<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
>

<channel>
	<title>Global Security Mag Online</title>
	<link>http://www.globalsecuritymag.com/</link>
	<description></description>
	<language>en</language>
	<generator>SPIP - www.spip.net</generator>




<item>
		<title>Vigil@nce: Cisco ASA, Secure Desktop, Cross Site Scripting</title>
		<link>http://www.globalsecuritymag.com/Vigil-nce-Cisco-ASA-Secure-Desktop,20100209,15898.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/Vigil-nce-Cisco-ASA-Secure-Desktop,20100209,15898.html</guid>
		<dc:date>2010-02-09T12:36:47Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>Vigil@nce</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Security-Vulnerability-.html">Security Vulnerability</category>


		<description>An attacker can generate a Cross Site Scripting in Cisco Secure Desktop. Severity: 2/4 Consequences: client access/rights Provenance: document Means of attack: 1 attack Ability of attacker: technician (2/4) Confidence: confirmed by the editor (5/5) Diffusion of the vulnerable configuration: high (3/3) Creation date: 02/02/2010 IMPACTED PRODUCTS Cisco PIX/ASA Software DESCRIPTION OF THE VULNERABILITY The Cisco Secure Desktop product is used to check the (...)



		</description>


 <content:encoded>&lt;div class='rss_chapo'&gt;&lt;p&gt;&lt;strong&gt;An attacker can generate a Cross Site Scripting in Cisco Secure Desktop.&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
		&lt;div class='rss_texte'&gt;&lt;p&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Severity: 2/4
&lt;br /&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Consequences: client access/rights
&lt;br /&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Provenance: document
&lt;br /&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Means of attack: 1 attack
&lt;br /&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Ability of attacker: technician (2/4)
&lt;br /&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Confidence: confirmed by the editor (5/5)
&lt;br /&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Diffusion of the vulnerable configuration: high (3/3)
&lt;br /&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Creation date: 02/02/2010&lt;/p&gt; &lt;p&gt;&lt;strong&gt;IMPACTED PRODUCTS&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Cisco PIX/ASA Software&lt;/p&gt; &lt;p&gt;&lt;strong&gt;DESCRIPTION OF THE VULNERABILITY&lt;/strong&gt;&lt;/p&gt; &lt;p&gt; The Cisco Secure Desktop product is used to check the security level of computers connecting to the VPN.&lt;/p&gt; &lt;p&gt; The https://computer/+CSCOT+/translation page of CSD generates a variable containing the translated text.&lt;/p&gt; &lt;p&gt; However, posted parameters are not filtered before being displayed.&lt;/p&gt; &lt;p&gt; An attacker can therefore generate a Cross Site Scripting in Cisco Secure Desktop.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;CHARACTERISTICS&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Identifiers: 19843, BID-37960, CORE-2010-0106, CVE-2010-0440, VIGILANCE-VUL-9398
&lt;br /&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Url: &lt;a href='http://vigilance.fr/vulnerability/Cisco-ASA-Secure-Desktop-Cross-Site-Scripting-9398' class='spip_out' rel='nofollow'&gt;http://vigilance.fr/vulnerability/C...&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>
<item>
		<title>gateProtect at CeBIT 2010: Unified Threat Management (UTM) for midsized and large companies </title>
		<link>http://www.globalsecuritymag.com/gateProtect-at-CeBIT-2010-Unified,20100209,15894.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/gateProtect-at-CeBIT-2010-Unified,20100209,15894.html</guid>
		<dc:date>2010-02-09T09:04:47Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>Marc Jacob</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Product-Reviews-.html">Product Reviews</category>


		<description>As in previous years, the German-based network security specialist gateProtect is exhibiting at CeBIT, underscoring its strong market presence as well as its healthy growth. Show visitors in Hanover will be able to see a preview of gateProtect's new generation of Unified Threat Management (UTM) firewalls, version 8.6, from 2-6 March 2010 at CeBIT. The new release provides automatic updates of the client software, enhanced performance of encryption technologies, and support for in-house (...)



