STE WILLIAMS

New RSA Products and Services Boost Security Operations; Eliminate Security And Compliance Trade-Offs

AMSTERDAM, Oct. 29, 2013 /PRNewswire/ — RSA CONFERENCE EUROPE 2013

News Summary:

— New products and services help organizations build and advance their security operations functions while expanded visibility provides the ability to respond to incidents quicker and reduce the business impact.

— Enhanced RSA Security Analytics solution addresses SIEM and compliance requirements while complementing a longer-term advanced security operations strategy.

— The new RSA Security Operations Management solution enables enterprises to seamlessly orchestrate people, process and technology to effectively detect and respond to security incidents.

— RSA continues to help close the industry skills gap with new RSA Advanced Cyber Defense (ACD) incident response retainer and industry education service.

Full Story:

RSA, The Security Division of EMC (NYSE: EMC), today announced a new combination of products and services to help organizations mature their security operations and accelerate incident response functions while addressing traditional SIEM requirements as part of an advanced security strategy.

Read more about this news at EMC’s product and technology blog, EMC Pulse here.

The offerings include a significant update to RSA Security Analytics, a new RSA Security Operations Management solution and new RSA Advanced Cyber Defense (ACD) services – RSA Retainer for Incident Response and RSA START for Incident Handling – along with new analyst-focused education modules. The combined offerings are designed to empower organizations to continuously and consistently improve management of their security incident lifecycle – from detection, to investigation, to response and learning/process improvement.

Updates to the RSA Security Analytics solution provide additional deployment options for customers to speed adoption and advance security initiatives.

Featuring a new, modular architecture, RSA Security Analytics helps address key SIEM and logging requirements while reducing costs for long-term data retention.

Combining SIEM with near real-time streaming analytics helps expedite incident detection and alerting while an enhanced interface incorporates visualization capabilities to help improve identification of suspicious events.

Additionally, the new RSA Security Operations Management software and RSA ACD services create a unique interoperable incident response solution with focused consultancy and education services to help customers continually improve their Security Operations over time. They include:

RSA Security Operations Management – New solution enables robust orchestration of intelligence, context, processes and resources, thereby:

— Centralizing incident management and integrating business context

— Offering best practice incident management recommendations that leverage industry-standard frameworks, as well as RSA-developed best practices

— Providing a breach impact analysis framework and recommended breach response procedures

— Enabling SOC managers to manage the entire IT security team and measure the effectiveness of their incident response teams.

RSA ACD Response and Learning Services

— RSA Retainer for Incident Response provides an experienced RSA response team on retainer to help organizations respond to critical incidents.

— RSA START for Incident Handling provides forensic assessment services to help organizations proactively improve incident response procedures.

— New SOC/CIRC analyst-focused education modules help increase the skills of security analysts in detecting, analyzing and responding to security incidents.

RSA’s new offerings are designed not only to address the everyday challenges of today’s security teams, but also to enable organizations to quickly identify, respond and fully manage a crisis, while helping them to build out mature security capabilities over time.

Analyst Quote:

Jon Oltsik, Senior Principal Analyst, Enterprise Strategy Group

“Even though organizations find themselves at varying levels of maturity when it comes to advanced security operations, it’s important they employ solutions that are able to grow along with their needs. Integrated solutions that comprise incident detection, investigation, and response, can help organizations reduce the overall impact of security incidents on the business, meet compliance requirements, and streamline security operations.”

RSA Executive Quote:

Grant Geyer, Vice President, RSA Security Analytics

“By offering a robust set of tools and resources for incident detection and response, RSA is helping organizations advance their current capabilities, and is also providing a solid blueprint and flexible platform to more easily build and mature a Security Operation Center to address the threats of tomorrow.”

Additional Resources:

— Learn more about RSA Security Analytics

— Learn more about RSA Security Operations

— Register for the upcoming Webcast: Prioritize Threats with Business Context

— Learn more about RSA Advanced Cyber Defense Services

— EMC Pulse Blog: Dispatch From RSA Conference 2013: Improving Security Operations Management, While Moving SIEM Forward With Advanced Analytics

— Connect with EMC via Twitter, Facebook, YouTube, LinkedIn and ECN

About RSA

RSA, The Security Division of EMC, is the premier provider of intelligence-driven security solutions. RSA helps the world’s leading organizations solve their most complex and sensitive security challenges: managing organizational risk, safeguarding mobile access and collaboration, preventing online fraud, and defending against advanced threats.

