By Robert Mullins
Network World

I was astonished when Mike Dausin of security provider HP TippingPoint briefed me on a new state of network security report and explained how much more sophisticated writers of malicious code had become. Their code is much cleaner than it had been in years past and that recently, some updated versions of this code had actually come with release notes.

“When you think about code having release notes, that implies a level of maturity that just wasn’t there before,” said Dausin, manager of advance security intelligence for TippingPoint, whose DVLabs unit conducts research into network vulnerabilities and helped produce “The Top Cyber Security Risks Report,” which was published today.

Read more: Click to access the related article.

The PCI Data Security Standard mandates foundational controls, most of which are information security best practices. It is a one-size-fits-all standard meant to address all business and technological environments that store, process or transmit payment card data. Minimum compliance with PCI standards may not adequately protect card data. Therefore, it is necessary to conduct a risk assessment in accordance with PCI requirements.

Read more: Click to access the related article.

Re: State Security Breach Laws

This memorandum summarizes state legislation requiring notification to consumers of unauthorized disclosures of their personal information. To date, forty-six states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted legislation addressing security breaches. Most recently, Mississippi enacted security breach legislation, and Washington amended its law.

Read more: Click to access the Memorandum and the Security Breach Chart.

Read more: Click to access the related article.

By Kelly Jackson Higgins
DarkReading

Among the unsettling results in the final report, released today, from the Social Engineering Capture The Flag contest held in August at Defcon: Security companies were just as susceptible to social engineering as nontechnology firms, Internet Explorer 6 was still in use at 65 percent of the Fortune 500 companies targeted in the contest, and nearly 90 percent of the targets willingly opened a URL that the contestants gave them.

The contest, in which the art of social engineering was demonstrated on a rare public stage using real-world targets, was aimed at gauging the vulnerability of major corporations to social engineering. And the 17 contestants, who had to compile a dossier of as much information as they could gather passively on their assigned target company beforehand (no phone calls, email, or direct contact), had little trouble scoring information in the 25 minutes they had to social-engineer someone on the other end of the telephone line during the contest. The event was open to Defcon attendees to watch as the contestants made their calls from a soundproof booth.

Read more: Click to access the related article.

The importance of information sharing for the Critical Information Infrastructure Protection –CIIP-is widely acknowledged by policy-makers, technical and practitioner communities alike. The Agency has researched peer-to-peer groups, e.g. Information Exchanges (IEs) and Information Sharing Analysis Centres (ISACs). The report identifies the most important barriers and incentives in day-to-day practice in IEs and ISACs for CIIP. This research differs from other reports by being focused on the practitioners’ experiences. The material stems from three sources, literature analysis, interviews, and a two-round ‘Delphi’ exercise with security professionals. The report is launched in conjunction with the NIS Summer School, taking place 13-17 September, in Crete.

Read more: Click to access the related article.

For an enterprise concerned about security, which most are, addressing the risks posed by threats hidden within encrypted SSL traffic is clearly not something that can be ignored. If SSL were being used for no purpose, then the problem could be solved by simply avoiding or preventing the use of SSL. However, the reality is that SSL is used to provide much-needed security for a wide range of network applications.

Today, most enterprises have a number of network security appliances that provide protection against attacks aimed at enterprise computing resources, as well as prevent the loss of sensitive enterprise data due to deliberate or unintentional leakage. These security appliances work by matching network traffic with threat signatures or tracking application state as a means to detect suspicious behavior.

Read more: Click to access the related article.

By Robert Lemos, Contributing Writer
DarkReading

The recently revealed abuse of insiders’ system privileges to commit fraud at Sprint could be a wake-up call for other enterprises to implement more stringent security practices, experts said this week.

Last week, nine Sprint employees were charged with misusing their access to the telecommunications giant’s systems to redirect phone charges to other customers by “cloning” their cell phones — to the tune of more than $15 million in fraudulent charges in the first six months of this year.

Read more: Click to access the related article.

By Jeff Bertolucci
PC World

A new study by security vendor Symantec reports that Internet crime has grown into a widespread problem globally. It also provides intriguing insights into consumers’ lax attitudes toward online piracy, plagiarism, and other illegally or unethical activities.

Some 7,000 adults in 14 nations participated in the Norton Cybercrime Report: The Human Impact, which was released Wednesday.

Read more: Click to access the related article.

“Our dependence on all things cyber as a society is now inestimably irreversible and irreversibly inestimable.”

Yeah, I had to re-read that line a few times, too. Which is probably why I’ve put off posting a note here about the article from which the above quote was taken, a thought-provoking essay in the Harvard National Security Journal by Dan Geer, chief information security philosopher officer for In-Q-Tel, the not-for-profit venture capital arm of the Central Intelligence Agency.

Read more: Click to access the related article.

In Cyber War: The Next Threat to National Security and What to Do About It, you write about how vulnerable America is to electronic attack. Is it possible to create an effective deterrence policy against cyberwar, as was done for nuclear war?

