May 2007
May 30, 2007
Guide to Database and File Security Made Available
RSA has released a freely available document entitled A Guide to Strategic Database and File Security. Registration is required, however.
The document includes a March 2007 Forrester Report Adopting an Enterprise Approach to Encryption, which normally sells for $279, and a pair of data sheets entitled "Data Sheet: Database Security Manager," which examines transparent, policy-driven data protection optimized for heterogeneous database environments, and "File Security Manager," which discusses centrally managed, transparent compromise prevention for critical files.
A podcast on "Total Enterprise Strategy for Data Encryption" is included, as is a review of key U.S. regulations related to encryption and security.
Posted by Jon Erickson at 03:20 PM Permalink
|
May 23, 2007
Video Surveillance Market Growing, Says Report
According to Frost & Sullivan's recent report North American Video Surveillance Software Markets, the market earned revenues of $139.76 million in 2006, and the firm estimates this will reach $826.65 million in 2013.
Driving the market in IP-based video surveillance are security concerns, lower-cost hardware, and the improved detection capabilities of video analytics software. Additionally, the ability to integrate various security systems is driving growth of the IP surveillance market.
"The convergence of security with the IT infrastructure is providing the necessary business case for security managers to shift from analog to IP surveillance," notes Frost & Sullivan Senior Research Analyst George C. Paul. "This convergence not only reduces the cost of deployment, but also helps build a unified database that can increase interaction among the various security systems."
Advanced compression techniques have improved image quality while lowering bandwidth requirements, thereby reducing the network cost to support IP cameras. In addition, the ease of integration with video analytics and low-cost server-based video management systems further demonstrates the advantages of IP surveillance. However, this convergence will not be easily achieved due to the differences in technologies between traditional security products and IP products.
In the past, live video feed was sent through coaxial cables and stored on a tape drive, or encoders would convert the feed and store it on digital video recorders (DVR). However, with the emergence of IP surveillance, video now transfers over transmission control protocol (TCP)/IP networks, and persons implementing these solutions must understand IT standards and technologies.
Posted by Jon Erickson at 10:04 AM Permalink
|
May 18, 2007
RFID Security Guidelines Released
If you're interested in security and RFID, then you'll also be interested in the National Institute of Standards and Technology's recently released Guidelines for Securing Radio Frequency Identification (RFID) Systems.
The 150-page document (NIST SP 800-98) provides an overview of RFID technology, the associated security and privacy risks, and recommended practices that will help organizations mitigate these risks, safeguard sensitive information, and protect the privacy of individuals.
It's actually very good and comprehensive. Congratulations to Tom Karygiannis, Bernard Eydt, Greg Barber, Lynn Bunn, and Ted Phillips, who wrote the document. It covers everything from technology overviews and applications to privacy issues and case studies.
Posted by Jon Erickson at 05:59 PM Permalink
|
May 09, 2007
Web 2.0 Security: What Me Worry?
Worried about Web 2.0 security? If so, you may be all by yourself, at least according to a recent survey by security firm Clearswift. What Clearswift found is that many organizations don't have a clue about what many of their employees are doing online, and way too many don't have adequate security policies in place.
For the most part, the survey focused on Web 2.0 social media sites -- blogs, forums, Web mail, instant messaging, social networking sites, podcasts, online video sites, wikis, photo sharing sites and Second Life -- and employees' use of them in the work environment. More specifically, Clearswift's research, which was conducted online earlier this year with a total sample size of 939 adults, found that:
- 34 percent of organizations don’t monitor employees’ use of the Internet.
- 51 percent of businesses don't know whether they've lost confidential information via social media outlets.
- 20 percent of IT and business decision-makers don't have a policy governing appropriate use of the internet, including social media sites.
- 20 percent of organizations do not allow blogging at work while 45 percent don't have a policy on it.
- 39 percent of IT and business decision-makers consider social media to be relevant to today's corporate environment, while 36 percent do not see social media as relevant to their businesses.
- 13 percent of organizations are not aware of social media and have no policy on it.
While most organizations do understand that 71 percent of their staff use Web mail, 62 percent use forums, and 56 percent use blogs, 36 percent of those surveyed do not see them as relevant to their business and have no plans to use them in the future.
While more than 73 percent of those surveyed felt that loss of confidential data was the number one security issue in terms of priority to the security of their organization, 51 percent are not aware if their company has ever lost confidential information through social media sites. The only security issue to rank higher than loss of confidential data was viruses/worms (77 percent), yet 96 percent of companies are already using anti-virus tools.
In addition to viruses, worms, and losing confidential data, other security issues that survey respondents consider "high importance" are spyware (54 percent) and pornography in the workplace (54 percent). At the bottom of the list of security issues in terms of priority were those related to social media, including security breaches via blogs and security breaches via forums, which were tied for last, edging out "employee time wasting" and security breaches via instant messaging, and security breaches via Web mail.
Posted by Jon Erickson at 05:05 PM Permalink
|
May 05, 2007
Findings of Security Audit Revealed
Promisec, a company that specializes in endpoint security management, has released the findings of an audit of 30 large organizations covering 193,000 corporate endpoints. According to the audit, data loss and illegal software introductions are the two largest threats, driven by the unauthorized connection of USB-attached mass storage devices.
Findings of the audit, which was conducted over the last 12 months, reveal that:
- 25,090 (13%) of the corporate PCs surveyed had unauthorized USB devices attached to them, opening the door to data loss and the opportunity for USB-borne viruses and malware to enter the corporate network.
- 7720 (4%) of corporate PCs had peer-to-peer (P2P) applications installed.
- 2895 (1.5%) of the corporate PCs did not have the latest Microsoft service packs.
- 3281 (1.7%) had anti-virus monitoring and remediation issues.
- 2316 (1.2%) of the 193,000 audited endpoints were without required third-party desktop security agents.
- 1582 (0.8%) of endpoints had unauthorized remote control software, and a lesser percentage had unauthorized and unprotected shareware.
Promisec bases its audit on information collected via its Promisec Spectator Professional software, which is installed on a single enterprise workstation. The software's ability to perform discovery and provide reporting across all corporate networks produces a detailed synopsis of processes, devices and other activities on the network that may be outside of corporate policy, revealing the current state of internal network security.
"Organizations are becoming more adept at identifying security threats to their external networks, but internal network security issues represent a substantial problem for businesses challenged with preventing loss of corporate IP and the infiltration of their networks by malware inadvertently introduced by employees and business partners," said Promisec's Amir Kotler. "The answer to this problem is first understanding the magnitude of it. The loss of internal financial data, customer lists and proprietary product details can be devastating while the introduction of malware can significantly slow down business efficiency -- all of which can be prevented by implementing a strong endpoint security strategy."
Posted by Jon Erickson at 11:43 AM Permalink