Combining agile controls for identity assurance, fraud detection, and data protection, robust Security Analytics and industry-leading GRC capabilities, and expert consulting and advisory services, RSA brings visibility and trust to millions of user identities, the data they create, the transactions they perform, and the IT infrastructure they rely on. For more information, please visit www.EMC.com/RSA.

RSA and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other company and product names may be trademarks of their respective owners.

Article source: http://www.darkreading.com/management/new-rsa-products-and-services-boost-secu/240163336

Verint Acquires Voice Biometric Company Victrio

MELVILLE, N.Y. and MENLO PARK, CALIF., October 29, 2013 — Verint Systems Inc. (NASDAQ: VRNT) today announced the signing of a definitive agreement to acquire Victrio™, an innovator in fraud prevention and identity authentication solutions. The combination of Verint and Victrio advances this comprehensive solution set by combining industry-leading voice biometrics and predictive analytics with customer-centric workforce optimization (WFO) solutions, furthering the company’s strength in fraud and risk analytics.

Today, risk management, fraud prevention and identity authentication are high profile topics in more and more organizations. With an increased focus on safeguarding customer identity and private information, companies worldwide are investing in technology and services that help mitigate risk, prevent fraud, reduce fraud-related loss and improve the customer experience–all while decreasing contact center operating costs. According to Ovum, “Risk-based authentication is going to be an increasingly important requirement. It represents a more realistic approach for business users, who won’t then need to present multiple credentials every time they log in.”1

Victrio solutions combine a new generation of “passive” voice biometrics with unique predictive analysis that can accurately detect fraudsters and authenticate customers without caller interruption. Its innovative voice biometrics solution is ideally suited for large financial institutions, including banks, card issuers, wealth management service providers and other organizations focused on fraud reduction. Earlier this year, Victrio was named by Gartner, Inc. as a “Cool Vendor in Security: Identity and Access Management, 2013.”2

“We’re delighted to welcome Victrio to the Verint family and are enthusiastic about what the addition of its technology brings to the existing Verint fraud and risk analytics portfolio. This acquisition extends our offering and introduces a host of advanced capabilities that will enable us to offer our customers an even more comprehensive solution to address fraud and identity authentication problems head on,” explains Elan Moriah, president, Verint Enterprise Intelligence Solutions™ and Video and Situation Intelligence Solutions™.

Extending Market Leadership in Fraud and Risk Analytics

Armed with Actionable Intelligence, Verint and now Victrio customers will be uniquely positioned to identify and respond more effectively to theft, detect and take action on behaviors that don’t comply with industry regulations and company practices, and support data privacy compliance.

By delivering solutions that reduce risk, combat fraud and help ensure compliance, Verint offers an innovative approach to addressing specific areas of risk with advanced analytics technology. This supplements the company’s existing fraud and risk analytics category leadership, which already includes video analytics, facial recognition, speech and data analytics, and desktop and process analytics. Verint has comprehensive experience in fraud, risk and compliance across many industries, including specific solutions for financial services, retail, telecommunications and government.

The combined organization will take part in next week’s Voice Biometrics Conference in London, November 6-7, at Grosvenor House, a JW Marriott Hotel. To learn more about Victrio, visit www.victrio.com.

About Victrio

Victrio™ is a leader in voice biometric solutions for call center authentication and fraud detection. Victrio clients include leading U.S. banks and card issuers. Powered by a new generation of voice biometrics and data science, Victrio screens calls to accurately catch fraudsters and verify customers without caller interruption. Victrio systems impact overall security, customer experience, and agent costs. Victrio integrates readily with existing call recording and fraud management systems. The company is headquartered in Menlo Park, California.

About Verint Enterprise Intelligence Solutions

Verint Enterprise Intelligence Solutions™ help organizations of all sizes capture and analyze customer interactions, sentiments and trends across multiple channels, improve performance and optimize the customer experience. The solution portfolio includes the Impact 360 Workforce Optimization™ suite and Voice of the Customer software, which serve as strategic enterprise assets for increasing customer satisfaction and loyalty, enhancing products and services, reducing operating costs and driving revenue.

