STE WILLIAMS

Capgemini/HP Report Reveals Half Of Companies Inadequately Test Mobile Apps & Security

Paris, September 12 2013 – Capgemini, one of the world’s foremost providers of consulting, technology and outsourcing services, and Sogeti, its local professional services division, today released the findings of the fifth World Quality Report. The report, published in conjunction with HP, reveals that application Testing and Quality Assurance (QA) now accounts for almost a quarter of IT spend, as many organizations undergo the process of digital transformation and reliable software applications become increasingly critical to their operations and reputation.

As the importance of application quality increases, average spending on QA as a percentage of total IT budget has grown from 18% in 2012 to 23% in 2013. However, many organizations still struggle to demonstrate the true value of their testing function to the business. In addition, despite mobile being a primary channel of engagement for both employees and customers, almost half (45 percent) are still not adequately validating the functionality, performance and security of mobile applications and devices. Although the report highlights a rapid rise in mobile testing (from 31% in 2012 to 55% in 2013), over half of those surveyed (56 percent) cite a lack of specialized methods as the biggest barrier to mobile testing, and an additional 48% report that they still lack mobile testing experts.

With organizations increasingly reliant on IT systems and applications to support their core business functions without interruption, many are now taking a more strategic, centralized and business-led approach to QA. Compared to 8% in 2012, this year, over a quarter (26 percent) of those surveyed have consolidated their QA function across projects, lines of business or the whole company. Nearly one in five (19 percent) reported having a fully operational Testing Center of Excellence (TCOE) in place to serve the needs of the business, up from just 6% last year, as testing becomes a much more industrialized process within organizations. In addition, the report highlights growing demand for business and domain knowledge among testers, with nearly two thirds (63 percent) of executives surveyed saying that an understanding of the business is an important capability in their testers as QA functions seek to align more with strategic business priorities.

“The findings from this year’s research have again highlighted the growing strategic importance of Testing and Quality Assurance, along with the critical contribution it makes to ensuring operational business targets are achieved and customer expectations are met,” said Michel de Meijer, Leader Global Service Line Testing Capgemini Sogeti. “Increasingly, technology applications provide the main interface between businesses and their customers – often delivered across multiple channels and devices, with end-users becoming less and less tolerant of functional errors, poor performance or known security vulnerabilities.”

As QA continues to rise in strategic importance for many organizations, this year’s study highlights how some businesses are pioneering the value QA brings to business as part of a more strategic approach, capturing metrics related to wider business ROI, such as the contribution of QA to reduced time to market (45 percent) or cost savings by preventing defects (39 percent). However, many organizations still do not demonstrate the business value of QA to the wider business, as they still mainly capture and report operational information such as the number of defects found (73 percent) or cost per test case (55 percent). Additionally, 45% of those surveyed are involving testing leads too late in the delivery process to influence application quality beyond just finding and fixing defects.

For those organizations struggling to improve the maturity of their in-house QA function, the outsourced Managed Testing Services (MTS) model is an emerging option, with 12% turning to MTS providers to bring not just labor, but specialized knowledge of testing processes and a full array of tools to test with maximum efficiency to demonstrate ROI effectively. For example, when it comes to outsourcing their mobile application testing, the capacity to test across a wide range of platforms and devices is rated as the most important capability (60 percent), reflecting the need to ensure coverage across a broad variety of environments which many internal QA functions cannot deliver.

“With the research findings showing that almost a quarter of IT budgets are now being allocated to Testing and QA activities, measuring the ROI to the business based on financial as well as IT operational metrics is becoming ever more important,” said Matt Morgan, vice president, Product Marketing, Software, HP. “For organizations to take a more strategic approach to testing and QA, they need to have better visibility and reporting to illustrate both operational and business information value.”

Additional Resources: Watch the HP webinar “Emerging Trends in Testing: Conclusions from the World Quality Report 2013-14” on October 2 at 1 p.m. ET.

About the World Quality Report 2013-14

The World Quality Report 2013-14 is the fifth in a series of surveys examining the state of application quality and testing practices across industries and geographies. Since 2009, the Capgemini Group and HP have published the report to provide insight into the latest trends in application quality, methodologies, tools, and processes. As in previous years, the report includes detailed profiles on the state of QA in a number of specific industries: Consumer Products, Retail, and Distribution; Energy and Utilities; Financial Services; Public Sector; and Telecommunications, Media, and Entertainment. The report also examines IT trends and quality practices from a regional perspective with separate sections covering: Australia and New Zealand; Benelux; Brazil; China; Eastern Europe (Czech Republic, Hungary and Poland); France; Germany; The Nordics (Sweden, Finland, Denmark and Norway); North America and the UK.

