STE WILLIAMS

BullGuard Launches New Version Of Internet Security Software Suite

LONDON, October 15, 2013 /PRNewswire/ —

Elegantly simple interface for all levels of users, enhanced behavioural detection – and vulnerability detection, backups and tune-ups that run silently in the background with minimal impact on system resources

– Improved behavioural detection engine identifies new threats and prevents zero-day attacks*

– Enhanced user interface provides intuitive one-click functions for all features

– Updated backup, tune-up and vulnerability scanner for faster and more intuitive operation

– Silently runs in the background, identifying vulnerabilities and protecting with minimal impact on the system

– Basic and advanced modes for all levels of user expertise

– Free 24/7 support and free upgrades

BullGuard [http://www.bullguard.com ] a global leader in internet and mobile security, has today announced the release of the new version of BullGuard Internet Security [http://www.bullguard.com/products/bullguard-internet-security.aspx ], its most progressive and intuitive security suite to date.

(Photo: http://photos.prnewswire.com/prnh/20131015/647332 )

BullGuard Internet Security is designed to offer industry-leading protection, silent and efficient background operation and to appeal to any level of user ability.

Alex Balan, Head of Product Management, BullGuard, said: “It is our most advanced security suite yet, and one that offers a significantly improved degree of control and operation.”

Improved behavioural detection

Notable enhancements include advancements in the behavioural detection engine which can prevent zero-day malware threats. Additional tools include a smart-filter for safe browsing, an advanced firewall and protection against Advanced Persistent Threats (APTs) and Targeted Attacks.

An all-new user interface and improvements to usability mean that default functions for all the key tools in Internet Security are accessible with one click.

Further control is available directly through the main interface.

Easy to use

Importantly, BullGuard Internet Security is designed to be used by anyone, from the complete novice to those who like to retain full control over the minutiae of system security. A choice of basic or advanced setting displays ensures that unnecessary or unwanted functions are hidden from sight to simplify core operation for new users, while those who desire more advanced control will find access to an impressive level of fine-tuning.

Redesigned backup

BullGuard Internet Security retains the rich array of tools that go beyond core security, helping to make it the most complete solution for system protection and maintenance on the market. A 5GB Backup module has been redesigned from the ground up so users can easily create a backup of a file or folder that is regularly synchronised with BullGuard’s servers.

Silent and efficient background scans

Before installation begins, the software scans a system for potential threats and eliminates any detected malware to ensure a system is clean. The installation process is streamlined to require virtually no user interaction.

When installed, BullGuard Internet Security regularly scans a system and performs automatic maintenance tasks such as vulnerability detection, backup and tune-up quietly in the background without using up valuable system resources or interrupting the user.

Building on a strong reputation

Balan adds: “As ever, we’ve placed a strong focus on ensuring that our excellent reputation in the security market remains intact by revising and improving core security. We’ve also further improved usability by ensuring that the majority of tasks can be set to run in the background, with as little user interaction and impact on system resources as possible. In short, once installation is complete a user can let it do its job with minimal interaction.”

Improving on its predecessors wasn’t easy. Over the last four years BullGuard has never missed a Virus Bulletin VB100 award. We also consistently score in the top three, in tests by independent assessors AV-TEST Lab and AV-Comparatives.

In addition to the improvements, all of the regular tools BullGuard Internet Security users have come to expect are present, including a powerful Spamfilter, advanced parental controls, a game mode and free 24/7 support for help with any of the software’s features or advice on threats and general security issues.

New BullGuard Internet Security is available for GBP44.95 for up to three users, with free upgrades to new versions. For more information visit http://www.bullguard.com.

* Zero-day attacks are new types of malware that have just been created and as a result their ‘signature’ is not yet known. At a general level they are difficult to protect against because they haven’t yet been identified which means many computers are potentially vulnerable.

About BullGuard:

Launched in 2002, BullGuard is one of the fastest growing internet and mobile security brands. Today, its product portfolio also includes award-winning antivirus, premium 24/7 protection suite, web-based identity and social media protection that works across all devices, as well as PC and mobile backup software solutions. BullGuard’s philosophy has always remained the same – to combine technical excellence with a genuine understanding of consumer needs, creating simple, easy-to-use products that deliver complete protection, and to enable customers to control and manage their digital footprint.

For two consecutive years (January 2012 and 2013), BullGuard Internet Security has won a coveted “Best Buy” award from Which?. BullGuard Internet Security comes with an award-winning Antivirus program, Parental Control and Online Backup for your most valued files and precious photos.

Article source: http://www.darkreading.com/applications/bullguard-launches-new-version-of-intern/240162678

Information Security Forum World Congress Coming November 3

PARIS – October 16, 2013 – The Information Security Forum (ISF), a global, independent information security body considered the world’s leading authority on cyber security and information risk management, will be hosting its 24th Annual World Congress in Paris, France, November 3-5 at the Marriott Rive Gauche. More than 750 security experts are expected to attend and discuss the key security challenges and opportunities that member companies and businesses are facing. Key topics of discussion include cyber-security, data privacy in the cloud, supply chain security, big data and mobile devices in the workplace.

“The ISF World Congress is our annual, global flagship event which offers attendees the opportunity to discuss and find solutions to today’s most important security challenges and gain practical advice from peers and leading industry experts from around the world,” said Michael de Crespigny, CEO of the ISF. “Organizations recognize the substantial benefits the ISF brings to its Member companies and our annual World Congress has become the place where the major players in the industry convene to meet and exchange ideas in a relaxed and intimate location.”

The ISF Annual World Congress has a series of keynote presentations, workshops and networking sessions, which provide participants with the opportunity to share knowledge, best practices and thought leadership in a confidential peer-group environment. Attendees will hear from world-renowned experts, learn from key industry players and gain insight into the latest ISF projects.

The Master of Ceremonies for this year’s event is Dr. Gary McGraw, CTO of Cigital. Notable sessions include:

Bruce Schneier – “Information Security – Where Next?”

Bruce Schneier is an internationally renowned security technologist, cryptographer, computer security and privacy specialist and author of several books on general security topics, computer security and cryptography. He is also a contributing writer for The Guardian news organization. Described by The Economist as “a security guru,” Schneier is best known as a refreshingly candid and lucid security critic and commentator. He has testified before Congress, is a frequent guest on television and radio, served on several government technical committees and is regularly quoted in the press. Schneier is also a fellow at the Berkman Center for Internet Society at Harvard Law School and a program fellow at the New America Foundation’s Open Technology Institute.

Sir Ranulph Fiennes – “There is No Success Without Risk”

After a career in the British Army and Special Air Service (SAS), Sir Ranulph Fiennes led The Transglobe Expedition which was the only expedition to complete a circumpolar navigation of the world, traversing both of the poles using only surface transport. Starting in 1979 (from Greenwich in the UK), they arrived at the South Pole on December 17, 1980 and the North Pole on April 11, 1982, returning on August 29, 1982. This is a feat that nobody has managed to complete since. In 1992 Fiennes found the lost city of Iram in Oman. In 2000, he attempted to walk solo and unsupported to the North Pole but had to abandon the attempt after his sleds fell through the ice and he was forced to pull them out by hand, suffering severe frostbite. Despite undergoing a triple heart bypass surgery just four months earlier in 2003, Fiennes completed seven marathons, on seven continents, in just seven days. In 2009, he climbed the North Face of the Eiger and in 2012 reached the summit of Mount Everest.

Donna Dodson – “The Cyber Security Framework”

Donna Dodson is the Division Chief of the Computer Security Division and Deputy Cyber Security Advisor at the National Institute of Standards and Technology (NIST) in the United States. Dodson oversees the NIST’s cyber security program to conduct research, development and outreach necessary to provide standards, guidelines, tools, metrics and practices to protect the information and communication infrastructure. The Computer Security Division plays a role in both national and international security standards setting. Dodson recently received the Federal 100 Award and has been awarded the United States Department of Commerce’s Gold and Bronze Medal Awards.

Bruce Dickinson – “Becoming Strategically Important Through Innovation and Creativity”

Bruce Dickinson is the lead singer of Iron Maiden, a position he has held for 31 years including a sabbatical of six years during which he worked as a commercial pilot and became Marketing Director of Astraeus Airlines. In 2012, he founded Cardiff Aviation which specializes in the heavy maintenance of Airbus and Boeing commercial aircraft. He is also involved in a venture that has a contract to develop surveillance air ships for the US Army and is setting up a training company, Real World Aviation, that provides training to commercial pilots. In 2013, Dickinson developed his own brand of beer, Trooper, distributed by Robinson’s Brewery. He is passionate about Fencing (he has competed internationally representing Great Britain), Railway Technology, Aviation (he still flies the Iron Maiden Boeing 757, Ed Force One) and thinking creatively about business whilst looking for the next opportunity.

For the fourth consecutive year, the ISF is opening its doors to a select number of non-member organizations. This world class platform offers the opportunity to interact and build peer-to-peer relationships with senior global decision-makers and share in the ISF experience. For more information on the Congress, or for further details on any aspect of the ISF, please contact Steve Durbin at [email protected].

About the Information Security Forum

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organizations and developed through an extensive research and work program. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

Further information about ISF research and membership is available from www.securityforum.org

Article source: http://www.darkreading.com/information-security-forum-world-congres/240162679

How to remove your face from Google’s upcoming Shared Endorsement ads

Image: Eric Schmidt, by Guillaume Paumier, CC-BY.

Some Google users who don’t want their faces used to pimp bagel shops (or spas, or Nexus 7, or whatever ads Google can squeeze money out of) are replacing their photos with one of Executive Chairman Eric Schmidt.

The backlash – the scope of which could be tiny, for all I know, given that news of it apparently comes solely from a retweet by Daring Fireball’s John Gruber – apparently is in reaction to Google’s announcement that it will take users’ profile pictures, names, photos and product reviews, as harvested from Google+, and plug them into advertisements.

Google is calling the planned advertisements Shared Endorsements.

Google announced new Terms of Service that will go live on 11 November which explain that it will use content in this way.

On top of our images, Google will also display reviews of restaurants, shops and products, as well as songs and other content reviewed or bought on the Google Play store, when our friends and connections search on Google.

Google adverts

Of course, the move is a no-brainer for Google.

The company’s revenues come almost entirely – reportedly 96% in 2012, and 97% in 2011 – from advertising.

Google doesn’t make any bones about it. The company said in an annual report from 2012, “We generate revenue primarily by delivering relevant, cost-effective online advertising.”

The move is identical to Facebook’s Sponsored Stories boondoggle, with one exception: It’s looking to not be a boondoggle. Google is doing it right.

Namely, Google is offering users a way to opt out, and that will in all likelihood sidestep the legal swamp that Facebook fell into over Sponsored Stories.

For its part, Facebook paid out $20 million in a personal ads class action lawsuit settlement in August 2013, and another $10 million to settle a lawsuit in 2012.

Antagonising Google by swapping a profile photo for Schmidt’s may feel like fun, in-your-FACE-Google! hijinks, but the chances that Google will roll back the tasty revenue source are approximately, in rounded percentage points, “hahahahahaha!”

It’s likely that the only way to opt out is to opt out.

Here’s how to opt out of Google’s Shared Endorsements:

  1. Sign into your Google account. If you’re in the process of setting up an account, finish that first, then come back.
  2. Go to the Shared Endorsements setting page. If you’re not already a Google+ user, you will be asked to upgrade your account.
  3. Toward the bottom, you’ll see a checkbox that says “Based on my activity, Google may show my name and profile photo in shared endorsements that appear in ads.”
  4. Uncheck it and click Save to opt out of the new program.

Google will grab at your ankle to try to drag you back into advertising land, but one extra click saying “Yes, I do, in fact, want to unpeel my mug from your advertisements” won’t kill us, I suppose.

Image of Eric Schmidt courtesy of Guillaume Paumier, CC-BY via Wikimedia Commons

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hj_GQUbbqeg/

D-Link router flaw lets anyone login through “Joel’s Backdoor”

Members of the embedded systems hacker collective /dev/ttys0 spend their time playing around with devices like home routers and set-top boxes.

They like to see what interesting facts these devices’ proprietary hardware and firmware might reveal.

Part of the hackers’ motivation is to get the devices to do things that the vendor may not have bothered to implement, thus improving their functionality.

And why not, if it’s your device that you bought outright with your own money?

But hacking on embedded systems can also help to improve security, or at least help others to avoid insecurity, by revealing and helping to fix potentially exploitable vulnerabilities that might otherwise lie dormant for years.

Indeed, in recent times, we’ve written repeatedly about security problems in consumer embedded devices.

We had a botnet that unlawfully mapped the internet by jumping around from router to router and taking measurements without permission.

We described a flaw that allowed attackers to force your router to open up its administration interface to the internet, something you would never normally do.

We’ve talked about how the Wi-Fi Protected Setup (WPS) feature, intended to improve security, typically makes your wireless access point easier to break into.

And we wrote up a widespread flaw in the way that many routers implement a popular system known as Universal Plug and Play (UPnP).

UPnP is a protocol that is supposed to make it easier to configure your system correctly, but may instead leave you open to the world.

You can probably guess where this is going: another security hole.

This one was found in the firmware of a number of D-Link routers – the author suggests at least the models DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240.

I’ll skip the details – you should read the original author’s analysis, since he did the hard yards to identify the flaw – and cut to the almost unbelievable conclusion.

If you browse to any page on the administration interface with your browser’s User Agent (UA) string set to a peculiar, hard-wired value, the router doesn’t bother to ask for a password.

→ Browsers send a User Agent string in the headers of every HTTP request. This is a handy, if clumsy, way to help web servers cater to the programmatic peccadillos of each browser.

Let’s be perfectly clear what this means: these routers have a hardwired master key that lets anyone in through an unsupervised back door.

“What is this string,” I hear you ask?

You will laugh: it is xmlset_roodkcableoj28840ybtide.

Geddit?

Ignore the xmlset, which probably just means “Configure Extensible Markup Language (XML) setting.”

Flip round the part after the underscore, in reversible-rock-music style, to get the hidden message:

Edit by 04882 Joel: Backdoor.

Can you believe it?

If you tell your browser to identify itself as Joel’s backdoor, instead of (say) as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you’re in without authentication.

Fortunately, the administration interface isn’t accessible from the internet-facing port of these routers by default, which limits the exploitability of this vulnerability.

(If you have one of these models, check right now that you can’t access the management interface directly from the outside!)

This is a shabby feature to put in any product, let alone in a router that aims to provide at least some additional security.

It begs the question, “Why have Joel’s code there at all?”

A good guess is that the backdoor probably wasn’t put there to enable illicit surveillance, or for any other nefarious purpose, but as a favour to special-purpose D-Link software, so it could make configuration tweaks without needing a password.

Or it was put in to save time in development and debugging, but never taken out again.

Sadly for the world, though, 04882 Joel made it easy for anyone at all to make configuration tweaks without needing a password.

For the second time this year, we’d therefore like to say, “Hardwired passwords were a design blunder back in the 1970s. In the 2010s, they are simply unacceptable, so never succumb to the temptation to include them in your code.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8PhKkFq2XeA/

Yahoo (finally!) to make SSL encryption the default for webmail

Yahoo has confirmed it will finally enable encryption by default for its web-based email starting on 8 January 2014, according to The Washington Post – one year to the day after it rolled out the option of protecting users’ webmail privacy with HTTPS.

Its webmail brethren have been way ahead of Yahoo for years now.

Google offered SSL as an option for webmail in July 2008 and made it the default setting in January 2010.

Microsoft followed, offering HTTPS as an option for Hotmail in November 2010 and switching to default during Hotmail’s rebranding to Outlook.com in July 2012.

Facebook made secure web browsing a default for US users in November 2012 and for all users worldwide (well, except if they use certain mobile phones and carriers that don’t fully support HTTPS) in July 2013.

As we noted when Yahoo first made secure browsing available, without full-session HTTPS turned on, anybody on your WiFi network could read any of the emails you write and receive, by using a tool like Firesheep, as they’re transmitted from Yahoo to your browser.

Does Yahoo’s head-scratching lateness still entail greatness?

As The Register’s Neil McAllister points out, recent revelations about the work of the US’s National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ) to decipher SSL-encrypted communications means that Yahoo’s decision to switch to default HTTPS might not only be “very late” but also “very little.”

But then again, NSA secret leaker Edward Snowden himself confirmed in a Q&A with Guardian readers in June that encryption works if properly implemented.

In fact, Snowden said, properly implemented, strong crypto systems are “one of the few things that you can rely on”, although, he added, the NSA can frequently find ways around it as a result of weak security on the computers at either end of the communication.

As Yahoo said in the email statement sent to The Washington Post:

Yahoo takes the security of our users very seriously.

Let’s hope it means business.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/T7InAAATFUE/

Snowden: Americans, NSA hits YOU in the WALLET – have I got your attention now?


The National Security Agency is hurting the US economy with its “dragnet” surveillance, says uber-leaker Edward Snowden.

Snowden made his remarks at an event in Russia last week, footage of which surfaced on Monday. He also alleged, via The Washington Post, that the NSA has been slurping the contents of some 250 million electronic address books a year.


“These [surveillance] programs don’t make us more safe. They hurt our economy. They hurt our country. They limit our ability to speak and think and to live and be creative, to have relationships, to associate freely,” said Snowden, who has been accused of aiding terrorists and America’s enemies. The footage of his speech appeared on Democracy Now.

One such program is a scheme that sees the secretive agency collect the contact books associated with widely used email services, such as Hotmail and Gmail, and instant-messaging clients such as Yahoo! Messenger, according to The Washington Post on Monday.

The agency grabs this data as it passes over major internet transit points, so it does not need to slurp it from internal Google or Yahoo! servers and therefore doesn’t need to make an official request for the information.

Major web providers are thought to have added SSL encryption to their services in response to programs like this, but there is evidence the NSA has been trying to smash internet encryption by performing man-in-the-middle attacks using compromised cryptographic certificates.

Though the NSA insists that American citizens are not specifically targeted, it does proactively collect network traffic from numerous international arteries, such as submarine cables connecting up continents. If traffic passes through these inspection points, then the agency slurps the data indiscriminately.

“The assumption is you’re not a U.S. person,” one spy source told The Washington Post. As Reg readers know, this is a rather strange way to view intercepted communications.

Snowden said: “There’s a far cry between legal programs, legitimate spying, legitimate law enforcement, where it’s targeted, it’s based on reasonable suspicion and individualized suspicion and warranted action, and sort of dragnet mass surveillance that puts entire populations under sort of an eye that sees everything, even when it’s not needed.”

We imagine the NSA would bridle at this description, given the shadowy organization’s recent claim that it isn’t spying on digital interactions, rather it is “seeking to understand online communication tools technologies”.

Just as Uncle Sam’s spooks are trying to understand what we do online, Snowden says in his speech that he felt compelled to leak the information on the programs so citizens can do the same.

“If we can’t understand the policies and programs of our government, we cannot grant our consent in regulating them,” he said. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/15/snowden_nsa_snooping_hurts_our_economy/

WhatsApp crypto snafu drops trou on users’ privates


Mobile messaging service WhatsApp came in for criticism over the robustness of its cryptography last week after a fix for a January security snafu was slammed for not being robust enough.

Back at the beginning of the year WhatsApp was investigated in Canada and the Netherlands for indefinitely retaining users’ email address book data that it snaffled when they joined the service.


It was also criticised for generating cryptographic keys from data such as a mobile phone’s IMEI (International Mobile Equipment Identity) number or its network MAC (Media Access Control) address.

The IMEI number is programmed into a mobile phone during the manufacturing process. Under certain circumstances it can be broadcast in clear text messages from a phone. MAC addresses are a terrible choice for passwords because every network packet carries the MAC address within it.

WhatsApp revised its encryption in the wake of these criticisms. However, a review of the fix by Dutch mathematics and computer science student Thijs Alkemade has revealed that WhatsApp’s approach, while improved, remains deeply flawed.

WhatsApp generates a session key that it uses to initialise a stream cipher. But the same cipher stream is used for both outgoing and incoming messages.

This is a cryptographic mistake akin to using a one-time pad more than once, which creates serious security shortcomings in the system, as Sophos security researcher Paul Ducklin explains:

“A stream cipher works as a pseudorandom number generator, emitting an unpredictable string of bytes that you XOR with the plaintext to encrypt,” Ducklin writes on Sophos’ Naked Security blog. “In other words, you mustn’t use the same string of bytes to encrypt anything else, because that would make it predictable, and that is a cryptographic disaster.”

“A stream cipher works like a pseudo one time pad. A crypto-system that relies on a string of hardware random numbers to create an unbreakable cipher if – and only if – the pad is used just once,” he added.

In addition, WhatsApp uses the cryptographically flawed RC4 cipher instead of more robust alternatives.

The upshot is that, as things stand at the time of writing, anyone capable of eavesdropping on your WhatsApp connection would also be able to decrypt messages with minimal difficulty.
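To make the “one-time pad used twice” point concrete, here is an added example (not code from the article, from WhatsApp or from Alkemade’s analysis). It uses a toy keystream generator, SHA-256 in counter mode, as a stand-in for whatever stream cipher is in play; RC4 is deliberately not reimplemented, and nothing here reflects WhatsApp’s actual code. The first half reproduces the flaw described above: one session key, one keystream, both directions. Because ciphertext is plaintext XOR keystream, XOR-ing the outgoing and incoming ciphertexts cancels the keystream and leaves the XOR of the two plaintexts, so knowing (or guessing) one message reveals the other at the same byte positions. The second half shows the usual fix: derive a separate key per direction from the session key with HMAC, so the two keystreams are unrelated. The session key, the messages and the direction labels are constructed for the example.

```python
import hashlib
import hmac


def keystream(key, length):
    """Toy keystream generator: SHA-256 in counter mode. A stand-in PRF used only
    to illustrate the reuse problem; it is neither RC4 nor WhatsApp's cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key, plaintext):
    """Stream-cipher encryption: plaintext XOR keystream. Decryption is the same call."""
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


# --- The flawed design: one session key, one keystream, both directions ---

def flawed_session(session_key, outgoing, incoming):
    """Both directions encrypted under the same keystream, as the article describes."""
    c_out = stream_encrypt(session_key, outgoing)
    c_in = stream_encrypt(session_key, incoming)
    return c_out, c_in


def recover_with_crib(c_out, c_in, known_plaintext):
    """What an eavesdropper who knows one message learns about the other when the
    keystream was reused: c_out XOR c_in == p_out XOR p_in, so XOR-ing in the known
    message yields the other message's bytes at the same positions."""
    return xor_bytes(xor_bytes(c_out, c_in), known_plaintext)


# --- The fix: a distinct key per direction, derived from the session key ---

def direction_key(session_key, label):
    """Derive a per-direction key with HMAC-SHA256; the labels are constructed here."""
    return hmac.new(session_key, label, hashlib.sha256).digest()


def fixed_session(session_key, outgoing, incoming):
    """Each direction gets its own keystream, so XOR-ing the ciphertexts cancels nothing."""
    c_out = stream_encrypt(direction_key(session_key, b"client-to-server"), outgoing)
    c_in = stream_encrypt(direction_key(session_key, b"server-to-client"), incoming)
    return c_out, c_in


# Constructed sample session (not real keys or traffic).
SESSION_KEY = b"constructed-example-session-key!"
OUTGOING = b"Meet me at the station at nine."
INCOMING = b"OK, I will bring the documents."

if __name__ == "__main__":
    c_out, c_in = flawed_session(SESSION_KEY, OUTGOING, INCOMING)
    print("reused keystream:", recover_with_crib(c_out, c_in, OUTGOING))
    c_out, c_in = fixed_session(SESSION_KEY, OUTGOING, INCOMING)
    print("per-direction keys:", recover_with_crib(c_out, c_in, OUTGOING))
```

Even the fixed version only addresses the reuse problem the article raises; a real protocol would still need authenticated encryption and a fresh session key per connection, which is why the researcher’s suggestion is to use an established protocol rather than repair this one piecemeal.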

Ducklin advises WhatsApp users only to use the service for messages they are happy to be considered public until a more robust encryption scheme is introduced.

Alkemade, the Dutch researcher who created a buzz in the security community by publicising the flaws last week, suggests that WhatsApp should use Transport Layer Security, or TLS – the same end-to-end encryption used by secure websites.

Michael Sutton, director of security research at Zscaler, criticised WhatsApp for basic cryptographic mistakes.

“WhatsApp made a very basic error when implementing their message encryption by leveraging the same encryption key for both incoming and outgoing messages,” Sutton said. “While compromise of the flaw is not simple, it is quite possible and as such, WhatsApp communication cannot be considered secure until this issue is addressed. It is not yet clear if the implementation flaw is uniform across all WhatsApp implementations but for now, all implementations should be considered insecure.”

The Register forwarded these criticisms to WhatsApp last week, inviting it to comment. We are yet to hear back. So it’s unclear whether or not WhatsApp acknowledges that there’s a problem, much less how and when it might deliver a fix.

A successful social engineering attack last week against domain name firm Network Solutions, used by WhatsApp, meant that the messaging app was one of a number of firms to suffer a DNS hijack attack in turn. Surfers attempting to visit its site were redirected to a pro-Palestinian propaganda website instead.

While that particular problem was resolved within hours on Tuesday, the crypto problem may take a far greater effort to resolve. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/15/whatsapp_crypto_snafu/

Rejiggering IT Security Budgets For Better Perimeter And Systems Control

As is the case in any other business, IT security leaders must contend with finite resources and as a result they must depend on smart decisions about where to target their budget to ensure they leave as few gaps as possible. The only problem, one which security folk have dealt with for years, is that they tend to be seduced by the latest innovation over the fundamental management tools necessary to implement enough control over network and system infrastructure to properly manage their risks.

“When it comes to security budget, security organizations are very much like my children: they want to buy whatever they’ve seen last and is shiny and new and promises unbelievable results,” says Alan Shimel, managing partner of The CISO Group. “A serious dose of pragmatism and maybe just a little maturity would go a long way.”

Shimel says he’s written about it and stomped his feet until blue in the face, mostly to no avail. It’s a trend that Eric Cowperthwaite, former CISO of Providence Health and Services and now vice president of advanced security and strategy for CORE Security, has seen unfold time and again.

[Your organization’s been breached. Now what? See Establishing The New Normal After A Breach.]

“All too often the spending is on things that will provide for compliance with laws and regulations or that are glitzy and sexy and in the trade news a lot,” he says, explaining that an organization may make big investments in next-generation firewalls or a huge single-sign on system while failing to attend to simple tasks like patch management or configuration management on their systems. “We see organizations being exploited by social engineering and the compromise of systems that were not patched, even though the vulnerability was known for weeks, even months.”

On the network side, network change management and firewall rules management fall squarely within this “blue-collar, meat-and-potatoes” kind of security management market, Shimel says; “it’s just not as sexy to the guy who is looking for the security flux capacitor.”

These kinds of management tools that offer more network controls and enable policy orchestration are foundational, but may be a budgetary afterthought. And the more they’re back-burnered, potentially the harder it will be politically to add them in after the fact. As Shimel explains, if an organization spends several million over the course of two to three years to pick up next generation firewalls and update traditional firewalls, coming in after that is over and asking for another half a million dollars for firewall management to keep the rules properly configured on those systems may anger the CFO or CIO.

But as IT organizations adopt more iterative devops processes that require changing the network more frequently than ever, and as they start to dive into projects such as software-defined networking to make the network more dynamic, they may well be forced to bake security and change management into the budget cycle much earlier in the process, says Jody Brazil, president and CTO of firewall management firm FireMon.

“All of these great things get spun up at the click of a button within minutes of saying go and then either the access doesn’t exist, the access control systems aren’t in place,” says Brazil, “or the reverse–access is automatically allowed but now you don’t have scanning set up to run against this new system or the IPS isn’t configured in tune for the fact this is a new application.”

Brazil believes that as organizations are dragged into this more “operational world” of networking, security management is getting thrust front and center. He believes there could be a tide shifting, as he’s seen clients begin to worry more about those security management needs first before sparing change for those shiny new toys. For example, he mentions a customer in the federal space that is engaging his company before putting in a new slate of network security tools and next generation firewalls, so the agency can lay the groundwork for day-to-day controls first.

“Security management is becoming part of that budget conversation,” he says. “Whereas we often used to get brought in after the fact, they’re starting with management and saying ‘Let’s get this figured out first, then we’ll worry about expanding the rest of the infrastructure.’”


Article source: http://www.darkreading.com/perimeter/rejiggering-it-security-budgets-for-bett/240162636

CipherCloud Delivers Searchable Strong Encryption

SAN JOSE, Calif., Oct. 14, 2013 – Today, CipherCloud, the leader in cloud information protection, has delivered groundbreaking techniques to improve the searchability, usability and security of cloud data protected with AES 256-bit encryption. Through these breakthrough advancements, the company continues to extend its technical leadership in cloud information protection by combining the highest levels of security and usability available.

This Searchable Strong Encryption (SSE) solution comes at a time when companies and government agencies are moving increased amounts of information into the cloud, while seeking to proactively protect their sensitive data from breaches, hackers, cyber warfare attacks and forced disclosures. Since its founding in 2010, CipherCloud has led the industry in innovation through developing the most advanced security techniques to protect information in the cloud.

CipherCloud provides organizations with the ability to strongly encrypt their sensitive information in real time before it’s sent to the cloud, and to exclusively retain their encryption keys. The solution also enables organizations to comply with government regulations and industry mandates including GLBA, PCI, HIPAA and HITECH, the EU Data Protection Act, UK ICO guidance, the Australian Privacy Amendment Act and US state privacy laws.

“Business users demand security to be transparent,” said Pravin Kothari, founder and CEO of CipherCloud. “Applying strong encryption, AES 256-bit, to data while keeping it entirely searchable has been a long-standing challenge. CipherCloud has now raised the bar by enabling the full usability of encrypted data in the cloud, without compromising security or performance.”

CipherCloud delivers full protection of an organization’s structured and unstructured information in popular cloud applications including salesforce.com, Box, Microsoft Office 365, Google Gmail, Amazon Web Services and many more. Additionally, CipherCloud for Any App and CipherCloud for Databases enable organizations to extend data protection to hundreds of third-party cloud and private cloud applications and databases.

“Compliance for sensitive data frequently requires the use of encryption when it is sent across public communication networks,” said Brian Lowans, Principal Research Analyst at Gartner. “In fact, this should be considered as standard practice for all cloud-based applications accessed via public networks to avoid eavesdropping.”[1]

CipherCloud’s SSE technology leverages its gateway architecture to provide secure local index and search operations while sending the strongly encrypted data to the cloud and protecting it from all external threats. This solution enables natural language, wild cards and Boolean searches of AES 256-bit encrypted data. Other available techniques on the market lack searchability or require complex deployments of local databases or rely only on partial data encryption. CipherCloud’s solution now combines the highest levels of usability and security.

CipherCloud’s Searchable Strong Encryption (SSE) key capabilities include:

Comprehensive Protection Platform – Delivers advanced searching of strongly encrypted data while preserving security, usability and performance. The platform provides the ability to select a preferred protection scheme for each individual field for maximum security and usability.

Advanced Intuitive Search – Supports flexible search terms, such as “starts with,” “ends with,” wild cards, natural language matching and Boolean phrases, compatible with today’s Internet search conventions.

Strong AES 256-bit Encryption – Delivers AES 256-bit encryption, the highest commercially available level of encryption with unlimited initialization vectors to maximize randomness.

Robust Key Management – Provides enterprise key management capabilities in compliance with NIST SP 800-57 standards. Multiple key storage options enable keys to be stored securely on the CipherCloud platform or separately on a KMIP-compliant key management server.

FIPS Certification – CipherCloud is the only vendor in the cloud information protection market that has completed certification testing by an independent NIST-certified testing lab as part of the FIPS 140-2 certification process.

High-performance Scalable Architecture – Delivers near zero latency while supporting the largest number of companies and government agencies with demanding throughput requirements. Over 2 million users are protected across 14 countries.

[1] Gartner Report, “Tackle Six Security Issues Before Encrypting Data in the Cloud,” March 9, 2013

About CipherCloud

CipherCloud, the leader in cloud information protection, enables organizations to securely adopt cloud applications by overcoming data privacy, residency, security, and regulatory compliance risks. CipherCloud delivers an open platform with comprehensive security controls, including AES 256-bit encryption, tokenization, cloud data loss prevention, cloud malware detection and activity monitoring. CipherCloud’s groundbreaking technology protects sensitive information in real time, before it is sent to the cloud, while preserving application usability and functionality.

CipherCloud has experienced exceptional growth and success with over 2 million business users, more than 250 million customer records, in over 10 industries, and with marquee customers around the globe.

The CipherCloud product portfolio protects popular cloud applications out-of-the-box such as salesforce.com, Box, Google Gmail, Microsoft Office 365, and Amazon Web Services. Additionally, CipherCloud for Any App and CipherCloud for Databases enable organizations to extend data protection to hundreds of third-party cloud and private cloud applications and databases.

CipherCloud, named as SC Magazine’s 2013 Best Product of the Year, is backed by premier venture capital firms Andreessen Horowitz, Index Ventures, and T-Venture, the venture capital arm of Deutsche Telekom. For more information, visit www.ciphercloud.com and follow us on Twitter @ciphercloud.

Article source: http://www.darkreading.com/authentication/ciphercloud-delivers-searchable-strong-e/240162639

ITADSecurity Offers Free WatchDog SnapShot For Combating Corporate Rogue Devices

Natick, MA – October 9, 2013 – ITADSecurity, Inc., a developer of enterprise-wide IT asset discovery and inventory management solutions, today announced a free offering of its WatchDog SnapShot service to provide enterprise-wide visibility into devices evading detection on company networks–including smartphones, tablets, laptops and PCs. With SnapShot, organizations can better mitigate the risk of potential data breaches while also reducing the unnecessary costs of recurring monthly service and license fees for lost, stolen, missing and otherwise forgotten devices by clearly identifying these troublesome unaccounted-for “zombie” assets.

Victoria Barber, research director at Gartner, wrote, “Organizations frequently lose valuable assets when staff or contractors leave their employment. Without proper controls, significant financial liabilities and losses can go unmanaged. Investigating changes in the status of managed devices often uncovers process failures that allow assets and data to be lost to the organization.”

The free WatchDog SnapShot service collects a one-time comprehensive inventory of an organization’s data-bearing devices. Raw data is collected and analyzed. Once complete, the user will receive actionable reports allowing them to take the appropriate next steps to reconcile inactive devices on the network, devices with known security flaws that may need upgrading, dormant devices that are still incurring licensing fees and devices that have not been properly data-wiped.

Statistics show that, at any given time, 10% to 15% of an organization’s PCs and mobile endpoints are dormant but still accruing license and operating expenses, according to Amtel. When unaccounted for over prolonged periods, these zombie devices expose organizations to many forms of risk including potential security breaches, unnecessary spending and missed opportunities to maximize the value of the asset. Studies indicate a majority of data breaches are not cyber-attacks, but rather are related to zombie devices.

“Companies continue to invest in mobile endpoint technologies, yet risk for zombies grows due to the difficulty of managing the rapidly expanding IT infrastructure,” said Robert Rinaldi, co-founder and CEO of ITADSecurity. “Allowing zombie devices to exist on the network is much more dangerous than many companies realize. Just last month, a Midwest healthcare organization lost four desktops, containing four million patient records. The impact is estimated to cost over $100 million in fines, legal fees, credit counseling and lost revenue.”

Roger Marino, co-founder of EMC (NYSE: EMC) and founding member of ITADSecurity’s Board of Directors, said, “Today, device mishandling and data breaches account for more financial loss than cyber-attacks. Correct asset management will reduce data breach risk, while at the same time increase the value recovered from retired assets. WatchDog SnapShot provides the data required to accomplish this.”

WatchDog Snapshot allows users to reduce both expense and risk while also addressing e-waste disposal and sustainability concerns. These issues are not just of concern on a domestic level; companies around the globe face the threat of zombie devices while also grappling with differing privacy and security mandates regionally.

“In Europe, data security mandates are amongst the most punitive,” Steve Mellings, founder of ADISA, relates. “Corporate IT often focuses almost exclusively on the downstream external ITAD processes to try to manage the risk of displaced equipment, but we see some of the greatest vulnerabilities sitting inside the business itself. We advocate device data collection at the very point of decommission as being the key starting point in managing the chain of custody for retired IT and telecommunications equipment.”

Now through December 31, 2013, users can initiate the secure, free WatchDog SnapShot service simply by entering minimal corporate contact information at http://itadsecurity.com/snapshot/. Instructions on how to proceed will be returned immediately by email. ITADSecurity is a certified partner in the Secured by RSA program and an e-Stewards Enterprise.

About ITADSecurity, Inc.

Founded in 2011, ITADSecurity develops enterprise-wide data-bearing device discovery, ITAD process management and continuous monitoring solutions. ITADSecurity leverages existing tools such as SCCM and ActiveSync to make them more effective, providing a closed loop, cradle-to-grave automated management of zombie devices. The company’s WatchDog cloud-based platform and associated services deliver IT asset visibility and automated intelligence to organizations of all sizes and in all industries.

Article source: http://www.darkreading.com/perimeter/itadsecurity-offers-free-watchdog-snapsh/240162622