About Verint Systems

Verint (NASDAQ: VRNT) is a global leader in Actionable Intelligence solutions. Its portfolio of Enterprise Intelligence Solutions™ and Security Intelligence Solutions™ helps organizations Make Big Data Actionable™ through the ability to capture, analyze and act on large volumes of rich, complex and often underused information sources–such as voice, video and unstructured text. With Verint solutions and value-added services, organizations of all sizes can make more timely and effective decisions. Today, more than 10,000 organizations in over 150 countries, including over 80% of the Fortune 100, count on Verint solutions to improve enterprise performance and make the world a safer place. Headquartered in NY, Verint has offices worldwide and an extensive global partner network. Learn more at www.verint.com.

Article source: http://www.darkreading.com/intrusion-prevention/verint-acquires-voice-biometric-company/240163337

Lockheed Martin Cyber Solution Enables Secure Data Sharing Between Top Secret And Unclassified Security Domains

PHOENIX, Oct. 30, 2013 /PRNewswire/ — Lockheed Martin (NYSE: LMT) has developed a cyber security solution that allows intelligence to be securely shared among personnel working at all security levels – from highly classified intelligence sites to unclassified users in the field. This high assurance information solution, called Trusted Sentinel, allows data to be manually and/or automatically transferred between two or more differing security domains by using a single consolidated configuration of hardware and software.

“In today’s complex cyber threat environment, protecting and securing our data is critical,” said Jim Quinn, vice president of C4ISR Systems for Lockheed Martin Information Systems Global Solutions. “Trusted Sentinel addresses the difficult challenge of sharing relevant information across security domains and between organizational echelons.”

Trusted Sentinel supports the secure flow of intelligence data between all clearance levels by ensuring that sensitive information does not escape the highest clearance levels. It also ensures that information traveling back up the chain from un-cleared sources does not contain malicious code that could corrupt secure networks. By incorporating a suite of network protection capabilities that ‘guards’ classified data from unauthorized access, Trusted Sentinel controls the release of information commensurate with the security level of the information being processed, including clearance level, formal access approval and user need as determined by assigned confidentiality requirements.

Trusted Sentinel was developed by combining the capabilities of two of Lockheed Martin’s Unified Cross Domain Management Office (UCDMO)-approved Cross Domain Solutions. The UCDMO is a joint Department of Defense and Intelligence Community organization that provides centralized coordination and oversight of cross-domain initiatives across these communities. The solution, which has received design approval from the accrediting organization, is being prepared for placement into an operational environment.

Headquartered in Bethesda, Md., Lockheed Martin is a global security and aerospace company that employs about 116,000 people worldwide and is principally engaged in the research, design, development, manufacture, integration, and sustainment of advanced technology systems, products, and services. The Corporation’s net sales for 2012 were $47.2 billion.

Article source: http://www.darkreading.com/management/lockheed-martin-cyber-solution-enables-s/240163348

New Online Security Course Available To Small Business Owners

WASHINGTON, Oct. 30, 2013 /PRNewswire-USNewswire/ — Small businesses can help keep their business information safe and protect their online information with a new free course from the U.S. Small Business Administration.

In support of President Obama proclaiming October as National Cybersecurity Awareness Month, SBA is launching this new course, designed for small businesses, to provide an overview on how to secure business information, identify security threats and guard against cyber-attacks.

Cybersecurity for Small Businesses is one of SBA’s newest online courses to help business owners safeguard their information from computer attacks and determine their readiness against security breaches. The course, available at http://www.sba.gov/tools/sba-learning-center/training/cybersecurity-small-businesses, teaches best cybersecurity practices and protection against cyber threats for the nation’s small business community.

The protection of sensitive data such as business invoices, payroll records, client and employee data and other proprietary information is essential to a company’s success. A computer failure or other system breach could undermine a company’s reputation, expose it to costly recovery expenses, and disrupt the business’ overall operation.

Cybersecurity for Small Businesses will help to identify information security vulnerabilities that can put a small business at risk, and the protective tools and techniques used to measure, maintain and guard business information and systems.