The World Quality Report 2013-14 is based on a total of 1,500 detailed telephone interviews across 25 countries undertaken with CIOs, VPs of Applications, IT directors/managers and QA directors/managers within private companies, government and public sector organizations. This data was augmented by in-depth client interviews, and then analysis and commentary carried out by our own testing specialists and subject matter experts. Like last year, this report focuses on the enterprise market only, namely organizations with 1,000 or more employees locally to their region. The key goal of this report is to examine the state of application quality and testing practices across different industries and geographies.

About Capgemini and Sogeti

With more than 125,000 people in 44 countries, Capgemini is one of the world’s foremost providers of consulting, technology and outsourcing services. The Group reported 2012 global revenues of EUR 10.3 billion. Together with its clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore, its worldwide delivery model.

Sogeti is a leading provider of technology and software testing, specializing in Application, Infrastructure and Engineering Services. Sogeti offers cutting-edge solutions around Testing, Business Intelligence Analytics, Mobile, Cloud and Cyber Security. Sogeti brings together more than 20,000 professionals in 15 countries and has a strong local presence in over 100 locations in Europe, USA and India. Sogeti is a wholly-owned subsidiary of Cap Gemini S.A., listed on the Paris Stock Exchange.

Together Capgemini and Sogeti have developed innovative, business-driven quality assurance (QA) and Testing services, combining best-in-class testing methodologies (TMap and TPI) to help organizations achieve their testing and QA goals. The Capgemini Group has created one of the largest dedicated testing practices in the world, with over 12,000 test professionals (as of June 2013) and a further 14,500 application specialists, notably through a common center of excellence with testing specialists developed in India.

Learn more about us at:

www.capgemini.com/testing

www.sogeti.com/testing

Article source: http://www.darkreading.com/mobile/capgeminihp-report-reveals-half-of-compa/240161183

New Industrial Control Systems Cyber Security Certification In Development

BETHESDA, Md., Sept. 12, 2013 /PRNewswire-USNewswire/ — Global Information Assurance Certification (GIAC), a leading provider of cyber security certifications, and representatives from a global industry collaborative announce today that they have formed a community initiative to establish an open body of knowledge for Process Control Design and Information Technology Security. The objective of the collaborative, involving organizations which design, deploy, operate, and maintain industrial automation and control system infrastructure, is to develop a vendor-neutral certification to be known as the Global Industrial Cyber Security Professional (GICSP) to debut this fall. The GICSP will be available to candidates in late November 2013. For more information, please visit: http://www.giac.org/info/139030

“Protecting industrial control and automation systems from constantly evolving cyber security threats is a very challenging task shared by all involved stakeholders. The foundation for any successful program is the people involved in developing, designing, operating and maintaining these systems. We are therefore proud to be part of the creation of the first professional certification program for industrial control system cyber security. The effort did not only result in a certification program that will advance workforce development, but it is also an industry commitment to improve the security of our critical infrastructure,” stated Markus Braendle, Group Head of Cyber Security, ABB, Zurich, Switzerland.

Warnings about attacks on critical infrastructure have been circulating for years, but in recent years real threats have been identified and have had an identifiable impact on critical infrastructure assets and systems. Critical infrastructures, such as power utilities and the oil and gas industry, must keep the operational environment safe, secure and resilient against current and emerging cyber threats to maintain the safety of workers and the well-being of customers and the communities they serve. One of the key challenges these industries face is educating and certifying a workforce that needs to possess the knowledge, skills and abilities to securely deploy and maintain process control systems. The GICSP is being developed to meet this challenge.

“Managing cyber risk is an issue affecting the entire energy industry ecosystem and in order to effectively implement and sustain security controls on industrial infrastructure, we’re all reliant on a complex ecosystem of people (system vendors, project engineering contractors, process operators, IT service providers and maintenance/support personnel) who require a blended set of IT/Engineering/Cyber Security competencies – a skill-pool which is unique and scarce in today’s marketplace,” said Tyler Williams, Manager, PCD IT Security Solutions at Shell and Chair of the industry consortium. “Developing and maintaining this workforce can be a challenge for any one organization and that is why we support this collaborative effort to establish a community developed body of knowledge and certification program for industrial cyber security.”

