Monday, August 30, 2010

Security and Risk Analysis Skills Becoming More Important

In an article in ITBusiness.ca, entitled "5 most sought-after IT skills of the future", the author points to the profile of contemporary computer users, observing that while users are increasingly tech savvy, they know nothing about security. At the same time, security risks, and particularly privacy risks, are growing.

As the article states, "Since we're spending more and more time online, verifying users' identities and protecting privacy will be big challenges by 2020, because fewer interactions will be face-to-face, more personal information may be available online, and new technologies could make it easier to impersonate people, according to a report by PricewaterhouseCoopers.

"Teleworkers will also represent a larger portion of the workforce, opening up a slew of corporate security risks.

"We're in a dangerous place," because many employees are tech-savvy, yet they "don't understand the first thing about data security," Foote explains. "That will change in 2020," when companies will cast an even wider net over data security -- including the data center, Internet connectivity and remote access, he predicts."

Accordingly, the article concludes that there will be major demand for security professionals in the future.

The article also names risk management as one of the areas that will be in high demand, for quite similar reasons, but also because of the growing impact of IT on general business risks.

You can check out the article at this site.

Friday, August 27, 2010

CloudAudit

Cloud computing has become a critical part of many systems, from all sorts of viewpoints. Risk and security have been a major concern, and they are gradually being addressed. The question of auditing cloud systems is being addressed in some quarters, but is well behind what is needed.

A new standards organization - cloudaudit.org - supported by some 250 organizations involved in the cloud, has begun to establish standards for cloud audits. While the standards so far are far from complete, there is now enough to work with, and some organizations have begun to do so. Here is an overview article on CloudAudit.

Thursday, August 26, 2010

Vulnerability Disclosures and Attacks Rise

A recent IBM report points out that vulnerability disclosures have increased during the past year, as have certain kinds of attacks. Obfuscated attacks, which allow malicious code to be hidden, are up 52%. Web apps account for 55% of the disclosed vulnerabilities. For a write-up on the report, see this article.

Monday, August 23, 2010

Leveraging a Maturity Model to Achieve Proactive Compliance

This is a very thorough white paper by Symantec - timely and comprehensive. Here is an excerpt from the introduction:

This paper examines how organizations can use a Capability Maturity Model to help achieve proactive compliance. It explores how an organization can move from the lower levels of the model, where the focus is typically on process alignment and mechanisms for assessing risk, to the higher levels where the needs of CIOs, CISOs and Compliance Managers are met through a combined focus on system availability, data security and compliance. Drawing on recent research from the IT Policy Compliance Group, the benefits of such operational excellence are quantified. Each level of the Capability Maturity Model is described, including recommendations for moving up to the next level. Guidelines are also provided for solutions to be adopted at each level in support of these recommendations. Finally, this paper highlights how one Fortune 500 company realized significant cost-savings in the areas of audit scoping, preparation and testing as it moved towards adopting a truly proactive approach to compliance.

To download the paper, follow this link.

Friday, August 20, 2010

Security Concerns are Hampering Mobile Commerce

KPMG has released their annual survey on mobile commerce, which this year shows that only 19% of the people surveyed are comfortable using their mobile devices to purchase goods. The survey covered 300 people and found that only 8% actually use their phones to purchase goods. Interestingly, the survey found that older people are less concerned about security, but they also use fewer mobile applications.

Security of mobile devices is a constant concern of systems administrators and IS auditors as well.

Here's a write-up on the KPMG survey.

Wednesday, August 18, 2010

ISACA e-Symposium: Security, Privacy and eSecurity in the Cloud

Join ISACA on 24 August 2010, 11:00AM - 2:00PM EDT / 15:00 - 18:00 UTC, for the opportunity to earn up to 3 FREE CPE hours.

At this month's live e-Symposium we will be exploring security and privacy in the cloud, and discussing the IT and legal requirements for reviewing electronic data. Join us on Tuesday, 24 August to have all your questions answered by our experts, and hear them talk about relevant issues surrounding cloud computing at an exclusive round-table discussion following their presentations. For a complete program overview and to register, please click here.

e-Symposium Frequently Asked Questions (FAQs)

All live events are archived for on demand viewing. Detailed information on the ISACA e-Symposium—including registration information, on-demand (archive) viewing instructions, and an explanation of CPE credits—can be found by visiting the ISACA webcasts page and clicking on the "FAQ" link located in the left navigation pane.

If you are interested in presenting at a future e-symposium, sponsoring an e-symposium, or if you have suggestions for e-symposia topics, please contact us.

We hope you join us on 24 August for this FREE educational event!

Making VOIP Secure

VOIP has taken off in recent years as a communications technology, but the means of securing it have had trouble keeping up. VOIP has known weaknesses, related to such aspects as buffer overflows and packet header issues, so securing a VOIP application can be important to an organization.

This link sets out nine different steps that can be taken to secure VOIP. The article also offers an excellent overview of the vulnerabilities of VOIP and how to address them.

Monday, August 16, 2010

Report Criticizes U.S. Network Security Abilities

"The Homeland Security Department's inspector general has issued a report that criticizes the U.S. Computer Emergency Readiness Team, saying the agency must share information about threats and trends more quickly and in greater detail with other federal departments so they can better protect themselves from a cyberattack."

Cyber Security has become a priority of the Obama administration in the face of ramped-up activity by foreign governments and organized crime. This report will be taken seriously as a base on which to build a stronger security infrastructure. For more, click this link.

Friday, August 13, 2010

It's Not Just Printers That Pose a Risk

Recently, we ran a post pointing to the ever-present risk posed by printers attached to a system. While long a concern, this risk has grown along with the memory capacity and processing capability of printers.

But a recent interview with an expert points out that printers are not the only concern. "Network-attached peripherals include postage machines, UPS (Uninterruptible Power Supply) systems, Point-of-Sales systems, digital signs, security cameras, proximity readers, facility management systems, power, lighting, HVAC, and alarms."

Read more on InformationWeek.

Wednesday, August 11, 2010

Virtualization Carries its Risks

A common strategy for many organizations has been to virtualize their servers, creating servers that are not tied to a particular piece of hardware. Virtualization provides a measure of flexibility and scalability, but it also carries risks that need to be managed. For example, server administration software can allow a single administrator to create new servers, so a company could lose control even of the number of servers it is running. Also, while virtual servers are not tied to particular hardware, they are in fact resident on some hardware somewhere, and the question is whether that hardware is secure.

Questions like these need to be addressed when managing the control environment for virtual servers. This article provides a good summary of the issues.

Tuesday, August 10, 2010

Outsourcing Security Requires Careful Thought

Companies are outsourcing all kinds of applications, and of necessity they need to outsource some of the security that goes with them. Deciding which security services can be outsourced requires careful thought; those that require constant servicing or updating, for example, may be better kept in-house.

For a thoughtful overview of this issue, check out this article.

Thursday, August 5, 2010

Data Retention Policies - A Dichotomy

An interesting statistic emerged from a recent Symantec study, based on a June 2010 survey of 1,680 senior IT and legal executives in 26 countries, conducted by Applied Research. A key finding was that 87% of the executives felt they should have a data retention policy, but only 46% of them actually had one. Given the importance of data retention in these litigious times, that's amazing. One might assume that the executives are being hindered in doing what they think is right, either by budgets or by corporate policies. Too bad. Data retention is critical to an organization today, and a lack of appropriate policies will be costly in the long run. For a run-down on the study, see this link.