My colleague at Forrester, Chris Silva, recently commented upon the recent Air Defense acquisition by Motorola. Looking at the deal through the security lens, I completely agree with Chris that this will help ease integration of wireless security into wireless infrastructure. It's good to see one of the major wireless brands step up and take wireless security seriously. Perhaps that other major wireless vendor will get the hint...
Motorola announced this week its intentions to acquires Wireless IDS/IPS vendor AirDefense.
The acquisition may provide a bit of deja vu to readers who recall the
acquisition of Network Chemistry's wireless IDS/IPS assets by Aruba
Networks in 2007.
Moody’s recently launched their Vendor Information Risk (VIR) ratings service. The main objective of this service is to reduce the overall burden of conducting risk assessments for organizations, as well as their service providers. The whole idea being that if Moody’s can do a risk assessment on behalf of multiple subscribers, it can make the assessment process a lot more efficient. The service provider will not have to go through multiple assessments and the subscribers will share the cost, and therefore have a much lower price point.
Many CISOs I talk to are sick of performing third party risk assessments; it takes up valuable time, is expensive, and most importantly, pulls resources away from doing actual security work within the company. On the other hand service providers are also having a hard time keeping up with these assessments. A compliance manager at a large service provider estimated that they responded to over 300 audit requests in 2007, and that number would be around 400 in 2008. Thus, a service like this could potentially save millions of dollars for service providers and subscribers.
This article in GSN caught my attention on the proposed IT budget numbers released by OMB (Office of Management and Budgets). The 10% spending on cyber-security may seem surprising to some, especially when compared to an average 8% of IT spend in the commercial sector across North America and Europe. As many of us have seen stagnation in our security budgets, the US government has increased its cyber-security budget by a whopping 73% since 2004. The media has picked up on things such as DOT (Department of Transportation) more than doubling its budget while DHS (Department of Homeland Security) had less than a 5% increase, they don’t have their priorities right or that we should fund federal agencies based on how well they do on FISMA. These numbers may seem a little out of whack, but here is why I think the US government is headed in the right direction.
It is astounding, and in the words of Societe Generale's chairman and chief executive, Daniel Bouton “unbelievable” that a person could single-handedly circumvent the security of France’s second largest bank to cause so much damage. This event brings to bear what security professionals have been saying for years – focus on the insider threat. Mr. Kerviel cost the bank $7.2 billion by making huge unauthorized trades that he hid for months by allegedly hacking into the computers of the bank and creating fraudulent transactions to hide his tracks. The combined trading positions he built up totaled some €50 billion, or $73 billion. While this level of exposure going unnoticed boggles the mind, none of it could have happened without a fundamental failure of information security controls.
Here are ten lessons for us security folks to pass on to our executive teams.
Many financial indicators are pointing to a looming global recession. This means that companies will be tightening their belts and drastically cutting down on their discretionary spending. What does this mean for information security industry? And what can CISOs do to recession proof their security programs?
This means leaner security organizations (yes that means lay offs), significantly reduced spending on security consultants and contractors, and squeezing the most out of every buck that is spent for information security. This would also mean longer sales cycles for security vendors, cost taking precedence over functionality. From a CISO perspective, it means more justification for security budgets, begging other parts of the business to fund security projects, and pushing existing vendors to provide more for the same amount of dollars.
With CardSpace and Higgins being in nascant and almost non-existent market adoption mode, you may wonder what authentication features you want to be looking for when shopping online. Usernames and passwords are a thing of the past: you can safely assume that you will use a computer to log in which has a keylogger or trojan capturing your keystrokes, and with it your username and password.
Savvy customers are increasingly turning towards online retailers and financial institutions which provide at least some form of multi-factor authentication to protect against password theft. The following list gives a compass to consumers and vendors to navigate the misty waters of online transactions.
Smart cards / USB tokens (very costly, high level of security, great user inconvenience)
Hardware based solution that contains applications, PKI certificates used to authenticate to a site. These cards can include a magstripe for physical access management and RFID proximity sensors.
McAfee released their “Virtual Criminology Report” earlier this year and warned thatthere is a growing threat to national security, as cyber espionage becomes increasingly sophisticated, moving from simple network probes to well-funded, well-organized, and possibly government backed operations. The intent is not only financial gain, but also political or competitive gain.
Some other interesting news items have appeared in the recent past.
On 4 October 2007,The National Retail Federation (NRF) Chief Information Officer and Senior Vice President, David Hogan wrote a letter to the Payment Card Industry (PCI) Standards Council requesting that the card industry to stop requiring merchants to store complete card numbers.Currently, some merchants are required to keep credit card numbers for up to 18 months to satisfy card retrieval and dispute requests. The letter said, “"Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place." NRF proposes that credit card companies and their banks should provide merchants with the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt, rather than requiring merchants to keep the data for an extended amount of time.