GIAC and the industry leaders have worked to establish a panel of Subject Matter Experts (SME) to identify the knowledge, skills and abilities necessary to develop the certification objectives for the GICSP. The SME panel met in Houston, Texas in May 2013, to begin this process. A further outcome of the SME panel is to develop a Job Task Analysis survey, which is sent to a broad array of critical infrastructure participants to ensure the certification aligns to job duties. The GICSP expects adoption on a global basis as a gateway certification in the cyber security domain for industrial control systems.

“GIAC is actively engaging with industrial control systems (ICS) security and engineering experts to develop a broad based and foundational certification that will begin to prepare enterprises, global agencies and governments to mitigate and implement a process to address ICS cyber security concerns,” said Michael Assante, SANS ICS Director.

The global industry experts involved in this initiative include representatives from the following national and international companies:

— ABB
— BP
— Cigital
— Cimation
— Emerson Process Management
— Global Information Assurance Certification
— Industrial Automated and Control Systems Smart Grids Thematic Group, ERNCIP project, European Commission’s Joint Research Centre
— Invensys
— KPMG
— Pacific Gas Electric
— Phoenix
— Red Tiger Security
— Rockwell Automation
— SANS Institute
— Schneider Electric
— Shell
— TNO
— Wurldtech
— Yokogawa

About GIAC

Global Information Assurance Certification (GIAC) is a certification body featuring over 25 hands-on, technical certifications in information security.

GIAC has certified over 51,000 IT security professionals since it was founded in 1999. The GIAC program is accredited under the IEC/ISO/ANSI 17024 quality standard for certifying bodies. GIAC is an affiliate of the SANS Institute.

(www.GIAC.org)

Article source: http://www.darkreading.com/management/new-industrial-control-systems-cyber-sec/240161189

Experian Data Breach Resolution Releases Its 2013-2014 Response Guide

COSTA MESA, Calif., Sept. 12, 2013 /PRNewswire/ — Despite the increasing awareness around the rise in data breaches and potential damage, not all organizations are taking the necessary steps to mitigate the fallout from a cyberattack. According to a 2013 Experian Data Breach Resolution and Ponemon Institute study, Is Your Company Ready for a Big Data Breach?, nearly 40 percent of companies that experienced a breach say they have not developed a formal preparedness plan even after the incident. To help businesses and institutions get started, Experian Data Breach Resolution has released its updated 2013-2014 Data Breach Response Guide.

(Photo: http://photos.prnewswire.com/prnh/20130912/SF78361)

An excellent tool for any organization looking to develop a data breach response plan, the content is appropriate for professionals handling security, risk and compliance, as well as senior leadership and executives responsible for business continuity. It contains information on how to create a plan and what to do during the crucial first 24 hours of a breach. The guide also addresses how to notify customers, patients or employees and work with a data breach resolution partner. Additional content in the guide provides recent information on the HIPAA Omnibus Rule and a snapshot of upcoming federal legislation on breach notification laws.

The guide can be downloaded for free at http://www.experian.com/responseguide.

“A company of any size, across industries, can fall victim to a data breach, and it is never too soon to prepare a plan,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “This guide is a valuable resource that will help organizations assess their levels of preparedness and understand the required steps to take in managing a data breach.”

The 30-plus-page handbook includes practical checklists and forms. It also outlines many key steps to begin a data breach preparedness plan:

— Identify an incident response team lead: Start by selecting your incident lead. Think of someone from an internal or external legal department or a chief privacy officer. Your incident lead should be able to manage and coordinate the company’s overall response efforts and team and act as an intermediary between C-level executives and other team members to report progress and problems.
— Select the right people for the right roles: Determine who is on the response team and what their role would be in the wake of a breach. Include individuals from departments across the organization such as legal, human resources, marketing, compliance and information technology to ensure the appropriate stakeholders are at the table. Include the company’s key decision makers as advisers to your data breach response team to help ensure you have the needed leadership, backing and resources to properly develop and test your plan.
— Conduct preparedness training: In addition to a company-wide focus on data security and breach preparedness, department-specific training should trickle down from the data breach response team. Each member of the team has a unique responsibility to apply prevention and preparedness best practices to his or her own department.

For additional data breach resources, including Webinars, white papers, videos and more, visit http://www.experian.com/databreach.

