Wednesday, February 23, 2011

Enterprise Security Spending Trends - Security - News & Reviews - eWeek.com - eWeek Mobile

This eWeek post indicates that security spending is trending toward cloud and mobile security.

http://mobile.eweek.com/c/a/Security/Enterprise-Security-Spending-Trends-601104/

From Android to the iPhone, Security Vendors Target Mobile Devices - Security - News & Reviews - eWeek.com - eWeek Mobile

http://mobile.eweek.com/c/a/Security/From-Android-to-the-iPhone-Security-Vendors-Target-Mobile-Devices-198446/

Windows Loses Hacker Star Status In Next Decade


The next decade will see Microsoft lose its grip as the most-used and most attacked platform, as a new generation of hackers and cybercriminals diversify, launching attacks on a growing population of mobile devices and computers that run operating systems other than Windows, according to Kaspersky Lab's 2020 cybercrime outlook.

The Kaspersky Labs forecast is based on an analysis of emerging trends in personal computers, mobile phones, and operating systems, as well as on observed changes in the network security ecosystem over the last ten years, the company said. Going into the second decade of the 21st century, the computer crime landscape will be shaped by the increasing mobility and miniaturization of devices, the transformation of virus writing into the cybercrime sphere, and the emergence of social networks, search engines, and Internet commerce.

Though it will lose its near monopoly of the operating system market, Microsoft's Windows is likely to remain the most popular business platform in the next decade, and a top target for cyber criminals and hackers. However, where cybercriminals have long banked on Windows' ubiquity in designing their attacks, the threat landscape in a world of competing operating systems will be such that criminals will have to choose between targeting multiple operating systems with numerous individual devices under their control or homing in on Windows by targeting corporations, Kaspersky said.

Alternative operating systems like Apple OS X and iOS and Google's Android mobile operating systems are gaining momentum with consumers, despite early signs of security weaknesses around such devices and services. Despite that, Windows-based, corporate attacks are likely to rule the cybercrime landscape of the next decade. However, Windows' continued dominance in the corporate environment will force the cyber criminal world to split into two distinct groups: those that specialize in targeting businesses and those that target systems affecting our everyday lives. The first will continue with practices of database theft, commercial espionage, and corporate reputation smearing, while the latter will make their living by targeting transportation and similar systems to change and/or steal personal data stored within. On both fronts criminals will face opposition from corporate IT departments and state-run anti-cybercrime agencies, Kaspersky said.

Continued growth in electronic payment and online banking will force the development and deployment of new security measures like payment protection and biometric identification. The report also claims that the botnets of today, which are widely used in the cybercrime industry, will be an unrecognizable thing of the past after they evolve, and presumably improve, dramatically.

Read more on Kaspersky's security predictions for the next decade here.





HIPAA Bares Its Teeth: $4.3m Fine For Privacy Violation

I thought you might enjoy this article from 

The health care industry's toothless tiger finally bared its teeth, as the U.S. Department of Health and Human Services issued a $4.3m fine to a Maryland health care provider for violations of the HIPAA Privacy Rule. The action is the first monetary fine issued since the Act was passed in 1996.

The U.S. Department of Health and Human Services (HHS) issued a Notice of Final Determination to Cignet Health Care of Temple Hills, Maryland on February 4. The notice followed a finding by HHS's Office of Civil Rights that Cignet failed to provide 41 patients with copies of their medical records and failed to respond to requests from HHS's Office of Civil Rights for information related to the complaints.

A copy of a penalty notice against Cignet depicts a two-year effort in which HHS struggled with what appears to be a dysfunctional Maryland provider unaware of the potential impact of HIPAA non-compliance, and unwilling or unable to cooperate with HHS in any way.

Following patient complaints, repeated efforts by HHS to inquire about the missing health records were ignored by Cignet, as was a subpoena granted to HHS's Office of Civil Rights ordering Cignet to produce the records or defend itself in any way. When the health care provider was ordered by a court to respond to the requests, it disgorged not just the patient records in question, but 59 boxes of original medical records to the U.S. Department of Justice, which included the records of 11 individuals listed in the Office of Civil Rights Subpoena, 30 other individuals who had complained about not receiving their medical records from Cignet, as well as records for 4,500 other individuals whose information was not requested by OCR. 

In the end, HHS's Office of Civil Rights found that Cignet showed "willful neglect of its obligation to comply with the requirement of the Privacy Rule" and, in essence, threw the book at the Maryland provider.

HIPAA has been a force in the health care industry for more than a decade, forcing health care providers of all stripes to institute tighter controls over patient data. However, for years after its passage, HIPAA lacked strong language about enforcement and penalties for non-compliance. That changed with the passage of the HITECH Act, part of the American Recovery and Reinvestment Act of 2009. That law strengthened the privacy and information security provisions of HIPAA and expanded the list of entities covered by the law.





Monday, February 21, 2011

Google Funds Web Anti-Malware Startup Dasient




Google Ventures, the venture capital arm of Google Inc., has invested in anti-malware firm Dasient, according to a statement from the company on Monday.

Based in Sunnyvale, California, Dasient sells a Web anti-malware technology and has deep ties to Google. Co-founders Neil Daswani and Shariq Rizvi both worked for the search giant. Dasient said that it will use Google's investment, the size of which the company declined to disclose, to expand research and development as well as sales and marketing.

The security of Web sites has been a sore spot for consumers and corporations alike, which rely on the smooth flow of Web content. Dasient's technology can spot and profile malicious code being hosted from both legitimate and hostile Web domains. The company offers both free and premium services including Web site blacklisting and alerting around suspicious Web sites, as well as Web site monitoring, malware quarantining and diagnostics for paying customers.

Previously, Dasient had raised $2m from an assortment of venture firms and angel investors, including Maples Investment, Radar Partners, Stratton Sclavos, and Eric Benhamou.

Dasient claimed that 2010 was a strong year, with double-digit sales growth to financial, media, and e-commerce firms. The company said it blocked malware on 1.2 million Web sites. It also introduced a product aimed at helping Web publishers and online ad networks spot malicious ads being served from their networks.





Experts Agree: No Easy Fix For Mobile Security


SAN FRANCISCO -- Mobile phones, tablet PCs and other new technologies are poised to take over the workplace, but organizations that hope to secure them before they do so face an uphill battle, according to a symposium on mobile security.

Experts at the half-day mobile security event on Monday warned that security, management and data protection are likely to be pressing problems for organizations of all sizes, as consumer-driven adoption of multi-function mobile devices outstrips the ability of IT organizations to manage and monitor the devices within the workplace.

The event, Mobile Security Symposium 2011, held in the shadow of the RSA Security Conference and sponsored by consulting firm SRA International, brought together leading experts on mobile device security from the worlds of academia, government, industry and the technology sector. While malware targeting mobile devices is still a relatively minor concern, other security issues are vexing organizations awash in a sea of unmanaged smart phone and tablet devices, the experts warned.

Mobile device applications are an up-and-coming threat, said Rob Smith, the Chief Technology Officer of Mobile Active Defense. The applications offered on even reputable application marketplaces aren't vetted for features that could constitute security threats to enterprise data, he said.

"Whitelists and blacklists for mobile devices are useless," he said. Figuring out the exact functioning of a mobile application is harder than determining whether or not a Web page is malicious. "When you buy Angry Birds, you're just trusting that there weren't any 'angry developers' working on it," he told the audience in a panel discussion of Mobile Data Security. In fact, mobile marketplaces encourage users to think that the applications they are downloading have been vetted and are reliable, when the opposite is often true. At stake is, potentially, access to corporate assets and data, he warned.

Security vendors are increasingly recognizing the same issue. Veracode last week expanded its application testing program to include Apple iOS and Google Android devices, while firms like ViaForensics have been sounding the alarm about insecure data management practices in popular mobile applications.

Security vendors have long warned about threats to mobile devices, but the last decade has seen little momentum behind mobile malware - especially when compared with the flood of Windows- and Web-based malware and attacks. But that may be changing.

Cisco Systems predicted that threats and attacks will migrate from Windows and the Web to mobile devices such as Google Android devices and Apple iPhones and iPads in 2011. Such devices increasingly hold sensitive and valuable financial, personal and corporate data, Cisco said.

Organizations need tools to inventory and track mobile devices, as well as enforce policies on them in the same way that they do now for desktop and laptop computers. But those tools, for the most part, don't exist, says Ward Spangenberg, the Director of Security Operations at social gaming giant Zynga.

While most mobile device operating systems are far more resistant to attacks than the Windows desktop operating system, there's a shortage of tools to manage them.

"Laptops have mature technology to manage the device, but we're still playing catch up with mobile devices in terms of being able to manage them," he said. Zynga, like other employers, has to balance the desire of employees to use the latest mobile devices, like iPads, with the company's need for security.

"I can't manage iPads on our network, so they don't get access," he said.

Among the issues facing employers is how to manage corporate data like e-mail and files that employees have stored on their mobile devices. In the event of a lost or stolen mobile device, organizations are looking for ways to erase the device in question before thieves can get access to the data.

An even thornier problem arises when employees leave their job or are terminated: companies want to erase their data from that employee's device, but the employee will be (understandably) reluctant to have the entire device erased.

Smith, of Mobile Active Defense, said that even technology giants like Apple learned that the hard way. An employee of that firm famously lost a pre-release version of the iPhone 4 in a bar, dashing the company's plans for a surprise unveiling of the new product.

A new breed of firms offers enterprises tools for tracking and enforcing policies on smart phones and other mobile devices, as well as managing data encryption, remote wipe capabilities and more, said Ahmed Datoo, VP of Marketing for Zenprise, which introduced its first mobile management product in 2007. But there are challenges: vendors like Apple and Google insist on managing firmware updates themselves, meaning that mobile device management firms have to leave patching to those vendors.

At the same time, mobile carriers may sport their own flavor of operating systems like Google's Android - further complicating the job of managing those devices within an IT environment.

Carriers could play a greater role in securing the mobile ecosystem and helping firms manage mobile devices - but that would require them to abandon their proprietary ecosystems of devices and support heterogeneous environments, Datoo said.

Ed Amoroso, CSO of mobile carrier AT&T, agreed that carriers should shoulder greater responsibility for security with mobile devices, but said they face little pressure on the issue in what is still a market driven by consumer demand for cool devices, features and convenience.

"Security is not a differentiator in the mobile market," Amoroso said. "It's hard for us in the carrier space, at this point, to make strong statements about security," he said.

Panelists at the event generally agreed that attention to mobile security will increase along with adoption and threats. The coming months and years will reveal the need for better coordination among carriers, platform vendors and organizations as attacks target and highlight weaknesses in the current mobile ecosystem.





New Android Trojan Surfaces in China




Lookout Mobile Security discovered a new Android-based Trojan called HongTouTou (aka ADRD Trojan) that is packaging itself in popular Android apps and delivering itself through app markets and Chinese forums.

This piece of malware is requesting additional permissions from users and may also be executing search-related activities under the radar, including keyword searches, the company warned.

Lookout, a mobile security vendor, said it has identified 14 instances of the malware repackaging itself in various wallpaper apps and specifically in the popular game RoboDefense, made available in alternative application markets. The Trojan works by duping an infected app into sending encrypted data containing the device's IMEI and IMSI to a remote host. HongTouTou then receives a set of search engine target URIs and search keywords to send as queries. It uses these keywords to emulate search activity, issuing searches to the search engine for those keywords and clicking on specific results. To the search engine, the searches appear to come from a mobile user with a mobile Web browser whose User-Agent corresponds to the UCWeb browser.

The Trojan is also capable of processing commands instructing it to download an APK (Android package file) that could allow the malware to monitor SMS conversations and insert content related to specific keywords (spam) into the SMS conversations. However, Lookout cautions that it has not yet seen it attempt to install the APK.
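The search-and-click behaviour described above leaves a trace that a defender can look for in Web proxy logs: one client issuing an unusual number of distinct search-engine queries in a short window, all from a mobile browser User-Agent. The script below is an added example, not Lookout's or the original article's code, showing that heuristic over a few constructed log lines. The log format, the hostnames treated as search engines, the query-string keys, the `UCWEB` User-Agent substring and the thresholds are all assumptions made for this example and would need to be adapted to a real environment.

```python
"""Flag clients whose search traffic looks automated (added example).

Heuristic: a client that issues at least `min_distinct` different search
keywords within `window`, from a User-Agent containing `ua_marker`, is flagged.
Everything below (log format, hosts, keys, thresholds) is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Assumptions: which hosts count as search engines and which query keys carry the keyword.
SEARCH_HOSTS = {"www.example-search.test"}
SEARCH_PARAMS = ("q", "wd", "query")

# Constructed proxy log, not real traffic. Format (assumed):
# <ISO time> <client> <method> <url> <status> "<user-agent>"
UA_MOBILE = '"UCWEB/8.0 (Java; U; MIDP-2.0; en-US)"'
UA_DESKTOP = '"Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"'
SAMPLE_LOG = [
    f"2011-02-21T10:00:00 10.0.0.7 GET http://www.example-search.test/s?wd=phone+deal 200 {UA_MOBILE}",
    f"2011-02-21T10:00:04 10.0.0.7 GET http://shop.example.test/item/1 200 {UA_MOBILE}",
    f"2011-02-21T10:00:20 10.0.0.7 GET http://www.example-search.test/s?wd=ringtone 200 {UA_MOBILE}",
    f"2011-02-21T10:00:41 10.0.0.7 GET http://www.example-search.test/s?wd=wallpaper 200 {UA_MOBILE}",
    f"2011-02-21T10:01:02 10.0.0.7 GET http://www.example-search.test/s?wd=game+download 200 {UA_MOBILE}",
    f"2011-02-21T10:01:25 10.0.0.7 GET http://www.example-search.test/s?wd=cheap+flights 200 {UA_MOBILE}",
    f"2011-02-21T10:01:50 10.0.0.7 GET http://www.example-search.test/s?wd=lottery 200 {UA_MOBILE}",
    # Desktop client doing many searches: ignored because the UA marker is absent.
    f"2011-02-21T10:00:01 10.0.0.8 GET http://www.example-search.test/s?q=a 200 {UA_DESKTOP}",
    f"2011-02-21T10:00:02 10.0.0.8 GET http://www.example-search.test/s?q=b 200 {UA_DESKTOP}",
    f"2011-02-21T10:00:03 10.0.0.8 GET http://www.example-search.test/s?q=c 200 {UA_DESKTOP}",
    f"2011-02-21T10:00:04 10.0.0.8 GET http://www.example-search.test/s?q=d 200 {UA_DESKTOP}",
    f"2011-02-21T10:00:05 10.0.0.8 GET http://www.example-search.test/s?q=e 200 {UA_DESKTOP}",
    # Mobile client with normal, low search volume: below threshold.
    f"2011-02-21T10:00:10 10.0.0.9 GET http://www.example-search.test/s?wd=weather 200 {UA_MOBILE}",
    f"2011-02-21T10:03:10 10.0.0.9 GET http://www.example-search.test/s?wd=news 200 {UA_MOBILE}",
]


def parse_line(line):
    """Split one log line into a dict. The UA is the remainder, so it may contain spaces."""
    ts, client, _method, url, _status, ua = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "ua": ua.strip().strip('"')}


def query_keyword(url):
    """Return the search keyword if `url` is a query to a known search host, else None."""
    parsed = urlparse(url)
    if parsed.hostname not in SEARCH_HOSTS:
        return None
    qs = parse_qs(parsed.query)
    for key in SEARCH_PARAMS:
        if key in qs:
            return qs[key][0]
    return None


def flag_clients(lines, window=timedelta(minutes=5), min_distinct=5, ua_marker="UCWEB"):
    """Return {client: sorted distinct keywords} for clients exceeding the threshold."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        keyword = query_keyword(rec["url"])
        if keyword is None or ua_marker.lower() not in rec["ua"].lower():
            continue
        events[rec["client"]].append((rec["ts"], keyword))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        # Sliding window anchored at each query: distinct keywords seen within `window`.
        for i, (t0, _) in enumerate(evs):
            keywords = {kw for t, kw in evs[i:] if t - t0 <= window}
            if len(keywords) >= min_distinct:
                flagged[client] = sorted(keywords)
                break
    return flagged


if __name__ == "__main__":
    for client, keywords in flag_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(keywords)} distinct searches in window -> {keywords}")
```

The thresholds are deliberately conservative; in practice the baseline should be derived from the organization's own traffic, and a hit is a lead for investigating the device (which app was installed, what permissions it holds), not a verdict on its own.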

Mobile devices, specifically those running on the Android OS, are becoming increasingly popular targets for malware authors. Part of the reason is that Android's app market is outpacing Apple's by three times. Furthermore, many of these apps are being written with the capability to access sensitive user information. Compound that with the fact that many Android apps, some 11% of which have been repackaged (not submitted by the original developer), are being peddled on alternative application markets not regulated by Google, and one realizes it would be stupid not to target Android.

Security experts are warning that mobile applications and loosely monitored application exchanges pose a major security risk to consumers and corporations. At a symposium on mobile security in San Francisco sponsored by SRA International on Monday, Rob Smith of the firm Mobile Active Defense said that malicious or suspicious apps should be a huge concern to corporations and public sector organizations that are allowing employees to bring mobile devices in to work.

"I think app(lication) stores are the greatest malware delivery mechanism in the history of man," Smith said. "Apple has 300,000 mobile applications, but there's no check of the underlying source code." 

As of now, Lookout Security is only aware of the HongTouTou Trojan affecting users on Chinese forums. It does not affect any apps in their original versions available on the Google Android Market.





10 Essential Mobile Apps to Invest in 2011: Gartner - Mobile and Wireless - News & Reviews - eWeek.com - eWeek Mobile

http://mobile.eweek.com/c/a/Mobile-and-Wireless/10-Essential-Mobile-Apps-to-Invest-in-2011-Gartner-486968/

Wednesday, February 16, 2011

Mobile Device and FIPS 140 in Federal Market

I found this very interesting article 


It talks about iPhone, Android and BlackBerry and the FIPS 140 certification options for those mobile platforms.



Friday, February 11, 2011

Wes Bush said that "export control" is like "Pest Control"

Northrop Grumman CEO Wes Bush said today at NVTC that the US government needs to support exports and support innovation. Innovation is the best commodity of the USA. I am still in this meeting as I create this blog post.

Friday, February 4, 2011

NIST publishes: Guidelines on Security and Privacy in Public Cloud Computing

http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf

It covers the following topics for public cloud security and privacy:

Governance
Compliance
Trust
Architecture
Identity and Access Management
Software Isolation
Data Protection
Availability
Incident Response
Summary of Recommendations


Trends in Security: 2011 Predictions from Oracle Security Leaders


I agree with the overall prediction, but want to add that social websites will see increased security breaches along with increasing attacks on mobile environments.

"As threat levels rise and new technologies such as cloud and mobile computing gain widespread acceptance, security is widely expected to occupy more and more mindshare among IT executives in 2011. 

To help prepare for the coming year, we asked two Oracle security leaders—Amit Jasuja, vice president of Identity Management and Security Products; and Vipin Samar, vice president of Database Security—to help us track key trends in security in 2011. 

1) Threat levels will grow—and there will be more serious breaches.
According to Samar, threat levels are on the rise for many reasons. A challenging economy increases the likelihood of breaches, and layoffs can open holes in IT security. Most organizations have not done enough to protect against insider threats. According to Jasuja, organizations will continue to look for security solutions to stop user access to applications based on real-time patterns of fraud and for situations in which employees change roles or employment status within a company. 

2) Cloud computing will continue to grow—and require new security solutions.
Recent investments in private cloud computing are providing significant returns, but also can lead to companies "putting all their eggs in one basket" as the result of increasing database consolidation, according to Samar. Cloud computing requires a new kind of vigilance he says, demanding investment in security solutions such as the new Oracle Database Firewall that defend against more threats. 

3) Mobile devices will challenge traditional security solutions. 
The proliferation of mobile devices—combined with increasing numbers of remote employees and expanding global partner networks—continues to dissolve the traditional boundaries of the enterprise, according to Jasuja. This, in turn, will require a holistic approach within an organization that combines strong database security, strong authentication and fraud protection, externalization of entitlements, and central management across multiple applications—and open standards to make all that possible. Oracle Security Solutions are uniquely positioned to meet these challenges. 

4) Security platforms will continue to converge.
As organizations move increasingly toward vendor consolidation, security solutions must also evolve, Jasuja and Samar both believe. Next-generation security platforms must have best-of-breed features, yet must also remain open and flexible to serve global markets and local conditions. As a result, says Jasuja, developers need products such as the service-oriented Oracle Access Management Suite in order to efficiently and reliably build identity management into applications—without requiring security experts. Oracle offers comprehensive solutions such as transparent data encryption, privileged user controls, auditing, and more at the database level that don't require modifying existing applications. 

5) Regulation of personally identifiable information (PII) will increase—including expanding definitions of what PII means.
In 2011, more and more jurisdictions are likely to follow California and Massachusetts in increasing regulation of PII, says Samar. He also expects the definition of PII to grow over time, especially because of the rapid rise of image sharing on social networks. The good news, says Samar, is that when data has been encrypted by security solutions such as Oracle Advanced Security, breaches don't need to be reported because the data itself is still protected. 

Jasuja adds that as organizations incorporate services from the cloud they will need to use security standards. In 2011, he expects growth in the use of virtual directories as companies connect data silos inside their organizations and use federation to connect to cloud services. Oracle Virtual Directory and Oracle Identity Federation have out-of-the-box connectors so companies can connect their enterprise to the cloud quickly.

6) Organizations will increasingly pursue "business-centric compliance." 
As privacy and security regulations increase, businesses will look for "business-centric compliance" solutions that combine strong security and compliance management tools with better user experience for faster, lower-cost implementations. Read more about how Oracle Identity Analytics 11g takes a "business-centric" approach with features such as Cert-360. "