Network Security
FW: Security Wire Perspectives, Vol. 6, No. 23, March 22, 2004
- From: Howell, Paul
- Date: Mon Mar 22 07:35:48 2004
-----Original Message-----
From: Security Wire Perspectives
[mailto:searchSecurity@lists.techtarget.com]
Sent: Monday, March 22, 2004 4:01 AM
To: Security Wire Perspectives
Subject: Security Wire Perspectives, Vol. 6, No. 23, March 22, 2004
Security Wire Perspectives is published by Information Security, the
industry's leading magazine for security news and information, and
SearchSecurity.com, the Web's best security-specific information resource
for enterprise IT professionals. Additional newsletters available at
http://searchsecurity.techtarget.com/?track=NL-358&ad=478684&Offer=swp
IN THIS ISSUE:
A READ ON THE NEWS
*The Cost of Privacy Safeguards
*Encryption: Building to Code
HEADLINES
*eEye Uncovers Second Major Vulnerability in Rival ISS's Software
*Latest Bagle Worm Both Nasty and Sneaky
*Multiple Cisco Products Among Those Clobbered by OpenSSL Flaw
*Don't 'Creep Out' Your Customers
*DHS to Release SoHo Security Guidelines
*Oracle Web Cache Exhibits Multiple Remote Vulnerabilities
*Analyst: Tough Choices in Saturated Provisioning Market
*Protecting Phones, Handhelds From Attack
SOUND BYTES
*What's Up With Virus Cost Estimates?
By Rob Rosenberger, Vmyths
LINKS TO THE INDUSTRY
YOUR TWO CENTS
Readers sound off on secure applications development
TO UNSUBSCRIBE, REFER TO THE INSTRUCTIONS AT THE END OF THIS MESSAGE
=====================================================
SECURITY WIRE PERSPECTIVES IS SPONSORED BY: Solsoft
MUST-SEE WEBCAST: "Better Management for Network Security, a Policy-based
Approach to Securing Large and Complex Networks"
Looking for a better way to manage your network security infrastructure?
Solsoft makes it easy to put enterprise network security policies into
action - whether you're running a Cisco shop...or a multi-vendor environment
with Cisco, NetScreen, Check Point, Nortel, Symantec, and Linux. The Solsoft
Policy Server is an open system offering centralized management of leading
firewalls, routers, switches and VPNs. Join us for a live demo and learn how
Solsoft's unique, policy-based approach can help you reduce risk exposure,
cut migration costs, respond rapidly to network events, foster collaboration
between network admins and security experts, and dramatically improve team
efficiency. REGISTER TODAY at
http://searchSecurity.com/r/0,,26537,00.htm?track=NL-358&ad=478684&solsoft
=====================================================
A READ ON THE NEWS
*THE COST OF PRIVACY SAFEGUARDS
By Dr. Larry Ponemon
What are companies spending to comply with the privacy and data protection
regulations imposed by HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley and the
California Security Breach Notification Act? And, is the level of spending
an indication of the concern companies have about a potential privacy
breach?
An IBM-sponsored study conducted by Ponemon Institute surveyed 44 U.S.-based
multinational organizations, revealing that while privacy protection is
growing in importance for businesses, investments in privacy initiatives are
significantly lower when compared to other corporate compliance initiatives.
For example, the study shows that 95% of respondents feel that their
organizations spend less on privacy than on environmental initiatives.
Furthermore, spending on privacy protection increased noticeably the further
along organizations were in the implementation process. Spending on privacy
initiatives among the organizations surveyed varied from approximately
$500,000 to about $22 million annually. This difference can be attributed to
the varying stages of respondents' implementation.
The companies surveyed fell into one of three implementation stages: the
early, or planning and architecture stage; the middle, or launch and
implementation stage; and the late, or operational and maintenance stage.
Analysis of the study and the subsequent results revealed that companies in
the early stage spend an average of about $3.9 million; companies in the
middle stage spend an average of $6 million; companies that have reached the
late stage spend an average $14 million. Direct and indirect privacy costs
incurred by companies at different levels of program maturity are shown in
the bar chart
(http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci955951,00.html?track=NL-358&ad=478684).
Among those surveyed, the majority of companies were in the early stage.
These organizations should anticipate significant increases in spending as
their privacy programs move forward. Spending increases are a result of such
late-stage activities as running employee training sessions, performing
self-assessments, conducting independent audits, securing vendor
relationships and obtaining Web site certification.
