Although the promise of reduced costs has appealed to many enterprises looking to migrate legacy network systems to virtualization, security experts warn that the move must not trump careful contemplation and scrutiny by today's CIOs and IT leadership.
The threats to applications are evolving beyond the simple notion of "find exploit, access system, steal current data."
Available solutions are challenged to detect and protect identity and authenticate users.
With massive DDoS attacks targeting specific accounts, online banking and other e-commerce activities are under seige.
The easiest way to compromise a corporate network is through a user running a browser application.
In the face of constant and insidious threats from organized companies and government agencies are often hard-pressed to know where to draw the line in the sand.
At a recent SC Magazine Rountable, information security and compliance professionals discussed how changes in technology are leading to an evolution in their roles.
More and more enterprises are embracing cloud computing, both through service agreements and private development, to gain greater efficiencies and better scalability in tough economic times.
The strong perimeter defenses that for years defined network security have, for the most part, become merely a small inconvenience to those determined enough to get in.
Global companies facing a slew of regional laws, as well as small and midsized companies required to meet regulatory demands, need governance, risk and compliance solutions.
Companies tout their privacy measures, but ensuring protection requires more than lip service.
While cost reductions are a leading factor in the migration to cloud environments, security in virtualized implementations is still a concern.
The theft or misuse of corporate assets and customer data poses challenges, but there are strategies and tools to put in place to help mitigate the possibility.
Exposing and defeating cyber criminal campaigns out for financial gain or trade secrets is the challenge of the day, but there are strategies and tools available to help.
Instead of spending billions of dollars to supply massive armies, today's adversaries hire code-writers to create attacks that run autonomously for years with little or no human intervention.
As targeted attacks scale up and become more sophisticated, expertise in risk management has become one of the most in-demand skill sets a security manager can have, reports Jim Romeo.
Keeping track of patient data is the most critical duty for health care security professionals. At a recent SC Magazine Health Care Roundtable, a number of leaders in charge of their company's network security operations got together to discuss the concerns and solutions available. Alarms were raised over the preponderance of data breaches and the attention they garner in the press. Damage to the company brand, adhering to compliance requirements, loss of customer trust, costs subsequent to an incursion, as well as costs for appliances and services to mitigate attacks, were all topics under discussion at the gathering. Dual-factor authentication, encryption, SIEM, awareness training, and identity management were among the technologies being rolled out by our panel. But, following policies, educating the workforce and knowing what users are doing is key as well.
Web applications are a major cause of network breaches, and new attacks are continually occurring just out of view. While a two-factor authentication approach can reduce vulnerabilities, this system alone will not eliminate the problem. Identifying network vulnerabilities requires adding multiple combinations of factors to guard against the possibility of credentials being stolen or misused.
In today's environment, potential attackers have all the time they need to mount a sustained intrusion against a target company or government agency. While companies need to understand past attacks so they don't happen again, it is crucial to look forward and protect data against future breaches. And, one way to achieve this is to put a greater emphasis on embedding security directly into enterprise data to stop outsider attacks, and to make data that is compromised unreadable and unusable. A number of other strategies are explored as well in this latest ebook from SC Magazine.
Leaders gathered at the SC Magazine Government Security Roundtable agreed that not just technology is needed to thwart attackers, but skilled personnel backed by the C-suite as well, reports Illena Armstrong.
In the old days, a cyberthief would play a numbers game, sending out millions of emails with a compromised link, for example, with the hope that one percent of recipients would respond. Nowadays, in an advanced persistent threat (APT) attack - such as recent, high-profile incursions Stuxnet and Operation Shady RAT - the perpetrator spends a considerable amount of time researching a specific target, often customizing malware so that its signature cannot be identified by any existing anti-virus or anti-malware software. Too, these attackers have significant resources, both financially and technologically, and motivation that might not have anything to do with pure financial gain. The good news: there are resources available for companies to combat APTs.
While IPv6, the latest internet protocol, has been an approved standard for more than a decade, and internet experts have been warning about the sharp decrease in available IPv4 addresses, it languishes as an unappreciated and under-used protocol - a solution waiting for the problem to be acknowledged. The move to IPv6 will alleviate some network management issues and it will enable IP addresses to be assigned automatically to any new device with virtually no fear of duplicating that address. Yet, owing to the lack of dire consequences and the potential high cost of migration, many companies are sitting tight on their legacy network infrastructure.
