STE WILLIAMS

Agiliance Adds BI Training For Its Risk Management Platform

SUNNYVALE, Calif. – August 27, 2013 – Agiliance, Inc., the leading independent provider of Integrated Risk Management solutions for Governance and Security programs, today announced it is offering a four-day virtual training program on advanced techniques for using the Jaspersoft™ business intelligence engine within the Agiliance RiskVision™ integrated risk management platform. The training will be provided by Column Technologies, Inc., a global Jaspersoft Authorized Learning Partner and Solution Provider.

Column Technologies, on behalf of Agiliance, will provide virtual and on-premise (upon request) Jaspersoft training services to Agiliance RiskVision customers to help them maximize the return on their software investment.

“We are pleased to have been selected by Agiliance as their training partner and look forward to working with Agiliance RiskVision customers that are using the Jaspersoft engine. Without training, many organizations fail to realize the full potential of their enterprise IT investments,” said Sam Friedman, business intelligence practice manager at Column Technologies. “We have helped hundreds of companies deploy departmental, enterprise, or embedded business intelligence solutions.”

With the release of Agiliance RiskVision 6.5 SP1, Agiliance embedded the Jaspersoft business intelligence engine in its integrated risk management platform to enable customers to analyze risk across terabytes of data and hundreds of sources. This BI reporting tool, which can be used to create a broad variety of reports, was mentioned as a valuable addition to Agiliance RiskVision in a recent Gartner report titled “MarketScope for IT Governance, Risk and Compliance Management” (1). Agiliance received its fourth consecutive “Strong Positive” rating in this annual report.

“We are always looking for ways to innovate and increase the value we offer to our customers, which includes working with a world-class training partner like Column Technologies,” said Torsten George, vice president of marketing, products, and support at Agiliance. “They have a proven track record for delivering advanced training solutions based on feedback we received from their customers and partners. We look forward to a long and successful partnership.”

Agiliance Jaspersoft Training sessions will begin on September 16th as a virtual class. Additional sessions will be scheduled on a regular basis and listed on both companies’ websites. For more details, please visit http://www.agiliance.com/services/education_courses.html.

About Column Technologies

Column Technologies is a global provider of infrastructure management and business intelligence solutions that help organizations better manage their internal and external services. The company provides infrastructure and customer support applications, application development, consulting, managed services, and training. Column implements only a select group of business processes and technologies. The team understands business processes and how they map back to the underlying technologies. The integrated process and technology approach enables quick delivery of solutions. Column has offices in the United States, Canada, the United Kingdom, South Africa, India, Singapore, Australia, and a worldwide partner network. Column is a global Jaspersoft Authorized Learning Partner and Solution Provider.

About Agiliance

Agiliance is the leading independent provider of Integrated Risk Management solutions for Governance and Security programs. Agiliance RiskVision is automating how Global 2000 companies and government agencies achieve continuous monitoring of big data across financial, operations, and IT domains to orchestrate incident, threat, and vulnerability actions in real time. Agiliance RiskVision customers demonstrate automation use cases within 30 days on-demand, and within 60 days on-premise, made possible by a configurable platform and applications, broad library of technology integrations, and vast domain and regulatory content. Agiliance RiskVision scales with businesses, effectively managing assets, data, people, and processes to achieve 100% risk and compliance coverage. Its real-time risk analysis leads to optimized business performance and better investment decisions. For more information, please visit www.agiliance.com.

Article source: http://www.darkreading.com/management/agiliance-adds-bi-training-ror-its-risk/240160515

Don’t Be The Tortoise

The fable of the Tortoise and the Hare has been passed on from generation to generation of children for over 2500 years. Most of us first hear it while curled up in our parents’ laps, or perhaps as one of our first story times at school. The tale, as most commonly interpreted, tells us that slow, steady, and determined beats impulsive yet agile and quick.

Which is, of course, absolute rubbish. Just ask Usain Bolt. Or stick a tortoise and a hare in front of a bear and see what happens. Go ahead, I’ll wait.

The security profession is entering what is most likely the most challenging period we have ever faced, as both a community and industry. The challenge isn’t from Chinese hackers, Russian cybercriminals, or the NSA, but rather from the decisions being made by the organizations we protect. Our infrastructure, architectures, creation, delivery, and consumption models are changing more rapidly and to greater extremes than ever before. More than the move to desktop computing. Greater than our adoption of the Internet.

I’m about to jump on the soap box for a bit and get all motivational, but before you think I’m all preachy, keep in mind that I don’t have anything personally invested in whatever decision you make, but this is sure as heck how I’m planning my own future.

Much of this is encapsulated in the concept of DevOps; the collapse of traditional development and operational silos to enable more agile and rapid delivery models. Powered by cloud and mobile computing, using concepts like “immutable servers” and continuous delivery, it really is a different way of creating, releasing, and supporting applications. Everyone from Netflix to staid financial institutions is adopting DevOps, to different degrees, and we are creating a generation of developers and administrators that are highly unlikely to go back to “old” ways of doing things.

DevOps evolved to support highly competitive Web-based properties. In some cases it translates to dozens of software releases in a day, often pushed from development to production directly by the programmers. But the techniques are also used for more staid applications, like programmatically managing the configuration of thousands of servers using tools like Chef and Puppet, far more effectively than our more-traditional configuration management tools, which are better oriented to workstations.

DevOps brings tremendous security benefits, especially in the area of resiliency. A server acting up? Don’t bother debugging, just kill it and replace it with a new version and zero downtime. Managing developer keys on thousands of servers? There’s a script and a secure data bag for that. System compromised? Quarantine and snapshot it with a couple of command lines, then redirect everything to a new, secure server with completely different credentials, in under 30 seconds. We manage our infrastructure more dynamically with code, templates, and automation.

The problem is that the security profession and providers are, generally, not attuned to working in a model of continuous change. We rely on standards, scanners, and slowing the rate of change to allow us to understand and implement appropriate security controls. We do this using tools with user interfaces that require ongoing manual tuning. And all too few of us maintain our skills as programmers and administrators, especially when many of our best and brightest are drawn to offensive research and incident response.

I’ve been spending a lot of time the past few years talking with, and teaching, security pros about cloud computing, mobility, and the rise of DevOps. I am met with far too many blank stares. And when I go into some of these organizations, I realize that the security team has no visibility into the implementation of many security functions, which the DevOps teams are now managing on their own.

It isn’t that security professionals (and providers) aren’t keeping up with any particular technology, it is that we are falling behind a cultural, architectural, and workflow shift that is only going to become more dominant. Why? Because it works. Companies deliver faster, things break less, and when they do they are fixed more quickly and cheaply.

I’m a pragmatist. This isn’t happening equally everywhere, and the world isn’t about to end. This isn’t a call to arms to change the industry, nor a criticism that security “isn’t getting it.” We have so much on our plates we don’t have time to keep up with every new little trend.

But consider this a piece of professional advice. If you want a long, fulfilling, and successful career in security, it’s time to learn some DevOps skills and adapt to that operational model. The hare isn’t slowing down anytime soon, and there sure seem to be a lot more bunnies than tortoises out there.

Article source: http://www.darkreading.com/management/dont-be-the-tortoise/240160523

Small Business Authority’s Survey Shows Overwhelming Majority of Independent Business Owners Believe Their Website Is Secure

NEW YORK, Aug. 28, 2013 /PRNewswire/ — Newtek Business Services, NASDAQ: NEWT, The Small Business Authority, with a portfolio of over 100,000 business accounts, announced today the findings of its SB Authority Market Sentiment Survey, a monthly window into the concerns of independent business owners. Based on a poll of over 2,700 respondents, one of the key findings from the August survey is 86% of business owners feel that their current website is secure.

Additionally, of those polled, 41% believe their website is the prime revenue driver for their business.

The full August 2013 results showed the following:

Poll Question                                                 Poll Answer   2013 Percentage
Do you feel that your current website is secure?              Yes           86%
                                                              No            14%
Is your website the prime revenue driver for your business?   Yes           41%
                                                              No            59%

Barry Sloane, Chairman, President and CEO of The Small Business Authority commented, “We value the responses our clients give us regarding their needs, concerns and business sensitivities. We do believe that our independent business owners are not very concerned about cyber-security, even though they should be.

Ironically, they do value their internet presence as an extremely important aspect of their business but seem to have a casual attitude regarding the secure nature of their content and data.”

About Newtek Business Services, Inc.

Newtek Business Services, The Small Business Authority, provides the following products and services:

— Newtek Advantage(TM): Mobile real-time operating platform for business intelligence. The Newtek Advantage(TM) puts all critical business transactions in real-time. Access data on your smartphone, tablet, laptop or PC as it relates to eCommerce for credit/debit transactions, website statistics, payroll, insurance and business loans.

— Electronic Payment Processing: eCommerce, electronic solutions to accept non-cash payments, including credit and debit cards, check conversion, remote deposit capture, ACH processing, and electronic gift and loyalty card programs.

— Managed Technology Solutions (Cloud Computing): Full-service web host, which offers eCommerce solutions, shared and dedicated web hosting and related services including domain registration and online shopping cart tools.

— eCommerce: A suite of services that enable small businesses to get up and running on-line quickly and cost effectively, with integrated web design, payment processing and shopping cart services.

— Business Lending: Broad array of lending products including SBA 7(a) and SBA 504 loans through our lending subsidiary, Newtek Small Business Finance, Inc.

— Insurance Services: Commercial and personal lines of insurance, including health and employee benefits in all 50 states, working with over 40 insurance carriers.

— Web Services: Customized web design and development services.

— Data Backup, Storage and Retrieval: Fast, secure, off-site data backup, storage and retrieval designed to meet the specific regulatory and compliance needs of any business.

— Accounts Receivable Financing: Receivable purchasing and financing services.

— Payroll: Complete payroll management and processing services.

The Small Business Authority is a registered trade mark of Newtek Business Services, Inc., and neither is a part of or endorsed by the U.S. Small Business Administration.

Newtek Business Services, Inc., The Small Business Authority, is a direct distributor of a wide range of business services and financial products to the small- and medium-sized business market under the Newtek(TM) brand. Since 1999, Newtek has helped small- and medium-sized business owners realize their potential by providing them with the essential tools needed to manage and grow their businesses and to compete effectively in today’s marketplace. Newtek provides its services to over 100,000 business accounts and has positioned the Newtek(TM) brand as a one-stop-shop provider of such business services.

According to the U.S. Small Business Administration, there are over 27.5 million small businesses in the United States, which in total represent 99.7% of all employer firms.

Article source: http://www.darkreading.com/small-business-authoritys-survey-shows-o/240160557

Syrian Electronic Army Strikes Again In ‘Modern-Day Defacement’

The Syrian Electronic Army (SEA)’s hijacking late yesterday of the Internet domains of The New York Times, two Twitter services, and The Huffington Post’s UK site initially set off alarm bells over a potential domain-name system (DNS) security meltdown, but it appears the political hacktivist group’s modus operandi and mission were much more simple and straightforward.

It all started with a spearphishing email that duped a U.S. reseller of domain registrar Melbourne IT, which hosts The New York Times, Twitter, The Huffington Post, and other sites. But despite the SEA basically acquiring keys to the kingdom with potential access to Melbourne IT’s other high-profile domain customers, such as Google.com, Microsoft.com, Yahoo.com, Cisco.com, and Adobe.com, the hacktivists merely concentrated on controlling the domains of The New York Times, Twitter’s twimg.com image service and t.co URL-shortening service, and huffingtonpost.co.uk.

“There were tons of other domains [registered with Melbourne IT] that were a much better target. And they didn’t have a ‘lock’ in place — like mcafee.com, symantec.com, and cisco.com,” says HD Moore, chief research officer at Rapid7 and creator of Metasploit, who has been tracking the attacks. “They were really focused … The hack was really clunky, the redirects didn’t work for very long.”

What remains unclear is just what restrictions, if any, were in place for the compromised domain reseller to modify other domains under Melbourne IT’s purview, Moore says.

Moore says The New York Times’ email and other domains also were exposed in the attack, but it doesn’t appear the attackers went after them. “Any of the companies who did not have a lock in place would have been potentially vulnerable to unauthorized changes to their DNS servers, which, in turn, could allow incoming email to be stolen, which can also lead to rogue SSL certificates being created in their name via domain name validation,” he says.

A Cisco spokesperson says the company’s CSIRT team is working on locking down cisco.com with a registry lock.

Employing a so-called registry lock, a measure that Melbourne IT is now recommending for its high-profile customers, would have deflected the attack. A registry lock prevents the registrar, or any other registrar, from modifying the domain name or its contact information. Moore in his research found that twitter.com did, indeed, have such a lock in place, which saved the social network from massive disruption, but others did not.

In the past 16 hours, Moore found that the huffingtonpost.com, mapquest.com, patch.com, starbucks.com, techcrunch.com, tweetdeck.com, twimg.com, and vine.co domains, as well as others, all had applied the lock feature. Twitter’s t.co URL-shortening service that was hit by the attack has now been moved to a different registrar, he says.

There’s no evidence the SEA altered any of the exposed domains, he says, but it would have been possible with the access they gained in the hack. “Things could have been much worse,” Moore says.

Among the domains hosted by Melbourne IT that have not been locked down as of this posting are adobe.com, barnesandnoble.com, bbandt.com, cisco.com, ibm.com, mcafee.com, norton.com, prnewswire.com, symantec.com, tweetdeck.com, and vmware.com, according to Moore’s data.

“For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain registries including .com – some of the domain names targeted on the reseller account had these lock features active and were thus not affected,” Melbourne IT said in a statement to its customers that was included in a blog post by Matthew Prince, co-founder and CEO of CloudFlare, a Web infrastructure and security company. “The credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne’s IT systems. The DNS records of several domain names on that reseller account were changed — including nytimes.com.”

Melbourne IT had not responded to requests for comment as of this posting. Several reports quote the registrar as confirming that the attack came from a spearphishing email sent to one of its resellers.

CloudFlare’s Prince also recommends using a registry lock on domains. “There is one sensible measure that domains at risk should all put in place immediately. It is possible to put what is known as a registry lock in place for your domain. This prevents even the registrar from making changes to the registry automatically. If you run a whois query against your domain, you can see if you have a registry lock in place if it includes three status lines: serverDeleteProhibited, serverTransferProhibited, and serverUpdateProhibited,” Prince said in his post.

The trade-off of employing a registry lock is that it makes automatic renewal more complicated. “There is more administrative overhead,” says David Ulevitch, CEO at OpenDNS. “It can be super-effective, and it can also be a pain. The trade-off is flexibility … that’s the nature of security.”
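The whois check Prince describes above can be scripted so that every domain an organization owns is verified on a schedule rather than at renewal time. The following is an added example, not code from the article or from any of the companies it quotes. It parses the "Domain Status:" lines of a whois record, reports whether all three registry-lock statuses named in the article (serverDeleteProhibited, serverTransferProhibited, serverUpdateProhibited) are present, and separately flags the registrar-level client* statuses, which look similar but can be removed by the registrar itself and so would not have protected a domain managed through a compromised reseller account. The whois records are constructed samples, and the line format assumed is the common "Domain Status: <code> <EPP URL>" layout; some registries use a different layout and the regular expression would need adjusting.

```python
import re
from typing import Dict, Set

# The three EPP status codes that together indicate a registry lock,
# as listed in the article (Matthew Prince's whois check).
REGISTRY_LOCK_STATUSES = {
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
}

# Registrar-level ("client") locks: the registrar sets and can clear these,
# so they are weaker than a registry lock. Flagged separately so that an
# operator does not mistake them for the real thing.
REGISTRAR_LOCK_STATUSES = {
    "clientDeleteProhibited",
    "clientTransferProhibited",
    "clientUpdateProhibited",
}

# Assumed line format: "Domain Status: <code> <optional EPP URL>" or a bare
# "Status: <code>". Real whois output varies by registry.
STATUS_LINE = re.compile(r"^\s*(?:Domain\s+)?Status:\s*([A-Za-z]+)", re.IGNORECASE)


def parse_statuses(whois_text: str) -> Set[str]:
    """Collect every EPP status code found in a whois record."""
    statuses = set()
    for line in whois_text.splitlines():
        match = STATUS_LINE.match(line)
        if match:
            statuses.add(match.group(1))
    return statuses


def assess_locks(whois_text: str) -> Dict[str, object]:
    """Report whether the record shows a full registry lock and what is missing."""
    found = parse_statuses(whois_text)
    missing = sorted(REGISTRY_LOCK_STATUSES - found)
    return {
        "registry_locked": not missing,
        "missing_registry_statuses": missing,
        # True when only registrar-level locks exist: protection is incomplete.
        "registrar_lock_only": bool(found & REGISTRAR_LOCK_STATUSES) and bool(missing),
        "statuses": sorted(found),
    }


# Constructed sample whois records (not real registry data).
LOCKED_SAMPLE = """\
Domain Name: EXAMPLE-LOCKED.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.EXAMPLE-LOCKED.COM
"""

UNLOCKED_SAMPLE = """\
Domain Name: EXAMPLE-UNLOCKED.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE-UNLOCKED.COM
"""


if __name__ == "__main__":
    for name, record in (("locked", LOCKED_SAMPLE), ("unlocked", UNLOCKED_SAMPLE)):
        result = assess_locks(record)
        print(name, result)
```

In a monitoring job the constructed records would be replaced by the output of a whois lookup for each domain in the inventory, and any domain whose result is not registry_locked, or whose statuses or name servers changed since the last run, would raise an alert; that is the "regularly confirm you still own them" check Moore recommends later in the article, in script form.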

Malware Mystery
Meanwhile, the malware component of the attack still has security researchers baffled. The New York Times’ URL was redirected to a malware-poisoned site, which was up and down during the attack.

The fact that the SEA incorporated a malware redirect is “significant,” says Andre DiMino, a security researcher with DeepEnd Research. “If their sole purpose was to deface and get their message out, yet they are still piggybacking malware redirection to monetize [their attack], that’s a significant development.”

DiMino says without knowing what the malware is or does, it’s difficult to determine what this twist to the attack means.

It’s not clear why the malware was involved, Rapid7’s Moore says. It could have been in place to set up a longer-term attack, he says, but given how short the malware site was up and running, it wouldn’t have made much of an impact.

“From 3 p.m. and on, the website only loaded once or twice,” Moore observed.

The one sure thing is that the end user continues to be the weakest link, and phishing remains the tried-and-true method of snaring victims. “You can have all the technical controls, patching, and pen test your networks to death. But just a simple email that looks really great allows access to the network,” DeepEnd Research’s DiMino says.

Know Your Registrar
The SEA’s attacks were a vivid reminder of the delicate trust relationship with a domain registrar, one that is often forgotten until it’s time to renew the domain registration. The way the attackers breached The New York Times and the others via Melbourne IT and gained control of its registry records is a supply chain wake-up call, experts say.

“It makes it all the more compelling for companies today — to understand and secure the digital linkages they’re making with their partners, suppliers, social networks, and content vendors, as in this particular case. The application layer remains an easy target that hackers exploit to retrieve the company’s most sensitive data, financial information, and records,” says Bala Venkat, chief marketing officer for Cenzic.

Rapid7’s Moore recommends keeping tabs on your domains and regularly confirming that you “still own them.”

[From the Washington Post and CNN to the Twitter feeds of the Associated Press and Reuters, hacktivists have news outlets — and their social-media presence — in their crosshairs. See How Hacktivists Have Targeted Major Media Outlets.]

The relatively good news was that the SEA, which supports Syrian president Bashar al-Assad, kept to its hacktivist roots. “They were brilliant and stupid at the same time,” OpenDNS’s Ulevitch says, noting how the redirected URLs struggled to remain online. A worst-case scenario would have been that they would have used their attack to embed a zero-day Flash exploit via Twitter and amassed a 10 million-host botnet, he says.

“It was high-profile, certainly — they got a lot of publicity for it,” Ulevitch says. “But there aren’t a lot of IT admins cleaning up today because 10 million computers were infected by a botnet.”

“This was more of a modern-day defacement than a real intrusion,” Rapid7’s Moore says.


Article source: http://www.darkreading.com/attacks-breaches/syrian-electronic-army-strikes-again-in/240160551

StrikeForce Technologies Inc.’s GuardedID Keystroke Encryption Patent Granted

Edison, NJ (August 28th, 2013) – StrikeForce Technologies, Inc. (SFOR.OB), a company that specializes in Cyber Security for the prevention of Data Breaches, announced today that it has received an official Notice of Allowance from the United States Patent Office stating that its patent application “Methods and apparatus for securing keystrokes from being intercepted between the keyboard and a browser” has been allowed for issuance as a patent.

“We are extremely excited about getting the patent for our GuardedID Anti-Keylogging Keystroke Encryption technology,” says Mark L. Kay, CEO of StrikeForce. “GuardedID is in a league of its own. It proactively encrypts each and every keystroke typed on a keyboard. One thing that all security experts can agree on is that the use of encryption is the best way to protect your data,” says Kay, “and until GuardedID, there wasn’t any way to encrypt data at the point of origin, when typed on a keyboard including our Cryptocolor user visualization feature.”

Prior to GuardedID, consumers and organizations relied on anti-virus software to keep them safe, but as the world has seen, anti-virus software is no match for today’s sophisticated hackers armed with zero-day threats. The growth in cybercrime is a staggering eye opener. A CNBC article published on August 14th, 2013, titled “The Threat from cybercrime? You ain’t seen nothing yet,” cited an estimate that cybercrime is now a $400 billion annual market and continually increasing. It was noted that a large portion of those annual losses were due to the lack of a real-time anti-keylogging solution.

“The timing of this patent couldn’t be more perfect for StrikeForce,” says Kay. “In addition to the almost six million people that have downloaded our keystroke encryption technology over the last several years, this patent enables us to expand on our current patent litigation strategy.”

About StrikeForce:

StrikeForce Technologies helps to prevent cyber security online. Its products help protect consumers and their families while banking and shopping online, and businesses in “real time” against data loss and breaches. StrikeForce Technologies, Inc. (SFOR.OB) is headquartered in Edison, N.J., and can be reached at www.strikeforcetech.com or by phone at (732) 661-9641 or toll-free at (866) 787-4542.

Article source: http://www.darkreading.com/authentication/strikeforce-technologies-incs-guardedid/240160565

Finjan Holdings Subsidiary Files Patent Infringement Lawsuit Against Blue Coat Systems

NEW YORK, Aug. 28, 2013 /PRNewswire/ — Finjan Holdings, Inc. (OTC MKT: FNJN) (the “Company”) today announced its subsidiary, Finjan, Inc. (Finjan) has filed a patent infringement lawsuit against Blue Coat Systems, Inc., alleging infringement of Finjan patents relating to endpoint, web, and network security technologies.

The complaint, filed Wednesday in the U.S. District Court for the Northern District of California, Oakland Division, alleges that Blue Coat Systems’ products and services infringe upon six of Finjan’s patents. In the complaint, Finjan is seeking undisclosed damages from Blue Coat.

Recognized internationally as a pioneer and leader in web and network security, Finjan’s decade-long investment in innovation is captured in its patent portfolio including 40 issued and pending patents with worldwide coverage, centered around software and hardware technologies capable of proactively detecting previously unknown and emerging threats on a real-time, behavior-based basis. Finjan has successfully licensed its patents to five major software and technology companies around the world.

For Additional Information: www.finjan.com

ABOUT FINJAN:

Finjan is a leading online security and technology company which owns a portfolio of patents, related to software that proactively detects malicious code and thereby protects end-users from identity and data theft, spyware, malware, phishing, trojans and other online threats. Founded in 1997, Finjan is one of the first companies to develop and patent technology and software that is capable of detecting previously unknown and emerging threats on a real-time, behavior-based basis, in contrast to signature-based methods of intercepting only known threats to computers, which were previously standard in the online security industry.

Cautionary Note Regarding Forward-Looking Statements:

This press release contains statements, estimates, forecasts and projections with respect to future performance and events, which constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended.

Those statements include statements regarding the intent and belief or current expectations of the Company and its affiliates and subsidiaries and their respective management teams. These statements may be identified by the use of words like “anticipate”, “believe”, “estimate”, “expect”, “intend”, “may”, “plan”, “will”, “should”, “seek” and similar expressions and include any projections or estimates set forth herein. Investors and prospective investors are cautioned that any such forward-looking statements are not guarantees of future performance and involve risks and uncertainties, and that actual results may differ materially from those projected in the forward-looking statements.

Important factors that could cause actual results to differ materially from our expectations include, without limitation, those detailed in our filings with the Securities and Exchange Commission (“SEC”). Neither the Company nor any of its affiliates undertakes any obligation to update any forward-looking statements for any reason, even if new information becomes available or other events occur in the future.

The Company will continue to file annual, quarterly and current reports, proxy statements and other information with the SEC. The filings with the SEC will contain important information regarding the Company, its business, financial condition, results of operations and prospects. One should assume that information contained in any of the filings with the SEC is only accurate as of the date specified in such filings. The business, financial condition, results of operations and prospects may have changed materially since any such date. One is advised to carefully review the “Risk Factors” set forth in the Current Report on Form 8-K filed with the SEC on June 3rd, 2013.

Article source: http://www.darkreading.com/end-user/finjan-holdings-subsidiary-files-patent/240160595

5 Factors Of Better SMB Security Software

The complexity of the information security threats, regulations, and risks to a small or midsized business (SMB) can make the selection of security software a complex task in itself. Thankfully, there are a great many solutions available to address the confidentiality, integrity, and availability concerns SMBs have for sensitive data and critical systems. Unfortunately, choosing the right one is not that simple.

To guide SMBs in the selection of security software, I have listed five factors to consider that will help to ensure not only that the software addresses the SMB’s concerns but also that it integrates effectively into the business. These are scalability, simplicity, integration, automation, and compliance.

1. Scalable: Mature security software has typically evolved to deploy into large organizations, integrate with other popular applications, and inherited functions derived from many customers over the years. If these same solutions cannot offer a model that scales (function and pricing) to the SMB, fitting these solutions into the SMB is typically more trouble than it’s worth. Security solutions aiming to address the concerns of the small business need to have a pricing model that scales, without a high cost for administrative consoles or other required elements.

2. Simple: “SMBs investing in security software should focus on solutions that are easy to set up, configure and maintain,” says Mark Austin of Avecto. Utilizing existing infrastructure and services such as Active Directory and avoiding the cost of additional servers are among the examples Mr. Austin cites.

3. Integrated: Software solutions that take advantage of existing infrastructure (e.g., servers, Active Directory) provide additional value to SMBs. Mr. Austin adds that “solutions that are configured through familiar management consoles, such as Group Policy, have a shorter learning curve than proprietary management consoles.”

4. Automated Updates: Given the changing threat environment and the frequency of flaws discovered in deployed software, it is imperative that these solutions can be set to apply updates automatically. Updates need to reach not just the consoles but the software on user desktops as well. Consoles should be able to force desktops to update and provide reporting for instances that are out of sync with the current updates.

5. Intuitive Compliance: Lastly is the issue of compliance. Far too many software solutions boast “PCI compliant,” “HIPAA/HITECH solution” and other claims without a reasonable explanation of what that means or assistance to get there. Software solutions that come with white papers or configuration guidelines that explain the regulation, what requirements this solution addresses, and how to configure the product to do so are in higher demand at SMBs.

Software solutions targeting the SMB market need to consider not only the functions of the software but the five (5) elements of software that make a good SMB solution, namely scalability, simplicity, integration, automation, and compliance.

Doug Landoll is the CEO of Assero Security, a firm specializing in SMB Security. You can follow him on Twitter as @douglandoll

Article source: http://www.darkreading.com/smb/5-factors-of-better-smb-security-softwar/240160604

HP Fortify Static Code Analyzer 4.0 Speeds Software Security Assessment By 10 Times

PALO ALTO, Calif. — HP today announced HP Fortify Static Code Analyzer (SCA) 4.0, delivering a new approach that enables organizations to assess the security of software up to 10 times faster than previous versions of the solution through more accurate and parallelized static application security testing.(1)

The explosive growth in new cloud and mobile technologies has significantly increased the demand for new software development. This in turn has put a strain on many organizations’ ability to do thorough security testing prior to application deployment. As a result, secure development practices have declined, decreasing the effectiveness of software vulnerability discovery. From 2011 to 2012, the total vulnerabilities disclosed increased by 19%,(2) and in a 2012 application survey, 99% of the applications tested had one or more serious security vulnerabilities.(3) Further, in the last five years, mobile application vulnerability disclosures have increased almost 800%.(2)

“Software security vulnerabilities are becoming more prevalent as the demand to support new technology needs escalates,” said Mike Armistead, vice president and general manager, Enterprise Security Products, Fortify, HP. “A holistic approach to software security is imperative, and with the HP Fortify portfolio, organizations have the ability to assess vulnerabilities across all of their software, assure security flaws are resolved before deployment, and protect applications from attacks once in production.”

Building on HP Fortify’s flagship offering, HP Fortify SCA 4.0 delivers a new approach to improving overall scan performance with heightened precision to support faster vulnerability detection and resolution. This approach enables the analysis of multiple software application threads in parallel to enable:

Ten times faster scans and reduced false positives by 20% over previous versions of the product, enabling organizations to evaluate more software at a quicker pace and with improved results.(1)

Improved software security intelligence reports that equip IT departments with risk-ranked lists of issues for mobile, web, client and server applications, ensuring the timely resolution of high-priority vulnerabilities.

Reduced application development time through more frequent security testing by enabling full application scanning without impacting development process.

Flexible deployment options to fit any organization’s business needs through either on-premises or on-demand access. HP Fortify SCA 4.0 is already powering faster, more accurate static application security assessments in the HP Fortify on Demand cloud-based application security-as-a-service solution.

HP was recognized as an IT leader in the Application Security Testing (AST) market by Gartner in the 2013 Gartner Magic Quadrant for Application Security Testing report.(4) By bringing together SPI Dynamics and Fortify Software, HP was instrumental in the creation of a combined category that includes both static and dynamic application security testing.

Additional information about HP Fortify listing as a leader in the 2013 Magic Quadrant for Application Security Testing can be found at www.gartner.com/technology/reprints.do?id=1-1GTXLFBct=130703st=sb.

Availability

HP Fortify SCA 4.0 will be available worldwide beginning September 2013.

HP’s premier EMEA client event, HP Discover, takes place Dec. 10-12 in Barcelona, Spain.

HP’s annual enterprise security event, HP Protect, will take place Sept. 16-19 in Washington, D.C.

Article source: http://www.darkreading.com/applications/hp-fortify-static-code-analyzer-40-speed/240160611

Talking Threats With Senior Management

Have you ever walked into your office after a nice relaxing weekend, and seen an article ripped out of an airline magazine sitting on your chair? You know, the article where they talk about small business fraud and how it’s now an epidemic. There are a few vendors quoted in there fanning the flames of FUD, talking about how vulnerable businesses are, and an analyst or two in their Chicken Little suit. Yeah, that’s a lot of fun — but it gets better. Then you read the sticky note on it that says: “Hey, saw this on my flight. What are we doing about this? Let’s talk. Signed, CEO”

Awesome. So you dial up the CEO’s admin and schedule a time to chat. The CEO has a 15-minute opening two days from now, will that work? Yup, and that means you have two days to figure out what you’re going to say. Of course, you present to the board once a quarter and have breakouts with the audit committee. But they want to know about the security program, the latest incidents, and the upcoming compliance audit.

Basically, at the board level, they are worried about covering their behinds and tend to focus your 15 minutes around that. For those presentations, you get to figure out what’s important for them to hear and how you want to position the message. The airline magazine situation is different. The CEO is worked up, since a bunch of other firms have lost significant money from computer attacks. She read all the FUD in the article and needs to understand whether these attacks could impact results or an upcoming deal that she can’t tell you about.

You’ve got a few choices. You could revisit your board presentation and reiterate what the program is about, your successes, and why you’ve got a handle on the situation. You want to seem in control and make it clear you aren’t concerned about some mass market nonsense on security published in an airline magazine. You could take a different approach and go through all of your operational metrics to provide substantiation that you don’t think there has been a big data loss and that you’ve got controls in place to deal with the attacks mentioned in the magazine.

Or you could go for the throat. A third option is to walk in and thank the CEO for finally paying attention to what you’ve been saying for years. That your team is underfunded, under-resourced, and the adversaries are getting much better. You could admit that you go into work every day wondering if today is the day you get popped. You worry that the decisions you made to protect certain resources to the exclusion of the others may have been wrong. And then you could ask for more funding and more resources.

Basically your third option is to tell the CEO the truth.

Here’s the deal: the CEO doesn’t want to know the truth. The CEO probably can’t handle the truth. I mean, they need to know a portion of the truth, but they don’t need to know how the sausage is made. If there are significant control deficiencies, you need to mention those, especially if they relate to the stuff in the airline magazine. But don’t make your points from the standpoint of fear or worry. The CEO doesn’t want to see the security person blink. Even if you need toothpicks to keep your eyes open after staying up all night dealing with the latest incident.

What you want to find is the middle ground. You can’t shy away from your concerns. But you don’t want to pull the fire alarm until you really need to. Start the discussion by addressing the issues presented in the magazine first and be very candid about what you can block and what you can’t, and why those decisions were made. Then you should take the opportunity to reiterate what you can do with your current level of funding and resources.

Then make the case for increased funding from the standpoint of a business decision. Remember the CEO makes resource allocations every day. She needs to decide whether to upgrade your perimeter defenses, deploy an anti-malware box, or build a new factory in Eastern Europe. So you need to talk in business terms and make the case for how increased security spend can impact corporate results, and be very specific about what you would do with the additional funding.

To be clear, your bosses may not be ecstatic that you’re going directly to the CEO with this kind of information. Understand they may have pet projects they’ve been pushing and you could put a wrench in their plans, especially if you make a good case. Of course, the CEO asked, so you had to answer, right? You had to tell the CEO what you thought, right? That should provide some air cover.

Ultimately, you have very limited opportunities to educate senior management about security and the threats your organization faces. When they do you a favor and ask the question, you should answer it. So you’ve got two days to get ready. Get to work…

Mike Rothman is President of Securosis and author of the Pragmatic CSO.

Article source: http://www.darkreading.com/vulnerability/talking-threats-with-senior-management/240160615

No Proof Of Malware In New York Times DNS Hijacking Attack

Dropping malware isn’t the usual M.O. for The Syrian Electronic Army (SEA): the pro-Assad hacktivist group is best known for loudly spreading its message–or even fake news–via hijacked high-profile websites and Twitter accounts of media and other organizations, not amassing bots or infecting machines. So when some security experts yesterday reported that malware may have been embedded in the Web pages the attackers redirected The New York Times website to, it signalled a possible shift in strategy by the group.

There is still no official confirmation whether the pages were infected, but security researchers at OpenDNS and AlienVault Labs say they did not see malware on the pages SEA used to redirect New York Times website traffic. The New York Times, meanwhile, has not yet ruled it out: in an email response today to a question about whether the newspaper could confirm that malware was present or not, a spokesperson for The New York Times said: “At this point, we are still investigating.”

[The Syrian Electronic Army (SEA)’s hijacking of the Internet domains of The New York Times, two Twitter services, and The Huffington Post’s UK site initially set off alarm bells over a potential domain-name system (DNS) security meltdown, but it appears the method and mission were much more simple and straightforward. See Syrian Electronic Army Strikes Again In ‘Modern-Day Defacement’.]

Matthew Prince, co-founder and CEO of CloudFlare, says there was some initial confusion yesterday as security experts worked via teleconference to investigate the attacks. The IP addresses used by SEA in the redirects were ones that were notorious for malware, which led to a misunderstanding that there was definitely malware on the pages. Prince and others on the call initially understood that OpenDNS had seen malware on the pages, which he clarified in an update late yesterday to his blog post detailing the genesis of the attacks.

It turned out that no one on the call had actually scanned for malware on the pages, so Prince says he updated his post to reflect the lack of malware evidence at this point. “There’d been malware on those IPs before, [but I’m] not sure whether there was at the time,” Prince says.

As his updated post explains: “Technical teams from CloudFlare, OpenDNS and Google jumped on a conference call and discovered the site to which the NYTimes.com site was redirected was in internet space (the IP addresses) full of phishing and possible malware, although no malware distribution was witnessed. (Earlier, this read: “…discovered what appeared to be malware on the site to which the NYTimes.com site was redirected.” The confusion was that the IP range contained malware and phishing according to scans run by OpenDNS. I misinterpreted that to mean that there was malware on the site itself.).”

Now that the dust has settled, security experts are more skeptical that the SEA used malware in the attacks.

“It seems like serving malware would be counter to their message,” says HD Moore, chief research officer at Rapid7 and creator of Metasploit. Moore says he had heard malware was present and he had seen a screenshot of the page, but had no evidence or logs to confirm it was serving up malware.

Adam Meyers, director of intelligence with CrowdStrike, says he has yet to see any evidence of malware. “I have yet to see a single hash or even a copy of the malware, so I’m unable to verify it,” he says. Delivering malware would have been uncharacteristic of the SEA, he says, which is better known for its defacements, pro-Assad messaging, and “rabble-rousing” such as when it recently hacked the AP’s Twitter account and posted a phony tweet that the White House had been bombed.

Another researcher, Paul Ferguson, doesn’t believe that the redirected NYT pages were infected with malware. “It could have been a lot worse if that had been the case … we’ve seen that happen before in domain hijackings,” says Ferguson, who is vice president of threat intelligence for Internet Identity.

The SEA sent a spearphishing email that duped a U.S. reseller of domain registrar Melbourne IT, which hosts The New York Times and many other high-profile domains. That gave the hacktivist group credentials to alter the newspaper’s DNS records and redirect traffic to their own servers for several hours Tuesday evening.

Meanwhile, Melbourne IT today responded to a press inquiry for more details on the attack. “Staff of an overseas-based reseller unwittingly responded to a spear phishing attack which allowed attackers to access sensitive information, including usernames and passwords, which was used to access the reseller’s account on Melbourne IT systems. This resulted in unauthorized changes to the DNS records of two domain names associated with providing news related to the Syrian conflict,” a spokesperson said in an email statement.

Bruce Tonkin, chief strategy officer for Melbourne IT, said in an email response today that the attackers logged into a reseller account at Melbourne IT to change the DNS name server records of nytimes.com and twimg.com, Twitter’s image domain. The attacker also obtained credentials that allowed him or her to log into the reseller account directly via the .co.uk registry, leading to the huffingtonpost.co.uk and twitter.co.uk DNS record compromises, Tonkin says. “We didn’t have a record of this on our systems, but the .co.uk registry was able to confirm the changes were made at the registry. Reseller staff did use our systems to restore the names at the .co.uk registry.”
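A change made at the registrar or reseller level, as described above, happens outside the victim's own infrastructure, so the organisation's own DNS servers keep serving the correct data and nothing in its logs looks wrong. What a defender can do is watch the delegation from the outside: periodically query the public nameservers for each zone and compare them against a known-good baseline, alerting the moment the NS set drifts. The script below is an added example written for this article; it is not code from Dark Reading, Melbourne IT or any company quoted here. The zone names, nameserver hostnames and the "observed" query output are all constructed sample data so that the check runs offline; in practice the observed strings would come from `dig +short NS <zone>` (or an equivalent resolver library) run from several vantage points.

```python
"""Baseline check for DNS delegation (NS record) drift.

Added example for this article, not code from Dark Reading, Melbourne IT or
any company quoted.  It compares the nameservers currently published for
each zone with a known-good baseline and classifies any difference.  All
zones, hostnames and query output below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed baseline: the nameservers each zone is *supposed* to delegate to.
BASELINE: dict[str, set[str]] = {
    "example.com": {"ns1.example-dns.net", "ns2.example-dns.net"},
    "img.example.com": {"ns1.example-dns.net", "ns2.example-dns.net"},
}

# Constructed output in the style of `dig +short NS <zone>`.  The first zone
# is unchanged (only case and trailing dots differ); the second has been
# re-delegated entirely to servers outside the baseline.
OBSERVED_OUTPUT: dict[str, str] = {
    "example.com": "NS1.example-dns.net.\nns2.example-dns.net.\n",
    "img.example.com": "ns1.unknown-host.example.\nns2.unknown-host.example.\n",
}


def normalise(host: str) -> str:
    """Lower-case and strip the trailing dot so cosmetic differences don't alert."""
    return host.strip().lower().rstrip(".")


def parse_ns_output(text: str) -> set[str]:
    """Turn `dig +short NS` style output into a set of nameserver names.

    Blank lines and comment lines (starting with ';') are ignored.
    """
    return {
        normalise(line)
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith(";")
    }


@dataclass(frozen=True)
class DelegationReport:
    zone: str
    status: str  # "ok", "partial-change", "redelegated" or "no-answer"
    added: frozenset[str] = field(default_factory=frozenset)
    removed: frozenset[str] = field(default_factory=frozenset)


def check_delegation(zone: str, expected: set[str], observed: set[str]) -> DelegationReport:
    """Classify the difference between the expected and observed NS sets."""
    expected = {normalise(h) for h in expected}
    observed = {normalise(h) for h in observed}
    if not observed:
        # No NS answer at all: resolver failure or the zone has been removed.
        return DelegationReport(zone, "no-answer", removed=frozenset(expected))
    added = frozenset(observed - expected)
    removed = frozenset(expected - observed)
    if not added and not removed:
        status = "ok"
    elif observed.isdisjoint(expected):
        # Every legitimate nameserver is gone: the pattern of a registrar-level
        # change, whether a planned migration or a hijack.
        status = "redelegated"
    else:
        # Mixed set: a planned NS rotation, or an attacker adding one server.
        status = "partial-change"
    return DelegationReport(zone, status, added, removed)


def audit(baseline: dict[str, set[str]], observed_output: dict[str, str]) -> list[DelegationReport]:
    """Run the check for every zone in the baseline."""
    return [
        check_delegation(zone, expected, parse_ns_output(observed_output.get(zone, "")))
        for zone, expected in baseline.items()
    ]


def alerts(reports: list[DelegationReport]) -> list[DelegationReport]:
    """Only the reports that need a human to look at them."""
    return [r for r in reports if r.status != "ok"]


if __name__ == "__main__":
    for report in audit(BASELINE, OBSERVED_OUTPUT):
        print(f"{report.zone}: {report.status}")
        if report.added:
            print(f"  added:   {sorted(report.added)}")
        if report.removed:
            print(f"  removed: {sorted(report.removed)}")
```

Run on a schedule from a host outside the organisation's own network, the check fires on the "redelegated" case within one polling interval; since the attacker here needed several hours of redirection to matter, even a modest interval shortens the window considerably. A "partial-change" report should also be reviewed, because adding a single rogue nameserver to an otherwise intact set is enough to divert some fraction of traffic.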


Article source: http://www.darkreading.com/vulnerability/no-proof-of-malware-in-new-york-times-dn/240160636