<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://security.sys-con.com"  xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Latest News from Web Security Journal</title>
 <link>http://security.sys-con.com/</link>
 <description>Latest News from Web Security Journal</description>
 <language>en</language>
 <copyright>Copyright 2013 Ulitzer.com</copyright>
 <generator>Ulitzer.com</generator>
 <lastBuildDate>Sun, 19 May 2013 08:14:32 EDT</lastBuildDate>
 <docs>http://backend.userland.com/rss</docs>
 <ttl>360</ttl>
 <image> <title>Latest News from Web Security Journal</title>
 <url></url>
 <link>http://security.sys-con.com/</link>
</image>
<item>
 <title>Cloud Computing – The Wave of the Future</title>
 <link>http://security.sys-con.com/node/2661115</link>
 <description>“Trust is an ongoing journey and sits at the foundation of any vendor relationship – the companies that don’t consistently earn trust won’t be around long,” noted Henrik Rosendahl, Senior VP of Cloud Solutions at Quantum, in this exclusive Q&amp;A with Cloud Expo Conference Chair Jeremy Geelan. “As they do more with cloud, trust will organically grow – maybe it’s just about meeting SLAs or seeing firsthand that data is there when you need it,” Rosendahl continued.
Cloud Computing Journal: The move to cloud isn&#039;t about saving money, it is about saving time. – Agree or disagree?
Henrik Rosendahl: I believe it is actually both. Time is money, as they say. I typically think in terms of efficiency, which encompasses economics as well as the positive impact on administrative workflows. This is certainly true when we talk about cloud-based backup as a service (BaaS). Typically with BaaS customers, the first question is “How much is this going to cost?” Monthly costs are primarily capacity-driven – store more, pay more; however, you don’t have to buy future capacity that’s not being used for a while so in that sense you save a lot of money. Cloud-based backup and archive solutions enable companies to reduce or eliminate tape, as well as realize the promise of true business continuity. Another benefit of cloud-based solutions, particularly when it comes to backup, is in paying only for the capacity you immediately need, with the ability to scale up as needed, and convert CAPEX to OPEX, which is an important element of flexibility.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2661115&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sat, 18 May 2013 16:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2661115</guid>
 <comments>http://security.sys-con.com/node/2661115#feedback</comments>
</item>
<item>
 <title>Cloud Expo New York: Introducing the Open Cloud Exchange</title>
 <link>http://security.sys-con.com/node/2660708</link>
 <description>The cloud-enabled data center sits at the center of IT transformation. It facilitates the interconnection and communities that come together, propelling growth for both buyers and sellers. 
In his session at the 12th International Cloud Expo, Gerry Fassig, CoreSite’s Vice President of Sales, will discuss how CoreSite is bringing together best-of-breed partners through the Open Cloud Exchange resulting in public, private, and hybrid cloud interconnection and management as well as connectivity to AWS direct connect.
Gerry Fassig is CoreSite’s Vice President of Sales for the cloud/hosting service provider industry. He possesses more than 20 years of enterprise and start-up sales leadership experience and leads a national team responsible for acquiring, retaining and managing service providers of all sizes. Prior to joining CoreSite, he held senior sales and management positions with Savvis, helping drive strategic growth throughout the organization during the Exodus/Cable and Wireless acquisitions. Before Savvis, he held various leadership roles at Wheelhouse, a CRM strategy consultancy and at Gartner.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2660708&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sat, 18 May 2013 11:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2660708</guid>
 <comments>http://security.sys-con.com/node/2660708#feedback</comments>
</item>
<item>
 <title>Remediating SSH Key Mismanagement</title>
 <link>http://security.sys-con.com/node/2652631</link>
 <description>From its origin in 1995, SSH, the secure shell data-in-transit protocol, has been used the world over as a method to transfer data between machines, as well as a tool to provide remote administrator access. Some variation of the protocol is packaged free in every version of Unix, Mac OS and Linux. Recently, its use has grown exponentially in Windows operating systems as well. While the exact number of worldwide SSH deployments is unknown, it is estimated that nearly half of all of the World Wide Web uses SSH, making it a virtually mandatory service in the world of network security.
After nearly two decades of use, SSH has succeeded in securing billions of business transactions without any faults of the protocol itself, demonstrating its dependability as a security solution. On the other hand, the evolution of cyber-threat ability requires that organizations take a careful look at how they manage their SSH environments. &lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2652631&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 13 May 2013 14:30:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2652631</guid>
 <comments>http://security.sys-con.com/node/2652631#feedback</comments>
</item>
<item>
 <title>Federal Government Prioritizes Data Security</title>
 <link>http://security.sys-con.com/node/2648938</link>
 <description>The President&#039;s State of the Union address made it clear that data security is a top priority to keep personal, business-related and national security information protected.
During the last State of the Union address, President Barack Obama included improving data security on his list of national priorities.
President Obama said, “America must also face the rapidly growing threat from cyberattacks… We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
Including data security on the President’s agenda is significant because it first implies that our government is not yet accomplishing this goal, and second it compels us to put the pieces in place “to protect our national security, our jobs, and our privacy.”&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2648938&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 13 May 2013 12:15:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2648938</guid>
 <comments>http://security.sys-con.com/node/2648938#feedback</comments>
</item>
<item>
 <title>Time to Ditch Cryptographic Keys?</title>
 <link>http://security.sys-con.com/node/2614087</link>
 <description>What is the most secure way to authenticate electronic data? Until recently, many technical people would have answered ‘cryptographic keys’ without blinking. But recent headline events – and a ‘biggie’ last year – have raised serious doubts about the ability of cryptographic keys to protect vital government and corporate data. 
Here are two examples from February that should make CIOs, CTOs and CSOs tremble in their boardrooms: McAfee revoking keys for signing apps on the Apple store; and stolen keys from Bit9 being used to sign malware.
In the McAfee case, a McAfee administrator revoked (by mistake) the digital key for certifying desktop apps that run on Apple’s OS X, thereby creating serious problems for customers who wanted to install or upgrade Mac antivirus products.