Findings show that program spending increases markedly as companies advance
from early stage activities, such as planning and strategy, to later stage
activities that emphasize program execution and delivery. Also note that
privacy costs increase faster within direct versus indirect cost categories.
This suggests that as the corporate program matures, more dedicated
resources are applied to formal privacy compliance activities.
Additional study findings:
--As company privacy initiatives progress, spending is expected to increase
approximately 355% from early to late stages.
--According to industry classification, technology companies appear to incur
the highest privacy costs. Transportation and hospitality companies appear
to spend the least on privacy initiatives, as compared to other industry
groups. Companies in heavily regulated industries, such as financial
services and health care, appear to spend within the middle range.
--Ten percent of the companies surveyed are using privacy enabling
technologies that directly enhance compliance or mitigate business risk.
The majority of respondents believe that spending increases are needed to
achieve adequate levels of compliance. And, that as privacy becomes a more
mature area of corporate compliance, there will be a subsequent rise in
financial investment in technologies that will protect data and decrease
risk.
Most of the respondents believe that privacy expenditures will increase in
the next one to three years, and 80% believe that privacy enabling
technologies will be the single most important area for program improvement
over the next three to five years.
DR. LARRY PONEMON is chairman and founder of the Ponemon Institute, an
organization focused on the development of privacy audits, privacy risk
management and ethical information management. For more information about
the IBM & Ponemon Institute Cost of Privacy Study, please contact Ponemon
Institute at mailto:research@ponemon.org.
*ENCRYPTION: BUILDING TO CODE
By Anne Saita
Data protection mandates in legislation like HIPAA and the Sarbanes-Oxley
Act are making encryption more popular, but cryptography as a point solution
is another story.
Enterprises "aren't going out and searching for what product can solve
everything out of the box," explains Adam K. Erickson, senior VP of
worldwide sales and marketing for encryption middleware provider Eruces.
"Rather, what they're tending to do is develop their own solutions
in-house."
But it takes time and skill to build encryption from scratch -- more than
some companies can afford.
Last month Eruces rolled out the platform-independent Encryption Framework
for Enterprises, which leverages its patented Tricryption engine to create
an abstraction layer, bridging applications requiring encryption with
commonly used algorithms, libraries and toolkits on the market today. Expect
other vendors to follow.
Such frameworks should reduce manpower that developers now devote to
creating cryptography, or it may save the sanity of those unsure just how to
customize, say, an RSA algorithm or OpenSSL. It also tackles a problem
arising from transmissions using PKI or VPNs: what to do once encrypted data
reaches its destination.
"Now, if an organization has multiple encryption projects going on,
developers can go and build upon the same platform, so every data piece will
be encrypted and still talk to each other," Erickson says.
The framework is especially appealing to security managers whose developers
are racing against a legislative deadline.
"If you're building a simple Java app to run on your Web site and you get it
wrong, there's not too much damage to be done," Erickson adds. "If you mess
with your cryptography, very bad things can be done."
=====================================================
HEADLINES
A look at other significant industry happenings from our sister publication,
Security Wire Daily
*eEye Uncovers Second Major Vulnerability in Rival ISS's Software
SearchSecurity.com
For the second time in less than a month, eEye Digital Security has revealed
a major vulnerability in a core module affecting multiple products of rival
Internet Security Systems.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci956035,00.html?track=NL-358&ad=478684
*Latest Bagle Worm Both Nasty and Sneaky
SearchSecurity.com
A new variant of Bagle has a unique way of worming through computer systems.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci955907,00.html?track=NL-358&ad=478684
*Multiple Cisco Products Among Those Clobbered by OpenSSL Flaw
SearchSecurity.com
Cisco switches, routers and firewalls are vulnerable to attack due to a
problem in OpenSSL that has other software vendors scrambling to cope.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci955895,00.html?track=NL-358&ad=478684
*Don't 'Creep Out' Your Customers
SearchCRM.com
It's not good enough for your marketing campaigns to just meet the letter of
privacy laws. There's also a comfort threshold for customers, Gartner
research finds.
