STE WILLIAMS

Please don’t spread the Facebook "giraffe picture" hoax!

A bizarre warning is circulating on Facebook urging you not to change your profile picture to a giraffe.

When I heard about this, my first reaction was, “Of all the things I could choose to represent myself, what’s the chance that today I’d suddenly want it to be a giraffe?”

My next thought was, “But if I were to decide on a giraffe – and they are majestic animals, let’s face it – why would that be a problem?”

The whole thing is a load of rot, of course, and just the latest in a long line of internet hoaxes.

The advice in the hoax

The bogus reasoning in the hoax is somewhat contorted, but it seems to go something like this:

  • There’s a Facebook game in which players who fail to answer a riddle correctly are urged to set their picture to a giraffe as a harmlessly light-hearted signal they got it wrong.
  • Crooks have tried to take advantage of this by poisoning Google’s image searches with booby-trapped giraffe images.
  • These booby-trapped JPEG files install malware with a range of dangerous side-effects, including stealing your username and password.
  • So don’t change your profile picture to a giraffe.

There’s enough here to be mildly believable: readers may have heard of the riddle that asks you to change your profile picture if you get it wrong; search engine results can be manipulated by cybercriminals; and software bugs have been found in the past that allowed booby-trapped JPEG files to deliver malware.

Why it isn’t true

It’s all a pack of made up rubbish – and here’s how you can tell.

Way back in 2004, a lot of media coverage was given to a JPEG vulnerability in the heart of Windows.

This security hole could, in fact, have allowed booby-trapped images on web pages to inject malware onto your computer, in the same way that booby-trapped DOC and PDF files are often used for that purpose these days.

Patches from Microsoft headed off that vulnerability at the pass with security update MS04-028, but the concern at the time was understandable, since the JPEG format was, and still is, one of the most commonly-used image types on the internet.

Indeed, if you dig around online for nine-year-old stories about the MS04-028 vulnerability, you will find articles like this one:

A virus that exploits the recently discovered JPEG vulnerability has been discovered spreading over America Online’s instant-messaging program….

“It’s been done in the past, but with HTML code instead of the JPEG,” said Johannes Ullrich, chief technical officer for SANS’ Internet Storm Center, the organization’s online-security research unit. “It is a virus, but it didn’t spread very far. We’ve only had two reports of it.”

…The code also installs a back door that can give hackers remote control over the infected computer. Antivirus expert Mikko Hypponen of F-Secure warned on Wednesday that the JPEG exploit can also dodge antivirus technology.

Guess what?

According to the Hoax-Slayer website (which has itself been around since 2003), the current hoax tells much the same story, with some minor changes in detail, and some deliberate mis-identification of the “experts” being quoted (my emphasis):

A virus that exploits the recently discovered JPEG vulnerability has been discovered spreading over google’s giraffe pictures.

“It’s been done in the past, but with HTML code instead of the JPEG,” said James Thompson, chief technical officer for SANS’ Internet Storm Center, the organization’s online-security research unit. “It is a virus, but it didn’t spread very far. We’ve only had two reports of it.”

…The code also installs a back door that can give hackers remote control over the infected computer. Antivirus expert Fred Hypponen of F-Secure warned on Wednesday that the JPEG exploit can also damage your Iphone if you charge it with your computer.

Johannes Ullrich, quoted back in 2004, is still the Internet Storm Center CTO, not James Thompson.

And although F-Secure’s best-known antivirus expert is indeed – today as in 2004 – a certain Mr Hypponen, his first name is Mikko, not Fred.

Adding a modern twist

The introduction of the warning about charging your iPhone gives the old story a bit of a modern twist, and takes advantage of a recent expose about the potential risk to iPhones (now patched) posed by booby-trapped chargers.

The current hoax apparently also adds a bogus detail to say that:

By default, antivirus software only scans for .exe files. And even if users change the settings on antivirus software, the JPEG file name extensions can be manipulated to avoid detection.

That’s not true either.

An on-access (real time) virus scanner – the component that prevents virus infection by blocking files before they open – will generally identify files by their content, meaning that the extension is largely irrelevant.

And if you change the settings on your on-demand scanner, you can just set it to check all files, which makes misapplied extensions irrelevant.
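To make the point about content-based identification concrete, here is an added sketch (not part of the original article, and not any vendor's scanner code) of the first step such a scanner takes: reading a file's leading "magic" bytes and comparing the result with what the extension claims. The file names and byte strings are constructed samples, and the signature table is a small subset chosen for illustration.

```python
import os

# Well-known leading byte signatures for a few common formats.
# A real scanner knows many more and goes on to parse the file's structure.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"MZ", "windows-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-container"),  # also DOCX, XLSX, JAR
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-document"),  # legacy DOC/XLS
]

# Content types each extension is expected to carry (illustrative subset).
EXPECTED = {
    ".jpg": {"jpeg"},
    ".jpeg": {"jpeg"},
    ".png": {"png"},
    ".gif": {"gif"},
    ".pdf": {"pdf"},
    ".exe": {"windows-executable"},
    ".dll": {"windows-executable"},
    ".zip": {"zip-container"},
    ".docx": {"zip-container"},
    ".doc": {"ole2-document"},
}


def sniff(data: bytes) -> str:
    """Identify content from its leading bytes, ignoring any file name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Compare what the extension claims with what the content is."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    expected = EXPECTED.get(ext)
    # Only call it a mismatch when we know what the extension should contain.
    mismatch = expected is not None and kind not in expected
    return {
        "name": filename,
        "extension": ext,
        "content_type": kind,
        "mismatch": mismatch,
    }


def scan(samples):
    """Classify every (filename, data) pair and return the results."""
    return [classify(name, data) for name, data in samples]


# Constructed samples: headers only, padded with zero bytes.
SAMPLES = [
    ("giraffe.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16),
    ("giraffe2.jpg", b"MZ\x90\x00" + b"\x00" * 16),       # executable renamed
    ("holiday.JPG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),  # benign mislabel
    ("notes.txt", b"plain text, no signature"),
]

if __name__ == "__main__":
    for result in scan(SAMPLES):
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f'{result["name"]:14} {result["content_type"]:20} {flag}')
```

The renamed executable is identified as an executable whatever its name says, which is why changing the extension does not hide a file from a scanner that looks at content.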

As you can see, there are lots of signs that this “giraffe story” is entirely bogus.

→ If it were true, and a vulnerability were currently known that would let JPEGs inject malware onto your computer, then the crooks wouldn’t bother going to all the trouble of poisoning Google image searches and hoping you would change your Facebook profile. They’d just put the booby-trapped files onto innocent-looking web pages and infect you during normal browsing, wouldn’t they?

What to do?

Our advice:

  • If you’re a news writer who covers computer security, check your facts before you endorse security warnings: false alarms just make us collectively less likely to react when there is a problem.
  • If you’re a reader of security warnings, don’t spread this hoax, even if you think it’s amusing: false alarms just make us collectively less likely to react when there is a problem.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/H4SeNybovw8/

President Obama orders review of NSA spying

US President Barack Obama has initiated a review to make sure that the National Security Agency (NSA) is doing what it should be doing, as opposed to doing whatever it can do with its continues-to-amaze data-vacuuming capabilities.

The President briefly touched on what he called an ongoing, complete review in an interview with White House correspondent and ABC News senior national correspondent Jim Avila for “America With Jorge Ramos” on Monday afternoon.

He said:

We’re undergoing a complete review of how our intelligence operates outside of the country.

As it is, the laws that supposedly protect what the US does internally tend to sag when they get shipped over the border, he said:

There are some very strict laws governing what we do internally.

And that was the initial concern brought about by some of the [whistleblower Edward] Snowden disclosures. Internationally, there are less constraints on how our intelligence teams operate.

On Sunday, the NSA found itself fidgeting in a diplomacy blow-out after revelations about its having intercepted personal mobile phone calls of German chancellor Angela Merkel.

The agency was forced to deny that its director had ever told Obama about it.

(Take that for what you will: An unnamed, high-ranking NSA official alleged that the president, “not only did not stop the operation, but he also ordered it to continue”, according to reporting from the German newspaper Der Spiegel.)

Avila had asked the President how it is that he didn’t know about the NSA listening in on cell phones of world leaders that are also the country’s allies and just who, exactly, should have told him.

Obama answered by calling himself the ultimate end user of intelligence:

The national security operations, generally, have one purpose and that is to make sure the American people are safe and that I’m making good decisions. I’m the final user of all the intelligence that they gather.

Just four months ago, at a rally at the Berlin Wall – to which Merkel had invited him – the President said that the US’s intelligence efforts hadn’t run amok.

“Our current programs are bound by the rules of law,” the President said at the time.

But the Snowden leaks are giving the country pause over whether, actually, technology advances have, well, allowed intelligence efforts to run amok, the President said:

It’s important for us to make sure that as technology develops and expands and the capacity for intelligence gathering becomes a lot greater, that we make sure we’re doing things in the right way [in a way that’s] reflective of our values.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tFVmZC4ppE4/

IBM gives up fight to build CIA’s $600m secret cloud, hands deal to Amazon

IBM has stumbled away from its legal tussle with Amazon over a strategically important contract to build a $600m cloud system for the CIA.

Today Big Blue withdrew its formal protest against the spooks’ decision to use the online bazaar’s technology, effectively ceding the massive contract to Jeff Bezos & Co. It also marks a shift in the balance of power among federal IT contractors.


For years IBM and a coterie of other huge companies – Oracle, HP, Dell, SAP, SAS, Verizon, and so on – have taken the largest share of public cash for government computer projects.

But all things come to an end, and the CIA’s decision to plump for Amazon’s private cloud over IBM’s earlier this year signaled a changing of the guard. It also blew away some of the clouds of fear, uncertainty and doubt that incumbent suppliers had spread about upstarts.

IBM protested the CIA decision, and Amazon unleashed its own lawyers to fight back. A federal judge struck down IBM’s objection earlier this month, and now IBM has withdrawn its final complaint, effectively bowing out of the race.

Calls to Big Blue went unanswered at the time of writing, though the tech titan did tell gov trade mag FCW “in light of the government’s recent submissions emphasizing its need to move forward on the contract, IBM has withdrawn its motion.” Amazon had no comment when The Reg contacted it.

Now that Bezos & Co can build a $600m private cloud for the CIA, perhaps they will consider doing a private cloud for the general hoi polloi as well – watch out, Eucalyptus, your partner might just be gearing up to trample you. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/30/ibm_amazon_court_ko/

Three million Adobe user accounts hacked? No, make that 38 million-plus

Remember that Adobe security breach from earlier this month that leaked the account records of some 3 million customers? Scratch that; the actual number was at least 38 million, it has emerged.

In early October, Adobe warned of “sophisticated attacks” on its network in which hackers gained access to data for what was then believed to be about 2.9 million customers: that data included names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.


In addition, the company said, the cyber-crooks had managed to abscond with source code for “numerous Adobe products.”

But in a blog post on Tuesday, investigative journalist Brian Krebs said those early estimates were far too low, and that the actual list of accounts that had been compromised numbered in the tens of millions.

How does Krebs know? Because he’s seen the list. Over the weekend, he says, AnonNews.org posted a 3.8GB file called “users.tar.gz” that contained more than 150 million user and password pairs that had apparently been lifted from Adobe.

Adobe spokeswoman Heather Edell has since confirmed the breach to Krebs, adding that the company has contacted the owners of the affected accounts and has reset the passwords for all of the Adobe IDs that it believes were involved in the hacking incident.

“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid) encrypted passwords for approximately 38 million active users,” Edell said. “We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident.”

Edell also said that the attackers were able to gain access to at least some of the source code for Adobe Photoshop. Krebs was able to confirm that, too – a second, 2.56GB file posted to AnonNews.org contained what appeared to be Photoshop code.

Source code for Adobe Acrobat, Reader, and the ColdFusion web application server software is also believed to have leaked during the incident, but at least some of this data appears to have been password protected and may not be readily accessible.

Adobe seems to be taking its customer data breach seriously. The company has offered one year’s worth of free credit monitoring by Experian to any customer whose account was compromised in the attack. But as Krebs points out, this kind of service isn’t guaranteed to spot all of the forms of identity theft that might arise from such incidents, so Adobe customers are advised to place fraud alerts on their accounts and monitor their credit reports closely. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/30/adobe_data_breach_millions_of_accounts/

Attackers Crib Exploit Code, But Net Benefit For Defenders

The crime packs used by criminals to create malware campaigns to compromise and control victims’ computers rarely use original attacks, instead relying on reusing techniques found in publicly released exploit code.

An analysis of 18 exploits used by the top-20 crime packs found that the crucial code used in each attack could be traced back to information released by a security researcher, a blog post posted by a security firm describing the exploit, or a sophisticated attack created for an espionage campaign. The analysis, presented by Trail of Bits’ CEO Dan Guido at last month’s BruCon security conference, highlights the dangers that exploit code can pose in a software ecosystem that is slow to patch known vulnerabilities.

“There are pros and cons: The APT groups get by fine totally on their own, they create their own exploits totally in house, and there is value from a defensive point of view to understanding how these exploits work and what their limitations are,” says Guido. “On the other hand, when you see all these security researchers beating up on Java, you know that code is going to slot right into a space waiting for it.”

In his analysis, Guido found that eight of the attacks included in the crime packs targeted Adobe Flash and Reader and Internet Explorer, but would only work on Windows XP. Half of the attacks targeted more modern platforms but relied on vulnerabilities in Oracle’s Java software platform. Only a single attack, which targeted the Windows TrueType parsing vulnerability, could work on all Windows platforms at the time it was released. That exploit was publicly disclosed in 2011 in an analysis of the Duqu espionage Trojan.

For the most part, the exploits are unreliable and poorly written, he says.

“The only way that these crime packs seem to be able to get really good exploitation capabilities is if they are handed to them on a silver platter by some incredibly complicated and sophisticated APT group,” Guido said during his BruCon presentation.

The situation is much different from half a decade ago when the authors of major exploit packs would compete on having unique exploits for certain vulnerabilities in their software, says HD Moore, chief research officer at Rapid7, a vulnerability management firm. Now, once an exploit is publicly discussed, everyone jumps on developing a version of the attacks, he says.

“They need exploits from somewhere, and they might as well use the ones that are available,” Moore says. “There is no economic reason why they would go out of their way to build new exploits for what they are doing.”

[Windows XP machines six times more likely to be infected by malware than newer versions of the OS, according to new Microsoft Security Intelligence Report (SIR). See Microsoft Software, Overall Operating System Vulnerability Disclosures Rise.]

The data suggests that quashing the publication of exploit code could have a positive effect on the security of the software ecosystem. Yet, such approaches have already been tried and largely failed. While defenders have frequently sought to limit the access of criminals and bad actors to the tools needed to circumvent security measures–such as lock picks and knowledge of safe construction–software security will not likely benefit from such measures.

Software vulnerabilities are often discovered independently, suggesting that silencing the disclosure of a vulnerability and how to exploit the flaw would merely allow a bad actor more time to use an attack, says Darren Meyer, senior security researcher at Veracode, an application security firm.

“It is really important for the disclosure, or even the release of code, to be a possibility,” he says. “The legal restraint of that would be a very bad practice.”

In addition, attackers’ laziness can benefit defenders: The quick adoption of publicly available exploits by the creators of crime packs is also a weakness, says Brian Gorenc, manager of the Zero Day Initiative for HP Security Research.

“The key take away here is that a crime pack author’s strength is simultaneously one of its greatest weaknesses,” he said in an e-mail interview. “This predictability can give enterprises a leg up on defending their networks.”

In his presentation, Trail of Bits’ Guido found that a relatively small number of tactics could eliminate much of the risks of crime packs. Companies that opt for more modern platforms are much safer, he says.

“You have all this incremental work going into updating minor versions of applications,” he says. “But forget about that, spend the time on updating to the next major version, because then you get the new mitigations.”

Eliminating Java plugin from the enterprise and using a different browser to access internal resources than is used to surf the Web can also remove known dangers, he says.

Article source: http://www.darkreading.com/vulnerability/attackers-crib-exploit-code-but-net-bene/240163314

Anonymity is the enemy of privacy, says RSA grande fromage

RSA Europe 2013: A dogmatic allegiance to anonymity is threatening privacy, according to Art Coviello, executive chairman of RSA.

Coviello cast anonymity as the “enemy of privacy” because it gives “free reign to our networks to adversaries” with “no risk of discovery or prosecution.”


The head of EMC’s security division told delegates at the RSA Conference Europe that security and privacy need to be aligned like two poles of a magnet in a trusted environment for internet commerce to flourish.

An imbalance between privacy and security was causing customers to hold back on decisions to deploy Big Data technologies that could give them a much clearer picture of hacking attacks, Coviello claimed.

“Customers are caught in a Catch-22. They’re afraid to deploy technology for fear of violating workers’ privacy” even though security intelligence tools are ultimately the best way to protect personal information, Coviello argued.

The security leader’s remarks follow on from criticism at the same show last year that privacy concerns were hampering intelligence-sharing efforts. The combined pitch caused one French wag to note that there’s only one letter of difference between the NSA and RSA.

Mindful of such unflattering comparisons, Coviello admitted Big Data systems could be “misused”. He said: “Big Brother, ethics aside, will stifle innovation.”

Anonymising services and technologies that offer anonymity, such as the Tor network and VPNs, have been in the news recently because of law enforcement action and intelligence agency leaks. Coviello’s line was a controversial one to peddle to European audiences in the wake of the latest Snowden revelations, which put figures on the extent of NSA’s dragnet spying on the phone calls of French, German and Spanish citizens.

“Many privacy advocates hold the polar opposite view to Coviello, believing anonymity online is a fundamental ingredient for online privacy,” writes security consultant and blogger Dave Whitelegg. “Art’s perspective also highlights the difference in attitudes towards privacy harboured between the United States and Europe,” added Whitelegg. “The European Union was built on its citizens’ rights, including the right to privacy, a right the EU wishes to see exercised online, whereas the US view tends to be ‘privacy is dead’, believing the right to online privacy has been given up and the privacy fight lost.”

Less controversially, Coviello added that the security industry needs to act less like a police headquarters that simply responds to attacks and more like beat cops who know their environment and can recognise and respond to anomalies. Big Data technologies were key to moving away from a purely reactive security model to an intelligence-driven approach.

“When we understand the context of people’s ‘normal’ behaviour or how information flows on our networks, we can more clearly and quickly spot even a faint signal of any impending attack or intrusion,” Coviello explained. “This is what makes intelligence-driven security future-proof. It eliminates the need for prior knowledge of the attacker or their methods.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/29/coviello_keynote_rsa/

CylanceV Exposes Unknown Threats Lurking On Computers Worldwide

Irvine, CA – October 29, 2013 – Cylance, Inc., a global cybersecurity company, is reinventing the way companies think about security. The first to apply mathematical science to security in a scalable way, Cylance announced today the official worldwide release of CylanceV™, a new cloud and on-premise solution to find what others miss in detecting advanced malware.

CylanceV delivers a new threat detection model that instantly and mathematically determines what is safe and what is a threat in the broadening “grey list” spectrum of unknown data – without the use of signatures, heuristics, behavioral analysis, sandboxing detonation or micro-virtualization.

“One of the best approaches to security, ‘defense in depth,’ has produced one of the biggest problems in hunting down advanced threats today – an avalanche of information that blinds even the best security teams,” said Stuart McClure, Cylance CEO. “The security industry is handicapped by the notion that we need to see a threat before we can call it one. Cylance is proving that handicap unnecessary. While known white lists and black lists will always have their place to single out the known good and bad, they cannot keep up with the increasing volume of malware, nor the sophisticated nature of the advanced attacks and targeted threats like APTs.”

CylanceV categorizes files, applications, executables, services, drivers, libraries and others as “safe” or “threat” using sophisticated, patent-pending mathematical analysis. Traditional black lists identify only the known bad – attacks that are successful either in the real world or in a virtual sandbox environment. But this reactive approach requires both expert malware analysts and a victim, or “sacrificial lamb” – Cylance needs neither.

Typical white lists attempt to solve the problem the opposite way, by restricting acceptable files to only known good software providers like Microsoft or Adobe, but that is only a fraction of the publishers in the world. The vast majority of files in the world are unknown by the security industry, and therefore must be processed in some fashion to determine their maliciousness. This is the dynamically growing world of the “grey list.” CylanceV’s next generation, predictive modeling quickly processes and classifies those unknowns in milliseconds – almost instantly determining “safe” from “threat.”

Cylance’s Infinity™ fabric of highly intelligent, decision science in the cloud empowers CylanceV to quickly process large volumes of data at scale to improve the effectiveness of identifying modern day malware. By reducing the total amount of information that traditional security misses or cannot classify, CylanceV enables IT departments, incident response and forensics teams to save time, improve accuracy and reduce unnecessary investments required to stop and rectify the threat.

“The average organization gets millions of notices daily from its combined security infrastructure when it identifies malware, attacks and unusual behavior, making once highly valuable information now overwhelming for IT managers to process and impractical for today’s technology to determine,” said Glenn Chisholm, CTO of Cylance. “Finding that needle in the needle stack is what Cylance is all about. Processing the sea of unknowns manually is unsustainably tedious and impossible to stay ahead of, extending the time to discover breach compromise. Existing advanced malware technologies work to discover new threats, but their capability has financial and operational limits.”

CylanceV also makes smart solutions smarter by adding detection intelligence to what is good and what is bad, improving the efficiency and accuracy of security teams by identifying the true threats present in the “grey list.” Complementing existing security infrastructure, 3rd party technologies and home grown tools, like SIEMS, sandboxing and custom code, respectively, the combined solution improves the context surrounding suspicious activity. This helps security teams prioritize threat remediation actions.

In practice, Security Operations Centers (SOC) almost universally require integration with other analysis systems to provide context around the alerts received, as well as additional segmentation from CylanceV to help separate a legitimate incident or attack from a phantom or red herring. CylanceV allows any SOC to harness the power of Cylance’s Infinity to instantly determine whether a case needs to be opened and processed, saving thousands of dollars every year.

Additionally, with more impactful and time sensitive attacks, forensic and incident response personnel can use CylanceV and the real time connection to Cylance Infinity via a cloud API to send both hashes and/or files, in a secure way, for deep interrogation of what’s safe and what’s a threat.

Applying Science to Security

Infinity is a cloud-based, non-signature, non-heuristic and non-behavioral predictive analytics engine that couples advanced mathematical analysis and machine learning with data science modeling to make highly accurate decisions. Applied to cyber security, Infinity identifies advanced threats through “deep interrogation” of data, allowing true classification of good and bad. Cylance is the first to apply existing principles of algorithmic science (used today in high frequency trading, insurance and pharmaceuticals) to the world of security. Unlike traditional security infrastructure, Infinity has the intelligence to attribute features of disparate objects and never before seen elements into data that predictably qualifies that element into a threat or non-threat at accuracy far greater than what exists today.

Cylance first released Infinity in June 2013 with its launch of the free, public use beta of PrivateDETECT. This consumer grade endpoint offering uses Infinity as part of a weighted formula to detect and quarantine advanced threats and elements considered “bad” in real time. It supplements existing anti-virus to provide unparalleled security on the endpoint.

About Cylance, Inc.

Cylance is the first company to apply artificial intelligence, algorithmic science and machine learning to cyber security and improve the way companies, governments and end users proactively solve the world’s most difficult security problems. Using a breakthrough predictive modeling process, Cylance quickly and accurately identifies what is safe and what is a threat. By coupling sophisticated math and algorithms with a unique understanding of a hacker’s mentality, Cylance provides the technology and services to be truly predictive and preventive against advanced threats. www.cylance.com

Article source: http://www.darkreading.com/management/cylancev-exposes-unknown-threats-lurking/240163279

Avira Revamps Free Mac Security For OS X Mavericks

Tettnang, Germany — October 29, 2013 – Security expert Avira announced today a 2.0.1 version remake of its award-winning Avira Free Mac Security–now supporting the new Apple Mac OS X 10.9 (Mavericks) and sporting important new security features.

Central to the new version of Avira Free Mac Security, in addition to Mavericks support, is the ability to perform a quick scan of vulnerable directories on the computer even as the security software is being installed, which eliminates the possibility of an already-infected computer being able to thwart security software installation and detection systems. Moreover, Avira Free Mac Security retains its most popular features such as one-click repair, on-access scanning, and a Security Status screen where you can manage all your Mac’s security info in one spot. Another new feature is the ability to update both the product and the detection simultaneously, therefore ensuring that the application always provides the highest possible level of protection.

“Not quite a year ago, Avira was a new-comer to the Mac sector. But today we have an enormous customer base using our Mac antivirus and even more using our free Mobile Security product for iPhone and iPad,” said Travis Witteveen, CEO of Avira. “Our reputation for high detection rates and reliable security that ‘just works’ seems to resonate with Apple users. So we will continue to invest in developing more security features for Apple devices.”

Avira Free Mac Security, which recently earned the ‘Approved Security Product’ award by AV-Comparatives, is available now, for free, for English and German languages and works on any Mac running OS X 10.8 (Mountain Lion) or higher.

Links

Download Avira Free Mac Security 2.0.1: http://www.avira.com/en/for-business-avira-mac-b2b

Install Avira Mobile Security for iOS: https://itunes.apple.com/us/app/avira-mobile-security/id692893556?mt=8

Follow Avira’s TechBlog: http://techblog.avira.com/en

Find community, support and tips on Facebook: www.facebook.com/avira

Show us what else you would like Avira to protect through our Vine contest: http://tinyurl.com/lm34dl4

About Avira

More than 100 million consumers and small businesses depend upon Avira’s security expertise and award-winning antivirus software. Avira is ranked #1 in technology innovation according to ABI Research; recommended by Consumer Reports for its free antivirus software; cited by OPSWAT as the #1 fastest-growing antivirus vendor in 2012 and the #2 largest vendor worldwide in 2011; and has received a nearly unbroken string of Virus Bulletin VB100 awards for the past decade.

Article source: http://www.darkreading.com/management/avira-revamps-free-mac-security-for-os-x/240163280

Tufin Survey Reveals End-To-End Orchestration Of Network Security Policy Is "Essential For Business Agility"

CHATHAM, N.J. and LONDON, Oct. 29, 2013 /PRNewswire/ — Tufin Technologies, the leading provider of Security Policy Orchestration, today announced the results of a recent survey exploring the changing face of network security operations.

The Tufin survey reveals that C-level managers and IT professionals are tackling increasingly complex enterprise networks, with trends such as virtualization, IPv6 and the Cloud requiring more automation of network management. The research also demonstrates an ever-changing IT network with companies from financial services, telecom, technology and public sectors facing frequent network configuration changes, and suffering from human error and recurrent firewall outages. The research was conducted by ResearchNOW, which surveyed more than 500 C-level managers and senior IT professionals from companies of 1,000 or more in the US and the UK.

Key findings of the research include:

— End-to-end, coordinated security policy is vital: almost 9 out of 10 IT and business decision-makers felt that coordination of security policy across the entire network is “essential”.

— Network management moving towards automation: 67% of senior IT and decision-makers think security policy management across the network will become more automated over the next few years. Network configuration and server configuration are the IT areas most likely to become automated.

— Changing job roles impact Policy Management: 71% had to adopt new processes, learn new technologies and interact with new people because of trends like Cloud, IPv6 and virtualization. 55% report these new business initiatives require security’s input, and almost 1/3 report they require data from new stakeholders in order to design proper security policies.

— The Cloud makes a big impact: 50% of all respondents said the Cloud will have the most impact on network security in the short term. Other key areas are network operations applications, outsourcing and virtualization.

— Virtualization: Nearly half of respondents reported more than 50% of their network was virtualized.

— IPv6 is considered a big priority: 44% believe IPv6 is either important or very important to their network.

— Increasing network complexity: 56% said that system complexity was the number one root cause undermining and jeopardizing IT security efforts.

— Firewall outages are frequent: 33% of UK and US IT and business decision-makers said that their company had suffered five or more firewall-related outages in the last year – the equivalent of nearly one every other month. 17% of financial services companies reported 11 or more outages in the last 12 months.

— Human error is common: A quarter of UK and US businesses have had to re-do more than 60% of all firewall changes because they weren’t implemented correctly the first time.

“This research shows that network security has become too complex to manually manage, especially with the introduction of new technologies such as Cloud, virtualization and IPv6,” said Reuven Harrison, co-founder and CTO, Tufin. “The key to meeting these challenges is automation and orchestration which will increase IT agility while maintaining security and compliance across the network.”

Read the full report.

These findings align with Tufin’s expanded vision and rebranded solution set, announced last week. Version R13-3 of the Tufin Orchestration Suite(TM) reflects Tufin’s vision for Security Policy Orchestration, a new paradigm for automated implementation of network infrastructure changes across heterogeneous environments. Security Policy Orchestration goes beyond traditional configuration of individual firewalls. It improves operations between systems, integrates with different network security devices and enhances automation that enables network engineers to efficiently and accurately share policy data with new stakeholders.

For more on ‘Why you should care about Security Policy Orchestration’ please register for the upcoming webinar: https://www.brighttalk.com/r/DHs

About Tufin Technologies

Tufin is the leader in Security Policy Orchestration, automating and accelerating network infrastructure changes while maintaining security and compliance. By improving network change processes, organizations using the Tufin Orchestration Suite will have a positive impact on the business by reducing the time and cost spent implementing network changes by up to 80%. Taking a holistic view of IT, Tufin’s Orchestration Suite helps organizations automate security and efficiency into day-to-day operations, enabling them to be more agile and leverage technology to gain a competitive advantage.

Founded in 2005, Tufin serves more than 1,200 customers in industries from telecom and financial services to energy, transportation and pharmaceuticals.

Tufin partners with leading vendors including Check Point, Cisco, Juniper Networks, Palo Alto Networks, Fortinet, F5, Blue Coat, McAfee, Stonesoft and BMC Software, and is known for technological innovation and dedicated customer service.

For more information visit www.tufin.com, or follow Tufin on:

— Twitter: http://twitter.com/TufinTech

— Facebook: http://www.facebook.com/Tufintech

— LinkedIn: http://www.linkedin.com/companies/tufin-technologies

— BrightTalk: https://www.brighttalk.com/community/it-security/channel/9591

— YouTube: http://www.youtube.com/user/Tufintech

— The Tufin Blog: http://www.tufin.com/blog

Article source: http://www.darkreading.com/management/tufin-survey-reveals-end-to-end-orchestr/240163298

New RSA Security Brief Provides Road Map For Next Generation Security Operations

AMSTERDAM, Oct. 29, 2013 /PRNewswire/ — RSA CONFERENCE EUROPE 2013

News Summary:

— Expert consultants and security leaders from EMC, Raytheon and RSA assert that organizations large and small are recognizing they have a responsibility to improve their security posture not just for themselves but also for business and supply chain partners.

— Security consultants report more organizations are commissioning security assessments on a proactive basis, not just following a breach.

— RSA Security Brief highlights that basic security lapses still contribute to most security incidents.

— New report identifies top areas for improvement and provides practical guidance on measures that deliver the greatest impact on organizations’ ability to respond to cyber attacks and data breaches.

Full Story:

Authors of a new Security Brief released today by RSA, The Security Division of EMC (NYSE:EMC), titled “Taking Charge of Security in a Hyperconnected World” observe that more organizations are proactively improving their readiness for cyber threats. While concerns arise about the escalating threat environment, the report asserts that efforts to improve readiness and response capabilities are also driven by growing recognition among today’s interconnected business communities that organizations must assume broader responsibility for protecting themselves and their business partners.

Authors of the new RSA Security Brief also claim that most breaches today result from organizations stumbling on basic security practices. Common problems found to contribute to most breaches include:

— Neglecting “security hygiene” – In forensic evaluations following security attacks, missed software updates frequently surface as exploited vulnerabilities.

— Relying exclusively on traditional threat prevention and detection tools – Most security teams still wait for signature-based detection tools to identify problems rather than looking for more subtle indicators of compromise on their own, even though traditional firewalls, antivirus scanners and intrusion detection systems (IDS) cannot discover the truly serious problems.

— Mistaking compliance for good security – Most compliance mandates reflect best practices that should be interpreted as minimum standards, not sufficient levels, of security.

— Inadequate user training – Many companies don’t invest enough time and resources in user training, even though users today are the first line of defense against many cyber attacks.

The report’s authors–all seasoned security consultants and leaders of corporate security operations centers–recommend that organizations proactively undertake objective evaluations of their security posture. Such evaluations can generate hundreds of recommendations for improvement. The authors contend that in most cases, 20% of recommended improvements will typically account for 80% of potential security benefits.

Depending on the unique needs of each organization, identifying which recommendations will yield the greatest impact can prove challenging. To help organizations determine which potential security improvements to prioritize, the RSA Security Brief identifies and elaborates on eight recommendations that, in the authors’ experience, often deliver outsized positive results:

1. Conduct all-inclusive risk and security assessments

2. Locate and track high-value digital assets

3. Model threats and address top vulnerabilities

4. Master change management processes

5. Deploy security staff selectively and strategically

6. Integrate security processes and technologies to scale resources

7. Invest in threat intelligence capabilities

8. Quantify the impact of security investments

Executive Quotes

Art Coviello, Executive Chairman, RSA, The Security Division of EMC, Executive Vice President, EMC

“We believe organizations are taking a stronger interest in improving security not only to protect their information assets but also their business relationships. As more organizations take a broader community-minded view of their risks and security practices, information security will improve for all of us.”

Peter M. Tran, Senior Director, Advanced Cyber Defense Practice, RSA, The Security Division of EMC

“We see security assessments trending toward improvement and a more proactive approach. There’s recognition that when buyers or business partners get hacked, more and more organizations are making it a priority to evaluate the relative effectiveness of their cyber security programs.”

Dylan Owen, Cybersecurity Manager for Cybersecurity and Special Missions, Raytheon Company

“Attackers look for the easiest means of compromise. That’s why attacks are moving from more security-mature organizations down to less mature, typically smaller, partners. Attackers can exploit the trust relationships between companies to infiltrate well-protected targets through supply chain partners with less security experience.”

About RSA Security Briefs

RSA Security Briefs provide security leaders and risk management executives with essential guidance on today’s most pressing information security threats and opportunities. Each Brief is created by a select team of experts who connect experiences across organizations to share specialized knowledge on a critical security topic. Offering both big-picture insight and practical technology guidance, RSA Security Briefs are vital reading for today’s forward-thinking security and risk management practitioners.

Additional Resources:

— Download RSA Security Brief, “Taking Charge of Security in a Hyperconnected World”

— RSA Speaking of Security Blog: “Remedies for SOC Enterprise Amnesia”

— Connect with RSA via Twitter, Facebook, YouTube, LinkedIn and the RSA Speaking of Security Blog and Podcast

About RSA

RSA, The Security Division of EMC, is the premier provider of intelligence-driven security solutions. RSA helps the world’s leading organizations solve their most complex and sensitive security challenges: managing organizational risk, safeguarding mobile access and collaboration, preventing online fraud, and defending against advanced threats.

Combining agile controls for identity assurance, fraud detection, and data protection, robust Security Analytics and industry-leading GRC capabilities, and expert consulting and advisory services, RSA brings visibility and trust to millions of user identities, the data they create, the transactions they perform, and the IT infrastructure they rely on. For more information, please visit www.EMC.com/RSA.

Article source: http://www.darkreading.com/vulnerability/new-rsa-security-brief-provides-road-map/240163299