The original Arstechnica article (McAfee revoking keys) noted that the administrator intended to revoke his individual user key, but “instead revoked the code-signing keys Apple uses to help keep the Mac ecosystem free of malware.”&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2614087&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 13 May 2013 06:15:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2614087</guid>
 <comments>http://security.sys-con.com/node/2614087#feedback</comments>
</item>
<item>
 <title>Living Social’s Data Breach</title>
 <link>http://security.sys-con.com/node/2648440</link>
 <description>Living Social, the popular online discount site, recently experienced a cyber-attack affecting more than 50 million of their customers. Users with a Living Social account received an email explaining the data breach, which included hackers accessing customer user names, email addresses, birth dates and passwords. 
In the email to customers, Living Social asked many users to change their password immediately. While the passwords were encrypted, Living Social Chief Executive Tim O’Shaughnessy wrote “We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s).”
Unfortunately, the other compromised personally identifiable information (PII) – user names, email addresses and birth dates – was not encrypted, putting the personal data of millions of Living Social customers into the hands of cybercriminals. The dollar value associated with PII and the potential to use this information to commit identity theft and other online fraud have made these types of attacks more common. This may appear to be just another in a string of recent incidents where high-profile companies such as Apple and Twitter, those with significant amounts of sensitive customer data, came under attack by hackers. But Living Social’s upfront handling of the attack can serve as a forewarning for other companies holding large amounts of customer PII.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2648440&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 09 May 2013 16:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2648440</guid>
 <comments>http://security.sys-con.com/node/2648440#feedback</comments>
</item>
<item>
 <title>Intel Buys Stonesoft for McAfee</title>
 <link>http://security.sys-con.com/node/2647972</link>
 <description>Intel security unit McAfee, the semiconductor’s largest acquisition ever, is buying Stonesoft Oyi, a Finnish company founded in 1990 that’s got next-generation network firewalls. It’s paying $389 million cash. 
That’s a 128% premium to the outfit’s closing price on May 3 or $5.90 (€4.5) a share. 
Intel, which says it’s been looking for a better firewall solution and evasion-prevention widgetry for some time to ward off cyber-attacks, expects the market to be worth over $4 billion by 2016. 
CEO Ilkka Hiidenheimo, who owns 16.3% of the company and will make $61.5 million on the deal, claims Stonesoft+McAfee will offer “a 360-degree solution.” &lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2647972&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 08 May 2013 09:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2647972</guid>
 <comments>http://security.sys-con.com/node/2647972#feedback</comments>
</item>
<item>
 <title>Richard Bejtlich: Digital Weapons Can Cause Physical Damage</title>
 <link>http://security.sys-con.com/node/2644268</link>
 <description>Richard Bejtlich, chief security officer at cyber firm Mandiant, outlines how cyber spying can lead to physical destruction and perhaps war.
The world needs to develop a deeper understanding of digital defense, spying and war as many still believe espionage is a step below a full-scale digital attack that could be seen as an act of war, according to Mandiant Chief Security Officer Richard Bejtlich.
In an article for Foreign Affairs, Bejtlich argues that hackers and other adversaries can use the same tools for digital espionage to commit digital destruction and the amount of damage is not solely based on intent.
Cyber espionage can quickly escalate to cyberwar, resulting in physical damage from digital weapons, Bejtlich writes.
Bejtlich offers a scenario of an intruder surveying his or her target to find avenues for stealing data, then delivering malicious code or another weapon via email.
Once a victim opens the file, Bejtlich says the intruder is free to pursue their goals.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2644268&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 07 May 2013 15:33:04 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2644268</guid>
 <comments>http://security.sys-con.com/node/2644268#feedback</comments>
</item>
<item>
 <title>The Next Billion-Dollar Business</title>
 <link>http://security.sys-con.com/node/2636912</link>
 <description>AT&amp;T&#039;s move into home security is the natural move for service providers looking for new revenue sources to replace declining voice and SMS revenues.
AT&amp;T is not the first service provider to enter this market in North America  – Comcast has its Xfinity Home monitoring service and Verizon has its Home Monitoring and Control system – and it’s probably not going to be the last: more service providers are likely to join them as they search for additional services they can offer customers to replace declining revenues from the traditional voice and text income streams, as well as to prevent customer churn. (Once you’ve entrusted your home security to a service provider, how likely is it you’ll switch carriers?)&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2636912&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 30 Apr 2013 14:36:15 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2636912</guid>
 <comments>http://security.sys-con.com/node/2636912#feedback</comments>
</item>
<item>
 <title>F5 Tech Talk – Streamline, Secure and Optimize XA and XD Deployments</title>
 <link>http://security.sys-con.com/node/2639115</link>
 <description>In my 199th F5 video, Kevin Stewart and I share how BIG-IP APM can optimize, secure and streamline Citrix XenApp and XenDesktop deployments.  Make Citrix better with F5.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2639115&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 30 Apr 2013 08:20:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2639115</guid>
 <comments>http://security.sys-con.com/node/2639115#feedback</comments>
</item>
<item>
 <title>Creating Confidence in Mobility</title>
 <link>http://security.sys-con.com/node/2633832</link>
 <description>Every business wants to protect its confidential financial information. But for an organization like ours, financial information is our entire business. Over the course of a year, Broadridge handles millions of trades worth trillions of dollars, so it’s easy to see how security must be intertwined in everything we do. It was foremost in our minds when we were spun off from our parent company in 2007, because we wanted to grow the business while retaining security as a priority. One data breach, or a few hours of downtime, would cost us millions.
We had a team of 55 IT professionals working together for the first couple of years to make sure that our core functions and sensitive information were fully protected. We had several different security solutions on our endpoints that didn’t interact well, so we implemented new security software on all our endpoints, as well as encryption technology. These were all incremental steps toward embracing the latest trend: mobility.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2633832&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 29 Apr 2013 09:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2633832</guid>
 <comments>http://security.sys-con.com/node/2633832#feedback</comments>
</item>
<item>
 <title>The Prosecution Calls Your Smartphone to the Stand</title>
 <link>http://security.sys-con.com/node/2629026</link>
 <description>A very real legal situation is brewing in the wake of the bring your own device phenomenon: eDiscovery. You might be familiar with some of the various legal or liability issues that should be addressed with a BYOD policy, like privacy, the loss of personal information, working overtime or the fact that financial responsibility may dictate legal obligation.