Small business owners will learn the types of information that should be secured, how to protect themselves from intentional attacks or unintentional damage, guard themselves from decreased productivity caused by security breaches and evaluate the needed security tools and techniques. The course also gives useful and practical steps to take to protect a business’ operations.

Cybersecurity for Small Businesses is self-paced and also offers best practices for guarding against cyber threats, potential computer weaknesses and the corrective actions for risk management.

Course participants completing the online course can earn a certificate of completion from the SBA. The SBA Learning Center offers free courses covering topics such as Starting, Managing, or Financing a Business, and can be found at http://www.sba.gov/sba-learning-center.

Article source: http://www.darkreading.com/end-user/new-online-security-course-available-to/240163349

McAfee And Office Depot Survey Reveals SMBs Have False Sense Of Security

SANTA CLARA, Calif. – Oct. 30, 2013 – McAfee today announced findings from a joint survey with Office Depot, Inc. that revealed surprising security misconceptions among small and medium-sized business (SMB) owners. More than 1,000 SMBs participated in the Office Depot Small Business Index[i] survey last month, and a super-majority (66 percent) felt confident that their data and devices are secure and safe from hackers, with 77% responding that they haven’t been hacked. The results are at odds with industry research that has revealed these same businesses are prime targets of complex and evolving cyber threats.

“Cyber attacks on small businesses rarely make headlines, so it is easy for these business owners to be lulled into a false sense of security, as indicated in this survey. It is especially important for small business owners to secure their systems, as they may not have the resources to survive a cyber attack, unlike a large corporation,” said Congressman Chris Collins (NY-27). “I urge small business owners to dedicate the necessary resources to securing their data, and support McAfee and Office Depot in their efforts to raise awareness among business owners about the importance of cyber security.”

Seventy-two percent of data breaches investigated by Verizon Communications’ forensic analysis unit were focused on companies with less than 100 employees[ii]. The discrepancy suggests that many SMBs are not aware that they’ve been attacked.

The study also found the following:

Only nine percent of SMBs use endpoint/mobile device security

80% don’t use data protection

Less than half use email security

About half use Internet security

45% of SMBs do not secure company data on employees’ personal devices

One of the biggest reveals from the survey was that 14% of SMBs haven’t implemented any security measures.

“A business that doesn’t have any security measures in place is putting their data and customers’ trust in jeopardy,” said Bill Rielly, senior vice president of Small Medium Business at McAfee. “As enterprises have increased their security defenses, hackers have started to target their attacks downstream to SMBs. We applaud Office Depot’s SMB survey, which not only took the pulse of cybercrime, but also increased security awareness among the small business workforce. At McAfee, we are focused on educating businesses on the devastating impact a cyber attack can have and the simple steps and solutions they can use to keep their businesses safe.”

“At Office Depot, we’re committed to serving the small business community and ensuring they have the necessary information and resources to grow and protect their businesses. We also recognize the importance of generating awareness of risks to the business, including cybercrime, and how to defend against it,” said Randy Wick, Vice President of Merchandising, Technology and Services for Office Depot.

About McAfee

McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), empowers businesses, the public sector, and home users to safely experience the benefits of the Internet. The company delivers proactive and proven security solutions and services for systems, networks, and mobile devices around the world. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique Global Threat Intelligence network, McAfee is relentlessly focused on keeping its customers safe. For more information visit http://www.mcafee.com.

Article source: http://www.darkreading.com/end-user/mcafee-and-office-depot-survey-reveals-s/240163375

PCI Security Standards Council’s Validated Point-To-Point Encryption Available Now

NICE, France, 30 October 2013 — At its 2013 European Community Meeting today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, announced the availability of its Validated Point-to-Point Encryption (P2PE) solutions listing on the PCI SSC website. This is the official PCI SSC resource for merchants and acquirers looking to deploy a P2PE solution to help simplify their PCI DSS security programs by removing clear-text cardholder data from the payment environment.

European Payment Services (EPS) is the first company to have a solution listed – its EPS Total Care P2PE solution was validated by P2PE assessor SecurityMetrics, Inc. A number of other solutions validated by P2PE assessors are under review, and once approved by the Council will be added to the listing, available at:

https://www.pcisecuritystandards.org/approved_companies_providers/validated_p2pe_solutions.php

The PCI Validated P2PE Solutions listing is the next step in the rollout of the Council’s P2PE program. Developed with input and feedback from the Council’s global stakeholders, the program provides a method for vendors to validate their P2PE solutions and applications, and for merchants to reduce the scope of their PCI DSS assessments by implementing a validated and PCI-listed P2PE solution for accepting and processing payment card data.

