This is an exceedingly useful article from IT Security. For the past couple of decades, security professionals and those trying to push various forms of malware have played a high-stakes game of cat and mouse. Consequently, many approaches to data security have emerged, each protecting against one strain of vulnerability. This complex mosaic of solutions means that one security tool can overlap with another. One layer up are approaches — such as network access control (NAC) — that federate the localized products into a more comprehensive offering.
The article attempts to make some sense of this highly fragmented environment; it poses nine questions that those in charge of security should pose to vendors, integrators or other experts. The writer doesn’t advocate a particular approach. Rather, he is laying out the first step in suggesting to businesses how they can find out how the various approaches available (for instance, white listing, access control programs and behavior-blocking) can be harnessed in a flexible and efficient manner. The piece describes what each does and whether one makes another unnecessary.
The story offers no answers. Its usefulness is in helping those charged with protecting organizational data — but perhaps untrained in the niceties of security — to start organizing their thinking.
Thursday, 6 March 2008
Over Here or Over There, Server Protection Is Key
This distressing story from Government Computer News focuses on government servers, but there seems to be no reason to assume what is happening isn’t a danger to corporate servers as well.
Tools available to Internet browsers, the writer points out, are becoming more adept at identifying questionable Web sites and stopping phishing attempts. That’s great. But it’s also true that the malware community is clever and never at a loss for what to do. Its response, according to the story and the Symantec release upon which it is based, is to find loosely protected government servers and use them to host phishing sites that attack that government.
It doesn’t sound like it’s all that hard, either. At least some of the servers used by a government will be lightly protected. It’s also particularly dangerous, since the superimposition of the fake site on a real server makes it seem legitimate.
So far, according to Symantec information, the hackers aren’t using the .gov domain name in the United States. But this approach has been seen on servers in 12 nations (Thailand, Indonesia, Hungary, Bangladesh, Argentina, Sri Lanka, Ukraine, China, Brazil, Bosnia-Herzegovina, Colombia and Malaysia). It seems like only a matter of time before it is attempted here.
Pfizer, Kingston Breaches Show Notification Shortcomings
Legal requirements mandating notifications of employees or customers if their data is exposed are an understandably unpleasant corporate task. No matter why the data disappeared, the organization’s image is clipped a bit with every notification it sends out.
This Computerworld story implies that Pfizer Inc. and Kingston Technology Co. had trouble facing the music and delayed letting those potentially impacted know what was going on — until it was likely too late to do anything about it.
The story says Pfizer’s lawyers informed Connecticut Attorney General Richard Blumenthal that a breach impacting about 17,000 employees occurred on April 18, but notifications weren’t made until about six weeks later. The time gap in the Kingston situation was far greater. Earlier this month, the company began informing 27,000 online customers of a potential compromise in September 2005.
Keep an Eye on Subcontractors
Tim Wilson, the site editor for Dark Reading, points out that there has been a spate of high-profile incidents in which companies compromised partners’ data.
IndyStar.com reports that names, addresses, Social Security numbers and other data of 51,000 patients of St. Vincent Indianapolis Hospital were made vulnerable by Verus, a firm that was working on a medical billing site for the institution.
Verus was implicated in another recent incident. In New Hampshire, personal records of more than 9,000 Concord Hospital patients were viewed eight times while they were posted on the Internet for a month-and-a-half. In a Concord Monitor report, the institution’s president and CEO says a search to replace Verus is under way and that a decision hadn’t been made on whether to sue the company.
In some cases, the loss clearly was not accidental. In May, an employee for Alta Resources, a company that fulfills orders for the Disney Movie Club, stole sensitive data — including credit card numbers — of customers. Disney would not comment to InfoWorld, but a letter reportedly sent to victims by a vice president said that the employee tried to sell the information to law enforcement authorities.
UTMs Make Sense for SMBs and, Increasingly, for Enterprises
This PC Magazine piece looks at four products that are aimed at protecting small and medium-sized businesses (SMBs). The fact that three of them are members of the unified threat management (UTM) family may or may not be a coincidence. The reality is that this sector is hot.
