The European Commission is due to present a proposal on cybersecurity in February once it has received feedback from the European Parliament and EU countries.
The proposal was initially announced in May for the third quarter this year but has been delayed.
EU moves to protect critical infrastructure echo similar concerns worldwide amid an increasing number of cyber attacks globally that can disrupt important areas of the economy, from online banking to stock exchanges.
"Minimum security requirements should also apply to public administrations and operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported," the report said.
Unlike the United States where companies are required to report online attacks, which supporters say forces companies into keeping cyber defences tight, the EU has a piecemeal approach.
Some countries, like Britain, oppose mandatory reporting, which they believe would encourage companies to cover up online breaches because they do not want to alarm their customers.
An EU official said the aim of the report was to get companies to be more open about cyber attacks and help them fend off such disruption.
"We want to change the culture around cyber security from one where people are sometimes afraid or ashamed to admit a problem, to one where authorities and network owners are better able to work together to maximise security," the official said.
European companies in critical areas of the economy "lack effective incentives to provide reliable data on the existence or impact" of network security incidents, the report said.
Companies fear that revealing their vulnerability could cost them customers, but authorities are eager for increased transparency to try to shut down the methods hackers use to exploit networks before they can do widespread damage.
"Cyber security incidents are increasing at an alarming pace and could disrupt the supply of essential services we take for granted such as water, sanitation, electricity, or mobile networks," the report said.
The EU proposal would require companies in critical infrastructure areas to conduct risk assessments and work with national authorities to ensure a minimum standard across the 27-country bloc.
Inconsistent measures on cyber security also carry an economic cost. In 2012, 38% of the EU's internet users said they were concerned about making payments online, an EU poll showed.
Monday, December 31, 2012
To Encrypt Email or Not to Encrypt Email? Practical Answers to a Question That Is Surprisingly Complex
[author: Elizabeth H. Johnson]
Health care providers frequently ask us whether they have to encrypt emails, particularly those sent to patients who have asked for an emailed copy of their health records. Since patients have a right to receive electronic copies of their health records, emailing them a copy when they ask for it seems like the right thing to do.
Unfortunately, the decision actually is more complicated. HIPAA requires that all electronic transmissions of protected health information (PHI) be encrypted. That means ALL of them … fax, email, web-based and otherwise. The requirement applies regardless of the identity of the recipient or patient, and the recipient cannot “undo” or waive the requirement by consenting to the receipt of unencrypted emails.
Because encryption can be expensive and technically difficult to implement, HIPAA does include an exception of sorts. You may hear the encryption requirements and certain other HIPAA security requirements referred to as “addressable” — that designation means the requirements can be treated as optional if the following “exception” applies.
Before it can decide not to encrypt electronic transmissions of PHI, a HIPAA-covered entity must engage in a feasibility analysis. The analysis must consider each of the following factors:
- Size, complexity and capabilities of the covered entity
- Covered entity’s technical infrastructure, hardware and software security capabilities
- Costs of security measures
- Probability and criticality of potential risks to electronic PHI
If encryption proves to be too expensive and difficult in comparison to the covered entity’s size and capabilities and seems to add little value to the overall security of PHI, then HIPAA allows the covered entity to forego encryption. HIPAA requires, however, that the covered entity implement an equivalent, alternative security measure if it is “reasonable and appropriate” to do so (as determined using the same analysis described above), which invites covered entities to evaluate several options to determine which is the most appropriate. In all cases, the covered entity must document its analysis and decisions.
One more time in English? Health care providers are allowed to send PHI in unencrypted emails but only after they engage in the analysis described above and document their determination. It is a violation of the HIPAA Security Rule to send unencrypted emails containing PHI without first having performed and documented that analysis. A single violation can carry a penalty as high as $50,000, a useful figure to contemplate if you think encryption is too expensive to implement. Encryption also carries the benefit of qualifying for a “safe harbor” under HIPAA’s breach notification requirements. A security incident that would otherwise require notification is not considered a breach if the PHI affected were encrypted and the encryption key has not been compromised.
Other solutions besides encrypted email may be more prudent when patients request copies of their records. For example, physician practices that maintain patient portals are able to provide patients with access to records and (often) communications through a secure website. Another alternative is to ask patients to come by and pick up a copy of their electronic health record on a password-protected CD. It’s also appropriate to check some form of ID when patients arrive to pick up the records. Share the password with them only after verifying their identity.
For patients who simply insist on receiving email, if that email cannot be encrypted then a health care provider may be left with two unappealing choices. Choice one is to refuse, in which case patients may rightly insist that the provider has not respected their right (guaranteed by the HITECH Act) to receive a copy of their electronic health records. Choice two is to fulfill the request, send the unencrypted email, and risk violating the HIPAA Security Rule. We think the better choice is to send the email, but only after the health care provider engages in the required feasibility analysis and documents the outcome as described above to help ensure Security Rule compliance. It’s also a good idea to advise patients of the potential risks and insecure nature of email, and then ask again if they really want the record sent in that manner. To be clear, however, the patients’ informed consent to the insecure nature of email does not alleviate the provider’s requirement to engage in the feasibility analysis.
If unencrypted email is still the choice of both the provider and the patient, then as a precautionary move health care providers should consider sending records via email by appending a password-protected file. Once sent, the provider can call the patient to share the password by phone. That follow-up phone call facilitates two things: first, the provider can confirm that the patient actually received the email; and second, the password is not disclosed until the patient has received the records. If the email is accidentally sent to the wrong place, the recipient is less likely to be able to open the file and view health information without the password. Although taking these measures will not meet HIPAA’s encryption requirement (providers seeking an exception still have to do the feasibility analysis), they do minimize the likelihood of an inadvertent disclosure that could anger patients and lead to a HIPAA complaint.
Thursday, December 27, 2012
Top 10 risks found by your auditor
KirkpatrickPrice offers a list of the most common risks they find.
1. No formal policies and procedures
Formal guidelines of policies and procedures help provide your employees with clarity of what’s expected of them. They define the accountability for each employee and also establish necessary training. Information security policies are mandated by the FTC Safeguards Rule, PCI Data Security Standards, and the HIPAA Security Rule. This means they are mandatory.
2. Misconfigurations
Standards need to be applied consistently. Organizations should utilize benchmark configuration standards from a recognized entity such as the Center for Internet Security (CIS), the International Organization for Standardization (ISO), the SANS (SysAdmin, Audit, Network, Security) Institute, and the National Institute of Standards and Technology (NIST).
3. No formal risk assessment
The assessment should cover the assets that are critical to continuing your business operations: hardware, software, human resources, and processes (automated or manual). Important things to consider in a risk assessment are the threats to your assets as well as the likelihood of a vulnerability being compromised. Threats can be both internal (employees, third-party contractors or partners) and external (natural events or social engineering). Developing a proper risk assessment helps you mitigate the risks you face.
4. Undefined incident response
It is always important to have clear instructions on reporting procedures when determining incident response. It is suggested to build a culture within your work environment that encourages reporting of all incidents the moment they present themselves.
5. Lack of disaster planning
Disaster planning ensures that written plans are available for others to follow in the event that key personnel are not available. A business impact analysis can help quantify what level of redundancy is required. Proactive arrangements should be made to care for the staff and to communicate with third parties. Walkthroughs and training scenarios help ensure employees are properly prepared in the event of a disaster.
6. Lack of testing
The concept of testing applies to all areas of your security. If your security is not tested, there is no way to determine whether or not vulnerabilities are present.
7. Insecure code
Developing secure coding is something we find lots of companies struggling with. To develop secure coding, training must be implemented as well as specific development standards and quality assurance.
8. Lack of monitoring/audit trails
Log harvesting, parsing, and alerting methods must be determined to deal efficiently with massive event logs. The responsibility for review must be formally assigned as part of daily operations. Audit trails should be stored in such a way that system administrators cannot modify them without alerting someone with an oversight role.
9. Data leakage
Some questions we often forget to ask: where is the data located, and how long should it be retained? How is encryption implemented and verified? How is access to data granted and audited? These things are all very important and, if not addressed, can keep you from complying with federal and industry standards and regulations.
10. Lack of training
A lack of training can prove to be a striking blow to the security of your organization. Employers should recognize the importance of properly training all employees on safety and security best practices. Standards and guidelines should be clearly set and determined in each organization. Several training opportunities are offered through KirkpatrickPrice to properly train you and your company on the basics of security awareness, awareness for managers, awareness for IT professionals, and awareness for credit card handling.
Saturday, December 22, 2012
Hackers Steal Data from Pentagon, NASA, Federal Reserve
Ben Weitzenkorn, TechNewsDaily Staff Writer
Date: 12 December 2012 Time: 01:53 PM ET
Members of the Anonymous-affiliated Team GhostShell hacking collective have published what they claim is stolen information for 1.6 million accounts linked to government agencies, including the Pentagon, NASA and the Federal Reserve. The hackers appear to have breached the databases through SQL injection, ZDNet reported, stealing passwords and corresponding email addresses, phone numbers, home addresses and notes from defense tests.
"#ProjectWhiteFox will conclude this year's series of attacks by promoting hacktivism worldwide and drawing attention to the freedom of information on the net," Team GhostShell wrote in a Pastebin post that included links to the stolen information.
Team GhostShell gained notoriety when they leaked information from more than 100 websites, including those of the Thai Navy and MIT. The politically minded hackers made headlines again when they hacked 100 prestigious universities and leaked 120,000 records to protest what they called the deteriorating quality of education. This latest breach is another blow to NASA, where computer security breaches have occurred with embarrassing frequency over the past two years. The space agency said it had lost more than 48 portable devices in addition to laptops stolen from employee vehicles in March 2011 and October of this year.
Team GhostShell may be in hacking hibernation for now, but it's almost certain that the activist hackers will return in 2013.
"Happy holidays and who knows, maybe we'll see each other again next year," the hackers wrote. They signed it, "GhostShell."
This story was provided by TechNewsDaily, a sister site to SPACE.com. Follow Ben on Twitter @benkwx
Friday, December 21, 2012
ElcomSoft Decrypts BitLocker, PGP and TrueCrypt Containers
BitLocker, PGP and TrueCrypt set the industry standard in the area of whole-disk and partition encryption. All three tools provide strong, reliable protection and offer a solid implementation of strong crypto.
Normally, information stored in any of these containers is impossible to retrieve without knowing the original plain-text password protecting the encrypted volume. The very nature of these crypto containers suggests that their target audience is likely to select long, complex passwords that won’t be easy to guess or brute-force. And this is exactly the weakness we’ve targeted in our new product: Elcomsoft Forensic Disk Decryptor.
The Weakness of Crypto Containers
The main and only weakness of crypto containers is the human factor. Weak passwords aside, encrypted volumes must be mounted for the user to have on-the-fly access to encrypted data. No one likes typing their long, complex passwords every time they need to read or write a file. As a result, the keys used to encrypt and decrypt data being written to or read from protected volumes are kept readily accessible in the computer’s operating memory. Obviously, what’s kept readily accessible can be retrieved near instantly by a third-party tool such as Elcomsoft Forensic Disk Decryptor.
Retrieving Decryption Keys
In order to access the content of encrypted containers, we must retrieve the appropriate decryption keys. Elcomsoft Forensic Disk Decryptor can obtain these keys from memory dumps captured with one of the many forensic tools or acquired during a FireWire attack. If the computer is off, Elcomsoft Forensic Disk Decryptor can retrieve decryption keys from a hibernation file. It’s important that encrypted volumes are mounted at the time a memory dump is obtained or the PC goes to sleep; otherwise, the decryption keys are destroyed and the content of encrypted volumes cannot be decrypted without knowing the original plain-text password.
“The new product includes algorithms allowing us to analyze dumps of computers’ volatile memory, locating areas that contain the decryption keys. Sometimes the keys are discovered by analyzing byte sequences, and sometimes by examining crypto containers’ internal structures. When searching for PGP keys, the user can significantly speed up the process if the exact encryption algorithm is known.”
It is essential to note that Elcomsoft Forensic Disk Decryptor extracts all the keys from a memory dump at once, so if there is more than one crypto container in the system, there is no need to re-process the memory dump.
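The property that makes a mounted volume's key findable by "analyzing byte sequences" is that AES key expansion is deterministic: a 16-byte AES-128 key is followed in memory by 160 bytes it fully determines (FIPS-197 section 5.2). The scanner below is an added illustration, not Elcomsoft's code; a defender can use the same check to confirm that an image taken after unmount, or a hibernation file, no longer holds a key schedule. The memory image and the key are constructed samples.

```python
"""Locate AES-128 key schedules in a raw memory image (constructed sample).

Added example, not Elcomsoft's code. A valid schedule is a 176-byte window
whose first 16 bytes expand (FIPS-197) to exactly the remaining 160 bytes.
"""
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox() -> list:
    """Derive the S-box (multiplicative inverse, then affine map) at import."""
    inv = [0] * 256
    for a in range(1, 256):
        for b in range(1, 256):
            if _gf_mul(a, b) == 1:
                inv[a] = b
                break

    def rotl(v: int, s: int) -> int:
        return ((v << s) | (v >> (8 - s))) & 0xFF

    return [inv[a] ^ rotl(inv[a], 1) ^ rotl(inv[a], 2) ^ rotl(inv[a], 3)
            ^ rotl(inv[a], 4) ^ 0x63 for a in range(256)]


SBOX = _build_sbox()
RCON = [1]
for _ in range(9):                      # round constants 01,02,04,...,1b,36
    RCON.append(_gf_mul(RCON[-1], 2))


def _expand_word(prev: bytes, back4: bytes, i: int) -> bytes:
    """Round-key word w[i] from w[i-1] and w[i-4] (RotWord/SubWord/Rcon)."""
    t = bytearray(prev)
    if i % 4 == 0:
        t = t[1:] + t[:1]                         # RotWord
        t = bytearray(SBOX[b] for b in t)         # SubWord
        t[0] ^= RCON[i // 4 - 1]
    return bytes(a ^ b for a, b in zip(back4, t))


def expand_key_128(key: bytes) -> bytes:
    """Return the 176-byte AES-128 key schedule for a 16-byte key."""
    assert len(key) == 16
    words = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        words.append(_expand_word(words[i - 1], words[i - 4], i))
    return b"".join(words)


def find_aes128_schedules(image: bytes) -> list:
    """Return (offset, key) for every window that is a valid key schedule."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        # Cheap prefilter: check only w[4] before doing the full expansion.
        if _expand_word(cand[12:16], cand[0:4], 4) != image[off + 16:off + 20]:
            continue
        if expand_key_128(cand) == image[off:off + 176]:
            hits.append((off, bytes(cand)))
    return hits


def scrub(image: bytearray, off: int, length: int = 176) -> None:
    """Overwrite a schedule in place, as unmounting a volume should do."""
    image[off:off + length] = bytes(length)


def build_sample_image(key: bytes, offset: int, size: int = 8192) -> bytearray:
    """Constructed 'dump': pseudo-random filler with one schedule embedded."""
    rng = random.Random(2012)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[offset:offset + 176] = expand_key_128(key)
    return image


if __name__ == "__main__":
    demo_key = bytes(range(0x10, 0x20))   # constructed key, not a real one
    img = build_sample_image(demo_key, 1000)
    print(find_aes128_schedules(bytes(img)))   # one hit at offset 1000
    scrub(img, 1000)
    print(find_aes128_schedules(bytes(img)))   # [] once the schedule is gone
```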
Using forensic software to take snapshots of a computer’s memory is nothing new. The FireWire attack method has existed for many years, but for some reason it’s not widely known. This method is described in detail in many sources, such as http://www.securityresearch.at/publications/windows7_firewire_physical_attacks.pdf or http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation
The FireWire attack method is based on a known security issue that affects FireWire / i.LINK / IEEE 1394 links. One can take direct control of a PC or laptop’s operating memory (RAM) by connecting through a FireWire port. After that, grabbing a full memory dump takes only a few minutes. What makes it possible is a feature of the original FireWire/IEEE 1394 specification that allows external FireWire devices unrestricted access to the PC’s physical memory. Direct Memory Access (DMA) is used to provide that access. Because this is DMA, the exploit works regardless of whether the target PC is locked or even logged on. There’s no way to protect a PC against this threat except explicitly disabling the FireWire drivers. The vulnerability exists for as long as the system is running. There are many free tools available to carry out this attack, so Elcomsoft Forensic Disk Decryptor does not include a module to perform one.
If the computer is turned off, there are still chances that the decryption keys can be retrieved from the computer’s hibernation file. Elcomsoft Forensic Disk Decryptor comes with a module analyzing hibernation files and retrieving decryption keys to protected volumes.
Complete Decryption and On-the-Fly Access
With decryption keys handy, Elcomsoft Forensic Disk Decryptor can go ahead and unlock the protected disks. There are two different modes available. In complete decryption mode, the product will decrypt everything stored in the container, including any hidden volumes. This mode is useful for collecting the most evidence, time permitting.
In real-time access mode, Elcomsoft Forensic Disk Decryptor mounts encrypted containers as drive letters, enabling quick random access to encrypted data. In this mode files are decrypted on the fly at the time they are read from the disk. Real-time access comes in handy when investigators are short on time (which is almost always the case).
We are also adding TrueCrypt and BitLocker To Go plugins to Elcomsoft Distributed Password Recovery, enabling the product to attack the plain-text passwords protecting the encrypted containers with a range of advanced attacks, including dictionary, mask and permutation attacks in addition to brute force.
Unique Features
The unique feature of Elcomsoft Forensic Disk Decryptor is the ability to mount encrypted disks as a drive letter, using any and all forensic tools to quickly access the data. This may not seem secure, and may not be allowed by some policies, but sometimes the speed and convenience is everything. When you don’t have the time to spend hours decrypting the entire crypto container, simply mount the disk and run your analysis tools for quick results!
More Information
More information about Elcomsoft Forensic Disk Decryptor is available on the official product page at http://www.elcomsoft.com/efdd.html
December 20th, 2012, by Vladimir Katalov
Thursday, December 20, 2012
EU to propose mandatory reporting of cyber incidents | EurActiv
The European Union may force companies operating critical infrastructure in areas such as banking, energy and stock exchanges to report major online attacks and reveal security breaches, according to a draft report by the European Commission.
Next steps:
- Feb. 2013: European Commission expected to table proposal on mandatory reporting of cyber incidents.
EurActiv.com with Reuters
COMMENTS
- ALL companies that process citizens' personal details should be required to disclose breaches immediately. Is it not unethical to prioritise and privilege companies' concerns about the impact on their market share over the privacy, dignity and personal security of citizens? By: jlodge - Posted on: 18/12/2012
- Back in 2004/5 I did a report on Critical Infrastructure one part of it looked at CERTs (Computer Emergency Response Teams) which are supposed to respond to “cyber attacks”. Telcos and other large organisations have them, as do banks. Think of a CERT as a “fire-brigade” – external (professional ones) and internal ones. There are also private CERTS.
I spoke to an external private “CERT”. They specialised in banks and were a fund of entertaining stories of what goes wrong. One massive German bank suffered a serious DDOS attack and were unable to handle it (despite the bank having thrown considerable amounts of money at their internal CERT). So the bank CERT called in the real experts – who cracked the problem in short order (or so the external CERT claimed). Here’s the kicker, the internal CERT did not tell anybody (e.g. the main board) that they had to pull in outside help – and pretended that they cracked the problem themselves – which in a sense they did. If the internal CERT is a bit coy telling upper management of a problem (despite a requirement to do so) – why would they tell anybody else. The private CERT claimed the problem was endemic.
In the case of “real” critical infrastructure, such as control of power transmission networks – back in 2005 there were few problems. Generally speaking these were run on wholly private networks. However, as one UK guy noted, “the suits want more information” i.e. non-engineering managerial types want more systems operation data. This can lead to openings in systems that were previously wholly closed to “the Internet”.
The UK, as usual, is talking bollocks. They already have a confidential/invitation-only group (of utilities) which meets on a regular basis (attendance is obligatory) to exchange info on attacks etc.
Basically it comes down to this: keep customer-facing systems (the retail operation, as it were) wholly separate from network operation systems unless you want entertainment of the sort you will regret later. This is not hard to do – but usually costs a bit more – which means that the suits, in the interests of economy, will probably try and converge the two systems. So when the lights go off or the gas fails – you know who to blame – some half-wit in a suit who thought he could save money for his utility. By: Mike Parr - Posted on: 19/12/2012
Tufin is rethinking enterprise security with an application-centric model
Summary: Managing security policies is a big headache for large organizations...
By Tom Foremski for Tom Foremski: IMHO |
I recently spoke with Ruvi Kitov, CEO and co-founder of Tufin Technologies, which provides firewall policy management tools for very large companies.
Tufin is interesting because it is rethinking the way firewalls should be managed, and it is doing so because of the rise in the number of applications being produced by enterprises.
Firewall administrators are spending more of their time dealing with application related change requests. Yet the app developers know little about firewalls and potential conflicts, or security holes. Earlier this year, Tufin launched SecureApp, a suite of admin tools to help manage this important security relationship between apps and firewalls.
This application centric approach is a different way of thinking about enterprise security. Here are some notes from our conversation:
- Our latest survey shows that nearly half of all firewall changes are related to application connectivity. And most companies report that they don't have confidence in their IT staff being able to fully address the compliance and security risks that arise when managing application connectivity.
- We realized that the best approach is to address security through the app layer first, to document the resources an app needs and how it behaves, and then to communicate what's needed in the firewalls. Our new product helps to automate this process. And it's integrated with our two other firewall products, SecureTrack and SecureChange.
- It's a paradigm shift and it might take some time for this to be understood but you have to tackle security first through the app layer not the network.
- Here's why: Large enterprises have a high degree of complexity because of multiple locations, multiple IT systems and hundreds of firewalls to manage with multitudes of rules. Developing new applications is tough because they must work across all of a corporation's firewalls.
- The situation becomes more complex when changes are made to an application and those changes have to be communicated to hundreds of firewalls.
- If firewalls aren't configured right, apps will fail. But the app developers have to be better at communicating and documenting how their apps behave, so that the right changes can be made by the network security teams.
- Anytime you change the configuration of firewalls, other things can break. A key feature of SecureApp is that you can simulate the entire network and test changes safely.
- CIOs want to deploy apps faster but this can compromise security if there is little communication between the app developers and the security teams.
- There's often a cultural problem within large corporations in that the apps developers don't understand the security issues and the security people don't understand the apps.
- There is often little or no documentation, and when people leave a company, a lot of knowledge about an app leaves too. SecureApp makes sure that there is documentation and that knowledge isn't lost when people leave.
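The approach described in these notes, writing down once what connectivity an application needs and then checking it against the firewall rule base before anything is changed, can be illustrated with a small policy simulator. This is an added example, not Tufin's code or SecureApp's data model; the application, the RFC 1918 address ranges and the rule base are all constructed for illustration. It evaluates each flow the application needs against an ordered, first-match rule base, reports which rule decides it, and proposes the narrowest allow rule, inserted ahead of the deny that would otherwise shadow it, so that the rest of that deny stays in force.

```python
"""Application-centric firewall policy check.  Added example, not Tufin's code:
an app declares the flows it needs; we evaluate them against an ordered,
first-match rule base and propose the minimal change.  All addresses, rules
and the application are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # CIDR
    dst: str    # CIDR
    proto: str  # "tcp" | "udp"
    port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    proto: str       # "tcp" | "udp" | "any"
    ports: tuple     # inclusive (low, high); (0, 65535) means any port
    action: str      # "allow" | "deny"


ANY_NET = "0.0.0.0/0"


def _covers(rule_net, flow_net):
    """True if every address in flow_net lies inside rule_net."""
    return ipaddress.ip_network(flow_net).subnet_of(ipaddress.ip_network(rule_net))


def matches(rule, flow):
    return (_covers(rule.src, flow.src) and _covers(rule.dst, flow.dst)
            and rule.proto in ("any", flow.proto)
            and rule.ports[0] <= flow.port <= rule.ports[1])


def first_match(rules, flow):
    """Return (index, rule) of the first matching rule, or (None, None) for implicit deny."""
    for i, r in enumerate(rules):
        if matches(r, flow):
            return i, r
    return None, None


def simulate(spec, rules):
    """Per-flow verdict: (action, deciding rule name) without touching any firewall."""
    report = {}
    for f in spec["flows"]:
        _, r = first_match(rules, f)
        report[f] = (r.action, r.name) if r else ("deny", "<implicit deny>")
    return report


def rules_to_add(spec, rules):
    """For each flow the app needs but the rule base denies, propose one narrow allow
    rule, positioned ahead of the deny that would otherwise shadow it."""
    proposals = []
    for f in spec["flows"]:
        idx, r = first_match(rules, f)
        if r is None or r.action == "deny":
            new = Rule(f"{spec['name']}-{f.proto}-{f.port}", f.src, f.dst,
                       f.proto, (f.port, f.port), "allow")
            proposals.append((len(rules) if idx is None else idx, new))
    return proposals


def apply_proposals(rules, proposals):
    """Insert proposed rules, highest index first so earlier positions stay valid."""
    out = list(rules)
    for pos, rule in sorted(proposals, key=lambda p: p[0], reverse=True):
        out.insert(pos, rule)
    return out


# Constructed application: web tier -> app tier -> database, plus DNS.
APP_SPEC = {
    "name": "payroll-portal",
    "flows": [
        Flow("10.1.0.0/24", "10.2.0.5/32", "tcp", 443),
        Flow("10.2.0.5/32", "10.3.0.10/32", "tcp", 5432),
        Flow("10.2.0.5/32", "10.4.0.53/32", "udp", 53),
    ],
}

# Constructed rule base, evaluated top-down, first match wins.
EXISTING_RULES = [
    Rule("block-db-from-web", "10.1.0.0/24", "10.3.0.0/24", "tcp", (5432, 5432), "deny"),
    Rule("web-to-app", "10.1.0.0/24", "10.2.0.0/24", "tcp", (443, 443), "allow"),
    Rule("deny-db-all", ANY_NET, "10.3.0.0/24", "any", (0, 65535), "deny"),
    Rule("dns-out", "10.0.0.0/8", "10.4.0.53/32", "udp", (53, 53), "allow"),
]


if __name__ == "__main__":
    for flow, verdict in simulate(APP_SPEC, EXISTING_RULES).items():
        print(flow, "->", verdict)
    proposals = rules_to_add(APP_SPEC, EXISTING_RULES)
    for pos, rule in proposals:
        print(f"insert at {pos}: {rule}")
    print(simulate(APP_SPEC, apply_proposals(EXISTING_RULES, proposals)))
```

Run as written, the simulation shows the app-to-database flow is killed by the broad `deny-db-all` rule, and the proposal is a single /32-to-/32 allow on port 5432 placed just above it, rather than the tempting fix of widening or deleting the deny. After the change the web tier is still refused direct access to the database by `block-db-from-web`, which is the least-privilege property a change-simulation step exists to protect.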
Foremski's Take: Tufin's application-centric approach to improving enterprise security makes sense, and it won't take corporations long to realize it's the right approach.
What will take longer is the internal shift in culture, in the app developer teams, which traditionally have not been very security minded.
It's a leadership move by Tufin and one that's well timed. The explosion of apps in the consumer web is driving a tremendous amount of app development in the enterprise. Firewalls can quickly become brick walls or leave security holes open because of badly designed apps.
Managing hundreds of firewalls while trying to support a deluge of apps will quickly turn into a nightmare unless the whole process of application development can be mapped against an organization's firewalls. The app and the firewall have to be in sync and that requires new sets of tools.
Tools such as Tufin's not only provide an easy interface for managing security policies and compliance but they can also be used as an agent of cultural change within organizations because they offer a common ground for the apps and security teams. It helps them communicate with each other, which should lead to better apps.
Topic: Enterprise Software
Monday, December 17, 2012
Wednesday, December 12, 2012
Increasing cloud adoption puts enterprises at risk
December 12, 2012
Enterprises are running one-third of their mission-critical applications in the cloud today and expect to have half of all critical applications running in the cloud by 2015, according to SailPoint.
In many cases, IT organizations are not fully aware of which cloud applications are in use across the enterprise, which makes it more difficult than ever for enterprises to monitor and control user access to mission-critical applications and data. In fact, only 34% of companies bring IT staff into the vendor selection and planning process when a cloud application is procured without using IT's budget, making it very difficult to proactively address security and compliance requirements for those applications.
SailPoint's survey found that business users have gained more autonomy to deploy cloud applications without IT involvement, yet they do not feel responsible for managing access control. In fact, 70% of business leaders believe that IT is ultimately responsible for managing user access to cloud applications. Adding to IT’s challenge, more than 14% of business leaders admit they have no way of knowing if sensitive data is stored in the cloud at all. This lack of visibility and control greatly increases an organization's risk of security breaches, exposure to insider threats and failed audits.
"As organizations adopt cloud applications, they are very likely to increase their risk exposure by putting sensitive data in the cloud without adequate controls or security processes in place," said Jackie Gilbert, VP and GM of SailPoint's Cloud Business Unit. "And this year's survey illustrates how 'at risk' companies already are. Many companies lack visibility not only to what data is in the cloud, but also to who can access that data. It's imperative that companies put in place the right monitoring and controls to mitigate these growing risks."
The consumerization of IT has led to employees taking advantage of new technologies, but will require organizations to evolve their identity and access management processes. For example, while work-based policies such as BYOD give business users the flexibility to use their own mobile devices, those very same mobile devices are being used to access corporate applications in more than 95% of cases.
The ability for users to access corporate applications and data outside of the corporate network puts identity and access management under further strain because IT must now account for user access from a wider variety of devices not completely under their control.
This "consumerization" phenomenon is not only affecting devices but also applications, as many corporate employees are moving beyond BYOD to "bring your own application" (BYOA). BYOA means that today's business users are much more comfortable using consumer or “non-approved” applications for work activities. Less than a third of companies are fully locked down when it comes to application usage at work, which means that these activities frequently take place outside the purview of IT.
Alarmingly, the trend also extends to employees using the same passwords for a variety of accounts spanning their personal and professional lives. About half of the business leaders surveyed stated they frequently use the same password for personal web applications as they do for sensitive work applications. This exposes enterprises to new risks and security vulnerabilities should any of those personal applications experience a security breach.
"For the third year in a row, our Market Pulse Survey shows that the majority of large companies remain very concerned about security breaches and their ability to meet regulatory compliance requirements," said Kevin Cunningham, president of SailPoint. "This is due in part to the ever-changing IT landscape that makes existing identity management issues even larger. The consumerization of IT has put enterprises in a difficult position: they want to provide business users the convenience and flexibility promised by cloud and mobile devices, but they must also make sure controls are in place to monitor and manage who has access to what. Regardless of where customers are with their IAM strategy, they need to proactively consider how to govern these new technologies and behaviors within their corporate policies."
Friday, December 7, 2012
Information Security in the Era of Big Data - PKWARE Blog
The modern business world is faced by the challenge of ever-expanding data volumes. While mountains of information are normally associated with analytics trends such as big data, the amount of digital content in general is rapidly expanding. According to IDC's predictions for 2012, the total amount of digitally stored content will reach 2.7 zettabytes (2.7 billion terabytes) by the end of the year. This represents a 48 percent increase from 2011, and total volume is expected to reach 8 ZB by 2015.
IDC's projections signal a growing data migration to mobile and cloud solutions, with third-party technologies expected to drive 20 percent of IT spending in the coming years. Particularly in emerging markets, mobile devices will play a significant role in the lives of technology professionals.
"As the number of intelligent communicating devices on the network will outnumber 'traditional computing' devices by almost two to one, the way people think about interacting with each other, and with devices on the network, will change," an IDC report stated.
Preparing for the data shift
There are numerous data security questions that must be answered as companies grapple with these trends. Decision makers must be careful in the planning stages to ensure technology partners follow security best practices. Even then, migrating data to the cloud represents a significant risk because the business loses control over the protections used to guard its information, but will still be held responsible if the vendor's system is breached - or when a negligent insider compromises cloud-stored data. Particularly in the era of big data, with information itself a valuable asset, businesses would be wise to keep some control over their data security postures.
Writing for Dark Reading, the CTO of security consulting firm Securosis, Adrian Lane, made note of several security practices that are used in today's technology architecture. Data encryption software is the best solution for protecting files at rest and archival information. This technology makes critical data unreadable to any third party without the encryption key. Lane noted that it is important to leverage a comprehensive mixture of perimeter-based defenses such as network security and data-centric solutions such as file encryption. This will become increasingly important as big data architectures become more common, since most analytics solutions do not provide data protection functionality by themselves.
Monday, December 3, 2012
Bank Agrees to Reimburse Hacking Victim $300K in Precedent-Setting Case
In a case watched closely by banks and their commercial customers, a financial institution in Maine has agreed to reimburse a construction company $345,000 that was lost to hackers after a court ruled that the bank’s security practices were “commercially unreasonable.”
People’s United Bank has agreed to pay Patco Construction Company all the money it lost to hackers in 2009, plus about $45,000 in interest, after intruders installed malware on Patco’s computers and stole its banking credentials to siphon money from its account.
Patco had argued that the bank’s authentication system was inadequate and that it failed to contact the customer after its automated system flagged the transactions as suspicious. But the bank maintained that it had done due diligence because it verified that the ID and password used for the transactions were authentic.
The case raised important questions about how much security banks and other financial institutions should be reasonably required to provide commercial customers.
Small and medium-sized businesses around the country have lost hundreds of millions of dollars in recent years to similar thefts, known as fraudulent ACH (Automated Clearing House) transfers, after their computers were infected with malware that swiped their bank account credentials. Some have been lucky to recover the money from banks that valued their business, but others, like Patco, were told by their banks that they were responsible for the loss.
Although the assets of customers with personal bank accounts are protected under federal law, commercial bank accounts are not. The only recourse such customers have when their bank refuses to assume responsibility for stolen funds is to try to pursue their money in state courts under the Uniform Commercial Code.
People’s United Bank agreed to the settlement only after an appellate court indicated that the bank’s security system and practices had been inadequate under the UCC.
“This case says to banks and to commercial customers … that there are circumstances in which the bank cannot shift the risk of loss back to the customer, and we’re not going to assume that security procedures are commercially reasonable just because the bank has a system that they say is state of the art,” says attorney Dan Mitchell, who represented Patco.
Last year, a U.S. District Court in Maine ruled that People’s United Bank wasn’t responsible for the lost money, and granted the bank’s motions for a summary dismissal of Patco’s complaint. A magistrate agreed with the ruling saying in part that although the bank’s security procedures “were not optimal,” they were comparable to those offered by other banks.
But judges with the First Circuit Court of Appeals ruled last July that the bank’s security system wasn’t “commercially reasonable,” and advised the two parties to try to come to a settlement, which they did about a week ago. Patco will not be reimbursed attorneys’ fees in the settlement.
Patco, a family-owned business in Sanford Maine, sued Ocean Bank, which is owned by People’s United Bank, after discovering in May 2009 that hackers were siphoning about $100,000 per day from its online bank account. The hackers had sent a malicious e-mail to employees that allowed them to surreptitiously install the Zeus password-stealing trojan on an employee computer.
After obtaining Patco’s banking credentials and waiting for its account to fill up with money, the hackers used the credentials to initiate a series of electronic money transfers over seven days. Nearly $600,000 worth of transfers were made out of the account via six transactions before Patco realized it had been hacked.
Ocean Bank, after being notified of the fraud, was able to block about $240,000 in transfers. But Patco was unable to retrieve the rest.
Patco, which had been banking with Ocean Bank for 24 years, sued the bank for failing to notice the fraudulent activity and stop it, saying that its security system was not “commercially reasonable” under the Uniform Commercial Code. Under Article 4A of the code, a bank receiving a payment order generally bears the loss of any unauthorized requests for fund transfers. The code also maintains that the “burden of making available commercially reasonable security procedures” belongs to the bank, because they “generally determine what security procedures can be used and are in the best position to evaluate the efficacy of procedures offered to customers to combat fraud.”
Patco maintained that the bank’s security system was inadequate and that the bank did not comply with its own security procedures.
Although the bank’s security system flagged the transactions as unusually “high-risk” because the timing, value and geographical location of the transactions were inconsistent with the pattern of other transactions Patco had made, the bank didn’t notice the alerts and let the transfers go through without notifying Patco.
Patco generally only made transfers once a week on Fridays, to make payroll payments, and the company made them from computers housed in its offices in Maine, which all used the same IP address. The most it ever transferred was about $36,000. Most of the fraudulent transactions were made in amounts exceeding $90,000, and they were initiated from different IP addresses. The money was also transferred to multiple people who had never received payments from Patco before. The fraudulent activity was caught only after some of the transactions were sent to bank accounts that didn’t exist, causing the transfer to fail. When Patco was notified about the failed transactions, they determined the transactions had never been authorized.
Patco accused the bank of failing to implement “best” security practices, such as requiring customers to use multifactor authentication.
The bank used a system called NetTeller, made by Jack Henry & Associates, a firm that works with numerous banks. Jack Henry uses the same system for 1,300 of its 1,500 bank customers. The system offers a number of authentication options, but the bank rejected most of them, and also configured the system in a way that made it more risky for customers like Patco.
“They had a decent system, but they configured it improperly and they didn’t use it properly,” says Mitchell.
Although the system used challenge questions to ferret out fraudsters, the system only used three security questions, and asked one or more of them at every transaction Patco made. Because the hackers had installed keystroke logging software onto Patco’s computers, they were able to record not only the user name and password for the account, but the responses to the three security questions that Patco employees set up for the account.
The appellate court ruled that the bank had substantially increased the risk of fraud by asking the security questions with every transaction and that this, in conjunction with a number of other failures, rendered the security system unreasonable.
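The signals the court describes (day of week, amount, source IP address, payees never paid before) and the consequence of asking the challenge questions on every transaction can both be worked through in code. The following is an added example, not the bank's or Jack Henry's system; the customer history, the fraudulent order, the secret answers and the keystroke logger are all constructed for illustration. It scores each order against the customer's own baseline, decides whether a challenge is required under an "always" policy versus a risk-based one, and counts how many challenge answers malware on the customer's PC would have harvested from ordinary payroll sessions under each policy.

```python
"""Risk scoring of payment orders against a customer's own baseline, with a
step-up challenge policy and a keystroke-logger simulation.  Added example;
all data below is constructed, not Patco's or the bank's records."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Transfer:
    when: datetime
    amount: float
    src_ip: str
    payee: str


@dataclass
class Baseline:
    """What 'normal' looks like for one customer, learned from its history."""
    weekdays: set
    ips: set
    payees: set
    max_amount: float

    @classmethod
    def from_history(cls, history):
        return cls(
            weekdays={t.when.weekday() for t in history},
            ips={t.src_ip for t in history},
            payees={t.payee for t in history},
            max_amount=max(t.amount for t in history),
        )


def risk_score(t, baseline):
    """Count the ways an order departs from the baseline; return (score, reasons)."""
    reasons = []
    if t.when.weekday() not in baseline.weekdays:
        reasons.append("unusual day of week")
    if t.src_ip not in baseline.ips:
        reasons.append("unseen source IP")
    if t.payee not in baseline.payees:
        reasons.append("first payment to this payee")
    if t.amount > baseline.max_amount:
        reasons.append("amount above historical maximum")
    return len(reasons), reasons


HIGH_RISK = 2  # two or more deviations: flag the order and step up authentication


def requires_challenge(t, baseline, policy):
    """'always' challenges every order (the configuration the court criticised);
    'risk_based' challenges only orders scoring HIGH_RISK or above."""
    if policy == "always":
        return True
    return risk_score(t, baseline)[0] >= HIGH_RISK


class Keylogger:
    """Malware on the customer's PC: records every string the user types."""
    def __init__(self):
        self.captured = set()

    def observe(self, text):
        self.captured.add(text)


def customer_session(t, baseline, policy, secrets, keylogger):
    """The legitimate customer submits an order, typing whatever the bank asks for."""
    keylogger.observe(secrets["password"])
    if requires_challenge(t, baseline, policy):
        for answer in secrets["answers"].values():
            keylogger.observe(answer)


# Constructed history: weekly Friday payroll, one office IP, one payee, <= $36k.
HISTORY = [
    Transfer(datetime(2009, 4, 3), 34_500.0, "203.0.113.10", "payroll-processor"),
    Transfer(datetime(2009, 4, 10), 35_200.0, "203.0.113.10", "payroll-processor"),
    Transfer(datetime(2009, 4, 17), 33_900.0, "203.0.113.10", "payroll-processor"),
    Transfer(datetime(2009, 4, 24), 36_000.0, "203.0.113.10", "payroll-processor"),
]
# Constructed fraudulent order: a Thursday, from elsewhere, to a stranger, for $91k.
FRAUD = Transfer(datetime(2009, 5, 7), 91_000.0, "198.51.100.77", "unknown-payee")
SECRETS = {"password": "hunter2",
           "answers": {"q1": "Portland", "q2": "Rex", "q3": "Sanford High"}}


def run_scenario(policy):
    """Replay the customer's sessions under `policy`, then let the attacker try."""
    baseline = Baseline.from_history(HISTORY)
    kl = Keylogger()
    for t in HISTORY:
        customer_session(t, baseline, policy, SECRETS, kl)
    answers = set(SECRETS["answers"].values())
    challenged = requires_challenge(FRAUD, baseline, policy)
    # The attacker can answer a challenge only with what the keylogger saw.
    attacker_passes = SECRETS["password"] in kl.captured and (
        not challenged or answers <= kl.captured)
    return {
        "flagged": risk_score(FRAUD, baseline)[0] >= HIGH_RISK,
        "challenged": challenged,
        "answers_leaked": len(answers & kl.captured),
        "attacker_passes": attacker_passes,
    }


if __name__ == "__main__":
    for policy in ("always", "risk_based"):
        print(policy, run_scenario(policy))
```

Under both policies the fraudulent order scores four out of four and is flagged, which matches the article: the bank's system did raise the alert. The difference is what the flag buys. With challenges on every transaction the keylogger already holds all three answers after one ordinary payroll run, so the step-up is theatre; with a risk-based policy the attacker reaches the challenge with nothing but the password. A production scorer would weight signals and use continuous features rather than count deviations, but the lesson about when to ask a shared secret does not depend on that.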
Although the UCC places some burden on the customer to “exercise ordinary care,” the court found that it was unclear what obligations a customer had when the bank’s security system was found to be commercially unreasonable.
Patco is not the first company to sue its bank over fraudulent money transfers. Experi-Metal sued its bank, Comerica, in 2009 after losing more than $550,000 in fraudulent wire transfers. Other cases are wending their way through courts around the country.
In 2010, the FBI disrupted a multinational cybertheft ring involving fraudulent ACH transfers. The thieves, using the Zeus malware, targeted small and medium-sized businesses, municipalities, churches and individuals. The scammers were able to steal more than $70 million from victims.
Security experts debate moving critical infrastructure online
Paul Simmonds, Co-Founder of The Jericho Forum, has suggested that companies attempting to reduce costs by moving critical systems online could be opening themselves up to cyber attacks. Speaking at the Cybergeddon 2012 event, Mr Simmonds’ comments were echoed by other security experts – citing the discovery of highly advanced malware this year as a reason for greater caution.
This comes shortly after a researcher at security firm Exodus Intelligence discovered 23 vulnerabilities in industrial control systems from a variety of manufacturers, and the identification of further SCADA application vulnerabilities by Italian security company ReVuln last week.
Paul Davis, Director of Europe at FireEye has made the following comments:
The message is clear – when it comes to critical infrastructure, extreme vigilance is needed when taking the leap of faith into the online world, and cost saving cannot be the cause of any premature decision making. As our world becomes increasingly connected, with the internet controlling more aspects of daily life – the change needs to be reflected in the way that we think about security.
The security implications of the Internet of Things are enormous, and are still widely misunderstood. However, while data loss and fraud are terrible outcomes of a breach, an intrusion on our control systems could have significantly more devastating consequences.
For SCADA systems in particular, it is essential that the security of the management platforms behind them is absolutely bulletproof – as any web-based attack on these systems would first have to penetrate this layer before moving on to the final target. As such, rapid detect and response solutions must be in place to thwart any threats immediately – and as evidenced by the calibre of malware being discovered today, traditional security tools simply do not go deep enough.
The rate at which international cybercrime is evolving has created a very steep learning curve for us all. GCHQ and other government organisations are doing a good job of publicising their efforts to boost collaboration, funding and overall cyber readiness initiatives – and hopefully with the right investment in the most appropriate defences, we will be well on our way to becoming a centre of cyber security excellence.
Paul Simmonds, Co-Founder of The Jericho Forum, has suggested that companies attempting to reduce costs by moving critical systems online could be opening themselves up to cyber attacks. Speaking at the Cybergeddon 2012 event, Mr Simmonds’ comments were echoed by other security experts – citing the discovery of highly advanced malware this year as a reason for greater caution.
This comes shortly after a researcher at security firm Exodus Intelligence discovered 23 vulnerabilities in industrial control systems from a variety of manufacturers, and the identification of further SCADA application vulnerabilities by Italian security company ReVuln last week.
Paul Davis, Director of Europe at FireEye has made the following comments:
The message is clear – when it comes to critical infrastructure, extreme vigilance is needed when taking the leap of faith into the online world, and cost saving cannot be the cause of any premature decision making. As our world becomes increasingly connected, with the internet controlling more aspects of daily life – the change needs to be reflected in the way that we think about security.
The security implications of Internet of Things are enormous, and are still widely misunderstood. However, while data loss and fraud are terrible outcomes of a breach, an intrusion on our control systems could have significantly more devastating consequences.
For SCADA systems in particular, it is essential that the security of the management platforms behind them is absolutely bulletproof – as any web-based attack on these systems would first have to penetrate this layer before moving on to the final target. As such, rapid detect and response solutions must be in place to thwart any threats immediately – and as evidenced by the calibre of malware being discovered today, traditional security tools simply do not go deep enough.
Sunday, November 25, 2012
1 million dollars hacked in 60 seconds from CitiBank
Posted by Mohit Kumar on 10/31/2012 03:38:00 AM
The FBI has arrested 14 people over the theft of $1 million from Citibank using cash advance kiosks at casinos located in Southern California and Nevada.
Authorities say the suspects would open accounts at Citibank, then go to casinos in California and Nevada and withdraw the money from cash-advance kiosks as many times as they could in a 60-second span. Someone had figured out that a glitch prevented Citibank from recording the extra withdrawals.
FBI agents assisted by the Glendale Police Department and the Los Angeles Police Department arrested 13 of the defendants in the Los Angeles area Wednesday and Thursday.
The suspects used the money to gamble and were given comped hotel rooms because of the amount they were spending, according to the FBI. Withdrawals were kept under $10,000 to avoid federal transaction reporting requirements, the FBI release read.
FBI Special Agent in Charge Daphne Hearn commented, “While advancements in technology have created a world of accessibility to users and a convenience for consumers, they have also left room for criminals to exploit even the smallest of loopholes. For over 100 years the FBI has kept pace with technological and communication changes in the business world where these types of electronic transactions are the standard and we will continue to do so in order to help protect commercial enterprise and our nation’s economy.”
Prosecutors said the suspects allegedly withdrew about $1 million during an eight-month period. FBI agents said the loophole in the Citibank system has now been closed.
5,500 ABN customers fall victim to internet banking fraud
Source: www.security.nl, 25 November 2012
In the first eleven months of this year, 5,500 customers of ABN AMRO have fallen victim to internet banking fraud, the bank said in a broadcast of the television programme Zembla. This covers both phishing and malware such as banking Trojans. Last year, according to the banks, 8,000 Dutch people fell victim to internet banking fraud.
Since ABN AMRO alone already stands at 5,500 victims this year, it is very likely that this number will be exceeded once the still unknown figures from ING and Rabobank are added.
In 2011, 35 million euros were stolen through phishing and banking Trojans. Zembla states that banking Trojans could cause as much as 50 million euros in damage this year. In the first half of this year the damage already amounted to 27.3 million euros, according to the Dutch Banking Association (Nederlandse Vereniging van Banken).
Ransomware
Besides banking Trojans, Zembla also paid attention to ransomware, the malware that locks computers for ransom and has been used increasingly since 2005. One of the victims claims that she picked up ransomware while visiting the website of the Belastingdienst (the Dutch tax authority).
Pim Takkenberg, team leader of the High Tech Crime Unit (HTCU), says that of the 250 reports filed with the police, 50 victims actually paid the ransom. Since most ransomware in the Netherlands demands 100 euros, that would amount to roughly 5,000 euros.
Solution
Remarkably, the broadcast never once mentions how simply consumers can protect themselves against this kind of ransomware and banking Trojans so that they can still bank online safely. One of the victims still does not know how she got infected and is constantly afraid while browsing that it will happen again.
Most banking Trojans and ransomware still manage to infect computers because end users do not update their software or open attachments and files they should not open.
Friday, November 23, 2012
Tech Journal: How to Protect Your Emails
By Amit Agarwal
When you send an email, it goes through your Internet Service Provider and a series of mail servers before reaching the recipient’s computer.
Can someone else – such as your network administrator, your ISP, or law-enforcement agencies – intercept and read that confidential message without you knowing?
The odds that someone is snooping on your emails could be low, but even so, the communication may not be as private as you might like. Here are some basic steps you can take to secure your emails:
First, turn on HTTPS Everywhere. When you access your email accounts over a secure HTTP connection (or https), all the traffic flowing between your computer and the mail server will be encrypted, so the bytes, if intercepted, appear as gibberish to any potential snooper.
Second, if you are accessing your email accounts on a public Wi-Fi network – like in a hotel lobby – it might be a good idea to use a VPN service to access the web. Unlike HTTPS, which works only for select websites, a VPN service will encrypt all traffic between your computer and the Internet, protecting your data from the Wi-Fi eavesdroppers. TunnelBear is free VPN software available for PCs and Macs. It doesn’t require configuration – all you have to do is turn the knob to “ON” and you are protected.
Next, if you are sending confidential messages via email, you should encrypt them before they leave the computer. Encryption may sound like a complex word to most users, but the concept is easy to understand and implement.
It works something like this: Write an email message in plain text and an encryption program will scramble your words into something incomprehensible. When you send this encrypted email, the intended recipient can apply a secret key to reveal your original message. If the message is intercepted, the text won’t make any sense without that secret key.
There are different algorithms to encrypt messages but the most popular and secure of them all is PGP, or Pretty Good Privacy.
To get started, you need to enter your email address and a secret passphrase, which the PGP program will use to generate a unique public key and a private key for you. Share this public key among friends with whom you wish to exchange encrypted messages. They can also generate their own public and private keys using their email addresses (and secret passphrases) and then pass on the public key to you. This is a one-time process.
You can now compose an email message as before, but before hitting the send button, let the PGP program scramble your message using the public key of your friend. When this scrambled message reaches their mailbox, they can easily decrypt it using their private key. If they want to send a reply to you, the process will be similar except they will now use your public key to encrypt the reply message.
That’s broadly how PGP works. Implementing it is simple with Mailvelope, a Chrome add-on that integrates encryption and decryption capabilities into your web email program. The add-on will generate your secret keys, store the keys of your friends and, best of all, it will automatically detect incoming messages that contain encrypted text, allowing you to decrypt them with a click.
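The key exchange and round trip described above, as an added example that is not from the article, from PGP or from Mailvelope: a Go model of the flow using a hybrid scheme (a fresh AES-256-GCM session key sealed with the recipient's RSA-OAEP public key) rather than the OpenPGP format itself. The Keypair and Envelope types, Send, and any e-mail addresses used with them are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Keypair models the key pair a PGP program generates for one e-mail address
// (hypothetical type for this example; not an OpenPGP key).
type Keypair struct {
	Email   string
	Private *rsa.PrivateKey // never leaves the owner's computer
	Public  *rsa.PublicKey  // the half you pass on to friends
}

// GenerateKeypair is the article's one-time setup step for one person.
func GenerateKeypair(email string) (*Keypair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Keypair{Email: email, Private: priv, Public: &priv.PublicKey}, nil
}

// Envelope is the scrambled message that travels through the mail servers.
type Envelope struct {
	WrappedKey []byte // per-message AES key, sealed to the recipient's RSA public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // message body, encrypted and integrity-protected
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt scrambles plaintext for whoever holds the private key matching recipientPub.
func Encrypt(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // fresh AES-256 key for this message only
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Only the matching private key can unwrap the session key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt is what the recipient's program does with their private key. A snooper's
// key fails at the unwrap step; a body altered in transit fails the GCM check.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("not addressed to this private key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("message was altered in transit")
	}
	return plaintext, nil
}

// Send models one leg of the article's flow: the sender scrambles text with the
// recipient's public key and the recipient opens it with their private key.
// Calling it once in each direction is the message-and-reply exchange.
func Send(to *Keypair, text string) (string, error) {
	env, err := Encrypt(to.Public, []byte(text))
	if err != nil {
		return "", err
	}
	got, err := Decrypt(to.Private, env)
	if err != nil {
		return "", err
	}
	return string(got), nil
}
```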
Amit Agarwal writes a tech blog and is also on Twitter, YouTube and Facebook.
You can follow India Real Time on Twitter @indiarealtime
Thursday, November 22, 2012
Friday, November 16, 2012
NASA Encrypting Laptops After Breach
Stolen Device Contained Sensitive Information
By Howard Anderson, November 15, 2012.
The National Aeronautics and Space Administration is ramping up efforts to encrypt all laptops following the recent theft of an unencrypted device containing sensitive personal information.
Commenting on the Oct. 31 breach, NASA spokesman Michael Braukus tells Information Security Media Group: "Currently, it is estimated that 10,000 people have been affected, but the final number could be higher. Affected individuals identified to date include people who have applied for access to NASA information or facilities. The effort to identify all those who were affected is ongoing."
Details of Theft
In an e-mail to employees, Richard Keegan Jr., NASA's associate deputy administrator, reveals that the laptop was stolen from an employee's locked vehicle. The device contained personally identifiable information on "a large number of NASA employees, contractors, and others," according to the e-mail, obtained by the news site SpaceRef. Braukus offers further details. "The computer was password-protected, but some of the specific files were not encrypted as required by NASA policy," he says. "The hard drive also had not yet received the whole-disk encryption software as part of the ongoing agency-wide effort."
NASA is assessing whether the data breach resulted from any violations of the agency's security policy and procedures, Braukus adds. "Effective immediately, no NASA-issued laptops containing sensitive information can be removed from a NASA facility unless whole disk encryption software is enabled or the sensitive files are individually encrypted," the e-mail announcement from Keegan states.
"Center CIOs have been directed to complete the whole disk encryption of the maximum possible number of laptops by Nov. 21," the announcement notes. NASA plans to complete its stepped-up laptop encryption effort by Dec. 21, "after which time no NASA-issued laptops without whole disk encryption software, whether or not they contain sensitive information, shall be removed from NASA facilities," according to the e-mail.
Credit Monitoring Offered
NASA is offering those affected by the breach free credit monitoring and related services from ID Experts, the e-mail from Keegan states. "Because of the amount of information that must be reviewed and validated electronically and manually, it may take up to 60 days for all individuals impacted by this breach to be identified and contacted." The e-mail reminds employees that they must not store sensitive data on smart phones or other mobile devices. And it states that sensitive files that are no longer required for immediate work needs should be purged from laptops but maintained on a shared drive if necessary for records retention purposes.
This is the second incident of a stolen unencrypted laptop at NASA this year. Braukus confirms that a human resources staffer at NASA's Kennedy Space Center reported on March 5 that an agency laptop was stolen the previous night from the employee's personal vehicle parked outside her private residence in Florida. The laptop, which contained personally identifiable information, was not recovered, he adds.
NASA Statement
The following is the official statement on the incident that NASA provided to Information Security Media Group: "NASA takes the issue of information technology security very seriously, and the administrator has ordered a complete review of this incident and a report on the agency's progress to better protect its information technology systems, including laptop computers. NASA's inspector general is investigating the theft of the laptop in cooperation with local authorities. NASA regrets this incident and the inconvenience it has caused for those whose personal information may have been exposed. The agency is in the process of assessing the loss of the computer, reviewing procedures, and alerting individuals who may be affected. NASA is taking immediate steps to prevent future occurrences of personally identifiable information data loss. The administrator and the chief information officer have directed that, effective immediately, no NASA-issued laptops containing sensitive information can be removed from a NASA facility unless whole disk encryption software is enabled or the sensitive files are individually encrypted. In the meantime, employees who are teleworking or travelling will need to use loaner laptops if their NASA-issued laptops contain unencrypted sensitive information."
Thursday, November 8, 2012
Protecting against cyberterrorism
November 1, 2012, 7:24 pm
The gravest threat to businesses and governments these days may not be recessions, hurricanes or wars - it may be cyberterrorism.
The latest example comes from Aramco, the Saudi Arabian oil company, which was hit by a sophisticated virus a few months ago, making it one of the most destructive attacks ever on a single company.
Three-quarters of their hard drives were erased, and replaced with a burning American flag.
The virus was believed to be the work of Iran.
What's more is that it was, according to the New York Times, retaliation for viruses the U.S. and Israel have aimed at Iranian computer systems in the past few years.
Aramco may have been more vulnerable because of the way it handled its administrative and privileged computer accounts and passwords.
Joining NECN to take a closer look at this threat and what you can do to better protect your company is Udi Mokady, president and CEO of the Newton, Mass.-based cyber security company, Cyber Ark Software.
Watch the attached video for the complete interview.
Tags: businesses , cyberterrorism, governments, Aramco, Udi Mokady, Cyber Ark Software, computer viruses
Wednesday, November 7, 2012
A White House order on cyber security would be a step in the right direction for safeguarding networks.
FOR
Richard C. LaMagna, president, LaMagna and Associates
State-sponsored cyber attacks require a state-led response. President Obama's planned executive order (E.O.) in response to the defeated U.S. Cybersecurity Act of 2012 (CSA) will allow federal agencies to propose new security standards for critical infrastructure industries. It will also create a council of federal agencies, led by the Department of Homeland Security, to report on cyber threats, many state-sponsored by China.
The [failed cyber security] bill called for voluntary standardized security practices, liability protection, priority assistance and access to classified information for companies that control the nation's critical infrastructure.
Critics argue the provisions are hallmarks of an intrusive government, that liability protection is inadequate, that non-participating companies would be penalized and that voluntary standards will stifle innovation.
Such ideological myopia is both wrong and dangerous. The federal government must play a lead role in protecting the country and its institutions.
AGAINST
Liz Wright, principal systems engineer, Lockheed Martin
The business of government is government, not private sector. Government safeguarding government assets is appropriate; however, declaring private sector part of the government “critical infrastructure” is a nebulous definition at best.
Collaboration among partners is laudable given an equal footing, but when one partner holds authority or provides direction to other partners, the collaborative facade evaporates. Information sharing is desirable among teammates; dialogue is bi-directional. Open communication is key.
Cyber security needs responsible, accountable, technically savvy individuals to drive vision and create the way forward, not politicians who drive meaningless mandates. In the ever-changing landscape where cyber space meets business, private sector in America still means businesses are accountable to shareholders, employees, and customers.
Who knows business best? Who protects our assets? He who owns a thing, controls the thing. That's how democracy works.
Thursday, October 18, 2012
Gartner Says IT Supply Chain Integrity Will Be Identified as a Top Three Security-Related Concern by Global 2000 IT Leaders by 2017
by Press Releases on October 18, 2012
Gartner’s Maverick Research Special Report Sparks New, Unconventional Insights
STAMFORD, Conn., October 18, 2012 — Enterprise IT supply chains will be targeted and compromised, forcing changes in the structure of the IT marketplace and how IT will be managed moving forward, according to Gartner, Inc. By 2017, IT supply chain integrity will be identified as a top three security-related concern by Global 2000 IT leaders.
These findings are produced as part of Gartner’s Maverick research. Maverick research is designed to spark new, unconventional insights. Maverick research is unconstrained by our typical broad consensus-formation process to deliver breakthrough, innovative and disruptive ideas from our research incubator.
Supply chain integrity is the process of managing an organization’s internal capabilities, as well as its partners and suppliers, to ensure all elements of an integrated solution are of high assurance. The need for integrity in the IT supply chain is necessary, whether the solution is developed in-house or purchased from a third party.
“IT supply chain integrity issues are real, and will have mainstream enterprise IT impact within the next five years,” said Neil MacDonald, research vice president and Gartner Fellow. “In the shorter term, the market for information security offerings will fragment along geopolitical lines. In the longer term, the same will happen for OSs and other IT system infrastructure software, reshaping the IT landscape moving forward. Enterprise IT departments must begin to make changes today to protect their systems and information in a world where all IT systems are suspect. These changes in information protection strategies will help enterprises embrace and adopt cloud computing and consumerization, which have strikingly similar issues with untrusted systems.”
“IT supply chain integrity issues are expanding from hardware into software and information,” said Ray Valdes, research vice president at Gartner. “They are growing more complex as IT systems are assembled from a large number of geographically diverse providers, and, now of mainstream concern to enterprise IT. These issues are not just about defense and intelligence. This has significant implications for businesses, governments and individuals moving forward in a world where the integrity of the IT supply chain is no longer completely trustable, and where all layers of the IT stack will be targeted for supply chain compromise.”
The IT supply chain has become more complex, fine-grained, globally distributed and volatile in the sense that rapid change provides the opportunity to introduce compromises. Hardware vendors are increasingly outsourcing not just manufacturing, but also design to OEM suppliers and contractors located in Asia and India. In some cases, established Asian suppliers are outsourcing to emerging economies, such as Brazil, Vietnam and Indonesia. This is a complex problem, since most hardware systems are a conglomeration of components and subsystems procured from a large number of individual providers.
However, Gartner analysts said most hardware systems include software-based elements (at a minimum, firmware and drivers), with the trend to shift more intelligence out of hardware and into software. In an information- and software-based economy, IT supply chain integrity must extend to include the following:
Software supply chains — This includes components, frameworks, middleware, language platforms, virtual machines (VMs) and operating systems (OSs), but also the software infrastructure and environment for software distribution and updates (such as DNS, identity, application store packaging and digital certificates).
Ensuring the integrity of software supply chains is a more difficult problem because of the increased use of offshore development, the relative ease of cloning software, and the ongoing need to keep software patched and updated via trusted mechanisms.
Information supply chains — Information is now becoming available from a variety of sources — from partners, suppliers and cloud-based services, such as data from Google Maps, Twitter, Facebook and Amazon. This information can be incorporated into connected applications, information marketplaces and the information integrated from partners in an extended supply chain ecosystem. Critical decisions will be based on information assembled from many other sources, creating a similar supply chain integrity issue to that of hardware and software.
Additional information is available in the report, “Maverick* Research: Living in a World Without Trust: When IT’s Supply Chain Integrity and Online Infrastructure Get Pwned.” The report is part of the Gartner Special Report “Drive Disruptive Innovation with Maverick* Research.” This Special Report explores high-impact future scenarios that help companies think differently to uncover opportunity and enable innovation. This collection of research is intentionally disruptive and edgy to help IT leaders get ahead of the mainstream and take advantage of trends and insights that could impact their IT strategy and their organization. The Special Report is available at http://www.gartner.com/technology/research/maverick/.
Mr. MacDonald and Mr. Valdes will provide additional analysis at Gartner Symposium/ITxpo in Orlando, October 21-25.
About Gartner Symposium/ITxpo
Gartner Symposium/ITxpo is the world’s most important gathering of CIOs and senior IT executives. This event delivers independent and objective content with the authority and weight of the world’s leading IT research and advisory organization, and provides access to the latest solutions from key technology providers. Gartner’s annual Symposium/ITxpo events are key components of attendees’ annual planning efforts. IT executives rely on Gartner Symposium/ITxpo to gain insight into how their organizations can use IT to address business challenges and improve operational efficiency.
IBM releases ten integrated security solutions
Posted on 18 October 2012.
IBM announced a broad set of security software to help holistically secure data and identities.
IBM’s new software capabilities help clients better maintain security control over mobile devices, mitigate internal and external threats, reduce security risks in cloud environments, expand database security to gain real-time insights into big data environments such as Hadoop, and automate compliance and data security management.
Along with IBM Security Services and IBM’s world-class research capabilities, this set of scalable capabilities supports a holistic, proactive approach to security threats spanning people, data, applications and infrastructure.
“A major shift is taking place in how organizations protect data,” said Brendan Hannigan, General Manager, IBM Security Systems. “Today, data resides everywhere—mobile devices, in the cloud, on social media platforms. This is creating massive amounts of data, forcing organizations to move beyond a traditional siloed perimeter to a multi-perimeter approach in which security intelligence is applied closer to the target.”
According to the 2012 IBM Global Reputational Risk and IT Survey, global senior executives identified IT risks -- ranging from data thieves to the use of emerging technologies including cloud, mobile and social media -- as a major cause of concern. IBM is unveiling ten new products and enhancements to help organizations deliver real time security for big data, mobile and cloud computing.
Real time security for big data environments
As information grows in volume, variety, and velocity, organizations are looking beyond relational data sources to find insights, to make businesses more agile and to answer questions that were previously considered beyond their reach. Today, state of the art technologies including Hadoop based environments have opened the door to a world of possibilities.
At the same time, as organizations ingest more data, they face significant risks across a complex threat landscape and they are subject to a growing number of compliance regulations. Traditional approaches to data protection are often unable to meet these requirements.
With today’s announcement, IBM is among the first to offer data security solutions for Hadoop and other big data environments. Specifically, Guardium now provides real time monitoring and automated compliance reporting for Hadoop based systems such as InfoSphere BigInsights and Cloudera. With federated controls across data sources, clients can understand data and application access patterns, help prevent data leakage and enforce data change controls.
Built-in audit reporting can be used to generate compliance reports on a scheduled basis, distribute them to oversight teams for electronic sign-offs and escalation, and document the results of remediation activities. Organizations can also automate the detection of vulnerabilities and suggest prioritized remedial actions across heterogeneous infrastructures. In addition, IBM offers data masking to de-identify sensitive data as it moves into and out of big data systems.
Mobile security framework improves access and threat protection
Today IBM is announcing risk-based authentication control for mobile users, integration of access management into mobile application development and deployment as well as enhanced mobile device control. IBM is also announcing a comprehensive Mobile Security Framework to help organizations develop an adaptable security posture to protect data on the device, at the access gateway and on the applications.
With the launch of its new access management capabilities, IBM now offers greater context-aware access control for mobile users, improved mobile threat protection and enhanced mobile device control. With a broad portfolio of solutions for mobile security and management, including solutions for mobile application security and mobile security intelligence, IBM can help protect against security breaches, whether malicious or unintentional (for example, through risky employee access to data and applications), anytime, anywhere and from any device.
Furthermore, with the simplicity of these mobile devices making them pervasive and seamlessly integrated into consumers’ everyday lives, new threats are evolving based on popular mobile-based activities such as retail purchases, managing bank accounts and updating social networks. The ubiquitous nature of mobility across both businesses and consumers requires that securing the smartphone encompass the device, the network and the applications on the device so that employees, consumers and even partners know their transactions are being executed across a secure environment.
IBM transforms cloud security from an inhibitor to an enabler
While the cloud can increase productivity with anywhere, anytime information access, it can also introduce additional challenges for enterprise security. To realize the value that cloud computing presents, organizations are looking for integrated security solutions to help address the risks.
IBM today is announcing security portfolio enhancements designed to address these new challenges, providing improved visibility and increased levels of automation and patch management to help demonstrate compliance, prevent unauthorized access and defend against the latest threats using advanced security intelligence.
With IBM’s new SmartCloud for Patch Management solution, patches are managed automatically regardless of location, and remediation cycles are reduced from weeks to hours, thereby reducing security risks. Additionally, IBM is announcing enhancements to its QRadar Security Intelligence Platform, which provides a unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and security-related data from distributed locations, using the cloud to obtain greater insight into enterprise-wide activity and enable better-informed business decisions.
The new IBM Security Privileged Identity Manager is designed to proactively address growing insider threat concerns and help demonstrate compliance across the organization. IBM Security Access Manager for Cloud and Mobile, which provides enhanced federated single sign-on to cloud applications, is now available with improved out-of-the-box integration with commonly adopted SaaS applications and services.
IBM’s new software capabilities help clients better maintain security control over mobile devices, mitigate internal and external threats, reduce security risks in cloud environments, expand database security to gain real-time insights into big data environments such as Hadoop, and automate compliance and data security management.