Now, technology law experts are saying that if your company is involved in litigation, criminal or civil, personal mobile devices that were used for work email or other company activity could be confiscated and examined for evidence as part of the investigation or discovery process. So if you use your personal smartphone for work-related activities and your company is involved in a lawsuit, there may come a point where the court might subpoena your phone to see what relevant evidence might be contained. During litigation, the organization itself may have the legal obligation to sift through your mobile device for related information. If sued, companies are required to make a good-faith effort to retrieve data – wherever that may be. That includes your email, GPS history, text messages, cell phone records, social media accounts, pictures and any other info that could be pertinent to the case. This is proprietary company-owned data that resides on my personally owned device. This is especially true if your corporate email co-mingles with your personal email – meaning delivered through the same email app or program. In fact, according to this article, a judge recently sanctioned a company for a discovery violation because it did not search the BYOD devices during discovery.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2629026&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 24 Apr 2013 09:30:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2629026</guid>
 <comments>http://security.sys-con.com/node/2629026#feedback</comments>
</item>
<item>
 <title>The New Standard: Intelligence-Driven Security</title>
 <link>http://security.sys-con.com/node/2622868</link>
 <description>Network perimeters are all but erased and traditional security strategies such as stacking don&#039;t adequately address the current needs of a modern enterprise. Many companies are still using strategies rooted in 2002 technologies and approaches. The new intelligence-based security model is one that integrates several alerting, analytical and preventative tools into a central monitor and management best practice.
In a recent blog post, Art Coviello, the executive chairman at RSA, posed an important question. How do we move from traditional security to intelligence-driven security? In his answer he described that the quickly interdependent exchanges between parties (B2C, B2B, B2P, etc) have grown beyond the traditional means of securing the enterprise.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2622868&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 22 Apr 2013 10:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2622868</guid>
 <comments>http://security.sys-con.com/node/2622868#feedback</comments>
</item>
<item>
 <title>How to Re-imagine Your Business for a Mobile World</title>
 <link>http://security.sys-con.com/node/2615238</link>
 <description>There is little argument at this point that the mass adoption of mobile technology and bring-your-own-device (BYOD) strategies by enterprises is a true business technology revolution. At the core, the catalysts driving this revolution are the vast array of mobile devices leveraging soaring bandwidth – 4G – and super-fast internals – quad-core processors – which have become commonplace.
With this high-bandwidth, ultra-capable combination, end users see the productivity and convenience possible by running the newest, most sophisticated business applications on their own personal mobile devices.
And it’s not just end users who can benefit. A recent Symantec survey found that innovative companies – early technology adopters, especially of mobile technology – are seeing significantly higher revenue growth and higher profits than traditional organizations; in fact, by nearly 50 percent.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2615238&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 15 Apr 2013 08:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2615238</guid>
 <comments>http://security.sys-con.com/node/2615238#feedback</comments>
</item>
<item>
 <title>Ride The Crime Coaster</title>
 <link>http://security.sys-con.com/node/2612690</link>
 <description>Now that would be a fun amusement park ride – the Crime Coaster – with the hills and valleys designed based on crime statistic charts.  You can even get a digital photo of yourself as you fly thru the Tunnel of Turmoil.  Muuhahahahahahahahahah! 
With all the dire warnings of how cybercrime is the nation’s top priority, I was wondering how other crimes have been faring. And NO, this is not a for/against ‘gun control’ rant but for instance, is burglary losing its luster to smashing a server’s window? Since cyber crime is a billion-dollar business, will the door-to-door thief change tactics? Probably not for now but as physical, non-cyber crimes drop, does digital crime go up? Or, since ‘stealing something’ is the ultimate goal, as more available methods (like cyber) to accomplish the goal become available, does all crime go up? I should also note that crime stats should be taken with a grain of salt since law enforcement can only comment on the crimes that have been reported to them. Crimes like car theft are often reported due to insurance claims while other crimes, like domestic disputes, are underreported due to embarrassment or other hindering factors. Add to that, different jurisdictions have various scales of classification, penalties and measurement. Plus, the recent report that says few companies report that cybercrime results in big losses only adds to the confusion.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2612690&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 12 Apr 2013 10:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2612690</guid>
 <comments>http://security.sys-con.com/node/2612690#feedback</comments>
</item>
<item>
 <title>Adaptive Risk: Making Sure You Are Who You Say You Are</title>
 <link>http://security.sys-con.com/node/2606386</link>
 <description>Implement the predictive analytic process that is designed to assess/score risk attributes during authentication so that Access Management can determine whether to require the user to complete further authentication steps. 
Does this sound familiar? Ann, sitting at her desk eating lunch, is surfing the Net. She checks her personal Yahoo email account and sees a message from a purported survey company asking her about her music preferences. She opens the email and takes the survey. Seems harmless enough, but what Ann doesn’t know is that this survey company doesn’t exist and embedded in some of the survey prompts hides an undetected botnet that downloaded onto her desktop. This nasty bugger can record her keystrokes and take screen shots as she navigates through your network. Now some unauthorized entity has her login credentials, passwords…essentially her online/employee  identity and access to your enterprise’s proprietary assets and other sensitive data.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2606386&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 08 Apr 2013 09:30:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2606386</guid>
 <comments>http://security.sys-con.com/node/2606386#feedback</comments>
</item>
<item>
 <title>Switching the Locks: Who Has Copies of Your SSH Keys?</title>
 <link>http://security.sys-con.com/node/2603318</link>
 <description>Despite the recent flood of high profile network breaches, hacking attempts are hardly new. In 1995, I was attending school in Helsinki when I discovered a password “sniffer” attack in our university network. In response, I wrote a program called the “secure shell” to safeguard information as it traveled from point to point within the network. This new program shielded all of our data and ensured that these kinds of attacks didn’t jeopardize our logins.  
