CoSoSys to Protect SearchAmerica

CoSoSys, the leading provider of End Point Security solutions, has recently announced that SearchAmerica has selected Endpoint Protector 2008 to manage and enforce portable device security policies in their IT environment. The solution SearchAmerica chose is quite new and extremely powerful, and it will protect all company workstations, notebooks and servers against data loss, data theft and other forms of data leakage.

CoSoSys has added a rather important client to its portfolio, as SearchAmerica is the industry leader in financially clearing patients through address verification, prediction of payment and automated charity/Medicaid processing. See more in the official press release.

CollegeInvest Loses Data of 200,000 Customers

April 22nd, 2008 by Agent Smith (0) Data Leakage, Data Loss, IT security, In the News, security breach

CollegeInvest, a non-profit division of the Colorado Department of Higher Education offering scholarships, saving plans and other such services for students, announced one of their hard drives containing private records of their customers had been lost during a recent move. According to a North Denver News article, the company started sending out letters to about 200,000 customers whose personal information was stored on the lost drive. As the data was stored in a format that would be difficult to access and was also password protected, CollegeInvest believes there is little risk of customers’ personal information being compromised.

DLP on the Right Track, but not Foolproof

Speakers at RSA 2008 stated that the Data Loss Prevention (DLP) segment of security solutions is reporting impressive improvements, but it is still not able to stop innovative attacks. While it might be the new hot shot of the entire security industry, DLP can fail when attempting to fight off all data breaches.

In a Symantec-sponsored panel addressing DLP-related issues, speakers were highly optimistic about the future of this new technology, which, according to Dark Reading, “is designed to monitor, detect, and control the egress of sensitive enterprise data in an organization”. Yet the panel acknowledged that describing this insider-theft technology as omnipotent is a gross exaggeration. Here’s a selection of the most interesting quotes Dark Reading published:

“The idea that you’re going to be able to protect every piece of data all the time is probably impossible,” said Joseph Ansanelli, former CEO of DLP pioneer Vontu and now vice president of DLP at Symantec, which bought Vontu last year. “It’s not going to happen.”

“DLP is a tool,” said Craig Shumard, CISO for CIGNA Corp., a Vontu user. “It’s one of a number of things you can use to help control the insider threat. But it’s not the whole solution.”

The key, Rich Mogull, founder of Securosis, says, is to define your “sensitive” data before deploying DLP. “You need to put all of your business people in a room and force them to choose which data is the most valuable,” he said. “Once you’ve done that, you can use DLP to start monitoring that data, to set policies for protecting it, and eventually, to enforce those policies.”

IBM Thinks the Security Business is Dead

At the RSA Conference 2008 taking place in San Francisco, IBM stated they are going to leave the security business to start providing sustainable solutions instead. The statement was made by Val Rahamani, general manager of IBM ISS and of security and privacy for IBM Global Technology Services, and quoted by Dark Reading:

“The security industry is flying by the seat of its pants,” Rahamani said. “Security infrastructure has been dictated by the bad guys… as new threats arise, we put new products in place. This is an arms race we cannot win.”

So, how does IBM define the creation of sustainable business?

Business sustainability is all about building security into systems and processes, she said. “If we really want to get ahead of the threat, we need to start thinking about re-engineering our businesses and processes. We need to make them more secure and compliant by design, and we need to move more security and compliance technologies into the fabric of our standard infrastructure and application environments.”

“It’s time to give up on the fantasy that education and antivirus will cure consumer security woes. It is not up to consumers to protect themselves. It is not their problem. It is our problem, because online commerce is not sustainable if it is not inherently secure. And the only way to make it inherently secure is to take ownership of the security problem.”

Fighting Trojans, worms, insider attacks, and outsider attacks one by one is futile, she said.

Interesting approach indeed! However, I can’t help noticing how the security industry is limited to antivirus applications (antispam solutions are not even mentioned). In a technological world where most security solutions are moving towards standard compliance, where niche security fields, such as endpoint security, stress the need to manage threats and benefit from advantages instead of blocking threats and benefits alike, the IBM position seems to come a bit late. IT security is definitely more than trying to keep viruses away; maybe someone should tell IBM about it.

Stolen Hardware - Most Common Cause for Data Breaches

Stolen or lost hardware, from laptops to USB sticks and portable hard drives, was the most common cause of data breaches in 2007, outranking malicious software. These findings were recently released by Symantec in its latest Internet Security Threat Report. As SecurityFocus shows, this is a significant conclusion, given that the number of unique variants of malicious software more than quadrupled in 2007.

the theft of computers and storage devices, not malicious code, accounted for the majority of lost data. In the latter half of the year, such physical theft accounted for 57 percent of data breaches, up from 46 percent in the first half of 2007, the report stated. While the government had only the second highest number of breaches — 20 percent of the total compared to 24 percent for the education sector — those breaches accounted for 60 percent of identity theft, the report stated.

