STE WILLIAMS

Q&A: Security In The Spotlight At Interop

Security and networking professionals are gearing up for the Interop show in New York next month. As we ramp into the show, Dark Reading caught up with John Pironti, chair of both the Risk Management and Security track as well as co-chair of the Applications and Collaboration track. Pironti is president of security consultancy IP Architects, LLC and is also an active member of ISACA.

Dark Reading: John, tell us a little bit about some of the security themes you have helped to develop with the programming in the Risk Management and Security track at Interop this year.
Pironti: Not unlike at ISACA, at Interop we’ve really been trying to push the theme and kind of move the bar forward for security professionals to become more risk and security professionals and to be more embracing of a threat- and vulnerability-based and risk-based approach, not a technology-based approach to security. We want people to appreciate that, in some cases, it’s actually better to be the trusted advisor than it is to be the guy with the hammer.

Dark Reading: Which kind of makes Interop the perfect audience to bring that message to, considering how many security professionals come from the networking world, right?
Pironti: Yeah. The good news there is that we have a lot of maturity because of that. Network security is probably the area of security that is the most mature and has the most specialists available. But we’d like to start pushing lots of data conversations.

Networking, and technology generally, is really a vessel. We have all these other angles we’re working on and all these other requirements at the business level that we have to address. So we’re trying to help that professional broaden their horizons and try to understand what their customers and management teams are struggling with.

One theme we’re trying to move forward is visibility, because you can’t protect what you don’t know. And then, really moving away from using the word risk too easily and really trying to appreciate what risk really means to the business person and what the security professional believes risk to be. These are usually two very different things.

Dark Reading: So better business context for risk?
Pironti: So a security professional can understand all the possibilities and probabilities of a threat and a vulnerability of a technology or of a concept. In order to factor in what’s a risk to the business, you have to have consciousness of things like operational risk, strategy risk, financial considerations, HR considerations, and legal considerations. We need to work with them to understand how do we get on the same language page, so when I say something’s a risk it’s couched in a way of saying it’s an information risk, but it has a potential impact on your business process.

Dark Reading: That ties into some conversations we’ve had with people about generally having IT risk rolled up into enterprise risk management. What are you seeing there?
Pironti: ISACA and I have been having that conversation for a while. Maybe we separate IT security operations from information risk management. But they are two things that are very heavily integrated and they should talk to each other and deal with each other regularly. Let the technology group still maintain the controls, and understand how we’re going to meet those controls. But let the risk group define what the control objectives need to be.

Dark Reading: Looking at general trends, what would you say security people should be paying attention to that will be on the Interop radar, trends like software defined networking (SDN)?
Pironti: I think SDN is great. I think we’re at the fun time talking about SDN. At Interop you have networkers and we love this stuff. This is our bread and butter.

I think that like other standards we’ve had, we’re high in the hype cycle right now. We still have to wait for the standards to play. It is a logical step forward, though, from a provisioning and maintenance and management perspective. But I don’t think it’s going to replace overnight what we do for traditional networking, or traditional operations or application management or things of that nature.

Every couple of years we come up with something new that is going to change the world. SOA, cloud—this is the third time we’re trying cloud, we just keep calling it something different, NAC. Remember in 2001 and 2002, we were all going to do NAC? Now NAC is back. And it actually makes sense, finally. So I think the security professional needs to keep an eye on how data is becoming more pervasive and how it’s being extended beyond their boundaries and what that means. As well as understanding what are the capabilities of some of these new trends that are coming online and how they’ll impact not only their internal operations but how they interact with other organizations.

Article source: http://www.darkreading.com/risk/qa-security-in-the-spotlight-at-interop/240161571

UK to trial national emergency alerts via mobile phones – what are the risks?

If you live in the UK and listened to the radio earlier this week, you might have heard Chester Wisniewski and me talking to a number of local radio stations about the UK government’s proposal to introduce an emergency alerting service based on mobile phone text messages.

The plan, which will enter a trial stage later this month, is aimed at tapping into the ubiquity of mobile phones and the simplicity of Short Message Service (SMS) text messages to provide an effective method of giving clear and concise advice in the event of an emergency.

Radio and TV are highly effective tools that already get the news out rapidly in the event of local or national crises, but if you aren’t watching or listening at the moment that the alert goes out, you miss it.

Augmenting this with text messages may not be the most cutting-edge approach – texts are so 1999, after all – but it will work with just about every mobile phone in the UK, and just about everyone has a mobile phone.

It all sounds uncontroversial, doesn’t it?

You can probably imagine any number of local incidents that, were they to happen in your town, you wouldn’t mind hearing about without needing to be watching a TV or listening to a radio at the time.

At the risk of sounding a bit gruesome, examples might be: factory on fire, poisonous smoke billowing out; flood waters burst banks, CBD inundated; train accident, blood donations needed urgently; and so on.

But many, if not most, of the radio interviewers were at best cautiously optimistic, and with good reason: they wanted to speak to computer security experts because they wanted to consider the potential security risks before endorsing the proposal.

Thinking through the privacy implications before implementing a plan that is “obviously” the right thing to do?

That’s a good sign, if you ask me!

Quantifying the risks

So, how might this work, and what are the risks?

• Knowing whom to tell

You can build a giant list of users, and send them each an SMS in turn when you have something to say. This makes the service opt-in (unless you compel the mobile operators to hand over their subscriber databases), so the people who will receive the alerts are those who genuinely want them.

But it’s inefficient, since you have to send thousands or millions of messages, one by one, and for local emergencies, it doesn’t automatically target people on the spot (they might be out of town for the day, or have their phone turned off).

And there’s the problem of maintaining and disseminating the list so it can be used in real time: that list would be a prized possession for cybercriminals.

Or you can use SMS-CB, or “cell broadcasts,” where the mobile operator simultaneously sends a message to all the phones currently in a particular cellular area, thus promptly and efficiently reaching phones that are in range, and appropriately located.

But there’s no opt-in, and although many phones can opt out of CBs with a configuration setting, that’s usually an all-or-nothing approach.

• Authenticating the messages

Cybercriminals are adept at hijacking news stories, especially those involving tragedy and disaster, to peddle their own fraudulent information, or to spread misinformation and fear.

And they’re adept at copying the look and feel of genuine security warnings to give themselves an aura of legitimacy that misleads people, especially when they are in a hurry.

For web pages, there’s room in the browser’s interface for visual alerts that can’t easily be forged or disguised by the crooks (the HTTPS padlock in the address bar, for example), and those can help well-informed users to distinguish fake from real.

We don’t have similar protections for SMSes, and while the brevity of text messages is handy for clarity and simplicity in an emergency, it makes them easy to clone, or copy, or spoof, in a believable way.

• Tolerance for unexpected messages

Several of the interviewers noted that they suffer a similar problem to me: SMS fatigue.

We already receive so much SMS spam (what Naked Security jocularly calls SPASMS), urging us to consolidate our debts, or trying to sell us insurance we don’t need, that our tolerance for text messages is very low.

We’re probably the sort of people who wouldn’t opt in to any service, even a well-meant one, that required us to hand over our mobile phone details.

Unless we were expecting a message from a specific source (such as a two-factor authentication code we know is on the way), we wouldn’t pay much attention to it on the grounds that we never opted in to start with.

• Safeguarding the system

Similar emergency alerting systems, though admittedly not SMS-based ones, in other countries, have had terrible trouble with hackers.

Not because they were hacked frequently, but because they were hacked and abused at all – it only takes one fake emergency to cause panic, or to destroy trust for ever in the alerting system.

Indonesia’s disaster management adviser’s Twitter account was hacked; someone sent a bogus message claiming “Jakarta: tsunami arrives tomorrow.”

And in Montana, US, a TV-based alerting system was abused to send out warnings of a zombie apocalypse. (It might sound funny in hindsight, but it is a dire reminder of why security matters fourfold in alerting systems of this sort.)

Should it go ahead?

As one interviewer, despite his own sceptical concern, pointed out, “The fact that there are lots of potential problems is no reason not to do it.”

He’s right.

What I applaud in this case is that the trials, which will involve up to 50,000 people, are to see if the system might work well enough in the UK to be adopted there.

In the post-9/11 security era, it seems that the trials of many security systems are more about seeing how to implement them, not to decide whether to do so.

And security systems put in place “because it’s obvious they’ll do good,” may end up having quite the opposite result.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/r6QBRzQi-BU/

Phone and tablet unlocking – US government nudges it closer to law

US citizens are now one step closer to being able to do (more or less) what they want with their gadgets – at least as far as choosing a wireless carrier goes.

On Thursday, six months after the White House publicly endorsed a citizens’ petition to regain the right to unlock smartphones and tablets so that they can be used on whichever wireless network the owner wishes, the government has set the ball rolling with a petition [PDF] to the Federal Communications Commission.

The petition, from the National Telecommunications and Information Administration (NTIA), asks the FCC to amend its rules so as to require carriers to unlock any wireless devices they sell, including smartphones and tablets.

The rationale is to both boost competition in the mobile industry and to give consumers a break.

It reads:

By giving consumers greater freedom to choose among alternative mobile service providers and use wireless devices that they lawfully acquire from others, the proposed rule would both increase competition in the mobile services market and enhance consumer welfare.

In March, the White House had thrown its weight behind some 114,000+ US citizens who signed a petition to make cell phone unlocking legal.

That citizens’ petition was against new regulations, handed down as an edict from the Library of Congress in January, that made it illegal for consumers to slip past software restrictions that keep cellphones from being used on different wireless networks than the networks the phone vendor had them on to begin with.

On February 21, two days before the deadline to get enough petition-signers to trigger the administration’s re-examination of an issue, 100,000 annoyed people had demanded the right to be given back.

The NTIA had strongly supported maintaining the expired exception to the Digital Millennium Copyright Act (DMCA), which had outlawed carrier unlocking, and the White House agreed with it.

As it was, the DMCA, passed in 1998, was originally intended to fight piracy but ended up also criminalizing phone unlocking.

Mind you, that didn’t really stop consumers from unlocking their phones.

From November 2006 up until October 2012, as Forbes’s Elise Ackerman notes, the uptick in smartphone adoption was met by repeated exemptions to the DMCA for unlocking.

That all stopped in 2013, after lobbyists for the carriers argued that unlocking threatened how they offered wireless devices and services and would actually undermine the system of subsidies that allows them to sell phones for prices below list, making up the difference by having consumers commit to a monthly service contract.

The NTIA, on the other hand, doesn’t think the sky will fall for the mobile industry if legal unlocking experiences rebirth, and it seeks to require carriers to unlock devices at no extra charge.

The petition puts it this way:

As long as a consumer continues to adhere to any existing service agreement – or pays the specified fees or penalties for prematurely terminating that agreement – the unlocking rule’s benefit for consumers does not unduly burden the original providers.

Thanks, NTIA, for pushing forward this consumer rights issue. I, for one, agree with you: it’s hard to see how unlocking could be so pernicious, given that the mobile industry didn’t wither away all those years when it was legal.

What does this have to do with security? As with earlier discussions, unlocking is the sole focus, with no mention of jailbreaking or rooting that I can see.

In 2012, EFF actually asked for – and won – exemptions for jailbreaking or rooting mobile phones to run unapproved software. That didn’t extend to tablets, however.

A petition to make it legal to jailbreak or root tablets expired without meeting its signature threshold around the same time that citizens had petitioned to get their unlocking rights back.

Unlocking is a consumer issue, whereas jailbreaking introduces dangers such as worms that only work on jailbroken phones.

So, hurray for the progress of consumer rights in the realm of unlocking.

But don’t forget: once you push past the jail, things can get a little dicey.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WBkMv6M9Z5o/

Defending against web-based malware: Spot the smoke, don’t wait for fire

Fire sprinklers and clearly marked escape routes are a great way to save lives in the event of fire. But smoke alarms save both life and property, and they do so at a much earlier stage.

It’s much the same with cyberattacks: malware rarely gets into your network without signs of smoke beforehand.

Learning to spot smoke, and react accordingly, is not only a smart way to protect your physical property, but a handy metaphor for keeping your network safe, too.

As with fire, there are many ways that malware and other threats can get a foothold in an organization.

That’s why bigger companies have IT staff, firewalls, security policies, anti-virus software, and more. But, even with strong defensive mechanisms, a threat only becomes a problem if it has an opportunity, and opportunity often boils down to a user decision.

Malware is designed to be devious: it searches for ways to circumvent a defensive perimeter. And users can be surprisingly good at finding ways around defensive processes, especially if they feel they get in the way of productivity.

Cybercriminals, of course, exploit this propensity with social engineering: actively persuading users to take shortcuts or to indulge in behaviors that get the attacker past the smoke alarms.

Training users to recognize suspicious on-screen behavior is the best security measure that any family or organization can take. It goes far in curtailing inadvertent participation. It goes beyond policies and mechanisms.

That’s because it doesn’t just prevent inadvertent participation, it recognizes a basic tenet of human nature: security policies and mechanisms are sometimes circumvented when faced with individual authority or sympathy.

Many cyberattacks begin when we do everyday things: check email, browse the web, click on a tempting news story, or agree to some sort of update. They are initiated by activity that should not have been approved.

With just a little training and occasional reinforcement, your users will recognize the seductive signs of phishing and malware knocking at the door, from the clumsy and prurient (Check out these hot babes), to the falsely authoritative (You need to update Adobe Flash).

Educated users who are knowledgeable of trends and wary of unexpected behavior become your first line of defense. They feel empowered. They are proud to participate in security and they play a more important role in suppressing threats than policies, procedures and technology.

It’s impossible to cover all of the sneaky ways in which malware circumvents suspicion and gains temporary trust – just enough that it can get in the door. But a few simple examples can give users a defensive edge.

So, show users the suspicious signs. Cultivate their antennae. Remind them of the most common hooks used in social engineering. These hooks play either on one of several deep-seated, natural desires such as health, wealth, sex and status, or (ironically) on a user’s desire to maintain and even to help improve security.

Here are some examples:

  • Trust this brief exception! (Threat poses as important maintenance.)
  • Check this out! (Inducement appears to be from a friend.)
  • Get more friends! (Appeals to sex, money or personal status.)
  • Limited time offer! (Urgency: act fast, or miss out on a bargain.)
  • Enjoy life more! (Who doesn’t want greatly enhanced anatomy?)

The interesting thing about these offers is that they create a seductive path between truth and desire. It’s easy to joke about offers for Viagra – after all, who gets lured into these things? – yet Viagra is one of the best selling drugs in the world. So, the key to persuading family or staff to mitigate threats is not to change human nature.

Instead, get them to recognize the risks and to understand that those risks are mitigated the most when they decide to initiate online activities themselves, rather than to be talked into an action by an invitation from a stranger.

Find your own way

Here are a few ways to make sure you are following your own path to an online web destination, rather than being (mis)guided by an outsider:

1. Enter important URLs directly, or use a bookmark.

If you have an account on a website, and you plan to log in, don’t be lazy and use a search engine to get you there: type the full URL into the address bar, or use a bookmark that you previously created. (Many browsers automatically initiate search queries from the address bar if you enter something that doesn’t look like a URL, so be sure to type thecompany.example, not just thecompany.)

Cybercriminals spend plenty of time and money trying to poison search engines so that their malicious sites supplant legitimate ones at or near the top of search results.

2. Look for the HTTPS padlock.

If you plan to do anything that involves logging in, or viewing or uploading information you wouldn’t want anyone in the world to know about, look for “https” (secure HTTP) in the address bar.

Don’t bother looking for assurances of security and privacy within the actual window, such as pictures of padlocks or mention of cryptographic key lengths. Simply saying something doesn’t make it true.

3. Don’t be influenced by words or images.

It’s common for friends to send links within an email and, personally, I don’t think that it is necessary for organizations to prohibit this sort of email use, or to block links in messages.

But there are some links that we should learn to shun instinctively.

Never use email links to web pages where you have an account, or to any site which requires login. With email, it is difficult to verify the original sender, or to be certain of the integrity of the path between sender and recipient.

Check, and check again

So, when you visit a website where you have an account, follow the advice given in (1) above. When the web page opens, look at the URL again, and follow the advice in (2).

Check that the page is secure (https), and that the domain name is exactly what you expect. Watch out for unfamiliar characters, or a variant of the domain name you are looking for, immediately before the first slash. (E.g. check you are going to bank.example/ and not something like bank.example.198.51.100.12/.)
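The three checks above (https, the exact expected host immediately before the first slash, no unfamiliar characters in it) as a small helper. This is an added example, not code from the original article; the function name, the `bank.example` host and the sample URLs are constructed for illustration, and it also flags a `user@` prefix, which likewise disguises the real host.

```python
"""Added example: apply the article's pre-login URL checks to a URL string."""
from __future__ import annotations

from urllib.parse import urlsplit


def check_login_url(url: str, expected_host: str) -> list[str]:
    """Return a list of problems found; an empty list means the URL passed.

    Checks: scheme is https; the host (the text right before the first slash,
    port and any user@ prefix stripped) equals expected_host exactly; the host
    contains no non-ASCII or punycode (xn--) look-alike labels.
    """
    problems = []
    parts = urlsplit(url)

    if parts.scheme.lower() != "https":
        problems.append("not https (scheme is %r)" % (parts.scheme or "missing"))

    # urlsplit lower-cases the hostname and drops the port and user:pass@ part
    host = parts.hostname or ""

    if parts.username is not None:
        # e.g. https://bank.example@198.51.100.12/ : the real host is after '@'
        problems.append("user@ prefix in URL; the real host follows the '@'")

    if host != expected_host.lower():
        problems.append("host is %r, expected %r" % (host, expected_host))

    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        problems.append("host contains non-ASCII or punycode look-alike characters")

    return problems


# Constructed sample URLs (no real sites): the first should pass, the rest fail.
SAMPLES = [
    "https://bank.example/login",                 # exact host over https
    "http://bank.example/login",                  # plain http
    "https://bank.example.198.51.100.12/login",   # variant right before the slash
    "https://bank.example@198.51.100.12/login",   # real host hidden after '@'
    "https://b\u0430nk.example/login",            # Cyrillic 'а' in place of 'a'
]


def run_samples(expected_host: str = "bank.example") -> dict[str, list[str]]:
    """Run every sample URL through check_login_url and collect the findings."""
    return {url: check_login_url(url, expected_host) for url in SAMPLES}


if __name__ == "__main__":
    for sample_url, found in run_samples().items():
        print(sample_url, "->", "ok" if not found else "; ".join(found))
```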

As with all security threats, alert users are the best prophylaxis against infection. If in doubt, leave it out!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/D6x9HCf6dec/

Facebook “Likes” can no longer get US employees fired

Happy day, USA: When we click “Like” on Facebook, we are now constitutionally protected from getting fired!

If you’re thinking, “Well, duh, wasn’t I already?”, join the club.

In fact, at least one court had hitherto decreed that the First Amendment to the US Constitution, which (more or less) ensures the right to free speech, didn’t apply to Facebook Likes.

The case came to court after a sheriff from the state of Virginia fired six employees for supporting his opponent in an election.

Mashable’s Lorenzo Franceschi-Bicchierai reports that B.J. Roberts, the sheriff of Hampton, Virginia, had fired the employees who supported Jim Adams, his opponent in the sheriff’s election.

One of the fired employees, Former Deputy Sheriff Daniel Ray Carter, had Liked Adams’s Facebook page.

The fired employees, Facebook and the American Civil Liberties Union (ACLU) joined forces to fight the dismissals.

Together, they argued that a Facebook Like must be considered free speech, which would in turn mean that employers couldn’t legally fire employees for expressing their opinions on the network.

In the first federal ruling on the case, a federal district judge had said that a Like was “insufficient speech to merit constitutional protection”, as Mashable reports.

The judge ruled that a Facebook Like didn’t involve an “actual statement”, unlike Facebook posts, which have hitherto been granted constitutional protection.

On Wednesday, that decision got its own thumbs-down in a federal appeals court.

Judge William Traxler, who authored the decision, said that clicking Like is much the same as putting up a political sign supporting a candidate in your front yard:

“Liking a political candidate’s campaign page communicates the user’s approval of the candidate and supports the campaign by associating the user with it. … It is the Internet equivalent of displaying a political sign in one’s front yard, which the Supreme Court has held is substantive speech.”

Both the ACLU and Facebook’s legal counsel are applauding the decision.

The decision reinstates the claims of Carter, along with two other fired employees, but they haven’t yet actually won the case. If they do, they might get their jobs back, Franceschi-Bicchierai reports.

As commenters on the Mashable story have noted, Facebook Likes can be convoluted creatures. In order to continue to see posts appear in our news streams, we need to click Like, whether that aligns us with candidates we detest or news we abhor.

But regardless of why we click Like, it shouldn’t come back to haunt us. Facebook is now very much an outlet for speech that deserves protection, whether it’s to support a candidate or to follow news about, for example, cancer research.

We follow things. We Like things. We shouldn’t be punished for it.

That doesn’t mean you shouldn’t clean up your slimy Facebook trail if you post about your drunken binges or how much you hate your boss.

As far as I know, the First Amendment doesn’t cover dumb.

Good luck with the case, Mr. Carter, et al. I hope you get your jobs back.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FJ8JzH8DtKs/

Roll up, roll up: Cash, Bitcoin and booze offered for iPhone 5S fingerprint scanner hack

Hackers have taken to crowdfunding in a bid to raise a bounty to hack the iPhone 5S fingerprint scanner.

The IsTouchIDHackedYet.com site has so far received cash offers exceeding $3,250 – and 7.13 Bitcoins, which is a shade over $900 at current exchange rates – from more than 30 people prepared to chip in to offer a “reward to the first person who can reliably and repeatedly break into an iPhone 5S by lifting prints (like from a beer mug)”.


The kitty also includes offers to supply bottles of wine, whisky and – in one case – an “under the door tool” (we’re not sure what that is either).

It’s the sort of thing that might be dreamt up at a boozy post-hacker-con pool party at DefCon in Vegas, except in this case the wheeze is being lubricated through Twitter instead of tequila. The beer mug reference is a bit of a giveaway in explaining the sensibility of the contest.

Linked terms and conditions from the IsTouchIDHackedYet.com site refer to Twitter updates outlining what might be required to win the prize, if not how to go about collecting it.

“All I ask is a video of the process from print, lift, reproduction and successful unlock with reproduced print. I’ll put money on this,” explains Nick DePetrillo, one of the Twitter users behind the istouchidhackedyet.com site – which was set up by Robert David Graham, who describes himself as a “cyber-insecurity expert”.

“Satisfactory video evidence of the print enrollment, lift, reproduction and successful application of the print without locking out will do,” he adds.

Apple’s decision to bundle a fingerprint scanner with the iPhone 5S, due out on Friday, has excited a great deal of security commentary. Fingerprint authentication has been bundled with laptops and handheld computers for years, of course, but the inclusion of the “Touch ID” fingerprint authentication in the iPhone 5S propels it into the mainstream – or perhaps more to the point, into the pockets of corporate big wigs (CEOs, directors etc).

That means the technology is directly relevant to corporate CISOs and, by extension, intriguing to hacker types, which helps explain the appearance of a “Capture the Flag”-style Jesus phone hacking competition.

There is no word as yet on whether using classic techniques – such as Gummi bears – to defeat fingerprint scanners will earn bonus points in this particular competition. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/19/iphone5s_fingerprint_crack_bounty/

Zscaler Announces Cloud-Based APT Solution

SAN JOSE, Calif., September 17, 2013 – Zscaler, the global security cloud for the mobile enterprise, today announced Zscaler for APTs, the industry’s first cloud-based security solution to address the entire advanced persistent threat (APT) and advanced targeted attack (ATA) defense lifecycle, including protection, detection and remediation. Zscaler for APTs provides continuous coverage of any user on any device in any location with proactive protection and real-time advanced security analytics, a significant advance over today’s narrowly-focused point appliance and niche behavioral analysis solutions that fail to provide a complete view of the enterprise threat landscape or address the entire defense lifecycle.

In “Strategies for Dealing With Advanced Targeted Attacks,” Gartner Research Directors Jeremy D’Hoinne and Lawrence Orans note, “Targeted attacks, often called APTs, penetrate existing security controls, causing significant business damage. Enterprises need to focus on reducing vulnerabilities and increasing monitoring capabilities to deter or more quickly react to evolving threats.”[1]

APTs and ATAs probe networks and users for vulnerabilities, utilize zero-day exploits for infection, establish botnets and maintain communication with command and control servers before exfiltrating data or sabotaging systems – all while evading traditional security and detection solutions.

“Many security vendors have overhyped APTs, blurring its definition to distract the market from the fact that their solutions are simple features that should be included in a greater platform,” said Michael Sutton, vice president of security research, Zscaler. “Advanced threats are more than just social engineering, zero-day attacks or data exfiltration; they are the sum of these parts and more, requiring a comprehensive solution to address each individual attack surface as a whole.”

The advanced threat protection lifecycle includes protection, detection and remediation; however, the first generation of APT solutions, such as behavioral analysis, has been limited in addressing the entire lifecycle. Behavioral analysis is an important feature for identifying advanced threats, but it is not a complete solution on its own. The results from behavioral analysis must be combined with other preventative and detective controls to ensure comprehensive protection.

Delivered from the world’s largest and most scalable global direct-to-cloud network, Zscaler for APTs breaks new ground in the fight against the most difficult and pervasive cyber threats, providing multiple layers of advanced security protection and utilizing the broadest range of inspection technologies and techniques. Only Zscaler for APTs consolidates the commoditized features of existing point appliances to provide a comprehensive security platform that addresses all major phases of APT defense:

Protection – Zscaler for APTs delivers proactive and real-time protection from potentially malicious code, enhancing its static anti-virus and vulnerability shielding with its newly-introduced dynamic behavioral analysis engine to block initial infections.

Detection – Zscaler for APTs bolsters its bi-directional, in-line traffic scanning with its newly-introduced DNS analysis to detect suspicious traffic patterns indicative of botnet callbacks to minimize dwell time of APTs, identifying botnets before they can take root.

Remediation – Zscaler for APTs augments its advanced “big data” security analytics with its newly-introduced integration into leading security information event management (SIEM) solutions, providing information security teams with the real-time global visibility into network, payload and endpoint traffic required to isolate botnets and remove infection.

Zscaler for APTs is delivered from the Zscaler Direct-to-Cloud Network, the world’s largest and most scalable global security cloud, which leverages community threat intelligence from its more than 10 million deployed users – an install base ten times greater than any other community defense platform – to provide on-going visibility and protection from emerging threats, regardless of device or location. The Zscaler Direct-to-Cloud Network enables enterprises to eliminate traditional security appliances, streamlining management and vastly reducing network infrastructure costs by securing users as they travel “direct-to-cloud.”

“It seems a single day cannot pass without some interesting new botnet emerging in the news,” said Tony Fergusson, IT architect, MAN Diesel Turbo. “It is reassuring to know that Zscaler for APTs leverages the depth of its behavioral analysis with the breadth of its Direct-to-Cloud Network visibility to deliver a uniquely comprehensive solution.”

The Zscaler behavioral analysis engine featured in its APT solution is the same technology used to conduct security research by ThreatLabZ, the Zscaler security research team. Powered by Zscaler behavioral analysis, Zscaler ThreatLabZ has recently identified and published seminal industry research focused on CookieBomb, Expack and Kelihos.

Zscaler for APTs is available now. For more information, please visit www.zscaler.com.

[1] Gartner “Strategies for Dealing With Advanced Targeted Attacks” by Jeremy D’Hoinne and Lawrence Orans, 6 June 2013

About Zscaler

Zscaler is transforming enterprise networking and security with the world’s largest Direct-to-Cloud Network, which securely enables the productivity benefits of cloud, mobile and social technologies without the cost and complexity of traditional on-premise appliances and software.

The Zscaler Direct-to-Cloud Network processes daily more than 10 billion transactions from more than 10 million users in 180 countries across 100 global data centers with near-zero latency. Learn why more than 4,000 global enterprises choose Zscaler to enable end-user productivity, enforce security policy and streamline WAN performance. Visit us at www.zscaler.com

Article source: http://www.darkreading.com/management/zscaler-announces-cloud-based-apt-soluti/240161523

NIST Awards Grants To Improve Online Security And Privacy

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) today announced more than $7 million in grants to support the National Strategy for Trusted Identities in Cyberspace (NSTIC). The funding will enable five U.S. organizations to develop pilot identity protection and verification systems that offer consumers more privacy, security and convenience online. These new pilots build on the successful launch of five NSTIC pilots awarded in 2012.

Launched by the Obama administration in 2011 and housed at NIST, NSTIC is an initiative that aims to support collaboration between the private sector, advocacy groups and public-sector agencies. The selected pilot proposals advance the NSTIC vision that individuals and organizations adopt secure, efficient, easy-to-use, and interoperable identity credentials to access online services in a way that promotes confidence, privacy, choice and innovation.

“The Obama administration is committed to supporting public-private partnerships that both enhance consumer privacy and ensure the Internet remains a driver of innovation and economic growth,” said U.S. Secretary of Commerce Penny Pritzker. “The grants announced today will support privacy-enhancing technologies that help make Internet transactions more secure, including better protection from fraud and identity theft, and are an important step toward giving American companies and consumers greater confidence in doing business online.”

“These new NSTIC pilots span multiple sectors, benefitting children, parents and veterans, as well as online shoppers and social media users of all ages,” said NIST’s Jeremy Grant, senior executive advisor for identity management. “Collectively, these five pilots will drive innovation in online identity management, helping to foster a marketplace of more secure, convenient, privacy-enhancing identity solutions available to all Americans online.” Grant is head of the NSTIC National Program Office at NIST.

The grantees announced today include the following:

Exponent (Calif.): $1,589,400

The Exponent pilot will issue secure, easy-to-use and privacy-enhancing credentials to users to help secure applications and networks at a leading social media company, a health care organization and the U.S. Department of Defense. Exponent and partners Gemalto and HID Global will deploy two types of identity verification: the use of mobile devices that leverage so-called “derived credentials” stored in the device’s SIM card and secure wearable devices, such as rings and bracelets. Solutions will be built upon standards, ensuring an interoperable system that can be easily adopted by a wide variety of organizations and companies.

Georgia Tech Research Corporation (GTRC) (Ga.): $1,720,723

The GTRC pilot will develop and demonstrate a “Trustmark Framework” that seeks to improve trust, interoperability and privacy within the Identity Ecosystem. Trustmarks are a badge, image or logo displayed on a website to indicate that the website business has been shown to be trustworthy by the issuing organization. Defining trustmarks for specific sets of policies will allow website owners, trust framework providers and individual Internet users to more easily understand the technical, business, security and privacy requirements and policies of the websites with which they interact or do business.

Supporting consistent, machine-readable ways to express policy can enhance and simplify the user experience, raise the level of trust in online transactions and improve interoperability between service providers and trust frameworks. Building on experience developing the National Identity Exchange Federation (NIEF), GTRC plans to partner with the National Association of State Chief Information Officers (NASCIO) and one or more current NIEF member agencies, such as Los Angeles County and the Regional Information Sharing Systems (RISS).

Privacy Vaults Online, Inc. (PRIVO) (Va.): $1,611,349

Children represent a unique challenge when it comes to online identity. Parents need better tools to ensure safe family use of the Internet, while online service providers need to comply with the requirements of the Children’s Online Privacy Protection Act (COPPA) when they deal with minors under the age of 13. PRIVO will pilot a solution that provides families with COPPA-compliant, secure, privacy-enhancing credentials that will enable parents and guardians to authorize their children to interact with online services in a more privacy-enhancing and usable way. Project partners, including one of the country’s largest online content providers and one of the world’s largest toy companies, will benefit from a streamlined consent process while simplifying their legal obligations regarding the collection and storage of children’s data.

ID.me, Inc. (Va.): $1,204,957

ID.me, Inc.’s Troop ID will develop and pilot trusted identity solutions that will allow military families to access sensitive information online from government agencies, financial institutions and health care organizations in a more privacy-enhancing, secure and efficient manner. Troop ID lets America’s service members, veterans, and their families verify their military affiliation online across a network of organizations that provides discounts and benefits in recognition of their service. Today, more than 200,000 veterans and service members use Troop ID to access benefits online. As part of its pilot, Troop ID will enhance its current identity solution to obtain certification at Level of Assurance 3 from the U.S. General Services Administration’s Trust Framework Providers program, enabling Troop ID credential holders to use their solution not only at private-sector sites, but also when interacting online with U.S. government agencies through the recently announced Federal Cloud Credential Exchange (FCCX). Key project partners include federal government agencies and a leading financial institution serving the nation’s military community and its families.

Transglobal Secure Collaboration Participation, Inc. (TSCP) (Va.): $1,264,074

The TSCP pilot will deploy trusted credentials to conduct secure business-to-business, government-to-business and retail transactions for small and medium-sized businesses and financial services companies, including Fidelity Investments and Chicago Mercantile Exchange. As part of this pilot, employees of participating businesses will be able to use their existing credentials to securely log into retirement accounts at brokerages, rather than having to obtain a new credential. Key to enabling these cross-sector transactions will be TSCP’s development of an open source, technology-neutral Trust Framework Development Guidance document that can provide a foundation for future cross-sector interoperability of online credentials.

The NSTIC National Program Office will invite pilot project awardees to give presentations on their initiatives at the planned January 2014 plenary meeting of the independently led Identity Ecosystem Steering Group (IDESG), which will be held in Atlanta. The next IDESG plenary meeting will be held Oct. 16-18, 2013, at NIST headquarters in Gaithersburg, Md. For further information about these meetings and NSTIC, visit www.nist.gov/nstic.

As a non-regulatory agency of the U.S. Department of Commerce, NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life. To learn more about NIST, visit www.nist.gov.

Article source: http://www.darkreading.com/end-user/nist-awards-grants-to-improve-online-sec/240161524

Toopher Partners With LastPass

LastPass, the company that’s helping the world remember their passwords and better manage their online lives, announced it now supports multifactor authentication with Toopher, online security’s “user experience company”. Toopher provides more flexibility for LastPass users and furthers the mission of helping consumers be proactive about their online security.

Multifactor authentication requires the use of a second piece of information, or a device that generates that information, before allowing access to an online account. The user enters two pieces of data: a username and password, followed by a code or generated key from a device or app. Adding multifactor authentication creates a significantly more secure authentication process, so that even a compromised password does not translate to a compromised account. By enabling multifactor authentication with their LastPass account, users are mitigating the risk posed by ever-increasing breaches of online sites.

The key advantage to LastPass’ implementation of Toopher is that there is zero user intervention required once enabled, unlike traditional two-factor security solutions.

Toopher can be downloaded from the app store on the user’s Android or iOS device. Once it is installed, the user enables the multifactor authentication method through their LastPass account settings. After Toopher is enabled for a LastPass account, the user is prompted to “allow” access via a notification sent to their phone, or the authentication can be automated in known and approved locations.

“Providing as many multifactor options for our customers as possible allows them to protect their LastPass account in the way that works best for them,” says LastPass CEO and Co-Founder, Joe Siegrist. “If LastPass generates and fills your passwords, and you utilize multifactor options like Toopher, you’re essentially protecting all of your services with multifactor.”

“We are excited to offer Toopher’s ease of use and enhanced security to LastPass customers,” says Josh Alexander, Toopher’s CEO. “Toopher is the next generation of information security – that is, security that adds convenience and ease of use to its users, versus the traditional model where incremental barriers are added to the user experience. We are excited to partner with LastPass, as both our enhanced security offerings are all about improving the user experience.”

Availability

LastPass currently supports Toopher on iOS and Android, and is free for LastPass consumers. Toopher can also be added on to LastPass Enterprise accounts with additional licenses.

About LastPass

LastPass (www.LastPass.com) is the leading password and data management service, providing online users worldwide an easy, fast, and secure way to manage access to their digital life. It’s free to install on all browsers and computers, with a Premium upgrade for mobile access and added features. LastPass Enterprise provides a centralized and cost-effective password management platform for organizations, with the option to add SAML-based single sign-on for federated identity management of cloud applications. LastPass is a Fairfax, VA-based company founded in April 2008.

About Toopher

Toopher is an invisible, location-based authentication solution designed around user behavior and powered by your phone’s location awareness. By marrying the strongest state-of-the-art, true out-of-band pervasive technology with decidedly lean and thoughtful user experience, Toopher automates the authentication process via your phone – not only preventing online fraud and identity theft, but creating a security solution that people actually want to use. No more password hacks, no more codes. It’s simple, secure, and your phone stays in your pocket. Founded in 2011 by a University of Texas PhD student and an adjunct professor, Toopher is funded by Alsop Louie and is a portfolio company of the Austin Technology Incubator. To learn more and try it for yourself, visit http://toopher.com and follow us @toopher.

Article source: http://www.darkreading.com/intrusion-prevention/toopher-partners-with-lastpass/240161525

Trend Micro Announces New HQ In Texas

DALLAS, Sept. 17, 2013 – Trend Micro (TYO: 4704; TSE: 4704), a pioneer in security software and solutions, today officially announced the grand opening of its Global Operations Headquarters in Irving/Las Colinas, Texas, located near Dallas. The new location will house business units, including: threat research, finance, legal, customer support, commercial sales and marketing, and human resources. Initially, 220 employees will work from the office with potential for additional expansion.

This announcement also coincides with the company’s 25th anniversary, as well as the launch of a new program to support K-12 schools across the nation. A ribbon-cutting ceremony will be held today at 225 E. John Carpenter Freeway, Suite 1500.

“Although we have become one of the largest companies in our industry, we maintain an entrepreneurial spirit that is deeply committed to making the world safe for sharing digital information,” said Eva Chen, CEO, Trend Micro. “With our new base of operations in the United States, we are further demonstrating a relentless dedication to customers as we enter a new era after our first quarter century in business. We are excited that ‘Trenders’ from all around the world will experience the vibrant business community the Dallas-Fort Worth area has to offer.”

Trend Micro was founded in 1988 by Steve and Jenny Chang, along with her sister, Eva Chen, in Los Angeles. As the company’s top competitors have diversified into other businesses, Trend Micro has emerged as the largest company in the world that is solely focused on cyber security software and solutions.

Global research firms have also reinforced the company’s leadership position. In a recent report[1], IDC ranked Trend Micro No.1 in worldwide corporate server security revenue with a 30.8 percent overall market share. The Experton Group ranked the company first in cloud security in its 2013 Cloud Vendor Benchmark report.

“It is truly exciting that, as we celebrate our 25th anniversary, we are also announcing a new headquarters in one of the most dynamic economic centers in the world,” said Kevin Simzer, senior vice president, marketing and business development, Trend Micro. “This location will serve a vital role for the company as we continue to gain momentum worldwide. The Dallas-Fort Worth office affords us an ideal location to be successful, with access to an exceptional talent pool and the ability to travel anywhere in the world with ease.”

In addition to its new D/FW location and anniversary, Trend Micro is launching its Educational Grant program with a gift to the Irving Independent School District. This initiative will support “technology-safe” education at K-12 public schools and districts across the country. A total of $25,000 in cash, software and technology services will be awarded to each recipient to help keep students safe online with both training and Trend Micro’s innovative security software. The program will also include an Internet Safety Awareness assembly to teach best practices for online safety.

For the latest developments on the grand opening, anniversary and new grant program, follow @trendmicro on Twitter and visit blog.trendmicro.com.

About Trend Micro

Trend Micro Incorporated, a global leader in security software, rated number one in server security (IDC, 2013), strives to make the world safe for exchanging digital information. Built on 25 years of experience, our solutions for consumers, businesses and governments provide layered data security to protect information on mobile devices, endpoints, gateways, servers and the cloud. Trend Micro enables the smart protection of information, with innovative security technology that is simple to deploy and manage, and fits an evolving ecosystem. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro™ Smart Protection Network™ infrastructure, and are supported by over 1,200 threat experts around the globe. For more information, visit TrendMicro.com.

Article source: http://www.darkreading.com/management/trend-micro-announces-new-hq-in-texas/240161528