Read Experian’s blog at http://www.experian.com/dbblog.

About Experian Data Breach Resolution
Experian is a leader in the data breach resolution industry and one of the first companies to develop products and services that address this critical issue. As an innovator in the field, Experian has a long-standing history of providing swift and effective data breach resolution for thousands of organizations, having serviced millions of affected consumers. For more information on the Experian Data Breach Resolution division at ConsumerInfo.com, Inc. and how it enables organizations to plan for and successfully mitigate data breach incidents, visit http://www.experian.com/databreach.

About Experian
Experian is the leading global information services company, providing data and analytical tools to clients around the world. The Group helps businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making. Experian also helps individuals to check their credit report and credit score, and protect against identity theft.

Article source: http://www.darkreading.com/attacks-breaches/experian-data-breach-resolution-releases/240161147

Intralinks Announces Latest Release Of Secure Enterprise Collaboration Solution Intralinks VIA

New York, N.Y., September 11, 2013 — Intralinks Holdings Inc. (NYSE: IL), a leading, global SaaS provider of inter-enterprise content management and collaboration solutions, today announced the latest release of Intralinks VIA™, its secure and scalable enterprise collaboration solution that helps organizations take lifetime control of their most important information and frees employees to reach new levels of productivity. The new release provides even greater visibility, governance and control over how an organization’s information is shared, while providing an easy-to-use experience that encourages collaborative working.

This latest release brings expanded capabilities for Intralinks VIA administrators, allowing them to gain control and manage policies that guide how users and business groups share and use information, all while providing complete visibility into their Intralinks VIA environment. For example, administrators can mandate the level of security that users must apply to their collaboration projects or can prevent certain users from syncing content with their personal devices.

“Working within the highly regulated healthcare industry, we needed a solution that provides the best security and controls, but was still simple to use for our employees, partners and customers,” said Simon A. Corman, director, Business Operations at IRB Services. “IRB Services independently approves, monitors and reviews biomedical and behavioral research involving humans and works with many of the largest pharmaceutical and research organizations. We needed a robust collaboration solution that protects the sensitive information we share with customers, and we knew we could trust Intralinks.”

Some of the additional capabilities available with this latest release include:

Setting policies for sharing work streams: Enables administrators to limit a business group’s ability to create specific types of work streams, providing a standard for security on documents. For example, administrators can disable business group users’ ability to share documents with public work streams and require that users create work streams with digital rights management enabled by default, which helps avoid inadvertent data leakage issues.

Determining on which desktop devices users can access their Intralinks VIA Drive: Enables administrators to track the devices a business group member uses to log in and, depending on the type of device, either allows or disallows access. Also enables administrators to disallow devices that were previously allowed – for example, if someone loses a laptop.

Enabling Remote Wipe: Allows administrators to remotely wipe all content from all synchronized devices that are no longer trusted or that fall outside of their control. Significantly, this feature works whether the device is online or offline.

Defining work stream archive dates: Enables administrators to easily comply with corporate archiving policies and manage the complete lifecycle of files.

Creating enhanced reports: Enables administrators to generate granular audit and usage reports that provide a holistic view of the Intralinks VIA environment. This facilitates IT teams’ efforts to comply with audit requirements and analyze business users’ usage of the application.

Provisioning trial accounts for new users: Enables administrators to easily self-manage accounts and add users for free trials or paid accounts for members of their business groups without needing to go back to an account team for service.

Built upon a proven technology used by over 99% of the global Fortune 1000, Intralinks VIA goes beyond file sharing to ensure that productive work gets done and protects that work wherever it travels. Intralinks VIA can be trusted by busy professionals as they work across a network of increasingly complex external business communities, knowing that they can UNshare™ access to shared content at any time with the click of a button, even after it has been sent beyond the firewall.

Pricing and Availability

This latest release of Intralinks VIA is immediately available as a free 30-day trial at http://www.intralinks.com/via.

About Intralinks

Intralinks Holdings, Inc. (NYSE: IL) is a leading, global technology provider of inter-enterprise content management and collaboration solutions. Through innovative Software-as-a-Service solutions, Intralinks solutions are designed to enable the secure and compliant exchange, control, and management of information between organizations when working through the firewall. More than 2.7 million professionals at 99% of the Fortune 1000 companies depend on Intralinks’ experience. With a track record of enabling high-stakes transactions and business collaborations valued at more than $23.5 trillion, Intralinks is a trusted provider of easy-to-use, enterprise strength, cloud-based collaboration solutions. For more information, visit www.intralinks.com.

