared across governments, vendors, and employers. Those futuristic movies never addressed the security and privacy aspects of our personal biometric data and what happens if it's compromised, altered, or goes missing. That's up to us.
Adam Ely is security director at TiVo and a Dark Reading and InformationWeek contributor.

2011-11-28T08:00:00Z
Develop Secure Mobile Applications
We share best practices to create safe mobile apps for users and customers.
http://www.informationweek.com/news/232200004?cid=SBX_iwk_related_commentary_Mobile_Security_security

The runaway success of mobile devices and apps like Angry Birds has touched off a frenzy of development, as companies rush to roll out apps for consumer and enterprise markets alike. These days, if your business isn't on a mobile platform, it's nowhere. But when developers are under pressure to release new applications, security is often an afterthought. That's bad news for consumer data, applications, and a company's infrastructure.

We've been here before, of course. It happened with client-server applications, then Web applications, and now mobile platforms. The more code that's written and the more platforms on which it runs, the more vulnerabilities will be present. It's safe to assume that all applications have security flaws, and those written to run on mobile devices are no exception.

What follows is a look at several challenges to securing mobile applications and guidance on what you can do about them.

Work Security In Early

Developers are pushing out code as fast as they can, and security concerns can easily get lost. In hypercompetitive markets, the business very likely isn't going to tolerate slowing the release rate to accommodate secure coding practices. To avoid being blamed for late releases, security pros must find ways to implement security without affecting timelines.

First, you must find low-impact ways to meet security requirements. Use automated code-analysis software during the build and test process, perform security testing during quality assurance, and work with developers to use standard preapproved libraries that have been reviewed for security. These steps go a long way toward reducing the effort required in the final security review, which typically occurs at the end of the development cycle and leaves little time for security testing and remediation.

Pay Attention To Web Links

Mobile applications typically connect to Web apps to send, retrieve, and process data, so the Web application layer presents significant risks. If you're performing code reviews, using standardized libraries, and applying other application development processes to protect Web applications, you're already doing a lot of what's needed to secure mobile applications.

Full report: Strategy: Mobile Application Security, http://reports.informationweek.com/abstract/18/7675/Mobility-Wireless/strategy-mobile-application-security.html?cid=pub_analyt__iwk_20111128

2011-05-09T15:54:00Z
More Apps Mean More Security Woes
You're not a player unless you play in the mobile space, but if you play insecurely, users may pass you by.
http://www.informationweek.com/news/229403068?cid=SBX_iwk_related_commentary_Mobile_Security_security

Mobile applications and technology are hot. The iPad was being asset-tagged and added to the corporate network the day it was released. But new platforms bring apps, which in turn bring technology management and security worries. Concern, discussion, and thought surround mobile application security and where we're heading, now that there's an app for everything.

My good friend and security industry colleague Rafal Los (whom I call Raf for short, and since you and I are friends you can too) recently published some of his thoughts on mobile application security on Hewlett-Packard's Application Security Community site (http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/The-Hard-Truth-About-Mobile-Application-Security-Separating-Hype/ba-p/27473). When it comes to application security in general, I agree with Raf's thoughts. To summarize, he points out that a lot of mobile application functionality is driven by server-side code, which takes us back to Web application security practices. When focusing on mobile applications you can't forget about the server-side calls, and if your Web application security practices are in place, you're that much ahead of the game.

I agree with Raf in this context, but the problem of mobile applications is much broader. Let's take a look at the Skype-Android privacy vulnerability. It was found that Skype didn't properly secure instant messages and profile information stored on Android devices, and thus malicious apps, intruders, or anyone who gained enough access to your handset could access these files. This is a problem of the application developers not securing the files; now Skype developers must fix the oversight and release new code, and users must upgrade. See the statement by Skype in its blog (http://blogs.skype.com/security/2011/04/privacy_vulnerability_in_skype.html) and notice that it attempts to turn attention away from its mistake and focus on the user installing a malicious application. The company could have just said it's in good company, since Citibank had a similar flaw (http://www.informationweek.com/news/smb/security/showArticle.jhtml?articleID=226200280). This highlights an area where Web application security practices and the security of the server-side infrastructure don't always protect the user, device, and data.

On top of insecure client-side storage and server-side Web application security, mobile applications must ensure that network transports are secure, since users roam between open wireless networks and are prone to GSM attacks, and AT&T gives the National Security Agency direct network access. (Call me paranoid, but I live next to the building where the secret NSA spying room was found (http://www.informationweek.com/news/global-cio/showArticle.jhtml?articleID=197007680), and Citibank's iPhone app was found to have insecurities.)

I am preparing a report on the state of mobile application security in order to provide insight and practical tips to IT and development teams that are under the gun to develop applications for their companies.
In the "there's an app for that" society, you're not a player unless you play in the mobile space. If you play insecurely, though, users may pass you by. We'd like to hear from you on problems, tips, and concerns surrounding mobile application security. Email me at aely@nwc.com or send me a message @adamely on Twitter.

2011-03-05T00:00:00Z
5 Steps To Secure SaaS
To keep your off-site data safe, don't let vendors dodge the hard questions.
http://www.informationweek.com/news/229300147?cid=SBX_iwk_related_commentary_Mobile_Security_security

Just about any business function supported by enterprise IT has the potential to be delivered as a service or hosted externally. Software as a service is particularly popular. Our 2011 InformationWeek Analytics SaaS Survey showed a 13-point jump in the percentage of companies using SaaS, up to 60% from 47% in just 11 months. Need a new community outreach application? Build it for the cloud. E-mail maintenance got you down? Ship that app out. Can't get what you want from Amazon, Google, IBM, Microsoft, or Salesforce? Take a look at the hundreds of new SaaS providers, all of which are making grand promises of uptime, scalability, and cost efficiency.

But what about security?

SaaS vendors tend to shy away from that discussion. They disclose very little about their security practices, your rights as a customer, or exactly how your company's data is protected while in their care.

We predict that the growth of SaaS and other cloud services will eventually stall as compliance failures and data compromises are uncovered, at which time cloud providers will be forced to divulge more information. Until then, it's up to you to perform due diligence before allowing sensitive data to reside off site.

What's In A Name? A Lot

When I managed security for a division of Walt Disney, my team evaluated several cloud providers for small community applications--for a contest on ESPN, for instance, or a short-lived Flash game built to promote a show debuting on ABC. These were applications with no sensitive data or even logins. Since Disney is so large, we usually got our security questions answered. We knew we were still taking some risks, since we had no day-to-day insight into the provider's network, virtualization infrastructure, or any internal controls, but we gathered enough facts to make informed decisions. We followed the same process when we launched a Google Apps pilot in some smaller divisions. Again, because it was Disney, Google was willing to share information to get the company signed on as an early adopter.

When you're Disney, life is good. But as I found recently when discussing security with a cloud vendor without disclosing the company I work for now (TiVo), not every customer has that leverage. This time, the rep wouldn't provide security information. He simply recited the marketing line and offered a SAS 70 report for the vendor's data center. This company had taken the stance that providing information on security controls is, in itself, a security vulnerability and said we should just trust it. Once the laughter died down, I asked a serious question: Why should I trust you with my data and the reputation of my company when you won't trust me with documentation or insight?

Unfortunately, for the vast majority of companies, it's difficult to get the formal information we need to make smart decisions about risk. In these cases, we need to take matters into our own hands.

[Chart: How would you describe the security of your SaaS apps?]

1. Go through back channels. We all have a duty to officially document controls so we can prove due diligence if anything goes upside down, but getting some off-the-record information never hurts. Ask around. Use social networks. Often, you'll be introduced to someone who can grease the wheels for official and unofficial answers.

2. Don't put stock in reference customers. Instead, seek out current or former customers on your own and ask them to share with you any relevant information they can, without breaking confidentiality agreements. Never believe a vendor's practices are acceptable simply because it has big-name clients, or clients you believe to be security-minded. Recently, we began talks with a vendor that had some impressive names on its roster. When we dug into the application, however, we found serious vulnerabilities that could expose data to attackers. The vendor was unwilling to discuss its internal practices, so we walked away.

We realize all companies have exploitable gaps. But no one should accept vendors that ask for trust but inspire none. I can't repeat this enough: Never rely on a client roster as validation of risk management practices. Every company has IT providers that slipped in the back door. This is especially true of SaaS vendors, which are often brought in by businesspeople without involving the risk team.

3. Go online to investigate the vendor's presentations and responses to any past security incidents. Some providers, such as Google, publish statements about their views on security and risk management; reading those can tell you a lot. Providers that show some level of understanding and due diligence may rise above the competition. Oxygen Cloud, for example, is a startup storage vendor that openly discusses its controls and uses security as a competitive differentiator. This doesn't mean Oxygen is more secure than a comparable rival, but all else being equal, this may move it higher up my list.

4. Ask to test controls. You'll never be allowed--or able--to evaluate every control that matters, but even a few vulnerability scans and code reviews can provide considerable insight into a SaaS provider's practices. Most reputable vendors let clients do some testing, with advance notice. If the provider shows weak controls on the simplest of items, it's rational to think that more advanced protections are lacking as well.

5. Use your leverage to its fullest. SaaS vendors, like the rest of us, are trying to build their businesses, and they always need marketing fodder. An attorney I once worked with added a line to every contract stating the vendor couldn't use the company logo or name in any way without written consent. Even if your company isn't in the Fortune 500, its particular use case or industry sector may make it a valuable reference account to the vendor. Use that as a bargaining chip to gain more security insight and other information.

Always ask for what you want--don't assume you won't get anywhere. Even a high-level overview gives you a starting point. While a SAS 70 certification may not mean a lot, it at least shows that the provider took the time to do something about security. See if the company has public-sector clients; the Google Apps infrastructure dedicated to government customers has been certified as fully compliant with FISMA standards, and the rest of us can expect to receive some benefits from that compliance.

If the vendor reps you speak with can't, or won't, give you straight answers about security, if their responses vacillate, or if the vendor outright refuses to provide any security-related insights, can you really trust it to have your best interests at heart? Don't buy the excuse that revealing information on controls is in itself a security risk. Security is more than vulnerabilities and remediation. It's about a company's ability to manage risk and remain compliant on an ongoing basis.

Sometimes it comes down to a gut feeling. If a vendor doesn't inspire confidence, or if you find reason to doubt it's doing a good job managing risk on your behalf, move on. New providers are popping up all the time, and if enough of us force the security issue, we'll all benefit from better visibility.

Adam Ely is the director of security for TiVo. Write to us at iwletters@techweb.com.

2011-03-05T00:00:00Z
5 Steps To Secure SaaS
To keep your off-site data safe, don't let vendors dodge the hard questions.
http://www.informationweek.com/news/229300176?cid=SBX_iwk_related_commentary_Mobile_Security_security
2011-02-14T15:33:34Z
Flip On Over To B-Sides
With RSA kicking off on Tuesday, you may be asking yourself, What's to do on Monday in San Francisco?
http://www.iweek-interim.com/news/229219229?cid=SBX_iwk_related_commentary_Mobile_Security_security

In case you haven't heard, BSides is in full swing Monday and Tuesday (http://www.securitybsides.com/w/page/35868077/BSidesSanFrancisco). Hurry over to the Zeum, right next to the Moscone Center (directions: http://maps.google.com/maps?f=d&source=s_d&saddr=747+Howard+Street,+San+Francisco,+CA+94103+(Moscone+Center)&daddr=Zeum:+San+Francisco%27s+Children%27s+Museum,+San+Francisco,+CA&hl=en&geocode=Fb-IQAIdsUq0-CFt0YGH18lQhw%3BFfGFQAIds0m0-CFVfqgT8BsMNw&mra=pd&mrcr=0&sll=37.782312,-122.402127&sspn=0.0213,0.045447&ie=UTF8&z=19), and attend the BSides talks.

BSides is a conference organized by those in the industry, for those in the industry. No fanciness here. It's all about the content, the audience, and building better interaction between speakers and attendees.

This year's talks range from comparing social network intelligence to the NSA to understanding the risks and rewards of running a bug bounty program. Big names from Barracuda, Rapid 7, and others are presenting and available to discuss anything your heart desires.
<P> The goal of Security BSides is to foster communication and collaboration while increasing the level of conversation. It provides a solid framework for similar conferences to be organized and hosted locally and worldwide. In the last year alone, BSides events were hosted in 10 new cities including Berlin, Ottawa, Austin, Atlanta, Boston, Denver, Dallas, and San Francisco. <P> "Security BSides is what security cons <em>should </em>be - non-pretentious, enlightening, and community-driven," says Dave Shackleford, consultant and frequent presenter at infosec conferences. <P> Even if you're not in San Francisco this week, <a href="http://www.securitybsides.com">check out BSides</a> in your home town or sign up to organize your own. <P> Let us know on Twitter which B-Sides talks you attended. <a href="http://twitter.com/adamely">@adamely on Twitter</a>, hashtag #BSides.2011-02-14T09:01:20Z3 Startups To See At RSAOver the past few months I've used my highly unscientific methods to identify new security startups I believe are worth watching over the next 12 months. These companies are solving problems for enterprises in various spaces. Each is worth reaching out to if you are attending RSA or BSides in San Francisco this week.http://www.iweek-interim.com/news/229219194?cid=SBX_iwk_related_commentary_Mobile_Security_securityOver the past few months I've used my highly unscientific methods to identify new security startups I believe are worth watching over the next 12 months. These companies are solving problems for enterprises in various spaces. Each is worth reaching out to if you are attending RSA or BSides in San Francisco this week.<strong><a href="http://www.honeyapps.com">Honey Apps</a></strong> <P> Founded by former Orbitz.com CISO, Honey Apps' Conduit aims to centralize vulnerability data across an organization's applications, networks, servers, and databases. 
Conduit's correlation engine tracks each vulnerability throughout its lifecycle, whether it is identified by an automated scanner, manual testing, or a third-party tool. <P> Tracking vulnerability data across many applications is a tiring task that just about every enterprise faces. If Conduit, currently in beta, holds up to its promises, Honey Apps will be doing a big favor to us all. <P> <strong><a href="http://www.loggly.com">Loggly</a></strong> <P> Just out of beta and co-founded by the former chief security strategist of Splunk, Loggly is cloud logging as a service. Loggly provides a place in the cloud for system admins, developers, or anyone else to send, store, search, and analyze logs. While not strictly a security company, Loggly can provide security teams a place to manage logs of cloud-hosted applications and services. <P> <strong><a href="http://www.ciphercloud.com">CipherCloud</a></strong> <P> CipherCloud aims to encrypt your sensitive data in real time before it's sent to SaaS applications, using format- and function-preserving encryption that requires no changes to cloud applications and has no impact on functionality, performance, or user experience. This is a solution all security teams would love to have in place for data protection. CipherCloud will launch at RSA this week; swing by and kick the tires. <P> There are many new companies to look at this year, offering everything from new ways to solve old problems to new technology for new problems. These are three companies that look promising, are in the market now, and can be met with at RSA. <P> Message me on Twitter, @adamely, and let me know what you think of these new startups.2010-12-22T13:33:33Z'Tis Attack Season: 5 Ways To Fight BackFor most of us, it's time for sleeping in, spending time with family, and ignoring e-mail. For criminals, it's time to go to work. Scammers are looking to exploit e-card traffic, sales promotions, and the general jolliness of Internet users. 
What better time to attack unwatched enterprise systems, siphon out data, and dig deeper into networks?http://www.iweek-interim.com/news/229200336?cid=SBX_iwk_related_commentary_Mobile_Security_securityFor most of us, it's time for sleeping in, spending time with family, and ignoring e-mail. For criminals, it's time to go to work. Scammers are looking to exploit e-card traffic, sales promotions, and the general jolliness of Internet users. What better time to attack unwatched enterprise systems, siphon out data, and dig deeper into networks?Here are a few steps to keep an eye on your security while still having fun over the holiday season. <P> <strong>1. Rotate on-call and incident response. </strong> No single person should be chained to e-mail and incident response over the holidays; that's just asking for inattention to come back and bite you. At minimum, rotate responsibility among several people over the holiday season. Maybe even consider breaking the rotation into smaller slots than normal to allow people more time with family. That way, when they are on call, they'll be more apt to closely monitor events. <P> <strong>2. Check security events and logs regularly. </strong> Don't slack off here just because the office is empty. Watch network traffic to ensure abnormally large data transfers are not occurring. Attackers use times when people are away to transfer out their caches of stolen data. If they're smart, they will send small amounts at a time, but even this may be noticeable on days when no one is in the office. <P> <strong>3. Take this time to do maintenance. </strong> Patch your systems, reboot what needs rebooting, and tune your IDS. Use the downtime to up your security. <P> <strong>4. Protect against malware. </strong> Update your malware signatures and run full scans of all systems. Attackers love to slip malware into fake greeting cards or holiday Web sites. Chances are something is already in your network and an attacker is waiting to use it. 
While users are out is the best time to scan systems and remove malware. <P> <strong>5. Feeling like the Grinch? Test your incident response plan. </strong> The holiday season is the best time to test your IR plan and understand if your team is truly ready. Of course, your co-workers will not be pleased with you (see item #1), so be prepared. <P> Working during the holidays is no fun, but our opponents never stop, so we can't either. Ensure your protections and response plans are in place, be diligent and proactive, and hope for the best. <P> By the way, we're running an <a href="http://www.surveygizmo.com/s/433700/informationweek-analytics-risk-survey">extensive survey on risk management</a> through January 3 and would appreciate your input.2010-12-18T00:00:00ZYou've Been Breached: Now What?Logs are a key component of an incident response plan if your database gets attacked.http://www.informationweek.com/news/228800744?cid=SBX_iwk_related_commentary_Mobile_Security_security <a href="http://www.informationweek.com/gogreen/122010/index.jhtml?k=axxe&cid=article_axxe_os">Download the entire Dec. 20, 2010, issue of <em>InformationWeek</em></a> (Registration required.) <P> No one likes to think about database breaches, but the fact is, they happen. Rather than cross your fingers and hope for the best, create an incident response plan ahead of time. Without a plan, you may destroy critical evidence that could be used to prosecute the offender. You might also overlook just how the incident occurred, leaving you exposed to future breaches.</p> <P> Log analysis is an essential component of an incident response plan. You'll want to review logs from the compromised machine or machines and from other sources, including network devices and access control systems.</p> <P> A number of log types--transaction, server access, application server, and OS--can provide valuable information to retrace what occurred. If your database administrator has enabled transaction logs--and it's a big if--start there because they're a rich source of information. </p> <P> Your first goal is to understand what data has been extracted, which will help you gauge the current risk to the company. Then examine what else the attacker may have tried to do. As you review logs, look for queries that would match the data known to be exported. If you don't have any evidence to match against, gather up the database administrator, application developer, and anyone else who knows normal application and database activity. 
Get a conference room, display the logs on a projector, and have them help you look for anomalies such as unusual queries that applications or administrators wouldn't normally make.</p> <P> Search logs for evidence of SELECT statements and examine the results for those that appear to be out of the norm. This is where having a DBA or application developer on hand will help. They know the applications that access this database server and can pick out suspect queries, such as those that return more records than normal, are formatted differently, or are preceded by erroneous requests. For example, improper SQL statement formats are common when an attacker doesn't know the database structure and is attempting to blindly guess database, table, and row names. In addition to SELECT statements, look for INSERT, DELETE, and DROP statements, as well as command-execution queries.</p> <P> The attacker may also have attempted to insert a database account, edit logs, or execute system commands from within the database, among other tactics.</p> <P><strong>Multiple Sources</strong></p> <P> Unfortunately, transaction logs typically aren't enabled on a database because the logging process can hurt performance. But there are other logs that can help an investigation. </p> <P> After transaction logs (if available), move on to logs from other sources, including the database server, the application server, and the OS. If the server tracks authentication attempts, user actions, or file changes, it may be possible to gather evidence here. The attacker may have compromised the server before going after the database. Or he may have gone through an application--compromising a Web application is by far the most common vector for accessing data. Look for authentication attempts that appear out of place, both successful and failed.</p> <P> If file-level auditing was enabled by the system admin for the server OS, check if files were created in any unusual directory. 
This could be evidence of a database dump or copy.</p> <P> If you know whether the attack was directly against the database or via an application, you may want to bypass system-level logs initially and focus on network and application logs to gain more information faster. You can then return to the system logs later to gather additional data. Review application or server logs for anomalies, similar to how you would look for anomalies in database logs.</p> <P> For application servers, look for lots of requests from the same IP address and those that came in rapid succession, which may indicate an automated attack against the application. Also look for user authentication errors or exceptions.</p> <P> Finally, review logs of recent user activity. An attacker may have poked around, run commands, or set off an audit alert that will show up in OS security logs, network or host intrusion-detection system logs, or other system logs. If the database in question uses the OS or a directory service such as Active Directory to authenticate users, then the authentication logs may provide evidence of which accounts have logged in. This can help determine if the data exposed was the result of an external attack or an inside job.</p> <P> When a database breach comes to light, it's all too easy for IT to panic. A panicked response is likely to be a poor one, so create an incident response plan when you are calm and rational. 
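The log review described in this article, as an added example in Python (not code from the article or from InformationWeek): it triages a constructed database query log for the three signs the text names, SELECT statements that return far more rows than the table normally does, successful statements that follow a run of failed ones from the same source (blind guessing of object names), and INSERT/DELETE/DROP or command-execution statements. The log format, the account-table and procedure names, and the thresholds are assumptions; a real transaction or audit log has its own format, so parse() is the part to adapt.

```python
"""Triage a database query log for the anomalies the article tells you to look for.

Constructed example. Log format (an assumption, not any product's real format):
    <ISO timestamp> <db user> <source IP> <rows returned> <OK|ERR> <statement>
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a service account doing normal per-record lookups, then
# the same account, from a different address, guessing table names, pulling a
# whole table, adding an account and dropping the audit log.
SAMPLE_LOG = """\
2010-12-24T02:10:01 app_svc 10.0.0.5 1 OK SELECT name, email FROM customers WHERE id = 1042
2010-12-24T02:10:09 app_svc 10.0.0.5 1 OK SELECT name, email FROM customers WHERE id = 1043
2010-12-24T02:10:15 app_svc 10.0.0.5 1 OK SELECT name, email FROM customers WHERE id = 1044
2010-12-24T02:10:21 app_svc 10.0.0.5 2 OK SELECT name, email FROM customers WHERE id = 1045
2010-12-24T02:11:00 app_svc 10.0.0.5 12 OK SELECT sku, qty FROM orders WHERE customer_id = 1042
2010-12-24T03:15:44 app_svc 198.51.100.7 0 ERR SELECT name, email FROM custmers WHERE id = 1
2010-12-24T03:15:45 app_svc 198.51.100.7 0 ERR SELECT name, email FROM customer WHERE id = 1
2010-12-24T03:15:46 app_svc 198.51.100.7 48213 OK SELECT name, email FROM customers
2010-12-24T03:15:47 app_svc 198.51.100.7 0 OK INSERT INTO db_users (name, role) VALUES ('svc2', 'dba')
2010-12-24T03:15:48 app_svc 198.51.100.7 0 OK DROP TABLE audit_log
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<rows>\d+) (?P<status>OK|ERR) (?P<sql>.+)$")
TABLE_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
DESTRUCTIVE_RE = re.compile(r"^\s*(DROP|TRUNCATE|ALTER)\b", re.IGNORECASE)
WRITE_RE = re.compile(r"^\s*(INSERT\s+INTO|DELETE\s+FROM|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)

ACCOUNT_TABLES = {"db_users"}            # assumption: where this database keeps its logins
COMMAND_EXEC_PROCS = {"xp_cmdshell"}     # SQL Server's OS-command procedure; add your product's
ERROR_WINDOW = timedelta(seconds=120)    # how long a run of failures stays "recent"
OVERSIZED_FACTOR = 10                    # rows returned vs. the table's median
OVERSIZED_MIN_ROWS = 100                 # ignore small tables entirely


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"line": n, "ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                       "ip": m["ip"], "rows": int(m["rows"]), "ok": m["status"] == "OK",
                       "sql": m["sql"]})
    return events


def triage(log_text):
    """Return one finding per (statement, reason) worth showing the DBA."""
    findings = []
    rows_by_table = defaultdict(list)    # baseline of rows returned per table
    recent_errors = defaultdict(list)    # source IP -> timestamps of failed statements

    for e in parse(log_text):
        reasons = []
        sql_upper = e["sql"].upper()

        # 1. Blind guessing of object names: failures, then a success from the same source.
        errs = [t for t in recent_errors[e["ip"]] if e["ts"] - t <= ERROR_WINDOW]
        recent_errors[e["ip"]] = errs
        if not e["ok"]:
            errs.append(e["ts"])
        elif len(errs) >= 2:
            reasons.append("success after %d recent errors from %s" % (len(errs), e["ip"]))

        # 2. A SELECT that returns far more rows than this table normally returns.
        tbl = TABLE_RE.search(e["sql"])
        if e["ok"] and sql_upper.startswith("SELECT") and tbl:
            table = tbl.group(1).lower()
            baseline = rows_by_table[table]
            if len(baseline) >= 3:
                median = statistics.median(baseline)
                if e["rows"] >= OVERSIZED_MIN_ROWS and e["rows"] > OVERSIZED_FACTOR * max(median, 1):
                    reasons.append("returned %d rows, median for %s is %g" % (e["rows"], table, median))
            baseline.append(e["rows"])

        # 3. Beyond SELECT: destructive DDL, writes to account tables, command execution.
        if DESTRUCTIVE_RE.match(e["sql"]):
            reasons.append("destructive DDL")
        w = WRITE_RE.match(e["sql"])
        if w and w.group(2).lower() in ACCOUNT_TABLES:
            reasons.append("write to account table " + w.group(2))
        if any(p.upper() in sql_upper for p in COMMAND_EXEC_PROCS):
            reasons.append("command execution procedure")

        for r in reasons:
            findings.append({"line": e["line"], "ip": e["ip"], "sql": e["sql"], "reason": r})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("line %2d %-14s %-45s %s" % (f["line"], f["ip"], f["reason"], f["sql"]))
```

Everything the sample flags comes from the second address, and nothing from the application's own lookups does; the point of keeping a per-table baseline rather than a fixed row limit is that a reporting query that legitimately returns thousands of rows every night is not an anomaly, while the same count against a table that normally returns one row is.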
It's better to have one and not need it than to need one and not have it.</p> <P>2010-10-05T01:40:20ZWho's Driving Your Security Bus?When did vendors begin setting our security priorities? I asked myself this question recently while at dinner with three friends representing two security vendors. This was a personal event, not business, and as is often the case, I was the only person from the enterprise side of the industry. 
You can imagine the conversation.http://www.iweek-interim.com/news/229200648?cid=SBX_iwk_related_commentary_Mobile_Security_securityWhen did vendors begin setting our security priorities? I asked myself this question recently while at dinner with three friends representing two security vendors. This was a personal event, not business, and as is often the case, I was the only person from the enterprise side of the industry. You can imagine the conversation.One friend asked why I would not buy their product. Put aside the way this company's senior salespeople hounded me <em>after</em> having removed the sales rep I had built a relationship with from my account in order to give it to a more senior person. (Not that I'm bitter.) I still had valid reasons. Simply put, the threats their product protects me against aren't the biggest threats to my organization and thus not my highest priority. <P> Between the two vendors represented, I could accomplish several sections of PCI, some relevant controls for SOX, and check off all the major threats covered in the media. On the books, I would look great. At the end of the day, however, that's <em>not </em>what security is about. <P> I have several dozen real threats to think about every day. Of the threats that bubble up to me from my team, I have to determine which are real, imminent, and pose the biggest risks to the organization. I have to weigh budget, manpower, and potential impact, along with various other factors, to determine what I need to prioritize. Never mind all of this. The vendors continue to call and tell me their product was rated #1 by some named publication, ranked in the upper right magic super duper quadrant of some analyst chart, and if I am smart I will really focus my time (and money) on the threat they defend against. <P> I get it. Salespeople are supposed to sell me. Marketing people are supposed to make me "understand" that the space they defend is the most important. 
I don't fault these people for doing their jobs. But as I spoke to my dinner companion, I realized why vendors set the priorities for so many enterprises. <P> When I do have the chance to speak to my peers, I realize that some are reciting verbatim pitches I heard from a vendor as to why they are buying X product or subscribing to Y service. They cite magazine articles, analyst fluff, and something they overheard from someone they can't remember at some conference. <P> I owe it to my organization to make decisions based on better information than this. <P> Now, many CSOs/CISOs/security managers are doing prioritization right. But for most of us, vendors exert too much influence, and we end up with often-overpriced products that only do some of what we need, and mostly what the vendor thinks we need. <P> Don't believe me? I have a good friend who had an application security company. This company, and its competitors, lobbied PCI to be included as a control. Ever wonder why PCI specifically discusses Web application scanning and Web application firewalls but doesn't discuss automated solutions in the other 11 sections? Great example of vendors pushing their agenda. <P> When they spend too much time listening to vendors, enterprise IT teams tend to change focus often and fail to build long-lasting security programs; rather, they mount shortsighted, threat-focused responses. Building a proper security program requires planning and focusing on the highest risks to the organization and working down the list from there. Vendors can provide invaluable information that no single organization could obtain solo, but <em>only</em> once the threat is identified as needing attention and when the organization is ready. <P> By all means, read white papers and attend talks from vendors to understand the threats they see in the wild. I do so and have learned about issues that could affect my organization. But at the end of the day, I decide what is important, not the vendor. 
Make sure you do the same.2010-09-18T00:00:00ZA Strategy to Protect Unstructured DataYou've got data everywhere. We've got a plan to help you find and control it.http://www.informationweek.com/news/227500066?cid=SBX_iwk_related_commentary_Mobile_Security_security <a href="http://www.informationweek.com/gogreen/092010/index.jhtml?k=axxe&cid=article_axxe_os">Download the entire Sept. 20, 2010, issue of <em>InformationWeek</em></a> (Registration required.) <P> IT organizations are well aware that sensitive information resides in corporate databases, but unstructured data--e-mail, Office documents, and other content types--can be just as valuable and need protection. The challenge for IT is that unstructured data is growing at a breakneck pace--a compound annual growth rate of 61%, according to IDC, almost three times the growth rate of structured data. It's also scattered throughout the enterprise: in folders on file servers, on laptops, and tucked inside USB drives. You need a strategy for securing it.</p> <P> Start by understanding the types of content in your company, and the value it has to the business. If your company handles credit cards, then you automatically think of PCI. Your nightmare is credit card numbers sitting on a file server for anyone to find. If you're in the medical field, HIPAA and patient records are a top concern. Other important data types are customer and employee personal information, intellectual property, and operational data.</p> <P> These groupings are broad but give you enough to build on. The main idea is to understand the types of data and how you will respond once each type is discovered. 
Once you compile a basic list, work with representatives from IT, legal, compliance, HR, finance, and business development. They will identify data you've forgotten or didn't know about.</p> <P> Next, map your data types to a classification and handling policy that outlines how groups of data should be managed. The most common mistake we see when IT groups write these policies is specifying exactly how data should be protected. That approach is inefficient and causes more work for you later. Instead, provide a range of acceptable measures rather than mandates. For example, if your company prefers that data in transit be encrypted using SSLv2, but it also will accept the use of TLS 2.0, put both options in your policy. This makes the policy much more flexible for those implementing the protection. That's critical, because if they can't work with you, they'll work around you.</p> <P> One last note on data classification policies: They often fail because all documents are tagged as confidential, devaluing the policy. Your classification system should differentiate between valuable information that carries a high level of risk and other information that may be sensitive but carries less risk if exposed or lost.</p> <P> <strong>Searching For Unstructured Data</strong></p> <P> The next step is finding the data. This can be tricky. You know where it should be stored, but because information is so portable, it has a habit of turning up in unexpected places.</p> <P> Using your list of data types as a reference, begin searching file shares, laptops, connected storage devices--anywhere you can. You should also involve users. Ask them where they store data, and have them review documents they own to identify sensitive data that needs to be protected or organized. This step can ease some of the burden on the IT department. The only sticking point is getting people to actually do it. 
This process must be reinforced through user awareness of what constitutes sensitive and risky data, what to do with it, and whom to ask when in doubt.</p> <P> If your company has the budget, investigate data loss prevention (DLP) products, which search for sensitive data and can help prevent the data from leaving the enterprise. If you're financially constrained, there's a relatively new open source offering, appropriately named OpenDLP.</p> <P> By the way, a data classification and discovery initiative is a great time to consolidate storage locations, archive or purge old documents, and generally tidy up. The fewer documents and storage locations, the easier it will be to apply and maintain controls. You may also save money on storage if you uncover--and delete--caches of duplicate data. It's also an appropriate time to revisit the company's retention policy to determine if it's too stringent.</p> <P> <strong>Apply Appropriate Controls</strong></p> <P> Rather than search piles of unstructured data for sensitive content, you might be tempted to simply apply strong security controls to all enterprise data. One common, albeit draconian, method is to slap strict access controls on all data stores and ban the use of USB drives and other portable media.</p> <P> Good for security? Sort of. Good for business? No. Overly broad controls complicate the lives of the people who need to access and share data--that is, pretty much every employee. It also complicates your own life because you'll end up applying (and managing) controls around a good deal of unimportant information, such as an employee's MP3 files and last year's corporate holiday schedule. Instead, take a measured approach. Start with highly valuable or sensitive data and revisit the rest after you've dealt with your critical information.</p> <P> You have a variety of security controls at your disposal, such as access controls, passwords, and encryption. 
For instance, if you find sensitive data on a file server, apply root directory access controls. Archives or spreadsheets stored in areas that can't be secured, such as on a user's desktop or on a network drive in preparation for a presentation, should be password-protected.</p> <P> When possible, encrypt highly sensitive data. Products such as PGP and the open source alternative GPG provide a standard approach to file-level encryption. WinZip, which allows for AES-256 encryption, is an inexpensive product. Consider volume or full-disk encryption for laptops and other mobile devices, especially if users store many highly sensitive documents on their systems.</p> <P> However, guard against encryption overkill. Most employees aren't walking around with thousands of customer credit card numbers on their laptops, so encrypting entire drives just because you can isn't worth the investment.</p> <P> DLP is also a control option. In addition to searching for sensitive data, DLP products monitor network traffic for improper or unauthorized transmissions. DLP systems can also be implemented in passive mode to understand how data moves in your company, so that you can create your own rules or modify the canned policies that come with the product.</p> <P> Note that DLP isn't a panacea. DLP products handle credit card and Social Security numbers out of the box, but more granular tuning of these systems--to reduce the number of false positives, for instance--can take time. We know of a recently installed DLP system that sent an alert each time a user logged into Facebook, because the session ID was similar to a credit card number. DLP products can also be expensive.</p> <P> <strong>Data Protection: Rinse And Repeat</strong></p> <P> When implementing controls, you're bound to run into problems. Unstructured content is very different from data stored in databases. It doesn't have a single home you can protect and audit. It travels outside the company. It's copied and modified. 
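A minimal discovery scan of the kind described in this article, as an added example in Python (not the article's code and not a stand-in for a DLP product): it walks a constructed sample share, looks for card numbers and SSN-shaped values in plain-text files, and keeps only card candidates that pass the Luhn check, which is what separates a card number from a 16-digit session ID like the one in the Facebook anecdote. The directory layout, the file types scanned, and every value in the files are constructed; the card numbers are the widely used 4111... and 5500... test numbers, and real scanners also have to open Office documents and archives, which this one does not.

```python
"""Scan a directory tree for card numbers and SSNs, with a Luhn check to cut false positives.

Constructed example: the share it scans is built in a temp directory by build_sample_share().
"""
import re
import tempfile
from pathlib import Path

# Card candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not part of a longer digit run. SSN: the 3-2-4 hyphenated shape.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])")
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md"}   # assumption: plain-text files only


def luhn_ok(digits):
    """Luhn checksum; every real card number passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, masked value) pairs; only the last four digits are kept."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    return hits


def scan_tree(root):
    """Walk root and report which files hold what, without copying the data out."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        text = path.read_text(errors="ignore")
        for kind, masked in find_sensitive(text):
            findings.append({"file": path.relative_to(root).as_posix(),
                             "kind": kind, "sample": masked})
    return findings


def build_sample_share():
    """Create a constructed file share: two real hits, one SSN, and two benign digit runs."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "finance").mkdir()
    (root / "finance" / "refunds.csv").write_text(
        "order,card,amount\n1042,4111 1111 1111 1111,19.99\n1043,5500-0000-0000-0004,5.00\n")
    (root / "hr").mkdir()
    (root / "hr" / "new_hires.txt").write_text("J. Doe  SSN 078-05-1120  start 2010-10-01\n")
    # A 16-digit session ID: card-shaped, but it fails the Luhn check.
    (root / "web.log").write_text("GET /home sid=1234567890123456 200\n")
    (root / "holiday_schedule.txt").write_text("Dec 24: office closed. Call ext 1234.\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_share()):
        print("%-22s %-5s %s" % (f["file"], f["kind"], f["sample"]))
```

The scan reports the two refund records and the HR file and stays silent on the session ID and the holiday schedule, which is the behaviour you want before pointing a tool at a real share: it tells you where the risky data lives and nothing about the non-sensitive bulk the article says not to bother protecting. Tuning happens in the regexes and in the suffix list, not by lowering the checksum bar.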
It grows rapidly. The answer is to ensure that processes and applications can scale. For instance, scan data stores for the highest-value data first, and then rescan for lower-value data.</p> <P> Remember to regularly review data types, storage locations, and the risks associated with known data. As business processes and goals evolve, some data types become more valuable, some less valuable. Storage locations will also change over time, and your processes must account for those changes.</p> <P> Protecting unstructured data is hard. To succeed, place controls close to the data and work outward, but be mindful of the impact of those controls on data owners and users. Communicate to end users what is and isn't acceptable; education is vital when implementing controls that move or alter data or stop actions, such as copying or e-mailing files.</p> <P> Finally, make sure that data owners understand that no control is 100% effective, and efforts to secure unstructured data are just one facet of a larger layered security approach, which requires their help and support.</p> <P> <strong>Adam Ely is director of security for TiVo and an InformationWeek Analytics contributor. Write to us at </strong><strong>iweekletters@techweb.com</strong><strong>.</strong></P> <P>2010-08-07T00:00:00ZThe Browser As Attack VectorBeginning with the Web 2.0 boom and accelerating with today's popular SaaS model, new attack techniques are exploiting browser flaws and leading to the compromise of data. http://www.informationweek.com/news/226600102?cid=SBX_iwk_related_commentary_Mobile_Security_securityFor years, we groused about bug-ridden browsers while initiatives to harden them largely fell flat. Then one day, IT woke up to find that the browser is the new OS. Web 2.0 applications use browsers and the public Internet to create interactive interfaces and enable asynchronous collaboration, inside and outside the firewall. 
2010-08-07T00:00:00Z
The Browser As Attack Vector
Beginning with the Web 2.0 boom and accelerating with today's popular SaaS model, new attack techniques are exploiting browser flaws and leading to the compromise of data.
http://www.informationweek.com/news/226600097?cid=SBX_iwk_related_commentary_Mobile_Security_security

For years, we groused about bug-ridden browsers while initiatives to harden them largely fell flat. Then one day, IT woke up to find that the browser is the new OS. Web 2.0 applications use browsers and the public Internet to create interactive interfaces and enable asynchronous collaboration, inside and outside the firewall. Google Chrome is promising to push Web-based operating systems forward, which could let businesses cut costs and infrastructure.

All types of companies are moving toward software as a service at a steady clip--55% of the strategic IT managers responding to our June InformationWeek Analytics Cloud Computing & IT Staffing Survey of 828 IT professionals are using SaaS or plan to. What all that means is, the browser is now your employees' gateway out--and an attacker's gateway in.
IT must focus on protecting the browser from compromise without hindering functionality and derailing business initiatives in the process.

If you read "protect the business" as "patch servers, add rules to the firewall, and apply system configurations," you're asking to be breached. Browser-based attacks are a significant challenge, for a few reasons. They're unpredictable. IT doesn't always know where a user will need to go on the Internet, what services need to be accessed, and when. This makes defense by tightly limiting where employees may surf very difficult. User errors are often factors in successful exploits. And attackers are smart and resourceful and frequently compromise seemingly innocuous sites. All the monitoring and training in the world may not make a whit of difference.

What does matter: putting in place a comprehensive protective strategy that's both proactive and reactive.

Browser Blitzkrieg

What's that? You're having trouble getting funding for the security initiatives already in place, never mind a new program? Then some education is in order, because browser-based attacks are at your doorstep. We've seen real-world examples: The New York Times last September was found to be serving malware through a third-party online advertisement network. The attack against Google in China, nicknamed Operation Aurora, is believed to have utilized a zero-day, or previously unknown, flaw targeting Internet Explorer.

Attacks against, or via, the browser vary in type and sophistication. The most basic simply ask the user to download a malicious file disguised as something legitimate. As users become more savvy, they fall for these attacks less and less. More sophisticated attacks involve directing people to malicious sites through links placed in the comment or advertisement sections of legitimate sites.
Once the user visits the malicious site, code is loaded automatically that attempts to exploit security holes in the browser, or a browser plug-in, such as Flash Player (see how that could happen in the diagram at left). These attacks are called "drive-by downloads," and even wary end users can be fooled.

Really sophisticated attackers remove one key step--they compromise a legitimate site and load malware directly from there. This is always more effective than hoping a person will click a link and navigate to a malicious site. Recently, attackers have found that an even faster and easier way to infect legitimate sites is to purchase advertising on the site, as happened with the Times, then load their malicious code into advertisements. This gives the attacker a legitimate distribution channel without the hassle of compromising a site, setting up a malicious site, or recruiting people to click on links. Web anti-malware company Dasient, in its most recent quarterly report on Web malware data and trends, reports a spike in "malvertising" attacks since the beginning of this year, and we have no reason to think that rates will go down, seeing as just about every knowledge worker on the planet has at least one browser open at all times.

En Garde

Since these threats come from outside, effectively protecting our users, and in turn our data, requires a two-pronged strategy:

1. Taking steps to reduce our exposure to these threats, and

2. Being ready to respond quickly and decisively to inbound attacks.

Proactive protections can be the most effective but also the most difficult to implement. When people visit a malicious site that attempts to exploit the browser, a few stars must align to make the attempt successful. First, the user's browser must be capable of executing the malicious code.
If the site uses ActiveX to exploit a flaw in the browser or OS, for example, then the browser must have support for ActiveX enabled.

Next, the user must have permission to perform the action the malicious code is attempting. If the malicious code attempts to write to the system registry but the user doesn't have registry access, then that part of the attack fails. Because of this, the most common recommendation to stop these attacks is to remove administrator privileges from end users. If the user can't damage the system, the malicious software can't either, in most cases. There is the rare instance where multiple exploits are stacked to overcome privilege limits, but most often the attacker assumes the user will have the required permissions.

Obviously, limiting privilege is a great idea, and highly recommended if you can swing it. But it's also a hard sell because, inevitably, it breaks some applications or restricts end users to a degree they find intolerable. The result is that companies tend to get tremendous pushback from employees when trying to implement such controls.

To remove the ability for the browser to execute malicious code, some companies have disabled technologies commonly used in these attacks, including ActiveX, JavaScript, and even Flash and Silverlight. As with limiting privileges, this can hinder users and reduce the functionality of many Web applications. If you use Mozilla-based browsers such as Firefox, add-ons such as NoScript and AdBlock Plus attempt to block browser-based threats from these technologies while still allowing trusted applications to function properly. This approach is a good middle ground.

One sure-fire way to protect against known weaknesses is to ensure browsers and browser plug-ins are always updated when patches or new versions are released. You probably pay attention to ensuring operating systems are patched and updated; browsers rate the same level of attention.
To go a step further, some IT groups sandbox the browser. There are two ways to do this; we discuss them in our full report, at informationweek.com/analytics/browsersecurity. The first is using the operating system's ability to run the browser as a separate, lower-privilege user. Or the browser itself can be run in a sandbox, allowing it to function but restricting it from accessing any other portion of the OS.

Protection Plan

Once you've done your part, go train employees in three areas:

Check it out: Most browsers enable us to check Web sites against a third-party register, typically Google's Safe Browsing list, to determine if the site is known to host malware. Use this ability.

Rules matter: Make a policy that when warnings appear, users don't ignore them. Warnings exist for a reason. Explain that browsers may be exploited automatically on page load. It's never OK today to download free MP3s on a work system or click yes in pop-ups promising pictures of Lady Gaga.

Reinforce your defenses: Regularly discuss the evolution of threats and keep policies current. Attackers aren't sitting still, and you can't either.

Adam Ely is an InformationWeek Analytics contributor.
Write to us at iweekletters@techweb.com.

2010-07-20T17:10:00Z
Hackers Unite!
I'm like the proverbial kid in a candy store. This is my favorite time of year. Between Black Hat, Defcon, and BSides, you have feds, criminals, security experts, reporters, and everyone in between congregating in the city of sin. What's not to like? Here's a rundown of these events, my picks for talks not to be missed, and an invitation.
http://www.iweek-interim.com/news/229200996?cid=SBX_iwk_related_commentary_Mobile_Security_security

It's a good time to be me: This weekend I'll head to Florida to see friends and spend some time in South Beach. In three weeks I'll go to Seattle to catch up with the startups of Puget Sound. After that, a few work trips to Asia and Europe.

But what I'm really excited about is that my annual pilgrimage to Las Vegas is only a week away.
First, there's Black Hat, which will be filled with sponsored parties and great talks. Plenty of industry deals get closed here. The lineup of speakers and topics looks good this year, definitely worth attending.

As Black Hat begins to wind down, the city will be filled with a different crowd as the Defcon hacker conference kicks off at the end of the week. Defcon is an eclectic mix of who's who from the corporate and underground scenes. Good guys and bad all intertangled for the same purpose: to learn and spread ideas. This year, Defcon is running a bit longer than usual and has added talks all the way through the weekend, so if you're in town, swing by and check it out.

Less well-known is the Security BSides conference, or just BSides for short. The founders of BSides formed it with the intention of creating a more informal gathering where presenters and attendees have plenty of time to mingle and discuss topics in depth. Gone are the VIP suites reserved only for the elite few who speak. Instead, presenters, attendees, and, yes, even press are treated the same. We all talk, discuss ideas, and help one another learn and solve problems. BSides is beginning to gain traction as it expands to different parts of the country. Each BSides event is organized by people who live in the city where the event is being held; this gives a local feel and makes attendees feel much more at home.

The casual, collaborative environment fosters sharing of ideas. At a recent Boston event, some attendees were huddled in a corner writing code to prove a theory, while others were discussing problems they face day to day and how to solve them. At the end of the day, this is what it's all about.

I have always said my favorite time at conferences is not the talks, though there are some good ones. At RSA each year you can find me in the lobby of the W catching up and discussing the finer points of Russian cybercrime.
At Black Hat ... well, it's Vegas, so you probably can't find me unless you have me on foursquare. At BSides I'll be watching quietly to see if this little scrappy conference that could is ready for prime time.

Just a few of the talks I recommend attending:

Black Hat
Jackpotting Automated Teller Machines by Barnaby Jack
Extending Data Visualization Tools for Faster Pwnage by Chris Sumner
Ushering in the Post-GRC World: Applied Threat Modeling by Alex Hutton and Allison Miller
App Attack: Surviving the Mobile Application Explosion by John Hering
Hadoop Security Design by Andrew Becherer

Defcon
How to Get Your FBI File (and other information you want from the federal government) by Marcia Hofmann/EFF
Our Instrumented Lives: Sensors, Sensors, Everywhere by Greg Conti
Open Public Sensors and Trend Monitoring by Daniel Burroughs
Web Application Fingerprinting with Static Files by Patrick Thomas
Practical Cellphone Spying by Chris Paget
The Chinese Cyber Army by Wayne Huang and Jack Yu

Security BSides
Mobilizing the PCI Resistance: Lessons From Fighting Prior Wars by Gene Kim
A Mechanics View of SQL Injection by Ray Kelly
InfoSec Communities Career Success by Grecs
Top Ten Things IT is Doing to Enable Cyber-Crime by Daniel Molina
Drivesploit: Circumventing Both Automated and Manual Drive-By-Download Detection by Wayne Huang
Multi-Player Metasploit by Ryan Linn (Special appearance by HD Moore?)

The clock is ticking down and I am ready to head to the desert. Find me during the week and let's catch up, or meet for the first time. As always, follow me on Twitter, @adamely (http://twitter.com/adamely), to get my up-to-the-minute thoughts during the conference. If you are sleuthy enough to find me on foursquare you might even locate the infamous RaffCon meeting and other parties during the week.
See you in Sin City.

2010-05-10T06:00:00Z
7 Steps To Better Identity Management
Here's what you need to know about managing employee identities in this age of outsourcing and SaaS.
http://www.informationweek.com/news/224700981?cid=SBX_iwk_related_commentary_Mobile_Security_security

Managing employees' identities, passwords, and access rights has always been a challenge. And now, increased use of outsourcing and software-as-a-service offerings has further complicated things, requiring the use of federated identity management outside the corporate walls.

Setting up and managing federated IDM, which makes users' identity data portable across autonomous security domains, can be complicated and cumbersome. With distributed systems, employees around the globe, and an endless number of technologies to integrate, it's not for the faint of heart.

But if planned properly, there are significant benefits, including improved security, reduced operational overhead, lower support costs, and a better user experience. Identity management lets IT understand who users are, what applications and networks they have access to, and in most cases their job functions. It enables the complete management of an identity, versus providing an isolated view of a single account in a single system.

The key is to understand what identity management technologies are in your environment, how people interact with them, and how they all tie together. What follows are seven steps for tackling these issues and improving the control you have over your environment.

What Are You Managing?

Before you can manage user identities, step one is to know what you're managing.
Your identity management approach will depend on how much you have to spend, the technologies that require identity management, and how sophisticated and comprehensive the system needs to be.

Does your company need basic user admin support, or everything from provisioning new users to single sign-on to deprovisioning of users who've left? If your company's growing, adding locations and employees, opting for SaaS applications instead of bringing more applications in-house, then you're better off with more automation of current IDM processes than spending money to bring in new solutions.

Fully automating the provisioning and deprovisioning of employees will cut back on mistakes, provide better security, and result in fewer audit issues. You can go a step further and create templates and expiration dates for employee accounts for application and network access; that will make your auditors happy.

If your company gives system access to outsourced partners, particularly third-party developers with high turnover, then automation is critical. Too often, contractors' accounts are left active long after they leave, or new contractors use the account of the person they replaced because the access provisioning process is so painful.

Where Are The User Accounts?

The next step is to identify the technology in which user accounts reside. This may be a human resource system, SAP, Active Directory, OpenLDAP, or any other employee or user account directory, or some combination of these. HR and payroll systems are the best places to look for a system that identifies which users are legit and active.

You also need to determine what IT's master authentication system is. Is it Active Directory, or some other centralized account repository? If there isn't one, that explains your problem, and it's the place to start.

If you have Active Directory or another system, figure out what's authenticating against it.
It may be just your desktops and servers, or it may also include custom applications, database logins, and third-party apps.

Time To Centralize Authentication?

At this point you should thoroughly evaluate whether to move to a central authentication system. One of the keys of federated IDM is having a central place to manage accounts, and most companies find the benefits of central authentication outweigh the drawbacks.

CA's Identity Manager and IBM's Tivoli Identity Manager are among the IDM offerings companies can use whether or not they have a central user directory. Most of these tools do the same job, but each has its own sweet spot. The larger systems such as CA's and IBM's run $100,000 or more and provide full workflow management for provisioning and deprovisioning users, including taking in the initial request, getting authorization, creating an account, and removing an account with one click. These features are what distinguish identity management systems from directory services systems like Active Directory. They let IT import accounts from a master directory or individual system. Once accounts have been discovered and imported, you can map, group, remove, modify, or do just about anything else you want to with them.

If there's a master record of employees from HR or payroll, it can be imported through supported connectors or the import of flat files and used to map system accounts to actual employees. Doing this will make it easier to understand the entirety of what a particular person has access to, rather than an isolated view of a single account in a single system.

Do You Know What External Apps Are In Use?

Once the internal enterprise is understood, look outward. Is your company using SaaS services such as Salesforce.com, social networks, outsourced expense management, and HR systems?
With lower operating cost and faster deployment, SaaS offerings can make a great addition to the enterprise--if they have sufficient user management capabilities. If you don't have good tools, managing hundreds of accounts in an outsourced system can suck up a lot of resources.

Query your accounting department and survey employees about what third-party online apps and sites they're using without IT's knowledge. The goal isn't to stop them from using these services but to understand how to better manage them.

The challenge with third-party services will be finding a tool that can properly manage accounts while also managing internal resources. You may need two products or even some custom scripting. Examine the options, and ask IDM vendors and SaaS vendors for suggestions.

Do You Understand Your Workflows?

The next step is to understand workflows. You want to fully understand the process as it is and be able to provide a map showing how it would work differently in a vendor's offering. Look at how users are provisioned, how changes to their access are handled, and how you deprovision them when they leave. How do you add accounts across multiple systems?

Walk through a test of how requests are processed. Do this exercise for edge cases, too, such as external systems like Salesforce, and that system that's always been managed by one person who refuses to let others in.

Use flow charts to document workflows. They're useful as you implement new products and for spotting redundancy in processes.

Do this with the end users. Often we look at the technical processes and forget to ask users what they think of the process, how they understand it, and the pain points they encounter. I recently did this and found end-user views to be very different from those of IT.
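One workflow worth mapping in detail is deprovisioning, given the orphaned and reused contractor accounts described under "What Are You Managing?". As an added example, not from the article or from any IDM vendor's product, the following reconciles a directory export against the HR master record and reports which enabled accounts need action; the roster, the export and the reference date are constructed sample data.

```python
"""Added example, not from the article or any IDM vendor's product: reconcile a
directory export against the HR/payroll master record to find accounts that
deprovisioning should have caught.  The roster, the export and the reference
date are constructed; a real run would pull them from the HR system and from
Active Directory, OpenLDAP or the IDM tool's connectors."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class HrRecord:
    employee_id: str
    status: str                      # "active" or "terminated"
    contract_end: Optional[date]     # set for contractors, None for staff


@dataclass
class Account:
    username: str
    employee_id: Optional[str]       # None when the account was never mapped to a person
    enabled: bool
    last_logon: date


def reconcile(hr_records: List[HrRecord], accounts: List[Account], today: date,
              stale_after_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for enabled accounts that need action.

    Findings, in the order they are checked:
      unmapped - no HR owner recorded, so nobody can vouch for the account
      orphan   - owner missing from HR or no longer active (left the company)
      reuse    - contract ended but the account keeps logging on: the
                 "new contractor uses the old one's account" pattern
      expired  - contract ended and the account is idle: disable it
      stale    - active owner, but no logon in stale_after_days
    """
    hr = {r.employee_id: r for r in hr_records}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                 # already deprovisioned, nothing to do
        if acct.employee_id is None:
            findings.append((acct.username, "unmapped: no HR owner on record"))
            continue
        owner = hr.get(acct.employee_id)
        if owner is None or owner.status != "active":
            findings.append((acct.username, "orphan: owner not active in HR"))
            continue
        if owner.contract_end is not None and owner.contract_end < today:
            if acct.last_logon > owner.contract_end:
                findings.append((acct.username, "reuse: logons after contract end"))
            else:
                findings.append((acct.username, "expired: contract ended, disable"))
            continue
        if (today - acct.last_logon).days > stale_after_days:
            findings.append((acct.username, "stale: no logon in %d days" % stale_after_days))
    return findings


# Constructed sample data.  TODAY is fixed so the result is reproducible.
TODAY = date(2010, 5, 10)

HR_ROSTER = [
    HrRecord("E100", "active", None),                 # regular employee
    HrRecord("E200", "terminated", None),             # left the company
    HrRecord("C300", "active", date(2010, 3, 31)),    # contractor, contract over
    HrRecord("C400", "active", date(2010, 12, 31)),   # contractor, still engaged
]

DIRECTORY_EXPORT = [
    Account("alice", "E100", True, date(2010, 5, 7)),
    Account("bob", "E200", True, date(2010, 2, 1)),        # never disabled after leaving
    Account("svc_backup", None, True, date(2010, 5, 9)),   # service account, no owner
    Account("carol_ctr", "C300", True, date(2010, 5, 6)),  # still in use after contract end
    Account("dave_ctr", "C400", True, date(2010, 1, 10)),  # idle for months
    Account("erin", "E500", True, date(2010, 5, 8)),       # no HR record at all
    Account("frank", "E200", False, date(2009, 12, 1)),    # correctly disabled
]

if __name__ == "__main__":
    for username, finding in reconcile(HR_ROSTER, DIRECTORY_EXPORT, TODAY):
        print("%-12s %s" % (username, finding))
```

Run on a schedule, the output is the list an IDM workflow would turn into disable tickets; the "reuse" finding is the one that catches a successor working under a departed contractor's account.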
Problems and misunderstandings in the existing system, if not addressed, will carry over to the new one.

Do You Know Your Limits?

Now that you know the technology, directories, and services you need to integrate with, assess your limitations. Can you manage all of these technologies? Is one product the way to go, or do you need multiple ones?

One easy way to simplify identity management is to tie as many resources as possible into the smallest number of user directories. For instance, authenticate as many systems and applications to Active Directory as possible. Once you reduce the number of authentication points, implementing an IDM system is easier, there are fewer potential outages due to system changes, and fewer help-desk tickets for forgotten passwords.

Now you have the number of places to manage accounts down to a reasonable level and hopefully back in IT's hands. And if there isn't a lot of employee turnover, it may not make sense to invest in a larger, automated system. Alternatively, automation may substantially improve compliance with requirements like the Payment Card Industry standards. If you stop here, at least you've reduced support costs and improved the IDM process.

Which System Is Right?

There are many vendors in the IDM market, including CA, Conformity, IBM, Logic, Oracle, Radiant, SAP, and Symplified. The other option is to develop an in-house tool, but most companies find that's difficult and ends up costing too much. Off the shelf might cost more initially, but in the long run, it typically works much better as companies grow and add technologies.

Send vendors a list of the technologies you use, have them verify which they support and whether that support adds to the cost, and have them explain how your processes can be implemented with their systems.
Rank them based on your criteria and budget considerations.</p> <P> Before making a final selection, make sure you've taken time to look beyond what's in place now. You'll likely want to implement some new technology eventually. Ensure that whatever path you take with identity management, it's flexible and allows for additions and changes.</p> <P> <i><strong>Adam Ely</strong> is TiVo's director of security where he's responsible for IT and app security.</p>2010-05-10T06:00:00Z7 Steps To Better Identity ManagementHere's what you need to know about managing employee identities in this age of outsourcing and SaaS.http://www.informationweek.com/news/224700983?cid=SBX_iwk_related_commentary_Mobile_Security_security<!-- KINDLE EXCLUDE --> <!-- May 10, 2010 InformationWeek Green Promo --> <div style="margin:0; padding:0; border-top:dotted 2px #56a643;"> <a href="http://www.informationweek.com/gogreen/051010/index.jhtml?k=axxe&cid=article_axxe_os"><img src="http://twimgs.com/infoweek/1266/smallcov.jpg" alt="InformationWeek Green - May 10, 2010" width="65" height="87" hspace="0" vspace="0" border="0" align="left" style="margin:12px 33px 8px 15px;" /></a> <a href="http://www.informationweek.com/gogreen/051010/index.jhtml?k=axxe&cid=article_axxe_os"><img src="http://twimgs.com/infoweek/graphics_library/misc/Green_leaf_88x88.jpg" alt="InformationWeek Green" width="88" height="88" hspace="0" vspace="0" border="0" align="right" style="margin:8px 10px 8px 10px;" /></a> <div style="margin:10px 0 0 0; font-size:1.1em;" align="center"> <strong><a href="http://www.informationweek.com/gogreen/051010/index.jhtml?k=axxe&cid=article_axxe_os">Download the entire May 10, 2010 issue of <em>InformationWeek</em></a></strong>, distributed in an all-digital format as part of our <a href="http://www.informationweek.com/green/">Green Initiative</a><br /> (Registration required.)<br /> <div style="margin:6px 0 0 0; color:#56a643; font-weight:bold; font-size:1em;">We will plant a tree<br />for each 
of the first 5,000 downloads.</div> </div> </div> <div style="clear:both; margin:0; padding:0 0 0 0; border-bottom:dotted 2px #56a643;"></div> <!-- / May 10, 2010 InformationWeek Green Promo --> <br /><!-- leave as a br to not interfere w/ the insights boxes --> <!-- /KINDLE EXCLUDE --> <img src="http://twimgs.com/informationweek/1266/266F2art_110.jpg" alt="7 Steps To Better Identity Management " title="7 Steps To Better Identity Management " width="110" height="110" hspace="0" vspace="0" border="0" align="right" style="margin:0 0 10px 10px;" /> Managing employees' identities, passwords, and access rights has always been a challenge. And now, increased use of outsourcing and software-as-a-service offerings have further complicated things, requiring the use of federated identity management outside the corporate walls.</p> <P> Setting up and managing federated IDM, which makes users' identity data portable across autonomous security domains, can be complicated and cumbersome. With distributed systems, employees around the globe, and an endless number of technologies to integrate, it's not for the faint of heart.</p> <P> But if planned properly, there are significant benefits, including improved security, reduced operational overhead, lower support costs, and a better user experience. Identity management lets IT understand who users are, what applications and networks they have access to, and in most cases their job functions. It enables the complete management of an identity, versus providing an isolated view of a single account in a single system.</p> <P> The key is to understand what identity management technologies are in your environment, how people interact with them, and how they all tie together. What follows are seven steps for tackling these issues and improving the control you have over your environment.</p> <P> <strong>What Are You Managing?</strong></p> <P> Before you can manage user identities, step one is to know what you're managing. 
Your identity management approach will depend on how much you have to spend, the technologies that require identity management, and how sophisticated and comprehensive the system needs to be. <P> Does your company need basic user admin support, or everything from provisioning new users to single sign-on to deprovisioning of users who've left? If your company's growing, adding locations and employees, opting for SaaS applications instead of bringing more applications in-house, then you're better off with more automation of current IDM processes than spending money to bring in new solutions. <P> Fully automating the provisioning and deprovisioning of employees will cut back on mistakes, provide better security, and result in fewer audit issues. You can go a step further and create templates and expiration dates for employee accounts for application and network access; that will make your auditors happy. <P> If your company gives system access to outsourced partners, particularly third-party developers with high turnover, then automation is critical.
Too often, contractors' accounts are left active long after they leave, or new contractors use the account of the person they replaced because the access provisioning process is so painful.

2010-03-20T00:01:00Z
10 Steps To Ace A FISMA Audit
Anyone working with a federal agency will face one of these sooner or later. The best way to sail through is to know what auditors are looking for.
http://www.informationweek.com/news/224000063?cid=SBX_iwk_related_commentary_Mobile_Security_security

2010-03-20T00:00:00Z
10 Steps To Ace A FISMA Audit
Anyone working with a federal agency will face one of these sooner or later. The best way to sail through is to know what auditors are looking for.
http://www.informationweek.com/news/224000067?cid=SBX_iwk_related_commentary_Mobile_Security_security

The Federal Information Security Management Act, known as FISMA, is typically thought to apply only to government organizations. However, contractors and vendors that provide services to, manage systems on behalf of, or maintain close relationships with a government agency may be held to similar standards. <P> That can be a problem because FISMA regulations are confusing at best and more commonly just plain overwhelming.
Not surprisingly, a cottage industry has sprung up of expensive contractors who promise FISMA help. <P> Here's what they don't want you to know: Staying on the right side of FISMA auditors is a matter of common sense and solid security best practices. You're probably already doing much of what's required if you're complying with other security requirements, like PCI for payment accounts data security. <P> What follows are 10 commonsense steps you can take to prepare for a FISMA audit. While basic FISMA compliance won't always meet every government organization's security requirements--for example, you may be required to implement stricter data control requirements or a more involved change control process--you will have a sturdy base to build on. <P> <strong>1. Don't let details overwhelm you.</strong> <P> <strong>FISMA's Original Purpose</strong> <ul> <li><strong>Provide</strong> a comprehensive framework for ensuring the effectiveness of information security controls that support federal operations and assets.</li> <li><strong>Establish</strong> effective government-wide management and oversight of related information security risks, including coordination of civilian information security efforts.</li> <li><strong>Provide</strong> for development and maintenance of minimum controls required to protect federal information and information systems.</li> <li><strong>Acknowledge</strong> that commercially developed information security products offer advanced, dynamic, robust, and effective information security.</li> <li><strong>Recognize</strong> that agencies should be able to select specific hardware and software from among commercial products.</li> </ul> <P> When FISMA was drafted eight years ago, its six tenets were nothing less than groundbreaking (see box above). Where information security had long been an afterthought in most government agencies, it was brought to the forefront and made a requirement. <P> While these items are broad, their intent can be distilled: Agencies and their contractors need to build frameworks to address information security and risk management within their organizations. An accountable party must be tasked with information security, so that it won't fall by the wayside. And the government recognized, possibly for the first time, that the private sector has many benefits to offer in terms of protecting public information assets. <P> FISMA provides a bare-minimum starting point for organizations to build and take responsibility for their information security programs. <P> <strong>2. Protect the data.</strong> <P> Throughout FISMA, there's an emphasis on protecting information rather than systems. Systems and system security are important, of course, but in most cases, it's the data on these systems that has the most value. <P> Look at the data that's critical to your organization and the agency you work with.
Work outward to the systems, segments, and people around that data. This will not only better align you with FISMA, it will give you a more cost-effective, risk-based security program. <P> <strong>3. Accept that some risk is OK.</strong> <P> A 100% clean assessment checklist means the organization being assessed either lied or the assessor missed something, because there is always something to be found. Even the government accepts this as part of FISMA, stating that agencies must implement policies and procedures to "cost-effectively reduce risks to an acceptable level." <P> There it is in black and white--the U.S. government telling you to be cost-prudent, take a risk-based approach, and accept risk when necessary. <P> What's acceptable will vary from auditor to auditor. Use common sense, and when in doubt, do some research to understand how best-practices frameworks handle the risk. Typically, if you can provide reasonable thought behind a decision and show compensating controls in other areas, auditors will be open to discussing the situation. <P> <strong>4. Appoint someone to own data security.</strong> <P> FISMA requires organizations to appoint someone responsible for information security, with accountability ultimately rolling up to the CIO. Outside the government, many organizations have adopted other management paths for information security. Don't get hung up on the "letter of the law" here: The CIO doesn't need to be the person responsible. What must be in place, though, is a person who has ultimate oversight over information security matters, policies, and risk management and who's free from conflicts that may arise from other responsibilities. <P> That said, don't go too far down the ladder, either. A single, lowly system or network administrator responsible for security as part of a greater duty set isn't going to pass muster. <P> <strong>5. Implement a written plan and a budget.</strong> <P> Don't make security part of the miscellaneous bucket, where you force admins to rob Peter to pay Paul. This indicates to auditors a lack of planning and foresight. Set a budget, even if it's a small one to start, to show your clients and assessors that you're serious about security. <P> <strong>6. Embrace reporting.</strong> <P> Like many IT pros, I dislike reports. But the fact is, reports can actually save time and very often reduce misunderstandings. Keep in mind that assessors want their reports, and FISMA requires annual reporting for government agencies. <P> Automation is key here, so invest in software that will save time and money in the long run. Spend the time needed to automate as many reports as you can. Pretty is not the priority. <P> Implementing technologies to provide better insight, refine reporting metrics, and reduce workload will go a long way with auditors while increasing the effectiveness of your security program. For example, a security information and event management system such as ArcSight or OSSIM can be invaluable in helping to correlate information from which metrics can be derived and reports built. <P> <strong>7. Note that monitoring is mandatory.</strong> <P> FISMA requires continuous monitoring of certain controls, such as system changes, configuration management, ongoing assessments of security controls, and reporting activities. Monitoring can be costly and overwhelming, so look at what tools you already have and determine if they can be used to meet this requirement. For example, are you logging activity already? Is someone looking at reports periodically, and does the tool support automated alerts? Great--pass security logs through this process. If not, look to automate as much as possible without breaking the bank, such as with the open source OSSIM tool.
Also go with a system that can benefit the organization in ways other than just security, such as Splunk for log management. <P> <strong>8. Test controls and be able to prove you did so.</strong> <P> FISMA requires that organizations evaluate the controls they have in place regularly, at least annually. Many companies stumble with this. Testing needs to be thought out. Spend time planning this step to meet these goals: <ul> <li>Thoroughly evaluate the controls;</li> <li>Retain evidence of evaluation and findings; and</li> <li>Implement a process to remediate findings.</li> </ul> <P> Keep proper documentation, plan this step before beginning the evaluation, and assign someone ownership of the remediation project--it will make the process much smoother. And to avoid stumbling in this area, employ an audit-tracking system. <P> <strong>9. Follow the leader.</strong> <P> Investigate the controls stressed by the agency that will be assessing your program, and follow its lead. If you have yet to win a contract, search Google for information security policies and requirements for providers at the agency you want to work with. If you can't find anything online, call the office of the CIO and ask for guidance. <P> <strong>10. Still confused? Time for outside help.</strong> <P> Don't be afraid to ask your assessors or clients for recommendations on security products and services. If this isn't possible, bring in a consultant familiar with FISMA to evaluate your plans. A few hours of consulting fees may save you a lot of hassle and cost during the remediation process. <P> We worked with one information security manager whose company was undergoing a review by a federal agency. He read everything he could and talked to colleagues, but in the end what paid off most was attending an event where federal security practitioners were available for questions.
There, he met someone willing to provide pointers and insight into specific control areas free of charge. <P> When all is said and done, FISMA compliance isn't much different from other standards. Bottom line: Look at a FISMA audit as an impetus to implement better security, provide value to your customers, and do the right thing by those whose data you hold. <P> <em><strong>Adam Ely</strong> is director of security for TiVo.</em> <P> Write to us at <a href="mailto:weekletters@techweb.com">iweekletters@techweb.com</a>.

2010-03-03T14:00:33Z
Malware's New Vehicle
http://www.iweek-interim.com/news/229203184?cid=SBX_iwk_related_commentary_Mobile_Security_security

Malware has been around for years, but most IT pros think about it only when a family member calls for computer help. Well, one theme of RSA is that we're all going to have to pay closer attention. That's because malware is back in a big, and new, way. Caleb Sima, <a href="http://www.armorize.com">Armorize</a> CEO and founder of SPI Dynamics, gave the RSA keynote on Tuesday detailing the malware threat to Web sites and site visitors. Also this week, <a href="http://www.qualys.com">Qualys</a> announced the launch of its Web site malware scanning service to compete with Armorize and <a href="http://www.dasient.com">Dasient</a>. <P> Web malware is the new threat to organizations and their users. Most IT professionals think of malware only at the desktop. We install an anti-malware package and go about our business. So attackers looking for ways into organizations are now exploiting new attack vectors to infect systems and steal data. They're targeting trusted Web sites with security flaws, loading their malware, and infecting site visitors.
No longer must attackers compromise the site database to steal information; they can just compromise all the users. <P> That's a big problem for the organization running the Web site, not just visitors and their IT groups. Enter Armorize, Dasient, and Qualys. <P> These three companies are attempting to solve this problem by scanning Web sites to find malicious content, detect security flaws, and protect clients' brands as well as their site visitors. This has been a hot topic at RSA all week, and all organizations with a Web presence should think about it.

2010-02-07T17:39:30Z
Misguided Security Leads To Insecurity
http://www.iweek-interim.com/news/229203441?cid=SBX_iwk_related_commentary_Mobile_Security_security

It's once again travel time. Full disclosure: I was the first to publish an exploit against travel systems. Co-released with iDefense (since acquired by Symantec), this simple <a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1191">denial of service</a> exploit was capable of halting operations at most airlines and airports in the United States. I never released buffer overflow exploit code, and this flaw has since been rectified. Now, I'm just a frequent traveler and industry observer of misguided travel security processes that sometimes seem a physical manifestation of that DoS exploit. <P> Moreover, it's eerily similar to the worst type of enterprise IT security. <P> How so? IT security in some organizations is still reactionary, draconian, and too often just for show. Sometimes this is due to bad managers hoping to save their jobs or impress the boss.
In others, it's good intentions combined with inexperience. In either case, many organizations see a threat, react, and cause harm to the organization. In the end, when they get in the way, bad controls and processes are always bypassed for the good of the company. <P> The travel industry is a prime example of this in action. <P> At SFO, the TSA installed a fancy new people x-ray machine made by L3 to scan passengers. I am not a big fan of these but was willing to go through it for the experience. (Never mind that I have no idea if these are safe or not. At one time we thought lead paint on children's toys was safe. Enough said.) As I was waiting in line, the carry-on x-ray machine backed up. Seeing a problem, the TSA shuffled us through a metal detector instead and bypassed the new machine. It took so much longer for each person to pass through properly that the baggage x-ray operator had to stop his work. Impact to business, control bypassed. This new machine, which was supposed to increase our security, caused delays and was bypassed, thus reducing its ROI and proving that our security may not be any better with it than without, and may even be worse. <P> Granted, the airline industry's security protocol is immature and at times misguided. I like to pick on it as an example, and as any corporate security manager will tell you, with time and experience come better processes and controls. Assuming the power-hungry TSA does not remove all of our civil liberties and comes to its senses, we will overcome this. In the meantime, IT security managers of the world, do not follow this example. Be proactive, be risk-based, and align with the organization. Earn trust, prove results, and grow your program. <P> If you're with the TSA, L3, or Homeland Security and want to chat, <a href="mailto:aely@nwc.com">e-mail me</a>, <a href="http://twitter.com/adamely">tweet me</a>, or just stop me in an airport.
I'll be the guy standing in line to be x-rayed with holes in my socks and pants falling down as my belt passes me by.

2010-02-01T20:09:49Z
Barracuda Networks Enters the Enterprise Firewall Market
http://www.iweek-interim.com/news/229203430?cid=SBX_iwk_related_commentary_Mobile_Security_security

Through its acquisition of Phion, Barracuda Networks has launched a line of seven enterprise firewalls meant to consolidate network security devices and reduce management overhead when dealing with numerous distributed firewalls. The firewalls are aimed at the needs of a variety of organizations and priced from $599 for small branch offices to $40,000 for data centers. We spoke with Steve Pao, VP of product management, who says the devices are designed to provide the services and optimization today's distributed networks need. The Phion technology was originally developed for an Austrian banking data center that needed 650 firewalls with centralized management; Phion was founded in 2000 and acquired by Barracuda in 2009. <P> The Barracuda NG firewalls support IPSec and SSL VPNs and Web filtering, and can act as antivirus gateways. The devices are a compilation of technologies developed and acquired by Barracuda Networks over the past few years, with additional engineering for WAN optimization to save organizations line costs and improve communications. One distinctive feature not offered by many firewall vendors today is the ability to deploy either physical devices or VMware-ready images. <P> The Barracuda NG line is available immediately in North America with worldwide support.
Other markets will be added later.

2010-01-21T00:01:00Z
Websense To Monitor Facebook Pages
http://www.iweek-interim.com/news/229203683?cid=SBX_iwk_related_commentary_Mobile_Security_security

Today Websense released what is touted as the first security application for Facebook, developed via its recently acquired Defensio brand. Facebook users can now monitor their pages for unwanted content, including spam comments, profanity, and links to malware. This could be valuable for companies that want to control their online images and brands. Facebook users add the application, choose which settings to activate, and receive alerts when content is posted that violates their policies. Besides monitoring for profanity and spam comments, users can disallow links based on URL categories. All URLs are scanned in real time and compared with Websense's URL database. <P> Carl Mercier, Websense director of software development and Defensio founder, says the company has been monitoring pages of celebrities, including Lady Gaga, Oprah, and Jay-Z, to test the product. To date, Defensio has detected profanity, links to malware sites, and spam comments on Lady Gaga's page as well as the pages of many other celebrities. Besides safeguarding the reputations of page owners, the tool can help protect users of the social network site. <P> While privacy advocates may worry, Websense says the activities of users are not tracked, monitored, or analyzed. Only the content posted is reviewed, and the Defensio product cannot identify users.
<P> Currently free during beta, the Facebook application will remain free for individual users, while there will be a charge for business or high-volume pages. Pricing, and the definition of what constitutes a business or high-volume page, have not been finalized. <P> Check out the Defensio demo video via YouTube: <a href="http://www.youtube.com/v/BSLg-yVXt4I">http://www.youtube.com/v/BSLg-yVXt4I</a> <P> Tell me what you think on Twitter, <a href="http://twitter.com/adamely">@adamely</a>