To succeed, IT security must raise its profile in the business, says former CIO
SAN FRANCISCO — RSA Conference 2008 — Security pros need to stop fighting fires in the data center and start getting themselves noticed in the boardroom, a former CIO and top-ranking security executive said here last week.
Many IT security people see themselves primarily as technologists and problem-solvers, said Dave Hansen, former CIO at Computer Associates and currently senior vice president and general manager of CA’s Security Management business unit. But as security becomes more critical to the business, CSOs need to delegate some of the operations functions and get more tied into the business, he said.
“Right now, 46 percent of CSOs spend up to a third of their day just analyzing security event reports,” Hansen said. “That’s not the way to maximize value to the organization — and it needs to change.”
To help make his point, Hansen showed the audience a humorous video that demonstrates how deeply the security function may be buried in some organizations.
“If you’re a CIO and you don’t know where your CSO sits, you’re probably missing a critical component in your strategic planning,” Hansen said during the keynote and in a subsequent question-and-answer session. “When I was a CIO, I wanted that CSO close by, because I was ultimately responsible and I needed to know what was going on.”
Security researcher Joel Eriksson recently demonstrated how security vulnerabilities within hacker attack tools can be used to turn the tide on online criminals.
According to a Wired blog post, Eriksson, a security researcher with Swedish security firm Bitsec, demonstrated how he has successfully reverse engineered attack software, such as Trojan horses, so that he can upload his own exploits on the attacking systems.
It seems Eriksson is finding vulnerabilities in a number of “remote administration” tools, including Bifrost and PCShare.
“If there is a vulnerability, it is still game over for the hacker,” Eriksson is quoted as saying.
Some companies are failing to encrypt data
Companies and public bodies are not doing enough to protect customers’ data, the UK’s privacy watchdog and a major survey of security have said.
The Information Commissioner said that the 94 security breaches reported to him last year was an “alarming” number.
The survey of more than 1,000 firms suggested that almost 90% of them let staff leave offices with potentially confidential data stored on USB sticks.
Firms and public bodies were urged to make data protection a priority.
Information Commissioner Richard Thomas said of the 94 data breaches, two thirds were committed by government or other public sector bodies.
Data had been recovered in only three of the 94 cases, he said.
Stolen computers
The material included personal details of UK citizens, including health records.
“The evidence shows that more must be done to eradicate inexcusable security breaches,” he said.
Mr Thomas’ findings and the separate Information Security Breaches Survey will be detailed at the InfoSec show in London, the world’s largest event of its kind.
The rate at which Internet security company Sophos detected infected Web pages nearly tripled in the first quarter of 2008, the company said.
In its Q1 08 threat report released Monday, Sophos says that it discovered a new infected Web page every 5 seconds. In 2007, the company says, it saw new infected Web pages every 14 seconds.
“The Web continues to be the preferred way for malware authors to deliver their attacks,” the report says. “Our growing dependence on the Web for purchasing and gathering information makes it an ideal hunting ground for cyber criminals chasing poorly protected users.”
The rise in infected Web pages is related to a decline in infected e-mail. Sophos says that about 1 out of every 2,500 e-mail messages contained malware, compared to 1 out of every 909 messages monitored in 2007.