STE WILLIAMS

90-Day Spam Campaign Turns To Santa In December

MCLEAN, Va., Dec. 18, 2013 /PRNewswire/ — Today the Commtouch Security Lab (CSL) published its Security Number of the Month for December: Ninety days ago a substantial spam campaign focusing on dubious offers and fake prizes began.

However, since December 10, the campaign has been thematically recycled and sent as a Christmas-themed email, featuring subjects such as “Letter from Santa For Your Child.”

The Christmas-related modification to the large-scale spam campaign illustrates that holidays are often intentionally used by cybercriminals to rejuvenate and lengthen their otherwise ordinary spam campaigns.

This spam campaign previously centered around dubious offers providing unbelievable deals on numerous products. It also notified recipients that they had allegedly won a prize and asked them to answer a few questions and provide a physical address. Those who responded unknowingly signed up for costly newsletters or services.

After 90 days, the cyber crooks simply altered their social engineering to focus on Christmas by soliciting orders for “the perfect gift for any child” – a letter from Santa postmarked from the North Pole. The revised approach is a clear example of how these criminals repurpose an existing spam campaign by maximizing the power of time-sensitive social engineering – sadly, an incredibly efficient tactic.

A sample of the thematically “recycled” spam can be found on the Commtouch blog:

http://blog.commtouch.com/cafe/commtouch-security-number-of-the-month/90-day-spam-campaign-turns-to-santa-in-december

Each month, the research team at Commtouch (NASDAQ: CTCH), a leading provider of Internet security technology and cloud-based services, presents the “Commtouch Security Number of the Month” – a number representing and illustrating a current issue or trend in Internet security.

See the related Commtouch illustration.

About Commtouch

Commtouch (NASDAQ: CTCH) is a leading provider of Internet security technology and cloud-based services for vendors and service providers, increasing the value and profitability of our customers’ solutions by protecting billions of Internet transactions on a daily basis. With 12 global data centers and award-winning, patented technology, Commtouch’s email, Web, and antivirus capabilities easily integrate into our customers’ products and solutions, keeping safe more than 550 million end users. To learn more, visit www.commtouch.com.

— Blog: http://blog.commtouch.com/cafe

— Facebook: www.facebook.com/commtouch

— LinkedIn: www.linkedin.com/company/commtouch

— Twitter: @Commtouch

Article source: http://www.darkreading.com/applications/90-day-spam-campaign-turns-to-santa-in-d/240164878

FireMon Teams With Key Federal Partners to Deliver Cybersecurity Solutions Powering New Continuous Monitoring Programs

OVERLAND PARK, Kan., December 17, 2013 – FireMon, the leading provider of security management and risk analysis solutions, is partnering with immixGroup, Inc., MicroTech and SRA International to deliver FireMon Security Manager and Risk Analyzer to federal sector IT organizations. These partnerships reaffirm FireMon’s commitment to helping federal agencies meet their continuous monitoring requirements – in real-time – with strategic cybersecurity solutions that proactively reduce IT risk while increasing operational efficiency.

FireMon’s new partners include:

immixGroup – immixGroup helps technology companies do business with the government. immixGroup’s unique platform of services enables software and hardware manufacturers and their channel partners to grow their public sector business and accelerate the sales cycle. Government agencies trust immixGroup to provide leading IT products through their preferred contracts and business partners.

MicroTech – MicroTech delivers robust process-driven performance for mission success. The systems integrator applies its regimented process, enterprise IT experience and state-of-the-art engineering solutions to integrate different technologies and create proven results that can respond to the public sector’s strategic needs.

SRA – For more than 30 years, SRA has been dedicated to solving complex mission and efficiency challenges for the U.S. government. It supports government clients in civilian, defense, health, intelligence, law enforcement and homeland security agencies by delivering IT solutions and professional services that meet their cybersecurity demands.

“With the recent sequestration and its aftereffects continuing to impact both IT budgets and staffs, government entities need strategic cybersecurity solutions that allow them to efficiently leverage existing infrastructure assets, as well as optimize organizational resources,” said Chris Wilkinson, Director of Cybersecurity Technologies at immixGroup. “We are pleased to partner with FireMon to offer Security Manager and Risk Analyzer on our GSA Schedule, enabling federal agencies to procure these solutions to help meet their business, security operations and continuous monitoring objectives.”

“Point-in-time data is great for demonstrating compliance or understanding a past event, but it does nothing to make you more secure in the moment. The hallmark of FireMon’s integrated solution is its ability to understand both risk and vulnerability on a continuous and historical basis – and at a scale that analyzes millions of vulnerabilities in seconds,” said Jody Brazil, President and CTO of FireMon. “Offering actionable intelligence that informs better proactive security posture management decisions is the key factor behind our tremendous traction in the federal government, and validates FireMon as a partner-of-choice for federal organizations.”

Delivering best practice-driven continuous assessments, Security Manager allows federal agencies to automate security device management and vulnerability risk analysis by quickly identifying, understanding and managing changes in – and tracking the historical performance of – overall security posture. Unlike reactive approaches that log past events, Security Manager enables users to understand configuration, policy and risk exposures in real-time. Complementing Security Manager, the Risk Analyzer module offers patented risk analysis functionality, generating quantifiable intelligence to help security professionals focus proactively on closing the vulnerabilities that make key assets reachable.

About FireMon

FireMon is the industry leader in providing enterprises, government and managed services providers with advanced security management solutions that deliver deeper visibility and tighter control over their network security infrastructure. The integrated FireMon solution suite – Security Manager, Policy Planner and Risk Analyzer – enables customers to identify network risk, proactively prevent access to vulnerable assets, clean up firewall policies, automate compliance, strengthen security throughout the organization, and reduce the cost of security operations. For more information, visit http://www.firemon.com.

Follow us on Facebook at http://www.facebook.com/FireMon, or Twitter at http://twitter.com/FireMon, or LinkedIn at http://www.linkedin.com/company/firemon, or on our blog at http://www.firemon.com/blog.

Article source: http://www.darkreading.com/government-vertical/firemon-teams-with-key-federal-partners/240164875

Akamai Ups The Ante For Optimized Web Performance And Control

CAMBRIDGE, Mass., Dec. 18, 2013 /PRNewswire/ — Akamai Technologies, Inc. (NASDAQ: AKAM), the leading provider of cloud services for delivering, optimizing and securing online content and business applications, today unveiled several important enhancements to the company’s flagship web experience solutions designed to intelligently maximize site and application performance.

As users continue to demand ever more mobile, personalized and dynamic web experiences, organizations of all types must rethink how to best deliver the most compelling content and applications. In addition, device proliferation, emphasis on mobility and other industry trends have forced both online businesses and enterprises to face new situational performance challenges, as represented by industry trends including responsive web design and “bring-your-own-device” (BYOD).

Organizations such as MandM Direct, one of the UK’s largest online fashion retailers, have turned to Akamai to help them address the challenges of delivering an exceptional user experience, independent of the situation.

“The key business benefit of Akamai’s web experience solutions is what they enable, not just what they deliver. For example, the page load performance improvements delivered by Akamai Ion allowed us to implement a single, fully responsive, website design that serves mobiles, tablets and PC’s rather than needing to deliver specific bespoke sites targeted at the individual device types,” explained Graham Benson, IT director, MandM Direct. “As a retailer, having a single site that is device-agnostic ensures a consistent user experience irrespective of the access device that the consumer chooses to use.

This is very important to us. And from a marketing perspective, it increases business agility by reducing the maintenance and development windows. A single site is quicker, cheaper and easier to build/maintain than three separate ones.

Finally, the implementation of the Akamai FEO technology toolset has meant that our internal IT team does not need to become browser optimization experts.

Instead, they can concentrate on the site’s functional components, safe in the knowledge that Akamai will take care of the performance elements of the site.”

Akamai has brought to market several innovative capabilities intended to help customers overcome mobile, network and browser limitations that can hinder customer engagement and negatively impact business productivity. Further, new Akamai reports and tools provide greater visibility for companies looking to gain increased control over web site optimization and application performance.

Customers already using Akamai web experience and enterprise solutions can access these capabilities immediately.

Representing the second set of upgrades to Akamai’s web experience solutions rolled out this year, these new capabilities deliver the following new functionalities for customers looking to get the most out of their investment with the Akamai Intelligent Platform(TM):

— Support for “the march toward instant” – Several feature enhancements in the latest release are designed to address the end-user demand for “near instant” web performance in mobile applications and other challenging situations.

o Developed by Akamai and available exclusively to the company’s customers, EdgeStart combines the benefits of Akamai’s globally-distributed network along with accelerated rendering in the browser to help deliver portions of web pages to users immediately and decrease load time. Further, new protocol optimizations are intended to help overcome highly congested networks.

o Available standard to all Ion customers, Fast DNS offers improved performance – along with Akamai’s renowned scalability and reliability – for primary or secondary name resolution with an all Anycast infrastructure.

o Browser support for advanced image formats (WebP and JPEG XR) is designed to improve the user experience while maintaining image quality.

o Intelligent use of local HTML5 cache helps achieve dramatic performance improvement in the browser for second hit requests, and requests across similar pages on a web property.

— Expanded control and visibility – The addition of new tools in the Luna Control Center is intended to offer Akamai customers greater predictability regarding optimizations before they are implemented, as well as significant visibility into exactly what their customers experience after specific optimization decisions have been made.

o Historical Real User Measurement (RUM) data can provide customers greater visibility into traffic trends and allow them to draw conclusions about ideal performance optimization strategies.

o Reporting on Adaptive Image Compression affords greater insight into image compression optimization based on the quality of a user’s connectivity.

“Increasingly, our customers’ users are demanding a near instant web experience,” said Mike Afergan, senior vice president and general manager, Web Experience Business Unit, Akamai. “What’s more, our customers are looking to improve their control and visibility. It is our mission to bring to market the web experience solutions that will help our customers realize their goals in today’s fast moving environment. With these exciting new capabilities, we believe we are doing just that. We are excited to see what our customers and partners will do with these powerful tools.”

The latest feature enhancements are available now across the company’s Ion and Terra Alta solution lines.

About Akamai

Akamai is the leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the Company’s solutions is the Akamai Intelligent Platform(TM), providing extensive reach coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud.

To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.

Article source: http://www.darkreading.com/akamai-ups-the-ante-for-optimized-web-pe/240164879

Intelligence Panel: NSA Should Stop Bulk Storage of Telephone Metadata

About six months ago, the first in a series of leaks that rocked the U.S. intelligence community began to trickle out piece by piece. The source of those leaks was a former NSA contractor named Edward Snowden, a man who will likely close out the year as a fugitive from the country of his birth.

Among the most recent revelations: the NSA has spied on communications of players using online videogames such as World of Warcraft; a decryption effort known as Bullrun created to weaken encryption systems and obtain master keys; and the agency’s big data analysis and visualization system, known as Boundless Informant. The revelations about the aforementioned programs as well as the NSA’s bulk collection of phone records led to several high-profile members of the tech industry – including Google, Apple and Twitter – telling President Obama in a meeting Dec. 17 that the leaks have damaged their industry’s reputation.

And now, President Obama met today with The Review Group on Intelligence and Communications Technologies to discuss their recommendations for changes to the NSA’s surveillance programs. According to the group’s report, the NSA should stop keeping a database of telephone metadata belonging to Americans. Instead, the information should be kept either by “private providers or a private third-party.”

The panel also recommended the NSA not seek to undermine efforts to create secure encryption standards or commercial encryption products and support efforts to encourage the use of encryption technology to protect data.

“The president’s panel agreed with the growing consensus that mass electronic surveillance has no place in American society,” notes Kurt Opsahl, senior staff attorney at the Electronic Frontier Foundation. “The review board floats a number of interesting reform proposals, and we’re especially happy to see them condemn the NSA’s attacks on encryption and other security systems people rely upon. But we’re disappointed that the recommendations suggest a path to continue untargeted spying. Mass surveillance is still heinous, even if private company servers are holding the data instead of government data centers.”

As more and more information has come out about the breadth of the NSA’s programs, it has become clear that trust is broken at all levels of the Internet, says Jeff Hudson, CEO of encryption management vendor Venafi.

“How do we establish trust and authenticate in an online world? We’re quickly realizing what a world without trust looks like, and enterprises and vendors are starting just now to recognize current state and consequences,” says Hudson. “Every organization has to realize that they are under attack, likely compromised and that without the ability to detect and react to both. None stand a chance of winning the cyber battles to come without ensuring that the foundations of trust in our modern, digital world are better protected.”

Michael Sutton, vice president of security research at Zscaler, says that the tech industry is ramping up public lobbying efforts to make sure customers believe companies are doing everything in their power to keep data private.

“At the very least, the companies which enable communication online want to ensure that they are not seen as being complicit in the data collection programs outside of their legal mandates,” says Sutton. “Snowden’s revelations will result in financial damage to technology companies as foreign customers seek to avoid companies doing work in the US for fear that they will have private records subpoenaed. How much damage will be inflicted remains to be seen.”

While some are quick to blame the NSA, they are losing sight of the fact that the agency is tasked with protecting the nation through intelligence gathering and will do so through any legal means it can, Sutton argues.

“The legal process will no doubt play out and some NSA activities may be curtailed as a result,” he says. “However, even if that occurs, we shouldn’t expect the NSA to stop, just alter their tactics. Those that are shocked by the scope of data gathering efforts should focus their frustration not at the NSA…but rather on the politicians that put in place a system which both allows for such broad surveillance and has implemented limited oversight to police it.”


Article source: http://www.darkreading.com/government-vertical/intelligence-panel-nsa-should-stop-bulk/240164881

UK payday loan spammers fined £175K for “Hi, Mate!” texts

Hey, nice, you got a text message from your mate.

Looks like he’s doing well, too – at any rate, he’s apparently getting his account stuffed with cash even when he’s out of town:

Hi Mate hows u? I’m still out in town, just got £850 in my account from these guys www.firstpaydayloanuk.co.uk.

But hang on, it’s not actually from your mate.

Those messages and others like them were actually sent by a UK-based payday loan company that has just been fined £175,000 ($283,500) for sending millions of spam text messages, in the process needling thousands of consumers who then complained to officials.

The Advertising Standards Authority (ASA), which is the UK’s independent regulator of advertising across all media, had already taken the loan company – First Financial Ltd – to task back in June.

At that time, the ASA said that the SMS spam was unsolicited, was being sent to people who’d registered with the Telephone Preference Service so they wouldn’t get this kind of marketing, was irresponsible in encouraging people to take out loans to fund partying, and was misleading in that the messages pretended to come from people’s friends.

The ASA’s solution: tell First Financial, and the ISP they rode in on, to knock it off.

To wit:

The ads should not appear again in their current form. We told First Financial and Akklaim Telecoms to ensure text message ads were clearly identifiable as marketing communications and were only sent to those who had given explicit consent to receive them. We also told them to ensure ads did not imply that payday loans were suitable for spending on a social life.

First Financial, apparently, wasn’t convinced.

The Information Commissioner’s Office (ICO) announced on Tuesday that First Financial was fined after having been found to have sent millions of spam text messages that provoked thousands of complaints.

First Financial was found to have violated The Privacy and Electronic Communications Regulations governing electronic marketing by sending SMS messages without consent.

Thousands of complaints flooded data privacy watchdogs at the ICO, above and beyond the 13 complaints that spurred the ASA’s regulatory action in June.

The ICO investigated, tracing 4,031 of the spammy messages back to First Financial.

In order to avoid detection, the spam texts were sent using unregistered subscriber identity module (SIM) cards.

Despite the use of unregistered SIMs, however, identifying the sender must have been pretty straightforward, given that the messages’ content referred recipients to a website belonging to firstpaydayloanuk.co.uk, which is a trading name used by First Financial.

The company’s former sole director, Hamed Shabani, had been prosecuted on 8 October 2013 after he failed to notify the ICO of First Financial’s processing of personal information, which is a legal requirement under the Data Protection Act.

The ICO reports that Shabani was fined £1,180.66 ($1,912.67), despite trying to claim he had no affiliation with the company.

The Register’s John Leyden reports that, in an effort to avoid prosecution, prior to a hearing in front of City of London Magistrates Court, Shabani had attempted to remove his name from the company’s registration at Companies House.

In its news release, ICO Director of Operations Simon Entwisle said that the office is working with the government to make it easier for them to slap spammers down earlier than in this case:

People are fed up with this menace and they are not willing to be bombarded with nuisance calls and text messages at all times of the day trying to get them to sign up to high interest loans. The fact that this individual tried to distance himself from the unlawful activities of his company shows the kind of individuals we’re dealing with here.

We will continue to target these companies that continue to blight the daily lives of people across the UK. We are also currently speaking with the government to get the legal bar lowered, allowing us to take action at a much earlier stage.

The ICO advises people to avoid replying to unsolicited text messages and to instead report the message using the survey on the ICO website or by forwarding the texts to their network operator at ‘7726’, given that the networks are working to block the worst offenders.

The ICO has also provided guidance for direct marketers that explains their legal requirements under the Data Protection Act and Privacy and Electronic Communications Regulations.

The materials detail how organisations are allowed to market via phone, text, email, post or fax.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NZ_48ylQU5k/

Facebook facial recognition matches abused child’s image to aid in arrest

Facebook’s facial recognition technology managed to recognize the face of a female child who was victimized in a child-abuse image, and then it led law enforcement to an account where investigators found images of a child who matched the abusive images.

Armed with the child’s likely identity, investigators on 24 September arrested a man in the US city of Myrtle Beach, South Carolina, on one felony charge of sexual exploitation of a minor in the first degree – a charge that carries a maximum 20-year prison sentence.

The State, a South Carolina news outlet, on Monday reported that Joseph Robert Smith, of Myrtle Beach, admitted to producing the pornographic images and sharing them with others on an image hosting website based outside the US.

Not that Smith shared child abuse images on Facebook, mind you. The investigation was more involved and circuitous than that.

According to an affidavit referenced by The State, Smith identified two email addresses he uses to trade child abuse images.

From the affidavit, as quoted by the news outlet:

[Smith said] that he would save child pornography from his email accounts onto his computer and delete the emails after a period of time, but said there should be some emails in the accounts that he has not deleted.

Those email accounts included addresses of individuals with whom Smith swapped child porn and could lead to more arrests in the future.

Smith’s arrest came about because of a separate case being worked on by a special agent with the US’s Homeland Security Investigations in Boston.

That case involved child abuse images, deleted from a computer’s hard drive that investigators had seized in Boston and then retrieved through digital forensics.

Some of those retrieved images contained file names that were consistent with the types of images uploaded to Facebook accounts.

Federal agents contacted Facebook, whose site states that the company works with law enforcement “where appropriate and to the extent required by law to ensure the safety of the people who use Facebook”, meaning that it may disclose information under subpoenas, court orders or other requests if the response is required by law.

Facebook also shares information with law enforcement in order to prevent illegal activities and/or to prevent “imminent bodily harm”, including, of course, to children.

Facebook was able to match the images retrieved from the hard drive to a female child “very similar in appearance to the child victim depicted in the series of child pornographic images,” according to the affidavit.

The Facebook account containing images of the child was registered to a woman whose name Facebook shared with police.

The State reports that the photos on the woman’s Facebook page weren’t explicit and that the woman isn’t a suspect in the alleged crime.

Using a nationwide database, investigators tracked the woman down to the Myrtle Beach area, checked out her male acquaintances, and then used a driver’s license database to identify Smith as being “very similar in appearance to an individual who is able to be partially seen in two of the child pornographic images.”

A special agent with Homeland Security Investigations requested a search warrant in federal court that would allow for the seizure of Smith’s email correspondence over Gmail and Hotmail accounts.

Dean Secor, an assistant US Attorney in Charleston and coordinator of the agency’s Project Safe Child program in South Carolina, told The State that agents aren’t sitting in a room monitoring average citizens’ Facebook accounts:

But if something pops up in a case where we find out a social network is involved, we’ll utilize whatever is legally available to us through a search warrant.

Facebook has been big on facial recognition for some time. On Monday, it garnered headlines for being one of the companies that will be helping to draft facial recognition rules as the US Commerce Department hammers out voluntary standards for the technology, which is becoming increasingly ubiquitous.

We will of course have to keep a close eye on what happens with privacy as use of this technology spreads.

As it is, the US city of San Diego, for one, has quietly slipped facial recognition into law enforcers’ hands – a situation that can lead to secret surveillance.

But at least with this case, the technology is being used to help, rather than to invade privacy.

I think Facebook should be commended for using the technology for good – extreme good, with regards to child exploitation.


And if you want to stay on top of all things security, be they Facebook-related or not, check out Naked Security’s Facebook page.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/O-rU6g-rWKU/

$1,000 BOUNTY offered for FINGERPRINTS of a GLOBAL SPY CHIEF


Privacy campaigner Simon Davies is offering a $1,000 bounty for the capture of the DNA and fingerprints of spy chiefs.

The 21st century treasure hunt offers a $1,000 cash windfall for anyone who supplies the Privacy Surgeon site run by Davies with an item – such as a drinking glass – bearing the DNA and fingerprints of any senior intelligence official of the “Five Eyes” alliance of spy agencies (made up of the NSA and Britain’s GCHQ as well as the signals intelligence agencies of Australia, Canada and New Zealand).
The objective of the bounty-hunt is to send a message to intelligence chiefs that personal information must be treated with respect, not to actually use the biometrics obtained.

“The aim is to raise their level of awareness and sensitivity, not to exploit the data,” Davies explains in a blog post. “Indeed, once the acquisition has been fully verified, the data – and the associated receptacle – will be publicly destroyed.”

The tone of the whole exercise is firmly tongue-in-cheek, but Davies is keen to suggest that the point it is seeking to make is not frivolous or irresponsible.

“Of course this exercise is entirely in the public interest, and don’t let anyone persuade you otherwise,” he explains. “All of us desire a safe society based on highly trusted security procedures, so you’re merely doing your bit to help this global effort. This isn’t about being mischievous; it’s about being responsible citizens.”

Would-be participants are firmly instructed not to risk breaking the law, such as by “confiscating” the drinking glass of a spy boss, in their quest to take part in the exercise. Discarded items are fine. Claims need to be submitted together with supporting evidence in the form of a visual image and/or statements from credible witnesses.

The spy boss bounty is not without precedent. In 2008, in response to the UK Government’s plan to introduce mandatory fingerprinting for a national ID card, both Privacy International and the campaign group NO2ID offered bounties for the acquisition of the fingerprints of senior ministers. The data of the then Home Secretary, Jacqui Smith, was successfully obtained from a water glass she had used at a conference.

* NZSIS = New Zealand Security Intelligence Service


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/18/spy_boss_dna_treasure_hunt/

(ISC)2 Delivers Recommendations For Solving The U.S. Government Cyber Security Skills Gap Challenge

Clearwater, FL., U.S.A., December 17, 2013 – (ISC)2 (“ISC-squared”), the world’s largest information security professional body and administrator of the CISSP, today announced a series of recommendations for the U.S. government to consider in order to more effectively solve the cyber security workforce skills gap challenge. The recommendations were delivered early this month directly to government officials at the White House, U.S. Department of Homeland Security, U.S. Department of Defense, and National Institute of Standards and Technology, as well as members of academia and other influencers within the federal workforce community.

As supported by data from the 2013 (ISC)2 Global Information Security Workforce Study, the known gap between the supply and demand for qualified information security professionals around the world has become acute. Over half of U.S. government survey respondents said the greatest reason their agency has too few information security workers is because business conditions can’t support additional personnel at this time. Yet, other experts around the world claim the problem of the skills gap lies primarily with the difficulty in finding qualified personnel and funding challenges.

During the 10th anniversary gathering of (ISC)2’s U.S. Government Advisory Board for Cyber Security (GABCS), (ISC)2 officials led a discussion with former and current board members representing CISO-level executives from federal agencies and departments in an effort to gain greater understanding of the underlying challenge facing the federal environment. As a result, (ISC)2 developed a series of recommendations that address the following topics:

ensuring security in the cloud, software, and the supply chain;

establishing a cyber “special forces” team;

aligning existing workforce programs such as the Scholarship for Service (SFS) and Centers for Academic Excellence (CAE) programs to the NICE Framework;

implementing the DoD 8570.01-M model across all government agencies;

assigning accountability for information security failures to mission and business owners, and recognizing successes, among other recommendations.

“Based on our research, 61% of U.S. government information security professionals believe that their agency has too few information security workers to manage threats now, let alone in the future. Yet, information security positions are going unfilled,” says W. Hord Tipton, CISSP, executive director of (ISC)2 and former CIO of the U.S. Department of Interior. “Our goal in delivering these recommendations to key influencers is to help the U.S. government close the workforce skills gap and to strengthen information security via avenues such as existing frameworks, the acquisition process, and personal accountability, among others.”

For a copy of the letter sent to members of the U.S. government information security community that includes a complete list of (ISC)2’s recommendations, please visit https://www.isc2.org/government.aspx.

Article source: http://www.darkreading.com/government-vertical/isc2-delivers-recommendations-for-solvin/240164847

5 Ways Cloud Services Can Soothe Security Fears In 2014

Enterprise use of cloud services grew tremendously in 2013, but perceived security shortfalls continue to be the biggest block for companies in adopting the services.

For most industries, cloud services have already become part of the corporate infrastructure, either by design or, more often, by workers adopting cloud services without the approval of the IT department. Cloud-service assessment firm Skyhigh Networks, for example, adds approximately 500 cloud services to those that it already tracks, according to CEO and co-founder Rajiv Gupta.

“Employees are using cloud services almost with abandon, without assessing the risk of those services,” Gupta says. For that reason, the security requirements will move front and center in 2014, he says.

No wonder, then, that nearly half of all IT managers continue to be concerned about the security of their cloud resources, even though 35 percent believe the security of the cloud to be superior to on-premise deployments. One reason: Many cloud providers continue to fail to address the concerns of their clients, says Charles Burckmyer, president of security-service provider Sage Data Security, whose clients often work with the firm to assess the security of third-party cloud services.

“Clients need to build a structured approach to working with cloud vendors, have a process for creating permissible exceptions, assigning risks and mitigating that risk,” he says. “Support around and by cloud services is vital for most clients today.”

By opening a dialog with their cloud providers, companies can create a secure hybrid infrastructure. Here are five topics that companies should discuss with their cloud providers in 2014, according to security experts.

1. Make security responsibilities clear.
Cloud-service providers continue to place the responsibility for securing business data on the client, while many clients assume that the cloud service will take responsibility for the data stored in it.

The gap in expectations narrowed in 2013 compared to previous years, but more than a third of customers still expect their software-as-a-service provider to secure the applications and data, according to a Ponemon Institute study released in March. Only 8 percent of companies assess the security of the applications using their information-technology and security teams, the study found.

While many industries have moved to the cloud without concern, security-conscious industries and those that have to comply with regulations are balking because cloud providers are not clarifying their risk, says Sage Data Security’s Burckmyer.

“Cloud-vendor due diligence and understanding what your responsibilities are, as a client, and what your vendor is doing to support you in those responsibilities is a very necessary topic,” he says. “There has been a reticence about moving to the cloud, from a regulatory and from a security standpoint, because many providers are not doing enough.”

2. Design systems to provide meaningful log data.
Companies increasingly want to collect security information on what is happening to their data and applications out in the cloud. Yet many cloud providers do not supply detailed log files, or cannot adequately separate the events pertaining to one customer from those pertaining to another.

“We need to make that the default standard practice, that there is a certain amount of logging information that is available proactively for all the different analytics that companies need to track,” says Jim Reavis, CEO of the Cloud Security Alliance. “A big sore spot has been log file information, and that has been a sticking point.”


Keeping audit logs of admin access is especially important, but most smaller cloud services do not provide such information.

3. Encryption needs to be pervasive.
Companies are not only demanding end-to-end encryption in the cloud, but increasingly asking for cloud providers to allow them to encrypt data on-premise before sending it to the cloud.

Cloud providers should not only work with their customers, but develop strong encryption solutions that allow the companies to be confident that their data is secure, while allowing some features to be preserved, says Sanjay Beri, CEO of cloud-service management firm Netskope.

“Encryption is the one thing that they, as an app provider, can do better than anyone in the middle,” Beri says. “No one knows the app better than they do, and as long as they expose the keys to be managed by someone else, many customers will be very happy.”
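As an added example (not code from the article or from any of the vendors quoted in it), the following Go program shows the pattern the section is asking for: the tenant encrypts on-premise before upload, the provider stores only ciphertext plus a data key wrapped under a key-encryption key (KEK) that never leaves the tenant, and the object name is bound in as associated data so a stored blob cannot be silently served back under another name. The type and function names, the 32-byte KEK, and the sample object name are assumptions made for the example; AES-256-GCM from the Go standard library does the work.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CloudBlob is the only thing the provider ever stores: ciphertext plus a
// data key wrapped under the tenant's key-encryption key (KEK). The KEK
// never leaves the tenant, so the provider cannot read the payload.
type CloudBlob struct {
	WrappedKey []byte // nonce || AES-GCM(KEK, dataKey), AAD = object name
	Nonce      []byte // AES-GCM nonce for the payload
	Ciphertext []byte // AES-GCM(dataKey, plaintext) with the tag appended
	AAD        []byte // object name: authenticated, not encrypted
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under key with a fresh random nonce; returns nonce and ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, []byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// Encrypt runs on-premise before upload. kek is the tenant's 32-byte
// key-encryption key (assumed to live in an on-premise HSM or KMS).
func Encrypt(kek []byte, objectName string, plaintext []byte) (*CloudBlob, error) {
	dataKey := make([]byte, 32) // one fresh AES-256 key per object
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	aad := []byte(objectName)
	nonce, ct, err := seal(dataKey, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dataKey, aad)
	if err != nil {
		return nil, err
	}
	return &CloudBlob{
		WrappedKey: append(wrapNonce, wrapped...),
		Nonce:      nonce,
		Ciphertext: ct,
		AAD:        aad,
	}, nil
}

// Decrypt runs on-premise after download. A wrong KEK, a modified
// ciphertext, or a blob served under a different object name all fail
// GCM authentication instead of returning garbage.
func Decrypt(kek []byte, blob *CloudBlob) ([]byte, error) {
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob.WrappedKey) < ns {
		return nil, errors.New("wrapped key too short")
	}
	dataKey, err := open(kek, blob.WrappedKey[:ns], blob.WrappedKey[ns:], blob.AAD)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered blob")
	}
	return open(dataKey, blob.Nonce, blob.Ciphertext, blob.AAD)
}
```

Usage is `blob, _ := Encrypt(kek, "invoices/2013-12.csv", plaintext)` before upload and `Decrypt(kek, blob)` after download. Because each object gets its own data key, rotating the KEK means re-wrapping small keys rather than re-encrypting every object, which is the property that lets the customer keep key management (the point Beri makes above) without giving up the provider's search or indexing features on the metadata that stays in the clear.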

4. Alert users to anomalies.
Encryption, however, is not sufficient to protect a customer’s data, if an attacker has gained access to account credentials. For that reason, cloud providers must also maintain good anomaly detection systems and share the information and audit records from those systems with the client, says Skyhigh’s Gupta.

“You need all these different tools to make sure that the cloud provider meets the customer’s requirement,” he says. “It is a layered approach.”
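Items 2 and 4 above describe the same plumbing from two ends: a per-tenant audit record the provider can separate cleanly, and anomaly checks run over those records whose results are shared with the customer. The Go program below is an added example of both, not code from the article or from any vendor quoted in it. The record layout, the `provider-admin:` actor prefix, the two detection windows, the export threshold, and the seven sample log lines are all constructed for this example; events are assumed to arrive in time order.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AuditEvent is one provider-side record. TenantID lets the provider hand each
// customer only its own events; the Actor prefix marks provider staff access.
type AuditEvent struct {
	Time     time.Time
	TenantID string
	Actor    string // "user:<email>" or "provider-admin:<id>"
	Action   string // login, read, export, ...
	Country  string // geolocation of the source address
}

// sampleLog is constructed for this example: RFC 3339 time|tenant|actor|action|country.
const sampleLog = `2013-12-18T09:00:00Z|acme|user:alice@acme.example|login|US
2013-12-18T09:40:00Z|acme|user:alice@acme.example|login|RU
2013-12-18T09:41:00Z|acme|user:alice@acme.example|export|RU
2013-12-18T09:42:00Z|acme|user:alice@acme.example|export|RU
2013-12-18T09:43:00Z|acme|user:alice@acme.example|export|RU
2013-12-18T10:15:00Z|acme|provider-admin:ops7|read|US
2013-12-18T10:20:00Z|globex|user:bob@globex.example|login|DE`

// ParseLog rejects malformed lines rather than silently dropping them.
func ParseLog(raw string) ([]AuditEvent, error) {
	var events []AuditEvent
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), "|")
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: want 5 fields, got %d", n+1, len(f))
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, AuditEvent{ts, f[1], f[2], f[3], f[4]})
	}
	return events, nil
}

// TenantView is the separation step: a customer receives its own events only.
func TenantView(events []AuditEvent, tenant string) []AuditEvent {
	var out []AuditEvent
	for _, e := range events {
		if e.TenantID == tenant {
			out = append(out, e)
		}
	}
	return out
}

const travelWindow = time.Hour        // logins from two countries inside this = impossible travel
const exportWindow = 10 * time.Minute // bulk-export window
const exportThreshold = 3             // exports inside the window that trigger an alert

// Detect runs three checks over one tenant's time-ordered events: provider-staff
// access, impossible travel, and bulk export. These go to the customer with the log.
func Detect(events []AuditEvent) []string {
	var findings []string
	lastLogin := map[string]AuditEvent{}
	exports := map[string][]time.Time{}
	for _, e := range events {
		stamp := e.Time.Format(time.RFC3339)
		if strings.HasPrefix(e.Actor, "provider-admin:") {
			findings = append(findings, fmt.Sprintf("%s provider staff %s did %s on tenant %s data",
				stamp, e.Actor, e.Action, e.TenantID))
		}
		switch e.Action {
		case "login":
			if prev, ok := lastLogin[e.Actor]; ok && prev.Country != e.Country && e.Time.Sub(prev.Time) < travelWindow {
				findings = append(findings, fmt.Sprintf("%s impossible travel: %s logged in from %s %s after %s",
					stamp, e.Actor, e.Country, e.Time.Sub(prev.Time), prev.Country))
			}
			lastLogin[e.Actor] = e
		case "export":
			recent := exports[e.Actor][:0] // keep only exports still inside the window
			for _, t := range exports[e.Actor] {
				if e.Time.Sub(t) < exportWindow {
					recent = append(recent, t)
				}
			}
			recent = append(recent, e.Time)
			exports[e.Actor] = recent
			if len(recent) == exportThreshold {
				findings = append(findings, fmt.Sprintf("%s bulk export: %s made %d exports within %s",
					stamp, e.Actor, len(recent), exportWindow))
			}
		}
	}
	return findings
}
```

Running `Detect(TenantView(events, "acme"))` on the sample yields three alerts in event order (the RU login 40 minutes after a US login, the third export inside ten minutes, and the provider-admin read), while `globex` gets none and never sees acme's records. The first check is the one the article says smaller providers most often omit: staff access to tenant data is logged and surfaced to the tenant, not only kept internally.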

5. Discuss protections from third-party access.
Cloud providers must abide by the laws of the jurisdiction in which they do business and in which their data resides. Even so, the revelations about mass data collection by the U.S. National Security Agency and other nations’ intelligence agencies have left companies increasingly asking cloud providers who requests their data, how frequently, and whether the provider complies with those requests.

“It is very clear that providers need to help consumers understand how they manage and handle requests for information,” says the CSA’s Reavis. “Providers are not beginning to see that they need to put government requests at arm’s length.”

That clarity needs to extend to the ownership of the information as well, says Skyhigh’s Gupta. Cloud providers need to emphasize that their clients continue to own their data, and be as explicit as possible about the provider’s own use of that data.

“How long do they keep your data? In some cases, they keep your data longer than you want them to, in others, they don’t give you enough time to retrieve your data, if you leave the service,” he says.


Article source: http://www.darkreading.com/services/5-ways-cloud-services-can-soothe-securit/240164848

Cybersecurity Accelerator Set To Fast-Track A New Round Of Startups

MACH37, a cyber security “accelerator” that helps emerging vendors come to market more quickly, is opening a new season of startup hunting.

Accelerators, organizations that provide advice and funding assistance to promising young firms and entrepreneurs, are becoming an important part of the cultivation of new security technology, experts say. While MACH37 focuses primarily on east-coast startups, CyberHive operates as an incubator in the west, and organizations such as SINET help emerging companies make connections and gain recognition.

“In many cases, we find that cyber security entrepreneurs have a good solid technology idea, but they don’t know a lot about how to get funding or how to bring products to market,” says Rick Gordon, managing partner at MACH37. “The program is here to provide the business and technical validation necessary to compete in today’s markets.”

In an announcement posted Monday, MACH37 began accepting applications for its spring season of assistance, in which it will take on six or more startups for an intense program of technical validation, funding assistance, and potential customer introductions.

“We’re looking for companies and entrepreneurs that have ideas which could be disruptive, and have the technical chops and the will to bring them to market,” Gordon says.

Upon acceptance into the program, companies receive $25,000 in exchange for a small amount of equity. Following completion of the program and a successful Demo Day presentation, the CIT GAP Fund will match up to $100,000 of outside investment for companies located in Virginia.

“It’s one thing to know what you’re building; it’s another thing to know whether customers are ready to buy it,” says Gordon. “For most cyber security startups, it’s hard to even get in the door, much less find customers that are willing to participate in alpha or beta testing. We have those relationships, and we help the startups get an opportunity to work with real customers.”

The deadline for applications to MACH37’s spring “cohort” is Jan. 31. The accelerator will conduct another session in the fall.


Article source: http://www.darkreading.com/perimeter/cybersecurity-accelerator-set-to-fast-tr/240164854