Negotiating the minefield that is governance, risk and compliance (GRC) can be a daunting task for corporate, financial and IT executives alike. With companies facing significantly greater risks due to government and private industry compliance regulations that vary from country to country, combined with significantly increased litigation, most managers are searching for new ways to decrease their risk profile while continuing to scale back on costs and personnel. While software can help, it needs to understand the overall business goals and environment in order to judge risk appropriately.
If ever there was any doubt whether the security industry had found a way to stop cyberespionage, the activities of the past few months should put that to rest. Hactivist groups Anonymous and LulzSec have made it clear that no computer network, not even those of security companies, are immune from penetration. Enhanced spam-filtering technology and increased user awareness are critical in combatting cyber offenses, but companies must assume their systems are already breached and should therefore analyze their network for inappropriate activity. Perhaps today's top challenge facing senior IT personnel is to get the C-suite to sign off on implementing a 24/7 security system before the enterprise suffers a breach.
For many companies that process credit cards or retail customers' credit card data, the requirements of the Payment Card Industry Data Security Standard (PCI DSS) are all too familiar. But should companies that do not process credit cards implement the same data security restrictions as mandated for those that do? In this latest ebook from SC Magazine, we examine how even those companies not needing to adhere to the credit card guidance can benefit from the rules that PCI DSS lays out. Encryption and logging technologies are a boon to any company in need of protecting its internal or customer data. And some smaller companies are benefitting from promoting their businesses as PCI compliant.
Knowing what is going on so you can figure out what to do is one of the biggest challenges facing the enterprise today. Without situational awareness, investigations would require looking into a number of systems and collating incomplete information to get the bigger picture. For many IT administrators, the ability to monitor bandwidth, firewall use and VPN sessions has been simplified with the use of a security information and event management (SIEM) platform. The increasing flexibility of SIEM tools is especially important the more hazardous the threat landscape becomes. This latest eBook from SC Magazine surveys the SIEM landscape and digs into several actual use cases to examine the benefits and challenges faced by enterprises and the security teams running SIEM implementations.
Security experts agree that the health care industry is currently trying to digest a variety of data security and related laws, regulations and guidance. Adhering to standards is one thing, securing the infrastructure so that data leakage is thwarted is an entirely different ballgame. Many security tools are available to make the task easier, but appliances and software are only the beginning. Educating the workforce to be vigilant about security is another key ingredient. This latest eBook from SC Magazine examines specific ways that health care facilities - ranging from small clinics and medical offices to large, regional medical centers - can protect themselves from data losses due to cyber attacks, negligence and internal threats.
Cyberespionage attacks have been going on for years, although they haven't received much public disclosure or attention. But, an attack on Google and several other large companies early in 2010 changed that for the American multinational corporate stage. The so-called Aurora breach brought attention to the use of computers to invade domains anywhere in the world - to gather intellectual property, to jam up network operations, to siphon off financial assets, or any number of other misdeeds. And these efforts are growing. With the low-cost of computing resources, nearly anyone with some technical sense and a will to do harm can participate. To thwart such intrusions, proper risk management and layered security are key factors cited by some experts in this latest eBook from SC Magazine.
Instituting controls on all the data passing through an enterprise is a daunting challenge, even for seasoned security professionals. Getting a handle on transmissions over the network and the precious corporate assets stored in databases has become a lot trickier as more and more data is created and shared. Further, developments which push corporate data outside the perimeter - such as use of mobility technology, external social networking and public cloud services - have heightened the need for data-specific security. The good news is that the C-suite, owing to data breach regulations and penalties, is more aware about the need for diligent security processes, and there are tools available for IT security administrators to assist in encryption and automate logging tasks.
An insurance provider in Massachusetts had basic security measures in place, but these were not enough to be fully compliant with a strict, new state regulation, reports Greg Masters.
Brokerage services provider Aon Corp. found help in streamlining its network operations throughout its global reach into 120 countries, reports Greg Masters.
The virtualization scenario maximizes hardware capacity and eliminates singlepurpose systems, reports Buffy Cranford.
