Permit/Deny Ziff Davis Enterprise

application security

April 1, 2008

Tuesday, April 01, 2008 5:05 PM/EST

Outsourcing access management?

I asked Adam Bosnian from privileged access management maker Cyber-Ark what sessions he thought would be interesting at RSA. He's going to the application security sessions. In years past, he's seen these sessions focus on application coding security tools to look for buffer overflows or other coding errors that could create a security risk. I'll also be interested to see if, because of SOA, app makers will focus on making apps while leveraging security products such as Cyber-Ark's newly announced Enterprise Password Vault 4.5 to take care of access management. This isn't the first time I've heard a security company talk about wanting to see app makers give over access management to a specialized company instead of building access management from scratch. And the features in the latest version of Enterprise Password Vault include a verification process that checks the stored password with the credential used on the target system...

December 27, 2007

Thursday, December 27, 2007 2:06 PM/EST

McAfee's Security Integration Play

Today I learned a bit more about the McAfee Security Innovation Alliance from Pinkesh Shah, senior director of product management for policy compliance and risk management. From the conversation I picked up on two important concepts that will likely be a recurring theme for security in 2008. The first is deeper integration of the products that make up McAfee's security suite and more integration through partnerships, which is where the McAfee SIA (Security Innovation Alliance) comes in. The second is security infrastructure consolidation. In 2008 I'm planning on a closer look at McAfee's SIA, which is similar to Check Point's Opsec program. One of the compelling things about an integration program is the obvious benefit of being able to integrate competitive products into the McAfee infrastructure. SIA was launched in Oct. 2007, so the first half of 2008 will be a critical time to watch what happens with the offering....

December 19, 2007

Wednesday, December 19, 2007 4:27 PM/EST

Anti-Malware Testing Working Group

The Anti-Malware Testing Working Group is a group of vendors and test organizations that plan to release methodologies for testing security products. Brian Prince, one of my news colleagues, has more on the story here. The question Brian asks, "Why has testing lagged so far behind the threat landscape?" is a good one, but one that's got an easy answer. It's very expensive to do this type of testing. In many ways it's like testing spam ... you have to have a fresh crop of malware every time you test, so it's practically impossible to repeat the tests. BAD (Behavioral Anomaly Detection) software, which is supposed to be superior to signature-based anti-malware systems because it can catch zero-day attacks, usually requires some type of user interaction (such as signing up for mail lists, interacting with a system or clicking on a call-to-action to activate the malware). At a recent Symantec security...

December 12, 2007

Wednesday, December 12, 2007 6:29 PM/EST

Security Reviewers Workshop

I attended a Symantec endpoint security reviewer workshop in San Francisco Dec. 11. These workshops are always an interesting mix of "head fixing" on the part of the workshop sponsor (Symantec is far from the only company that holds such events) combined with often feisty reviewers on the other side. Our wrangles yesterday ranged from what constitutes malware (does a piece of malware have to be active to be considered a threat?) to what constitutes a good test for false positives in a behavior analysis tool (Symantec says the minimum test harness configuration should include 500 legitimate applications to get a meaningful test of a behavior-based threat prevention tool.) We didn't spend that much time on virtualization except to say that some malware turns itself off if it detects a VM because virus makers know how much the security industry relies on VMs to expedite the testing and detection process....

December 10, 2007

Monday, December 10, 2007 6:03 PM/EST

Just find a hosting company with good security ...

For most small and midsize organizations, use the following formula to find a Web host provider: Price (where low is good and high is bad) divided by services (where more is better) equals "our decision." There are some nonintuitive factors that must now be brought into play to get the best hosting provider for your organization. But first, let me set the stage for this discussion with a real-life example. I'm on an e-mail thread started by Diane Steinhauser, the executive director of the TAM (Transportation Authority of Marin). This thread, along with several long phone calls that I've had with Diane, reveals that business leaders must also consider hosting security as part of the selection criteria. The problem is that there isn't an independent rating system or licensing body for Web host providers. Thus, picking a "good" hoster now also means asking a lot of questions about reputation and...