This program, SSH, works by developing an encryption key pair – one key for the server and the other key for the user’s computer – and encrypting the data that is transferred between those two keys. Currently, almost every major network environment – including those in large enterprises, financial institutions and governments – uses a version of SSH to preserve data in transit and let administrators operate systems remotely. Organizations use SSH to encrypt everything from health records to logins, financial data and other personal information.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2603318&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sun, 07 Apr 2013 12:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2603318</guid>
 <comments>http://security.sys-con.com/node/2603318#feedback</comments>
</item>
<item>
 <title>Security Strategies for Successful Small Businesses</title>
 <link>http://security.sys-con.com/node/2597981</link>
 <description>The majority of the people who put up their own businesses want financial independence. Even with the economic instability, a lot of people still risk their own money to put up that business they have always dreamed of. Success in business comes with a lot of risks, but if you know how to protect your investments, you are more likely to succeed.
Starting a small business poses fewer risks compared to big businesses, but keep in mind that this doesn’t dictate the percentage of success. To succeed, you should anticipate all possible threats to the business and be ready to address them when they arise. You should also pay close attention to every aspect of the business or at least have someone you trust in charge of things you cannot oversee yourself.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2597981&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 29 Mar 2013 09:44:29 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2597981</guid>
 <comments>http://security.sys-con.com/node/2597981#feedback</comments>
</item>
<item>
 <title>[berkman] Dan Gillmor on Living off the Privacy Grid</title>
 <link>http://security.sys-con.com/node/2596349</link>
 <description>Dan Gillmor is giving a Berkman lunchtime talk about his Permission Taken project. Dan, who has been very influential on my understanding of tech and has become a treasured friend, is going to talk about what we can do to live in an open Internet. He begins by pointing to Jonathan Zittrain’s The Future of the Internet and Rebecca MacKinnon’s Consent of the Networked [two hugely important books].
He says that the intersection of convenience and freedom is narrowing. He goes through a “parade of horribles” [which I cannot keep up with]. He pauses on Loic Le Meur’s [twitter:loic] tweet: “A friend working for Facebook: ‘we’re like electricity.’” If that’s the case, Dan says, we should maybe even think about regulation, although he’s not a big fan of regulation. He goes through a long list of what apps ask permission to do on your mobile. His example is Skype. It’s a long list. Bruce Schneier says when it comes to security, we’re heading toward feudalism. Also, he says, Skype won’t deny it has a backdoor. “You should assume they do,” he says. The lock-in is getting tighter and tighter. &lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2596349&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 28 Mar 2013 00:32:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2596349</guid>
 <comments>http://security.sys-con.com/node/2596349#feedback</comments>
</item>
<item>
 <title>Five Truths of Information Security</title>
 <link>http://security.sys-con.com/node/2590493</link>
 <description>Information security professionals often find themselves filling a critical but unique role within an organization. An effective security approach must balance required business operations and system availability while still ensuring the confidentiality and integrity of these same systems. Systems that are absolutely secure are not usable. Likewise, systems that are completely usable are absolutely not secure.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2590493&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 25 Mar 2013 06:45:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2590493</guid>
 <comments>http://security.sys-con.com/node/2590493#feedback</comments>
</item>
<item>
 <title>Fifteen Percent of NCAA Tourney Teams Breached in the Past Year</title>
 <link>http://security.sys-con.com/node/2589201</link>
 <description>Nearly 15% of universities competing in this year&#039;s NCAA tournament were breached during the past year. According to a database maintained by the Privacy Rights Clearinghouse, the following schools experienced some form of unintended data disclosure since July 2012.
In some cases, the breaches exposed social security numbers, usernames and passwords and other forms of personally identifiable information (PII). A good reminder that any institution handling information on behalf of students needs to take extra precaution to secure the data and ensure it&#039;s following disclosure rules laid out in the Family Educational Rights and Privacy Act.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2589201&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 22 Mar 2013 13:57:02 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2589201</guid>
 <comments>http://security.sys-con.com/node/2589201#feedback</comments>
</item>
<item>
 <title>McAfee Integrated into Android</title>
 <link>http://security.sys-con.com/node/2580983</link>
 <description>McAfee has announced the industry’s first white-listing security solution for Android embedded systems. 
McAfee Application Control for Android is the only security solution that resides in the Android operating system kernel. 
McAfee provides protection from the installation or execution of a malicious application on an Android-based device. It also provides protection at the application layer to Android devices. 
Previously, embedded engineers only had Security-Enhanced Linux (SELinux) if they wanted to have enforceable security capabilities for their embedded systems. &lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2580983&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sat, 16 Mar 2013 16:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2580983</guid>
 <comments>http://security.sys-con.com/node/2580983#feedback</comments>
</item>
<item>
 <title>Bromium Commits to Fixing Endpoint Security Also in the UK</title>
 <link>http://security.sys-con.com/node/2579938</link>
 <description>&quot;Since running with our first product in North America just five months ago, the global response has been remarkable,&quot; said Ian Pratt, co-founder and SVP of Products at Bromium, as Bromium, Inc. this week announced its arrival into the UK market with the general availability of its vSentry product.
