ROAM DATA Payment Industry News Focusing on Mobile Payments


Tuesday, November 2, 2010

PayPal X Innovate 2010 Developers Conference

Tags » PayPal  » Comments (0)

At its PayPal X Innovate 2010 developer conference today, PayPal unveiled "new technologies and partnerships that will allow people to change the way they pay – accessing their digital wallets from more devices to shop, browse and pay anytime, anywhere."

PayPal Announcements:

Partner Announcements: Ustream is providing a live video feed from both days of the PayPal X Innovate 2010 conference, including all general conference sessions as well as live interviews from the show floor with executives, speakers, developers and attendees.

Glenbrook's Russ Jones has his reactions from the first day of the conference posted in Payments Views.



Headline News - October 27, 2010

Tags » Payments News - Headline News  » Comments (0)

Headline News is compiled by Glenbrook Partners:

Note: Throughout the day, as we spot interesting developments, this post is updated.


Are You Naked Online?

You are exposing yourself every day online. You probably don't know how naked you are and how much sensitive information you display.

Learn about the many ways you show yourself to others, what naughty bits they learn about you and what you can do to cover sensitive places.

Learn who is straining to peek at you and how those peeping toms profit from your private information. Worse yet, you are also exposing your family and your business to the harsh light of day.

Theresa Payton, online security consultant and former Chief Information Officer at the White House, and Ted Claypoole, privacy lawyer and co-chair of the American Bar Association's Cyberspace Privacy Subcommittee walk you through the Internet's house of mirrors, exposing your vulnerable spots and unwrapping the best strategies for online privacy.    



Two Factor Authentication for the IBM System i

The pressure to demonstrate compliance with standards and regulations such as Sarbanes-Oxley, HIPAA, PCI DSS and Basel II, coupled with the increased value placed on the information created and stored, means organizations face the challenge of securely controlling access to sensitive data. Ever-changing user requirements inside the firewall, and the need for employees, partners, suppliers and others to reach data from outside the firewall, only increase the complexity of securely managing user access.

The traditional access control method of user IDs and passwords can no longer be considered the most secure option. Read on to learn about two-factor authentication, a technology that helps organizations meet compliance standards and improve their existing security posture, and how it works on the System i server.



Cisco MARS: What third-party lockout means for SIEM products

In November of 2009, Cisco Systems Inc. announced that its MARS security information and event management (SIEM) product would no longer support integration with third-party products. As such, should enterprises still consider MARS when looking at SIEM products, or is the vendor lock-in too high a price to pay? That's what we'll cover in this tip.

First, a little background: What is MARS? Quoting from Cisco's Frequently Asked Questions (FAQ), the vendor's Security Monitoring, Analysis and Response System, or MARS for short, is an "appliance-based, all-inclusive solution that allows network and security administration to monitor, identify, isolate and counter security threats." Basically, MARS is Cisco's attempt at a unified security monitoring and mitigation platform that allows the appliances within Cisco's security product portfolio to interact with each other and effectively address security threats in a timely manner (sometimes in real time).

Cisco MARS belongs to a family of products that has its roots in log management. A traditional log management platform attempts to provide a central repository for collecting events from servers, firewalls, switches, routers and even Web services. Most log management platforms come with a pretty robust parsing engine with some ability to trigger alerts on preset search signatures. These search signatures are highly customizable, providing extensive regular expression matching. To give you an example, search signatures could be set up to trigger alerts when accounts are created or deleted on systems, device configurations are modified or system failures take place, among others. This provides a pretty effective way to track down system or security events. These platforms also come with preconfigured alert packages that help organizations address compliance requirements like PCI DSS.

How is MARS different? MARS is a SIEM product, and, like other SIEM products, it offers baseline log management features and extends to provide intelligent threat analysis and threat mitigation capabilities on security events received from a wide variety of sources. It might be easier to understand where MARS fits into the enterprise by running through an example. Since a Cisco product is our focus, I have kept this example Cisco-centric.

Let's say Company A likes to stay informed on the latest security threats and has a robust security infrastructure to provide it visibility into various parts of its network. Company A has deployed a firewall with an inline intrusion prevention (IPS) module, and has also deployed a Web security gateway to provide traditional URL and reputation filtering with malware intelligence. This architecture is augmented by an endpoint security product that combines a host-based IPS with acceptable use policy enforcement and traditional antivirus protection. To disallow unauthorized systems from connecting to its network, the company also employs a network access control (NAC) system. Finally, Company A also hosts an ecommerce platform at a service provider.

As you can see, Company A likes to keep on top of security with point products addressing security at multiple levels. But having all these point products makes it difficult -- if not impossible -- to manage, monitor and mitigate security risks in a timely manner. In other words, Company A has rightly implemented a multi-layered security strategy, but the effectiveness and timeliness of its risk mitigation capabilities would be compromised by the sheer number of devices providing information. But by adding a SIEM product to the mix, Company A can use intelligent correlation to take the alerts and data from each of the point products that the company has in place, aggregate and normalize them to remove repeat entries (damping), and then apply built-in security rules to identify threats and effectively mitigate them. The last action -- the actual application of the rules -- is the most critical step to successfully identifying a security threat.
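To make the pipeline the last two paragraphs describe concrete, here is an added example (not Cisco's code and not the author's): it normalizes two constructed log formats onto one schema, damps repeated entries, runs a search-signature rule for account creation and deletion, and runs one cross-source correlation rule. The log formats, field names, sample lines and rule thresholds are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not real device output): a syslog-style firewall
# line and a key=value host-IPS line, the two formats the SIEM must normalize.
RAW_EVENTS = [
    "2010-10-27T10:00:01 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22",
    "2010-10-27T10:00:02 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22",
    "2010-10-27T10:00:02 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22",
    "2010-10-27T10:00:05 fw01 ALLOW src=203.0.113.7 dst=192.0.2.10 dport=22",
    "ts=2010-10-27T10:00:09 host=192.0.2.10 product=hips action=useradd user=backup2",
    "ts=2010-10-27T10:01:30 host=192.0.2.11 product=hips action=userdel user=tmp",
    "garbage line the parser does not understand",
]

# Parsing engine: one regular expression per assumed source format.
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
HIPS_RE = re.compile(
    r"^ts=(?P<ts>\S+) host=(?P<host>\S+) product=hips "
    r"action=(?P<action>\S+) user=(?P<user>\S+)$"
)


def normalize(line):
    """Map one raw line onto a common event schema; unknown formats return None."""
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall",
                "action": m["action"].lower(), "src": m["src"],
                "dst": m["dst"], "dport": int(m["dport"])}
    m = HIPS_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "hips",
                "action": m["action"], "dst": m["host"], "user": m["user"]}
    return None


def damp(events, window=timedelta(seconds=60)):
    """Collapse identical events repeated within `window` into one record with a count."""
    out, last = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = tuple(sorted((k, v) for k, v in ev.items() if k != "ts"))
        if key in last and ev["ts"] - out[last[key]]["ts"] <= window:
            out[last[key]]["count"] += 1
            continue
        last[key] = len(out)
        out.append(dict(ev, count=1))
    return out


def signature_alerts(events):
    """Search-signature rule: alert on every account created or deleted on a host."""
    return [f"account {e['action']} user={e['user']} on {e['dst']}"
            for e in events
            if e["source"] == "hips" and e["action"] in ("useradd", "userdel")]


def correlation_alerts(events, window=timedelta(minutes=5)):
    """Cross-source rule: >=3 damped SSH denies from one source, then an ALLOW from
    that source to the same host, then a new account on that host, all within `window`."""
    alerts = []
    for d in events:
        if not (d["source"] == "firewall" and d["action"] == "deny"
                and d["dport"] == 22 and d["count"] >= 3):
            continue
        for a in events:
            if not (a["source"] == "firewall" and a["action"] == "allow"
                    and a["src"] == d["src"] and a["dst"] == d["dst"]
                    and d["ts"] <= a["ts"] <= d["ts"] + window):
                continue
            for h in events:
                if (h["source"] == "hips" and h["action"] == "useradd"
                        and h["dst"] == a["dst"]
                        and a["ts"] <= h["ts"] <= a["ts"] + window):
                    alerts.append("possible brute force then backdoor account: "
                                  f"{d['src']} -> {h['dst']} user={h['user']}")
    return alerts


def run_siem(lines):
    """Full pipeline: parse, normalize, damp, then apply both rule types."""
    events = damp(e for e in map(normalize, lines) if e)
    return {"events": events,
            "alerts": signature_alerts(events) + correlation_alerts(events)}


if __name__ == "__main__":
    for alert in run_siem(RAW_EVENTS)["alerts"]:
        print(alert)
```

The three identical DENY lines collapse to one record with count 3, which is what lets the correlation rule fire without being tuned to raw line volume. Note that the correlation rule only works because both sources were normalized to the same host field; an unparsed source (the garbage line, or a device the SIEM has no parser for) simply vanishes from the pipeline, which is exactly the interoperability problem discussed below.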

Now that we've discussed the security function that SIEM tools like Cisco's MARS provide, the question emerges: How crucial is third-party interoperability? The answer: very. As the point of SIEM technologies is to be able to correlate data from a variety of sources, a SIEM's inability to talk to some or any of those sources renders it marginally useful at best, and marginally useful is not reason enough to spend a significant amount of money on a SIEM.

While we can only speculate about the strategic reasons behind Cisco's decision, the implications are clear: a report last year from Gartner Inc. found that Cisco MARS is no longer viable as a general-purpose SIEM. Instead, Cisco seems to be pushing its broader "security threat management" approach using Cisco products while de-emphasizing compliance reporting for non-Cisco devices.

The big question now is whether an enterprise should limit itself to the Cisco platform or consider migrating to a more open platform. A key driver for this decision would be to determine how committed an enterprise already is to the Cisco platform. If most of the switching and routing fabric within an organization's network is Cisco-based, and future spend for perimeter defenses is already earmarked for Cisco gear, then staying with Cisco might be a much easier decision to make. On the flip side, by polarizing the SIEM space (Cisco vs. non-Cisco), Cisco has opened itself up to the risk of traditional Cisco shops abandoning its platform altogether, not only for more interoperability, but also to avoid losing the flexibility of negotiating pricing and the ability to effect product enhancements in the long term. It's perhaps one of the reasons why the SIEM market (apart from Cisco) has been so fluid and competitive in the past year.

For enterprises with multi-vendor security point products that are shopping around for a SIEM platform, I wouldn't recommend putting MARS on the short list of products to consider. Enterprises currently using MARS to monitor non-Cisco security devices should begin planning the transition to an alternative SIEM platform. This recommendation is in no way a criticism of MARS' abilities -- it is good at what it does -- but rather of its inability to integrate third-party vendors' security products, which is crucial to an effective SIEM platform. By making the MARS platform Cisco-centric, Cisco is setting a precedent that enterprises should consider: will it make other, future security products less interoperable? It's hard to say, but enterprises should consider that likelihood when evaluating future adoption of Cisco security products, especially if avoiding potential interoperability issues is important to them.

While Cisco's decision to stop supporting third-party security event management sources might affect its adoption rate in the short term, it has the unintended positive effect on the greater market of pushing a lot of the competition to support more open platforms.

About the author:
Anand Sastry is a Senior Security Architect at Savvis Inc. Before joining Savvis, he worked for clients in several industries (large and mid-sized enterprises in financial, healthcare, retail and media) as a member of the security services group for a Big 4 consulting firm. He has experience in network and application penetration testing, security architecture design, wireless security, incident response and security engineering. He is currently involved with network and web application firewalls, network intrusion detection systems, malware analysis and distributed denial of service systems.



Creating a network endpoint security policy for hostile endpoints

NETWORK SECURITY TACTICS

Andrew Jaquith, Forrester Research
09.13.2010

The enterprise security perimeter is quickly dissolving. Everything from company financials, source code and emails to unstructured documents and other forms of data is circulating outside the enterprise firewall on non-IT-controlled devices. Not surprisingly, Cambridge, Mass.-based Forrester Research Inc. has found that nearly half (47%) of North American and European enterprises say that implementing security requirements for third parties is a high or critical priority.

IT security has long operated on a simple principle: Because the firm owns all user endpoint devices that access company information, securing the devices means that data on them is secure. But what if that foundational principle no longer applies? The increasingly insistent and inconvenient spread of sensitive data to non-company-owned devices suggests that it doesn't.

Conversations with enterprises in the manufacturing, media and seasonal services verticals uncovered some unconventional wisdom: Control does not necessarily require ownership. Moreover, successfully controlling the spread of sensitive information on the network requires inverting conventional wisdom entirely by planning as if the enterprise owned no devices at all. Forrester calls this strategy the Zero Trust Model. To put the strategy even more simply: Treat all endpoints as hostile.

In recent research, Forrester identified five data security design patterns for implementing the Zero Trust strategy: thin client, thin device, protected process, protected data, and eye-in-the-sky. None of these patterns assume that the enterprise owns the endpoint devices. By dismissing the age-old conflation of ownership and control, enterprises will be able to design a network endpoint security policy that encompasses all possible ownership scenarios, including "technology populism," offshoring and outsourcing. To that end, look to secure your company's information with the following: Thin client: Process centrally, present locally
Thin client is the old war horse of the Zero Trust strategy, encompassing a variety of technologies, including OS streaming, hosted desktop virtualization and workplace virtualization. Implemented in a security context, sensitive data stays centralized in hardened bunkers, with remote devices allowed to view it only via thin-client terminal applications. Because network access is required, thin client doesn't support offline use.

The advantage of the thin client is that data never leaves the server: It is only rendered on the endpoint. For additional security, IT can restrict host copy-and-paste operations, limit data transfers and require strong or two-factor authentication using tokens. Client

Thin device: Replicated data, with device-kill for insurance
The thin device pattern constrains access by limiting the type of device that can be used to access the data. Point-purpose devices like smartphones, for example, can keep only limited amounts of sensitive information on them. The information they keep is replicated, with master copies stored in data centers. Because of their size, storage capacity and comparatively modest processing power, applications are limited to email, light Web surfing and simple Web applications, rather than general data processing. With the thin device pattern, IT security groups can still control the security of devices, even when they don't own them. Using native management tools or third-party mobile device platforms like those made by Sybase Inc., smartphone security policies that can typically be imposed include backup and enforced encryption. For insurance, thin devices can be remotely wiped, making them truly disposable, unlike PCs. However, IT security may find it technically or politically unfeasible to impose IT security policies on non-company-owned devices. Protected process: Local information processing in a secure "bubble"
Unlike the thin client pattern, which keeps sensitive data off client devices entirely, the protected process pattern allows data to be processed locally on non-IT-owned machines. Sensitive information sits inside a compartmentalized processing environment that is separated from the user's local operating system environment -- essentially a "bubble" -- whose security and backup properties are controlled by IT. The protected process pattern has many advantages: local execution, offline operation, central management and a high degree of granular security control, including remote wipe capabilities. But keep in mind that most operating system and application virtualization products are Intel- or Windows-only.

Protected data: Documents protect themselves regardless of location
Whereas all of the previous patterns seek to control the operating environments that process information, the protected data pattern protects the data itself. Technologies like enterprise rights management (ERM) enshrine access rules into documents directly. These rules, which rely on cryptography for enforcement, apply no matter where the document rests, which is a key advantage. Of all the patterns in the Zero Trust data security strategy, protected data is the most fine-grained and effective because it focuses on the information, not its containers.

One of the disadvantages to this pattern is that ERM requires client-side agents on every participating endpoint. The technology can also be challenging to deploy: Organizations tell Forrester that ERM business unit users sometimes create policies that are too tight, making data difficult to access, and policies don't adapt well to organizational changes.
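As an added illustration of the protected data pattern (example code for this page, not Forrester's and not any ERM product's), the following Python sketch shows what "rules enshrined in the document and enforced by cryptography" means in practice: the policy travels inside the file, a MAC binds it to the encrypted body so a holder of the file cannot loosen it, and a central policy server (the hypothetical `PolicyServer`) releases the content key only after the policy passes. It uses only the standard library, with HMAC-SHA256 as the PRF for a counter-mode keystream and as the integrity tag; a real product would use a standard AEAD such as AES-GCM. The document, the policy fields and every identifier are constructed for the example.

```python
"""Protected-data pattern, illustrated: the access policy travels inside the
document, a MAC binds it to the encrypted body, and a central policy server
releases the content key only after the policy passes.

Added example for this page; not Forrester's code and not any ERM product's.
Standard library only: HMAC-SHA256 serves as the PRF for a counter-mode
keystream and as the integrity tag (encrypt-then-MAC). A production ERM
system would use a standard AEAD such as AES-GCM instead."""
import hashlib
import hmac
import json
import os

# Held only by the (hypothetical) policy server; never written into a file.
MASTER_KEY = os.urandom(32)


def _kdf(key, label):
    """Derive a per-document sub-key from the master key and a label."""
    return hmac.new(key, label.encode(), hashlib.sha256).digest()


def _keystream_xor(key, nonce, data):
    """Counter mode with HMAC as the PRF: block i = HMAC(key, nonce || i).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        counter = (off // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def _tag(mac_key, policy_bytes, nonce, ciphertext):
    """Integrity tag over policy AND ciphertext: editing either invalidates it."""
    return hmac.new(mac_key, policy_bytes + nonce + ciphertext, hashlib.sha256).digest()


def protect(doc_id, plaintext, policy):
    """Seal a document. The policy is authenticated but readable; the body is encrypted."""
    nonce = os.urandom(16)
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    ciphertext = _keystream_xor(_kdf(MASTER_KEY, "enc:" + doc_id), nonce, plaintext)
    tag = _tag(_kdf(MASTER_KEY, "mac:" + doc_id), policy_bytes, nonce, ciphertext)
    return {"doc_id": doc_id, "policy": policy, "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


class PolicyServer:
    """Central authority (hypothetical). The file alone is useless without it."""

    def __init__(self, master_key):
        self.master = master_key
        self.audit = []  # every request, allowed or not, is logged centrally

    def request_key(self, env, user, action, now):
        doc_id = env["doc_id"]
        nonce, ct = bytes.fromhex(env["nonce"]), bytes.fromhex(env["ciphertext"])
        policy_bytes = json.dumps(env["policy"], sort_keys=True).encode()
        expected = _tag(_kdf(self.master, "mac:" + doc_id), policy_bytes, nonce, ct)
        if not hmac.compare_digest(expected, bytes.fromhex(env["tag"])):
            self.audit.append((doc_id, user, action, "TAMPERED"))
            return None
        p = env["policy"]
        ok = user in p["users"] and action in p["actions"] and now < p["expires"]
        self.audit.append((doc_id, user, action, "ALLOW" if ok else "DENY"))
        return _kdf(self.master, "enc:" + doc_id) if ok else None


def open_document(env, user, action, now, server):
    """Client-side agent: ask for the key, decrypt only if it is released."""
    key = server.request_key(env, user, action, now)
    if key is None:
        return None
    return _keystream_xor(key, bytes.fromhex(env["nonce"]), bytes.fromhex(env["ciphertext"]))


def demo():
    """Walk through allowed, denied and tampered opens on a constructed document."""
    policy = {"users": ["alice"], "actions": ["view"], "expires": 2_000_000_000}
    env = protect("q3-forecast", b"revenue forecast: constructed sample", policy)
    server, now = PolicyServer(MASTER_KEY), 1_700_000_000
    allowed = open_document(env, "alice", "view", now, server)
    wrong_user = open_document(env, "mallory", "view", now, server)
    wrong_action = open_document(env, "alice", "print", now, server)
    # Anyone holding the file can edit the readable policy, but the tag no longer verifies.
    forged = dict(env, policy={**policy, "users": ["alice", "mallory"]})
    forged_open = open_document(forged, "mallory", "view", now, server)
    return allowed, wrong_user, wrong_action, forged_open, [a[3] for a in server.audit]


if __name__ == "__main__":
    print(demo())
```

The server-side audit list is the point of the design: the document can rest anywhere, but every open attempt is decided and logged at one place, and a loosened policy is caught by the tag check rather than trusted. It also shows why the client-side agent mentioned in the next paragraph is unavoidable, since something on the endpoint has to perform the key request and decryption.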

Eye-in-the-sky: Know when important information leaves
The fifth Zero Trust data security design pattern is a supplementary data control technique for detecting, logging and optionally blocking sensitive data that leaves the physical or logical enterprise perimeter. Data leak prevention (DLP) technology, and, to a lesser extent, security information and event management (SIEM) tools, form the backbone of this pattern.

The primary advantage of the eye-in-the-sky pattern is that it can detect sensitive data as it moves outside the logical security boundaries, making it ideal for understanding the velocity and direction of information flow and for detecting anomalous transmissions. Unfortunately, most enterprises aren't able to require their business partners to install DLP agents on their computers. For this reason, enterprises should regard the eye-in-the-sky pattern as one that supplements other protection capabilities for outside PCs.
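As an added example of the eye-in-the-sky pattern (illustrative code for this page, not a DLP or SIEM vendor's), the following Python scanner runs the pattern's three verbs, detect, log and optionally block, over a few constructed egress log lines: content detectors (a card-number pattern validated with the Luhn check, and a classification marker) identify sensitive data, the destination address decides whether the transfer crosses the logical perimeter, and a per-destination byte total gives the "velocity and direction" view the paragraph describes. The log format, the address ranges treated as internal and the block/alert policy are assumptions made for the example.

```python
"""Eye-in-the-sky pattern, illustrated: detect sensitive content in outbound
transfers, log every hit, and block only the clearest cases that cross the
logical perimeter.

Added example for this page; not a DLP or SIEM vendor's code. The egress log
format, the address ranges treated as internal and the block/alert policy are
assumptions made for the example; the log lines are constructed."""
import ipaddress
import re

# Constructed egress-proxy log lines (assumed format).
LOG_LINES = [
    '2010-10-20T14:03:11Z src=10.1.4.22 dst=10.2.0.5 channel=smtp bytes=1200 content="Q3 numbers [CONFIDENTIAL] attached"',
    '2010-10-20T14:05:40Z src=10.1.4.22 dst=203.0.113.9 channel=https bytes=48211 content="please find the [CONFIDENTIAL] forecast"',
    '2010-10-20T14:06:02Z src=10.1.7.9 dst=198.51.100.4 channel=smtp bytes=900 content="card 4111 1111 1111 1111 exp 12/12"',
    '2010-10-20T14:07:15Z src=10.1.7.9 dst=198.51.100.4 channel=smtp bytes=700 content="order ref 1234 5678 9012 3456"',
    '2010-10-20T14:08:30Z src=10.1.9.3 dst=192.0.2.77 channel=https bytes=120 content="lunch at noon?"',
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) '
                     r'channel=(?P<channel>\S+) bytes=(?P<bytes>\d+) '
                     r'content="(?P<content>.*)"$')
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")                # candidate card numbers
MARKER_RE = re.compile(r"\[(?:CONFIDENTIAL|INTERNAL ONLY)\]")  # classification label


def luhn_ok(digits):
    """Luhn checksum: filters the many 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detectors_for(content):
    """Return the names of the content detectors that fire on this payload."""
    found = []
    for m in CARD_RE.finditer(content):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append("PAN")
            break
    if MARKER_RE.search(content):
        found.append("MARKED_CONFIDENTIAL")
    return found


def is_external(ip_text):
    """Crossing the logical perimeter = destination outside the internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def scan(lines):
    """Detect, log, optionally block: one finding per line that carries sensitive data."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # production code should count unparseable lines, not drop them silently
        rec = m.groupdict()
        dets = detectors_for(rec["content"])
        if not dets:
            continue
        external = is_external(rec["dst"])
        if external and "PAN" in dets:
            action = "block"   # card data leaving the perimeter: stop it
        elif external:
            action = "alert"   # labelled data leaving: raise for review
        else:
            action = "log"     # internal movement: record only
        findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                         "channel": rec["channel"], "bytes": int(rec["bytes"]),
                         "detectors": dets, "external": external, "action": action})
    return findings


def external_bytes(findings):
    """Direction and volume of sensitive flows: bytes per external destination."""
    totals = {}
    for f in findings:
        if f["external"]:
            totals[f["dst"]] = totals.get(f["dst"], 0) + f["bytes"]
    return totals


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f["action"].upper(), f["ts"], f["src"], "->", f["dst"], f["detectors"])
    print(external_bytes(scan(LOG_LINES)))
```

The fourth constructed line shows why a bare digit pattern is not enough: it looks like a card number but fails the Luhn check, so it produces no finding. The scanner only ever sees traffic that passes through an observation point it controls, which is the limit the paragraph above describes: a partner's machine that never routes through the enterprise proxy is invisible to it.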

About the author:
Andrew Jaquith is a senior analyst at Forrester Research, where he serves security and risk professionals. He will speak at Forrester's 2010 Security Forum in Boston, Sept. 16-17. Andrew's colleague, John Kindervag, will speak at the Forum as well on the subject "No More Chewy Centers: The Zero-Trust Model Of Information Security."


The Business Case for a Next-Generation SIEM

Delivering operational efficiencies and lower costs through an integrated approach to network security management.

The selection of the most effective IT technology is a major concern for companies of all sizes, across almost every industry.

In the current economic climate, organizations face the difficult task of prioritizing where to best spend their limited budgets so that they emerge from these uncertain times as strong, viable companies.

Feeling this pain most acutely are those who deliver critical network services and applications.

Despite adverse economic conditions, they must still meet a variety of requirements, such as:

• Meeting evolving and increasing numbers of regulatory mandates

• Securing IT assets from continually evolving threats

• Delivering security controls for existing and emerging technology solutions

There will be difficult, economically-driven choices to be made, and organizations need to be strategic in selecting the solutions they will deploy.

This paper will help outline the challenges and key things to consider in order to build a business case for deploying a SIEM solution.


Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.



Data Center Virtualization: Delivering More Efficient Use of Server Resources to Aid in Disaster Recovery Efforts, Minimizing Server Sprawl and Maintain System Uptime


Access Control

This paper examines how CDW Healthcare can help you create a comprehensive access control solution. This access control solution will incorporate user authorization and user tracking throughout the facility.

Protecting your networks and the data within them from unauthorized access involves a multilayered approach, utilizing multiple access point safeguards.

CDW Healthcare can help you create a comprehensive access control solution that:

• Streamlines user authorization and secure access across the enterprise

• Tracks user access throughout your facility, synching with physical security components (e.g., cameras) for a complete activity snapshot

• Centralizes monitoring, control and assignment of access levels for simplified I.T. management

Continue reading to learn more about how to protect your network from unauthorized users.




PCI Security Standards Council Releases Version 2.0 of the Security Standard

Tags: PCI Security Standards Council

The PCI Security Standards Council (PCI SSC) has announced version 2.0 of the PCI-DSS and PA-DSS standards. Reflecting input from the Council's global stakeholders, this latest version does not introduce any new major requirements, but does modify language of the standard in order to clarify the meaning of the requirements and make understanding and adoption easier for merchants.




802.11n Migration: The Newest Fact of Life For IT Organizations

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of TechTarget - The Most Targeted IT Media  |     

All Rights Reserved, Copyright 2000 - 2010, TechTarget | 




A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security

Recent economic troubles might have something to do with the fact that many organizations today seek to establish only the bare minimum level of security. To be more precise, they try to do what they think is the bare minimum. In fact, their belief that security "due diligence" can be reduced to the level prescribed by regulations such as the Payment Card Industry Data Security Standard (PCI DSS) is more common than ever. Unfortunately, the results of this flawed thinking include security breaches and other damaging events.

This trend toward establishing the minimum required level of security has affected many security safeguards, including Security Information and Event Management (SIEM) and log management. Most organizations simply deploy these technologies to place a check in the compliance check box. In this paper we will take a look at this disturbing trend and provide useful guidance for maximizing the value of SIEM and log management tools, while focusing on protecting systems and data, not on simply checking the compliance check box.

To summarize, SIEM focuses on security while log management focuses on broad use of log data. More specifically, SIEM tools include correlation and other real-time analysis functionality, which is useful for real-time monitoring. In comparison, log management tools often focus on advanced search across all log data. Today, some tools combine selected capabilities of SIEM and log management in a single product or product suite. Read on to learn more about SIEM and log management.




Backup System & Nerve Center Upgrade

This paper examines the importance of protecting your network from internal and external attacks. CDW Healthcare can help you design an integrated security solution to safeguard your network, servers, and clients.

Protecting your network from internal and external attacks begins at the gateway, and should involve deploying multilayer technologies to safeguard your network servers and clients.

CDW Healthcare can help you design and implement an integrated gateway and network security solution that:

• Monitors network activity and takes action against people or devices that misuse access; controls network access at connection and during network activities

• Integrates policy enforcement throughout the network to ensure use only by authorized people and devices

• Supports stronger, more scalable, comprehensive network security

• Builds in redundancy to protect against blended attacks

Continue reading to learn more about protecting your network from internal and external attacks.




Your Journey to EMR Starts with Content Management

Now is the time to assess your existing equipment and consult with a partner like CDW Healthcare to determine what you may need to upgrade or replace your document management technology for EMR readiness. Here’s a quick checklist: 

• Data capture — Does your scanning technology recognize optical characters, barcodes and other patterns?

• Workflow — Does your system automate file copying and does it support worklists, e-mail notifications and timed alerts?

• Data storage — Do you have enough storage space to handle growing digital file sizes?

• Data retrieval — How quickly can you access, download and transmit digital records?

• Data distribution — Printing, faxing and e-mailing should be standard capabilities for sharing patient data.

• Security — A system must protect information on multiple levels to comply with HIPAA and internal security policies.

Continue reading to learn more about content management and EMR.




eGuide: IT Compliance - Documentation Tips and 10 Tasks You Should Complete

Many IT managers understand the importance of meeting compliance requirements, but maintaining documentation and keeping it up to date can be difficult if you don't know what auditors look for. This expert e-guide from SearchExchange.com explains how to provide documentation to meet data protection laws and regulations. Find out what auditors look for and which documentation is required. And, learn about ten compliance-related tasks you should complete to ensure optimal internal controls have been established for your email systems.




Dr. InfoSec's Quotes of the Week (012)

RSA on Patching

"Unlike IT systems, users cannot be patched and will always be vulnerable to manipulation and infection..." -- Uri Rivner, head of new technologies, identity protection and verification at RSA

On the Smart Grid

"The more proliferation there is of intelligent metering and energy usage, the more opportunities there are for attackers..." -- Heath Thompson, CTO at metering company Landis+Gyr

Sykes on Communication

"The security of corporate information will stand or fall by the ability of the organisation’s various functions to communicate clearly and effectively with one another. It takes all teams to sustain a meaningful dialogue, so a change in mindset is needed from all sides..." -- Richard Sykes, PwC Governance Risk and Compliance Leader

On the Need for a Security Collective

"Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society. Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk..."  -- Scott Charney, Corporate VP of Trustworthy Computing at Microsoft

On Security Hampering Productivity

"The blade guard on my power saw hampers my productivity in cutting wood, but chopping off my hand or even just a few fingers tends to also have an impact on my productivity. That said, there are a lot of very, very silly URL blocking and email policies in place out there that *do* impact productivity, *don't* increase security and *do* encourage users to bypass IT systems..."  -- John Pescatore, VP Gartner Inc.

On Stuxnet-like Weapons

"A cyberweapon like Stuxnet threatens nation-states much more than it threatens a non-state actor that could deploy it in the future. In short, like every other major new weapons system introduced since the slingshot, Stuxnet creates new strengths as well as new vulnerabilities for the states that may wield it..."  -- Caroline B. Glick, writing for The Jerusalem Post

Cross-posted from Dr. Infosec



Rogue antivirus spoofs Firefox, Google attack warning pages

Oct 20 2010 2:03PM GMT

Posted by: Robert Westervelt
Rogue Antivirus, Phishing, malicious URLs, malware

Spoofed warning page includes a download link attempting to trick users with a phony browser update.

Security researchers at F-Secure and Websense have discovered cybercriminals pitching rogue antivirus software using a spoofed version of the attack warning pages that Firefox and Google Chrome display to block users from visiting malicious websites.

The phony attack page includes a download link that purports to be a browser update, but instead downloads rogue antivirus software, according to F-Secure.

According to F-Secure:

If your scripts are enabled, you don’t even need to click on the “Download Updates!” button. It will just offer the rogue AV to you.

It then refuses to let the user cancel the download.

In addition, Websense researchers found an iFrame that installs the Phoenix exploit kit from a different domain. Phoenix is used by cybercriminals pimping rogue AV to harvest data on infected machines and dupe the end user into buying the antivirus software. The kit consists of nine exploits for browser vulnerabilities, Java flaws, Flash errors and Adobe Reader bugs.



Database application security: Balancing encryption, access control

This tip is part of SearchSecurity.com's Data Protection School lesson, Locking down database applications. For more learning resources, visit either the lesson page or the Data Protection School main page.

Some of the most sensitive data in a company is stored in databases. Medical records, credit card numbers, employee records, Social Security numbers and other such data are subject to privacy regulations and must be protected.

At the same time, however, security must be balanced with the need to access the data for legitimate business use, including backups and remote replication for business continuity. The most powerful tool for data privacy is encryption, but it must be applied carefully in order to be effective for security and not disruptive to business. Here are some best practices for database application security when it comes to protecting sensitive data and establishing an encryption/access control balance:

Data minimization and obfuscation
The best and most effective way to protect sensitive data is to not store it in the first place. Thus, companies should always ask the following data minimization questions:

Will the data be needed beyond today?
Can we store only partial data for verification (e.g., last four digits of SSNs)?
Can we use other, less sensitive data for authentication (e.g., name of pet)?
Can we use or store a hash instead of the original data (e.g., MD5, SHA)?

In many cases, these questions can lead to a smaller, less sensitive set of stored data.

Data encryption
Companies can encrypt database data to protect against theft or accidental disclosure. There are three key issues that come with database encryption: where the data is encrypted, how it is encrypted and where the keys are stored. Let's address each below:

Where to encrypt data -- Encryption can be applied at the application layer, in the database or in the underlying storage. Within the database, data can be encrypted in a specific field, a column, a table or across the entire database. Each of these choices has pros and cons.

Application-layer encryption ensures the data is encrypted at the highest layer in the system, thus making it invisible to all the layers below. If encrypted in the application, the database, OS, network and all other components through which the data passes will only see the encrypted form.

The problem with encrypting at the highest level is that there are usually several high-level applications that need access to the data and will therefore need copies of the keys to decrypt it. The more the keys are distributed, the more vulnerable they are.

But if you encrypt at the lower levels, then you need to add other layers of encryption further up; for example, data will need to be encrypted in the network flows between database and application, otherwise it will be visible. This introduces other encryption keys that will need to be secured. It's a delicate balance that depends on the architecture of the application and the data flows.

How to encrypt -- Encryption can be implemented in software, in software with hardware assistance or entirely in hardware. Depending on the throughput you are trying to support (Mbit/sec), you may need some hardware acceleration. One choice is clear though: Always use a modern, strong and standards-based encryption and key management system; don't try to invent your own system that may or may not do the job properly. Some high-end server processors now have built-in encryption primitives supporting AES, which allow for much faster (up to nine times faster) encryption than software-based algorithms.

Where to store the keys -- The biggest challenge is not encryption per se, but key storage and distribution. The encryption is only as secure and only as accessible as the keys. Keys must be protected from attackers and stored separately from the encrypted data, but accessible to the encryption/decryption algorithm. At the same time, the keys must be backed up and replicated, so that backup data can also be decrypted if the primary data or primary key storage is lost due to a disaster. Any key management technology you select must support:

Secure storage of keys.
Authenticated and audit-trail access of keys.
Escrow or recovery keys to protect against loss.
The ability to back up and securely transfer keys to a remote location for recovery.
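An added example (my code, not from the article or from Nemertes Research) that puts the data-minimization questions and the key-storage advice together: keep only the last four digits of an SSN plus a keyed hash, with the key held in a separate store that can be rotated. The key store, key IDs, key bytes and the sample SSN are all constructed for the example.

```python
"""Added example, not from the article: a data-minimization store for
SSN-style identifiers. Only the last four digits and a keyed hash
(HMAC-SHA256) are persisted; the HMAC key lives in a separate key store.

A plain MD5/SHA hash is not a safe stand-in for a 9-digit number: the
input space is 10**9, and only 10**5 once last4 is stored beside the
hash, so anyone holding the table can enumerate it. A secret key kept
apart from the records is what makes the stored tag useless on its own."""
import hashlib
import hmac
import re

# Constructed sample key store (hypothetical key IDs and key bytes). In
# production the keys sit in a key-management system that is access-
# audited, backed up and escrowed, per the article's checklist.
KEY_STORE = {
    "ssn-hmac-v1": bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
    "ssn-hmac-v2": bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2),
}


def normalize_ssn(ssn: str) -> str:
    """Strip separators and insist on exactly nine digits."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def _tag(key: bytes, digits: str) -> str:
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def minimize_ssn(ssn: str, key_id: str, key_store=KEY_STORE) -> dict:
    """Return the record to persist instead of the full SSN."""
    digits = normalize_ssn(ssn)
    return {
        "last4": digits[-4:],      # enough for a call-centre confirmation
        "key_id": key_id,          # names the key that produced the tag
        "tag": _tag(key_store[key_id], digits),
    }


def verify_ssn(record: dict, candidate: str, key_store=KEY_STORE) -> bool:
    """Check a user-supplied SSN against a minimized record."""
    try:
        digits = normalize_ssn(candidate)
    except ValueError:
        return False
    key = key_store.get(record["key_id"])
    if key is None:                # key retired or unavailable: fail closed
        return False
    # constant-time comparison so timing does not leak matching prefixes
    return hmac.compare_digest(_tag(key, digits), record["tag"])


def rotate_on_verify(record: dict, candidate: str, new_key_id: str,
                     key_store=KEY_STORE) -> dict:
    """Re-tag a record under a new key. The original value is not stored,
    so rotation is only possible when the user presents it again; the old
    key must stay available (and backed up) until every record has moved."""
    if not verify_ssn(record, candidate, key_store):
        raise PermissionError("verification failed; record left unchanged")
    if new_key_id not in key_store:
        raise KeyError(new_key_id)
    return minimize_ssn(candidate, new_key_id, key_store)


if __name__ == "__main__":
    rec = minimize_ssn("123-45-6789", "ssn-hmac-v1")   # constructed sample
    print(rec)
    print(verify_ssn(rec, "123 45 6789"), verify_ssn(rec, "123-45-6780"))
```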

Encryption standards
Many encryption and key management systems are certified by one of two useful standards: Federal Information Processing Standard (FIPS) 140, levels 1 through 4, and Common Criteria Evaluation Assurance Level (EAL), levels 1 through 7. These standards offer a metric to compare the security of different systems' encryption algorithms, key storage and key management mechanisms: Higher numbers mean better encryption algorithms, better key storage, tamperproof hardware and better key management practices. For example, FIPS considers 11 different areas of security to assign a level of certification. You should pick the appropriate level of security depending on the sensitivity of the data and any regulatory requirements you face.

Database applications are complex and made of multiple tiers of loosely coupled components. They are difficult to secure, yet contain the most sensitive data in an organization. But by using data minimization and encryption, companies can strike the right balance between security, accessibility and availability for their data.

About the author:
Andreas M. Antonopoulos is a Senior Vice President and Founding Partner with Nemertes Research, where he develops and manages research projects, conducts strategic seminars and advises key clients. Andreas is a computer scientist, a master of data communications and distributed systems, a Certified Information Systems Security Professional (CISSP), with an engineering, programming and consulting background. For the past 16 years, he has advised a range of global industries on emerging technologies and trends.




Single Sign On, Digital Signage, Enterprise Apps

Using a single password or biometric fingerprint, SSO allows authorized users to log on to a PC or network one time, yet achieve access to multiple clinical, financial, and other applications and systems.

Look to CDW Healthcare for an SSO solution that aligns with your hospital’s needs and:

Streamlines secure access to patient data
Ensures privacy of patient records
Improves HIPAA compliance
Increases speed and quality of care
Eliminates time-consuming password resetting

Continue reading to learn more about single sign on log in applications.




Pen Testing for Low Hanging Fruit - Part 6 of 7

Do It Yourself or Outsource? - Part 6 of a 7-part series - (Part 1 Here) (Part 2 Here) (Part 3 Here) (Part 4 Here) (Part 5 Here)

Categories of Vulnerabilities

The category of passwords includes all forms of passwords and similar authentication schemes. 

They take the form of default application passwords; missing, blank and easily guessed passwords on operating system accounts; and other password uses such as SNMP community strings.

Another common area of password weaknesses is cases where administrators use similar passwords across different platforms. 

In other words, this becomes a problem when network administrators use the same password for their Microsoft Windows account, the Oracle “system” account and the Cisco administrative account.

Patch management for desktop PCs and servers always seems to be an issue, even in organizations that have robust patch management applications and policies already in place.

It is not uncommon to find missing patches from vulnerabilities that were announced three or four years ago. The implications of missing patches on security and privacy cannot be overstated. 

Missing patches account for a very large percentage of successful network attacks.

Information Technology policy and procedures are often the bane of a network administrator. 

Next to documenting network topologies and device configurations, policies and procedures are often the IT stepchild and receive the least amount of effort. 

Nobody likes to write them and few people read them. But they are critical to the overall success of any information security and privacy plan and should drive the configuration of all security devices.

There are many reasons why organizations don’t have current IT policy and procedure documents. The first reason is that it takes a lot of time and managers don’t often get evaluated on such projects. 

Metrics are developed to measure and reward for successful network implementations, short times for help desk users and great call qualities for the new VoIP implementation. 

Few corporate leaders are going to reward IT managers for well-written policy documents. 

Another reason for not having accurate policy documents is that often the person writing them has no authority to enforce them.

Despite all of these reasons, IT managers need to work together with human resources, legal and compliance personnel to convince top management of the need for current, accurate policies and procedures. 

Well-written documentation is the key to an effective management strategy and in the long run will help save the company money by ensuring a consistent process for each management task.

Consistent procedure documents also reduce the time spent training new employees, which also helps to save money.

Finally, accurate documentation is also a key component of most security and privacy regulations.



Meeting the True Intent of File Integrity Monitoring

The term “file integrity monitoring,” or FIM, popped up back in 2001 when Visa started working on a security specification that would eventually become the Payment Card Industry Data Security Standard (PCI DSS, or just PCI). FIM was referenced in two requirements of the PCI specification, but requirement 10.5.5 specifically instructed organizations that processed, transmitted or stored cardholder data to “Use file integrity monitoring/change detection software (such as Tripwire) on logs to ensure that existing log data cannot be changed without generating alerts.”

In reality, FIM had been around before its reference in the evolving PCI standard. Previously, though, it used a different name: “change audit.” So here we are ten years later. Where is FIM now? Is it still relevant or important? Does it really protect data and improve security? The answers, in order, are:

FIM is still called file integrity monitoring (FIM), and is now part of almost every IT compliance regulation and standard and every IT security standard. Some refer to FIM as “change audit.” Yes, FIM is still relevant and important, although many organizations that must use FIM solutions complain that the term “FIM” is now synonymous with “noise” due to the huge volume of changes these solutions detect. Yes, FIM does protect data and improve security, but only when FIM has specific capabilities. Read on to learn more about FIM and how it can effectively provide data protection and security.
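As an added example (my code, not the article's and not any FIM product's) of what requirement 10.5.5 asks for and of the "noise" problem above: a baseline/check cycle in which ordinary files alert on any change, while log files are allowed to grow and alert only when bytes that existed at baseline time are rewritten or removed. The directory tree, file names and log lines are constructed inside demo().

```python
"""Added example (not from the original article or any FIM product): a
baseline/check cycle where ordinary files alert on any change, while
append-only logs are checked by re-hashing only the bytes present at
baseline time, so growth passes and edits of existing data alert."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Sequence, Tuple

Entry = Tuple[int, str]   # (size at baseline, sha256 of those bytes)


def _digest_prefix(path: str, nbytes: int) -> str:
    """SHA-256 of the first nbytes of path, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while nbytes > 0:
            chunk = f.read(min(65536, nbytes))
            if not chunk:
                break
            h.update(chunk)
            nbytes -= len(chunk)
    return h.hexdigest()


def _files(root: str) -> Dict[str, str]:
    """Relative path -> absolute path for every file under root."""
    return {os.path.relpath(os.path.join(d, n), root): os.path.join(d, n)
            for d, _, names in os.walk(root) for n in names}


def baseline(root: str) -> Dict[str, Entry]:
    """Size and digest of every file. Keep this where the monitored host
    cannot rewrite it, or the baseline is as forgeable as the logs."""
    return {rel: (os.path.getsize(p), _digest_prefix(p, os.path.getsize(p)))
            for rel, p in _files(root).items()}


def check(root: str, base: Dict[str, Entry],
          append_only: Sequence[str] = ()) -> List[str]:
    """Return alert lines; paths in append_only (the logs) may grow freely."""
    alerts, current = [], _files(root)
    for rel in sorted(set(base) | set(current)):
        if rel not in current:
            alerts.append(f"REMOVED {rel}")
            continue
        if rel not in base:
            alerts.append(f"ADDED {rel}")
            continue
        (old_size, old_digest), path = base[rel], current[rel]
        size = os.path.getsize(path)
        if rel in append_only:
            # a shrink, or a changed prefix, means existing log data changed
            if size < old_size or _digest_prefix(path, old_size) != old_digest:
                alerts.append(f"TAMPERED {rel}: existing log data changed")
        elif size != old_size or _digest_prefix(path, size) != old_digest:
            alerts.append(f"MODIFIED {rel}")
    return alerts


def _write(path: str, text: str, mode: str = "w") -> None:
    with open(path, mode) as f:
        f.write(text)


def demo() -> Dict[str, List[str]]:
    """Run the cycle over a constructed sample tree; return alerts per stage."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    log, conf = os.path.join(root, "audit.log"), os.path.join(root, "app.conf")
    results = {}
    try:
        _write(log, "2010-10-20 login ok user=alice\n")
        _write(conf, "debug=false\n")
        base = baseline(root)
        results["initial"] = check(root, base, ["audit.log"])
        _write(log, "2010-10-20 login ok user=bob\n", "a")      # normal growth
        results["after_append"] = check(root, base, ["audit.log"])
        _write(conf, "debug=true\n")                             # config edited
        results["after_edit"] = check(root, base, ["audit.log"])
        _write(log, "2010-10-20 login ok user=mallory\n"        # earlier line
                    "2010-10-20 login ok user=bob\n")            # rewritten
        results["after_tamper"] = check(root, base, ["audit.log"])
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for stage, alerts in demo().items():
        print(stage, alerts or "no alerts")
```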



All Rights Reserved, Copyright 2000 - 2010, TechTarget