		</description>


 <content:encoded>&lt;div class='rss_chapo'&gt;&lt;p&gt;&lt;strong&gt;As in previous years, the German-based network security specialist gateProtect is exhibiting at CeBIT, underscoring its strong market presence as well as its healthy growth. Show visitors in Hanover will be able to see a preview of gateProtect's new generation of Unified Threat Management (UTM) firewalls, version 8.6, from 2-6 March 2010 at CeBIT. The new release provides automatic updates of the client software, enhanced performance of encryption technologies, and support for in-house DynDNS servers. Other new products on show at CeBIT include gateProtect's new range of appliances designed for use in large environments.&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
		&lt;div class='rss_texte'&gt;&lt;p&gt;The new gateProtect V 8.6 firewall generation will have its debut at this year's CeBIT. It offers users the following new features:&lt;/p&gt; &lt;p&gt;Automatic client software updates&lt;/p&gt; &lt;p&gt;The gateProtect firewall has been able to update itself over the web since version 8.5. In the new version, gateProtect 8.6, the automatic update capability is extended to the client software.&lt;/p&gt; &lt;p&gt;Performance boost with support for cryptographic accelerators&lt;/p&gt; &lt;p&gt;The new generation of appliances &#8211; GPX-800 and later &#8211; includes crypto accelerator processors that support the mathematical functions inherent in encryption and decryption processes. As such, they conform to the security requirements of the most demanding environments. With the new version, gateProtect V8.6, these are also supported by IPSec and VPN SSL, giving customers much better performance in these areas.&lt;/p&gt; &lt;p&gt;Support for in-house DynDNS servers&lt;/p&gt; &lt;p&gt;Many administrators use publicly available DynDNS servers (e.g. from DynDNS.org). In some cases it makes sense to create these services in-house. With gateProtect V8.6, users can add and use DynDNS servers created in-house as well as those from official sources.&lt;/p&gt; &lt;p&gt;Users can easily manage gateProtect UTM appliances with the end-to-end graphical administration console, which clearly portrays all the underlying security processes. This makes administration much less time-consuming while minimising the risk of configuration errors. gateProtect is the only provider on the UTM market able to offer these benefits. Users can also choose to manage the appliances centrally via the gateProtect Command Center. 
As fully integrated network security solutions, gateProtect Unified Threat Management appliances protect midsized and large companies from known and unknown threats while helping firms to reduce the cost and time involved in managing IT security.&lt;/p&gt; &lt;p&gt;Existing gateProtect customers can download the new software version with immediate effect from the company's website at gateprotect website.&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>
<item>
		<title>Vigil@nce: Linux kernel, incorrect permissions on devtmpfs</title>
		<link>http://www.globalsecuritymag.com/Vigil-nce-Linux-kernel-incorrect,20100208,15892.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/Vigil-nce-Linux-kernel-incorrect,20100208,15892.html</guid>
		<dc:date>2010-02-08T19:15:24Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>Vigil@nce</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Security-Vulnerability-.html">Security Vulnerability</category>


		<description>SYNTHESIS OF THE VULNERABILITY On a 2.6.32.x kernel, a local attacker can access devtmpfs. Severity: 2/4 Consequences: data reading, data creation/edition Provenance: user shell Means of attack: no proof of concept, no attack Ability of attacker: expert (4/4) Confidence: confirmed by the editor (5/5) Diffusion of the vulnerable configuration: high (3/3) Creation date: 01/02/2010 IMPACTED PRODUCTS Linux kernel Mandriva Linux OpenSUSE DESCRIPTION (...)



		</description>


 <content:encoded>&lt;div class='rss_texte'&gt;&lt;p&gt;SYNTHESIS OF THE VULNERABILITY&lt;/p&gt; &lt;p&gt; On a 2.6.32.x kernel, a local attacker can access devtmpfs.&lt;/p&gt; &lt;p&gt; Severity: 2/4&lt;/p&gt; &lt;p&gt; Consequences: data reading, data creation/edition&lt;/p&gt; &lt;p&gt; Provenance: user shell&lt;/p&gt; &lt;p&gt; Means of attack: no proof of concept, no attack&lt;/p&gt; &lt;p&gt; Ability of attacker: expert (4/4)&lt;/p&gt; &lt;p&gt; Confidence: confirmed by the editor (5/5)&lt;/p&gt; &lt;p&gt; Diffusion of the vulnerable configuration: high (3/3)&lt;/p&gt; &lt;p&gt; Creation date: 01/02/2010&lt;/p&gt; &lt;p&gt;IMPACTED PRODUCTS&lt;/p&gt; &lt;p&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Linux kernel
&lt;br /&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Mandriva Linux
&lt;br /&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; OpenSUSE&lt;/p&gt; &lt;p&gt;DESCRIPTION OF THE VULNERABILITY&lt;/p&gt; &lt;p&gt; The devtmpfs filesystem was added in kernel 2.6.32. It is used to create device nodes, before mounting the / root, and before mounting it to /dev.&lt;/p&gt; &lt;p&gt; A vulnerability, related to default access rights to devtmpfs, was announced. Technical details are unknown.&lt;/p&gt; &lt;p&gt; On a 2.6.32.x kernel, a local attacker can thus, for example, directly access some restricted devices.&lt;/p&gt; &lt;p&gt;CHARACTERISTICS&lt;/p&gt; &lt;p&gt; Identifiers: CVE-2010-0299, MDVSA-2010:030, SUSE-SA:2010:010, VIGILANCE-VUL-9396&lt;/p&gt; &lt;p&gt; &lt;a href='http://vigilance.fr/vulnerability/Linux-kernel-incorrect-permissions-on-devtmpfs-9396' class='spip_out' rel='nofollow'&gt;http://vigilance.fr/vulnerability/L...&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>
<item>
		<title>New IP Access Routers of Funkwerk Set standards in flexibility</title>
		<link>http://www.globalsecuritymag.com/New-IP-Access-Routers-of-Funkwerk,20100208,15887.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/New-IP-Access-Routers-of-Funkwerk,20100208,15887.html</guid>
		<dc:date>2010-02-08T18:16:33Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>Marc Jacob</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Product-Reviews-.html">Product Reviews</category>


