
Entries from Realtime Community | Messaging and Web Security tagged with 'security management'


Trying to Explain Security Threats to SMBs? A Picture is Worth a Thousand Words

I've written many words (more than a thousand for sure) about security and many of them directed to SMBs but I have to admit I wish I had come up with the elegant diagram in GFI's new whitepaper Security Threats:...

Is Security in the Cloud Better Than In Your Business?

Moving data to the cloud takes a little courage and a lot of trust. How can you trust the cloud computing/storage provider to protect your data? Zoho must get this question a lot and they're probably sick of it because...

Scope of Cybersecurity Policy

TechDirt poses an important question about cybersecurity policy: what should it cover? Government and business are fundamentally different (the current economic situation notwithstanding), but basic security practices are universal....

Asus Fastest Smartphone and the Shifting Ways of Thinking about Security

Asus announced that it has released the fastest smartphone, and the press release just reminds me how fundamentally computing, and security around it, is changing....

How Will Economic Downturn Affect Security?

The bleak economic news may be a prelude to a difficult period for security professionals and the companies they work for....

Anti-Malware Testing Principles and Best Practices

The Anti-Malware Testing Standards Organization has released a set of anti-malware testing principles and best practices....

Microsoft: Weakest Link Isn't the Operating System

Microsoft's 150-page Security Intelligence Report for January to June 2008 demonstrates that even if one part of an application stack is secure, attackers will still go after the weakest link. In this case, that would be third party applications....

Virtualization: Threats and Responses

Server virtualization faces the same threats as non-virtualized servers plus others. In this podcast we discuss those threats and a number of ways to mitigate these threats, including system configuration and asset management practices. Advances in hardware design are also...

Systems Recovery, Virtual Images, and Keeping Security Measures Updated

Virtual machines are easy to deploy when you have a set of standardized images to start with, but this practice does bring with it new management requirements....

Google is Watching Out for You

Google is not sitting back and passively letting your Website or Android phone become victim to attackers....

IRS Faulted for Application Vulnerabilities

A recently released review of IRS applications by the Treasury Department found deployed systems contained known vulnerabilities....

Will We Eventually Need a Budget Line Item for Cybercrime?

According to the Information Security Forum, cybercrime is (not surprisingly) growing, and businesses are more vulnerable to the cost implications of this kind of crime....

Improving Security with Configuration Management

You can't secure what you don't know you have. In this podcast we look at how the practice of configuration management can improve preventive maintenance, patch management and long term planning - all with a focus on security. The podcast...

Time for New Security Metrics

How do you estimate a security measure to decide whether or not to invest in it? In traditional risk management, it's a matter of calculating annualized loss expectancy (ALE). If that is a term that wasn't cooked up by non-security...

Cloud Computing and Security

We've just posted a new article on security and cloud computing. Here's an excerpt:...

Getting Started with Governance, Compliance and Risk Management

Governance, compliance and risk management (GCR) is a broad, demanding and sometimes intimidating topic but there are strategies for getting GCR under control. This podcast describes a seven step process for getting a GCR program started with an emphasis on...

Management Issues in Full Disk Encryption

Full disk encryption can be a significant part of a data loss prevention program but it comes with management challenges. This podcast discusses some of the advantages and management issues faced when deploying and maintaining full disk encryption for mobile...

Small & Midsized Companies Targeted by Cybercrime, Too

A significant number of SMBs think they are too small to be of interest to cybercriminals, but that misses the point. It isn't a matter of being "of interest"; it's a matter of whether a bot herder can control your computers...

Patching without Details Difficult to Justify

The recent leak of DNS vulnerability details is leading to a lot of discussion about how well security professionals can keep the lid on such details. Efforts by Dan Kaminsky and others to quietly patch a severe vulnerability in DNS...

Mobile Device Security Policy

Mobile device functionality is growing more comparable to that of non-mobile devices. This podcast examines topics to consider when formulating a mobile device security policy, including authentication, encryption, firewalls, anti-virus and other configuration issues. The role of network access control in enforcing...

Insider Threats and Early Warning Signs

It's hard to stop staring at a train wreck or, in the case of IT professionals, tracking the events of the San Francisco network lock-out. We seem to have entered the second stage of the story, where blame is being...

Knowing What You Don't Know

Security professionals turn dangerous when they start making decisions on questions they don't fully understand. It's not just the disgruntled employee that can wreak havoc, the ones that don't know their own limitations are a problem, too....

Cloud Computing Security

There are many advantages of cloud computing, like the promise of resources on demand and lower costs, but improved security isn't one of them....

