If you aren't already trying to figure out your mobile device security strategy, you soon will be, says Vicky Ames, former information system security officer at a federal medical research agency.
Mobile threats will soon be used to gain access to personal and business devices, says Sean Martin.
Portable media devices are being used to lift corporate data, but there are tools to defend against this practice, reports Deb Radcliff.
The growth in telework is not as robust as most people think, as managing remote workers and security are big problems. But "secure telework" is possible.
The TJX data breach has made wireless encryption a priority for retailers and other enterprises. Frank Washkuch Jr. finds out why.
John Penrod, CISO of The Weather Channel, discusses how the IT pro can manage business risk.
As the experience of one insurance broker proves, securing mobile devices requires a two-pronged approach.
IT pros need to move fast as RFID and Bluetooth threats move from the drawing board to the real world.
Some retailers are slow to embrace the new objectives required by the payment card industry.
Attacks on the firmware that sits within computers and enterprise networks are closer than you think.
Are multifactor solutions enough to protect today's financial customers?
This month our reviews section is unplugged. We look at security for portable devices, as well as security for wireless systems.
A recent survey of 100 IT managers and CIOs from the financial services, health care, retail, manufacturing and government business sectors shows that despite a torrent of bad press on data-security breaches involving FTP (file-transfer protocol), its use is prevalent and growing.
This is a very special issue to me and the team at SC Labs because it is based on a year of seeing the good and the not so good. We actually saw almost no bad products, so it was a pretty good year overall. It is special for you because it helps answer the question, "If we are going to buy security tools in the next 12 to 18 months, what should we be looking at?"
We handed out crystal balls to several analysts, consultants, professors and CSOs and asked them to answer questions about next year.
The top cybersecurity events of the year.
The end of yet another year sees in this final 2007 edition of SC Magazine our annual roundup of top thinkers, interesting happenings, business developments and criminal acts.
On the hunt for more innovative solutions to holistically safeguard organizations' growing networks, Peter Stephenson pinpoints the product categories and solutions you might consider next year.
Of the classifications we looked at, access control is among the most multidimensional. We defined access control fairly broadly as including identification, authentication and authorization. Network access control — NAC — is a very hot topic at the moment.
All levels of government face critical issues in securing their data - whether shared via the web or through email, USB sticks or IM.
As biometric technologies gain further acceptance, one retailer fights insider theft with fingerprint readers, reports Jim Carr.
Access control is the order of the day for this issue. All of our reviews focus on aspects of access control and management. This, of course, is a key aspect of enforcing the security of the enterprise. We address the topic with two First Looks and two Group Test reviews.
Organizations must catch on to the growing risks of smartphones, PDAs and other mobile devices before it is too late, reports Dan Kaplan.
Here is an update from the IT security industry's boardrooms.
Harry hack: A hacker named Gabriel claimed to have breached the networks of the UK's Bloomsbury Publishing, uncovering the ending of Harry Potter and the Deathly Hallows prior to its release. Experts contended that the claim, posted on hacker websites, was likely a sham, saying that if it were accurate more evidence would have been offered.
In this special section, we look at how the IT security industry works to protect banks and financial institutions and keeps up with the rise of online transactions.
Campus exploit: Hackers exploited an unpatched flaw and a disabled firewall to infiltrate a server at the University of Colorado, Boulder, compromising the personal information of nearly 45,000 students. Attackers exploited a flaw in Symantec's Norton AntiVirus to launch a worm into the server of the College of Arts and Sciences Academic Advising Center, making off with student info.
Just a week after taking home the Rookie Security Company of the Year prize at the 2007 SC Magazine Awards Gala, The 41st Parameter landed an unexpected meeting with an industry heavyweight. Ori Eisen, founder and chief innovation officer at the Scottsdale, Ariz.-based anti-fraud firm, says executives from Oracle who attended the annual awards ceremony were impressed with The 41st Parameter and wanted to learn more about the company after seeing it win.
Once considered a peripheral communication tool used primarily by only some workers, instant messaging (IM) is now feared by many as a security hazard. For many enterprises, the simple solution was to block IM and force employees to use existing email, phone and fax resources. But the evolution of communication channels is leaving that model in the dust.
Years ago, a friend's e-commerce company took a major hit when customer credit card information was stolen from the company database. Everyone initially assumed it was a network security breach — someone had hacked into the database and stolen the numbers. In fact, when the dust settled it was a far simpler heist — a former employee had walked into the server room and lifted the server.
Is endpoint security a more complete solution for corporations than NAC?
Can Google guarantee safe, secure online word processing and spreadsheet collaboration applications to enterprises? While only time will tell, the short answer appears to be yes. Google's new Google Apps Premier Edition — which offers enterprise-focused versions of Gmail, Google Talk instant messenger, Google Calendar, Docs & Spreadsheets, Page Creator, and Start Page via the Web — is really nothing more than software as a service (SaaS), or on-demand offering, popularized by Salesforce.com and others.
Never mind the Fourth of July, New Year's Eve or even his birthday. The occasion George Dolicker celebrated most merrily last year was International Computer Security Day. After all, the 19-year-old annual event marked the day that Dolicker, chief information security officer of computer maker Lenovo, unveiled the company's first home-grown information security program, complete with a comprehensive user education component.