“The building blocks of a strong security program are people, processes and technology. With this new solutions listing, we’re glad that merchants and others can now take advantage of PCI SSC-listed P2PE technology in their payment security efforts,” said Bob Russo, general manager, PCI SSC.

To qualify for validation and listing on the Council’s website, a P2PE solution must comply with the PCI SSC P2PE Standard, encrypting cardholder data from the point where a merchant device accepts the payment card (for example, at the point of swipe or dip) to the point where the third-party payment processor or acquirer decrypts the data for processing.

“The use of point-to-point encryption technology to simplify PCI DSS security has been of great interest to our community, and especially here in Europe, with a number of our European stakeholders actively involved in the development of the P2PE program,” said Jeremy King, European director, PCI SSC. “We’re pleased to be able to announce this new resource at our 2013 Community Meeting in France, where we know merchants are eager to take advantage of this technology for securing their payment data.”

About the PCI Security Standards Council

The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has more than 650 Participating Organizations, representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.

Article source: http://www.darkreading.com/authentication/pci-security-standards-councils-validate/240163378

Social Engineers Pwn The ‘Human Network’ In Major Firms

To provide some perspective on just how poorly corporate America is able to combat social engineering attacks today, consider this: Famously secretive Apple fared the worst in a recent social engineering contest.

Organizers of the annual Social Engineering Capture The Flag (SECTF) contest at DEF CON have released the final report on the competition, held in August in Las Vegas, and the findings don’t bode well for enterprises: Social engineering exploits are as easy as ever to pull off successfully, with contestants able to glean valuable company information online and from employees answering phones at Apple, General Motors, Home Depot, Johnson & Johnson, Chevron, Boeing, Walt Disney, Exxon, General Dynamics, and General Electric.

The fifth annual SECTF, which is held to raise awareness about social engineering threats, included 10 men and 10 women contestants who each initially conducted online research (no hacking or direct contact allowed) on their assigned target company for the contest. They then placed live telephone calls to their target in a soundproof booth at DEF CON in front of an audience of attendees and contest organizers. Each was scored based on the “flags,” or specific checklist items, they were able to obtain from their targets, such as the caller’s browser, operating system, or getting them to visit a rigged URL.

“The bottom line is [the target corporations] did really poorly,” says Michele Fincher, chief influencing agent for Social-Engineer, Inc., the firm that runs the event each year at DEF CON. “The companies who happened to do well did so accidentally or out of ignorance in they either couldn’t answer the question or didn’t know how, so the call shut down. Very few [employees] said, ‘I am not allowed to give out this information.'”

One male contestant in the online-research portion of the contest prior to the live event was able to access a document on his assigned target company’s public website that provided him the credentials to log into the company’s intranet. “He didn’t do any hacking on the corporate website, [which is against the rules]. But he found a document to help new employees log in that literally showed a real badge with login information that actually worked. Using that credential, he got into the employee intranet,” Fincher says.

Fincher, who wouldn’t name the targeted firm, says that finding highlighted just how easy it is to gather valuable information on a targeted organization via the Internet using open-source intelligence, a.k.a. OSINT, or information gathered from publicly available sources such as websites, social media, and other online resources. “There has not been a lot of activity on the part of corporations to improve this sort of exposure and data leakage,” she says.

The bulk of the intel gathered by the contestants this year came from OSINT. “Most of the points were actually obtained” online this way, Fincher says. The contestants earned twice as many points via OSINT as they did in their live calls to the targets — and the OSINT flags were worth half as many points as the ones captured during the live portion of the contest, she says.

“What that really means is that it doesn’t take a skilled social engineer to dig through the Net and find information,” Fincher says.

While the contestant assigned to Apple was able to garner the most total points from the target, 1,200, and the contestant assigned to GE, the lowest with less than 300, that doesn’t mean one company is necessarily a weaker link than another. “Here’s the thing: You can’t really make hard-core assumptions that Apple is bad and GE is good,” Fincher says. Other factors include the caller’s expertise, the respondent’s naivete — plus the amount of information the contestant was able to research and gather online prior to the event to help his or her mission to extract information.