Article source: http://www.darkreading.com/end-user/intralinks-announces-latest-release-of-s/240161146

Black Hat Announces First Ever West Coast Trainings Event

SAN FRANCISCO, Sept. 12, 2013 /PRNewswire/ — Today, Black Hat, the world’s leading family of information security events, announced the first ever West Coast Trainings. Over the course of four days, the security community’s brightest researchers will unleash highly technical, hands-on Training courses to attendees in downtown Seattle, Washington. These Trainings include many of the most popular courses from Black Hat’s events, as well as several new sessions on today’s latest research and intelligence. The event will take place December 9 – 12, 2013, at the Washington State Convention Center. For more information and to register, please visit http://www.blackhat.com/wc-13/.

“At the core, Black Hat’s mission is to encourage growth for information security enthusiasts at all levels in their professional careers,” explained Trey Ford, General Manager, Black Hat. “These Trainings are not for the faint of heart and offer an unprecedented opportunity for hands-on learning with some of the best in our community.”

Some highlights of the upcoming West Coast Trainings include:

— Advanced C/C++ Source-Code-Analysis: Leaf SR will teach students how to dive into large C/C++ source code projects to find exploitable memory corruption vulnerabilities armed with nothing more than a text editor.
— Advanced OSINT Target Profiling AKA OSINT Target Profiling Like a Pro: Shane MacDougall of JL Bond Consulting will outline a gamut of tools, websites, and procedures that every penetration tester/attacker should have in their toolkit, while showing that proper profiling can yield a huge lift for the attacker, all without sending a single packet to the target network.
— Hands-On Hardware Hacking and Reverse Engineering: Joe Grand of Grand Idea Studio, Inc., will teach hardware hacking and reverse engineering techniques commonly used against hardware products, including proper use of tools, circuit board analysis, embedded security and more.
— Pentesting with Kali Linux: Offensive Security, the team behind Kali, has re-written this course from the ground up to reflect the most modern and effective techniques that all penetration testers need to know.
— The Exploit Laboratory: Red Team: Saumil Shah will provide participants a hands-on approach to exploiting modern day operating systems, bringing students up to speed on the complexities of the exploit writing required.

As with all popular Black Hat courses, the West Coast Trainings will undoubtedly fill up quickly, as they were selected due to the high demand for their content. Be sure to reserve a spot in the Training course(s) of your choice while they are still available. You can find the full list of Trainings available here. Please visit the registration page for additional information.

Future Black Hat Dates and Events
— Black Hat Regional Summit, Sao Paulo, Brazil, November 26-27, 2013
— Black Hat Trainings, Seattle, Washington, December 9-12, 2013
— Black Hat Asia 2014, Singapore, March 25-28, 2014
— Black Hat USA 2014, Las Vegas, Nevada, August 2-7, 2014
— Black Hat Europe 2014, Amsterdam, The Netherlands, October 14-17, 2014

Connect with Black Hat
Twitter: https://twitter.com/BlackHatEvents – hashtag #BlackHat
Facebook: http://www.facebook.com/blackhat
LinkedIn Group: http://www.linkedin.com/groups?home=gid=37658
Flickr: http://www.flickr.com/photos/blackhatevents/

About Black Hat
For more than 16 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and Asia, and are produced by UBM Tech. More information is available at: http://www.blackhat.com.

About UBM Tech
UBM Tech is a global media business that brings together the world’s technology industry through live events and online properties. Its community-focused media and events provide expertly curated content along with user-generated content and peer-to-peer engagement opportunities through its proprietary, award-winning DeusM community platform. UBM Tech’s brands include EE Times, Interop, Black Hat, InformationWeek, Game Developer Conference, CRN, and DesignCon. The company’s products include research, education, training, and data services that accelerate decision making for technology buyers. UBM Tech also offers a full range of marketing services based on its content and technology market expertise, including custom events, content marketing solutions, community development and demand generation programs. UBM Tech is a part of UBM (UBM.L), a global provider of media and information services with a market capitalization of more than $2.5 billion.

