Mozilla Firefox, Internet Explorer, Apple Safari … the list of browsers goes on. Each browser has taken its own approach to embedding security features. Looking ahead, security pros see a future when reputation-related and validation technologies play a bigger part.
It's no secret that the Web is the No. 1 attack vector for hackers. That puts Web browsers on the front line of the war against malware, and leaves vendors to decide just how much security to embed in browsers.
The latest versions of the major browsers, from Microsoft Internet Explorer 8 to Google Chrome, have all sought to address security in their own ways. Microsoft, for example, is touting a number of security features in IE 8, from a cross-site scripting filter to clickjacking protection. Google turned to sandboxing in Google Chrome, and included an Incognito mode similar to IE 8's InPrivate Browsing.
Still, security pros expect to see more features designed to protect users embedded in browsers in the future. Dave Marcus, director of security research and communications at McAfee's Avert Labs, said browser security is generally in a state of flux. Looking ahead, he expects to see more reputation technologies embedded in the browser, possibly making use of behavioral and script evaluation technologies.
"With financial motivation driving malware, user data is under constant attack, and the browser is certainly one of the main attack points," Marcus said. "Provided users and businesses are staying current with security technologies, maintain patches and are informed as to trends, they can browse safely."
That may seem like a lot of conditions, particularly for typical home Web users. For them, the correct mantra could be, "The more embedded security, the merrier."
"As far as browser security features, anti-phishing was a very good step forward," Gartner analyst John Pescatore said. "I would like to see that broadened out to include malware sites in general, not just phishing sites … There are open-source services that list these—not as good as the pay sites like the Web security gateway companies—but better than not checking."
Pescatore continued, "I would also like to see browsers have some way of asserting, 'I am a browser that has a human typing at a keyboard controlling me,' so that Web sites could differentiate between actual human beings, bots, spiders, screen scrapers and other automated browser actions. This would take a coordinated effort between the browser companies and the Web server—basically Microsoft and Apache—to do this right. It doesn't have to be perfect, just has to be hard (not impossible) to hack, to have value."
Officials at Mozilla and Microsoft, asked recently, did not do much speculating as to what the future holds for browser security. Microsoft highlighted the new features of IE 8; Mozilla, maker of Firefox, spoke of the importance of blacklisting rogue sites.
Addressing some problems, such as clickjacking, will likely mean working alongside researchers. Over the course of IE 8's development, Microsoft worked closely with those in the security research community to stay on top of new classes of threats, Microsoft officials said.
For vendors, cooperation may be the buzzword of the future.
"Symantec views efforts by browser vendors to increase security in their products as part of a necessary and desirable process to better protect consumers and enterprises … [It's] a partnership rather than a competition," said Dean Turner, director of the Global Intelligence Network at Symantec Security Response.
From: www.eweek.com
Tuesday, February 3, 2009
Monday, February 2, 2009
Data Breaches Costing More than Money
A study by the Ponemon Institute found the average cost of data breaches - from detection to notification to lost business - is rising. The No. 1 cost to companies is lost business, which now accounts for 69 percent of total costs.
Data breaches are costly, and they are not getting any cheaper – particularly breaches due to third parties.
But data breach costs don't just come in the form of a line item expense tied to notification. They also come in the form of lost business opportunity, which is far and away the most expensive part of a data breach, according to a new study by the Ponemon Institute.
According to its survey, which was sponsored by PGP, the average cost of a data breach from detection to notification and response was $202 per record in 2008. That’s an increase from $197 per record in 2007.
According to the study, lost business accounted for 69 percent of data breach costs in 2008, up from 65 percent in 2007 and 54 percent in 2006.
Ponemon based its findings on the experiences of 43 organizations that suffered data breaches. Eighty-four percent of those organizations had experienced a breach in the past.
Like other studies, Ponemon reported that most breaches were not due to hackers, but negligence of insiders. Breaches by third-party organizations such as outsourcers, contractors and consultants were reported by 44 percent of respondents, more than double the percentage in 2005. Third-party breaches tended to cost $52 more per record, averaging $231.
“My sense is that a lot of customers still have put far more effort into protection from the external threat than the internal threat,” said Mark McClain, CEO of identity and access management vendor SailPoint Technologies. “They have a lot more in place to protect them against the infamous eastern European hacker than they do the rogue employee.”
However, as we saw in the case of the Heartland Payment Systems breach and numerous incidents before that, cyber-crooks always have their eyes on corporate data. In the case of Heartland, the company first received word from Visa and MasterCard of suspicious activity involving credit card transactions it processed. It then began an investigation and found hackers had planted malware on its systems.
Once a breach happened, enterprises tended to invest in training and pursue encryption.
“The first thing they seem to do is they implement manual procedures and training, which makes sense given that so many of these breaches are caused by a negligent insider,” said Larry Ponemon, chairman of the institute. “But from a technology perspective it appears that the most frequently used technology after a breach is encryption and a more holistic and strategic use of encryption seems to be implied by our researcher findings.”
Since announcing the breach, officials at Heartland have established an internal department dedicated exclusively to the development of end-to-end encryption to protect merchant and consumer data in financial transactions.
Heartland CEO Robert O. Carr said that while the Payment Card Industry Data Security Standard is effective, the sophistication of cyber-thieves requires additional steps.
“There is no single silver bullet that will secure payment systems, and constant vigilance and monitoring of the infrastructure will always be required,” he said in a statement. "Nevertheless, I believe the development and deployment of end-to-end encryption will provide us the ability to implement increasing levels of security protection as they become needed.”
The idea that being PCI compliant may not fully protect customers or businesses has led to debates about the role of legislation in IT security. Though he agreed including guidelines about security technology in regulations is good, there is a danger that laws can fall too far behind the times, Ponemon warned.
“There is always a lag to regulations,” he said. “Today they say you must do this type of encryption or that type of software protection but they are not cognizant of all the other big monstrous security threats and as a result what you implement is probably not state-of-the-art. You want to have some flexibility to innovate…not have laws that restrict innovation.”
From: www.eweek.com today 10:44AM
Sunday, May 11, 2008
Nmap on Vista !!!
Hi all, I just learned today that nmap version 4.11 isn't able to work in the MS Windows Vista environment (at least in the Ultimate version)!! I found this problem because I tried to use it to scan a website for details.
First, I tried to run nmap in the Zenmap GUI that I had just loaded onto my laptop (actually it's my company's laptop :P) with the default options, and then I found:
getinterfaces: intf_loop() failed
"Oh!! What the hell is going on!?!!" Then I searched for this problem with Google and found that I'm not the only one having it (that's a big relief, huh?). So I found that the problem is in intf-win32.c of libdnet (need to define MIB_IF_TYPE_MAX to MAX_IF_TYPE rather than 32) [1].
However, I can't fix this problem with my own effort :P, so I continued searching for other results and found a solution that lets me use nmap without touching its code :D. The reference site claimed that he experimented with nmap and it worked properly when he bypassed WinPcap. You can see the details in the reference URL I've mentioned:
http://www.nabble.com/RE:-Nmap-crash-under-Vista-p13521497.html
I hope it'll help you fix this problem!! ; )
References:
[1] : http://archives.neohapsis.com/archives/nmap/2006/0016.html
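Why the constant matters, as an added illustration that is not libdnet's source and not part of the original post: libdnet sorts the rows of the Windows interface table into one bucket per interface type, and the bucket array is sized by MIB_IF_TYPE_MAX (32). Vista reports adapters with IANA ifType values above that (a tunnel adapter is type 131, an 802.11 adapter is type 71), so the row fails the bounds check and the whole refresh is abandoned, which is the "intf_loop() failed" error. The struct layout, function names and the interface list below are assumptions; the ifType numbers and the MAX_IF_TYPE value of 256 from the Windows SDK's ipifcons.h are real.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the libdnet failure described above; not libdnet's
 * source.  The struct layout, function names and interface list are
 * assumptions; the constants are the Windows SDK / IANA values. */
#define MIB_IF_TYPE_MAX 32   /* the old bound: only types 0..31 fit */
#define MAX_IF_TYPE     256  /* ipifcons.h bound covering the IANA ifType space */

/* IANA ifType values, which is what Windows reports in MIB_IFROW.dwType */
#define IF_TYPE_ETHERNET_CSMACD   6
#define IF_TYPE_SOFTWARE_LOOPBACK 24
#define IF_TYPE_IEEE80211         71
#define IF_TYPE_TUNNEL            131

struct mib_ifrow { unsigned long dwIndex; unsigned long dwType; };

/* Constructed interface table: a Vista host with a wireless adapter and a
 * tunnel (6to4/Teredo-style) adapter.  Sample data, not captured output. */
static const struct mib_ifrow vista_table[] = {
    { 1, IF_TYPE_SOFTWARE_LOOPBACK },
    { 2, IF_TYPE_ETHERNET_CSMACD },
    { 3, IF_TYPE_IEEE80211 },
    { 4, IF_TYPE_TUNNEL },
};
#define VISTA_ROWS ((int)(sizeof vista_table / sizeof vista_table[0]))

/* One bucket per interface type, holding the MIB indexes of that type. */
struct ifcombo { unsigned long idx[8]; int cnt; };

/* Sort rows into per-type buckets.  'ntypes' is the bucket array length;
 * a row whose type does not fit is rejected instead of written out of
 * bounds, and the whole refresh fails (-1), which is what surfaces as
 * "getinterfaces: intf_loop() failed".  Returns rows accepted otherwise. */
static int refresh_tables(struct ifcombo *combo, int ntypes,
                          const struct mib_ifrow *rows, int nrows)
{
    memset(combo, 0, sizeof *combo * (size_t)ntypes);
    for (int i = 0; i < nrows; i++) {
        unsigned long type = rows[i].dwType;
        if (type >= (unsigned long)ntypes)   /* bounds check before indexing */
            return -1;
        struct ifcombo *c = &combo[type];
        if (c->cnt < (int)(sizeof c->idx / sizeof c->idx[0]))
            c->idx[c->cnt++] = rows[i].dwIndex;
    }
    return nrows;
}

/* Helper: run the refresh over the sample table with a given bound. */
static int accepted_with_bound(int ntypes)
{
    static struct ifcombo combo[MAX_IF_TYPE];
    return refresh_tables(combo, ntypes, vista_table, VISTA_ROWS);
}

/* Helper: first MIB index recorded for 'type' under a given bound, 0 if none. */
static unsigned long first_index_of_type(int ntypes, unsigned long type)
{
    static struct ifcombo combo[MAX_IF_TYPE];
    if (refresh_tables(combo, ntypes, vista_table, VISTA_ROWS) < 0 ||
        type >= (unsigned long)ntypes || combo[type].cnt == 0)
        return 0;
    return combo[type].idx[0];
}

int main(void)
{
    printf("bound %3d: %d\n", MIB_IF_TYPE_MAX,
           accepted_with_bound(MIB_IF_TYPE_MAX));
    printf("bound %3d: %d (tunnel adapter is MIB index %lu)\n", MAX_IF_TYPE,
           accepted_with_bound(MAX_IF_TYPE),
           first_index_of_type(MAX_IF_TYPE, IF_TYPE_TUNNEL));
    return 0;
}
```

With the 32-entry bound the refresh returns -1 as soon as it reaches the type-131 row; with the 256-entry bound all four rows are accepted and the tunnel adapter lands in its bucket. The point for anyone patching this by hand: widen the array and keep the bounds check. Deleting the check instead would turn a clean "intf_loop() failed" into an out-of-bounds write into whatever follows the bucket array.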
Sunday, March 30, 2008
Welcome to AAIS blog
Hello everyone!! Finally, I've decided to open this blog and intend to continuously write topics about Information Security. I hope my experiences and interests are recorded somewhere (following the knowledge management aspect). As I've just started writing articles, my early articles may have some mistakes. If you have any suggestions, please feel free to tell me. I'm pleased to receive every comment on my articles. Thank you :)