Security analytics company Interset wants to change the way IT pros think about security and bring the concept of reputation-based security scoring to a broader market, with the Interset Behavioral Analytics Engine. The offering can be best described a...
Interset Brings Reputation Scoring to the World of Insider Threats
↧
↧
PCI DSS Moving Security Ahead in 2016
Improved guidance on how organizations can comply with requirement for continuous monitoring and logging is on tap for this new year.
The Payment Card Industry Data Security Standard (PCI DSS) is one of the key components of security compliance, and it's set to improve in 2016. Among the areas of PCI DSS focus for the new year will be improved guidance on how organizations can comply with requirement for continuous monitoring and logging.
"The PCI DSS is a mature standard that has proven highly effective wherever it is adopted and used," Jeremy King, international director of the PCI Security Standards Council (PCI SSC), told eWEEK.
For PCI DSS to be effective, organizations must make security a priority and vigilantly maintain the standard's security controls at all times, King said. He added that it is only when organizations integrate people, processes and technologies, working together around the clock, that they really raise the bar on cardholder data security.
"PCI DSS is not just a once-a-year tick box exercise," King said. "Once that thinking is built into the DNA of a company, then they are where they need to be."
Among the many ways that security is integrated as a best practice in daily operations is through the use of continuous monitoring and logging. PCI DSS requirement 10 is titled "Track and monitor all access to network resources and cardholder data" and is among the most challenging components for compliance.
"Logging applications and systems is one of the fundamental best practices for information security," J. Andrew Brinkhorst, director of product management, Global Compliance and Risk Services, at Trustwave, told eWEEK. "It's essential to have logs that can provide information during or after an event in order to determine what's happening, or has happened."
In Brinkhorst's view, the challenge, not just for PCI DSS compliance but for good security overall, is knowing what systems, applications and events need to be logged. For a large organization, he said, logging at a level to be compliant with the PCI DSS specification can be overwhelming, as it likely requires capturing and retaining logs for many types of events, over many systems, and retaining them over a fairly long period of time.
"In a large organization, that likely means a complex system with a significant capacity, and the expertise to know what to log and how to effectively monitor it," Brinkhorst said. "That can be a real challenge for organizations that don't specialize in information security and is a reason companies might choose to outsource that aspect of their environment."
According to David Picotte, manager of security engineering at Rapid7, PCI DSS requirement 10 is and always has been a challenge for merchants. In Picotte's view, many organizations struggle with the sheer volume of log data being gathered, understanding what to alert on, and how to correlate multiple alerts into an indication of compromise (IoC).
"The challenge with the entire PCI DSS standard is that administrators often do the bare minimum to meet the requirement, interpreting to their advantage due to limited resources and time constraints," Picotte told eWEEK. "They should instead be looking to get value out of their logging process."
Merchants should work under the assumption that they will be breached, Picotte said. With that perspective in mind, logging can serve to detect a breach and help an organization react quickly to minimize impact.
Rob Sadowski, director of marketing at RSA, The Security Division of EMC, also emphasized the importance of logging and getting pervasive visibility into infrastructure that handles payment data.
"The challenges we see with requirement 10 are not necessarily meeting the letter of the requirement but complying with its intent," Sadowski told eWEEK. "It is not enough to simply collect logs and other data from the environment; it's about regularly reviewing the data collected to spot signs of compromise and then rapidly responding based on what's found to minimize damage or loss."
The PCI Security Standards Council is aware of the challenges that some organizations face in complying with the requirement 10 logging provisions of PCI DSS. King said it's an area PCI SSC is tackling with supporting guidance that will be enhanced this calendar year. To help organizations with this requirement, the council has created the special interest group called "Effective Daily Log Monitoring," he said.
"This special interest group will provide guidance and techniques to improve daily log monitoring to meet PCI DSS requirements, including available tools and examples/evidence from recent breaches," King said. "The 'Effective Daily Log Monitoring' group is working to finalize the Information Supplement and targeting publication in 2016."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
↧
Google’s First 2016 Android Update Fixes a Dozen Flaws
Google rated five of the 12 vulnerabilities as critical. Once again, flaws emerged in Android's much-maligned mediaserver.
Google came out with its first Android security patch of 2016, and it's fixing some fa...
↧
Hackers cause Ukrainian power cut – a reminder cyber attacks will become more dangerous in 2016
Ukrainian power outage 'sparked' by email-borne malware makes Ashley Madison hack seem trivial
↧
What Key Data Breach Trends Portend for Enterprise Security in 2016
As we return to our routines at the outset of the new year, it's a good time to reflect on the past year in enterprise security, to see if we've learned anything and to take a look at what lies ahead. The last 12 months saw a continued wave of data bre...
↧
↧
IT Security in 2016: Look Back, Not Forward
NEWS ANALYSIS: IT security in 2016 shouldn't be about trying to figure out what's coming next, but about dealing with issues that exist now.