That doesn’t work in cyberspace for lots of reasons. In the nuclear era, there were more than 2,000 tests worldwide. Nations demonstrated they could do damage. It’s hard to demonstrate cyberweapons in advance. In a nuclear war, you see missiles. In cyberwar, it’s not clear who’s attacking. People can pretend to be other people.

Read more: Click to access the related article.

By Ericka Chickowski
DarkReading

With Visa releasing its tokenization best practices guide earlier this summer, security professionals and encryption vendors have debated the strengths and weaknesses of the guide. As one of the most debated topics in encryption-land, tokenization still has a long way to go before it achieves any kind of true standardization of best practices.

Read more: Click to access the related article.

IBM’s X-Force security team reported that thousands of known Web app security threats remained unpatched during the first half of 2010. What’s more disturbing is the researchers’ observation that because most Web apps are custom developed — and their vulnerabilities may never be publicly disclosed — the real extent of the problem is likely much larger than enterprises suspect.

During the first half of 2010, more than 4,300 new disclosures of software security issues came to light. That’s according to the mid-year report issued by IBM’s (NYSE: IBM) special X-Force security research team. What’s perhaps a bit more disturbing is how many of those vulnerabilities remain unfixed.

Read more: Click to access the related article.

By Kelly Jackson Higgins
DarkReading

Covert and obfuscated attacks on organizations have increased by more than 50 percent in the past year worldwide, according to newly released report by IBM’s X-Force research team.

The new IBM X-Force 2010 Mid-Year Trend and Risk Report also found that the total number of new vulnerabilities disclosed had increased 36 percent over the same period last year, to 4,396 for the first half of ’10. And 55 percent of these bugs had not been fixed by the end of the first half.

Read more: Click to access the related article.

By Richard Power
CSO Online

All around the world, governments declare they are gearing up for cyber war. I know, I know, to anyone who has been at this for any significant length of time, many of the news stories we are reading today could have, or should have, been written a decade ago, or more. The term “Cyber war” seems to be on everyone’s lips again. (Cue the theme music for “Groundhog Day” – again!) In one way, it is hard to take it seriously anymore; in another way, it is incredible that so many governments sound like they are just getting started, again. Nevertheless, even though the chest-beating seems to be a redux, and much of the blustering rhetoric seems to be recycled, the reality on the virtual ground in cyber space is that the capabilities (the offensive ones, at least) have evolved over the last decade, and so have the opportunities. Furthermore, the appetite to use them seems to have grown apace.

Read more: Click to access the related article.

By Jeremy Kirk
Network World

A majority of security software suites still fail to detect attacks on PCs even after the style of attack has been known for some time, underscoring how cybercriminals still have the upper hand.

NSS Labs, which conducts tests of security software suites, tested how security packages from 10 major companies detect so-called “client-side exploits.” In such incidents a hacker attacks a vulnerability in software such as Web browsers, browser plug-ins or desktop applications such as Adobe Acrobat and Flash.

Read more: Click to access the related article.

By John Sawyer, Contributing Writer
DarkReading

Insider attacks might have doubled during the past year, according to new case data from the U.S. Secret Service included in the recent Verizon Data Breach Investigations Report, but external attacks are still the major threat and account for the most records stolen — indicating companies still are not securing their networks and data properly.

Proactive security controls and secure network design can play an important part in preventing attacks both from the inside and outside. Unfortunately, without proper network segmentation and access control, once the attacker gains access to the victim’s internal network, it’s often game over: Sensitive servers are sitting there, just waiting to be pillaged.

Read more: Click to access the related article.

By Greg Machler
CSO Online

As an executive, do you ever get worried wondering if your corporate brand is properly protected from a lack of technological integrity? Corporations today have sensitive HR data, financial data, and often consumer data. If this data is compromised, often the outside world finds out about it, lawsuits are initiated and the corporate brand is tarnished. This could lead to consumers thinking twice about purchasing your products or services.

Read more: Click to access the related article.

WASHINGTON — Looking ahead to the next major global conflict, the more appropriate question might be to ask whether the United States will be able to defend against a major cyberattack, rather than if one will occur.

Students of information warfare point out that physical attacks rarely, if ever, transpire any longer without a cyber component, and that assaults on digital systems such as the electrical grid or telecommunications networks are quickly becoming the face of modern combat.

“This revolution is so profound that the whole history of warfare is now going to look very different,” said Scott Borg, director of the U.S. Cyber Consequences Unit, a nonprofit group that works closely with the government to evaluate the effects of potential cyberattacks. (“It’s our job to figure out how to destroy America and its allies,” Borg says of his organization.)

Read more: Click to access the related article.

If your business manages personal information about health or finances, a security breach can cost millions. HITECH and other regulations not only apply fines, but they require disclosure and notification of those affected. In some cases, companies must pay for free credit reports too. These costs can range from $80 to $200 per compromised record. The problem for many companies is the sheer volume of information that can be compromised in a single breach. If you lose 5,000, 50,000 or 500,000 records, the math may mean bankruptcy. Fortunately, you can now get insurance to cover these risks.

Read more: Click to access the related article.