SOURCE Black Hat

Article source: http://www.darkreading.com/black-hat-announces-first-ever-west-coas/240161193

Cisco And Mobile Work Exchange Launch Secure Mobility Self-Assessment Tool

Mobile Work Exchange Town Hall Meeting, Washington, D.C., September 12, 2013 – Mobile Work Exchange℠, a public-private partnership focused on demonstrating the value of mobility and telework, today launched the Secure Mobility Hot Zone, which includes a self-assessment tool and mobile security resource center, in coordination with Cisco. In 2013, mobile-connected devices will exceed the world’s population[1]. With skyrocketing adoption, recent Mobile Work Exchange research shows 55% of Federal smartphone users use their personal phone for work[2]. This begs the question: are we secure? Within the Hot Zone, Mobile Work Exchange developed the Secure Mobilometer, a self-assessment for individuals and organizations to better understand their security pressure points and vulnerabilities.

The Secure Mobilometer allows employees and organizations to understand their mobility pitfalls and take the next steps to help ensure that they are safe and secure in the future. Mobile Work Exchange conducted extensive research to understand risky habits of both end users and organizations in a mobile environment. Criteria are based on a weighted scale and include factors such as password protection, data loss prevention, bring your own device policies, and IT and security training.

“With a growing demand for a more mobile work environment, agencies need to optimize security in granting access to IT networks, mission-critical information, and resources to better protect, serve, and educate citizens,” said Charles “Charlie” Garcia, Cisco enterprise networks and security operations director, U.S. Public Sector. “IT departments need to know who is accessing the network remotely, what type of devices they are connecting from, and what information they seek. The Secure Mobility Hot Zone enables users and IT organizations to validate their security and take corrective measures to help ensure they are providing the safest mobile environments.”

In addition to the assessment, the Secure Mobility Hot Zone program offers an aggregate calculator that accrues key end-user and organization information, as well as a resource center and the option to connect with mobility experts on the topic.

“With the recent surge in mobile device use and the associated, evolving threat, the need for security is more critical than ever,” said Cindy Auten, general manager of Mobile Work Exchange. “The Secure Mobilometer is unique in that it allows organizations and individuals to instantly assess pitfalls and receive real-time feedback to take corrective action for the future. It is critical that we continue to support the growing mobile workforce and ensure security is always top of mind.”

For more on the latest secure mobility resources or to test your secure mobility pressure, please visit www.mobileworkexchange.com/hotzone.

About Mobile Work Exchange

Mobile Work Exchange, the new Telework Exchange, is a public-private partnership focused on demonstrating the value of mobility and telework, and serving the emerging educational and communication requirements of the Federal mobile/telework community. The organization facilitates communication to more than 33,000 Federal IT directors/managers, CIOs, CHCOs, telework managing officers, and key stakeholders, all focused on building a sustainable and effective mobile workforce. For more information on Mobile Work Exchange, please visit www.mobileworkexchange.com or follow us on Twitter @MobileWorkX.

Article source: http://www.darkreading.com/vulnerability/cisco-and-mobile-work-exchange-launch-se/240161194

IT Pros Lack Security Management Support, Budget & Training

AUSTIN, TX – September 12, 2013 – SolarWinds (NYSE: SWI), a leading provider of powerful and affordable IT management software, in conjunction with SANS, today released the results of a security survey* of more than 600 IT professionals representing a broad range of industries and organization sizes. The survey was conducted to identify the impact of security threats and the use of security analytics and intelligence to mitigate those threats.

Survey findings:

Survey respondents generally agreed that support for managing security today was inadequate. Many are working with a limited budget to manage “information security, compliance and response,” with nearly half of respondents reporting that they spend 20% or less of their IT budget on security. A majority also expressed a need for greater security data visibility and context, and said they plan to invest in training to address those issues.

Targeted attacks that are missed by antivirus and other point solutions were a problem for most respondents. Forty-five percent of respondents reported that in the past two years their organization experienced one or more attacks that were difficult to detect. Another 21% reported that they lacked enough visibility to even answer the question.