At the beginning of every new year, vendors and tech pundits alike look ahead to what's next for IT security. While I understand the need to do so to help identify coming threats and emerging trends, the simple truth is that for the vast majority of IT users (and people reading this column), emerging threats are not the primary risk—rather, it is existing threats that should be the prime concern.
Cyber-crime is a business and, like most modern businesses, speed of infection and economies of scale are critical to success. That's why exploit kits, be it Angler, Rig or otherwise, were popular in 2015 and will be popular for years to come. With an exploit kit, a would-be attacker gets access to a bundled package that enables easy exploitation of users. An exploit kit is not a one-off tool, but rather is intended for mass exploitation. The path to that exploitation, more often than not, is a vulnerability that has already been patched by the impacted software vendor.
Just because a software vendor has issued a patch doesn't mean a vulnerability isn't still being exploited. Take your pick of industry studies that report on patch rates, but no matter which report or statistic you look at, the vulnerability patch rate in 2015 (or any year ever) has never been 100 percent—or anywhere near that. End-user patching is a nontrivial concern and a significant challenge. The patching challenge isn't a new trend for 2016, and it wasn't a new trend in 2015 or 2014, but it's the root cause of a large volume of breaches in any given year.
To be fair, the challenge of patching will be easier in 2016 than it was in past years. It is now an increasingly common best practice for many operating system and application vendors to provide automated update mechanisms. Among the best examples is Google's Chrome browser, which by default provides automated updates. Adobe's Flash and Acrobat Reader also provide automated updates, as does the popular open-source WordPress content management system.
Other technologies, including operating system vendors like Microsoft with Windows and Apple with OS X and iOS, do not have automated updates by default, but they all try to inform users in a clear manner when it's time to update.
There are, however, many applications that don't have automated update systems and aren't properly integrated with operating system-level notifications. The issue of integrated updates is simplified in some cases through the use of app stores; for example, OS X, iOS and Google Play provide users with a single interface to update apps. The same is true with Linux servers and desktops for users who install packages from their Linux distributions software repositories.
With non-automated updates, it is incumbent upon the user to check to see if an update is available. That's not a new challenge, and it's one that will continue to be a risk in 2016.
What never ceases to amaze me, though, is how often I find outdated software (even on my own systems sometimes) that somehow evaded automated updates or my own semi-regular update checks.
The issue of updating isn't always about user inaction either. A real risk in the mobile world today is unsupported Android phones that no longer get security updates from handset vendors. A further risk comes from Android handset vendors that aren't keeping up with the new monthly update cycle from Google. In the last six months alone, Google has issued 93 patches for different security vulnerabilities. While Google has made all of the patches available to its handset partners, not all of those vendors have in turn issued timely updates to all impacted devices.
So to recap, there are myriad vulnerabilities disclosed in any given year across desktop and mobile operating systems and applications, and not all of them are patched by users. The result is a vast orchard of low-hanging fruit that attackers can seemingly pick off at will with exploit kits. That's not a new trend for 2016, but it is an unpleasant truth.
Another unpleasant—and persistent—truth in IT security is that the weakest link is often the user password. Again, not a new trend, but one that has existed since the dawn of modern IT. What has changed in recent years is the increasing use of two-factor authentication (2FA) systems to provide a second layer of protection. As I've said many times to many groups of people, no one would live in an apartment in New York City and only have one lock on the door, so why would you secure your online account with a single password?
Often, attackers in a database breach walk away with usernames and passwords. For those accounts that have 2FA, the information isn't nearly as useful and the risk is reduced. This is a lesson not new to 2016, but it is one that needs to be relearned year after year.
The other large concern for IT security in 2016, as it was in 2015, 2014 and for more than a decade, are common classes of vulnerabilities. On the server side, the ancient issue that continues to yield data breaches is SQL injection. With SQL injection, an application doesn't properly perform input validation for a database. There are many tools that organizations use to scan for SQL injection, and the fix is often a few simple lines of code.
Certainly, there are new zero-day threats that do emerge, and no doubt a few will show up in 2016. But when it comes to breaches, my humble prediction is that the vast majority in this calendar year will come from known issues that can be mitigated.
When looking at IT security in 2016, don't shy away from learning about new threats, but don't forget to first look at existing risks.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
↧
Brazilian Cyber-crime Flourishes, Catching Up to Russian, Chinese Groups
Studies of cyber-crime in Russia, China, Brazil and other nations find that each has its strengths.
Computer education in public schools, lightly enforced computer crime laws, and a deep divide between the haves and the have-nots have resulted in a vibrant cyber-criminal underground in Brazil, causing significant troubles for Latin American law enforcement agencies, according to research published on Jan. 5 by security firm Trend Micro.
The report, part of a series profiling criminal undergrounds in different countries, placed Brazilian cyber-criminals just behind those in Russia and China in terms of technical expertise. And, because of their focus on financial crimes, Brazilian cyber-criminals are second only to those from Russia in their ability to attack banks and other financial institutions, Tom Kellermann, chief cyber-security officer at Trend Micro, told eWEEK.