The writer looks at the Astaro Security Gateway 120 (verdict: potent features, confusing configuration, high price); the eSoft InstaGate 404e (easy to use, powerful, lets too much malware through, expensive); and the SonicWALL TZ 180 Wireless TotalSecure 25 (great installation and configuration, good wired and wireless security, not too flexible, low price). Each capsule links to longer reviews. The non-UTM piece of equipment described is the Trend Micro InterScan Gateway Security Appliance 1.5.
Like network access control (NAC), UTM is attractive in its ability to cut complexity and cost by teaming discrete security products in a common framework. Th
The Roiling Security Sector: M&As, R&D and Moving Targets
This interesting ZDNet blog reports on a recent Symantec analysts’ call. Larry Dignan cuts through a lot of the corporate-speak from the security vendor’s COO to get to the main point: The company’s approach of dumping a lot of different security products into big packages may become less effective as a new generation of specialized new devices — smartphones, mostly — find themselves in crackers’ cross hairs. The bottom line is that this new reality may lead to more acquisitions. Dignan points out that Symantec recently purchased Altiris and Vontu.
There is nothing new about entrepreneurial firms in security (or elsewhere) being snapped up by bigger companies. The issue of comparative merits and the tensions between internal research and development and industry consolidation is part of this wide-ranging InfoWorld Q & A roundtable with the CEOs of McAfee and Symantec.
Disney will produce animated TV for Japan
TOKYO — Entertainment giant Walt Disney will team up with several Japanese companies to produce animation for television in Japan, a leading market, a Disney official said Thursday.
Disney will work with Toei Animation Co., Madhouse Co. and Jinni's Animation Studios, said the official, speaking on condition of anonymity to comply with company rules.
The move was aimed at localizing contents of Disney products for a wider audience, she said.
"We need to make contents which fit the Japanese market to further boost the popularity of Disney in Japan," she said.
With Madhouse, Disney will produce a 30-minute TV program Stitch!, an offspring of the Lilo & Stitch series, to be aired in Japan, the official said, adding that the company has not decided when the show will go on air.
A Japanese girl named Hanako will play Stitch's sidekick in the new show and the imaginary story will take place in a southern Japanese island, instead of in Hawaii as in the original, the company said in a statement.
With Jinni, Disney will make a short animation Fireball, which will go on air in April on Disney's cable channel and Tokyo Metropolitan Television, according to the official.
Disney will produce a short animation Robodz for television with Toei Animation, expected to be aired in June, she said.
Bill Miller fights back
(Fortune Magazine) -- It's been a rough couple of years for Bill Miller. His $16.5 billion mutual fund, Legg Mason Value Trust, just turned in its worst two-year performance relative to the S&P 500 since 1990, trailing the index by ten percentage points in 2006 and by 12 last year. That would be a poor stretch by any standard, but it's even worse by Miller's own: Until 2006 his value-oriented fund outperformed the index every calendar year for an astounding decade and a half (see "The Man Who's Beaten the Market 15 Years Running," Nov. 27, 2006).
With relatively few stocks in the portfolio - fewer than 50 at present - Value Trust (LMVRX) has long been one of the most volatile funds in its category. But investors aren't used to seeing Miller lose, and they pulled more than $3 billion out of the fund in 2007, according to Financial Research Corp. Based on its expense ratio of 1.7%, that adds up to a $50 million annual drop in revenues from fees.
The loss of confidence in Value Trust reverberates loudly through Legg Mason (LM). Miller is not just the firm's star fund manager but also chairman and chief investment officer of its $59.6 billion equity investing group, Legg Mason Capital Management. And the stumble by its flagship fund has come at a particularly tough time for Legg. In January it finally completed a drawn-out CEO search to replace co-founder Raymond "Chip" Mason. Last quarter it had to take a $23 million charge related to asset-backed securities in its money market funds. And its stock has fallen 30% over the past year, way underperforming its peers. The Baltimore investing house could use a Miller comeback, and soon.
Don't count Blockbuster out
NEW YORK (Fortune) -- Blockbuster Inc. is like a slasher-flick villain that just won't die. In spite of what appear to be deep and devastating blows to its business - the rise of Netflix and mail-order movie rentals, in-home use of DVRs and video-on-demand via cable, and Apple's recent introduction of online film rentals - Blockbuster adapts and lumbers onward.