The top flags captured by the contestants, in order, were Internet browser type; operating system information; information on corporate wireless access; confirmation of a corporate VPN; and the presence of an on-site cafeteria. Browser and OS intel could aid an attacker in crafting a targeted phishing email, for instance.

[Postmortem details released on high-profile contest that targeted Walmart, Target, AT&T, Verizon, HP, Cisco, Mobil, Shell, FedEx, and UPS. See Retail Fail: Walmart, Target Fared Worst In Def Con Social Engineering Contest.]

Why the cafeteria flag? Service workers in food and janitorial services often fly under the radar with physical access to all types of possible information leaks, including trash cans or documents, according to Fincher.

“One of the key findings are across the board there is way too much information to be gathered through open source. The training being provided is not adequate to cover this,” Fincher says. “There’s a lot of focus on technology: It’s a lot easier to put up a firewall. But a conversation can be way more damaging than malware.”

It takes more customized, repetitive training to teach employees to be careful in what they share online or in conversation, she says. “I would like to see people put as much effort in keeping their human network safe” as they do their computer networks, she says.

The full report on this year’s SECTF is available here for download.

Article source: http://www.darkreading.com/vulnerability/social-engineers-pwn-the-human-network-i/240163379

Anonymity is the enemy of privacy, says RSA grand fromage

RSA Europe 2013: A dogmatic allegiance to anonymity is threatening privacy, according to Art Coviello, executive chairman of RSA.

Coviello cast anonymity as the “enemy of privacy” because it gives “free reign to our networks to adversaries” with “no risk of discovery or prosecution.”


The head of EMC’s security division told delegates at the RSA Conference Europe that security and privacy need to be aligned like two poles of a magnet in a trusted environment for internet commerce to flourish.

An imbalance between privacy and security was causing customers decisions to deploy Big Data technologies that could give them a much clearer picture of hacking attacks, Coviello claimed.

“Customers are caught in a Catch-22. They’re afraid to deploy technology for fear of violating workers’ privacy” even though security intelligence tools are ultimately the best way to protect personal information, Coviello argued.

The security leader’s remarks follow on from criticism at the same show last year that privacy concerns were hampering intelligence-sharing efforts. The combined pitch caused one French wag to note that there’s only one letter of difference between the NSA and RSA.

Mindful of such unflattering comparisons, Coviello admitted Big Data systems could be “misused”. He said: “Big Brother, ethics aside, will stifle innovation.”

Anonymising services and technologies that offer anonymity, such as the Tor network and VPNs, have been in the news recently because of law enforcement action and intelligence agency leaks. Coviello’s line was a controversial one to peddle to European audiences in the wake of the latest Snowden revelations, which put figures on the extent of NSA’s dragnet spying on the phone calls of French, German and Spanish citizens.

“Many privacy advocates hold the polar opposite view to Coviello, believing anonymity online is a fundamental ingredient for online privacy,” writes security consultant and blogger Dave Whitelegg. “Art’s perspective also highlights the difference in attitudes towards privacy harboured between the United States and Europe,” added Whitelegg. “The European Union was built on its citizens’ rights, including the right to privacy, a right the EU wishes to see exercised online, whereas the US view tends to be ‘privacy is dead’, believing the right to online privacy has been given up and the privacy fight lost.”

Less controversially, Coviello added that the security industry needs to act less like a police headquarters that simply responds to attacks and more like beat cops who know their environment and can recognise and respond to anomalies. Big Data technologies were key to moving away from a purely reactive security model to an intelligence-driven approach.

“When we understand the context of people’s ‘normal’ behaviour or how information flows on our networks, we can more clearly and quickly spot even a faint signal of any impending attack or intrusion,” Coviello explained. “This is what makes intelligence-driven security future-proof. It eliminates the need for prior knowledge of the attacker or their methods.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/29/coviello_keynote_rsa/

Study: Cyber Monday Attacks Cost Enterprises Up To $3.4M Per Hour

The upcoming holiday shopping season could be prime time for attackers who hope to catch enterprises at their weakest moment, according to a study published this week.