The cultures are different, however. Where both Russian and Chinese cyber-criminals have a complex relationship with their governments, Brazilian cyber-criminals are more likely to thumb their noses at officials, he said.
"The Brazilians are much more brazen and they act like Robin Hood, stealing from the rich and giving to themselves, with minimal operation security," Kellermann said.
The report on the Brazilian cyber-criminal underground is the sixth study that Trend Micro has released on the developing technical capabilities of criminals in different countries.
While many of the basic skills developed in each country are the same, there are regional differences. Japan's hackers are focused on forging documents and access to and exchanging information, while Germany's underground is strong in encryption and operation security. The U.S. underground focuses more on providing illicit goods, and while Russia and China are known for their espionage attacks against U.S. systems, their cyber-criminals are more focused on financial crimes and the creation of criminals tools, such as credit-card skimmers, respectively.
"The Russians have essentially created an alliance with the government," Kellermann said. "You need to act patriotic with your activities. If you do have a footprint on a system that is worthwhile, the understanding is that you will share that with the regime."
In many ways, Brazilian operators mimic the techniques and methods of Russian hackers, because they have a lot of shared history, Kellermann said.
"Brazilian operators used to be the consumers of the developers from Russian underground cyber syndicates until three or four years ago, when they started using more homegrown tools," he said.
Brazilian developers—those who make the malware—and operators—the people who use the tools—still emulate the tactics of the Russian underground. Russia has the most sophisticated attacks on financial systems, with Brazil taking second, Kellermann said. In the third quarter of 2015, about 5 percent of banking trojans were detected in Brazil.
The improvement in their techniques has led to an uptick in cyber-crime in the Latin American region, Kellermann said.
"We were told by the major Latin law enforcement agencies and CERTs [computer emergency response teams] that the most trouble was coming from the Brazilian underground, but [in addition] the Brazilian developer community was enabling the criminal syndicates in their own countries," he said.
A popular service in the underground are training videos and courses to teach would-be hackers the techniques and technologies necessary to conduct crimes. Brazil's cyber-criminals are also focused on using ransomware and creating Android malware, according to the report.
↧
Microsoft is ending support for Internet Explorer 8, 9 and 10 next week
You have until Tuesday to get on 11 or Edge
↧
Ultra Payment’s PayGate Payment solutions now conform to the latest Bacs connection and SHA-2 Internet protocols
Available to customers at no extra cost ahead of the 1 June deadline.From 1 June 2016, Bacs withdrawal of support for older connection protocols, together with changes to internet security, could affect access to the services which are used for collecting Direct Debit or making Bacs Direct Credit payments.Letchworth, UK (January 6, 2016) Ultra Payments (formerly Barron McCann Payments), a business unit of Ultra Electronics, is pleased to announce five months ahead of the deadline that its PayGate Payment solutions now conform to the latest Bacs connection protocols and upcoming internet security and browser changes. All existing customers of Ultra Payments will receive the upgrade at no cost as we continue to move to a no end-of-life policy across its product range. Bacs direct submitters that are not Ultra Payment customers should contact us to discuss migrating to a payments solution with no end of life guaranteed, that is tested and ready to deploy in readiness to meet the 1 June 2016 deadline. PayGate is available either as a cloud-based payment gateway, a hosted and managed Enterprise solution or on premise solution for direct submitters; migration can be accomplished easily and quickly with minimum disruption and cost.Why is the change taking place?A new and more sophisticated level of internet security, known as SHA-2, is being adopted by the likes of Microsoft and Google. Organisations that use Bacs to collect or make payments, including paying salaries and pensions, should ensure they can accommodate these changes. Failure to do so could result in being unable to access Bacs’ services after 1 June 2016. At the same time as this change is being made by the internet community, Bacs will withdraw support for older connection protocols to provide even more protection for the communications pipeline between the internet-based service access points, Bacstel-IP and the Payment Services Website, and the service user. After 1 June 2016, only TLS 1.1 and 1.2 will be supported. It will not be possible to access Bacs via Bacstel-IP or the Payment Services Website after 1 June 2016 if service users do not have in place a web browser, operating system, and if used, a Bacs Approved Software Solution that support these changes.Nick Newman, Ultra Payments Business Manager, said “Our goal is to provide the best Payments solutions to our customers with no end-of-life. The solution we offer has recently been expanded to incorporate BACS, Faster Payments, SWIFT, SEPA, NACHA and other payment methods. In addition we have been adding some new features including Direct Debit Management System (DDMS). We will continue to respond to the needs and requests of our customers as our first priority.” # ENDS #About Ultra PaymentsUltra Payments specialises in the development and supply of strategic payment processing software, data validation and services to support automated banking and e-commerce.Robust design with security pedigree ensures that Ultra Payments’ products are fully scalable, highly secure and capable of accommodating any level of transaction processing. Ultra Payments’ commitment to customer quality extends from development using over 30 years of expertise to class-leading technical support and renowned data integrity. Ultra Payments is a business unit of Ultra Electronics, an internationally successful security & cyber, defence & aerospace, transport & energy company with a long, consistent track record of development and growth. For more information, please visit http://www.ultra-payments.com/payments-services/security.aspxEnquiriesJohn Bailey, Marketing Manager +44 (0) 208 813 4738Spencer Callow, PayGate enquiries +44 (0) 1462 483 333PayGate is a trademark of Ultra Electronics LimitedSource: RealWire
↧
↧
Linode Resets Passwords as DDoS Attacks Continue
The cloud hosting provider forces users to change passwords after an unauthorized log-in is detected.