http://searchcrm.techtarget.com/originalContent/0,289142,sid11_gci955520,00.html?track=NL-358&ad=478684
*DHS to Release SoHo Security Guidelines
SearchSecurity.com
This week the U.S. Department of Homeland Security is expected to release
guidelines for improving cybersecurity for small businesses and home
computer users -- groups normally not focused on security.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci955518,00.html?track=NL-358&ad=478684
*Oracle Web Cache Exhibits Multiple Remote Vulnerabilities
SearchSecurity.com
Oracle recommends patching immediately to fix multiple high-risk
vulnerabilities in the Oracle Web Cache that affect all platforms.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci955516,00.html?track=NL-358&ad=478684
*Analyst: Tough Choices in Saturated Provisioning Market
SearchWebServices.com
The Burton Group analyzes the state of the provisioning market and offers
advice on buying and deploying provisioning tools.
http://searchwebservices.techtarget.com/originalContent/0,289142,sid26_gci955347,00.html?track=NL-358&ad=478684
*Protecting Phones, Handhelds From Attack
SearchMobileComputing.com
There are hidden dangers out there that threaten the data on your mobile
phone. In this interview, an analyst explains the issues, including the
various ways Bluetooth devices can be exploited.
http://searchmobilecomputing.techtarget.com/qna/0,289202,sid40_gci955283,00.html?track=NL-358&ad=478684
=====================================================
*ADVERTISEMENT*
Protect Your Network from the Latest Vulnerabilities Today!
eEye Digital Security is credited with discovering the ASN vulnerability -
the most critical Windows flaw ever detected. eEye's Retina Network Security
Scanner rapidly pinpoints security weaknesses throughout your network
including Internet-facing devices that can be attacked remotely. Retina
accurately identifies vulnerable systems and provides detailed remediation
instructions to safeguard your network.
Don't wait for the next attack - download a free trial of Retina Network
Security Scanner at:
http://searchSecurity.com/r/0,,26538,00.htm?track=NL-358&ad=478684&eeye
=====================================================
SOUNDBYTES
*WHAT'S UP WITH VIRUS COST ESTIMATES?
By Rob Rosenberger
Cost estimates associated with damages and downtime from worms and viruses
are a hot commodity. Unfortunately estimates are all there is, with no solid
data to back it up. But CIOs can make all the difference by demanding such
information from their security teams.
The following story could serve as a real-life example. A CIO calls down to
his webmaster and his security manager. "I want you both in my office at
noon. Bring all of your graphs and charts."
When the meeting begins, the webmaster displays two dozen charts and graphs
related to the firm's Web site. "We've been collecting data since 1996 when
we first arrived on the Web," the webmaster proudly beams. "Are there any
questions?"
The CIO nods his approval.
The security manager holds up an international survey. He states with
authority, "As this survey attests, the threat of computer viruses has risen
from a nuisance to an epidemic. My team has fought them for years, as you
well know. Are there any questions?"
The CIO seems bewildered. "Where're the charts and graphs for our firm?"
The computer security manager replies, "We don't keep track of virus
infections."
The CIO's jaw drops to the floor. "Why not?"
The computer security manager shakes his head. "We've never seen a need for
that data in almost two decades."
This, then, is our first dirty little secret -- security experts don't keep
data on virus attacks at the personal/corporate level. We rely exclusively
on "international surveys" and "global estimates." But how can we fill out a
survey or declare an estimate if we have no data to begin with?
This, then, is our second dirty little secret -- security experts pull
estimates out of thin air. And some of them are better at it than others.
Not to name names, but some companies have grown infamous for spouting
absurdly "precise" estimates. "Preliminary data shows that all the NetSky
variants put together have already caused between $25.6 billion and $31.3
billion of estimated damages worldwide," mi2g trumpeted in a recent press
release. "The combined economic damage to date from Bagle, MyDoom and NetSky
has now crossed $100 billion worldwide," declared another recent press
release from mi2g.
The press routinely publishes "estimates" without question -- not just
because they sound so precise, but also because there are no other numbers
to publish. Few companies are willing to go out on such a limb in exchange
for media exposure, but it wasn't always this way.
Antivirus firms and even government agencies used to declare damage
estimates to any reporter who would publish it. Slowly, one by one, they
fell by the wayside from criticism. mi2g is currently the major source for
virus damage estimates and endures constant criticism, but probably won't
stop anytime soon because reporters crave numbers.
The solution may seem simple enough -- start collecting data! -- but it's
not as simple as you'd think. You see, webmasters collect data because it's
valuable to them. Security experts will only collect data if/when they
consider it valuable.