Real Compliance Requires Technical Expertise

Network World published an interview with an ex-Bear Stearns CISO on compliance which raises some pressing questions but, I think, falls short on the right answer....

Security as a Service: Is It Right for You?

Outsourcing security services has a number of advantages, including gaining access to expertise not available in house, more efficiently dealing with mundane operational tasks, and expanding the breadth of your security measures. This podcast discusses the advantages, the kinds of...

Security Management: Tips and Techniques Articles

Managing security in any sizable IT organization can sometimes feel like juggling - things keep coming at you and the stuff you've already handled seems to have a way of coming back at you. There are no simple formulas or...

Evaluating Your Security Management Program: What to Look For

The latest article in the Essentials Series: Messaging and Web Security - Volume III looks into how to keep your security management plan in synch with other business objectives. Here's an excerpt:...

One Approach to Database Security: Stick Head in Sand, Ignore Patches

Michael Cobb's article Database Denial: How Critical are Oracle's CPUs does a nice job of laying out the pros and cons of critical patch updates (CPUs). One of the things that struck me was a sentiment that "my database is...

Basics of Event Correlation

Event correlation tools help extract actionable information from logs and other data sources of point systems. This podcast describes why event correlation is needed, what the key elements of event correlation are, and how event correlation can be used in...

Preventing Data Loss "Accidents"

Encryption is like a door lock: it's only useful when it is engaged. A story about a data loss incident at State Street brings this message home....

Security and Virtualized Servers

Concerned about security implications of virtualization? See the latest article in the Messaging and Web Security Digital Library on security and virtualized servers. Here is an excerpt:...

Employee Canned for Exposing Blank Passwords at TJX

The Register is reporting a TJX employee was fired for Internet postings about blank passwords on company servers as recently as a few weeks ago. After the long, drawn-out saga of their data breach last year, this is the...

Yahoo-McAfee Search Deal Indicates Shape of Things to Come

The Yahoo-Microsoft deal fell through but Yahoo is back in the news after making a deal with McAfee (site sponsor) to include warnings about sites infected with malware. This is important for several reasons, the most obvious, and least important,...

Role of ISPs in Customers' Security

In a post last Friday on disrupting botnets I argued that ISPs should have a greater role. At the same time I noted this wasn't an ideal solution and when it comes to implementation, there will be elements many of...

To Kill A Botnet

What if the good guys could take control of a botnet; should they? That's the question discussed over the last couple of days after researchers described how they discovered a way to control a well-known, large botnet. The answer...

Ignorance Isn't Bliss When It Comes to Malware

It must be the season for ideas that are so wrong-headed that believing two or more puts you into the category of above-average chance of winning a Darwin Award. I'll leave the latest round of whacko, X-Files...

Dumb Security Ideas: Yeah, But They're Better Than The Rest

A popular story on Digg today has the title "The Six Dumbest Ideas in Computer Security". It has some good points but doesn't give enough consideration to the constraints, especially economic ones, that define the context in which many individuals...

Controlling Spyware: Tips and Techniques

Spyware and other potentially unwanted programs can lead to data loss, poor system performance and increased service desk costs. This podcast describes the various forms of spyware, the threats they pose, and methods for protecting users from the impact of spyware...

Apple Tries Their Own Version of Bloatware

I was surprised the other day when I started updating iTunes on my Vista laptop and saw a dialog telling me a new version of Safari is available. I immediately thought this was some kind of social engineering/malware attack because I...

Poor Data Management Threatens Credibility

The credibility of the FCC is called into question by a recent GAO report that found that poor data integration and inconsistent analysis programs left the agency unable to explain, for example, why 4 out of 5 complaints were...

Generation Gap in IT Security

Back in the 60s the conventional wisdom of the younger generation was not to trust anyone over 30. If a new Symantec/Applied Research-West study on employees' attitudes about information technology is right, IT professionals should watch out for the under...

What Application Developers Can Teach Security Pros

The first thing a seasoned application developer does when starting a project is to get a handle on the scope and learn the requirements. It doesn't matter whether you are building a database-driven Web app or some backend COBOL...

How to Run Your Security Program Into the Ground

I enjoy true stories that leave me feeling "there is no way anyone could be making this up." A case in point is a story in ComputerWorld's Shark Tank about a CIO who has a problem listening to staff about...

Security Spending in All the Wrong Places

Peter Tippett, VP of risk management at Verizon, chief scientist at ICSA Labs and a developer of anti-virus programs, thinks we're not paying attention to the data on what is and isn't effective allocation of security resources. Dark Reading has a...