&quot;A big part of our heritage is in the UK,&quot; he added,  &quot;So it made sense to push on from here; we&#039;re committed to growing our engineering presence in Cambridge as well as addressing the local market and branching out into Europe.&quot;&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2579938&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 15 Mar 2013 05:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2579938</guid>
 <comments>http://security.sys-con.com/node/2579938#feedback</comments>
</item>
<item>
 <title>RSA2013 &amp; Pulse2013 – The Video Outtakes</title>
 <link>http://security.sys-con.com/node/2571953</link>
 <description>Like the special features of a DVD, all the mistakes, flubs and bloopers from the RSA &amp; Pulse Conferences. It happens to the best of us.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2571953&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 08 Mar 2013 10:13:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2571953</guid>
 <comments>http://security.sys-con.com/node/2571953#feedback</comments>
</item>
<item>
 <title>Pulse2013 – That’s a Wrap</title>
 <link>http://security.sys-con.com/node/2570856</link>
 <description>I wrap it up from the #IBMPulse 2013 conference from the MGM Grand in Las Vegas. Special thanks to Ron Carovano for the invite along with Nojan Moshiri for showing the integration between BIG-IP ASM and IBM’s InfoSphere Guardium along with showing the BIG-IP APM and IBM Maximo solution. And a special Mahalo to Janice Merk for holding the camera this week. And to you, thanks for watching! Aloha.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2570856&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 07 Mar 2013 09:53:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2570856</guid>
 <comments>http://security.sys-con.com/node/2570856#feedback</comments>
</item>
<item>
 <title>Pulse2013 – IBM Maximo Optimization &amp; SSO with BIG-IP APM</title>
 <link>http://security.sys-con.com/node/2568985</link>
 <description>It’s an all Nojan week at the Pulse2013 conference at the MGM Grand! This time, he shows Peter Silva how to deploy Maximo Asset Management with the new Maximo iApp from F5 found on DevCentral along with how to configure acceleration and SSO for Maximo users. Increased performance for remote users along with the ease of deployment for administrators. Got Maximo? Get BIG-IP APM.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2568985&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 06 Mar 2013 10:45:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2568985</guid>
 <comments>http://security.sys-con.com/node/2568985#feedback</comments>
</item>
<item>
 <title>Pulse2013 – BIG-IP ASM &amp; IBM InfoSphere Guardium</title>
 <link>http://security.sys-con.com/node/2567121</link>
 <description>I meet with F5 Solution Architect Nojan Moshiri to learn about the integration between BIG-IP ASM and IBM’s InfoSphere Guardium offering real time data security along with contextual meta data associated with the SQL data. Each enhances the other to provide both defense-in-depth protection and contextual security information. Powerful stuff.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2567121&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 05 Mar 2013 09:28:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2567121</guid>
 <comments>http://security.sys-con.com/node/2567121#feedback</comments>
</item>
<item>
 <title>Pulse2013 – Gimme 90 Seconds: IBM Edition</title>
 <link>http://security.sys-con.com/node/2564961</link>
 <description>I welcome F5 Solution Architect Nojan Moshiri as his next contestant on the hit trade show game show, Gimme 90 Seconds. See if Nojan wins the coveted psilva autographed F5 squeeze ball if he’s able to answer how F5 products secure, optimize and provide high availability for IBM solutions. Had a little camera blip at the end so thanks to Janice Merk for handling the camera and Nojan for playing!&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2564961&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 04 Mar 2013 20:59:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2564961</guid>
 <comments>http://security.sys-con.com/node/2564961#feedback</comments>
</item>
<item>
 <title>Pulse2013 – Find F5</title>
 <link>http://security.sys-con.com/node/2564417</link>
 <description>Reporting from Las Vegas at the MGM Grand, I show you how to find F5 Booth E508 at the IBM Pulse2013 Conference.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2564417&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 04 Mar 2013 09:56:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2564417</guid>
 <comments>http://security.sys-con.com/node/2564417#feedback</comments>
</item>
<item>
 <title>RSA2013: That’s a Wrap</title>
 <link>http://security.sys-con.com/node/2560831</link>
 <description>I wrap up the RSA Conference 2013 from the Moscone Center in San Francisco. Special thanks to F5ers Ron Carovano, Jonathan George, Danny Luedke, Eric Swenson, Claire Delaney and Rinisha Jha. Also thanks to Tom Clare and Jonathan Knepher of Websense, Mark Elliott of Quarri Technologies and of course, WhiteHat Security’s Jeremiah Grossman. Another fun week covering F5 Security.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2560831&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 28 Feb 2013 23:17:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2560831</guid>
 <comments>http://security.sys-con.com/node/2560831#feedback</comments>
</item>
<item>
 <title>RSA2013: Interview with Jeremiah Grossman</title>
 <link>http://security.sys-con.com/node/2560830</link>
 <description>Peter Silva catches up with WhiteHat Security Founder &amp; CTO Jeremiah Grossman to talk about WhiteHat’s recent round of funding, vulnerabilities in mobile apps, the idea for companies to hack themselves first along with some trends regarding web vulnerabilities. Always fun to chat with one of InfoSec’s coolest dudes and a fellow local boy.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2560830&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 28 Feb 2013 21:33:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2560830</guid>
 <comments>http://security.sys-con.com/node/2560830#feedback</comments>
</item>
<item>
 <title>RSA2013: BIG-IP DNS Services</title>
 <link>http://security.sys-con.com/node/2558648</link>
 <description>Taking a moment from behind the camera to appear in frame with me, F5 PMM Jonathan George shares some excellent insight, along with a well-drawn whiteboard, on all the ways BIG-IP can secure and optimize your DNS services. Jonathan also closes out the video in style. This one was especially fun.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2558648&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 28 Feb 2013 01:16:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2558648</guid>
 <comments>http://security.sys-con.com/node/2558648#feedback</comments>
</item>
<item>
 <title>RSA2013: BIG-IP SSL/TLS Services</title>
 <link>http://security.sys-con.com/node/2558647</link>
 <description>I give up the mic to F5 Product Marketing Manager, Danny Luedke who promptly whiteboards his way through the many BIG-IP solutions to handle SSL/TLS. Certificate management, encryption, performance and other goodies are discussed.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2558647&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 28 Feb 2013 01:05:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2558647</guid>
 <comments>http://security.sys-con.com/node/2558647#feedback</comments>
</item>
<item>
 <title>RSA2013: Partner Spotlight – Quarri</title>
 <link>http://security.sys-con.com/node/2558645</link>
 <description>I chat with Mark Elliott, Founder and EVP of Quarri Technologies about the recent integration with Quarri’s armored browser technology. You can see the Quarri and BIG-IP Integration in the 1st ever Guest Edition of In 5 Minutes. Interesting Stuff.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2558645&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 27 Feb 2013 09:01:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2558645</guid>