		<description>With its new bintec RS series, Funkwerk Enterprise Communications (FEC) presents flexible IP access routers with comprehensive equipment for professional network access. With the abundance of different connection technologies, the bintec RS series sets new standards in the flexibility of access routers. The bintec IP access routers, which will be available on the occasion of CeBIT 2010, distinguish themselves via excellent performance increases and are predestined for the (...)



		</description>


 <content:encoded>&lt;div class='rss_chapo'&gt;&lt;p&gt;&lt;strong&gt;With its new bintec RS series, Funkwerk Enterprise Communications (FEC) presents flexible IP access routers with comprehensive equipment for professional network access. With the abundance of different connection technologies, the bintec RS series sets new standards in the flexibility of access routers.&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
		&lt;div class='rss_texte'&gt;&lt;p&gt;&lt;span class='spip_document_2138 spip_documents spip_documents_center' &gt;
&lt;img src='http://www.globalsecuritymag.com/local/cache-vignettes/L448xH296/bintec-2-3f7ba.jpg' width='448' height='296' alt=&quot;&quot; style='height:296px;width:448px;' /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p&gt;The bintec IP access routers, which will be available on the occasion of CeBIT 2010, distinguish themselves via excellent performance increases and are predestined for use in small- and medium-scale enterprises, subsidiaries and remote locations, as well as home offices.&lt;/p&gt; &lt;p&gt;The six models of the new bintec RS series are equipped with five Gigabit Ethernet ports, which can be freely configured for LAN, WAN, or DMZ. Already ex-factory, all bintec routers of the new series are provided with a license for five hardware-accelerated IPSec tunnels and offer one of the most comprehensive IPSec implementations. Data encryption is performed by means of the integrated Encryption Engine in a resource-saving mode. The integrated configuration wizards permit optimal and easy configuration of the system by means of a Web-based graphical user interface.&lt;/p&gt; &lt;p&gt;In addition, the &#8220;professional routers&#8221; of the bintec RS series are equipped with a USB port and&#8212;according to the variant in question&#8212;with an SFB port for optical fiber extension modules or are equipped with an integrated UMTS modem or ADSL 2+ modem with ISDN. 
The WLAN variants are provided with a dual-band module with 2.5 and 5 GHz for the wireless access according to IEEE 802.11n, with impressive PHY rates of up to 300 Mbps.&lt;/p&gt; &lt;p&gt;The durable bintec IP access routers in fan-less metal casings distinguish themselves via a more attractive price/performance ratio than the one offered by the devices available on the market and once again guarantee investment protection for the application of FEC systems.&lt;/p&gt; &lt;p&gt;The Models of the bintec RS Series in an Overview:&lt;/p&gt; &lt;p&gt;&#8226; bintec RS120: Gigabit Ethernet router with IPSec&lt;/p&gt; &lt;p&gt;&#8226; bintec RS120wu: Gigabit Ethernet router with integrated UMTS (HSxPA) modem, 802.11n WLAN, and IPSec&lt;/p&gt; &lt;p&gt;&#8226; bintec RS230a: ADSL2+ Annex A router with Gigabit Ethernet and IPSec&lt;/p&gt; &lt;p&gt;&#8226; bintec RS230aw: ADSL2+ Annex A router with Gigabit Ethernet, 802.11n WLAN, and IPSec&lt;/p&gt; &lt;p&gt;&#8226; bintec RS232b: ADSL2+ Annex b router with Gigabit Ethernet, ISDN, and IPSec&lt;/p&gt; &lt;p&gt;&#8226; bintec RS232bw: ADSL2+ Annex b router with Gigabit Ethernet, ISDN, 802.11n WLAN, and IPSec&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>
<item>
		<title>Common Assurance Metric &#8211; Beyond the Cloud</title>
		<link>http://www.globalsecuritymag.com/Common-Assurance-Metric-Beyond-the,20100208,15884.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/Common-Assurance-Metric-Beyond-the,20100208,15884.html</guid>
		<dc:date>2010-02-08T17:48:57Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>Marc Jacob</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Product-Reviews-.html">Product Reviews</category>