IT security and education: Wireless IT should focus on secure communications rather than secure networks
When you're responsible for securing a wireless network connecting staff and over 23,000 students to resources at a major university — like I am — you see that traditional "hard perimeter" security models no longer apply in today's wireless network.
Is SSL VPN a better choice for mobile email than proprietary solutions?
This month, we continued to see innovative approaches to security in the labs. We concentrated on two areas: reviewer Justin Peltier ran several wireless security products through the test procedures, while Lab Manager Mike Stephenson and I worked on USB security. What we found in both cases was that technologies we thought had matured still are breaking some new ground.
When two 17-year-old Washington, D.C. students used school computers to plan a sexual tryst two summers ago, little did they know a cutting-edge security solution was watching their every keystroke.
Here is a roundup of the latest IT security news included in April's SC Magazine:
The hotel you're staying in is great. It even has a computer center for you to surf the internet or tweak the last of the network diagrams for your meeting in the morning. You open the document on your USB pen drive and within minutes you've completed what you deem to be absolute perfection. A quick print and a save and you're done for the night.
The heyday of massive salaries, extravagant raises and unrestrained bonuses that this industry experienced at the start of the 21st century has long since passed by the information security professional.
Laptop computers get lost and stolen in almost every imaginable, and some not so imaginable, way. Following many well-publicized losses of laptop computers, and calculating the costs to mitigate such an event, encryption is a logical and uncomplicated decision.
Another buy: Symantec announced its intention to acquire enterprise management software provider Altiris in an $830 million deal. The purchase, intended to better Symantec's standing in the endpoint-management market, came as Symantec representatives said that the endpoint security and management markets were converging.
Good luck using the internet these days at Royal Food Service, an Atlanta-based wholesale produce distribution company. Only the company's high-level executives have access to the web's full offerings.
When Verdasys co-founder and CEO Seth Birnbaum was heading up engineering at NeoGenesis Pharmaceuticals, three employees thought they had a foolproof plan to steal drug formula secrets in hopes of forming their own company. "We wouldn't have known anything about it if they didn't order CD-ROMs through our IT purchasing department on the same day," he recalls of the incident, which happened about four years ago. "That's the only reason we interdicted that. We had never even thought this kind of thing could happen."
2006 will be recorded as the year that security breaches reached the consciousness and awareness of the mainstream consumer. Breaches are certainly not a new phenomenon, especially to security professionals. Although events in 2005 all made the headlines, such as the ChoicePoint identity theft that affected 163,000 records, the stolen laptop at the University of California, Berkeley, with more than 98,000 records, and the Boeing stolen laptop with Social Security numbers and bank account information of 161,000 people, the data breach incidents in 2006 occurred at an astounding, costly rate and gained much more media attention.
Virtualization is the Great Hope of data centers and consolidated infrastructures. As software is moved into virtual machines and other exotic vehicles the efficiencies will be massive, enabling greater application density, more flexible server configurations and the ability to cook a turkey at the same time. Consequently, the notion that virtualization might have a role in wireless networks - essentially edge systems - seems counterintuitive and positively turkey-like.
Ever since the emergence of iPod back in 2004, GFI and other experts including Gartner analysts, Ruggero Contu and John Girard have been warning that iPods are a potential danger to the corporate network. Yet, nearly one-third of medium-sized companies remain unconcerned about leaking sensitive data through devices that are highly portable with large storage capacities, according to Osterman Research.
As part of SC Magazine's year-end roundup, the U.S. editorial team compiled lists of the most memorable - and sometimes most outrageous - news to cross your screen this year.
Is implementing network access control enough to secure a LAN?
Long viewed as a major vector for incoming threats such as viruses, malware and worms, laptops are also increasingly seen by organizations as a primary weakness in the fight against the theft, loss and misuse of information. The trouble with mobile devices is that they make your data mobile too, which is the last thing you want for data security. Every night critical, sensitive data leaves the confines of an organization, crossing the firewall and network defenses on the hard drives of laptops stashed in briefcases.
With the ubiquity of the internet, Wi-Fi hotspots and USB devices, the possibilities for unauthorized software on company PCs now seem endless. You are likely plagued by incidents around the clock: spyware such as keyloggers, adware, viruses, trojans, worms, non-licensed software, vulnerable applications and user-downloaded software (sometimes inadvertently). The list goes on and on. Even with the proliferation of anti-virus and anti-spyware solutions, desktops and laptops have become the weakest link in enterprise networks.
Hearing news about yet another lost or stolen laptop and exposure of personal information is almost like having seen too many horror flicks. Shock has shifted to disbelief - plus numb outrage at the apparent inability of corporations and government to protect our private personal data.
Shake-up at McAfee: An internal McAfee probe spurred by Securities and Exchange Commission inquiries has led to a shake-up at the security giant. George Samenuk retired as chairman and CEO, while Kevin Weiss was fired. Board member Dale Fuller took over as interim president and CEO, while Charles Robel, another board member, was named chairman. A special committee's investigation determined that insiders were participating in a questionable stock options practice known as backdating. News of the departures led some analysts to conclude that McAfee is ripe for acquisition. Fuller said: "All options are on the table."