Reported “difficult to detect” attacks took, on average, one full week to detect. The root cause was usually visibility, with specific causes such as:

Not collecting appropriate operational and security data

Lack of context to observe normal behavior (and set baselines)

Lack of system and vulnerability awareness

IT pros seeking to avoid breaches used data from a variety of sources in their security analytics. The data most frequently used included:

Log data from networks and servers

Network monitoring data

Access data from applications and access control systems

In the next 12 months, respondents said they also plan to use the following data to improve their security monitoring:

Security assessment data from endpoint, application and server monitoring tools

Monitoring and exception data pertaining to internal virtual and cloud environments

Access data from applications and access control systems

IT pros plan to invest in the following to get better visibility and response through security analytics and security intelligence:

SIEM tools

Training

Vulnerability management

“Since the responsibility of securing IT is not just the role of a security expert anymore, it’s important for all IT pros to be equipped to tackle security challenges,” said Sanjay Castelino, VP and Market Leader, SolarWinds. “For IT pros that don’t have a lot of time or budget to invest in managing security, we offer affordable and easy-to-use tools that provide visibility and insight right out of the box. Along with SolarWinds’ wider suite of IT management products, our security products have a broad set of features and functionality built in, making security and compliance management accessible to all.”

Security Management for Every IT Pro, Organization

Security is everyone’s problem. For IT pros that don’t spend their day thinking about security yet need the tools to tackle everyday operational security challenges, SolarWinds offers a number of powerful, easy-to-use and affordable products with out-of-the-box security and threat management. From Security Information and Event Management (SIEM) to firewall and patch management and more, IT pros can assess their environments and deploy SolarWinds’ IT management products on a need-by-need basis to achieve end-to-end security visibility, including:

SolarWinds Log Event Manager (LEM) – SIEM; real-time event correlation, endpoint data loss monitoring, active threat responses

SolarWinds Firewall Security Manager (FSM) – Firewall auditing and configuration management

SolarWinds Patch Manager – Endpoint vulnerability management

SolarWinds User Device Tracker (UDT) – Network user and device tracking

SolarWinds Serv-U Managed File Transfer (MFT) Server – Secure file sharing and file transfer

Join SolarWinds at SANS Network Security 2013 Las Vegas

Network Security attendees are invited to stop by booth No. 14 on September 18 to see live demos and to learn from the product experts about SolarWinds LEM, SolarWinds FSM, SolarWinds Patch Manager, SolarWinds UDT, and SolarWinds MFT Server, and to grab some geeky gear.

*The survey was conducted from June 10 – July 19, 2013, resulting in 647 survey responses from IT practitioners, managers and directors in the U.S. and Canada from public- and private-sector small, mid-size and enterprise companies. Public-sector specific results available upon request.

About SolarWinds

SolarWinds (NYSE: SWI) provides powerful and affordable IT management software to customers worldwide from Fortune 500 enterprises to small businesses. In all of our market areas, our approach is consistent. We focus exclusively on IT Pros and strive to eliminate the complexity that they have been forced to accept from traditional enterprise software vendors. SolarWinds delivers on this commitment with unexpected simplicity through products that are easy to find, buy, use and maintain while providing the power to address any IT management problem on any scale. Our solutions are rooted in our deep connection to our user base, which interacts in our online community, thwack, to solve problems, share technology and best practices, and directly participate in our product development process. Learn more today at http://www.solarwinds.com/.

Article source: http://www.darkreading.com/management/it-pros-lack-security-management-support/240161148

Adobe has Patch Tuesdays, too

Naked Security reader Haemish Edgerton just gave us a very polite but effective scolding (Linus Torvalds, take note!) for neglecting to mention the Adobe fixes that came out on Tuesday.

As Haemish pointed out:

I realize that the Apple iPhone 5S fingerprint sensor was automatically going to get a lot of attention in the context of security, but Adobe updates are important too :)

Sorry, Haemish.

For the record: there were three bulletins, four platforms affected (Windows, Linux, OS X and Android), five products updated, and fourteen vulnerabilities (CVEs) covered.

The bulletins are: APSB13-21, APSB13-22 and APSB13-23.

All three bulletins list the vulnerabilities as potentially exploitable for Remote Code Execution (RCE), or, in Adobe’s own words, as bugs that could “allow an attacker to take control of the affected system.”

As is often the case with Adobe’s updates, there are lots of version numbers to take into account.

That’s especially true of Flash Player, where it seems that the product’s source code for the various platforms supported is currently at a wide range of different stations in Adobe’s railway network. (Platforms. Stations. Geddit?)

Here is what to look for if you want to see if you are vulnerable:

Confused?

Spare a thought for the guys in Adobe Quality Assurance!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mCONtaVgUh0/

Should employees be punished for sloppy cyber security? [POLL]

Assume that it’s time for Bob’s performance review.

Bob’s boss says he’s a great addition to the team. Easy to work with!