Is a UTM solution right for your enterprise? Many say it depends on whether the multipurpose device can align with your enterprise architecture without drastically slowing network operations. Converged security has found a welcome home among small and midsize companies. But the debate over UTM's fit for larger enterprises rages on.
Even though it boasts of Silicon Valley - a region that many view as the top technological economic center in the country - California's government was far behind most IT innovations and practices of the day. That's when Mark Weatherford arrived as CISO, fresh from a similar position in Colorado. His goal was was to transform the state government into an enterprise organization. To achieve this, his first order of business was to establish California's first official IT security strategy. Standardizing IT operations statewide came next. Weatherford, industry observers say, has proven his proficiency in pushing security forward in state environments where many other CISOs give up.
Barack Obama appealed to many in the information security industry when, during his campaign for president, he addressed cybersecurity issues. Once elected, however, the wait began for substantive action. Then, in December 2009, Howard Schmidt, a well-known and long-time player in the information security marketplace, was appointed to the position of cybersecurity coordinator, reporting to President Obama. Most in the industry applauded the move, but given false starts and stops by the government on cybersecurity initiatives in the past, others wonder if passing months will see more of the same lurches and stumbles.
Raymond James Financial found itself needing to upgrade its network to better protect the integrity of transactions with customers, as well as its internal activities. The financial services holding company needed a solution that could better monitor its internal configurations against in-house and a number of regulatory requirements. Knowing that firewall policies have a tendency to become "swiss cheese" over time, and driven by the need for accuracy, reporting and cost, its IT team began assessing products and services from all of the major players in the space. It found a winner that could maintain overall diligence.
Financial services organizations have more than their fair share of regulatory mandates with which to comply. CSOs and their bosses are scrambling to ensure their companies have a handle on these, yet it is difficult to determine just which mandates are the most important. But, the cost for not complying, in terms of brand reputation as well as fines and penalties, is too great to ignore.
The cloud evolution is proceeding at a rapid rate, despite concerns over privacy, compliance, power outages and complexity. The cost-savings can be substantial and the convenience of outsourcing data storage needs is too alluring to pass up. Yet, say experts, if you are assessing a move to the cloud, there are a number of factors that need to be considered for a smart migration. To help you make informed decisions, the cloud landscape is thoughtfully examined in this latest eBook from SC Magazine to give a big picture view of all the issues involved in transitioning enterprise operations to cloud computing.
Cybersecurity at the federal level requires an evolution, one that shifts from a compliance-based security focus to one centered on security operations and monitoring. As the Obama administration pushes for legislation, federal CIOs and IT security specialists are rethinking strategy and layering in the technologies needed to fortify the nation¹s digital defenses. It is a difficult and challenging problem, and many things will contribute to the overall solution set, but with the federal government budgeting $80 to $90 billion this year on IT, and several large-scale initiatives in place, such as the DNSSEC standard, many experts have cause for optimism.
Following President Obama's call for generating savings in the federal budget by taking advantage of the cost-savings from using cloud computing, several federal cloud projects are underway, with some already serving user communities. The future of cloud computing in the federal government is bright, say many experts. The move to the cloud can result in significant cost savings, reduced environmental impact, and more efficient access to broadband networks. But, while government agencies hope to be able to leverage public clouds for a variety of applications, many still will need the security of private clouds.
The IT infrastructure of government, military and enterprise bodies needs to keep running after a disaster, reports Stephen Lawton.
Adoption of DNSSEC is gaining steam, says Lauren Price, chairwoman of the DNSSEC Industry Coalition. Dan Kaplan investigates.
New identification and authentication management solutions can help in today's dispersed IT landscape, reports Jim Romeo.
Every organization that maintains intellectual property should be aware of advanced persistent threats, reports Angela Moscaritolo.
Giving back It can be easy to overlook the spirited volunteerism in the IT space, says Jake Kouns of the Open Security Foundation. Dan Kaplan reports.
Like a beast from a 1950's sci-fi movie, rogue security software preys on victim's anxieties: Pop-up ads start appearing on a monitor proclaiming that the computer system has been infected, and the nervous user is told the "problem" can be fixed by downloading what turns out to be a phony anti-virus product. The scam has been around for years and continues to dupe users. But this is not only an annoyance, it may be destabilizing the industry as consumers lose faith in the market for anti-malware products. In this latest ebook from SC Magazine, Managing Editor Greg Masters looks at how rogue AV spreads, what law enforcement can do, what the security vendors are doing, and what effect the spread is having on the marketplace.