Virus infection data is "irrelevant" right now, and only a CIO can change
this. Things will change when CIOs drop their jaws at the utter lack of
virus data. That's when we'll start collecting data and stop pulling
estimates out of thin air.
Unfortunately, we'll never truly know what's happened in the last 18 years
of virus attacks. We lost the most valuable data of all -- the beginning.
But you know what upsets me most? We didn't lose all of this data because of
a virus....
ROB ROSENBERGER is one of the original virus experts from the 1980s, and the
first to focus on virus hysteria. He is an editor and columnist at
Vmyths.com.
Have an opinion on this article? E-mail your letters to Shawna McAlearney (
mailto:smcalearney@infosecuritymag.com ), and include your name, title and
organization. Letters may be edited for space and clarity.
=====================================================
LINKS TO THE INDUSTRY
Industry Notebook
SafeNet Completes Merger With Rainbow Technologies
Network security and managed service provider SafeNet announced this week
that it has completed its merger with Rainbow Technologies, maker of
cryptography solutions. The deal reportedly cost the Baltimore-based SafeNet
$457 million in stock. As a combined company, SafeNet will provide a more
comprehensive line of security solutions with the addition of Irvine,
Calif.-based Rainbow Technologies' large array of authentication and access
control products. The companies announced plans to merge on Oct. 22.
http://www.safenet-inc.com
Other industry news:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci955514,00.html?track=NL-358&ad=478684
Happenings
Current industry events:
http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281973,00.html?track=NL-358&ad=478684
Security training:
http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281975,00.html?track=NL-358&ad=478684
Market Monitor
Current security company stock prices:
http://searchSecurity.com/r/0,,22258,00.htm?track=NL-358&ad=478684&n/a
SearchSecurity.com Top 10
Weekly recap of top news stories and security tips by our sister site:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci913161,00.html?track=NL-358&ad=478684
=====================================================
Live Expert Webcast: New Directions in VPNs
After half a decade in the field, where do secure VPNs stand? Join Lisa
Phifer, owner of consulting firm Core Competence and contributor to
SearchSecurity and Information Security magazine, for an interactive
discussion on the status of IPSec and SSL VPN technologies. You'll learn how
new trends like managed service outsourcing and wireless are changing the
VPN landscape and factors to consider when choosing the right combination of
VPN technologies to meet business needs.
Pre-register for this live webcast on Tuesday, March 30 at Noon ET.
http://searchsecurity.com/vpn1?track=NL-358&ad=478684
=====================================================
YOUR TWO CENTS
Have an opinion on a Security Wire Perspectives article? We're interested in
your feedback. E-mail your letters to Shawna McAlearney (
mailto:smcalearney@infosecuritymag.com ), and include your name, title and
organization. Letters may be edited for space and clarity.
*An Indictment for Applications Development
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci954111,00.html?track=NL-358&ad=478684
Are you that hard up for content that you have to run this kind of nonsense?
It's easy to self-righteously browbeat developers without acknowledging the
history of how we got here -- or suggesting a solution. Oh wait: he's just
published a book on the topic. Maybe I need to buy that to see what I should
do...
Not bloody likely...
--Scott Wierschem
::::::::::::::::::::: ABOUT THIS NEWSLETTER ::::::::::::::::::::::
Security Wire Perspectives (BPA E-Mail Audit Report, June 2002*) is an
e-mail newsletter brought to you on Mondays and Thursdays by Information
Security magazine, a TechTarget publication. Copyright
(c) 2004, Information Security and TechTarget. No reuse or redistribution
without the express written authorization of Information Security and
TechTarget.
Permission requests, questions or comments should be e-mailed to Shawna
McAlearney, online editor, mailto:smcalearney@infosecuritymag.com.
*A copy of the BPA Audit is available for download at:
http://www.bpai.com/library/statement_files/s343h0j2.pdf
_____________________________________________________________________
To unsubscribe from "Security Wire Perspectives":
Go to unsubscribe:
http://SearchSecurity.com/u?cid=478684&lid=559334&track=NL-358&ad=478684
Please note, unsubscribe requests may take up to 24 hours to process; you
may receive additional mailings during that time. A confirmation e-mail will
be sent when your request has been successfully processed.
Contact us:
SearchSecurity
Member Services
117 Kendrick Street, Suite 800
Needham, MA 02494
------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------