And the sales numbers? Hot mama, Bob’s smokin’! Mr. Bob surely has worked himself toward a big, fat raise!

Or not. Bob would have gotten a raise, that is, but he got fooled by a phishing email and unwittingly invited the bad guys in through the front door, torpedoing Widget Industries Ltd’s multimillion-dollar investment in security systems.

Fiction! But can you imagine if this were really the way employees were assessed? They answer a phishing scam email, they trigger a major security breach, and then they’re held accountable?

This is an approach that big companies might actually think of adopting, according to Dave Clemente, a research associate in the field of security who works at Chatham House, a London-based think tank on international affairs.

Speaking to Business Reporter, Clemente suggested that reprimands, at the very least, might help companies whose employees undo millions of dollars of security expenditures by doing something as simple as opening a bad email:

Even if it’s innocent, you can spend millions on firewalls and one of your employees can undo that by opening a dodgy email. … One idea would be to encourage employees to be more careful. You could have a system where, if you open two or three of them [phishing emails], you get a reprimand.

I think people would comply, particularly if your behaviour regarding cyber security was linked to your annual assessment.

Of course, beyond the misdeeds of Bob and his ilk are the security disasters that companies manage to bring down a bit more systematically onto their own heads, particularly when jumping on the bandwagon for new trends and technologies without first figuring out the security implications, Clemente says:

For bigger companies, one problem is efficiency drives which push companies into insecure behaviour, like moving into the cloud or doing BYOD [Bring Your Own Device] before you realise the security implications, because everyone else is doing it. It’s done as a reaction to what other people are doing and done without being integrated into the company’s technology strategy.

Moving data to the cloud can be particularly tempting to small firms with limited resources who struggle with the burden of dealing with cyberthreats, Clemente noted.

It’s not such a bad idea, given that cloud services can have a decent amount of security, he said, but the downside is that small businesses lose control over data stored in someone else’s hands.

If we move toward holding employees accountable for goofy clicking, should C-level types likewise be held accountable for security fiascos that erupt out of their jumping on technology bandwagons such as BYOD and cloud services?

Call me a liberal weenie, but I’d suggest that decent training might produce better effects than whipping employees.

It all reminds me of a July 2012 article by Immunity Inc. CEO Dave Aitel in which he discussed whether security training might be futile.

Aitel said at the time that in spite of a conscientious approach to security training, his clients still have, on average, a click-through rate for client-side attacks of at least 5 to 10 percent.

Even the training software his clients use has “glaring flaws,” he said, including SQL injection and cross-site scripting – the two most common vulnerabilities in OWASP’s Top 10 list of application security risks.

What’s the answer? Reprimands? Performance assessments that take people to task for security snafus?

I’d say no. I’d suggest that better training might be the way to go.

After all, there are scads of training success stories, many of them posted in reply to Aitel’s PCWorld article.

What do you think? Should we put scam-clicking employees in stocks and toss tuna sandwiches at them, or is there a better way to improve security?

Let us know in the poll below:

Take Our Poll

Image of Employee Shouting courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tQRlmROWj4E/

IETF floats plan to PRISM-proof the Internet


The Internet Engineering Task Force (IETF) has posted “PRISM-Proof Security Considerations” aimed at making it much harder for governments to implement programs like the PRISM effort whistleblower Edward Snowden exposed as one of the tools in the NSA’s spookery toolbag.

The proposal has just one author – Phillip Hallam-Baker of the Comodo Group – which makes it a little unusual, as most IETF proposals are the work of several people in pursuit of a common goal. The document is only a draft that its author hopes will one day reach the IETF standards track, so it carries little weight at present.


The proposal suggests the internet be re-engineered with “a communications architecture that is designed to resist or prevent all forms of covert intercept capability. The concerns to be addressed are not restricted to the specific capabilities known or suspected of being supported by PRISM or the NSA or even the US government and its allies.”

Sadly the paper is a little light on actual ideas about how the internet can be PRISM-proofed, offering “a security policy infrastructure and the audit and transparency capabilities to support it” as one item that should be on any hardening effort’s to-do list. More use of cryptography is also proposed, in the form of “two layers of public key exchange using the credentials of the parties to negotiate a temporary key which is in turn used to derive the symmetric session key used for communications”. That regime should, Hallam-Baker suggests, make it harder to snoop on everyday traffic. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/12/ietf_floats_prismproof_plan_for_harder_internet/