Part of that adaptation was evident this morning, when Blockbuster (BBI, Fortune 500) announced that its fourth quarter profit grew nearly 360 percent, thanks to aggressive cost cutting and the repositioning of some of its subscription offerings. The movie rental and retail company's quarterly earnings grew from $8.3 million (or 4 cents per share) in the last three months of its 2006 fiscal year to $38.1 million (or 18 cents per share) in the quarter just ended. The company said revenue increased 4 percent compared to the same period a year ago, to $1.44 billion.
Blockbuster shares were up as much as 3.4 percent in morning trading. But by noon, shares had settled about 1.3 percent below this morning's $3.25 opening price.
The Dallas, Texas-based movie rental and retail company operates over 6,000 stores in the United States and around the world. In recent years, the business has undergone a transformation, expanding its offerings beyond in-store VHS, DVD, and video game rentals. The company now operates a combination mail-order and online movie rental business, which has been further enhanced by the company's acquisition of Movielink last August.
RecordMyCalls.com makes call-recording easy but pricey
This call may be monitored for quality assurance.
It has a familiar ring. But given the exasperating encounters many of us have after hearing those words, you may wish you were the one monitoring the exchange.
RecordMyCalls.com permits you to do just that, without installing software or requiring you to get one of those cheap suction-cup microphones, much less more-elaborate telephone recording equipment.
The aptly named Web service is aimed at any consumer or business person who has ever felt compelled to record conversations, if only to save voice mails for posterity, or avoid disputes with insurance companies, airline agents, contractors, brokers, even former spouses. Potential customers include attorneys, day traders and journalists.
You play back recorded calls on your PC or Mac. And your recordings are logged and stored online. (Recorded files are encrypted.)
Weird Science: Using Quantum Mechanics to Bolster Security
One of the strangest and most counter-intuitive areas in science is quantum mechanics. Even scientists think it is weird. Nobel prize-winning physicist Niels Bohr famously commented that “[i]f quantum mechanics hasn’t profoundly shocked you, you haven’t understood it yet.” Albert Einstein, whose discoveries on the dual packet- and wave-nature of light are key building blocks of quantum science, dismissed it with the even more famous line that “God does not play dice with the universe.”
None of that means that it isn’t potentially useful. For years, scientists have understood that certain things about quantum mechanics make them good candidates for security tasks. A couple of recent stories suggest that quantum tools may be coming closer to reality.
This Dr. Dobbs Portal posting describes — in mercifully general terms — research by the National Institute of Standards and Technology (NIST) on efforts to create quantum key distribution (QKD) systems. Keys are the codes that allow encrypted data to be restored to its original form. Researchers have long sought foolproof ways of distributing the keys.
Quantum approaches may be just what the Ph.D.s ordered. One characteristic of quantum science is that it is impossible to measure things without altering them. The benefit of QKD, therefore, is that bells and whistles will go off if a third party — a criminal — tries to read the private key. The story details efforts to build practical QKD systems that are usable with current telecommunications gear and otherwise are efficient enough to make them viable. The Chinese government also is working on QKD systems.
Corporate iPhone to challenge the BlackBerry
(Fortune) -- As anticipated, Apple announced a series of software developments Thursday to make the iPhone more useful to business customers while venture capital firm Kleiner Perkins Caufield & Byers said it is starting a $100 million "iFund" to finance startups developing applications for the iPhone.
Speaking at the company's town hall session in Cupertino, Calif., CEO Steve Jobs took direct aim at smartphone rival Research in Motion (RIMM) with the introduction of a plan to have the iPhone sync with office desktops.
The plan, according to iPhone enterprise chief Phil Schiller, is to license software that allows the device to work on Microsoft's Exchange platform for so-called push email as well as calendar and contact syncing.
Schiller explained that the business-user targeted iPhone will have network and information security features similar to BlackBerry devices in conjunction with Cisco (CSCO, Fortune 500). This would allow users and IT departments to perform similar functions that the BlackBerry does like swiping clean the devices if they are lost or stolen.
Corporate Mission: Protect Home WLANs
Protecting home wireless networks doesn’t seem like it would be a big concern for corporations. But it is, for both direct and indirect reasons.
The direct reason is simple: A lot of businesses — through both telecommuters and small offices/home offices (SOHO) — use home Wi-Fis. On the telecommuter side, PCs usually are linked in some way to corporate databases, so an insecure home network potentially provides a free pass through a company’s firewall.
