May 2009 Archives

TechAmerica, which describes itself as the leading voice for the U.S. technology industry, has elected Qualys CEO Philippe Courtot to its Board of Directors.

TechAmerica President Phil Bond stated: "We are pleased that TechAmerica members and their supporting organizations elected Philippe Courtot to the 2009 Board of Directors. Philippe's proven industry knowledge and global expertise bring a new perspective and resource to the association, enabling us to be the loudest and strongest voice in Washington, D.C., Wall Street and the major markets for electronics and IT."

Representing approximately 1,500 member companies of all sizes, from the public and commercial sectors of the economy, TechAmerica is the industry's largest advocacy organization dedicated to helping members' top and bottom lines. It is also the technology industry's only grassroots-to-global advocacy network, with offices in state capitals around the United States, Washington, D.C., Europe (Brussels) and Asia (Beijing). TechAmerica was formed by the merger of AeA (formerly the American Electronics Association), the Cyber Security Industry Alliance (CSIA), the Information Technology Association of America (ITAA) and the Government Electronics & Information Technology Association (GEIA).

Not long ago, security for supervisory control and data acquisition (SCADA) systems seemed to be a topic of interest only to those who ran complex industrial control systems, water treatment plants, and power generation, and in some ways it still is. But for anyone who attended the SANS 2009 SCADA and Process Control Summit recently, it became clear that the convergence of IT security and physical security is accelerating.

This is happening because more IT systems are managing physical systems, and it is no longer only utilities and critical infrastructure that rely on SCADA systems for management. Traditional industries such as manufacturing are turning to SCADA systems, while health care and many other industries are, or soon will be, using telematics to manage all types of far-flung devices. In coming years, the security of physical control systems will be part of many IT security managers' responsibilities.

One thing certainly is clear to me after researching the subject: many SCADA systems are inherently vulnerable. These systems were never designed with network security in mind, yet they are increasingly being connected to the internet. That is not an encouraging combination.

In fact, SCADA software is increasingly falling to the same classes of software vulnerability that have plagued IT systems and applications for years. Just last month, Paris-based Areva warned its customers that an important part of its energy management software was vulnerable after flaws were found in several versions (5.5, 5.6, 5.7) of its e-terrahabitat package. As the U.S. Computer Emergency Readiness Team (US-CERT) warned, a number of buffer overflow and denial-of-service vulnerabilities left versions 5.5, 5.6, and 5.7 of e-terrahabitat open to tampering. Customers using earlier versions needed to upgrade as well.

In theory, SCADA systems should not be exposed to the internet, but I fear they increasingly are being connected to IP networks. In most industries, SCADA systems should be completely air-gapped from data networks, which significantly mitigates the risk of attack. However, more installations are using SCADA to manage their systems remotely, or even connecting the systems to an internet-enabled corporate network to collect and analyze data. As this trend continues, SCADA systems increasingly must be treated like any other networked device: they must be identified, inventoried, and analyzed for vulnerabilities, and any control-protocol service that answers from outside the isolated control network is itself a finding, because it means the air gap no longer holds.
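The paragraph above says SCADA devices must be identified and inventoried like any other networked asset, and that the air gap is the main mitigation. The following script is an added example, not code from the article or from Qualys, that turns those two statements into a check: it parses scan records, picks out hosts answering on well-known ICS protocol ports (IANA-registered port numbers), and flags any such host that sits outside the control network range. The scan records, the 10.50.0.0/16 control network and the `inventory_ics` and `exposed_hosts` function names are all assumptions made for the example.

```python
"""Flag ICS/SCADA services reachable outside the isolated control network.

Added example; the scan records and network plan below are constructed, not
taken from any real site. Port assignments are the IANA-registered ones.
"""
import ipaddress
from dataclasses import dataclass

# Well-known ICS/SCADA protocol ports (IANA registrations).
ICS_PORTS = {
    102: "ISO-TSAP (Siemens S7comm)",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP)",
}

# Assumed network plan for this example: the one range that is supposed to be
# air-gapped from the corporate LAN and the internet.
CONTROL_NETS = [ipaddress.ip_network("10.50.0.0/16")]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    protocol: str
    segment: str   # "control" or "corporate"
    severity: str  # "high" when an ICS service answers outside the control net


def parse_scan(text):
    """Parse constructed scan records, one 'host port/proto state' per line."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port_proto, state = line.split()
        port = int(port_proto.split("/")[0])
        records.append((host, port, state))
    return records


def segment_of(host):
    """Classify a host by whether its address falls in a control network."""
    addr = ipaddress.ip_address(host)
    return "control" if any(addr in net for net in CONTROL_NETS) else "corporate"


def inventory_ics(text):
    """Return one Finding per open ICS protocol port, rated by where it sits."""
    findings = []
    for host, port, state in parse_scan(text):
        if state != "open" or port not in ICS_PORTS:
            continue
        segment = segment_of(host)
        severity = "high" if segment == "corporate" else "info"
        findings.append(Finding(host, port, ICS_PORTS[port], segment, severity))
    return findings


def exposed_hosts(text):
    """Hosts speaking an ICS protocol from outside the control network."""
    return sorted({f.host for f in inventory_ics(text) if f.severity == "high"})


# Constructed sample scan output: 'host port/proto state'.
SAMPLE_SCAN = """
# host          port/proto state
10.50.1.10      502/tcp    open
10.50.1.11      20000/tcp  open
10.50.1.12      502/tcp    closed
192.168.8.25    502/tcp    open
192.168.8.40    80/tcp     open
192.168.8.41    44818/tcp  open
"""

if __name__ == "__main__":
    for f in inventory_ics(SAMPLE_SCAN):
        print(f"{f.severity:4} {f.host:14} {f.port:5} {f.protocol:26} segment={f.segment}")
    print("hosts to isolate or review:", exposed_hosts(SAMPLE_SCAN))
```

On the constructed sample, the two Modbus and DNP3 listeners inside 10.50.0.0/16 are recorded as inventory only, while the Modbus and EtherNet/IP listeners on 192.168.8.0/24 are rated high: either a controller has been plugged into the corporate LAN, or the address plan is wrong, and both need a human to look. The same logic applies to real scanner output once the parser is pointed at it.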

With the goal of improving its IT security and risk management program, Ohio Dominican University began a year-long effort to build an optimized set of security management processes. Initial enhancements included creating a security awareness program, streamlining the university's vulnerability management process, and gaining near real-time insight into network security events.

"We chose QualysGuard as it not only helps us to secure our systems better, but it adds value because it makes us more efficient. It streamlines our vulnerability management efforts so that we can focus better on innovative IT initiatives that add value to the university," stated Mike Young, CIO.

For on-demand Web Content Management (WCM) provider Clickability, Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) offer more efficiency and affordability than traditional software. As part of an effort to reduce its carbon footprint, Clickability has committed to the SaaS model; in fact, the company runs its entire business on SaaS-delivered solutions.

When Clickability sought a way to secure its infrastructure (which houses and delivers content for global brands in financial services, technology, broadcasting, and publishing), it turned to Qualys and its on-demand SaaS IT risk and compliance management platform, QualysGuard.

"Qualys is the most accurate [vulnerability assessment solution] we've used, and the SaaS solution makes it easy and transparent because we don't have to maintain the server or the software, or manage the updates," said Tom Cignarella, VP of Technical Operations, Clickability. "And, because Qualys is the leading vulnerability assessment provider, most of our customers are familiar with QualysGuard's reputation and are happy to know that it's part of how we keep their information secure."

With the rising need to secure employee and student data and increasing regulatory compliance demands, the University of Idaho sought a way to improve the effectiveness of its vulnerability and risk management program.

"QualysGuard is accurate and easy to use. We didn't trust the open source tool we were using, and we couldn't get consistent results. Each time someone ran a scan, the settings and the results were different. With QualysGuard, anyone on my team can use it, and its results are accurate and consistent," says Dave Lien, Networks and Systems Manager, University of Idaho.

In addition, because Qualys is a PCI Approved Scanning Vendor (ASV), the university is able to scan and validate the security and PCI compliance of the systems that serve as gateways to its credit card processors. "Using QualysGuard, anyone can quickly complete and submit the PCI self-assessment questionnaire, and perform pre-defined PCI scans on all relevant systems to identify and resolve network and system vulnerabilities," added Lien.