Mac Platforms Growth Area for Malware

You can grow a business by increasing your share of a market or you can expand the market itself. The latter is the choice of cybercriminals poised to make money off the Apple Mac platforms. The growing popularity of Macs,...

Feds Want To Spend $30 Billion on Security

The Bush administration is advocating spending up to $30 million dollars over the next seven years to improve the security of communications networks; the plan calls for $6 billion in the first year. As George Hulme points out in his...

Société Générale, Predictability and Overlapping Countermeasures

The $7 billion fraud at the Société Générale has to have a lot of bankers and trading managers wondering if something like that could happen to them. A couple of writers have pointed out that predictability is a key weakness...

Laws Need to Catch Up With Cybercrime

Art Coviello, executive vice president of EMC Corporation, and Robert Holleyman, president and CEO of the Business Software Alliance, argue in an op-ed piece in the San Jose Mercury News that federal legislation is required to stem the increasingly...

How SMBs Can Improve Security

Last week I commented on a survey by GFI Software on SMB security, and this week I had a chance to dig into more details with David Kelleher, a research analyst at GFI. One of the things that struck me...

IRS Struggles with Security Issues

This is not a good time for the IRS. Americans are starting to pull together paperwork to file tax returns, some of the presidential candidates want to shut down the agency, and now the Government Accounting Office (GAO) has...

SMB Security Survey

eMediaUSA and GFI Software have conducted a security survey of small and mid-sized businesses and found that few IT pros in these companies (10-12%) are looking for more money or staff to improve security. They are more concerned with education:...

Can Better Processes Lead to Better Security?

The short answer to the question in the title is "yes" but the more important part of this podcast is how to do it. Here we focus on relatively simple steps to improve service management, infrastructure management and software development....

NIST Recommends Penetration Testing

The National Institute of Standards and Technology (NIST) is recommending penetration testing in its forthcoming "Guide for Assessing Security Controls in Federal Information Systems”, due out in March, 2008. The recommendations NIST develops for federal systems are applicable to commercial...

Small Business and Computer Security: Some Don't Care

A survey of small businesses finds that while many of these companies take computer security seriously and take steps to protect their assets, a sizable percentage don't. From Computer Technology Review: AT&T Inc. announced last week that though the majority...

Confusing Control with Security

Bruce Schneier and Marcus Ranum conjecture on the state of security in ten years in a recent post. Their forecasts are as much a comment on how things are done now as how they will be done in the future....

Cyberwarfare Threatens Operational Capability

In the TimesOnline's UK headed for cyber 'cold war' we get some sobering insight into the threats of cyberwarfare. For example: On Tuesday, Andrew Palowitch, a senior adviser to the Pentagon, said that military officials had conceded that attacks had...

Human Factors and Improving Application Security

We've just added a new article to the Essentials Series: Messaging and Web Security Volume II on the role of human factors and usability in application security. The article discusses the difference between security and trust and how to convey...

McAfee Foresees Growing Threat from Botnets and Vulnerable Web Services

McAfee is looking to the recent past and predicting that two of the biggest problems we'll face in the next year are more resilient and dangerous botnets and more attacks on Web sites. vnunet.com notes: Many of the threats to...

5 Evaluation Criteria for Selecting a Data Loss Prevention Product

We've just added a new article to the Essentials Series: Messaging and Web Security Volume II on data loss protection products. The article provides guidance on selecting a DLP solution from among the growing number of options on the market....

Good Tips for the Security Novice

I was a little hesitant to click through on a BusinessWeek article entitled "Looming Online Security Threats in 2008". It isn't even Thanksgiving yet and already Christmas decorations are in the stores and doom and gloom predictions for 2008 are...

Social Enterprise Can't Skimp on Security

I came to security from an applications and database development background. I can understand some of my colleagues in those areas feeling like security pros are too obsessed with security and not enough with functionality. I get it, we're working...

Google Android Phones in the Workplace

Ben Worthen raises good points in his post at the Wall Street Journal on why the Google phone is "A Business-Tech Nightmare Waiting to Happen." The basic gist is: Here’s the first thing that will happen when a phone with...

IBM Security Pushing a Good Idea with a Terrible Name

Security is broken, or at least that's the word from Stuart McIrvine, director of IBM’s Corporate Security Strategy, and IBM is going to help fix it. Judging from the limited information we have so far, IBM is on the right...

Reducing Risks of Insider Attacks

I especially like the SANS Institute's Cybersecurity Awareness Tip today on insider threats for a couple of reasons. First, and probably most importantly, it emphasizes the human element along with technical measures. Second, it notes that insider threats are one...