Indirectly, insecure consumer networks and equipment are “attack vectors,” which is the jargony name security folks use to describe vulnerable spots that invite bad guys. Even more indirectly, insecure consumer networks generally degrade the Internet, which is a bad thing for every honest company using it to advance its business.
There are two initiatives mentioned in this Wi-Fi Planet piece. In California, Gov. Schwarzenegger has signed into law legislation that in a year will require home networking gear to carry warnings about the dangers of insecure access. The piece also discusses an initiative by the Wi-Fi Alliance to make it easier for customers to turn their security on.
Virtualization and Security: No Simple Answers
The security of virtualized environments is getting a lot of attention because VMware, a leading vendor in the sector, had a nasty encounter with some bugs last week. The issue, described at Network World and elsewhere, centers on flaws in the company’s Dynamic Host Configuration Protocol (DHCP) that could give an intruder control of the machine. The three DHCP flaws and a fourth, uncovered by McAfee, all have been patched.
This Help Net Security story says there are eight steps an enterprise should take to protect its virtualized environments. IT departments should make sure vendors fully support applications running within this structure; update security policies and procedures appropriately; make sure the host machine is secure; use strong access control to make necessary changes to incident response and forensics plans.
Also, the machines should exist on a “virtual DMZ” that enables communications between the disparate virtualized elements; update and upgrade network intrusion detection and prevention protection in a manner appropriate for virtualized environments and make necessary changes for incident response.
Pollution Battle Waged On Capitol Hill
(AP) Big industries are waging an intense lobbying effort to block new, tougher limits on air pollution that is blamed for hundreds of heart attacks, deaths and cases of asthma, bronchitis and other breathing problems.
The Environmental Protection Agency is to decide within weeks whether to reduce the allowable amount of ozone - commonly referred to as smog - in the air.
A tougher standard would require hundreds of counties across the country to find new ways to reduce smog-causing emissions of nitrogen oxides and chemical compounds from tailpipes and smokestacks.
Groups representing manufacturers, automakers, electric utilities, grocers and cement makers met with White House officials recently in a last-ditch effort to keep the health standard unchanged. They argued that tightening it would be costly and harm the economy in areas that will have to find additional air pollution controls.
Oil and chemical companies also have pressed their case for leaving the current requirements alone in meetings on Capitol Hill and with the Bush administration. A dozen senators and the Agriculture Department urged EPA not to tamper with the existing standard.
Online Banking Grows, But Security Concerns Continue to Accrue
Customers of HSBC, Bank of America and Washington Mutual may want to think twice about banking online. Quickly. The three banks are identified in a study by a researcher at UC Berkeley’s Boalt School of Law as the most victimized by identity theft.
CNet, which links to the study, says that researcher Chris Hoofnagle used numbers received under a Freedom of Information Act request. He ran the numbers from three randomly chosen months in 2006. The results were that HSBC had 21 incidents per billion of dollars on deposit, BoA had 17 and WaMu 16. ING was the most secure, with a lone incident per billion on deposit, the study said.
The story says that the findings dovetail with a 2007 report from Cambridge University that said BoA and WaMu phishing sites usually stayed afloat for more than 100 hours, while Chase and PayPal generally got such sites taken down in less than two days.
SaaS and Security are Perfect Together
Earlier this week, eWeek reported that Webroot is moving further into the software-as-a-service (SaaS) sector. The report says that during the next couple of months, the firm will expand its SaaS efforts from e-mail to Web security in the small- and medium-size business (SMB) sector. Data heading toward clients via Web surfing requests will take a brief detour to Webroot, where it will be scanned for viruses, spyware, and phishing and will have its URLs filtered.
This is a good move. SaaS and security go together perfectly. In general, SaaS provides companies with expertise that they lack. This has particularly strong potential in the security sector, where new threats and new approaches to thwarting those threats proliferate at a dizzying rate. It’s hard for security pros to keep up, much less firms with undermanned and overworked IT departments — or no IT department at all.
Security is being delivered in a growing number of ways. This InfoWorld article says that the concept of SaaS security is being validated by heavy hitters such as McAfee, Symantec and Trend Micro. However, SaaS is not a good method to deliver all types of security. For instance, the nature of intrusion detection systems (IDS) always will require some on-site equipment. Other security measures, such as exploit prevention and compliance monitoring, will increasingly be done by outsiders.