No one questions that email is universally adopted. It is in the mainstream. And despite the huge advantages of personal and corporate productivity, the open nature of the internet has made email vulnerable to interception and even alteration by malicious parties. As the risks to the privacy and security of email messaging have grown, so have efforts to protect it.
Today's workforce is more efficient than ever, utilizing communications and storage devices that make the transfer of information fast and convenient. However, the time these tools save can be lost as a result of the data security risks the devices pose for the companies that use them.
The recent controversy at this year's Black Hat conference highlighted a growing trend in vulnerability research and reporting — the inability of some to make a distinction between technically interesting, novelty attacks versus real threats.
The mobile, wireless world in which we now live has created a shift in the focus of venture capital investments in security technology. Today's investors tend to target technology that directly protects people and information, a marked change from a few years ago when the focus was the protection of corporate computer systems as a whole.
San Francisco. Houston. Philadelphia. Annapolis. Step into any of these cities in the near future and you should be able to check your email, chat with friends, or surf the web wirelessly. But how safe will your experience be with municipal wireless local area networks (WLANs) as you connect to the web in a car, office building or the middle of a park?
At the Pacific Northwest National Laboratory (PNNL), the name of the game is discovery. This Department of Energy multidisciplinary lab in Richland, Wash., has scientists working in an open environment on projects that range from mathematics to physics to genetics.
A big part of what we do here in the research group at Exploit Prevention Labs involves studying the behavior and distribution of malicious websites, and it's really interesting, as we poke around the web, to see different patterns come to light.
Feds: Improve security. Federal agencies worked against an August deadline to implement improved security controls designed to better protect the private information of U.S. citizens in the hands of government officials. A memo on the sweeping changes was sent out in late June by the White House's Office of Management and Budget. OMB said it will work with inspectors to ensure agencies are in compliance. "We intend to work with the general community to review these items to ensure we are properly safeguarding the information the American taxpayer has entrusted to us," OMB Deputy Director Clay Johnson III said in a memo.
Ask IT security experts to forecast the future of mobile device security, and their crystal ball might become a little murky — possibly because of looming storms on the horizon.
Nothing says "good fortune" louder than the clatter of coins cascading into the winner's tray of a slot machine. But these days that jangle is nothing more than set dressing. Instead of bucketfuls of quarters, lucky gamblers are rewarded with the pre-recorded sound of falling coins and a printed voucher for their booty.
Can CISOs and CSOs make a difference in the companies for which they work? Can they shape a successful IT security program that promotes a flourishing, trusted and respected business? And, in the end, does it really matter if a company has a lead professional in place to oversee and usher in IT security practices, or can a company do without yet still maintain a strong IT security posture that begets consumer and investor confidence?
A dedicated federal civil servant took work home. Unfortunately, the federal agency he worked for had not taken easy steps to make that practice safe and secure. Thus, when a neighborhood gang of thieves broke into his house and stole the laptop, identity information about millions of veterans and members of the armed forces was potentially compromised. It was a typical Washington story, typical because no one suggested doing anything to solve the real problem revealed by the incident. It reminded me of the two giant paintings in the piazza in Siena, Italy. One image is of dysfunctional Bad Government, the other of progressive Good Government.
Tarron Weir and Joseph Raquel might well be "poster boys" for the Secure Sockets Layer (SSL) virtual private network (VPN) movement. In fact, their experience with the latest in secure remote-access technology more or less epitomizes what's going on in the VPN marketplace right now.
There's yet another IT security bandwagon onto which any number of vendors are jumping. And, whether companies refer to it as network access management (NAM), network access control (NAC), or network access protection (NAP), the main question is: Who has the real deal?
If I say the word security to you, what comes to mind? Do you think of the access card keys that allow you into your buildings; firewalls to protect your IT infrastructure; or cameras to monitor facilities? Perhaps you think of how to protect the data on your laptop if it is stolen.
Wireless local area network (WLAN) technology was deployed at Mount Allison University to enhance on-the-go productivity of our students, faculty, staff and administrators. Whether it's conducting research, exchanging ideas or gaining access to useful operational information, campus users can now perform such functions in real-time without breaking stride from their daily routines.
SC Magazine Articles
- State breakdowns: Anthem breach by the numbers
- Malware on Lime Crime website, payment cards compromised
- Florida law enforcement docs show widespread stingray use, secrecy
- After Superfish-Lenovo incident, Facebook probes larger issue of SSL-sniffing adware
- Botnet of Joomla servers furthers DDoS-for-hire scheme
- Carbanak APT campaign made off with $1B from banks globally
- BMW issues security patch for bug allowing attackers physical access into vehicles
- NIST requests final comments on ICS security guide
- Disconnect yawns between CISOs, exec leadership, study says
- Natural Grocers investigating unauthorized access to POS systems
- Proposed Consumer Privacy Bill of Rights Act doesn't go far enough, critics say
- Data at risk for about 50,000 current and former Uber drivers
- North Carolina credit union notification says laptop containing data missing
- Skills in demand: Application security engineers