Linode is having a rough start to 2016. The cloud hosting provider has been suffering from a series of distributed denial-of-service attacks that were first reported on Dec. 25, impacting multiple Linode data center locations, including Dallas; Atlanta; Newark, N.J.; Fremont, Calif.; Singapore; Frankfurt, Germany; and London. Adding to Linode's woes, on Jan. 5, after an unauthorized access was discovered, the company informed its customers that they all need to reset their passwords.
The Linode status page provides a running tally of the ongoing attacks and Linode's attempts to mitigate to the issue. The company optimistically wrote on Dec. 26 that "the attacks have subsided for long enough that we believe this incident can be considered resolved." Unfortunately for Linode and its customers, attacks have continued against various pieces of Linode's global footprint.
"Over the course of the last week, we have seen over 30 attacks of significant duration and impact," Alex Forster, network engineer at Linode, wrote. "As we have found ways to mitigate these attacks, the vectors used inevitably change."
As Linode worked tirelessly to mitigate the DDoS attacks, it also discovered unauthorized access into three user accounts. A security investigation into the unauthorized access turned up another disturbing detail—that an external machine had a pair of Linode user credentials on it.
"This implies user credentials could have been read from our database, either offline or on, at some point," Linode warned in a status update. "The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds."
To mitigate the risk of a user database breach, Linode is triggering a password reset for its users. At this point, Linode is not aware of any link between the potential user access breach and the ongoing DDoS attacks.
"We have not been contacted by anyone taking accountability or making demands," Linode stated. "The acts may be related and they may not be."
Security experts contacted by eWEEK had mixed views about the Linode security incident. Scott Petry, co-founder and CEO of Authentic8, said Linode has had security-related issues in the past.
"They had a similar database breach in April of 2013 that forced a password reset for all their users," Petry told eWEEK. "So I guess the thing that surprises me is that they're still having these issues."
Justin Harvey, chief security officer at Fidelis Cybersecurity, is taking a positive spin on the incident, in terms of how Linode is communicating to its users about what is happening. "They [Linode] shared a lot of information and as an external observer, they're doing all the right things: being upfront about the issues, exposing their thought process and offering up the plan," Harvey told eWEEK. "This is a great example of how it should be done."
↧
Mass surveillance and bulk data collection won’t prevent terrorism, warns ex-NSA director William Binney
Binney tells Joint Committee of MPs and Lords that targeted surveillance, not bulk collection, could've prevented 9/11
↧
Exploiting Silent Circle’s Secure Blackphone
The highly secure device could have been exploited, were it not for the responsible disclosure by a security researcher.
Any modern device is made up of multiple hardware and software components, any one of wh...
↧
Cisco Security Researchers Disrupt RIG Exploit Kit
The popular exploit kit, which enables attackers with packaged vulnerabilities to infect users, is still out there, but new efforts are helping curb its growth.
The RIG exploit kit is under attack, thanks to the efforts of Cisco's security research group. Among the most popular exploit kits, RIG enables attackers with packaged vulnerabilities to infect users.
Cisco monitored the operations of the RIG exploit kit and discovered that two primary service providers out of Russia were hosting much of the operational infrastructure. Cisco contacted both service providers about the issues and got a mixed response. Webzilla, which was hosting a large number of RIG-related traffic, responded positively and shut down the offending hosts. However, Eurobyte did not respond to Cisco's pleas and has not shut down any RIG traffic.
"As servers were reported or shut down by Webzilla, hosts continued to pop up from Eurobyte¹s address space," Nick Biasini, a threat researcher in the Cisco Talos Security Intelligence and Research Group, told eWEEK. "This appears to still be the case."
Cisco is not sitting idly by while Eurobyte continues to serve up RIG-related traffic, though. Eurobyte address space that is known to be hosting RIG-related traffic is now being blocked by Cisco across multiple Cisco technologies, including its Advanced Malware Protection (AMP) and OpenDNS services. According to OpenDNS' own analysis, there are approximately 25,000 domains hosted by Eurobyte that are associated with RIG.
Going a step further, Cisco has launched a new effort called Project Aspis to help report issues to service providers. Biasini explained that the project's name is derived from "aspis," a heavy wooden shield used in Ancient Greece.