 <comments>http://security.sys-con.com/node/2558645#feedback</comments>
</item>
<item>
 <title>RSA2013: Partner Spotlight – Websense</title>
 <link>http://security.sys-con.com/node/2558644</link>
 <description>I stop by the Websense booth at RSA to check out a demo of the F5 BIG-IP and Websense Integration. Tom Clare, Sr. Director Product Marketing shares some insight into the strategic agreement and Jonathan Knepher, Sr. Director Technology Alliance shows the BIG-IP integration.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2558644&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 27 Feb 2013 08:50:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2558644</guid>
 <comments>http://security.sys-con.com/node/2558644#feedback</comments>
</item>
<item>
 <title>RSA2013: Gimme 90 Seconds Security Edition</title>
 <link>http://security.sys-con.com/node/2556483</link>
 <description>I challenge two-time champ, Ron Carovano to name and explain his favorite security features in BIG-IP. See if he wins his 3rd psilva autographed F5 squeeze ball.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2556483&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 26 Feb 2013 20:32:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2556483</guid>
 <comments>http://security.sys-con.com/node/2556483#feedback</comments>
</item>
<item>
 <title>RSA2013: Find F5</title>
 <link>http://security.sys-con.com/node/2556482</link>
 <description>Follow, as I show you how to find F5 Booth 1354 at the RSA Conference along with the cool trinkets you can win playing the F5 Claw Game. Add to that, I close with a way off-key rendition of the Looney Tunes classic, This is It!&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2556482&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 26 Feb 2013 08:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2556482</guid>
 <comments>http://security.sys-con.com/node/2556482#feedback</comments>
</item>
<item>
 <title>RSA2013: Welcome to RSA</title>
 <link>http://security.sys-con.com/node/2551671</link>
 <description>I welcome you to the RSA Conference 2013 in the City By The Bay. Reporting from Sausalito, I talk a little about the theme ‘Security in Knowledge’ with an amazing shot of San Fran behind me.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2551671&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sun, 24 Feb 2013 23:05:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2551671</guid>
 <comments>http://security.sys-con.com/node/2551671#feedback</comments>
</item>
<item>
 <title>Burning Down the House for Fun and Profit</title>
 <link>http://security.sys-con.com/node/2547959</link>
 <description>What we saw this week was very similar to what we saw in 1962. What is most interesting in this case is that the bombshell was not dropped in a stuffy chamber full of wrinkly policy makers, nor was it used by the administration to draw a hard line under the Executive Order 13636 that President Obama signed last week. No, the story was brought to light by a single, private sector entity using unclassified information that was publicly available for anyone to put together. By doing so, a precedent has been set. Finally, the veil has been lifted. Now, the public was able to take a glimpse at an unseen threat that many within the security industry have been following closely for nearly a decade. A complex, intangible idea has a face, or rather a building, attached to it. &lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2547959&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 22 Feb 2013 11:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2547959</guid>
 <comments>http://security.sys-con.com/node/2547959#feedback</comments>
</item>
<item>
 <title>Inside Look: BIG-IP ASM Botnet and Web Scraping Protection</title>
 <link>http://security.sys-con.com/node/2550167</link>
 <description>I hang with WW Security architect Corey Marshall to get an inside look at the Botnet detection and Web scraping protection in BIG-IP ASM.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2550167&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 21 Feb 2013 11:53:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2550167</guid>
 <comments>http://security.sys-con.com/node/2550167#feedback</comments>
</item>
<item>
 <title>BYOD 2.0 – Moving Beyond MDM with F5 Mobile App Manager</title>
 <link>http://security.sys-con.com/node/2545950</link>
 <description>BYOD has quickly transformed IT, offering a revolutionary way to support the mobile workforce. The first wave of BYOD featured MDM solutions that controlled the entire device. In the next wave, BYOD 2.0, control applies only to those apps necessary for business, enforcing corporate policy while maintaining personal privacy. The #F5 Mobile App Manager is a complete mobile application management platform built for BYOD 2.0.

As more smartphones, tablets, and other types of mobile devices make their way into employees’ hands, requests for corporate access from those devices are increasing, which represents a huge challenge for IT departments. Not only has IT lost the ability to fully control and manage these devices, but employees are now demanding that they be able to conduct company business from multiple personal devices. Initially resistant to the idea due to security concerns, IT teams are slowly adopting the concept, but hesitantly, still concerned about the inherent risks of allowing personal devices to access and store sensitive corporate information.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2545950&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 21 Feb 2013 09:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2545950</guid>
 <comments>http://security.sys-con.com/node/2545950#feedback</comments>
</item>
<item>
 <title>What Is SFTP, and Why Is It More Effective Than FTP? </title>
 <link>http://security.sys-con.com/node/2533275</link>
 <description>With a rising number of security threats emerging in the industry, it is unsurprising that a tougher line is being taken with regard to Internet security procedures. Whilst preventative measures such as firewalls and IPS systems are a necessity for businesses, there is further concern surrounding the privacy and confidentiality of data that is being shared over the Internet.
Given that the Internet is an open network and businesses transfer large amounts of sensitive information on a daily basis, it is vital to have a secure method to send, receive and store valuable data. Hackers can attempt to access data from file shares where information is not encrypted. Banks and credit card companies are obvious targets for attack, but smaller, unsuspecting companies have also had their sensitive data compromised.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2533275&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 08 Feb 2013 15:10:34 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2533275</guid>
 <comments>http://security.sys-con.com/node/2533275#feedback</comments>
</item>
<item>
 <title>What Are DDoS Attacks and How Can You Prevent Them? </title>
 <link>http://security.sys-con.com/node/2532450</link>
 <description>Internet Security is a vital measure for any business to implement. Due to the Internet&#039;s global reach, it is becoming increasingly important to protect sensitive company data and networks. For multinational corporations and smaller businesses alike, the possibility of attack on a system or network is a daily concern.
Over the past few years Distributed Denial of Service (DDoS) attacks have become more frequent, more diversified and larger in scale. Unlike access attacks that enter security perimeters to gain information, DDoS attacks paralyze Internet systems by flooding them with useless traffic. Websites can be seized and crashed by hackers, which has severe implications and damages a business&#039;s reputation.
