Recently in Industry News Category

InformationWeek looks at how IT can implement a vulnerability management program that actually works.

For a vulnerability management program that works, apply risk management principles and logic relative to business value. IT must also engage across business units to determine a company-wide security posture that sits within acceptable risk tolerance levels, create operational processes that address the computing environment as a whole, and select the right technology platforms to bolster those processes. Critical steps to break the cycle of ineffectiveness:

    Step 1: Integrate Data Collection
    Step 2: Prioritize
    Step 3: Continue to Refine

Read More
InformationWeek outlines four principles to achieve ongoing vulnerability management success:

Principle 1: Focus on Output, Not Input

Tools are only a means to an end. Data collection is a fundamental requirement for vulnerability management, but providing timely, accurate, contextual reports to appropriate individuals is critical. Many organizations develop programs that generate vast amounts of data, but struggle to make it actionable and measurable.

Principle 2: Align with Business Processes

Integrating the vulnerability management process with, and making it aware of, business processes is critical to understanding enterprise risk and focusing on the areas that matter most.

Principle 3: Continue to Integrate Technologies

Incorporating change and configuration management technologies will increase the reliability of data, build accurate reporting, and increase overall effectiveness in lowering enterprise risk and achieving compliance objectives.

Principle 4: Leverage Measurement and Promote Visibility

Defining key performance indicators, such as an acceptable host-to-vulnerability ratio, and using measurement tools will help focus the program on the activities that have the most impact.

Read More

In this MarketScope report, Gartner details the challenges to consider when evaluating and deploying vulnerability assessment technologies, and the tools available. The MarketScope includes Gartner's vendor ratings, in which Qualys received the highest possible rating ('Strong Positive').

Read Report

PCI DSS 1.2 is an update to the 12 requirements of PCI DSS version 1.1. The intent of the new version is to clarify existing requirements and allow more flexibility in how the standard is interpreted, rather than to add new ones.

  • Guidance on the scope of PCI DSS, with more detail on segmentation of the cardholder data environment
  • Clarification of the wireless technology requirements and a sunset date for WEP: all WEP implementations must be discontinued by June 30, 2010
  • Clarification of requirement 6.6 for web application security, removing the references to source code review and adding the use of automated assessment tools
  • Employees who interact with cardholder data must review and accept the security policy annually
  • Compensating controls must now be reviewed and validated annually by a qualified assessor
  • Flexibility to incorporate evolving technologies and threats
  • Announcement of a Quality Assurance program for assessors

Listen to Podcast
Read Summary

Related Coverage:
Credit-Card Security Standard Issued After Much Debate, by Ellen Messmer, Network World
Payment Card Security Toughens With DSS 1.2 Release, by Jabulani Leffall, Redmond
When it comes to security, Apple isn't sitting still. Amol Sarwate, guest columnist for SC Magazine's Hot or Not column, looks at some of the new features in OS X 10.5 that help keep the system secure. According to Apple, these security enhancements were added in 10.5, released last fall:

  • Tagging and first-run warning: Mac OS X 10.5 marks files that are downloaded to help prevent users from inadvertently running malicious downloaded applications. 
  • Runtime protection: New technologies such as execute disable, library randomization, and sandboxing help prevent attacks that try to hijack or modify system software. 
  • Improved firewall: After the new application firewall is activated, the firewall configures itself so that users get the benefits of firewall protection without having to understand the details of network ports and protocols.
  • Mandatory access control: This enforces restrictions on access to system resources. Not even a compromised "root" user can change some settings.
  • Application signing: This enables users to verify the integrity and identity of applications on the Mac. 
  • Improved secure connectivity: Virtual private network (VPN) support has been enhanced to connect to more of the most popular VPN servers without additional software.
Read More
Qualys Vulnerabilities Research Lab manager Amol Sarwate recently discussed Web application firewalls (WAFs) for security and regulatory compliance in SC Magazine's Hot or Not feature. In the piece, Amol lays out the considerations for choosing a WAF that fits an organization's specific needs. Readers are also pointed to the Open Web Application Security Project (OWASP), which provides an abundance of Web application security educational material, including its list of the top 10 most prevalent web application attacks.

Read More
InternetNews.com reports on the PCI Security Standards Council's latest version 1.2 of the PCI Data Security Standard (PCI DSS), available for merchant use beginning Oct. 1. The Council says version 1.2 will "not introduce any major new requirements" and will only "introduce clarifying items." The clarifications include:

  • Addition of monitoring capabilities for removable electronic media, e-mail, Web, laptops and PDAs.
  • The Wired Equivalent Privacy (WEP) wireless security protocol is dropped in favor of the newer IEEE 802.11x standard.
  • Tightened security requirements for employees of companies the PCI DSS governs.
  • A security policy requirement that employees acknowledge they have read and understood the security policy and procedures at least once a year.
  • New wireless implementations cannot use WEP after March 31, 2009, and existing implementations must get rid of WEP by June 30, 2010.
Sumedh Thakar, PCI solutions manager at Qualys, told InternetNews.com he welcomes these changes because a vulnerability scan is more doable and less expensive than going through your source code. Instead of having to go through possibly millions of lines of source code, companies can run a scan, then focus on the detected vulnerabilities in the code and remedy those. Another change that Thakar likes is the Council formally ruling out the use of WEP, which has, since 2001, been known to be easy to crack. "The standard has always recommended that WEP not be used, but now they're putting in a timeline," added Sumedh.

Read InternetNews.com Article
Read SC Magazine Article
eWeek has posted the latest market share predictions from Gartner. The findings point to SaaS market share growing in several security segments over the next five years, notably in areas such as remote vulnerability assessment, which the firm predicts will jump from 10 percent to 30 percent by 2013.

"Messaging security is the big area now," said John Pescatore, an analyst with Gartner. "I think Web security -- both protecting Web servers, and also protecting users and browsers -- will grow fast. Vulnerability assessment has already started to grow as a service, so has DDoS prevention."

Vulnerability assessments provided by vendors such as Qualys are a good fit as a cloud-based service, as they can be done efficiently from the cloud and typically don't require any deep knowledge of business-specific aspects, like what an application actually does, Pescatore contended.

Click here to read full eWeek story