"Cisco will do everything possible to encourage providers to remove threats from their network, including, in the case of Project Aspis, direct support," Biasini said. "Aspis is a way for providers to have a reliable and trusted resource, which helps them to protect their network and improve security of all users by providing intelligence that can be leveraged and shared publicly."
RIG isn't the first exploit kit ring that Cisco has disrupted. In October, Cisco helped to impede the operations of the Angler exploit ring, which was affecting up to 90,000 victims per day.
Beyond just trying to help shut down RIG, Cisco's Talos research group spent months learning how RIG works to infect users. Cisco has now published a comprehensive report on its findings about how RIG works. The primary exploit used by RIG is CVE-2015-5119, an Adobe Flash vulnerability that Adobe patched in July 2015. Cisco isn't the only group that has identified patched Flash vulnerabilities as RIG's primary exploit. A review of the RIG 3.0 exploit kit by Trustwave in August 2015 came to the same basic conclusion.
While Flash is the vulnerability of choice for RIG today, that might not be the case in the future, as the exploit kit will likely continue to develop over 2016.
"[RIG] will change and evolve like other exploit kits and will likely move away from Eurobyte to another provider or providers," Biasini said. "Additionally, as more browsers and users move away from Flash, the exploit kits are likely to follow that trend as well."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
↧
↧
Software Security Startup SourceClear Names New President
SourceClear, a developer code security vendor, is ramping up for 2016 with some new efforts and a new president.
Jim Morrisroe, newly named president of software security startup SourceClear, worked at the dawn of the modern unified communications and cloud eras and is now keen to lend his management talents to the world of security—which he said he considers the most pressing needs in technology today.
The vision for SourceClear, founded in 2013, is to enable organizations to use open-source code securely.
Morrisroe was previously CEO of OpenStack Piston Cloud Computing, which Cisco acquired in June. Prior to Piston, Morrisroe was at messaging vendor Zimbra, which Yahoo acquired in 2007 and then sold to VMware in 2010.
Morrisroe will report to SourceClear founder and CEO Mark Curphey, whose background includes working at Foundstone, a division of McAfee, where he helped build tools and services to enable security.
SourceClear is an online platform that connects into an existing development pipeline, Curphey said. As such, SourceClear can integrate with continuous integration and deployment technology to identify potential risks as part of a DevOps workflow.
With open-source code libraries, developers can potentially use code in their own applications that hasn't been updated and has known vulnerabilities. That's one of the use-cases for the SourceClear service, which can check to see if the code a developer is using in an application has known vulnerabilities.
SourceClear is also able to identify non-publicly disclosed vulnerabilities, Curphey explained, adding that the company has developed technology that can identify patterns in software that can be indications of a potential vulnerability. There are often more unknown vulnerabilities in source code than issues that have already been publicly disclosed, he said.
There are multiple challenges with discovering unknown vulnerabilities that have not yet been publicly disclosed. SourceClear is in the process of determining how it should be reporting issues to upstream projects in a way that doesn't jeopardize users or potentially empower attackers, Curphey said. The risk is that if SourceClear's service is able to identify a vulnerability that isn't publicly known that, if leaked, that vulnerability information could potentially be weaponized by an attacker.
Today, SourceClear works with Java, Ruby and node.js, with goals to have Python coverage in the coming weeks. Morrisroe said that the plan is to have a set of announcements in the first quarter of this year to help fuel the developer momentum.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
↧
Keep Hillary Clinton in Mind When Enforcing Email Security Policies
NEWS ANALYSIS: Regardless of your politics, there are plenty of reasons to think of Hillary Clinton and U.S. Secretary of Defense Ashton Carter as poster children for bad email security.
Here it is nearly a year after the disclosure that former U.S. Secretary of State Hillary Clinton, currently seeking a new job, had violated a series of regulations about the use of government email and we're still seeing more damaging revelations.
Compounding the issue are recent reports that current U.S. Secretary of Defense Ashton Carter used his personal email account after he took office, even though he knew it was wrong. Why can't high government officials follow clearly-established policies for email security and preservation?
Ms. Clinton has claimed various excuses as to why she didn't use government email channels saying that it was more convenient to use her own, or that all of the other secretaries were doing it, or that she didn't use it for classified information, anyway.
Subsequent revelations have shown her claims to be inaccurate, but I'll leave it at that. Mr. Carter, who says he knew better, apparently used his personal email for expediency, because it was on his iPhone.
As entertaining as this political reality show may be in Washington, you really don't want your company to be like that. You especially don't want to find out that your key employees are carrying sensitive company information around on their personal phones, and you don't want to find out that information that's subject to compliance regulations is somehow showing up on Gmail.
This means that you need to examine your own email practices, and your company's practices and policies. In addition, you also need to pay attention to what your employees are actually doing and, if you see them violating your company email policy, you need to take corrective action.