Two new federal laws, ARRA and the HITECH Act, aim to do what many say HIPAA has failed to do for the past 14 years: force health care practitioners to get serious about protecting patient health care records. As well, the Obama administration aims to wean health care data off of paper and over to electronic medical records by 2011. Doctors say protection of patient privacy and confidentiality is an integral aspect of their professional practice. However, with budget challenges and lack of security awareness, many health care practices are a long way from compliance. This special ebook from SC Magazine examines how practices around encryption, privacy and security can aid health care practitioners.
An increasing number of individuals, some working on behalf of foreign countries, have the resources to, in a worst-case scenario, manipulate the process control systems that regulate U.S. critical infrastructure systems, causing widespread outages and catastrophic effects. For example, the Supervisory Control and Data Acquisition (SCADA) systems - used to manage electric power generation plants, water systems, oil and gas pipelines, and other systems - are becoming interconnected with enterprise networks, making them accessible from the internet. For this ebook from SC Magazine, we spoke with a number of industry experts to investigate the steps being taken by owners of critical infrastructure to mitigate the vulnerabilities.
Cloud computing is more than a buzzword, it is one of the biggest developments to take place in the security market in 20 years. Many experts agree that the shift presents an opportunity to do security better, but the technology is still a work in progress and cloud computing also introduces new risk to applications, data and the internal data center. This ebook from SC Magazine surveys the pros and cons of this new phenomenon in the security marketplace, eliciting opinions from experts who agree on one main point: data center transformation is here to stay, and will only grow.
SC Magazine's first eBook of 2010 takes an over-arching view of the SIEM marketplace, a sector that is expected to grow to $1.4 billion in 2013, according to IDC. In fact, SIEM is driving overall growth in the security and vulnerability management technology sector, with a compound annual growth rate for the five-year period ending in 2013 expected to reach 16 percent. This special eBook offers case studies and input from several experts on how enterprises can benefit from an automated process that can not only help with log management, event filtering and correlation from multiple data sources, but assist with complex queries for investigations, forensics and analysis, as well as bring companies into compliance with many regulations and industry best practices. And the benefits for IT administrators can be rewarding.
After a number of attacks on the networks within the House of Representatives, legislators got the message: it was time to to begin mandatory security awareness training of all House members and their staffs. Dan Beard, chief administrative officer of the House of Representatives, was tasked with revamping the House's security policies, notably the training of end-users. SC Magazine Executive Editor Dan Kaplan spoke with Beard, as well as a number of other IT experts in similar positions, on the need to educate employees on proper digital safeguards. He found that the human element is the largest security risk in any organization. Technology solutions are one part of the fix, but holding classes is another vital step.
In this latest eBook from SC Magazine, Managing Editor Greg Masters takes a broad look at the mobile market and speaks with a number of experts in the field and a number of vendors servicing the explosive market to examine the challenges and trends taking place in this fast-moving sector.
Cloud computing is more than a buzzword, it is one of the biggest developments to take place in the security market in 20 years. Many experts agree that the shift presents an opportunity to do security better, but the technology is still a work in progress and cloud computing also introduces new risk to applications, data and the internal data center. This ebook from SC Magazine surveys the pros and cons of this new phenomenon in the security marketplace, eliciting opinions from experts who agree on one main point: data center transformation is here to stay, and will only grow.
A new privacy regulation in Massachusetts evokes anxiety for many, but getting in line may prove to be no big deal, reports Greg Masters.
While whitelisting technology, the process of defining which applications can run on a client machine, has been around for 10 years, lately it has gained new buzz. It has become abundantly clear that anti-virus companies are lagging in the struggle to keep up with the rise in malware, a problem that experts say will elevate application whitelisting technology from just a good idea to a mainstream, widely deployed security defense. This ebook from SC Magazine examines the topic, picking the brains of a number of experts in the field to assess the latest developments as technology advances have seen numerous whitelisting tools become available today that have made the solution more flexible and workable for the mainstream desktop environment.