December 6, 2007

Thursday, December 06, 2007 3:16 PM/EST

Hand Over Your Credit Card

At a recent speaking engagement about PCI and SOX compliance, I asked the audience to get out their wallets and pull out their credit cards. Then I asked them to hand the card to the person on their right. Everyone got out their wallet. Nobody would hand over the card. The point of the exercise was to get everyone thinking about PCI (Payment Card Industry-Data Security Standard) in a personal way. You can read more about my take on PCI and SOX compliance in my article. The event was our Security Summit 2007....

November 13, 2007

Tuesday, November 13, 2007 7:40 PM/EST

Oracle 11g Security Improvements Discussed at OpenWorld

Vipin Samar, vice president of database security at Oracle, provided some candid information about when to use some of the new security features in Oracle Database 11g, which I reviewed in early October. In a session at Oracle's OpenWorld titled "Oracle Database 11g: Secure Your Data Transparently," Samar talked about how tablespace encryption now includes support for LOBs (Large Objects). He told the audience that if you have more than four or five sensitive columns in a table then the new tablespace encryption should likely be used. Tablespace encryption is also called for if you cannot identify all of the sensitive columns or if the sensitive columns change. It's reasonable to say that this is likely the case for applications that are used in different countries where data privacy laws may change. Depending on the size of the application and the type of data being processed, Samar said that TPC-C...

November 8, 2007

Thursday, November 08, 2007 2:02 PM/EST

More lessons from my lost and found Treo

When I thought I lost my (now found) Treo 650 mobile phone and all my personal data, I was a little panicked that I had put all of my data into the hands of a stranger. Several readers let me know about Butler, which has a facility to lock or erase data from a handheld after getting an SMS message with a predetermined code. Thanks for all the calls and letters! I was running an older version of Butler (a fantastic piece of software that I use every day to keep track of appointments). Lessons learned: 1. Be less aggressive in marking vendor e-mail about application upgrades as spam. It turns out that I really DID want the new features in Butler. And if I had been updating all along, I probably wouldn't have had to buy the product again to get the new features I wanted when I discovered...

October 31, 2007

Wednesday, October 31, 2007 2:09 PM/EST

Password-Protect Your Cell Phone--Learn from My Mistake

I got home last night, felt for my cell phone, a Treo 650 that I've had since 2005, and found only an empty holster. Crap. I immediately flashed back to when I probably lost it. I was sitting on the floor of the BART train because I wanted to talk with a friend, there weren't enough seats and, well, in San Francisco it's not THAT uncommon to see middle-aged professionals sitting on the carpeted floor of the train. My phone holster doesn't have a flap or cover and a few times in the past sitting or crouching has caused my phone to fall out of the case. No panic. I make a habit of regularly backing up my phone data. All my data was safe and sound in my home computer. And then the second wave of realization struck me and I was afraid. All of my personal data--more than...

September 21, 2007

Friday, September 21, 2007 5:50 PM/EST

SSNs Floating in the Ether: Citigroup Data Breach

Jaime Levy Pessin at Dow Jones Newswires reported today that Citigroup's ABN Amro Mortgage Group allowed a data breach that released the names, Social Security numbers and mortgage information of thousands of people. As Permit/Deny hits the wire, Citigroup public affairs had no comment on the story. According to Pessin's story, confirmed by Tiversa, the information was leaked by an employee of Citigroup's ABN Amro Mortgage Group unit onto the peer-to-peer file-sharing network LimeWire. I have a lab machine searching for the documents now even though the data was supposedly removed on Thursday, Sept. 20. By their nature, peer-to-peer networks make data out in the wild almost impossible to control. The problem could have been addressed by data control products I've reviewed and blogged about, including Vontu. As I've said before, the cash register at the local mom-and-pop store has more physical security than laptops and handheld devices that carry...