VeriSign Security Review - June 2006

An eventful Microsoft patch week passed with no significant new exploits. Security managers should nevertheless remain vigilant, as unpatched issues remain. Last month also saw the painful demise of the anti-spam startup Blue Security, forced offline by the money-hungry spam and phishing industry. VeriSign continues to monitor spam, phishing, and other malicious activities to help customers stave off costly attacks.

In this issue:

Hot Topics

Standards and Regulations

News from VeriSign

Ask a VeriSign Consultant

Security Events

Hot Topics

Phishing Attacks Against American Banks Increase

Phishing attacks against US financial organizations have increased to some 62 percent of all phishing scams noted, while identity fraud attacks against European targets have been dropping, according to a recent survey by RSA Security. Nevertheless, Germany recently outpaced China as the second worst country for hosting phishing attacks (14 percent of attacks), followed by China, the UK and South Korea. Of identity fraud attacks worldwide, 40 percent of non-US attacks are aimed at Spain, Germany and the Netherlands, according to the survey (Thomas, Daniel, “Phishing attacks against Europeans drop,” June 14, 2006, http://www.computing.co.uk/computing/news/2158229/phishing-attacks-against ).

Back to Top

Monthly Threat Summary

The VeriSign iDefense Threat Level was raised to Elevated, or Level 3, and remained there due to concerns over the recent slew of Microsoft vulnerabilities. Despite Microsoft's June 12 patch, VeriSign iDefense believes that the existence of unpatched issues in an application with the prevalence of Excel warrants an elevated alert level.

The Mozilla Foundation has released thirteen security advisories describing vulnerabilities in Mozilla Firefox, SeaMonkey, Camino, and Thunderbird. These vulnerabilities allow attackers to execute arbitrary machine code in the context of the vulnerable application, crash affected applications, or gain access to potentially sensitive information.

The authors behind the Turkojan remote administration tool (RAT) announced the release of v.3.0 of their product in postings on a variety of cyber crime-related forums. Turkojan is a RAT designed to steal a victim's passwords and other sensitive information.

A new worm that initiates contact with unsuspecting Internet users by sending an America Online Instant Messenger (AIM) message from a user's buddy list emerged in May. The message promises new photos and includes a hyperlink that directs victims to a fake logon page for the popular social-networking site MySpace. Once a user logs on, the fake Web page obtains the username and password, and then redirects the user to the legitimate logon page. With this information, a hacker could access a victim's MySpace page to obtain personal information (such as home address, full name and date of birth) that could be used for identity theft.

Back to Top

The Demise of Blue Security

Continued denial-of-service attacks last month brought down the anti-spam startup Blue Security. The Israel-based company had 500,000 users and had been successful in getting some spammers to use its open-source mailing list scrubber. Other, more malicious spammers, however, launched massive attacks from zombie computers and flooded Blue Security's database servers. The company decided to take down its service to prevent the damage from spreading to the rest of the Internet community.

Back to Top

Assessing Geopolitical Threats Via Data Analysis

A crucial role of security intelligence is determining the geographical location of salient cyber activity and its underlying motivations. Known as geopolitical intelligence, this information is often crucial in providing context for prevention and mitigation strategies. VeriSign iDefense takes a discerning look into the data that organizations commonly use to make such determinations and illustrates how the research and analysis can transform seemingly undirected data into actionable intelligence.

Open-Source Statistics

There is no “one-stop shop” for Internet statistics. As with any Internet search, the analyst must question the accuracy, timeliness, and objectivity of the information provided from search results. Even assuming perfect data, however, collecting and collating intelligence from millions of sources is an impossible task.

Proprietary Statistics

Proprietary data are generally more accurate than open-source statistics, but the analyst must, once again, question their accuracy, timeliness, and objectivity. An example of constrained data appeared in Symantec Corporation's recent semi-annual threat report (Symantec Corp, March 2006). The chart identified bot infections by country for the second half of 2005, which the publisher deemed an important indicator of bot-related attacks in specific geographic locations. For the July-December 2005 timeframe, the U.S. and U.K. are identified as having the highest percentages of bot-infected computers, 26 percent and 22 percent, respectively. China came in third at 9 percent, according to the published data. Interestingly, neither of the hotspot countries Russia and Brazil made the Top 10 list. The data is most likely accurate within the scope of Symantec's own measurements. Given the limitations of the data collection methodology, however, the statistical statement it makes about worldwide bot infections is probably specious at best.

Data Samples: Analysts Must Consider the Scope

For a statistically valid argument about worldwide bot attacks, the same percentage of computers from each area studied should be included in the sample population. Symantec's sample population consists only of computers that have Symantec's anti-virus application installed. A similar visual illustration of this point can be found in a world map of virus and spam origins as determined by Postini's email security and integrated message management solutions. Charts at http://www.postini.com/stats/ show data from Ethiopia and Brazil, detailing virus and spam origins in those countries. While independent analysis supports the conclusion that southern Brazil harbors many sophisticated cyber crime actors, Ethiopia's role in cyber crime (and its infection rate) has yet to be determined. Yet the Postini assessment shows the two countries at similar levels for both viruses and spam.

Thus, without knowing the exact nature of the data displayed, the conclusions drawn from these data sources call for further scrutiny. Comparing the above data with those from ClickZ.com and the CIA World Factbook, for example, one notices that Brazil, a large source of spam, is among the countries with more than 20 million Internet users, while Ethiopia is not.
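The scope argument above can be made concrete. The following is an added example, not iDefense's, Symantec's or Postini's code, and every number in it is constructed rather than taken from the reports discussed. It ranks four countries three ways from the same observations: by raw share of what a vendor's sensors saw (what a published chart usually shows), by share after dividing out each country's sensor coverage, and by infections per 1,000 Internet users from an independent denominator. The per-country coverage figures are the assumption the review says is missing from such charts; with unequal coverage the three rankings disagree, and the `sample_is_balanced` check states the review's condition for when they would agree.

```python
"""Why a vendor's "infections by country" chart needs normalising (added example).

Constructed numbers; not the Symantec or Postini figures discussed above.
The review's criterion is that a worldwide claim needs the same fraction of
hosts sampled in every country.  When coverage differs, dividing each
country's observed count by the fraction of its hosts the sensors cover
estimates the population count, and an independent denominator such as the
number of Internet users turns that into a rate.  The three rankings below
come out in three different orders from the same observations.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class CountryObs:
    country: str
    observed_bots: int      # infections the vendor's sensors reported
    sample_coverage: float  # fraction (0, 1] of the country's hosts those sensors see
    internet_users: int     # independent denominator (e.g. a population statistic)


# Constructed sample: heavy sensor coverage in the US/UK, thin in China/Brazil.
SAMPLE: List[CountryObs] = [
    CountryObs("US", observed_bots=2600, sample_coverage=0.50, internet_users=200_000_000),
    CountryObs("UK", observed_bots=2200, sample_coverage=0.55, internet_users=35_000_000),
    CountryObs("China", observed_bots=900, sample_coverage=0.05, internet_users=110_000_000),
    CountryObs("Brazil", observed_bots=300, sample_coverage=0.03, internet_users=25_000_000),
]


def raw_share(obs: Sequence[CountryObs]) -> Dict[str, float]:
    """What a vendor chart typically shows: each country's share of what was seen."""
    total = sum(o.observed_bots for o in obs)
    return {o.country: o.observed_bots / total for o in obs}


def estimated_population_bots(o: CountryObs) -> float:
    """Scale the observed count up by the inverse of sensor coverage.

    Caveat: thin coverage amplifies sensor error by the same factor
    (3% coverage means every miscounted host becomes ~33 in the estimate)."""
    if not 0 < o.sample_coverage <= 1:
        raise ValueError(f"coverage for {o.country} must be in (0, 1]")
    return o.observed_bots / o.sample_coverage


def normalised_share(obs: Sequence[CountryObs]) -> Dict[str, float]:
    """Share of the estimated worldwide population, not of the vendor's sample."""
    est = {o.country: estimated_population_bots(o) for o in obs}
    total = sum(est.values())
    return {c: v / total for c, v in est.items()}


def rate_per_1000_users(obs: Sequence[CountryObs]) -> Dict[str, float]:
    """Infections per 1,000 Internet users: the figure a geopolitical
    assessment should compare, because it removes country size as well."""
    return {o.country: 1000.0 * estimated_population_bots(o) / o.internet_users for o in obs}


def ranking(shares: Dict[str, float]) -> List[str]:
    """Countries ordered from highest to lowest value."""
    return sorted(shares, key=shares.__getitem__, reverse=True)


def sample_is_balanced(obs: Sequence[CountryObs], tolerance: float = 0.05) -> bool:
    """The review's condition for a valid worldwide comparison: every country
    sampled at (nearly) the same coverage.  Only then do raw and normalised
    shares agree."""
    covs = [o.sample_coverage for o in obs]
    return max(covs) - min(covs) <= tolerance


if __name__ == "__main__":
    for name, fn in (("raw share", raw_share),
                     ("normalised share", normalised_share),
                     ("per 1,000 users", rate_per_1000_users)):
        print(f"{name:18} {ranking(fn(SAMPLE))}")
    print("balanced sample:", sample_is_balanced(SAMPLE))
```

Run stand-alone, the raw ranking puts the US and UK on top, the coverage-corrected ranking puts China and Brazil on top, and the per-user rate puts Brazil first; nothing about the observations changed, only the denominator. That is the review's point in one line: the chart is accurate within its sample and says little about the world.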

Conclusions

Analysis and trending of numerical information from various sources is a useful way to prioritize workflow and gauge risks. The quality of the data, however, plays a large role in the decisions made.

Back to Top

Standards and Regulations

NIST Information Security Handbook Draft Released

The National Institute of Standards and Technology (NIST) released “Draft Special Publication 800-100, Information Security Handbook: A Guide for Managers.” It is a broad overview intended to help CIOs and government agency security managers understand how to establish and implement an information security program. Earlier in May, the same organization published “Guide for Developing Performance Metrics for Information Security.”

Back to Top

News from VeriSign

2006 VeriSign Network Security Trend Survey

VeriSign released the results of its annual network security trend survey in May. Polling a cross-section of industries including manufacturing, banking, healthcare, and services, the survey found that the top five security budget priorities are vulnerability/risk management, security auditing, intrusion detection, compliance, and data privacy. Close to 90 percent of respondents engage in some degree of outsourcing, with intrusion detection and prevention management, firewall management, and VPN management at the top of the outsourcing list.

Ask a VeriSign Consultant

Each month, our highly experienced security consultants share their expertise in an area of your concern. This month, Branden Williams reviews best practices for complying with the new PCI Data Security Standard. Send your questions to askverisignsecurity@verisign.com.

Complying With the New PCI Data Security Standard

Q: How can I optimize my compliance to PCI?

A: The Payment Card Industry Data Security Standard (PCI-DSS) is about to be updated and released to the users of the electronic payment systems it governs. While the details of the changes have been tightly controlled by the card associations, it is our understanding that only minor changes will be made.

Merchants and service providers can ensure that PCI has a minimal impact on their organization by doing everything possible to reduce the scope of PCI. This can be accomplished in a number of ways. Here are a few:

  • Eliminate card numbers from your environment as much as possible. Use hashing or reference numbers in systems that need to identify specific cards for tracking. For the majority of your transactions the card number is not needed once settlement has occurred; only investigations or chargebacks require it.
  • Surround credit card processing and storage with firewalls. Companies can effectively reduce the scope of PCI-DSS on their infrastructure by treating the networks that store and process credit card data as “Secured Enclaves.” Bring the perimeter closer to the payment systems and require strong authentication and encryption for any user access to those areas.
  • Push back on vendors that supply software for your credit card processing needs. Vendors of Point Of Sale (POS), storage, and retrieval applications should make the changes needed to ensure compliance. If an application that handles card numbers for you has not been certified under Visa's Payment Application Best Practices, push the vendor to meet that standard; future releases of the PCI-DSS are expected to make this a requirement, and an uncertified application could then keep you from achieving compliance.
  • Perform regular checks of your payment systems. Though PCI-DSS requires an annual assessment, companies that adopt quarterly or six-monthly reviews ensure that special circumstances do not leave them out of compliance between assessments.
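The first item above says to replace stored card numbers with hashes or reference numbers wherever a system only needs to recognise a card. The following is an added example, not VeriSign's code and not part of any PCI document, showing the practical difference between the options and the check a practitioner should make before choosing "hashing": a masked PAN, an unkeyed hash (which an attacker can reverse by enumerating the small PAN space behind a known issuer prefix), an HMAC under a key that stays inside the secured enclave, and a token vault. The key, the vault and the enumeration prefix are constructed for the demonstration; 4111111111111111 is the publicly documented Visa test number.

```python
"""Keeping card numbers out of scope: masking, keyed references, tokens.

Added example; not VeriSign's code and not part of any PCI document.  The
PAN space behind a known issuer prefix (BIN) is small, roughly 10^9 or 10^10
numbers before the Luhn filter, so a plain SHA-256 of a PAN is a lookup
problem, not a secret.  A keyed HMAC or a random vault token is not.
4111111111111111 is the publicly documented Visa test number; the key and
the vault below are constructed for this demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def luhn_ok(pan: str) -> bool:
    """Luhn check digit (ISO/IEC 7812); used here to prune brute-force candidates."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (issuer prefix) and last four digits; hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_digest(pan: str) -> str:
    """What NOT to rely on: anyone can recompute this for every candidate PAN."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_reference(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret held inside the secured enclave.  Same PAN,
    same key -> same reference, so it still works for tracking and chargeback
    lookups, but without the key the enumeration attack below does not apply."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def recover_from_unkeyed(digest: str, known_prefix: str, unknown_digits: int) -> Optional[str]:
    """Enumerate the unknown tail of a PAN and match it against an unkeyed digest.
    A real attacker enumerates the ~10^9 accounts behind a six-digit BIN; the
    prefix here is longer only so the demo finishes instantly."""
    for n in range(10 ** unknown_digits):
        candidate = known_prefix + str(n).zfill(unknown_digits)
        if luhn_ok(candidate) and hmac.compare_digest(unkeyed_digest(candidate), digest):
            return candidate
    return None


class TokenVault:
    """Reference numbers: a random token replaces the PAN everywhere outside the
    vault, and only the vault (inside the PCI boundary) can map it back."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        if pan not in self._token_by_pan:            # one stable token per card
            token = "tok_" + secrets.token_hex(12)
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


if __name__ == "__main__":
    pan = "4111111111111111"
    key = b"constructed-demo-key-keep-in-enclave"
    print("masked   :", mask_pan(pan))
    print("recovered:", recover_from_unkeyed(unkeyed_digest(pan), pan[:12], 4))
    print("keyed ref:", keyed_reference(pan, key)[:16], "...")
    vault = TokenVault()
    print("token    :", vault.tokenize(pan), "->", vault.detokenize(vault.tokenize(pan)))
```

The enumeration step is the check to run before accepting "we hash the card numbers" from a vendor or an internal team: if the digest is unkeyed, the stored value is the PAN for scoping purposes. A keyed reference or a vault token is what actually takes the downstream systems out of scope, and in both cases the key or the vault must itself sit inside the secured enclave the second item describes.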

Branden Williams is a Principal Consultant at VeriSign. He is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Visa Qualified Data Security Professional (QDSP) and Qualified Payment Application Security Professional (QPASP), Checkpoint Certified Security Administrator (CCSA), and Checkpoint Certified Security Expert (CCSE).

Back to Top

Security Events

June 27-29, 2006
Identity Management Conference
Chicago, IL  

July 26, 2006
itsGOV Technology Showcase
Washington, D.C. 

July 29-Aug 3, 2006
Black Hat
Las Vegas, NV 

Back to Top

This site is independent of all its sources
The contents of the site are sourced from across the industry. All copyrights are acknowledged.