These DDoS attacks are an unfortunate inevitability of online business and are a huge threat to organizations. Even high profile companies are having to reconsider their security protocols following vicious attacks. As technology becomes more sophisticated and widespread, so do DDoS attacks, making the preventative measures so critical. Most typically, DDoS attacks are intended to cause widespread damage, especially those carried out by activists and international cybercriminals.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2532450&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 07 Feb 2013 12:44:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2532450</guid>
 <comments>http://security.sys-con.com/node/2532450#feedback</comments>
</item>
<item>
 <title>Is BYO Already D?</title>
 <link>http://security.sys-con.com/node/2531401</link>
 <description>About a year ago I wrote BYOD–The Hottest Trend or Just the Hottest Term just when #BYOD was burning up the #trendingtopics.  Since then, BYOD has become one of the most talked about IT challenges and at the top of many enterprise initiatives for 2013.  Most industry pundits and analysts alike believe BYOD is here to stay and will have a major impact both on business and how we use our personal mobile devices.  Now, as more organizations investigate and deploy BYOD solutions, some unforeseen costs are starting to toss BYOD for a loop.
A number of recent surveys, research and analysis indicate that the perceived cost savings might be a mirage.  The Aberdeen Group says BYOD could cost organizations 33% more than an IT-owned mobile device plan.  iPass’ Q4 Mobile Workforce Report suggests organizations are not considering long-term costs of BYOD, and in Damovo UK’s survey of 100 IT Directors, 73% feel that BYOD costs will ‘spiral out of control,’ with 69% skeptical that the BYOD shift will actually reduce support costs.  And Xigo, a provider of cloud-based expense management, reported that while cost savings is a top goal for BYOD programs, most respondents (67%) said their mobile expenditures had not changed with 25% saying their costs rose. Finally, in a survey by Lieberman Software, most respondents (67%) said BYOD would increase IT and security costs.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2531401&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 07 Feb 2013 09:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2531401</guid>
 <comments>http://security.sys-con.com/node/2531401#feedback</comments>
</item>
<item>
 <title>Managing Internal Threats</title>
 <link>http://security.sys-con.com/node/2529186</link>
 <description>The number of annual security incidents caused by insider threats continues to increase.  In The CERT Guide to Insider Threats, Cappelli et al. write, “Insider threats are an intriguing and complex problem. Some assert that they are the most significant threat faced by organizations today.” Disgruntled system administrators damage data and systems, skilled professionals steal intellectual property, and inferior employees use information to achieve political or financial objectives for their own gain.  Any of these can constitute a critical national defense breach or breach of public trust.
To defend against the damage or theft caused by insiders, an organization must hold every employee responsible for detecting and reporting both behavior and technical evidence indicating a possible employee defection from policy and compliance.  In addition, technical controls can help monitor suspected offenders and the overall network for evidence of criminal behavior.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2529186&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sat, 02 Feb 2013 11:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2529186</guid>
 <comments>http://security.sys-con.com/node/2529186#feedback</comments>
</item>
<item>
 <title>Inside Look – BIG-IP Advanced Firewall Manager</title>
 <link>http://security.sys-con.com/node/2529626</link>
 <description>If you enjoyed In 5 Minutes or Less: BIG-IP Advanced Firewall Manager, this is a much deeper dive into the BIG-IP AFM solution.  I introduce BIG-IP Advanced Firewall Manager (AFM) and have Josh Mendosa, Product Management Engineer, show a demo of BIG-IP AFM available with BIG-IP v11.3.  &lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2529626&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 01 Feb 2013 08:26:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2529626</guid>
 <comments>http://security.sys-con.com/node/2529626#feedback</comments>
</item>
<item>
 <title>New Cyber Threats within The Internet of Everything</title>
 <link>http://security.sys-con.com/node/2529145</link>
 <description>Cisco released findings from two global studies that provide a vivid picture of the rising security challenges that businesses, IT departments and individuals face -- particularly as employees become more mobile, blending work and personal lifestyles throughout their waking hours.&lt;br /&gt;
&lt;br /&gt;
Despite popular assumptions that security risks increase as a person&#039;s online activity becomes shadier, findings from the &lt;a href=&quot;http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html&quot; target=&quot;_blank&quot;&gt;Cisco 2013 Annual Security Report&lt;/a&gt; (ASR) reveal that the highest concentration of online security threats tend to target legitimate destinations visited by mass audiences -- such as major search engines, retail sites and social media outlets.&lt;br /&gt;
&lt;br /&gt;
Cisco found that online shopping sites are 21 times as likely, and search engines are 27 times as likely, to deliver malicious content as a counterfeit software site.&lt;br /&gt;
&lt;br /&gt;
Security risks rise in businesses because many employees adopt &quot;my way&quot; work lifestyles in which their devices, work and online behavior mix with their personal lives virtually anywhere -- in the office, at home and everywhere in between.&lt;br /&gt;
&lt;br /&gt;
The business security implications of this &quot;consumerization&quot; trend are magnified by a second set of findings from the &lt;a href=&quot;http://www.cisco.com/en/US/netsol/ns1120/index.html&quot; target=&quot;_blank&quot;&gt;Cisco Connected World Technology Report&lt;/a&gt; (CCWTR), which provides insight into the attitudes of the world&#039;s next generation of workers, Generation Y.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Why Today&#039;s Security Policies Must Evolve&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
According to the study, most Generation Y employees believe the age of privacy is over (91%), but one third say that they are not worried about all the data that is stored and captured about them. They are willing to sacrifice personal information for socialization online.&lt;br /&gt;
&lt;br /&gt;
In fact, more Generation Y workers globally said they feel more comfortable sharing personal information with retail sites than with their own employers&#039; IT departments -- the group that&#039;s paid to protect employee identities and devices.&lt;br /&gt;
&lt;br /&gt;
As Generation Y graduates from college and enters the workforce in greater numbers, they test corporate cultures and policies with expectations of social media freedom, device choice, and &lt;a href=&quot;http://business-technology-roundtable.blogspot.com/2013/01/why-business-leaders-must-manage-byod.html&quot; target=&quot;_blank&quot;&gt;mobile lifestyles&lt;/a&gt; that the generations before them never demanded.&lt;br /&gt;
&lt;br /&gt;