Your company should have a communications policy in place. If it doesn't, it should set one up soon. If you really don't care where your company data goes or who has access to sensitive internal information, then you don't need a policy. But you might need a lawyer, sooner rather than later. While you have to decide what will work for your company's culture, there are a couple of things to keep in mind.
First, you need to reflect on your company's exposure to regulations for data protection. If you handle sensitive information that belongs to others, whether it's credit, health, financial or any other type of data that's subject to compliance rules, then you will need an email policy, and it needs to satisfy those compliance requirements. It needs to be in writing and it needs to be enforced.
Second, if your company has other sensitive information in the form of customer lists, inventory, trade secrets or personnel files, then you need a policy. While the loss of some of those items may not be illegal, it could cost you your business. The loss of sensitive personal information could attract the worst possible type of attention from unfriendly lawyers.
Third, every business handles money, usually lots of it that you need to keep safe—otherwise, you won't have any.
↧
Datum showcases its business critical data centre service to the Public Sector
FARNBOROUGH – 11 January 2016 – On Tuesday 12 January, the 2016 Government ICT conference will take place within the QEII Centre in the heart of Westminster. This long standing event brings together technology and business change leaders from Central Government, Executive Agencies, Non Departmental Public Bodies, Local Government and the wider public sector to discuss major IT infrastructure and digital service transformation projects throughout central and local government. Conference delegates will have the opportunity to meet with industry leading solution providers capable of supporting different elements within the digital services strategies. One such provider is Datum Datacentres, sister company to leading UK managed service and cloud platform provider, Attenda. As a supplier to public and private sector organisations who place high value on the stringent security and resilience, Datum Datacentres will be showcasing their business critical data centre co-location service. Sited within the List-X Cody Technology Park just outside the M25 in Farnborough, Datum’s highly resilient, ultra secure and accredited data centre is conveniently located 35 minutes from London Waterloo and with easy access to the UK motorway network. Datum Farnborough is carrier and cloud neutral and connection-rich with latencies to the City of less than a millisecond. For organisations looking to maximise the value of their digital strategies, Datum’s data centre supports hybrid compute and connected DR, and delivers always-on availability and high power densities backed by enterprise class service. Part of the Attenda IT Services group, Datum is trusted by public and private sector clients within sensitive areas such as defence and security as secure environments for content, data and business critical IT to connect with a neutral choice of networks and cloud service providers.About DatumDatum Farnborough (FRN1) Key FeaturesStrategic, London-edge, secure campus LocationPressurised free cooling providing Leading-Edge Environmental EfficiencySLA backed 100% Power AvailabilityEnhanced, Government-grade SecurityDynamic & Flexible support for High-Density deployments (up to 30kW per rack as standard)Carrier & Cloud NeutralComprehensive Accreditations including ISO 9001, ISO 27001:2013, ISO 50001, PCI DSS, DCA Class 3 Fully Operational, EU Code of Conduct for Data CentresHighly Resilient infrastructure design & operations to support business critical ITwww.datum.co.ukPress Contact:Lexie GowerT: 0845 5680123E: lexie.gower@datum.co.uk Source: RealWire
↧
Planview Top Rated for its Cloud Security by Skyhigh’s CloudTrust™ Program
Reading, UK, – Jan. 11, 2016 – Planview® has been awarded the Skyhigh CloudTrust™ rating of enterprise-ready for Planview Enterprise, its solution for portfolio and resource management. Skyhigh Enterprise-Ready cloud services fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices and legal protection. “As Planview Enterprise is implemented at the core of the business, data security is an absolute top priority for us,” said Planview Chief Information Officer Jerry Sanchez. “The Skyhigh CloudTrust™ rating of enterprise-ready is a valuable proof point which eases the evaluation and process for our customers.”Skyhigh identifies and classifies cloud services and provides an objective and detailed evaluation of the enterprise-readiness of each cloud service based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). The evaluation spans five attribute categories for: data, user and device, service, business and legal.“Companies seek enterprise-ready services such as Planview Enterprise, but vetting the capabilities and policies of a provider consumes a great deal of time and resources,” said Kamal Shah, vice-president of products and marketing at Skyhigh Networks. “The Skyhigh CloudTrust Rating™ shortens the evaluation process from weeks to hours by offering an objective, holistic assessment of a service provider’s security capabilities and enterprise readiness."Planview’s project collaboration and work management solution Projectplace has previously been rated as enterprise-ready. About the Skyhigh CloudTrust™ Rating The Skyhigh CloudTrust™ Rating provides an objective and comprehensive evaluation of a service's security controls and enterprise readiness based on a detailed set of criteria developed in conjunction with the CSA. Because Skyhigh produces the most extensive, current and credible trust ratings for cloud services, enterprises rely on the Skyhigh CloudTrust™ Rating to inform both decisions and policy pertaining to the use of cloud services in their environment. For more information, visit: http://www.skyhighnetworks.com/cloud-trust-program/ For more information:Charlotte HansonAscendant Communicationschanson@ascendcomms.net 020 8334 8041About Planview Planview enables organizations to get the most out of their resources and achieve their goals. We are the global leader in solutions that optimize resources and work, spanning strategic planning, portfolio and resource management, project collaboration, and enterprise architecture. From small teams to large enterprises, companies in every industry use Planview’s products: Planview Enterprise, Projectplace and Troux. Headquartered in Austin, Texas, our 600 employees worldwide serve more than 1,000 enterprise customers and one million users. For more information, visit http://www.planview.com/. Source: RealWire