According to a new survey of 1,100 retail companies conducted by the Ponemon Institute and sponsored by RSA, daily revenue surges by an average of 55% during the holiday season. If a retail site is hacked or disabled, average losses may amount to as much as $500,000 per hour, or $8,000 per minute.

Two thirds of respondents (66 percent) said that such a disruption would also result in customer churn that would damage reputation and brand, pushing losses as high as $3.4 million from a single hour of disruption.

“This time of year is not just an opportunity for retail fraud, but an opportunity to launch attacks that take advantage of business logic vulnerabilities, DDoS [distributed denial of service] attacks, and more sophisticated attacks as well,” says Demetrios Lazarikos, IT threat strategist at RSA.

Yet while 64% of organizations said they see significant increases in attack activity during the holidays, more than 70% of organizations do not take additional precautions in anticipation of increased attacks. And with their currently-installed technology, 51% say that they do not have real-time visibility into Web traffic, making it difficult to identify the root cause of such attacks, the study says.

Just 23% of respondents said they feel that most holiday-season attacks can be quickly detected and remediated.

The report also identifies the top nine attacks organizations will likely face during the holiday season. In order of likelihood, these attacks are:

1. Botnet and Distributed Denial of Service (DDoS)
2. App store fraud
3. Mobile access/account compromise
4. Click fraud
5. Stolen credit card validation
6. eCoupon abuse
7. Account hijacking
8. Electronic wallet abuse
9. Brand promotion hijacking

“We expect to see more of these attacks this year, and more attacks targeted at specific companies,” says Lazarikos.

Article source: http://www.darkreading.com/privacy/study-cyber-monday-attacks-cost-enterpri/240163312

Firefox moves up to Version 25, fixes a bunch of memory mismanagement problems

A brief reminder for Firefox users: version 25 is out.

As usual, there are some new and tweaked features, plus a fair number of security fixes.

And, as usual, Mozilla recommends your immediate attention to the update, if you’re one of those who prefers to be alerted to updates first rather than having them automatically applied:

It is strongly recommended that you apply this update for Firefox as soon as possible.

If you aren’t already using Firefox you can get a copy of the latest version from the downloads page.

There are actually four updated software versions in the Mozilla stable that have received the security patches from the latest upgrade:

  • Firefox 24.0 goes to 25.0.
  • Firefox 24.0ESR (Extended Support Release) goes to 24.1ESR.
  • Firefox 17.0.9ESR goes to 17.0.10ESR.
  • Thunderbird goes to 24.1.

The Seamonkey application suite is also listed as getting the fixes, moving to 2.22, but it looks as though Seamonkey users may have to wait, as the official download page [at 2013-10-30T05:45Z] still offers 2.21.

Tor Browser users will also need to keep their eye on the progress of updates, as the Firefox ESR version that ships in the Tor Browser Bundle is still at 17.0.9.

Five of the security advisories are marked in red, meaning they’re critical, and can therefore possibly, or even probably, be used for implanting malware via Remote Code Execution (RCE).

All of the critical fixes involve memory mismanagement errors such as use-after-free bugs: if you’re interested in the potential implications of this sort of programming flaw, you might want to check out our Anatomy of an IE Exploit series.

There are two official changes listed for Firefox 25, and both caught my eye, as they have to do with the Firefox Reset feature:

Resetting Firefox is a not-very-well-known option you can try when websites stop working properly, perhaps because of accumulated state information about your browsing so far. (So much for HTTP being a so-called stateless protocol where each request stands entirely on its own.)

If you browse to the URL about:support, you’ll see the reset option:

As the change list reminds us quite clearly, a Firefox reset doesn’t set you back to a state of total browsing innocence, and in Firefox 25, it seems that slightly less than before is deleted from the browser’s store of information.

In particular, the reset function no longer forces an end to any current browser sessions, meaning that it leaves behind a fair amount of data about your current browser state.

Do bear this in mind, especially if you also use Safari, where the Reset option can be used to remove all browser data, effectively logging you out, removing all tracking cookies, and more.

The equivalent option in Firefox isn’t Reset, but rather Clear All History, which you reach from the History|Clear Recent History menu option.

Now grab the update, and shield yourself from any potential attacks that might be found against those use-after-free bugs!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TLRFDHlAcWM/