Monthly Content
Up-to-Date Content On IT Security
In this section of our website, SEC Consult, the leading IT Security service provider and the leading content providers L.S.Z. / Giga / Forrester offer up-to-date content on IT security for free.
July 2008: Survival kit for security and privacy in IT outsourcing deals
Global spending on IT services and outsourcing was estimated at $488 billion in 2007 and is predicted to rise an additional 9% in 2008. Organizations engaged in outsourcing will require sufficient security and privacy controls to protect their investments and reduce risks to their sensitive information. Security and privacy professionals should be an integral part of the outsourcing process, from developing the request for proposal to signing the contract. But the job isn’t complete just because the contract has been signed; the outsourcing relationship needs to be monitored, the contract components need to be enforced, and business value needs to be realized.
[PDF 14 pages, 296 kB]

April 2008: CISO Agenda: Embrace Change
It’s amazing how little progress in the organization of security we see year after year. The only change that we see is the intensity of some of the incidents. CISOs are finally getting the visibility that they had been asking for, but in order to be taken seriously, they need to change their way of doing things. Results from surveys attest that CISOs are looking at the right issues; what’s still missing is the business-centric approach. Our current newsletter proposes 10 changes to bring security and business closer together.
[If you want detailed information about the article please contact office@sec-consult.com]
[PDF 7 pages, 237 kB]

January 2008: Mobile Authentication Marries Security With Convenience
Financial institutions seeking to expand their online and mobile banking offerings to their entire customer base face the age-old challenge of balancing security with usability. Many banks feel trapped: Fail to implement strong authentication and incur the wrath of auditors, or roll it out and risk losing customers that find it too inconvenient to use. These banks often compromise on a method that ticks the boxes on audit sheets but fails to deliver strong security. But several vendors now leverage the near ubiquity of mobile phones to provide a range of secure, effective, and convenient methods of customer authentication. Mobile authentication can be the linchpin that holds together online banking, mobile banking, and mobile payments in a way that marries security with convenience — increasing the chances that banks will heed the advice of their security professionals. To sell all sides on the value of mobile authentication, look for solutions that offer several levels of convenience to make customers happy on the front end and a flexible, modular architecture to ease management on the back end.
[If you want detailed information about the article please contact office@sec-consult.com]
[PDF 16 pages, 391 kB]

August 2007: The Evolving Security Organization
In the past few years, the IT security role has transformed itself into the cross-functional information risk management role. Many companies try to structure their security and risk organizations properly and effectively, and the recurring problems are reporting relationships and staffing decisions for this evolving role. The roles, responsibilities, staffing, and reporting structure should be based on the company’s size, industry, maturity, and corporate organizational structure; most importantly, an organization’s culture should dictate its security organization archetype. Creating a security steering committee can help achieve these objectives.
[If you want detailed information about the article please contact office@sec-consult.com]
[PDF 14 pages, 360 kB]

July 2007: You’ve Got Encrypted Email
Companies increasingly want to exchange sensitive data with clients and partners over email. Consequently, many are looking to adopt centrally managed email encryption and find no shortage of vendors offering their own solutions. Read our July newsletter to find out how organizations can look to a solution that fits in with their overall data encryption strategy and still maintains the required level of control over information entering and leaving the organization.
[If you want detailed information about the article please contact office@sec-consult.com]
[PDF 5 pages, 95 kB]

June 2007: Virtualization: Impacts on Security
Server virtualization is becoming more and more popular. But many security managers are wary of the technology because they don't know what server virtualization means for security. The good news: most current security policies can be applied to a virtualized server environment. However, server virtualization brings both risks and rewards. Read on to find out whether the net benefits of server virtualization outweigh its security drawbacks.
[If you want detailed information about the article please contact office@sec-consult.com]
[PDF 8 pages, 136 kB]

May 2007: Security Breaches - the True Costs
It's more than just losing money. Although studies may not be able to determine the exact cost of a security breach in your organization, the loss of sensitive data can have a crippling impact on an organization's bottom line. Therefore it's important to be able to make an educated estimate of its cost.
This month's newsletter deals with the direct and indirect costs of security breaches.
[If you want detailed information about the article please contact office@sec-consult.com]
[PDF 7 pages, 144 kB]

December 2005: BS 7799-2 and ISO 27001
On October 18th 2005, the long-awaited new version of the security standard BS 7799-2 was released as ISO 27001. As technical security cannot tap its full potential without the underlying organisational processes, the new standard is an important guideline for companies that set a high value on security. The most important changes as well as tips on implementation have been summarized in our recent newsletter.
[If you want detailed information about the article please contact office@sec-consult.com]

September 2005: Increasing Organized Crime Involvement Means More Targeted Attacks
Attacks on computer security infrastructure used to be little more than indiscriminate acts of vandalism perpetrated by hackers who desired bragging rights more than anything. But the perpetrators of attacks and their motivations have changed. The resulting increase in attack sophistication means that companies must adopt a more vigilant and correspondingly sophisticated approach to defending their environments.
[If you want detailed information about the article please contact office@sec-consult.com]

August 2005: Mobile VPNs - Securing Mobile Remote Access
Enterprises are going mobile and looking to deploy an increasing number of applications across wireless technologies like WLAN and 2.5/3G networks. These enterprises can’t afford to ignore security, which means deploying a remote access VPN. But today’s standard IPsec and SSL VPNs just aren’t cutting it. The technology is emerging and firms need to look for vendors like Columbitech, NetMotion Wireless, and IBM that offer true mobile VPN products.
[If you want detailed information about the article please contact office@sec-consult.com]

July 2005: Do Internet Browsers Open Doors for Cybercriminals?
Internet Explorer and Firefox use different security models in order to protect users. Is this enough? SEC Consult explains how to protect yourself. [PDF, 5 pages, 160 kB]
As uncovered by SEC Consult last month, vulnerabilities in browsers can be an enormous security risk for users surfing the Internet. [Details of the vulnerability in Internet Explorer uncovered in June by SEC Consult]

May 2005: IT's Role In Enterprise Risk Management
Increased regulation and more stringent contractual obligations have resulted in greater accountability for corporate officers when it comes to managing risk in their organization. Companies are facing pressure to adopt a comprehensive approach to risk management, and nowhere is this more evident than in the IT department.
[If you want detailed information about the article please contact office@sec-consult.com] 
April 2005: Secure Online Card Activation Isn't
Far from increasing eCommerce security, the online card activation procedures for MasterCard SecureCode and Verified by Visa actually create new opportunities for identity thieves to exploit well-known but untreated vulnerabilities of the Web infrastructure. To protect what little remains of customer trust and to limit fraud loss exposures, financial services firms will have to carefully redevelop and re-implement a number of their online applications. [If you want detailed information about the article please contact office@sec-consult.com] 
March 2005: IT Policies And Procedures: A Table Of Content
With all of the focus on Sarbanes-Oxley and compliance in general, IT governance has become one of the top priorities for many organizations. Part of any IT governance process is a set of documented policies and procedures that govern everything from procurement to security. Forrester has developed an IT policies table of contents (TOC) to assist clients in getting started with the process of creating documented IT policies and procedures. This TOC represents a logical framework for organizing and developing a comprehensive set of policies. [If you want detailed information about the article please contact office@sec-consult.com] 
February 2005: Windows Privilege Management
For historic reasons, Windows users consider their desktop PCs to be single-user systems. Whereas it is not common to do standard tasks as "root" on a Linux box, a standard Windows installation provides you with a default user that has admin privileges, thus giving viruses and trojans a head start. [PDF, 3 pages, 153 kB] 
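The point above is easy to check on any machine: whether the account doing day-to-day work is a local administrator, and whether the running session's token actually carries admin rights (the two differ under UAC, where a member of Administrators runs with a filtered token until elevated). The script below is an added example written for this page, not code from the SEC Consult newsletter or the PDF; it assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later, where Get-LocalGroupMember ships in the Microsoft.PowerShell.LocalAccounts module.

```powershell
# Added example (not from the SEC Consult newsletter): audit local admin rights
# for the account running this session. Assumes Windows PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later).

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

# Does the *current token* carry the Administrators group? This is what malware
# running in this session would inherit. With UAC enabled, an admin user who
# has not elevated gets a filtered token, so this is False until elevation.
$tokenIsAdmin = $principal.IsInRole($adminRole)

# Is the *account itself* a direct member of the local Administrators group?
# Queried by well-known SID S-1-5-32-544 so it works regardless of the group's
# localized name. Membership through nested domain groups is not expanded here.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'
$accountIsAdminMember = [bool]($admins | Where-Object { $_.SID -eq $identity.User })

[pscustomobject]@{
    User                 = $identity.Name
    TokenIsElevated      = $tokenIsAdmin
    MemberOfAdministrators = $accountIsAdminMember
}

# Everyone who can obtain admin rights on this machine. Day-to-day user accounts
# should not appear in this list; move them to a standard user account.
$admins | Select-Object Name, ObjectClass, PrincipalSource
```

If MemberOfAdministrators is True for an account used for browsing and email, the head start described above applies: any code that account runs can elevate (with UAC, after a single consent prompt; without it, silently). The fix is to make that account a standard user and keep a separate administrator account for installation and maintenance tasks only.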
January 2005: SSL VPNs Poised For Significant Growth
SSL has emerged as the remote-access VPN technology of choice. In the past two years, adoption has climbed to 44% of all North American enterprises having started or completed SSL VPN rollouts. Financial services is the most aggressive vertical deploying SSL VPN, with 56% currently using the technology. As the market continues to mature, the top-tier vendors will find other vertical industries where SSL VPNs help solve specific business and regulatory issues.
[If you want detailed information about the article please contact office@sec-consult.com] 
Nov. 2004: Web Application Security Certification
Web application security vendors recently teamed up with security product certification firm ICSA Labs to introduce a set of certification criteria for Web application security products. This effort is a positive first step to start the standards process in application security, but it must not stop here. Web application security product customers should push for standards created by a collaborative body in which they can participate.
[If you want detailed information about the article please contact office@sec-consult.com] 
Oct. 2004: The Role of Audit in IT and Security
The current organizational focus on risk management, governance, and compliance has, for some, blurred the role of audit. Information security is one particular area of concern because many organizations have not built a real management structure for it and have allowed audit to lead the charge. Management should strive to build a collaborative relationship with the audit department to facilitate input and measurement of IT and security management practices.
[If you want detailed information about the article please contact office@sec-consult.com] 
Sep. 2004: Managing and Securing Mobile Devices
As the use of handheld devices in the enterprise continues to expand, organizations will need to manage the devices to control costs and limit security risks. Because many employees use their own devices to store company information, companies often don’t have control of the devices or how the information is protected. Unmanaged mobile devices represent one of the most serious and often overlooked security threats to the enterprise.
[If you want detailed information about the article please contact office@sec-consult.com] 
Aug. 2004: Email Validation Is Coming: Plan Now
Specifications are emerging that will provide greater validation that email comes from the purported sender. The use of email validation technologies will eliminate, or at least make much more difficult, spammers' ability to hide their identities.
[If you want detailed information about the article please contact office@sec-consult.com] 
Jul. 2004: IT Spending Continues To Focus On Security
Security remains a top priority for IT buyers. In fact, a recent Forrester survey shows that 66% of North American enterprises plan to purchase security products by the end of the year, up from 52% that projected purchasing the technology going into 2004. On average, North American and European enterprises expect to spend 7.9% of their IT budgets on security in 2004.
[If you want detailed information about the article please contact office@sec-consult.com] 
Jun. 2004: Security Assurance in Software Development Contracts
Business runs on software. Insecure software weakens the confidentiality, integrity, and availability of business processes. This results in lost revenue, a decline in stakeholder value, liability, breaches of regulatory compliance, and a weakened reputation. It is time for organizations to require secure code in their development contracts. Contract requirements should include a right to audit the code, vulnerability remediation, definition of secure development practices, and the establishment of a security assurance warranty.
[If you want detailed information about the article please contact office@sec-consult.com] 
May 2004: Combating fraud in financial services
With the expansion of the Internet and the increase in online financial transactions, financial services companies have become more vulnerable to fraud. As online transaction capabilities expand, so do the cleverness and capabilities of criminals, making it imperative that financial institutions remain on top of criminal techniques and remedies.
[If you want detailed information about the article please contact office@sec-consult.com]
Apr. 2004: Is Linux more secure than Windows?
Microsoft gets a bad rap for security, while many believe that Linux is relatively secure. A fair assessment? Not really: After collecting a year’s worth of vulnerability data, Forrester’s analysis shows that both Windows and four key Linux distributions can be deployed securely. Key metrics include responsiveness to vulnerabilities, severity of vulnerabilities, and thoroughness in fixing flaws.
[If you want detailed information about the article please contact office@sec-consult.com]
Mar. 2004: Best Practices: Desktop Security
A growing number of viruses, worms and other attacks threaten to compromise desktop security. The sheer volume of security threats, combined with the need to manage remote locations or business units, puts significant pressure on IT to develop standard security policies at the desktop. However, most firms do little to secure desktops and laptops properly against emerging threats. A single security breach related to regulation or legislation can put companies at significant risk of a significant financial loss or public relations disaster.
[If you want detailed information about the article please contact office@sec-consult.com]
Feb. 2004: Wireless LAN Security: Best Practices
Wireless LAN attracted a lot of negative attention in 2001/2002; by now that has died down. Despite the past concerns, the technology is slowly but surely establishing itself in business. Ensuring that security policies cover this new technology is therefore becoming more important.
[If you want detailed information about the article please contact office@sec-consult.com]
Dec. 2003: IT Trends 2004: Application Security
Within IT security, application security has become the hot topic. Unlike infrastructure security, application security is still relatively unexplored.
Development trends for 2004 are single sign-on (SSO), application firewalls, and security checks.
[If you want detailed information about the article please contact office@sec-consult.com]
Nov. 2003: What's the job of a Chief Security Officer?
The Chief Security Officer's primary goal is the efficiency and effectiveness of the staff, of service provision, of work processes, and of technical applications.
In short, it is up to the Chief Security Officer to treat security as a comprehensive and continuous business process and to manage it accordingly.
[If you want detailed information about the article please contact office@sec-consult.com]