↧
↧
Datacloud 2016 Highlights Cloud Connectivity, Fiber Networks, Data Center as Critical Eco System for Business Users
London/Monaco, 11 January 2016 – Datacloud Europe 2016 (http://www.datacloudcongress.com/) which meets this June 7-9 in Monaco, will feature the critical eco system of cloud connectivity, fiber networks and data centers as the utilities to the world’s businesses. The enterprise driven programme for the international forum and exhibition, now in its 12th year with 60 countries represented, will extensively draw on business users from financial services, transport, auto, media and gaming, pharmaceutical, retail, oil and gas, telco and other key verticals. The congress will explore how they are responding to the challenges of energy, security, connectivity, interoperability, and using Cloud enablement, continuous delivery and DevOps lifecycles for faster rollout of new features and applications and for sustaining business innovation.“The content focus is extremely timely with most enterprises shifting at least half of their infrastructure to Cloud-based platforms over the next 24 months,” commented Philip Low managing director of BroadGroup, the event researchers and producers.“The need to connect outside of the data center to business Cloud users is not only critical, but also more complex as already evidenced in the selection of location for new facilities.”Kathy Schneider, SVP Product and Marketing EMEA, Level 3 Communications said: “Leveraging the cloud successfully should be underpinned by a solid network strategy. Level 3 is a trusted connection to the networked world, including the cloud, providing network services that enable organisations to achieve their growth, efficiency and security goals. As the Platinum Cloud Sponsor of Datacloud Europe, we are focused on helping organisations to maximise cloud connectivity opportunities, regardless of their cloud provider or architecture.”Datacloud Europe 2016 in Monaco will for three days be home to many of the most influential thought leaders, business minds and decision makers in the data center and cloud industry and once again reflects the core offering of high level content, leadership networking and a place where business deals are done. The programme includes the Datacloud Awards ceremony and dinner on the evening of 7 June, followed by two days of conference and exhibition. New for 2016, the event co-locates the first ever summit, Invest in Data Center Africa, for Investors, financiers, data center operators, subsea and fibre developers and pioneers responding to the challenges of creating the African data center network.Sponsors include Digital Realty, Siemens, Level3 Communications, Invest in Finland, MigSolv, Munters, ISG, StarLine, Active Power, Tate, and ebrc.About BroadGroup:Established in 2002, BroadGroup is an Information Media Technology and Professional Services company providing a value chain of consulting and research, publications, and innovative conference brands focused on data center, cloud and IT infrastructure and investment. The company is headquartered in London and incorporated as a limited company in the United Kingdom.(http://www.broad-group.com/)Press contact:Julia Vockrodt, Julia@vp-pr.com Tel0204 282 7144Source: RealWire
↧
AppSense Receives “Nutanix Ready” Validation to Simplify Virtual Desktop Deployments Leveraging Hyperconverged Infrastructure
Together, AppSense and Nutanix Speed VDI Implementations with the Ease of Configuration and Flexibility that Delivers Rapid “Time to Solution” BenefitsSunnyvale, Calif., January 11, 2016 – AppSense, the global leader of user environment management (UEM) solutions for the secure endpoint, today announced that it has joined the Nutanix Elevate Technology Alliance Partner Program and has received “Nutanix Ready” validation. When AppSense and Nutanix solutions are used together, enterprises can leverage hyperconverged infrastructure to simplify the deployment of virtual desktops for the speedier delivery of more secure, more responsive, more consistent, fully personalized desktops and applications. “AppSense is a valued member of the Nutanix Elevate program,” said Venugopal Pai, Vice President, Strategic Alliances and Business Development, Nutanix. “Together we are delivering open, innovative and transformative solutions that enable enterprises to more quickly benefit from VDI deployments and realize the expansive value of hyperconverged infrastructure.”