Security - Necessary Evil for Businesses

April 10th, 2008 by Agent Smith (0) IT security, In the News, endpoint security, security breach

Discussions taking place at the RSA 2008 Conference held in San Francisco point out that security concerns are more and more of a drag on business innovations. According to RSA president Art Coviello, quoted by Dark Reading, this results in holding back companies’ creative thinking.

Coviello backed his opinion with statistics from research conducted by IDG and commissioned by RSA:

“More than 80 percent of IT, security, and business executives surveyed admit that their organizations have shied away from business innovation opportunities because of information security concerns,” he told the RSA audience in a keynote address Tuesday morning.

Security policies place significant pressure on users, who are always told one click can lead to disaster and are always faced with cryptic dialog boxes that aren’t at all helpful.

Worse, in most organizations security is viewed at best as a necessary evil, due to IT’s primary focus on trying to constrain behavior and prevent some desktop mishap. “Although well-intentioned, the inevitable result is that security practitioners are not viewed as enablers but people preventing the business from doing what it needs to do,” said Bill Boni, corporate vice president of information security and protection for Motorola, and one of the IDG survey respondents quoted by the RSA exec.

After identifying the negative effects of security on business innovation, Coviello also offered a solution. The best way to address the downsides is a change in security mentality: a switch from saying “no” to potentially harmful actions to showing how they can be performed safely.

“The next time a new idea comes up, don’t start by saying it isn’t secure — start by evaluating exposures, the probability of the exposures being exploited, and the materiality of the consequences. Then put forth a plan to reduce risk in all three areas. Nothing should be done unless it is in the context of risk.”

This situation fully applies to Endpoint Security. There’s been a lot of buzz on how portable storage devices, such as USB sticks, smart phones and iPods, can cause the ugliest virus infections, how they enable data theft and how losing one with sensitive data can endanger the identities of millions. This leads to restrictive measures such as cutting all access to these devices. The negative result is less mobility for employees, less space for them to work and innovate, and less effectiveness on their side.

The actual response to ongoing threats is learning how to handle portable storage devices safely, so as to benefit from all their advantages without overlooking their embedded threats.

Gains from Online Fraud Aim for the Sky

April 9th, 2008 by Agent Smith (0) Data Loss, Data Theft, IT security, In the News, security breach

According to the latest data released by the FBI’s Internet Crime Complaint Center, damages caused by online fraud have significantly increased, going up by 20 percent.

The report cited by SecurityFocus shows that, while the number of complaints has been a little lower, the reported damage from online fraud grew from $198 million in 2006 to $239 million in 2007. The FBI’s IC3 online portal, where cybercrime complaints are received, processed a little under 207,000 such reports last year, just a few fewer than in 2006. The criminal activity is in no way discriminatory, affecting victims aged from 10 to 100 years old.

“The Internet presents a wealth of opportunity for would-be criminals to prey on unsuspecting victims, and this report shows how extensive these types of crime have become,” James E. Finch, assistant director of the FBI’s Cyber Division, said in a statement. “What this report does not show is how often this type of activity goes unreported.”

While the media reports often on the crime of identity theft, the largest number of people, more than a third, complain about online auction fraud, the IC3 report stated. Other online crimes, such as industrial espionage by other nation states, largely go unreported. Earlier this month, the Council of Europe requested that Internet service providers help battle cybercrime by sharing information about their users.

Employees Are Great at Circumventing IT Security Policies

April 7th, 2008 by Agent Smith (0) Data Leakage, IT security, security breach

According to a survey conducted by Palo Alto Networks and quoted by DarkReading, employees in most enterprises are constantly circumventing corporate security policies by deploying unauthorized applications, including video viewers, streaming audio, P2P, and Google applications.

Palo Alto Networks used data from 20 different enterprises, gathered during vulnerability assessments, to reach the study results.

Employees are using a broad variety of tactics for circumventing IT policies on network usage, Palo Alto found. For example, approximately 80 percent of the enterprises are supporting proxy applications, such as KProxy or CGI proxies, which mask the user’s identity and surfing habits from IT monitoring tools.

“There’s no business reason for using proxies in the enterprise, other than to hide your activity from IT,” Mullaney says. “But we see at least some use of them in most of the enterprises we [assess].”

Hannaford - An Inside Job

Recent details on the Hannaford security breach point to an inside job. It appears Hannaford employees are most likely to have planned the breach and then infected over 300 of the grocery chain’s servers.

Experts said the breach should serve as a big lesson for retailers: It’s as important to limit the network access of employees and regularly monitor system activity as it is to purchase security technology to block attacks from the outside. Furthermore, it’s foolish for a company to consider itself bulletproof because they achieved PCI DSS compliance, as Hannaford’s claims it did.

“The overarching conclusion I have that keeps getting reinforced is that the low-hanging fruit is inside the company and insiders are always getting more network privileges,” said Mark MacAuley, a York, Maine-based IT security consultant who shops at Hannaford’s regularly. “I don’t see how anyone at Hannaford could get that level of access unless they were a very well-known entity.”

The Hannaford data breach has exposed over 4 million credit card accounts, making it the second largest breach ever reported.