Cover Your Apps
5 Security Myths
By Jeremiah Grossman, VARBusiness
9:00 AM EDT Wed. Jul. 07
Like water, hackers take the path of least resistance. Today, this path leads over Secure Sockets Layer (SSL) to get past most corporate firewalls, where nothing exists between a hacker, a Web site and the information it holds. Using a browser and a few simple tricks, hackers can penetrate a Web site, access its credit-card database and make off with the goods unseen. With firewalls and patch management now being standard practices, the network perimeter has become increasingly secure. Determined to stay a step ahead, hackers have moved up the software stack, focusing on the Web site itself. According to a Gartner analyst, more than 70 percent of cyberattacks occur at the application layer. So what's a solution provider to do? To improve the security of the Web, you must dispel five widely held misconceptions.
1. "The Web site uses SSL, so it's secure."
SSL by itself does not secure a Web site. The tiny SSL lock symbol at the bottom of a Web browser indicates that the information sent to and from a site is encrypted. Nothing more. SSL does not protect the information stored on the site once it arrives. Many sites using strong 128-bit SSL have been hacked just the same as those that use none. In addition, SSL has nothing to do with how a user's private information is safeguarded. When private data is stored on the Web site, the risk is at the server, not in between.
The nuts and bolts of a security assessment
Opinion by Mark Perry, Symantec Corp.
JULY 08 (COMPUTERWORLD) - A year ago, the announcement of a patch for an operating system vulnerability preceded an attack by an average of 30 days. In May, the average vulnerability announcement-to-attack code propagation was less than 18 days. In other words, the attack-code propagation cycle was 60% faster than for the same period a year ago. This marks a dramatic change in the threat profile for corporations over the past year. Yet our response to these threats via policy, procedures, testing, monitoring and mitigation techniques in this same time frame has not seen the same 60% improvement.
One step that can immediately improve information security efficiency is to conduct routine security assessments. The real value of an assessment is not in vulnerability identification but in interpreting results that lead to the root cause of risks. The vast number of vulnerabilities identified in an assessment report can be mitigated with relatively minimal effort. Without an information security program in place, however, other vulnerabilities will surface and could spread within your organization's infrastructure. For this reason, root-cause analysis, when combined with a robust security program, will achieve the maximum return on your organization's information security investment.
The attack of the $2 million worm
By CNET News.com Staff
Internet-based business disruptions triggered by worms and viruses are costing companies an average of nearly $2 million in lost revenue per incident, market researcher Aberdeen said on Tuesday. Out of 162 companies contacted, 84 percent said their business operations have been disrupted and disabled by Internet security events during the last three years. Though the average rate of business operations disruption was one incident per year, about 15 percent of the surveyed companies said their operations had been halted and disabled more than seven times over a three-year period.
The portents for enterprises are alarming, given the increased use of the Internet for core business activities. About three-fourths of the companies contacted by Aberdeen indicated they are increasing online sales and customer service, 55 percent will do more procurement and sourcing through the Web, and 48 percent want to enhance online distribution and fulfillment activities.
"Increasing usage of the Internet for these core business functions means that business disruptions from Internet security can seriously impact a company's revenue,"
Could search sites spawn worms?
News Story by Joel Strauch
JUNE 30 (PC WORLD) - Worm attacks are bad enough by themselves, but some experts warn of an even more devastating variation: one that strikes at the application level instead of targeting network infrastructure, and spreads to Web sites through Web-based search engines. Essentially, a smart worm could crawl into the data gathered by a search engine to identify the most vulnerable sites and target them, say some security experts and analysts.
List of victims
"Search engines basically crawl Web sites and all their links and categorize them," says Shlomo Kramer, CEO and president of Imperva Inc., a Web application security company. Among the ways search site "bots" categorize sites is by their vulnerability.
"These vulnerabilities are indexed and saved in a very organized way and are available for anybody to access," Kramer says.
A worm could contain code to seek out those particular search engine lists. It wouldn't have to scan thousands, or tens of thousands, of pages to find its next target, Kramer says. The worm could just check the search engine's list of vulnerable sites, because every site on that list would be a good target.
VoIP hacks gut Caller I.D.
Implementation quirks in Voice over IP are making it easy for hackers to spoof Caller I.D., and to unmask blocked numbers.
By Kevin Poulsen, SecurityFocus Jul 6 1:54PM
Caller I.D. isn't what it used to be.
Hackers have discovered that the handy feature that tells you who's calling before you answer the phone is easily manipulated through weaknesses in Voice over IP (VoIP) programs and networks. They can make their phone calls appear to be from any number they want, and even pierce the veil of Caller I.D. blocking to unmask an anonymous phoner's unlisted number.
At root, the issue is one of what happens to a nugget of authentication data when it leaves the tightly-regulated realm of traditional telephony, and passes into the unregulated domain of the Internet.
On the old-fashioned phone network, Caller I.D. works this way: your local phone company or cell phone carrier sends your "Calling Party Number" (CPN) with every call, like a return address on an envelope. Transmitted along with your CPN is a privacy flag that tells the telephone switch at the receiving end of the call whether or not to share your number with the recipient: if you have blocking on your line, the phone company you're dialing into knows your number, but won't share it with the person you're calling.
Security strategies 'not working'
By Iain Scott, ITWeb
Posted: 12 July
Today's strategies to defend networks against viruses, worms and Trojan horses are not working, says Gary Middleton, IT security specialist at Dimension Data. Addressing the BMI-TechKnowledge/International Data Corporation African banking forum in Midrand last week, Middleton said there was a huge interest in how companies needed to comply with legislation and corporate governance requirements.
In auditing and risk management there was also a requirement to reduce business risk in order to comply with audit reports. Security was also key to customer confidence: the better the security, the higher the customer confidence.
The security market is growing, with a BMI-T survey showing that the market, worth almost R1.05 billion last year, would be worth R1.22 billion this year.
However, while network infrastructure was now more able to defend itself from attack, in 2002 the number of reported security vulnerabilities reached a record high, as did the number of reported security incidents. At the same time, security product spending is also reaching record levels.
“There's a huge increase in attacks and vulnerabilities, but also huge increases in spending. Something's wrong,” he said.
Vulnerabilities