STE WILLIAMS

Establishing The New Normal After A Breach

As embarrassing and costly as a big data breach may be for an organization, many security professionals will tell you that this kind of incident may be good news in the long run for the risk posture of the business. Sometimes even after numerous warnings from security and risk advisors, the only way for senior managers to sit up and pay attention to a set of risks is to have an incident from that risk detailed blow by blow in the business press.

“Once an organization has gone through all that pain, they’re forever changed,” says Lucas Zaichkowsky, an enterprise defense architect at AccessData. “Your whole outlook changes.”

For all of the problems that breaches bring, they also present a learning opportunity and potential for developing better processes that improve the day-to-day effectiveness of IT security. But that growth can only occur if organizations spend the time to do a thorough analysis of the event to find the fundamental risk factors that contributed to a compromise.

“If you haven’t taken the time to figure out what’s wrong in your program or your technology, then it’s pretty natural that it’s going to happen again,” says Vinnie Liu, managing partner for security consulting firm Bishop Fox.


Unfortunately, some organizations today tend to engage in a whack-a-mole brand of incident response, responding to breaches and malware outbreaks only by cleaning up the systems affected by the incidents but never delving into root causes, says James Phillippe, leader of threat and vulnerability services for the U.S. at Ernst & Young. Meanwhile, he says, “the root cause–weak network controls, poor user education, weak policies, or perhaps improper architecture configurations–will persist.”

On the other end of the spectrum, many organizations recognize that they can’t simply clean up systems after a breach and carry on as before, but because they react quickly without analyzing why things went wrong, they end up wasting a lot of money. And then they still end up breached again.

“I think a lot of recidivism stems from the knee-jerk reactions,” Liu says. “You see something wrong, you buy a bunch of tools, you drop them in place, and you think you’re safe.”

This is why leveraging a breach for more executive buy-in, budget and meaningful change requires that you use the event “in a balanced manner, not in a panic attack,” says Robert Stroud, international vice president of ISACA.

Once a thorough post-mortem is done, he recommends either using an existing risk model or developing a new one and running the operational and financial impacts of the breach outcome through that model to understand how that changes risk calculations. From there, an organization can more clearly understand if they only need to change a few controls, or if they need to make a major overhaul in security processes.

“More often than not, we see organizations go, ‘Hey, we’ve got to do something about that, let’s just do it,’ and they start executing immediately,” Stroud says. “Organizations will go without any assessment, spend significant money on potential vulnerability without any understanding of the business impact or risk exposure, potentially costing their business significant money. It might be more money than the risk itself.”

As the experts have explained, establishing the new normal following a breach is going to take post-mortem analysis, and it’s also going to require changing risk models. But more significantly, it is going to involve sustained investment. The cost of upping the security game is easy to overlook amid all of the more picayune line items of breach response, but process improvement should be part of the overall response budget once a breach has come to light.

“People talk about overlooking the cost of credit monitoring, reporting, fees and things like that,” Liu says. “But from what we’ve seen, I think some of the biggest investments that have to be made over the long term following a breach are for changing process.”


Article source: http://www.darkreading.com/attacks-breaches/establishing-the-new-normal-after-a-brea/240161897

Fixating on the Edges

As security folks, we’re trained to look for holes: to identify threat vectors that could result in successful attacks and/or data loss. We need to go through the mental exercises (and sometimes real-life pen tests) to feel good that we’re doing our best to meet our charter and protect our information. But at times this mindset can lead even experienced folks down dark alleys, resulting in getting wrapped up in what I’ll call “edge cases.” You know, fixating on our inability to stop 5% of the attacks, while losing sight of the 95% of attacks you are far more likely to see.

I wish this epiphany was my idea, but per usual it’s because I spend a bunch of time talking to really smart folks kind enough to share their wisdom and perspectives to benefit the rest of us. As I was facilitating a meeting of 20+ CISOs earlier this week, one of the attendees made the point that we (as a business) get so wrapped up in blocking “all” the attacks that we lose sight of the fact that it’s not possible to block all the attacks. We want to give a thumbs down to something because there are very random and difficult ways to exploit it.

We’ve seen this over and over again, and as I noted in my last column, some folks have a vested interest in dousing the flames of a new and hot innovative technology. Security research correctly focuses on whether something can be broken and how, not necessarily on how scalable or practical an attack is.

To illustrate my point, let’s revisit the attack the CCC published which showed how to beat TouchID with a 3D mold of a fingerprint captured from the device. From the article: “Essentially, CCC researchers demonstrated that an attacker with physical access to the phone could take a picture or scan the fingerprints of the device’s owner and use that to create a mold of the fingerprint to launch an attack.”

Good thing you got that MakerBot and have a stack of photo-sensitive PCB material lying around, right? Let’s be realistic about the value of that device. Are there launch codes on it? Does it possess the combination to the ten-ton lock guarding Fort Knox? The map to the Holy Grail? There would have to be something similarly valuable to warrant producing a 3D mold to gain access to a phone.

It’s like I tell my kids after they get a bunch of money for their birthday: “Just because you have the money doesn’t mean you should spend all of the money.” Same goes for security. Just because an attack is possible, it doesn’t mean it’s probable. And we, as an industry, get wrapped up in newfangled ways to defend against the improbable.

Ultimately security, like everything else, involves making a bet. You are betting your job that you’ve got the right people, processes and technologies in place to protect your critical devices and information. To be clear, that’s a bad bet — but it’s the only bet you have. To maximize your likelihood of success and minimize the need to start a job search, you need to play the odds. That means you may have to consciously decide to leave the edge cases unprotected, while making sure you can stop the most probable attacks.

Of course, it’s more art than science to figure out which of those attacks are most probable. But that’s another story for another day. Just keep in mind that if the attack you read about in this here fine publication requires a MakerBot, or a can of dry ice, or an oscilloscope, or a soldering iron, plus physical access to the device, then you can address that risk once you get all of the likely attacks you’ll face mitigated. Which is basically the day before never.

Mike Rothman is President of Securosis and author of The Pragmatic CSO

Article source: http://www.darkreading.com/vulnerability/fixating-on-the-edges/240161884

Data-stealing botnets found in major data brokers’ servers

A “small but very potent” botnet run by an identity theft service has tentacles reaching into computers at some of the country’s largest consumer and business data aggregators, security journalist Brian Krebs has revealed following a seven-month investigation.

The service, which sells the Social Security numbers, birth records, credit and background reports of millions of US residents, has for the past two years run at ssndob[dot]ms (Krebs calls it simply SSNDOB, and I’ll follow suit).

SSNDOB markets itself on underground cybercrime forums as “a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident”, Krebs writes, charging from 50 cents to $2.50 per record and from $5 to $15 for credit and background checks.

The transactions are carried out mostly via largely unregulated and anonymous virtual currencies, including Bitcoin and WebMoney.

The source of SSNDOB’s data remained a mystery until earlier this summer, when the service was attacked and its database raided.

The alleged attackers – teenage hackers apparently associated with the hacktivist group UGNazi – pilfered personal information for celebrities including Beyonce, Kanye West, Jay-Z, First Lady Michelle Obama, CIA Director John Brennan, and then-FBI Director Robert Mueller.

They then exposed the data on exposed.su.

Exposed.su – which has apparently been taken down – is a site on the .su (Soviet Union) top-level domain that lists SSNs, birthdays, phone numbers, and current and previous addresses for dozens of top celebrities, Krebs says.

KrebsOnSecurity.com obtained and reviewed the database that the hackers stole from SSNDOB.

Analysis of the networks, network activity and credentials used by SSNDOB administrators eventually revealed that they were running a botnet – i.e., a network of hacked computers that they could remotely control to carry out their dirty work.

Two of the hacked servers belonged to LexisNexis, which maintains a massive database of legal and public records-related information.

LexisNexis confirmed to Krebs that the two systems listed in an interface for the botnet – both public-facing LexisNexis servers – had been compromised, while the botnet’s dashboard indicates that the infection was planted as far back as 10 April 2013.

Two more compromised servers were located inside the networks of Dun & Bradstreet, a data aggregator that licenses information on businesses and corporations for use in credit decisions, business-to-business marketing and supply chain management, Krebs writes.

The botnet administration panel shows the Dun & Bradstreet machines as having been infected at least as far back as 27 March 2013.

A fifth server on the botnet was located at internet addresses assigned to Kroll Background America, a company that provides employment background, drug and health screening, Krebs reports.

The company has since been taken over by HireRight, a background-checking firm managed by Altegrity, a holding company that owns both the Kroll and HireRight properties.

The Kroll/HireRight machine’s takeover extends back to at least June 2013.

LexisNexis confirmed to Krebs that its servers did in fact appear to have been compromised starting in April but that the company didn’t find any evidence that “customer or consumer data were reached or retrieved” from the breached systems. It’s still investigating the breach.

For its part, Dun & Bradstreet said that it’s investigating, but it gave no further details. Altegrity declined to confirm or deny the apparent breaches.

The FBI confirmed to Krebs that it’s “aware of and investigating this case” but declined to comment further except to say that the investigation is ongoing.

Beyond PII

Beyond the potential loss of personally identifiable information (PII) that can be used to perpetrate identity theft, something far more valuable is at stake, fraud experts told Krebs.

Namely, the breached firms hold massive amounts of data about consumers’ and businesses’ habits and practices – the data behind what the industry calls knowledge-based authentication (KBA), which is used to judge how likely it is that a given credit application is valid or fraudulent, mostly based on how accurately an applicant answers a set of questions about their financial and consumer history, Krebs writes.

Avivah Litan, a fraud analyst with Gartner, told Krebs that KBA has become “the gold standard of authentication” among nearly all credit-granting institutions:

Let’s say you’re trying to move money via online bank transfer, or apply for a new line of credit… There are about 100 questions and answers that companies like LexisNexis store on all of us, such as, “What was your previous address?” or “Which company services your mortgage?”

They also have a bunch of bogus questions that they can serve up to see if you really are who you say you are.

Litan says that Dun & Bradstreet does more or less the same thing for businesses.

Paradoxically and problematically, the people who fail to answer some of the questions are likely the legitimate applicants who don’t remember the answers, Litan said, whereas the criminals are the ones breezing through, since they have the data right at hand.

She told Krebs this story, heard from a fellow fraud analyst who had the chance to eavesdrop when a mortgage lender was asking KBA questions of a credit applicant who was later determined to have been a crook:

The woman on the phone was asking the applicant, “Hey, what is the amount of your last mortgage payment?”, and you could hear the guy on the other line saying hold on a minute… and you could hear him clicking through page after page for the right questions.

In fact, Litan told Krebs, the death knell is likely tolling for KBA.

That’s probably a good thing, given that she and others have been saying for years that the major KBA providers have been compromised.

The problem, she says, is that we just don’t have any good alternatives that are easy to implement. We lack a sufficient software alternative.

Nor are there biometric identifiers ready to be rolled out for use by the entire US population at this point, and perhaps there never will be.

As always, Krebs’ report is thorough and fascinating, so please do give it a read. He offers tons more detail on the investigation, including, for example, the finding that the identity theft service has served more than 1.02 million unique Social Security numbers to customers and nearly 3.1 million date of birth records since its inception in early 2012.

What he doesn’t offer, of course, is an alternative to the KBA on which these data brokers rely.

That’s a problem that needs time and serious work to figure out, Litan has written.

In the meantime, she says, service providers must be made aware that they can’t count on “the veracity and reliability of the process to indeed authenticate the ‘right’ and legitimate individual.”

One stark example of this that received much media attention was that of Mat Honan, the journalist whose Twitter account went berserk and whose devices were wiped after a fraudster called up Apple support and tricked them into handing over control of his iCloud account in August 2012.

How do you defend against such knowledge-dependent attacks?

It’s hard, as Paul Ducklin notes in his writing about Honan.

KBA attacks seem to be harder still, given the wealth of information to be stolen from data brokers.

Entrepreneurs, there’s a big, fat, potentially very profitable business opportunity waiting for you.

Oh, and while Cybersecurity Awareness Month in the US doesn’t start until next week, there’s no reason to delay getting rid of potential zombies (bot infections) on your own computer.

Remember that while this botnet is particularly valuable to the crooks because the infected computers are inside networks with juicy content, any zombified computer is a usable and useful tool for cybercriminals.

Be part of the solution, not part of the problem!

Sophos Anti-Virus on all platforms detects and blocks the various components of this malware as Troj/Delf-FPW.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xBdiNe-5Vyk/

“Mailbox” app on iPads and iPhones runs JavaScript from emails – vulnerability or feature?

Italian computer scientist Michele Spagnuolo recently wrote about what he considered a security issue in Dropbox’s popular iPhone and iPad email app Mailbox.

His report is extremely simple to describe: the Mailbox app runs any JavaScript that appears in the content of an HTML email.

And that’s the long and short of it.

Spagnuolo has street cred as a security researcher, including a recent Google reward of $3133.7 (he won the larger sum of $5000 the month before that, though it doesn’t sound so cool), but not everyone seems happy about his “vulnerability.”

Over on self-styled alpha geek technology website Ars Technica, Spagnuolo has had a bit of a hammering from some commenters.

They’re saying, “So what?”

Almost every web page, like almost every email, is in HTML, and web sites are packed with JavaScript – in fact, JavaScript was developed to jazz up HTML, and the modern web simply wouldn’t work without it.

We know there are risks, notably that JavaScript makes it easy for cybercrooks to hide malicious content in web pages so that it springs into play only at the last possible moment.

→ Malicious JavaScript is often heavily obfuscated (deeply and cunningly disguised) so that while it is in transit across the internet, it looks like shredded cabbage. When loaded into, and executed by, your browser, it unscrambles itself to produce or download more malevolent content. This often includes additional scripts, which may themselves be heavily obfuscated, and so on.

But no-one is reporting JavaScript as a vulnerability to the browser makers.

Sure, some of us like and use tools like NoScript that heavily regulate the execution of JavaScript while we browse, but we’re not seriously suggesting that JavaScript be banned outright from all web pages.

Imagine if you banned JavaScript. No Facebook! No Outlook.com! No interactive doodles on Google! No YouTube!

Therefore, the naysayers are confronting Spagnuolo with remarks along the lines of, “Sensationalist claptrap. This is not a vulnerability. This is Web 2.0. Nothing to see here. Move on.”

The fact is, however, that few, if any, modern email clients execute JavaScript in email, at least not by default.

Even webmail sites, which rely utterly on JavaScript in their own web pages, suppress JavaScript inside the emails they display for you.

And, do you know what?

Spagnuolo is right, and so is that almost-unanimous majority of email software: JavaScript in email shouldn’t be executed, and that’s that.

So now the question is, “Why?”

Why should we consider JavaScript unexceptional in web pages, but dangerous in the body of an email?

I was interested to know what various experts and educators thought, so I set about looking and asking around.

Here’s colleague and fellow Naked Security writer Mark Stockley on the issue:

I think context is everything. Email is reading something on your computer whereas using the web is more like reading something on somebody else’s computer. They’re functionally no different but I think the underlying mental models are very different. The difference between the mental model and reality is a gap into which security problems can sprout.

Stephen Chapman, advisor and educator, writing on About.com:

With web pages it is the person browsing the web who decides which web pages that they visit… With emails it is the sender who has the most control over what emails are sent and the recipient has less control. Because emails that we don’t want can get through our spam filter we want the emails that we do see to be made as harmless as we can.

And an anonymous commenter on Quora.com, replying to someone who had asked that very same “Why?”:

I think it’s simply that people don’t want more interactive emails. Most person-to-person email is text-based: other than maybe some HTML formatting, people send email to each other via written paragraphs, maybe with a picture attachment or two… Since email is pushed onto the user, it makes sense that the content being pushed is as unintrusive as possible.

There are other important reasons, too.

Perhaps the most significant is what browsers call the same origin policy.

This basically says that a script may read data only from the origin (scheme, host and port) of the page it is running in. It can still cause requests to be sent elsewhere, but it can’t read the responses, cookies or page contents that belong to another origin.

By this restriction, for example, scripts on your favourite social networking site can’t see or use the session cookies set by your webmail client, nor read the messages displayed in its pages, even when both sites are open in the same browser.

But how would you decide the “same origin” for an email you’d received?

How would you usefully limit the behaviour of JavaScript inside an email body, short of limiting it completely by not executing it at all?

For webmail, the same origin policy is even trickier: if you allowed JavaScript in email, cybercriminals would be able to inherit the origin of your webmail domain in scripts they sent in from anywhere, which would be a security disaster.

Dropbox, to whom the Mailbox.app belongs, seems to agree, albeit with some reservations: this morning, the company announced that it would strip out JavaScript before delivering emails to mobile devices.

[T]oday we implemented a process that strips javascript from messages before delivering them to mobile devices.

That’s one security measure, of course, but it’s nowhere near as good as adapting your app so it refuses to execute JavaScript altogether, just in case some JavaScript does get through your scrubbing filters.

→ This reasoning, defence in depth, is why running an email spam filter to strip malicious attachments isn’t a substitute for endpoint anti-virus, but a complement to it. To be fair: Dropbox may be planning a two-pronged fix, but updating an app on the App Store is not an instantaneous process.

Sadly, when Spagnuolo went to validate Dropbox’s claims, he found that although JavaScript is supposed to be scrubbed, the filters could easily be bypassed.

And, since the Mailbox app still runs JavaScript if it doesn’t get filtered out, we’re back to Step One.
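To make the gap between “strip the JavaScript” and “never execute it” concrete, here is an added example (my own illustration, not code from the article, from Spagnuolo, or from Dropbox’s Mailbox filter, whose details aren’t public). It puts a hurried tag-deleting filter beside an allow-list sanitiser that rebuilds the markup from a short list of permitted tags and attributes, and runs both over a few constructed messages, three of them classic bypasses of the first kind of filter. The tag list, the attribute list and the sample messages are assumptions for the demo.

```javascript
// Added example, not code from the article, Dropbox or Mailbox. All markup
// below is constructed for the demo. Tag/attribute lists are assumed.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "blockquote"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };

// The hurried fix: delete <script> and </script> tags and hope.
function naiveStripScript(html) {
  return html.replace(/<\/?script\b[^>]*>/gi, "");
}

// Rough detector used only to score the two approaches (not a defence): a
// script tag, an on* handler, or "javascript:" once the whitespace and control
// characters that browsers ignore inside a scheme have been squeezed out.
function hasActiveContent(html) {
  const squeezed = html.replace(/[\x00-\x20]/g, "");
  return /<script\b/i.test(html) || /\son[a-z]+\s*=/i.test(html) || /javascript:/i.test(squeezed);
}

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Only http(s) and mailto links survive. The scheme is checked after stripping
// the characters browsers skip, so "java\tscript:" is rejected too.
function safeHref(raw) {
  const value = raw.replace(/[\x00-\x20]/g, "");
  return /^(https?|mailto):/i.test(value) ? value : null;
}

// A well-formed tag: name, optional quoted/unquoted attributes, optional "/".
// Anything at a "<" that does not match this is rendered as literal text.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[a-zA-Z][a-zA-Z0-9-]*(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?)*)\s*(\/?)>/y;
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
const COMMENT_RE = /<!--[\s\S]*?-->/y;

// Allow-list sanitiser: the output is rebuilt from scratch and can only contain
// allowed tags, allowed attributes with vetted values, and escaped text.
// (It does not balance tags; that is a layout concern, not a script one.)
function sanitizeEmailHtml(html) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    COMMENT_RE.lastIndex = lt;
    if (COMMENT_RE.test(html)) { i = COMMENT_RE.lastIndex; continue; } // comments dropped entirely
    TAG_RE.lastIndex = lt;
    const m = TAG_RE.exec(html);
    if (!m) { out += "&lt;"; i = lt + 1; continue; }                  // malformed "<": show it as text
    i = TAG_RE.lastIndex;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;                             // unknown tag: drop it, keep its text
    if (closing) { out += `</${name}>`; continue; }
    let attrs = "";
    const allowed = ALLOWED_ATTRS[name];
    if (allowed) {
      for (const a of m[3].matchAll(ATTR_RE)) {
        const attr = a[1].toLowerCase();
        if (!allowed.has(attr)) continue;                              // on*, style, target, ...: gone
        const raw = a[2] ?? a[3] ?? a[4] ?? "";
        const value = attr === "href" ? safeHref(raw) : raw;
        if (value !== null) attrs += ` ${attr}="${escapeText(value)}"`;
      }
    }
    out += `<${name}${attrs}>`;
  }
  return out;
}

// Constructed messages: one benign, then three classic bypasses of tag stripping.
const SAMPLES = [
  '<p>See <a href="https://example.com/reset?token=abc" target="_blank">this</a></p>',
  '<img src=x onerror="alert(1)">',
  '<a href="java\tscript:alert(1)">x</a>',
  '<scr<script>ipt>alert(1)</scr</script>ipt>',
];

// Per sample: did each approach leave executable content behind?
function compare(samples = SAMPLES) {
  return samples.map((html) => ({
    naiveStillActive: hasActiveContent(naiveStripScript(html)),
    allowListStillActive: hasActiveContent(sanitizeEmailHtml(html)),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const html of SAMPLES) {
    console.log(JSON.stringify({ html, naive: naiveStripScript(html), allowList: sanitizeEmailHtml(html) }));
  }
  console.table(compare());
}
```

Run it with node; compare() reports, per sample, whether each approach left executable content behind. The point of the allow-list design is that nothing reaches the output unless it was positively recognised, so a bypass has to defeat the parser rather than the pattern list. Even that isn’t the end of the story, which is the article’s point: the renderer should also refuse to execute script, so that a sanitiser bug isn’t a script-execution bug.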

By the way, my opinion is that I don’t want JavaScript to run at all in my email client, so I agree with Mr Spagnuolo.

What do you think? Is this a vulnerability of sorts? Or a fuss about nothing?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/4JsMH05tMKM/

Apple releases iOS 7.0.2 – swiftly squashing two lockscreen bugs

Apple has shown an open pair of ears and a lively pair of heels in dealing with two lockscreen bugs that it introduced with iOS 7.

Well done, Cupertino!

(To all hardcore Apple fans reading this: that’s not irony. I really mean it.)

The fruity company has just released iOS 7.0.2, fixing the following:

Apple isn’t saying too much about the first hole, letting on neither how it came about nor what needed fixing.

But the company has been reasonably frank in revealing what caused the second vulnerability:

A NULL dereference existed in the lock screen which would cause it to restart if the emergency call button was tapped repeatedly. While the lock screen was restarting, the call dialer could not get the lock screen state and assumed the device was unlocked, and so allowed non-emergency numbers to be dialed. This issue was addressed by avoiding the NULL dereference.

There are three interesting issues buried in here, and it’s probably worth glancing at all of them.

NULL dereferences

Firstly, translating into English, a NULL dereference, also known as a null pointer error, is a particular kind of memory-management bug: the program uses a pointer that holds no valid address.

When you ask the operating system to reserve a block of memory for your program to use, it typically hands you back the actual memory address you’ve been given, as a numerical value.

If you use the wrong address things will usually break; the operating system may or may not notice, and may or may not be able to do something about it.

It’s a common sort of bug to get the address wrong by a small amount – an off-by-one error or, more generally, a buffer overflow, where you overshoot or undershoot the block you were given, possibly only by a single byte.

It’s also a common sort of bug to access some utterly improbable memory address, by completely messing up the pointer variable where the address is stored.

→ A stored address is known as a pointer, because it points at a memory location. That is about as close to “literary” as programming terminology gets.

And it’s also surprisingly common to try to access memory location zero, because any operating system that takes security seriously zeroes memory pages before handing them to a program, so global variables and freshly allocated memory start out containing zero, and a pointer that was never set will usually contain zero as well.

That’s a consistent way of making sure that a new program doesn’t see data left over in memory from a previous one. (Local variables and reused heap blocks get no such guarantee, which is why compilers warn about using them before they are initialised.)

A memory address, or pointer, that has the value zero is a NULL pointer, and any attempt to use it is a NULL dereference.

Most operating systems, therefore, deliberately ensure that memory address zero is off limits to all programs, and always trigger an error if anyone tries to access it.

This handily and automatically catches null pointer errors, at least those that land in the unmapped region around address zero rather than at some large offset from it, as happened here.

Of course, it’s almost impossible to determine what the programmer intended – who knows what memory location was supposed to be used instead?

So the operating system has little choice but to terminate any program that dereferences a null pointer.

Race conditions

Secondly, the interaction between the restarting lockscreen and the call dialling software is what’s known as a race condition.

There’s a point at which the call dialler checks the state of the lockscreen.

If the restarting lockscreen wins the race, and fires up before the dialler gets there, everything works fine; if the dialler wins the race, the lockscreen can’t tell the dialler what it needs to know.

Race conditions can be very hard to debug because they often occur only under unusual or contrived circumstances, as happened here.

(In this case, you can argue that Apple should make other software wait while the lockscreen is restarting, because of the key security function it performs.)

Failing open

Thirdly, the fact that the dialler assumes the best if it can’t query the lock screen status is a fail open situation.

Fail open can be desirable and correct, even if some aspects of security are reduced: that’s why electrically-operated security doors are typically held locked shut by the presence of power, so a power failure will release the lock and ensure the doors can be opened to let you escape.

(In this case, you can argue that Apple should code things to fail closed: if the lockscreen software doesn’t know or can’t tell you whether the phone is locked or unlocked, treat it as locked, for security’s sake.)
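The three failure modes come together in the dialler’s decision, and the fail-open versus fail-closed choice is a one-line difference. The following is an added example of that decision in code (an illustration, not Apple’s code; the emergency-number list, the phone numbers and the crash/restart simulation are constructed for the demo): a lock screen whose state query returns “unknown” while it is restarting, and two dialler policies run over the same sequence of events.

```javascript
// Added example, not Apple's code. Emergency numbers and the crash/restart
// sequence are constructed for the demo.
const LOCK_STATE = Object.freeze({ LOCKED: "locked", UNLOCKED: "unlocked", UNKNOWN: "unknown" });
const EMERGENCY_NUMBERS = new Set(["112", "911", "999"]); // assumed list

class LockScreen {
  constructor() { this.locked = true; this.restarting = false; }
  crash() { this.restarting = true; }               // e.g. a NULL dereference: state unavailable
  recover() { this.restarting = false; this.locked = true; }
  unlock() { this.locked = false; }
  // Three-valued answer: a caller that collapses UNKNOWN into one of the
  // other two has chosen a failure mode, whether it meant to or not.
  query() {
    if (this.restarting) return LOCK_STATE.UNKNOWN;
    return this.locked ? LOCK_STATE.LOCKED : LOCK_STATE.UNLOCKED;
  }
}

function isEmergency(number) {
  return EMERGENCY_NUMBERS.has(number.replace(/[\s-]/g, ""));
}

// The buggy policy: anything that is not a definite "locked" counts as unlocked.
function mayDialFailOpen(lockScreen, number) {
  if (isEmergency(number)) return true;
  return lockScreen.query() !== LOCK_STATE.LOCKED;
}

// The fixed policy: only a definite "unlocked" permits a non-emergency call.
function mayDialFailClosed(lockScreen, number) {
  if (isEmergency(number)) return true;
  return lockScreen.query() === LOCK_STATE.UNLOCKED;
}

// Run one policy through the same sequence of events; returns the decisions.
function simulate(policy) {
  const ls = new LockScreen();
  const decisions = [];
  decisions.push(policy(ls, "+1 555 0100")); // locked: must be false
  decisions.push(policy(ls, "911"));         // locked, emergency: must be true
  ls.crash();                                // repeated taps -> crash -> restart
  decisions.push(policy(ls, "+1 555 0100")); // the race window: state unknown
  ls.recover();
  decisions.push(policy(ls, "+1 555 0100")); // locked again: false
  ls.unlock();
  decisions.push(policy(ls, "+1 555 0100")); // genuinely unlocked: true
  return decisions;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("fail open:  ", simulate(mayDialFailOpen));
  console.log("fail closed:", simulate(mayDialFailClosed));
}
```

simulate(mayDialFailOpen) lets the non-emergency call through during the restart window; simulate(mayDialFailClosed) does not, and both still allow the emergency number in every state, which is the property the lock screen actually has to preserve.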

What to do?

You don’t need to know anything that I just told you about pointers, races and failure modes.

Just apply this patch.

Don’t listen to what the hardcore Apple fans might have said, in commenting on our earlier articles, about these not really being bugs “because all you have to do is not lose your phone.”

A locked phone should be locked.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gLQcYk6m3eM/

Gartner Survey Says Many Organizations Fear Their Privacy Activities Are Insufficient

Egham, UK, 25 September, 2013 — The perceived level of maturity attached to organizations’ privacy activities has decreased since 2011, as many organizations deem their existing privacy activities to be inadequate, according to a survey by Gartner, Inc. The survey found that 43% of organizations have a comprehensive privacy management program in place, while 7% admitted to “doing the bare minimum” regarding privacy laws.

“More than a third of organizations still ‘consider privacy aspects in an ad hoc fashion’ and it is surprising that so many companies are saying that they are not conducting privacy impact assessments before major projects. Sixty-two percent do not scan websites and applications, or conduct an organization-wide privacy audit every year. Organizations must put these activities on their to-do list for 2014,” said Carsten Casper, research vice president at Gartner.

These results are based on 221 respondent organizations surveyed in April and May 2013 in the U.S., Canada, the U.K. and Germany that are responsible for privacy, IT risk management, information security, business continuity or regulatory compliance activities.

“Organizations continue to invest more in privacy due to ongoing public attention and a number of new or anticipated legal requirements,” said Mr. Casper. “They also show that previous investments have not always paid off and that organizations need to refocus their privacy efforts if they want to raise the maturity level of their privacy programs back to that of 2011.”

Mr. Casper added that many organizations are looking to boost their privacy activities through increased staffing and budgets to initiate comprehensive privacy programs to deal with cloud, mobile, big data and social computing challenges. Creating the right staffing model is crucial to the long-term success of privacy programs and central to that is the role of a privacy officer.

“Gartner’s consistent observation is that privacy programs are only successful if someone is driving them. Almost 90% of organizations now have at least one person responsible for privacy. However, having privacy programs that are owned by this individual is still not the norm,” said Mr. Casper. “Only 66% of survey respondents said they have a defined privacy officer role – although the number is as high as 85% in Germany and similar countries where this role is a legal requirement.”

Mr. Casper added that a privacy officer should have broad expertise and solid relationship management and communication skills, because they must monitor a variety of (sometimes conflicting) business and IT requirements and collaborate with different internal and external business functions. In larger organizations, privacy officers will not only require a budget and a team, their success is also dependent on support from senior management.

Fortunately, it seems that the need to address privacy concerns more decisively is already being reflected in the amount of investment by organizations. Thirty two percent of survey respondents said that their organizations have increased privacy-related staff from 2012 to 2013 — the most significant increase since Gartner started its privacy surveys in 2008.

Once the right team is in place, businesses must prioritize privacy programs as the number one objective. This will enable effective monitoring of privacy-related performance and allow suitable adjustments to processes and technologies, particularly for data masking, encryption, data storage and document retention.

The handling of personal information for employees, customers and citizens tops the list of requirements respondents believe should be included in a privacy program. Some organizations — concerned about violating domestic privacy laws and the risk to their reputations — do not store personal data in locations where it can be seized by foreign authorities or is at great risk from cyber attacks. However, central global storage of personal data is becoming increasingly widespread. For the first time this year, more organizations stored their customer data in a central global place rather than in a regional or local data center, which was the dominant model previously.

The survey found that 38% of organizations transform personal data before transmitting it abroad (with masking, encryption or similar), thus keeping sensitive data local while allowing some functionality abroad. This is the preferred option compared to domestic storage (29%), remote storage with only local access (27%) and a focus on legal protection (22%).

“When storing and accessing personal data, organizations face a number of options. They can store data locally or in a low-cost country, allow access to domestic or remote staff, use a provider for application management or for infrastructure management, or implement legal and technical controls, such as data masking, tokenization and encryption,” said Mr. Casper. “There is no right or wrong answer. Organizations have to decide which type of risk they want to mitigate, how much money they want to spend and how much residual risk they are willing to accept.”

Privacy trends and strategies will be discussed in more detail at Gartner Symposium/ITxpo 2013.

About Gartner Symposium/ITxpo

Gartner Symposium/ITxpo is the world’s most important gathering of CIOs and senior IT executives. This event delivers independent and objective content with the authority and weight of the world’s leading IT research and advisory organization, and provides access to the latest solutions from key technology providers. Gartner’s annual Symposium/ITxpo events are key components of attendees’ annual planning efforts. IT executives rely on Gartner Symposium/ITxpo to gain insight into how their organizations can use IT to address business challenges and improve operational efficiency.

Additional information for Gartner Symposium/ITxpo 2013 in Orlando, October 6-10, is available at www.gartner.com/us/symposium. Members of the media can register for the event by contacting Christy Pettey at christy.pettey@gartner.com.

Additional information from the event will be shared on Twitter at http://twitter.com/Gartner_inc and using #GartnerSym.

Upcoming dates and locations for Gartner Symposium/ITxpo 2013 include:

October 6-10, Orlando, Florida: www.gartner.com/us/symposium

October 15-17, Tokyo, Japan: www.gartner.com/jp/symposium

October 21-24, Goa, India: www.gartner.com/in/symposium

October 28-31, Gold Coast, Australia: www.gartner.com/au/symposium

November 4-7, Sao Paulo, Brazil: www.gartner.com/br/symposium

November 10-14, Barcelona, Spain: www.gartner.com/eu/symposium

About Gartner

Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is a valuable partner in more than 13,000 distinct organizations. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 5,500 associates, including 1,402 research analysts and consultants, and clients in 85 countries. For more information, visit www.gartner.com.

Article source: http://www.darkreading.com/privacy/gartner-survey-says-many-organizations-f/240161803

Survey: Analytics And Intelligence Being Used But Not Effectively

BETHESDA, Md., Sept. 26, 2013 /PRNewswire-USNewswire/ — SANS announces the results of its first-ever survey on awareness and use of analytics and intelligence to augment current monitoring practices. In it, only 10% of respondents felt confident in their organization’s ability to analyze large data sets for security trends, although 77% are collecting logs and monitoring data from various systems and security devices.

“Respondents are trying to add intelligence and improve analytics of the security data they’re collecting, but they’re struggling in various ways,” says Deb Radcliff, executive editor of the SANS Analyst Program. “The primary issue is they’re not able to make the associations to detect security events among their event and log data.”

The survey had 647 respondents and was cosponsored by Guidance Software, Hewlett-Packard, Hexis Cyber Solutions (a KeyW Company), LogRhythm and SolarWinds. This survey is a follow-up to the SANS Eighth Annual Log Management Survey, which revealed that organizations were falling behind in their ability to detect security threats because they were — quite literally — gathering too much information to sift through.

This new survey on analytics and intelligence indicates that most organizations are still relying heavily on their Log Management (49%) or SIEM Platforms (47%), while only 17% are making use of advanced threat intelligence and profiling databases.

“While most security operations teams are still relying on traditional SIEM and log management, there are new challenges facing many organizations that these products may not address,” says senior SANS Analyst Dave Shackleford, who authored the report. “More scalable and flexible analytics platforms are gaining interest and attention from the security community, and will likely continue to do so, given the threats and attacks we face today.”

Join our two-part webcasts on Oct. 1 and Oct. 3 at 1 PM EDT to learn the full set of results. Those who register for these complimentary webcasts will be given an advance link to the associated report developed by Dave Shackleford.

Please visit the webcast links to register and attend:

Part one on Oct. 1: http://www.sans.org/info/140115

Part two on Oct. 3: http://www.sans.org/info/140120

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest source for world-class information security training and security certification in the world, offering over 50 training courses each year. GIAC, an affiliate of the SANS Institute, is a certification body featuring over 25 hands-on, technical certifications in information security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet’s early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community.

(www.SANS.org)

Article source: http://www.darkreading.com/management/survey-analytics-and-intelligence-being/240161865

NQ Mobile Announces Preload Deals For Mobile Security Solutions On Huawei, ZTE And Lenovo Smartphones

DALLAS and BEIJING, Sept. 26, 2013 /PRNewswire/ — NQ Mobile (NYSE: NQ), a leading global provider of mobile Internet services, today announced that it has entered into broad contracts with Huawei, ZTE and Lenovo to preload mobile security solutions onto the manufacturers’ smartphones. The deals will increase the availability of NQ Mobile’s award-winning security technology, which to date has attained more than 370 million registered user accounts around the world.

Huawei will provide NQ Mobile antivirus solutions on certain of its Android devices sold in international markets. Lenovo will provide its overseas customers with the latest NQ Mobile security services. ZTE has extended its agreement to preload mobile security for certain Android devices in the global market.

“By incorporating NQ Mobile’s industry-leading mobile security technology and user-friendly experience into their devices, our manufacturing partners are providing their customers with the best solution on the market for protecting their devices and the valuable data they hold,” said Omar Khan, Co-Chief Executive Officer, NQ Mobile. “By helping to keep their customers safe from nefarious mobile threats, these manufacturers are also giving them important peace of mind at the point of purchase and beyond.”

NQ Mobile’s flagship app, NQ Mobile Security(TM), detects and deletes viruses, malicious URLs, and other threats. NQ Mobile Security outperformed all competitive mobile security platforms in a West Coast Labs Comparative Test. It was also a top performer in effectiveness in research conducted by AV-TEST Institute, a leading international and independent service provider in the fields of IT security and anti-virus research. The app has won accolades including a “Shining Star in Consumer Security Apps” from Mobile Village, 5 out of 5 stars from CNET and has ranked on top security app lists from Phones Review (UK), eSecurity Planet, Android Authority and the Droid Guy.

NQ Mobile Security and the company’s other award-winning products including NQ Family Guardian(TM) and NQ Mobile Vault(TM) for Android are also available through the Google Play store.

About NQ Mobile

NQ Mobile Inc. (NYSE: NQ) is a leading global provider of mobile Internet services. NQ Mobile is a mobile security pioneer with proven competency to acquire, engage, and monetize customers globally. NQ Mobile’s portfolio includes mobile security and mobile games as well as advertising for the consumer market and consulting, mobile platforms and mobility services for the enterprise market. As of June 30, 2013, NQ Mobile maintained a large, global user base of 372 million registered user accounts and 122 million monthly active user accounts through its consumer mobile security business, 87 million registered user accounts and 16 million monthly active user accounts through its mobile games and advertising business and over 1,250 enterprise customers. NQ Mobile maintains dual headquarters in Dallas, Texas, USA and Beijing, China. For more information on NQ Mobile, please visit http://www.nq.com/.

Article source: http://www.darkreading.com/mobile/nq-mobile-announces-preload-deals-for-mo/240161847

CyberArk Unveils Master Policy; Revolutionary Approach to Privileged Account Security Turns Business Policy Into Global Controls

Newton, Mass. – September 25, 2013 – CyberArk, the company securing the heart of the enterprise, today announced the availability of Master Policy, a bold new ‘policy engine’ that enables customers to set, manage and monitor privileged account security in a single, simple, native language interface. The once complex process of transforming business policy and procedures into technical settings is now easily manageable and understandable to an organization’s stakeholders, including security operations, risk officers and auditors. Master Policy is embedded at the core of all of CyberArk’s privileged account security products, providing simplified, unified and unequaled policy management. The release is available in version 8.0 of CyberArk’s privileged account security solution released today and will ship with all new installations of CyberArk’s Privileged Identity Management (PIM) and Privileged Session Management (PSM) suites.

Privileged accounts have been identified as the primary target in internal and advanced external attacks, and have been implicated in 100% of breaches[1]. As the risk of advanced threats increases, compliance regulations like PCI DSS, Sarbanes Oxley, NIST, NERC-CIP, HIPAA and others have become stricter. Master Policy enables organizations to set policy first to better meet their security and compliance needs.

Key benefits of Master Policy include:

A simplified process for creating and managing privileged account security policy, which can now be set up in minutes rather than days or weeks;

Improved security posture of the organization by approaching privileged account security with policy first;

Meets business demands by quickly and accurately translating written policy into privileged account security controls;

Enables organizations to meet and demonstrate compliance regulations like PCI DSS, Sarbanes Oxley, NIST, NERC-CIP and more;

Allows enterprise global policy to be set while providing controlled, granular level exceptions to meet the unique operational needs of the business;

Decreases resource strain by empowering security risk and audit teams to enforce policy in their native language.

“Policy is the foundation of a sound security infrastructure. It has been difficult to enforce written policy throughout the enterprise, as it is time-consuming and difficult to translate that written policy to technical settings for operational departments,” said Sally Hudson, Research Director, IDC. “With today’s advanced threat landscape, the enterprise can no longer afford to overlook the importance of accurate policy settings and enforcement. Simplifying this process gives control back to the security, risk and audit teams and allows them to use their expertise to mitigate the risks posed by insider and outsider threats and comply with strict regulations.”

In addition to Master Policy, CyberArk’s version 8.0 includes the Universal Connector, empowering organizations to extend privileged session monitoring to virtually any component of their IT infrastructure, including networks, servers, hypervisors, databases, applications and more. Using customizable solutions and efficient automation, and offering 200+ existing connectors, CyberArk is able to support nearly all current enterprise systems.

“With the introduction of the Master Policy engine, as well as the extended capabilities of the Universal Connector, CyberArk continues its leadership to remain at the forefront of security,” said Roy Adar, vice president of product management, CyberArk. “We are proud to be the only solution that ties together uncompromised core security with a deep understanding of policies and regulations. As privileged accounts continue to be exploited by cyber attackers and rogue insiders, it is our goal to put an end to this vulnerability by arming our customers with the strongest possible defense.”

Version 8.0 of CyberArk’s privileged account security solution, including the Privileged Identity Management and Privileged Session Management suites, is available today.

About CyberArk

CyberArk is the only security company focused on eliminating the most advanced cyber threats; those that use insider privileges to attack the heart of the enterprise. Dedicated to stopping attacks before they stop business, CyberArk proactively secures against cyber threats before attacks can escalate and do irreparable damage. The company is trusted by the world’s leading companies – including 40 of the Fortune 100 – to protect their highest value information assets, infrastructure and applications. CyberArk is a vital security partner to more than 1,300 global businesses, including 17 of the world’s top 20 banks. Headquartered in Newton, MA, CyberArk also has offices throughout EMEA and Asia-Pacific. To learn more about CyberArk, visit www.cyberark.com, read the company blog, http://www.cyberark.com/blog/, follow on Twitter @CyberArk or Facebook at https://www.facebook.com/CyberArk.

Article source: http://www.darkreading.com/management/cyberark-unveils-master-policy-revolutio/240161866

CloudPassage Extends Cloud Infrastructure Security To Large Enterprises

San Francisco, Calif. — September 26, 2013 – CloudPassage, the leading cloud infrastructure security provider, today announced the availability of Halo Enterprise, a security-as-a-service solution built specifically for large-scale, heterogeneous cloud infrastructure environments.

Halo Enterprise extends CloudPassage’s patented Halo cloud security platform to large enterprises with complex security and compliance requirements. Halo currently protects over 400 production cloud deployments and automates security for more than 10,000 new cloud instances monthly.

According to an August 2013 Forrester Research report “Security’s Cloud Revolution Is Upon Us” by Ed Ferrara and Andras Cser, “2013 will turn out to be remembered as the year cloud disrupted the information security market. It’s clear that cloud architectures (IaaS, PaaS, and SaaS) have already had significant disruptive effects on security technology and services… This means that security and risk pros need to develop hybrid security architectures to protect not only their on-premises infrastructure but cloud-based workloads as well.”

“Large organizations have heterogeneous infrastructure environments, usually a dizzying mix of hardware, virtualized systems, and multiple cloud service providers. It’s also the norm in large enterprises to have many thousands of systems across a complex maze of business units and subsidiaries,” said Carson Sweet, CEO and co-founder, CloudPassage. “Legacy security tools and models were built for another time and are inflexible to the point of breaking cloud models. Halo was built to be flexible, lightweight and incredibly easy to deploy and scale, regardless of the environment. No other security technology provides the same level of visibility and protection at large scale, in real-time, and that keeps up with complex infrastructure models.”

Unlike legacy security tools that were built for static environments and fixed perimeters that don’t exist with cloud computing, Halo is the only massively scalable, portable security solution that can provide immediate visibility and control over any cloud infrastructure environment, including private cloud, virtualized data centers, public cloud, virtual private or managed clouds, and even bare-metal servers.

Within minutes of deployment, Halo’s lightweight agents establish real-time streams of security data between every cloud instance and the Halo Grid, a cloud-based security analytics engine that continuously evaluates thousands of cloud security and compliance data points per instance. By moving security analytics overhead from protected cloud instances to the elastic cloud-powered Halo Grid, Halo automates defense-in-depth with almost zero impact on protected cloud infrastructure.

With Halo Enterprise, CloudPassage delivers the following capabilities designed for heterogeneous, large-scale enterprise cloud environments:

● Real-time, centrally managed automation of comprehensive security capabilities including configuration security monitoring, vulnerability assessment, integrity monitoring, firewall automation, access control and account management.

● Enhanced deployment, management and integration support for private cloud, software-defined and traditional data center infrastructure including VMware, Microsoft, and OpenStack among others.

● Seamless integration with advanced enterprise security and operations tools such as single sign-on gateways, security information event management (SIEM) systems, and systems management and orchestration systems.

● Hierarchical policy and control management allowing security organizations to centrally administer security and compliance for large numbers of applications distributed across complex, multi-cloud infrastructure environments.

Supporting Quotes

“Cloud computing is a cornerstone of Adobe’s business strategy. We expect software-as-a-service to be a primary software delivery model across our product portfolio, making it critical to have a security solution that is purpose-built for and works across this highly agile and complex environment. Halo allows security teams to quickly attain visibility and control across cloud infrastructure environments.” – Dave Lenoe, Director of Software Engineering, Adobe

“As organizations increasingly adopt cloud technologies, maintaining security efficacy and operational efficiency across heterogeneous cloud and data center environments is difficult if not impossible with traditional security tools. CloudPassage Halo, with its built-for-cloud design, can provide security and compliance across this complex heterogeneous enterprise infrastructure, and help companies pursue the benefits of cloud.” – Jon Oltsik, Enterprise Strategy Group

“Within cloud and software-defined datacenter environments, it’s easy to forget that you’re creating, managing and cloning real systems, each with real vulnerabilities. Halo’s extensive automation addresses that problem.” – Wendy Nather, 451 Research

About CloudPassage

CloudPassage is the leading cloud infrastructure security provider and creator of Halo, the industry’s only security and compliance platform purpose-built for elastic cloud environments. Halo operates seamlessly across public, private and hybrid clouds. Industry-leading companies trust Halo to protect their cloud and software-defined datacenter environments. Headquartered in San Francisco, CA, CloudPassage is backed by Benchmark Capital, Tenaya Capital, Shasta Ventures, and other leading investors. For more information, please visit http://www.cloudpassage.com.

Article source: http://www.darkreading.com/management/cloudpassage-extends-cloud-infrastructur/240161868