As the first chapter of the Connected World Technology Report indicated in December, Gen Y is constantly checking social media, email and text updates, whether it&#039;s in bed (3 of 4 surveyed globally), at the dinner table (almost half), in the bathroom (1 of 3), or driving (1 of 5).&lt;br /&gt;
&lt;br /&gt;
That lifestyle is entering work environments in greater numbers, spotlighting the future of work and how companies must consider competing for the next wave of talent. But what the security studies show is the next-generation workforce&#039;s lifestyles are also introducing security challenges that companies have never had to address on this scale.&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://4.bp.blogspot.com/-Ts3gs2hMad4/UQrQ-8-2pdI/AAAAAAAAAoM/omOfpaJv4Zw/s1600/new-connections-security-approaches.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;307&quot; src=&quot;http://4.bp.blogspot.com/-Ts3gs2hMad4/UQrQ-8-2pdI/AAAAAAAAAoM/omOfpaJv4Zw/s400/new-connections-security-approaches.jpg&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;b&gt;Are You Ready for Tomorrow&#039;s Security Challenges?&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Looking ahead, the &lt;a href=&quot;http://www.cisco.com/web/about/ac79/innov/IoE.html&quot; target=&quot;_blank&quot;&gt;Internet of Everything&lt;/a&gt; represents the largest online trend today.&lt;br /&gt;
&lt;br /&gt;
As more people, things and devices connect to the Internet, more data from more places will be introduced across corporate and &lt;a href=&quot;http://www.cisco.com/en/US/netsol/ns341/networking_solutions_service_provider_home.html&quot; target=&quot;_blank&quot;&gt;service provider&lt;/a&gt; networks -- which open up new vulnerabilities and a need for more sophisticated security approaches.&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;Exponentially more machine-to-machine (M2M) connections are coming online each day, leading to a proliferation of endpoints that extend far beyond mobile devices, laptops and desktops to an &quot;any-to-any&quot; scenario in which any device can connect to any cloud to any application across any network.&lt;/li&gt;
&lt;li&gt;By 2020, with an Internet open to an estimated 50 billion things, the number of connections balloons to more than 13 quadrillion (specifically, 13,311,666,640,184,600). Adding just one more &quot;thing&quot; (50 billion + 1) will increase the number of potential connections by another 50 billion.&lt;/li&gt;
&lt;li&gt;These new connections generate &lt;a href=&quot;http://www.cisco.com/web/solutions/data_center/data_motion.html&quot; target=&quot;_blank&quot;&gt;data in motion&lt;/a&gt; that needs to be protected in real time as it is evaluated for actionable insights through the network and before it&#039;s compromised and causes irreparable damages.&lt;/li&gt;
&lt;li&gt;For network security professionals, the focus becomes content-neutral plumbing -- shifting from the endpoint and the periphery to the network.&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&quot;Each year, the security threats and defenses change as a result of one another. The Cisco Annual Security Report is our expert research, highlighting global threat patterns and trends. When combined with findings from the Cisco Connected World Technology Report and how the next-generation workforce views security, there are unique, troubling and informative correlations and conclusions. Today, we live a blended work-personal life,&quot; said John N. Stewart, senior vice president, chief security officer, Global Government and Corporate Security, Cisco.&lt;br /&gt;
&lt;br /&gt;
Stewart added, &quot;The hackers know this, and the security threats that we encounter online such as embedded Web malware while visiting popular destinations like search engines, retailers, social media sites and smartphone or tablet apps no longer threaten only the individual; they threaten our organizations by default. This year&#039;s ASR highlights this and other trends while providing the hard data, and ideas, for &lt;a href=&quot;http://www.cisco.com/cisco/web/solutions/small_business/solutions/secure_my_business/index.html&quot; target=&quot;_blank&quot;&gt;how we should be approaching security&lt;/a&gt; today.&quot;&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2529145&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 01 Feb 2013 07:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2529145</guid>
 <comments>http://security.sys-con.com/node/2529145#feedback</comments>
</item>
<item>
 <title>Staying Secure in 2013</title>
 <link>http://security.sys-con.com/node/2527426</link>
 <description>The start of a new year is an opportune time to reflect on the achievements of the last twelve months and consider what needs to be accomplished over the next twelve. For consumers and professionals alike, the new year should serve as a timely reminder to think about their approach to online security in 2013. Indeed, caution should be exercised all year round, as the problem of online identity theft is obviously an annual problem rather than merely a seasonal one.

Caution should always be exercised, whether you are making an online bill payment with a bank, doing business online, accessing a site for news, entertainment or related to a hobby interest, or even accessing an online dating site. Of course, online security starts with common sense as much as it does with technology. While many sites provide a convenient and seemingly safe way to find information, news or share interests, you should always be careful about how much information you divulge about yourself to strangers online, as more unscrupulous people could be focused on capturing your identity. It is always wise therefore to be careful about sharing information relating to where you live and demographic details like your age, whether you are a student, working or retired. Equally, you should be careful about what personal images and photos you upload, as they offer another window into your life, possibly giving away clues that are useful to an online criminal.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2527426&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 31 Jan 2013 15:08:56 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2527426</guid>
 <comments>http://security.sys-con.com/node/2527426#feedback</comments>
</item>
<item>
 <title>Inside Look – SAML Federation with BIG-IP APM</title>
 <link>http://security.sys-con.com/node/2529079</link>
 <description>I get an Inside Look at BIG-IP&amp;#8217;s new #SAML #Federation functionality in v11.3 with Sr Security Solution Architect, Gary Zaleski. We cover BIG-IP as a SAML Service Provider (SP) and as a SAML Identity Provider (IdP). Watch how users can easily connect to Salesforce, SharePoint, Office365 and Google. Solving Substantiation with SAML. &amp;#160; ps Related: [...]&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2529079&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 31 Jan 2013 08:16:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2529079</guid>
 <comments>http://security.sys-con.com/node/2529079#feedback</comments>
</item>
<item>
 <title>In 5 Minutes or Less: BIG-IP Advanced Firewall Manager</title>
 <link>http://security.sys-con.com/node/2528225</link>
 <description>I show you the new BIG-IP Advanced Firewall Manager as part of the BIG-IP v11.3 release in around 5 minutes…or so.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2528225&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 30 Jan 2013 08:33:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2528225</guid>
 <comments>http://security.sys-con.com/node/2528225#feedback</comments>
</item>
</channel>
</rss>