SMBs Need to Pay More Attention to Security

A new report out of Webroot Software discussed in eWeek argues that SMBs are "sitting ducks" for cybercrime: In most industrialized countries, SMBs make up 97 to 99 percent of all companies. Yet most of those small to midsize businesses...

Blame the Vendor, Blame the Victim Isn't A Game Worth Playing

A recent post at ZDNet's Threat Chaos Blog describes a conversation at an IT conference between the blogger and the CIO of a major branch of the military. I engaged him in conversation about network security and he...

SMBs Getting Attention from Security Vendors

Small and mid-sized businesses face many of the same threats as larger enterprises, but they don't have nearly the resources to address them. Vendors and resellers are on to this. Take, for example, the announcement yesterday from Anchiva about a...

Does PCI DSS Really Matter?

eWeek's Security Experts: Merchants Racing to the Bottom for PCI Certs exposes some of the dark side of security certifications. Quoting Jeremiah Grossman, chief technology officer of WhiteHat Security, the article says: "I work with security guys as customers," he...

CT Governor Has No Intention of Becoming A Data Breach Poster Child

It's good to read an article about an executive making security policies a topic of discussion. The state of Connecticut will be rapidly deploying SafeBoot (related post) encryption technology on state laptops. The governor also reiterated some key points on...

Security Budgets Growing to Approx. 20% of IT Spending

A survey of 1,070 organizations by the Computing Technology Industry Association (CompTIA) found that security-related spending reached 20% of IT budgets in 2006, up from 15% in 2005 and 12% in 2004. Other findings include: 1. Organizations expect to...

McAfee Acquires SafeBoot: The AV Market Ain't What It Used to Be

McAfee has been expanding its offerings well beyond the traditional anti-virus market with moves into the risk management arena, and today's announcement of the purchase of SafeBoot is more evidence of the evolution of the security market. IT...

Limits of Full Disk Encryption

I've seen a couple of posts in the last week arguing that some security measure doesn't always work or doesn't offer complete security. The fact that there is no silver bullet solution is the closest thing we have to a...

Microsoft Makes More Moves to Software as a Service

Microsoft is making more announcements about its strategy to implement some kind of Web-based Office solution. We've been waiting for details on how Redmond would respond to Google Apps and the demise of pay-for-local-use word processing/spreadsheet/presentation software. The details are...

We Make Hacking Too Easy: The Scourge of Default Passwords

How was convicted hacker Micheal Moore able to so many corporate computers and networks? He told InformationWeek "It's so easy. It's so easy a caveman can do it". It's true you don't have to be the inventor of polymorphic viruses...

Internet Security Threat Report Now Tracks Fortune 100

Symantec has released their twelfth Internet Security Threat Report for the first half of 2007 and for the first time they are tracking malicious activity originating in Fortune 100 companies. The report finds that although the Fortune 100 companies account...

Who Can You Trust? Hacker/Security Expert Busted for Credit Card Theft

This is the kind of story that could be from a Robert Ludlum novel or maybe an episode of Alias where you're not quite sure if the guy who acts good is really bad or not. ComputerWorld is running a...

Establishing an Organizational Security Framework

Those who work in security and systems administration could spend every hour of every day down in the trenches dealing with the latest threat, reconfiguring devices, patching applications, and telling others to stop downloading non-work related material from P2P networks....

Unified Threat Management (UTM) at the Enterprise Scale

The market in unified threat management firewalls is maturing and, according to a Network World article by Joel Snyder titled UTM Firewalls: Ready for the Enterprise, they're not just for the small and mid-sized market anymore. I don't have an argument...

Data Breaches, Monitoring and Microsoft Changing Security Vendor's Market

A few stories recently are indicating a shift in the center of gravity in the security market. First, there are the Symantec CEO's comments on Microsoft's downward pressure on the desktop security market. Then there is Monster.com's recent announcement that they'd...

Justifying Application Vulnerability Assessments

An article on Buzzle.com by Vincent Liu, geared toward non-technical managers and executives, on the need for application vulnerability assessment is worth forwarding on to non-IT colleagues who wonder what we worry about all day. Web Application Vulnerability Assessment...

Automated Vulnerability Assessment Can Only Go So Far

In response to the attack on hosted Ubuntu servers, I mentioned that automated tools can help system admins keep up with vulnerability monitoring. A new article by David M. Piscitello of Core Competence at SearchNetworking points out the limits of...

Can vPro and Remote Management Applications Improve Security?

Intel's vPro line provides hardware-based security improvements but there are even more security benefits to be gained with remote management capabilities. This podcast reviews the hardware enhancements in vPro as well as the Active Management Technology (AMT). The AMT holds...