“We are pleased to receive Nutanix Ready validation for our AppSense solutions which are designed to secure, manage and optimize desktops,” said Jed Ayres, Senior Vice President of Marketing, AppSense. “Hyperconverged architecture is the infrastructure of the future, enabling IT to focus on the end-user experience and not the tactical speeds and feeds that have plagued VDI deployments of the past. Nutanix and AppSense solutions deliver the optimal virtual desktop experience organizations need to improve endpoint security and performance for good.”One example of the value of the combined AppSense / Nutanix solution is the Virtual Clinical Workstation delivered by Coretek Services. This integrated solution enables customers to deliver VDI faster hence boosting user productivity and minimizing desktop management time. “By using AppSense and Nutanix at the core of our solution, we are able to finish projects faster delivering a truly integrated solution to improve our customers’ desktop productivity,” said Ray Jaksic, CTO and Founder, Coretek Services.The Coretek Virtual Clinical Workstation, based on AppSense and Nutanix, has been implemented by Torrance Memorial Medical Center, reducing log in time by more than 50% and helping clinicians to reclaim up to an hour a day for improved patient care. “Overall, hardware issues have declined because it’s much easier to manage the endpoints,” said Steve Lantz, Director of IT Infrastructure and Operations, Torrance Memorial Medical Center. “We’re solving issues much more quickly, which is a benefit to my team.”Nutanix delivers invisible infrastructure for next-generation enterprise computing by natively converging compute, storage and virtualization into a turnkey hyperconverged solution. The world’s most advanced enterprise datacenters rely on Nutanix web-scale technology to power their mission-critical workloads at any scale.The Nutanix Elevate Technology Alliance Program provides partners with technical resources, testing and documentation processes, marketing support, and sales enablement to develop comprehensive customer solutions. Nutanix Elevate Partners deliver validated solutions to market in the areas of Application Development, Applications and Operating Systems, Backup and Disaster Recovery, Desktop and Application Virtualization, Hybrid Cloud, Management and Operations, and Networking and Security.Hear more about the value of using AppSense, Nutanix and Dell together in the joint webinar, “Decoding the DNA of Productivity with VDI: Torrance Memorial and Promise Healthcare Unlock ‘Healthcare Everywhere,’” to be held on Thursday, January 28 at 9 a.m. pacific. Register today. About AppSenseAppSense is the leading provider of UEM solutions for the secure endpoint. AppSense user virtualization technology allows IT to secure and simplify workspace control at scale across physical, virtual and cloud-delivered desktops. AppSense Solutions have been deployed by over 3,500 enterprises worldwide to over 8 million endpoints. The company is headquartered in Sunnyvale, CA with offices around the world. For more information please visit www.appsense.com.###Media Contact:Erin JonesAvista Public Relations for AppSense704-664-2170appsense@avistapr.com Source: RealWire
↧
Juniper Networks Moves to Replace Vulnerable Code
After a backdoor is found on its ScreenOS, Juniper Networks takes steps to replace potentially compromised cryptography components.
At the end of 2015, Juniper Networks publicly disclosed that it had found previously unknown backdoor code on some of its firewalls. Juniper patched the issues and is now going a step further by replacing a core cryptography component in its ScreenOS operating system to further reduce any potential risk.
A core element of many forms of cryptography is the use of random number generators. The ScreenOS operating system makes use of the Dual_EC DBRG (Dual Elliptic Curve Deterministic Random Bit Generator) and ANSI X9.31random number technologies. Back in 2014, reports emerged alleging that Dual_EC DBRG was intentionally weakened in order to enable the placement of a backdoor by the U.S. National Security Agency (NSA).
Bob Worrall, senior vice president and CIO of Juniper Networks, is now moving to have his company remove Dual_EC DBRG from ScreenOS entirely.
With the initial patch for ScreenOS that protects users against backdoor code, Dual_EC remains in place.
"We remain confident that the patched releases, which use Dual_EC, remediate both the unauthorized administrative access issue, as well as the VPN decryption issue," Worrall wrote in a blog post.
ScreenOS is the core operating systems used on Juniper's Netscreen firewalls, which have largely been superseded in the company's product portfolio in recent years by the SRX Firewall product portfolio. The SRX runs on Juniper's Junos operating system, which is the same operating system that powers most of the company's switches and routers.
After the initial discovery of the backdoor code on ScreenOS, Worrall commented that Juniper started a comprehensive investigation into both ScreenOS and Junos source code. The end result of that investigation is that there is no evidence to suggest any unathorized code or backdoor in Junos.
"The investigation also confirmed that it would be much more difficult to insert the same type of unauthorized code in Junos OS," Worrall said.
One reason it would be more difficult to insert unauthorized backdoor code in Junos that it uses a different random number generation system. To that end, Juniper is going to replace Dual_EC in ScreenOS 6.3 and instead make use of Junos' random number generation technology. The change is expected to land in a ScreenOS update that is set to become available in the first half of the year.
Itay Glick, CEO of security specialist Votiro, is not surprised that Juniper is replacing the DUAL_EC component and suggested that other vendors do the same and move to a well-validated algorithm.
"Every company that uses compromised components should strive not to use them," Glick told eWEEK.
Areg Alimian, senior director of solutions marketing at security specialist Ixia, is also not surprised that Juniper is moving to replace potentially vulnerable cryptography components in its software. A key lesson that can be learned from this incident is that entropy needs to be more automatic and easier to add into security systems, he said.
"Random number generators (RNG) are essential but can't be the lynchpin to any system," Alimian told eWEEK.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
↧
More Pages to Explore .....
