Microsoft released four security bulletins this afternoon (one critical, two important and one moderate) as part of its regular monthly release cycle.
Missing from today's bulletins is a patch for the vulnerability exploited by Duqu. Microsoft has said it is working diligently on that patch.
Spending on information technology security services worldwide is estimated to touch $35.1 billion this year, up from $31.1 billion in 2010, according to research firm Gartner. While Asia-Pacific is expected to spend around $4.7 billion in 2012 and $7 billion in 2015 on security services, North America remains the largest market, with revenue forecast to surpass $14.6 billion in 2012, and $19 billion in 2015.
"It is still very advantageous for smaller emerging vendors to maintain significant focus on North America, where there is a larger number of dollars at stake. There is also positive growth there," said Lawrence Pingree, research director, Gartner. "We are encouraging these vendors to continue to invest in strategies in order to remain relevant in other emerging high-growth markets as well," he added.
"It will be interesting to see what becomes of this. I would suspect the likelihood of this to be a state-sponsored attack rather than the work of an individual or an activist group like Anonymous." -Scott
"Combining these two conferences is a great idea. Let me know if you'll be there--I will." -Scott
"If the data had been encrypted, they would not have had to disclose this loss. Encrypting everything can be a pain, but not compared to the problems that HRHS will have after this--annual IT security audits, etc. etc." -Scott
"From my experience, this might not be a bad idea. Coupled with a "secret shopper" program to catch those departments who are not complying, it would make security more uniformly enforced. When I am in various federal facilities, the security varies greatly in how well it is enforced. One place last month, I was able to roam the building after being let in, despite the fact that there were signs that unescorted visitors would be arrested. I asked my contact and she said that is not enforced--"don't worry, you're fine." Er something...." -Scott
"It will be interesting to see how much "security in the network" people will be willing to have if it means that they can't do everything that they want on their new iPads, smartphones and other devices. There is always a trade-off between security and flexibility and a delay between when a technology is introduced and when a vulnerability is found. People may get used to the new features that a device provides, and be unwilling to give up those features in the name of security when a vulnerability is found." -Scott
The consumerization of the endpoint and the increased usage of virtualization have rendered past security models obsolete and "it's time to rethink the entire system," Gillis said.
Gillis pointed to an era in which corporate users can select their own devices and determine where work is done at anytime from anywhere. And to accommodate that, the security model has to take a dramatic shift.
"One of the main reasons that companies need to invest in automated tools for IT and Security Professionals is so that they can be freed up to keep up to date on new threats and new technologies. Organizations are willing to add more and more technologies to the IT mix (social networks, mobile devices of all flavors) and are often too reluctant to invest more in their security tools." -Scott
The survey of 10,413 information security professionals from companies and public sector organizations worldwide also found a severe gap in the skills needed by information security professionals across the board. Many reported a need for better training, particularly on cloud computing. For example, more than 50 percent of respondents reported having private clouds in place, while more than 70 percent reported the need for new skills to properly secure cloud-based technologies.
"This is one of the more interesting "human" interest stories in IT security in a while. I'm not a fan of WikiLeaks, Anonymous or other hacktivists, but it is interesting to see what this incident revealed about how many so-called "Security Experts" operate. Apparently not by following even the simple security guidelines that we preach over and over again to end users. HBGary CEO Aaron Barr provoked a skilled group of hackers (I'm sorry but if you can mess up MasterCard's online operations, you are skilled), but left his network open to relatively easy ID (I would have taken it off net) and apparently reused the same password on multiple systems, so that once it was cracked, the hackers had access to all of his accounts. You can read more too about how HBGary set up plans to launch attacks (illegal attacks) on sites and the government, and then go sell security to them (illegal, immoral, unethical). I hope that ISC2 removes CISSP certification from any HBGary employees who participated in this practice." -Scott
It has been an embarrassing week for security firm HBGary and its HBGary Federal offshoot. HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.
When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating. HBGary's servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced. As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and the user registration database published.
"It is nice to see a government official working in IT security not try to exaggerate risks in order to get a bigger budget, more power or other "stuff." Al Qaeda doesn't want to hack our computers, steal our credit cards or slow down our email. They want to kill us! See us dead on the streets and kick our dead bodies. Interrupting Hulu is not on their list. The bigger dangers to the internet are the small crimes that all add up--phishing scams that get gramma's savings, etc." -Scott
Cyberspace functions as the very endoskeleton of modern life. So it’s no surprise that when bad actors emerge to exploit or threaten it — whether profit-driven criminals, electronic saboteurs or international espionage rings — there’s a temptation to define the threat in the strongest and simplest terms. These days, some observers are pounding out a persistent and mounting drumbeat of war, calling for preparing the battlefield, even saying that the United States is already fully into a “cyberwar,” that it is, in fact, losing.
We disagree. Cyberspace is not a war zone.
Conflict and exploitation are present there, to be sure, but cyberspace is fundamentally a civilian space – a neighborhood, a library, a marketplace, a school yard, a workshop – and a new, exciting age in human experience, exploration and development. Portions of it are part of America’s defense infrastructure, and these are properly protected by soldiers. But the vast majority of cyberspace is civilian space.
"After learning more about how Google tracks and monitors people, I wonder if one could obtain an email account and a mobile phone without having to reveal your true ID or provide an ID, if you could build other identities (Google, OpenID, facebook, etc) that are now considered trusted means of providing ID (not really sure why, they aren't). It seems that more and more, the security measures that are used to verify who we are, are really based on meta data about who we are. Perhaps if you can create the meta data, to Google and the rest of the world, you have created a new person. Can you keep building until you have a bank account, etc.? The 21st century version of The Modern Prometheus?" -Scott
Google is to offer all Gmail users the option to secure their accounts using two-factor authentication (2FA), the first time such security has been widely used on mass webmail.
The new 2FA option - two-step verification in Google terminology - will add an extra layer of security in which users designate a mobile phone, landline or mobile app to receive a unique one-time login code. This is then entered in addition to the usual username and password combination.
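The server side of the scheme just described, as an added example that is not Google's code: a one-time code is issued after the password check succeeds, delivered out of band (delivery is stubbed here), and accepted only within a validity window, only a limited number of times, and only once. Everything below is a constructed illustration; the in-memory store, the 6-digit code length, the 5-minute window and the 3-attempt cap are assumptions chosen for the example.

```python
"""Minimal server-side model of a one-time-code second factor.

Added example, not Google's implementation. Assumptions (hypothetical):
an in-memory store keyed by username, a 6-digit numeric code whose delivery
(SMS, voice call, app) is left to the caller, a 5-minute validity window,
a cap of 3 verification attempts per code, and codes consumed after one
successful use.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3

# constructed in-memory store: username -> pending challenge
_pending = {}


def _hash_code(username, code):
    # Store a hash bound to the user rather than the plaintext code, so a
    # leaked store does not hand out usable codes.
    return hashlib.sha256(f"{username}:{code}".encode()).hexdigest()


def issue_code(username, now=None):
    """Create a fresh code for a user who already passed the password check.

    Returns the plaintext code so the caller can deliver it out of band;
    only its hash, expiry and attempt counter are kept server-side.
    """
    now = time.time() if now is None else now
    # secrets (not random) so the code is unpredictable
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _pending[username] = {
        "hash": _hash_code(username, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(username, submitted, now=None):
    """Accept a submitted code once, within its window, under the attempt cap."""
    now = time.time() if now is None else now
    challenge = _pending.get(username)
    if challenge is None:
        return False
    if now > challenge["expires"]:
        del _pending[username]  # expired: the user must request a new code
        return False
    challenge["attempts"] += 1
    if challenge["attempts"] > MAX_ATTEMPTS:
        del _pending[username]  # too many guesses: discard the challenge
        return False
    # constant-time comparison so timing does not leak matching prefixes
    ok = hmac.compare_digest(challenge["hash"], _hash_code(username, submitted))
    if ok:
        del _pending[username]  # single use
    return ok


if __name__ == "__main__":
    # Demo flow: password step assumed to have passed for the constructed user.
    code = issue_code("demo-user")
    print("deliver out of band:", code)
    print("first use accepted:", verify_code("demo-user", code))
    print("replay rejected:", verify_code("demo-user", code))
```

The password check itself stays where it already is; this function only decides the second step, which is why the attempt counter, expiry and single-use rule live with the challenge rather than with the account.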