Microsoft and Google Desktop/Web Integration Offer Too Little, Bring Too Many Risks

Microsoft and Google have decided there is money in your hard drive, and they want to get it. We have Microsoft filing patents on an advertising framework that includes the ability to scan the contents of your hard drive so...

Security Skills in High Demand

IT professionals are used to keeping up with changing demands for skills, but understanding security is a requirement for all of us now. Understanding how to secure distributed applications, especially those that use Service Oriented Architectures, is essential for all...

Report Finds Problematic User Attitudes About Security

VUNet.com comments on a Trend Micro report on corporate user attitudes on computer security finding: About 40 per cent believed that their work computers are better protected than their home computers against spam, spyware and phishing, and are more likely...

Do As I Say, Not As I Do: Homeland Security Coming Up Short on Info Security

The Department of Homeland Security is getting hammered for poor security. While specific incidents make for headlines and stinging questions by investigators, it’s the more systemic problems we should focus on. Take for example a question from the chairman of...

Cybercrime Getting Worse for Victims, Easier for Criminals

In yesterday's post I talked about a speech by Richard Clarke, former cybersecurity czar, in which Clarke argued that cybercrime and industrial espionage are worse than many of us think. Today I thought I'd run down some examples, research and other...

Data Loss Prevention and PCI Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a good case study of security standards that try to address the wide breadth of security requirements while providing sometimes detailed implementation specifications. This podcast examines the nature of PCI...

Symantec-Veritas Merger Improves Anti-Malware

Radical improvements in anti-malware detection aren't going to come from marginal tweaks to existing algorithms and techniques. We need fundamental changes. The Symantec-Veritas merger is showing how this can be done. By combining disk scanning techniques that can bypass...

Resources and Tools for Measuring Security Threats

Accurate numbers about security are tough to come by, but I still like to find and track them as much as possible. We can tell from war stories shared with colleagues that malware, spyware and phishing seem to be getting worse,...

Effective Security Can Be Simple (sometimes)

Yesterday I advocated for a simple approach for controlling botnets: turn off your PC. It's simple and even the least technical user can handle that one. Mike Knight, an IT consultant in the UK, has a similar keep it simple...

Feds Aren't All Bad At Security: What Makes the Difference

Every year U.S. Federal agencies get graded on their information security, and this year is a mixed bag. Some agencies did well, others failed. Assuming private sector enterprises have the same range of the good, the bad, and the ugly,...

Easy, Easier is Not Good, Better

Wait a minute, is this a Microsoft site or did I happen onto Cartoon Network? I don't get Microsoft's new marketing push on Forefront, its security suite. At the Easy, Easier site you are invited to play the role of...

Collective Security: Feds and Business to Work Together on Cybersecurity

ComputerWorld is reporting in Feds Hope to Boost Businesses’ Role in Slowing Cyberattacks that the U.S. Department of Homeland Security is planning to collocate workers from the communications and IT industry at a US-CERT facility. The goal is to build...

Gates Focuses on Security Fundamentals at RSA

At their keynote address to the RSA conference yesterday, Bill Gates and Craig Mundie made a number of points that are welcome and long awaited. First, the recently released Vista and MS Office 2007 were built from the start using...

Can Standards Like ITIL and ISO 27001 Help Prevent Yet Another Massive Data Breach?

It was almost two years ago when the ChoicePoint breach was made public. Identity thieves established over 160,000 bogus accounts using data stolen from the Georgia-based data aggregator. The company ended up paying $10 million in fines to the FTC...

10 Tips for Minimizing Complexity to Improve Security

Complex network and application designs can introduce vulnerabilities and add to system administrators' headaches. Fortunately, minimizing complexity can be done relatively easily and inexpensively by following the 10 tips outlined here. The podcast discusses standardizing design patterns, reducing dependencies between...

Audit and Assessment Tools: OWASP Report Generator

One of the time-consuming tasks in conducting security audits and assessments is just keeping track of the details. Fortunately the Open Web Application Security Project (OWASP), which sponsors a number of specialized efforts to create tools and best practices, has...

Attack on Vulnerability Disclosures Part 2: They Actually Do Some Good, Just Not What is Intended

I have a few more thoughts on yesterday's post about vulnerability disclosures. While I agree with Ranum that the rush to make public every vulnerability under the sun has not necessarily improved software security, it has certainly raised awareness of...

Securing Web Applications: The Open Web Application Security Project

Management practices are an important part of the security mosaic and a number of such frameworks are justifiably popular, especially ISO-17799 and COBIT. Other useful best practices are less well known than they should be. The Open Web Application Security...
