
Infosecurity Europe 2007: a selection of papers from exhibitors at Infosecurity Europe 2007, Europe's dedicated information security event. Now in its 12th year, providing an education programme, new products & services, over 300 exhibitors and 11,600 visitors from every segment of the industry. 24th - 26th April 2007, grand hall, Olympia. www.infosec.co.uk.


The data leakage threat: perception and reality

Mark Murtagh, Technical Director for EMEA, Websense

When it comes to data leakage, sensationalism has been the order of the day in the mainstream and trade press, with a continued popular emphasis on the threat posed by USB devices such as memory sticks and hardware keyloggers. Admittedly, many firms are still adopting a piecemeal approach to security which can, and often does, leave them exposed. There is also no denying the seriousness of the data leakage problem. According to a Ponemon Institute Customer Trust Survey, companies that suffer a breach of only 100,000 records containing personally identifiable information can expect to lose almost a third of those customers for good and suffer total financial damages of about $23 million. These figures do not include indirect costs that result from critical media coverage and public exposure that can lead to brand damage, loss of customer revenue, regulatory fines or even civil lawsuits.

While virus attacks and spam tend to receive more media attention, the threat from company insiders who maliciously or inadvertently leak such information is on a scale at least as significant as these more familiar menaces. According to the most recent Annual Computer Crime and Security survey conducted by the Computer Security Institute and FBI, the top four security loss categories -- which accounted for almost three-quarters of the total percent of losses -- are viruses, unauthorised access, laptop theft and theft of proprietary information. The same survey suggests more than one-third of the 537 participants believe at least 20 percent of the overall losses are a consequence of insider threats.

Unfortunately there is a significant gap between popular perception and reality when it comes to the data leakage issue. The internet is becoming ubiquitous for communications, and the risks for data to leak out of a corporate network go far beyond portable devices to any system which has internet access. Today, the by-now firmly entrenched image of the information thief with memory stick in hand provides a very small--albeit easy to relate to--glimpse of the overall picture.

The SANS Institute, for example, identifies P2P file sharing applications as one of the most crucial Internet security vulnerabilities. Any kind of unsanctioned application downloaded by an employee is a threat because it can house malicious code, not to mention the legal implications of hosting--unknowingly or not--file-sharing applications. While companies are educating employees on the dangers of P2P applications, employees continue to use them at work.

Even though employees may know that file-sharing applications can propagate data loss and open the door to spyware and other malicious code, many believe that their firewall and anti-virus software will protect them. While these tools work on a basic level, the software does not protect against new Web-based threats. Research labs log thousands of new crimeware exploits, such as Trojan downloaders, screen scrapers and keystroke logging software each month. No matter how good traditional security products are, the software simply cannot keep up with the volume and increased complexity of new Web-based threats.

Instant messaging and online storage sites are other vectors of data loss, and new threats such as financial ID theft Trojans and BOTS are keeping IT managers constantly on their toes. Collectively, companies spend millions every year securing e-mail systems. But, by using Web-based e-mail and instant messaging services, employees are circumventing the security precautions put in place by companies, and ultimately placing their own machines and their company's entire network at risk to data loss. Online storage Web sites can be particularly risky and harmful because of a lack of security.

If we take a closer look at the potential sources of the risk of sensitive information loss, there are really three types of these. The first is intentional theft by an employee within the organisation, which can be achieved by making copies of data and physically removing it on a storage device and/or transmitting it outside of the corporate network electronically. The second is targeted attacks from the outside, using malware to steal proprietary information for unfair business advantage, again using the internet as the mechanism both for infection and data transport. The third--which has been identified by Gartner as the greatest risk of all, but which has less dramatic appeal and as such is often overlooked--is completely unintentional data leakage.

Honest employees can unintentionally leak sensitive information completely by accident, as simply as by sending an email or posting a web form with an incorrect attachment containing sensitive data.

Both companies and employees must be aware of the potential risks that increasingly flexible computing practices pose towards the organisation and the employees. By taking active steps to institute best security practices, businesses can fight off most vulnerabilities associated with the multitude of data sharing applications and techniques.

One of the most effective ways to reduce the risk of sensitive information loss is not just data access control, but controlling what actions can then be performed on the data by the users who have been granted access. Emerging technologies that are both content and user aware can help better reduce all three risk sources, through intelligently controlling not just user access to sensitive data, but how and where the employee can transmit copies of this information.
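The distinction this paragraph draws between granting access to data and governing what a user may then do with it, as an added Go example that is not from the article or from Websense: any authorised reader may open a record, but a transmission is judged on the content of the copy (a constructed customer-record layout and a Luhn-checked card number), on the destination domain and on who is sending it. The user names, domains and record format are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Action int // what a user wants to do with a document

const (
	Read     Action = iota // open or view it
	Transmit               // send a copy somewhere: e-mail, web form, IM, upload
)

// Request is one attempted action; Destination is the receiving domain for Transmit.
type Request struct {
	User        string
	Action      Action
	Destination string
	Content     string
}

// Policy keeps "who may open the data" apart from "where copies of it may go".
type Policy struct {
	Readers   map[string]bool // users granted access to the data
	Internal  map[string]bool // destination domains inside the corporate network
	Exporters map[string]bool // the few users allowed to send sensitive data outside
}

// Constructed record layout used for classification: a customer identifier and a card number.
var (
	customerID = regexp.MustCompile(`\bCUST-\d{6}\b`)
	cardLike   = regexp.MustCompile(`\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b`)
)

// luhnValid separates a real card number from an order or tracking number of the same shape.
func luhnValid(number string) bool {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(number)
	doubled := [10]int{0, 2, 4, 6, 8, 1, 3, 5, 7, 9} // 2*d with its digits summed
	sum := 0
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if (len(digits)-1-i)%2 == 1 { // every second digit from the right
			d = doubled[d]
		}
		sum += d
	}
	return sum%10 == 0
}

// Sensitive reports whether content carries personally identifiable information under the constructed rules.
func Sensitive(content string) bool {
	if customerID.MatchString(content) {
		return true
	}
	for _, m := range cardLike.FindAllString(content, -1) {
		if luhnValid(m) {
			return true
		}
	}
	return false
}

// Decide answers Read with plain access control; the Transmit branch is the content- and user-aware part.
func (p Policy) Decide(r Request) (allowed bool, reason string) {
	if !p.Readers[r.User] {
		return false, "user has no access to this data"
	}
	if r.Action == Read {
		return true, "read permitted"
	}
	if !Sensitive(r.Content) {
		return true, "non-sensitive content may leave"
	}
	if p.Internal[r.Destination] {
		return true, "sensitive content stays on the corporate network"
	}
	if p.Exporters[r.User] {
		return true, "sensitive content sent outside by an authorised exporter (audit it)"
	}
	return false, "sensitive content to an external destination blocked"
}

// Corporate is a constructed example policy.
var Corporate = Policy{
	Readers:   map[string]bool{"alice": true, "bob": true},
	Internal:  map[string]bool{"corp.example": true},
	Exporters: map[string]bool{"bob": true},
}

func main() {
	record := "CUST-004711;J. Doe;4111 1111 1111 1111" // constructed attachment; 4111... is the usual test card number
	for _, r := range []Request{
		{"alice", Transmit, "corp.example", record},
		{"alice", Transmit, "webmail.example", record}, // the wrong-attachment leak the text describes
		{"alice", Transmit, "webmail.example", "order 1234 5678 9012 3456 shipped"},
		{"bob", Transmit, "partner.example", record},
	} {
		ok, why := Corporate.Decide(r)
		fmt.Printf("%-6s -> %-16s allowed=%-5v %s\n", r.User, r.Destination, ok, why)
	}
}
```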

The main point is that while the USB storage device poses some degree of risk, this is only the tip of the iceberg. It may not make great headlines, but what board directors really need to recognise is that the vast majority of significant internal risks cannot be traced back to malicious intent on the part of the employee. It's not simply a case of locking down the USB ports, then being able to sleep soundly at night.

www.websense.com

IT's Inexorable March Towards Better Security

Joe Levy, Chief Technology Officer, SonicWALL, Inc.

* Widespread accountability for data security will emerge

* SSL will start to encompass trust again

* Virtualization emerges as a security tool

* Two-factor authentication will begin to see mass adoption

It is an age-old dilemma faced by IT vendors: Provide unimpeded access to all functions at the risk of security, or favour security at the cost of usability. Somewhere between 'superuser-access-for-all' and 'cranking-the-security-dial-to-11' lies harmony and balance. Unfortunately, identifying that point of accord remains elusive, and at best IT vendors can provide a free range of options, leaving the configurations to IT and security administrators. Some argue that this is not enough, and that strict security must be enabled by default. While well intentioned, this position largely betrays a lack of familiarity with the onerous nature of IT support. Others submit that IT is too complex, that user education is futile, and that computers need to be as easy to use as home appliances.

Despite the lack of a unanimously agreed course, IT continues its march toward security that is better in terms of its strength, availability and usability. While there are many variables, I believe there are a few key items we are likely to begin to encounter in 2007:

* Widespread accountability for data security will emerge. There will be an effort to extend regulation to mid-tier businesses. Much to the dismay of consultants, auditors, and examiners, it will quickly become clear, however, that smaller operations could not bear the complexities and costs of arcane and sprawling compliance processes. Of all functional business areas affected by the current regulatory climate, many regard the impact to IT as perhaps the most manageable because it is delineated by implementations of existing technologies, such as current encryption methods and standards for data storage and transmission, practicable password and authentication policies and platforms, and enforceable methods of malware prevention and system integrity protection.

Consistent with this, requirements will be tokenised and compartmentalised, with the burden of accountability being placed on IT hardware and software vendors.

In a sequence of events likely to begin with a precedent-setting lawsuit brought against the creator of a product found to have exploitable flaws, vendors will find themselves obligated to perform comprehensive testing on their source code to preventatively protect their users against common vulnerabilities such as buffer overruns and privilege escalations. Although they've been around for years, the use of exhaustive code path analysis tools, such as those from Coverity and Klocwork, will become a critical development-cycle component so that flaws have a better chance of being uncovered and remedied prior to product release. Companies providing these sorts of source code analysis tools will become integral to the security landscape.

* SSL will start to encompass trust again. SSL was developed, as described by its inventor Netscape, "to provide privacy between two communicating applications (a client and a server) ... [and also] to authenticate the server, and optionally the client." Today, SSL has lost half of its point, and much of its real value. Earlier, when the Internet was a safer place, users quickly became inured to pop-up warnings, which were usually the result of a typo or harmless error. When real threats began to arrive, the system was already compromised, and SSL only offered privacy, but no meaningful identity verification. Even worse, this familiarity allows SSL to work to the advantage of the ill-intentioned. Once an "unverified" SSL connection is set up, today's protective content analysis, such as URL filtering or deep-packet inspection, cannot easily be performed, allowing malicious payload to be delivered undetected.

Now the pendulum is starting to swing back the other way. New web-browsers include integrated anti-phishing features, but like the SSL warnings, these will soon be neutered by the same "it's nothing--just click OK" conditioning. Microsoft's Internet Explorer 7 has cleverly, if not frustratingly, changed the presentation of SSL certificate warnings: When a session's SSL parameters are questionable, IE7 can present a severe full page warning where "it's nothing--just click OK" shuts down the browser session. It's effectively reverse-psychology, and it succeeds in being disruptive.

This will draw the industry's attention back to the meaning of SSL and there will be a movement to restore transparency to legitimate SSL connections. To achieve this, administrators who had never before used a well-known Certificate Authority service will increasingly turn to these conveyances of trust. In particular, commonly accessed systems and portals will demand a "high-assurance" certificate rather than a self-signed or local CA issued certificate. If broadly implemented, this will create a differentiated user experience where a certificate warning is something worth heeding.
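The two halves of SSL that the column separates, privacy and server authentication, as an added Go example that is not from the column or from SonicWALL: two self-signed certificates are issued for the same host name, the client trusts only one of them, and a verifying client rejects the other while a client configured to skip verification (the programmatic equivalent of "it's nothing, just click OK") accepts it. The host name portal.example, the serial numbers and the loopback servers are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned issues a self-signed certificate for host. The trusted and the rogue
// server below are both built this way; they differ only in which one the client trusts.
func selfSigned(host string, serial int64) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// serveOnce accepts one connection and runs the handshake; a client that rejects the certificate fails it.
func serveOnce(ln net.Listener) {
	conn, err := ln.Accept()
	if err != nil {
		return
	}
	defer conn.Close()
	_ = conn.(*tls.Conn).Handshake()
}

// handshake dials ln with cfg and reports whether the client accepted the server's identity.
func handshake(ln net.Listener, cfg *tls.Config) bool {
	go serveOnce(ln)
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// Demo runs three handshakes against loopback listeners and reports whether each completed:
// a verifying client to the trusted server, the same client to a rogue server presenting
// the same host name, and a "just click OK" client to that rogue server.
func Demo() (trustedVerified, rogueVerified, rogueUnverified bool, err error) {
	const host = "portal.example" // constructed host name
	trusted, err := selfSigned(host, 1)
	if err != nil {
		return
	}
	rogue, err := selfSigned(host, 2)
	if err != nil {
		return
	}
	lnTrusted, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{trusted}})
	if err != nil {
		return
	}
	defer lnTrusted.Close()
	lnRogue, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{rogue}})
	if err != nil {
		return
	}
	defer lnRogue.Close()
	// The verifying client trusts exactly one certificate and insists on the host name.
	roots := x509.NewCertPool()
	roots.AddCert(trusted.Leaf)
	verifying := &tls.Config{RootCAs: roots, ServerName: host}
	// The "click OK" client keeps the privacy half of SSL and discards the authentication half.
	clickOK := &tls.Config{InsecureSkipVerify: true}
	trustedVerified = handshake(lnTrusted, verifying)
	rogueVerified = handshake(lnRogue, verifying)
	rogueUnverified = handshake(lnRogue, clickOK)
	return
}

func main() {
	fmt.Println(Demo()) // true false true <nil>
}
```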

* Virtualisation begins to emerge as a security tool. Moving beyond productivity, scalability, and space and power economies, virtualised desktops will provide users with a computing environment that is relatively impervious to corruption. As malware infections become more insidious, and more difficult to detect and clean, it is becoming increasingly common for IT staffs to turn to virtual machine snapshots for easy restoration of a known-good state without the need to re-install or re-image an entire PC or server. Security software vendors will produce products designed to run on improved hypervisor and virtual machine monitor architectures, providing relatively incorruptible, real-time inoculation against malware within their virtual machines.

Virtualized layers of operation (such as those provided by Altiris' Software Virtualization Solution or by Microsoft's SoftGrid or to some extent Vista's UAC file and registry virtualization for legacy applications) will become commonplace, providing a sandbox in which programs can be installed without risk to the host. High-capacity centralised storage with strong authentication and a sound continuous data protection (backup) solution will house and secure the virtual image libraries.

* Two-factor authentication will begin to see mass adoption. Two-factor authentication (2FA) methods, named after the use of a combination of "something you know" (a password) and "something you have" (a smartcard, SMS phone, or token) or "something you are" (biometrics), have been well adopted by the enterprise, particularly for remote access, but have seen limited use elsewhere. 2FA uptake has been slowed by its disruptiveness and by the burden it places on IT and technical-support staffs. Despite these obstacles, we're at the verge of recognising that the cost of not using 2FA is greater than the cost of implementing it. Spurred by the European banking industry and by increasing fraud costs, US financial institutions will quicken their pace of adoption of 2FA, which will in turn serve to acclimatise consumers to the technology. To mitigate the resistance of having to carry and track a dedicated 2FA token device, existing ubiquitous mobile computing platforms (such as mobile phones) will become increasingly popular as 2FA client platforms. Simultaneously, just as the cost of fraud largely drove the banking industry to adopt 2FA, so too will it be a primary driver for e-commerce as payment card industry bodies begin mandating the use of 2FA. The mechanism will become part of our authentication vernacular, and we will soon look back with disbelief on the use of password-only systems.

Security initiatives in general must accept that there is no panacea in the form of hardware or software. But this should not discourage the effort from being made: the locks on your front-door are probably vulnerable to break-ins, and the door itself is probably vulnerable to an axe, chainsaw, torch, or explosives, but you don't keep the door wide-open or unlocked just because the security system isn't perfect.

Every additional measure helps in the incremental battle between attacker and protector. But perhaps the best way to win the security race is to change the parameters by making data-crime less profitable for the criminals.

www.sonicwall.com

Yapbrowser: Directing you to Illegal Content in One Click or Less

Christopher Boyd, Director of Malware Research, FaceTime Communications

Web-browsers. They're all around you, on every PC across the length and breadth of the planet, yet you probably don't stop to think about them too much. Why would you? They're just there, and that's all that matters, like the mouse or the keyboard--a tool you just plug in to do something else, without worrying about what they happen to be doing internally. Your gateway to the online world, we have a voracious appetite for the latest hot new browser, the Firefox killer, the latest features and functionality. We give up our trust to these browsers wholeheartedly; let them save our passwords, keep hold of our browsing habits and much more besides. For all the new features, bells and whistles, there used to be one thing you could be guaranteed when using a browser:

Type in a URL, and that's the page you'll see. Right?

In April 2006, a new web-browser that came bundled with Zango Adware was launched, to little or no fanfare. Sure, it came with Adware but there was no hijack, disclosure was good and you had to go to their website to download the software. So far, so good--especially as the browser installed with no problems and a minimum of fuss. Imagine the look on your face then, when you decided to try out Yapbrowser, installed it, agreed to the Zango Adware, opened up the browser and typed in a URL--any URL--and hit the green "Go" button; only to be immediately redirected to hardcore child pornography. Regardless of what you typed into the browser, you were taken to go-to-jail inducing material completely out of the blue with no warning. How many times have you downloaded an application and installed it without thinking beforehand, hey, I wonder if this will lead me to illegal porn? Probably never. But with the advent of Yapbrowser (which, thinking about it, probably stood for Young Adult Porn), everything changed. Here was an application which in my opinion was far worse than any random piece of Malware that turns off your security settings, or a random Myspace phish. You can recover from those--imagine running Yapbrowser on your business network, or on your home PC which breaks the day after and you're faced with the choice of taking it in for repairs, or throwing it off a cliff. Think those PC repair guys will believe you? What's that, a kiddy porn browser? Yeah right, buddy. Pull the other one. Now wait right there while we call the police ....

Previously, I don't think anyone had considered the humble web browser as an offensive weapon but over the course of 2006 everything has changed. Alongside Yapbrowser, we've had the wonderfully named "Safety Browser" (which installs itself without permission as part of an Instant Messaging Hijack), and Browsezilla (which made secret calls to pornography websites). There's probably more still flying under the radar, ready to be discovered in the worst possible circumstances. The question is, what can we do about it?

As this is a relatively new area of web-based depravity, all I can do is give you my oft-repeated advice to spend a few minutes Googling the name of any new browser you happen to come across. Considering the kind of trouble you could avoid by doing so, it's well worth the time and effort. The possibilities for attack are almost endless in this brave new world of Malware making. For one thing, you have ease of distribution--it's not like you have to hack servers and hide your dubious infection files from public view. The very nature of a web browser is that it's universally trusted and geared towards many kinds of distribution, be it viral, word of mouth or flashy ad campaigns. As long as the bad guys can keep the real intention behind their program hidden until the last moment, that's all that matters, so openly pushing it to all and sundry is really no big deal for them. If the bad guys didn't want to go down the route of incendiary illegal content redirection, Yapbrowser style, they could always take a more subtle approach. How about accepting money for rogue banner ads built into the browser? There are plenty of rogue applications out there that would be all too happy to pay for such a deal. Maybe they could come up with a twisted version of the password storing features so commonplace in modern browsers, where they steal the stored information instead of keeping it safe.

Now that I've terrified you with the frankly dismal promise of what could be coming down the "new developments in web-based awfulness" pipeline, I think I'll close this cautionary tale with something vaguely approaching a happy ending. Let's face it; you're dying to know what happened to Yapbrowser, yes? Well, within a day of revealing what this program did, Zango cut off their distribution with the Russian-based application and shortly after that, the company behind it collapsed, the browser itself was killed off and the site hosting the images that caused all the fury was finally taken offline.

Sure, a few months later Yapbrowser returned with the bizarre claim that it could guarantee 100% "that no malicious system infection will occur when using the software", but I guess you can't have everything. At the very least, the connection to the dubious pornography websites was severed and the browser was bought out by search portal Searchwebme, which was intended to add a little respectability to what must be the most unfortunate web browser in living memory. Sadly(!) things don't appear to have worked out quite as the creators of Yapbrowser would have liked, because I recently saw the Yap domain on sale for the low, low price of ...... ten thousand dollars. You couldn't make it up.

www.facetime.com

Unravelling Crypto

Dr Nicko van Someren, founder and CTO of nCipher, looks at how the use of encryption is spreading and sorts out fact from fiction when it comes to talk about new developments.

With breached databases, stolen laptops full of customers' personal information and leaks of healthcare details, IT security is rarely out of the news these days. However, with much of the coverage ill-informed or based on exaggerated claims, it's hard to work out what should most concern hard-pressed security managers and what should be dismissed.

IT managers have to sort out the fact from the fiction and hype coming from over 300 vendors promising to solve vital pieces of the security jigsaw. Then, of course, there is the question of how seriously to take new developments that are always 'just around the corner'.

The truth is that security developments move very slowly. Behind every usable innovation are years of testing and peer review. Cryptography, one of the technologies that underpins IT security, dates back to Egyptian times and the cryptographic algorithms in use today have been studied for over 20 years. Some cryptographers reckon that you simply can't trust anything that hasn't been studied for that long. Confidence in security comes from a thorough understanding of the science used to encrypt data--whether it is mathematics, physics or even biology. The better we understand it the stronger the security that can be built on top of it.

So rather than advancing the underlying science and coming up with new algorithms, most of the important developments currently taking place are focused on the application and management of cryptography. For example, while the generation of cryptographic keys is well understood, and the use of these keys is understood, there are still problems in distributing keys that could well be solved better by newer technologies.

Cryptography is best known today for protecting data in transit, particularly across the public Internet. We are all familiar with the padlock in the corner of the screen that provides the reassurance that SSL (Secure Sockets Layer) encryption is being used to protect our personal details or ecommerce transaction. SSL is now a de facto standard to prevent eavesdropping and provide secure sessions between the browser and web server.

If sensitive information such as a password or PIN is decrypted on the web server so that it can be checked against data stored in a back-end database, the point of risk is simply shifted from the wire to the server. The challenge therefore is to extend the security provided by SSL deeper into the web site infrastructure in order to protect data behind the firewall from internal and external attacks. As the concept of a secure network boundary becomes outdated it becomes even more important to protect sensitive information wherever it flows, inside or outside a corporate network. SSL sessions can now be terminated inside a protected tamper-resistant environment, such as a hardware security module, and traffic passed securely on to other back-end applications.

The idea of end-to-end encryption may still be a holy grail but cryptography is increasingly playing a vital role both externally and internally. For example, why crack individual credit card transactions over the Internet when entire repositories of private information stored in databases may be open for attack?

To overcome this vulnerability, fine-grained data protection and key management technologies have now been developed that only encrypt those data objects or fields specified by the security policy.

So instead of building 'walls' around servers or hard drives, a protective layer of encryption is created around individual data-items or objects.
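As an added example, not code from the original article or from nCipher, the following Go program shows what field-level encryption under a policy looks like in practice: only the fields the policy names are encrypted (AES-256-GCM), each stored ciphertext carries the identifier of the key that sealed it so keys can be rotated without re-encrypting everything at once, and the field name is bound into the authenticated data so a ciphertext cannot be quietly moved from one column to another. The policy, the key store and the `enc:<key id>:<base64>` storage format are assumptions made for the example; real keys would live in an HSM or key-management service rather than being generated in `main`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Policy names the fields that must be encrypted at rest; everything else stays
// in the clear so it can still be indexed. (Assumed here; normally configuration.)
var Policy = map[string]bool{"card_number": true, "pin": true}

// KeyStore maps key identifiers to 256-bit AES keys. Storing the key ID with each
// ciphertext lets keys be rotated without re-encrypting every row at once.
type KeyStore struct {
	Current string
	Keys    map[string][]byte
}

func (ks *KeyStore) aeadFor(keyID string) (cipher.AEAD, error) {
	key, ok := ks.Keys[keyID]
	if !ok {
		return nil, errors.New("unknown key id " + keyID)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one value under the current key. Key ID and field name are
// bound in as additional authenticated data, so a ciphertext copied into another
// column, or opened under the wrong key, fails authentication.
// Stored form (assumed for this example): enc:<key id>:<base64(nonce || ciphertext)>
func (ks *KeyStore) EncryptField(field, value string) (string, error) {
	aead, err := ks.aeadFor(ks.Current)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nil, nonce, []byte(value), []byte(ks.Current+":"+field))
	return "enc:" + ks.Current + ":" + base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// DecryptField refuses anything that is not an intact ciphertext for this exact field under a known key.
func (ks *KeyStore) DecryptField(field, stored string) (string, error) {
	parts := strings.SplitN(stored, ":", 3)
	if len(parts) != 3 || parts[0] != "enc" {
		return "", errors.New("not an encrypted field")
	}
	aead, err := ks.aeadFor(parts[1])
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(parts[1]+":"+field))
	if err != nil {
		return "", errors.New("authentication failed")
	}
	return string(plain), nil
}

// ProtectRecord applies the policy to one record before it is written.
func ProtectRecord(ks *KeyStore, rec map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(rec))
	for k, v := range rec {
		if Policy[k] {
			var err error
			if v, err = ks.EncryptField(k, v); err != nil {
				return nil, err
			}
		}
		out[k] = v
	}
	return out, nil
}

func main() {
	key := make([]byte, 32)
	io.ReadFull(rand.Reader, key) // demo only: real keys belong in an HSM or key-management service
	ks := &KeyStore{Current: "k1", Keys: map[string][]byte{"k1": key}}
	prot, _ := ProtectRecord(ks, map[string]string{"customer_id": "42", "pin": "1234"})
	fmt.Println(prot)
}
```

The two checks worth noticing are the ones that fail on purpose: a `card_number` ciphertext presented as a `pin` is rejected because the field name is part of the authenticated data, and a ciphertext naming a key the store has never seen is rejected before any decryption is attempted. Rotation is just adding a new key and changing `Current`; rows sealed under the old key keep working until they are rewritten.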

When it comes to Web services, the security challenges mirror those of standard Internet communications but the stakes are higher. Web services involve scalable machine-to-machine interaction, which will often bridge the firewall, increasing exposure to malicious attack. Not only is it vital to deliver confidentiality and integrity through encryption and digital signatures, it is also important to manage machine and user identities and verify who or what is on the other end of a network connection.
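An added example, not part of the original article: the identity check described above, in Go, using Ed25519 signatures from the standard library. The peer registry, the envelope layout and the freshness window are assumptions for the example. The point it makes is that "verify who is on the other end" means looking the claimed identity up in a registry of enrolled keys and checking the signature under that key, not merely checking that some signature is valid; the signed timestamp is what stops a captured message being replayed later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Registry maps an enrolled peer identity to its public key (an assumption of
// this example; in practice it would be backed by a PKI or a service directory).
type Registry map[string]ed25519.PublicKey

// Message is the signed envelope one service sends another.
type Message struct {
	Peer      string
	Timestamp int64 // Unix seconds, signed so the message cannot be replayed outside a window
	Body      []byte
	Signature []byte
}

// signedBytes defines exactly what the signature covers. The variable-length
// peer name is length-prefixed so ("ab","c") and ("a","bc") cannot collide.
func signedBytes(peer string, ts int64, body []byte) []byte {
	var n [8]byte
	out := make([]byte, 0, 16+len(peer)+len(body))
	binary.BigEndian.PutUint64(n[:], uint64(len(peer)))
	out = append(out, n[:]...)
	out = append(out, peer...)
	binary.BigEndian.PutUint64(n[:], uint64(ts))
	out = append(out, n[:]...)
	return append(out, body...)
}

// Sign produces the envelope for body on behalf of peer.
func Sign(priv ed25519.PrivateKey, peer string, ts int64, body []byte) Message {
	return Message{Peer: peer, Timestamp: ts, Body: body,
		Signature: ed25519.Sign(priv, signedBytes(peer, ts, body))}
}

// Verify rejects unknown peers, anything that does not verify under the enrolled
// key for the claimed peer, and messages outside the freshness window.
func Verify(reg Registry, m Message, now, maxSkew int64) error {
	pub, ok := reg[m.Peer]
	if !ok {
		return errors.New("unknown peer")
	}
	if !ed25519.Verify(pub, signedBytes(m.Peer, m.Timestamp, m.Body), m.Signature) {
		return errors.New("bad signature")
	}
	skew := now - m.Timestamp
	if skew < 0 {
		skew = -skew
	}
	if skew > maxSkew {
		return errors.New("stale message")
	}
	return nil
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	_, privB, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"billing-svc": pubA}
	now := time.Now().Unix()
	good := Sign(privA, "billing-svc", now, []byte(`{"order":7,"total":19.99}`))
	fmt.Println("genuine:", Verify(reg, good, now, 300))
	forged := Sign(privB, "billing-svc", now, []byte(`{"order":7,"total":0}`)) // B claims to be A
	fmt.Println("impersonation:", Verify(reg, forged, now, 300))
	fmt.Println("replay an hour later:", Verify(reg, good, now+3600, 300))
}
```

A replay inside the window is still possible with this alone; a service that cares adds a per-peer nonce cache or a monotonic sequence number, signed in the same way.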

A Leap in the Dark

So encryption is finding its way into a wide range of new applications but what about future developments in cryptography?

Probably the most heralded technology in this field is quantum encryption, or more precisely quantum key distribution (QKD). From many reports, it would seem that this is a commercial proposition about to replace established security technologies and provide a panacea for all the unresolved security issues.

QKD uses the quantum properties of individual photons to carry key material between two parties; the data itself is then encrypted with a conventional cipher under that key. Any attempt to intercept the photons disturbs their quantum state, and the resulting error rate in the agreed key shows that the link has been tapped. So far this technology has been largely confined to research laboratories, though each report suggests that researchers are closer to a commercially useful implementation. Two main issues emerge. The first is practical. The type of security that QKD has proved to be good at, at least in initial implementations, is point-to-point security between parties that already know each other: the two ends still need a conventionally authenticated channel between them, otherwise an interceptor can simply impersonate one of them. Because the photons cannot be amplified or routed through intermediate equipment without being measured, the quantum-secured stream can only pass down a single dedicated fibre-optic link, so this development is likely to be useful in some important security scenarios, such as securing telecommunications links.
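To make the interception argument concrete, here is an added simulation, not from the original article or from nCipher, of the BB84 key-distribution protocol in Go, run with and without an intercept-and-resend eavesdropper. Photons, detectors and the channel are idealised (no loss, no noise), and the 11% acceptance threshold is the figure usually quoted for that idealised analysis; both are assumptions of the example. What it shows is the mechanism in the paragraph above: Eve cannot know which basis Alice used, so she guesses wrong half the time, and her resent photon then gives Bob a wrong bit half of those times, corrupting about a quarter of the sifted key.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
)

// Result summarises one run: how many raw bits survived sifting and what
// fraction of the sifted key disagrees between Alice and Bob.
type Result struct {
	SiftedBits int
	ErrorRate  float64
}

// measure models a single-photon detector: measuring in the preparation basis
// returns the encoded bit; measuring in the other basis returns a random bit
// and destroys the original state.
func measure(bit, prepBasis, measBasis int, rng *rand.Rand) int {
	if prepBasis == measBasis {
		return bit
	}
	return rng.Intn(2)
}

// SimulateBB84 sends n photons over a lossless, noiseless link. Bases are
// 0 (rectilinear) or 1 (diagonal). A fixed seed makes runs reproducible.
func SimulateBB84(n int, eveIntercepts bool, seed int64) (Result, error) {
	if n <= 0 {
		return Result{}, errors.New("n must be positive")
	}
	rng := rand.New(rand.NewSource(seed))
	sifted, mismatched := 0, 0
	for i := 0; i < n; i++ {
		aliceBit, aliceBasis := rng.Intn(2), rng.Intn(2)
		bit, basis := aliceBit, aliceBasis // the state in flight
		if eveIntercepts {
			eveBasis := rng.Intn(2)
			bit = measure(bit, basis, eveBasis, rng)
			basis = eveBasis // Eve can only resend what she measured
		}
		bobBasis := rng.Intn(2)
		bobBit := measure(bit, basis, bobBasis, rng)
		// Sifting: over the authenticated public channel Alice and Bob announce
		// their bases and keep only the positions where they agree.
		if bobBasis == aliceBasis {
			sifted++
			if bobBit != aliceBit {
				mismatched++
			}
		}
	}
	if sifted == 0 {
		return Result{}, errors.New("no sifted bits")
	}
	return Result{SiftedBits: sifted, ErrorRate: float64(mismatched) / float64(sifted)}, nil
}

// AcceptKey is the decision taken after Alice and Bob publicly compare a sample
// of the sifted key: above the threshold the link is treated as tapped and the
// key is discarded. Real links have intrinsic noise, so the threshold is above
// zero; about 11% is the figure usually quoted for the idealised analysis.
func AcceptKey(r Result, threshold float64) bool {
	return r.SiftedBits > 0 && r.ErrorRate <= threshold
}

func main() {
	for _, eve := range []bool{false, true} {
		r, _ := SimulateBB84(10000, eve, 1)
		fmt.Printf("eavesdropper=%v sifted=%d error=%.3f accept=%v\n",
			eve, r.SiftedBits, r.ErrorRate, AcceptKey(r, 0.11))
	}
}
```

Note what the simulation does not cover: the "authenticated public channel" in the sifting step is doing real work. Without it, an attacker who can sit between the two ends runs the protocol separately with each and the error rate stays at zero.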

In its current form it is not applicable to most forms of Internet or corporate security where data must pass through many computers on its journey from start to endpoint. Unless every connected computer can have a direct connection with every other connected computer, this will limit the application of this development, though it promises to be very useful for particular security needs. The second is more theoretical. While we understand enough about quantum physics to see how it can be used to distribute keys and provide a novel security solution, the field is by no means fully mature. There remains a risk that further discoveries could change our understanding of the quantum world and that such discoveries might provide a security hole or enable a form of attack that we can't envisage or protect against based on current understanding. More prosaically, the same applies to the engineering: the photon sources and detectors in a real implementation are imperfect, and attacks on those imperfections rather than on the physics are the more immediate concern. Compare this with the well-understood mathematics behind the RSA public-key algorithm. There remains an outside risk that a mathematician will discover something new about factorisation, the basis of security in the RSA algorithm. This branch of mathematics is more mature than the study of quantum physics, so it is much less likely that there could be an undiscovered fault-line in the technology. With over 25 years' close scrutiny of this algorithm and the maths behind it, users can be reasonably confident that weaknesses have already been discovered and understood.

The most likely risks to algorithms such as RSA are probably those we already know about. For example, as computers get more powerful, they can process the sums behind the security much more quickly and could therefore crack keys more quickly. Because we understand this risk, we can protect against it by using longer keys: the cost of the best known factoring methods grows much faster than linearly in the key length, so a modest increase in key size raises the attacker's effort far more than it raises the legitimate user's, and reduces the likelihood that an attacker can find a key in any reasonable period of time. The other known risk is, for now, theoretical: Shor's algorithm would factor RSA moduli efficiently on a sufficiently large quantum computer, which is why it is progress in quantum computing, rather than quantum physics in general, that RSA users need to watch.

The process of introduction for the symmetric algorithm AES (the US government's Advanced Encryption Standard, the Rijndael block cipher selected by NIST through an open competition) shows how the industry can work together, by subjecting it to an unprecedented level of scrutiny from experts all over the world.

Even so, security curmudgeons still express some scepticism that this new standard is entirely safe to adopt after its brief but intense introduction. Quantum key distribution and encryption are technologies worth watching, although there is a great deal to be implemented and proven before the risks of using them become as low as the risks of using more familiar technologies such as RSA. The quality of the research undertaken in this field is undoubtedly high; look for more discussions of the topic at security conferences and peer-reviewed articles and papers to show how the technology is developing and its implementation progressing. While quantum encryption sounds like the stuff of science fiction, it is a serious development.

www.ncipher.com

A best practice approach for secure data backup

Tony Byers, UK Sales Director at Iron Mountain Europe

In many environments, storage has operated outside of the realm of security officers for some time, as their main focus has been primarily on areas such as perimeter security, intrusion detection/prevention and protection of host systems. As a result, the storage infrastructure--both primary storage and especially copies of primary storage--is likely to be an Achilles' heel when it comes to security. Policies for data security are a corporate concern and should be a fundamental element of an enterprise security strategy. Strategic security policies can then spawn tactical and operational policies through the joint efforts of the security and storage organisations. To that end, storage must become an integral part of the corporate security strategy. To achieve these goals, a corporation should build a practice around five fundamental areas:

* Assign accountability, responsibility and authority

* Assess risk

* Develop a data protection process

* Communicate the process

* Execute and test the process

1. Assign accountability, responsibility and authority.

Make storage security a function of overall information security policies and architecture. Even if companies decide that backup or storage security responsibilities should reside within the storage team, they still must integrate any storage and backup security measures with those that secure the rest of the infrastructure. Integrating storage and backup security measures will help build defense-in-depth protection. It is also recommended to divide duties where data is highly sensitive: it is prudent to ensure that the person authorizing access is not the person charged with responsibility for execution.

2. Assess storage risk as it pertains to information security.

Managers must examine each step of their backup methodology looking for security vulnerabilities. Could a tape administrator secretly create copies of backup tapes? Are boxes of tapes left out in the open? Is there a tight, end-to-end chain of custody for your backup tapes? If data is backed up and transported in clear text, vulnerabilities like these could make mission-critical data easy prey.

If a risk analysis exposes numerous vulnerabilities, organizations should seriously consider whether data encryption is warranted; in particular, media that is encrypted before it leaves the data centre stays unreadable if a box of tapes goes missing in transit.

3. Develop an information protection program that ensures the security of a corporation's information, regardless of where it is at any point in time.

Adopt a multi-layered approach to data protection by taking best practices that may already exist for the data network and applying them to the storage network, while adding layers unique to the characteristics of data at rest. These include the areas of:

* Authentication: Apply multi-level authentication and anti-spoofing techniques.

* Authorisation: Enforce privileges based on roles and responsibilities versus full administrative access.

Copy your backup tapes. Depending on a single copy of data is never a good idea. While tape media can have a long life, it is susceptible to environmental and physical damage. A common practice is to perform nightly backups, then ship those tapes off-site--with no verification process. The recommended best practice is to copy backup tapes and then send the copy off-site.

Tape remains the preferred storage method for backup as it is cost-effective and has the capacity to back up a single operating system on one tape. Stored correctly, tapes can have an archival life of over 30 years, making it a very reliable storage medium. A 'Low-tech Guide to High-tech Media' is available from Iron Mountain. It includes the types of media best suited to backup requirements, advice and best practice tips on how to handle media tapes post backup, and how to ensure data continuity and compliance for an organisation. To obtain a copy of the guide, visit: www.ironmountain.co.uk/forms/OSDP

4. Communicate the processes that are to be taken around information protection and security.

Now that the process has been defined for ensuring that the sensitive data is properly protected and handled, it is important to ensure that the people who are responsible for carrying out its security are informed and trained. Security policies are the most important aspect of assigning accountability, responsibility, and authority. Inform business managers of risks, countermeasures, and costs.

Data loss and intellectual property theft are a business issue, not an IT issue. As such, the Chief Information Security Officer (CISO) should begin a data security effort by educating business executives on risks, threats, and potential losses from security breaches.

5. Execute and test the information protection security plan.

Secure data protection is not about technology; it is about process. That is why it is important to test the process. Additionally, as a company grows, information and data protection needs change, so the information security practices must change as well.

Once the end-to-end plan has been developed, defined, and communicated to the appropriate people, it is time to begin execution. Ensure that the tools, technologies and methodologies that need to be deployed for information classification are in place. You may need to deploy new technologies that allow information to be classified or tagged with metadata such that, upon backup, the information is backed up using the right rules and processes. Test the process once it is in place. Remember, the process to be tested needs to include both backup and recovery. Attempt to inject any conceivable threat into the process including server and tape loss, network issues, device issues, data classification issues and any other scenario that might affect the business.
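The verification step that both the backup-copy advice in point 3 and the recovery test in point 5 call for, as an added Go example that is not from the original article or from Iron Mountain: a manifest of file hashes is recorded from the primary data when the backup is taken and kept apart from the media, and a tree restored from that backup is checked against it, so a recovery drill reports exactly which files are missing, altered or unexpected instead of "the restore looked fine". The directory layout and sample files are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps each file's slash-separated path, relative to the backup root,
// to the hex SHA-256 of its contents. Taken from the primary data at backup time
// and stored separately, it is something the tape itself cannot have altered.
type Manifest map[string]string

func hashFile(p string) (string, error) {
	f, err := os.Open(p)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// BuildManifest walks root and hashes every regular file under it.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		sum, err := hashFile(p)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		m[filepath.ToSlash(rel)] = sum
		return nil
	})
	return m, err
}

// VerifyRestore compares a restored tree against the manifest and returns every
// discrepancy, sorted. An empty list means the restore is complete and identical.
func VerifyRestore(restoredRoot string, want Manifest) ([]string, error) {
	got, err := BuildManifest(restoredRoot)
	if err != nil {
		return nil, err
	}
	var problems []string
	for rel, sum := range want {
		g, ok := got[rel]
		if !ok {
			problems = append(problems, "missing: "+rel)
		} else if g != sum {
			problems = append(problems, "modified: "+rel)
		}
	}
	for rel := range got {
		if _, ok := want[rel]; !ok {
			problems = append(problems, "unexpected: "+rel)
		}
	}
	sort.Strings(problems)
	return problems, nil
}

func main() {
	// Constructed sample data standing in for the primary store and a restored copy.
	src, _ := os.MkdirTemp("", "primary")
	dst, _ := os.MkdirTemp("", "restored")
	defer os.RemoveAll(src)
	defer os.RemoveAll(dst)
	for _, root := range []string{src, dst} {
		os.MkdirAll(filepath.Join(root, "db"), 0o755)
		os.WriteFile(filepath.Join(root, "db", "customers.csv"), []byte("id,name\n1,alice\n"), 0o644)
		os.WriteFile(filepath.Join(root, "db", "orders.csv"), []byte("id,total\n7,19.99\n"), 0o644)
	}
	m, _ := BuildManifest(src)
	problems, _ := VerifyRestore(dst, m)
	fmt.Println("clean restore:", problems)
	os.WriteFile(filepath.Join(dst, "db", "orders.csv"), []byte("id,total\n7,0.00\n"), 0o644) // damaged in transit
	os.Remove(filepath.Join(dst, "db", "customers.csv"))                                  // never made it onto the tape
	problems, _ = VerifyRestore(dst, m)
	fmt.Println("damaged restore:", problems)
}
```

Run the same check against the off-site copy before it ships, not only after a drill: a copy that already differs from the manifest when it leaves the building is the "no verification process" failure the text warns about.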

www.ironmountain.co.uk

The Changing Nature of Risk Management

Piers Wilson, Head of Technical Assurance, Siemens Insight Consulting

Much security and risk assessment activity takes place at a discrete point in time. Siemens Insight Consulting has a number of longer term, operational and managed service clients, where we are continuously involved in managing their risks--but certainly, if I look at the penetration and security assurance services we undertake, the risk management reviews and assessments, and even the development of policies and standards, all represent a summary of findings and/or recommendations at a certain point in the lifecycle of systems or the environments of our clients.

In some cases, projects become periodic; undertaking penetration testing work every 3 months to pick up new vulnerabilities and system changes, or providing ISO 17799 (now ISO/IEC 27002) support services coinciding with the annual interim certification audits our clients undergo.

Ongoing, real-time risk management

What is really required though is a constant reassessment of risk and vulnerability--the ability to adjust to real-time changes in the likelihood of threats and the impacts of vulnerabilities, i.e. the way risks are assessed and managed on a continuous basis.

In the US, the Department of Homeland Security has a "Threat Level" advisory system which is changed to respond to the global climate or in response to "intelligence"--it occurs to me that modern businesses may need to think about their own exposure along the same lines: constantly tracking the threats against them, their exposure, and the climate in which they conduct business, to make sure that their response is appropriate. Let's consider some examples:

* The risk of flooding may change depending on whether the weather forecast predicts rain or not;

* The risk of virus attack varies constantly, depending on the ever changing number of viruses released, the systems they affect and the schedule for updating signature files.

In both these cases though, organisations will have defined flood countermeasures or virus systems in place (or not) and set to protect them in certain ways. These may change in likelihood, but may not necessarily mean a change in countermeasures (i.e. you'd be unlikely to go out and fill a load of sandbags just because it was going to rain, but you might permanently site your IT equipment away from ground level).

However, things might be different in the following cases:

* The risk of electronic attack changes based on newly discovered vulnerabilities;

* Changes in the public perception of a business surrounding a product launch, a new service or due to merger activity might raise its profile or attractiveness to external attack;

* The risk of theft might increase following large-scale IT purchases (workstation roll-outs), office refits or other major investments/building work.

In all these cases the stance of the company could be dynamically altered to respond to the changed risk. Taking each in turn:

* The existence of new electronic vulnerabilities might mean increasing the vigilance on intrusion detection systems (IDS), or paying closer scrutiny to system logs--potentially causing an increase in staff costs and resource effort (weekend overtime) to oversee the more vulnerable systems.

* The launch of a new product or service, diversification into new markets or the announcement of a merger might mean an increased risk of protests, motivated attacks or disgruntled employees. Again, increased vigilance, an increase in the level of system logging and tighter access controls might be deemed necessary.

* The purchase of new hardware and general investment in premises and technology might make a tired old building with "nothing worth stealing" a lot more attractive.

Increased security guard presence, improved physical security controls and a more structured CCTV tape regime might be a good idea.

Clearly, in these cases there is a direct increase in operational cost in reacting to the increased risk, so you would not want to continue this (e.g. the increased vigilance) all the time.

However, unless the risk profile of a business can quickly be reassessed it is hard to see how increased risks could be managed, certainly between now and the next security audit.

www.siemens.com
COPYRIGHT 2007 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2007, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:SOFTWARE WORLD INTELLIGENCE
Publication:Software World
Geographic Code:4E
Date:Mar 1, 2007
Words:6088