		<description>The newly launched Common Assurance Metric (CAM) is a global initiative that aims to produce objective, quantifiable metrics to assure Information Security maturity in cloud, third party service providers, as well as internally hosted systems. This collaborative initiative has received strong support from Public and Private sectors, industry associations, and global key industry stakeholders. There is currently an urgent need for customers of cloud computing and third party IT services to be (...)



		</description>


 <content:encoded>&lt;div class='rss_chapo'&gt;&lt;p&gt;&lt;strong&gt;The newly launched Common Assurance Metric (CAM) is a global initiative that aims to produce objective, quantifiable metrics to assure Information Security maturity in cloud, third party service providers, as well as internally hosted systems. This collaborative initiative has received strong support from Public and Private sectors, industry associations, and global key industry stakeholders.&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
		&lt;div class='rss_texte'&gt;&lt;p&gt;There is currently an urgent need for customers of cloud computing and third party IT services to be able to make an objective comparison between providers on the basis of their security features. As ENISA's work on cloud computing has shown, security is the number one concern for many businesses and governments. Existing mechanisms to measure security are often subjective and in many cases are bespoke solutions. This makes quantifiable measurement of security profiles difficult and imposes the need to apply a bespoke approach, with an impact on time and, of course, cost. The CAM aims to bridge the divide between what is available and what is required. By using existing standards that are often industry specific, the CAM will provide a singular approach of benefit to all organisations regardless of geography or industry.&lt;/p&gt; &lt;p&gt;The project team anticipate delivery of the framework in late 2010 followed by a process towards global adoption for organisations wishing to obtain an objective measurement of security provided by cloud providers, as well as the level of security for systems hosted internally.&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>
<item>
		<title>Ovum releases new Technology Audit of Neptuny Caplan 3.2, confirming Caplan as &quot;the future of Capacity Planning&quot;</title>
		<link>http://www.globalsecuritymag.com/Ovum-releases-new-Technology-Audit,20100208,15882.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/Ovum-releases-new-Technology-Audit,20100208,15882.html</guid>
		<dc:date>2010-02-08T17:44:01Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>Marc Jacob</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Business-News-.html">Business News</category>


		<description>In updating its latest Technology Audit of recently released Neptuny Caplan&#8482; 3.2, Ovum confirms its conclusion that Caplan&#8482; is &#8220;the future in capacity-planning solutions&#8221;[1] and is &#8220;impressed with its ease of use combined with its depth of capability.&#8221; Virtualization-ready Caplan&#8482; simplifies and optimizes consolidation and virtualisation planning. Caplan&#8482; 3.2 supports all major virtualization technologies from leading vendors such as VMware, AIX, HP, Sun, Citrix and Microsoft. Ovum is (...)



		</description>


 <content:encoded>&lt;div class='rss_chapo'&gt;&lt;p&gt;&lt;strong&gt;In updating its latest Technology Audit of recently released Neptuny Caplan&#8482; 3.2, Ovum confirms its conclusion that Caplan&#8482; is &#8220;the future in capacity-planning solutions&#8221;[1] and is &#8220;impressed with its ease of use combined with its depth of capability.&#8221;&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
		&lt;div class='rss_texte'&gt;&lt;p&gt;Virtualization-ready Caplan&#8482; simplifies and optimizes consolidation and virtualisation planning.&lt;/p&gt; &lt;p&gt;Caplan&#8482; 3.2 supports all major virtualization technologies from leading vendors such as VMware, AIX, HP, Sun, Citrix and Microsoft. Ovum is &#8220;particularly impressed&#8221; by Caplan&#8482; Optimal Allocation Models that enable organisations to optimise the placement of virtual and physical machines on virtualised infrastructures. In particular, Caplan&#8482; Optimal Allocation Models automatically simulate placement scenarios and suggest the optimal overall configuration based on customizable business or technical constraints, such as the number of physical machines, maximum utilization thresholds or set procurement budgets.&lt;/p&gt; &lt;p&gt;Caplan&#8482; supports complex accounting, chargeback and cost models
&lt;/p&gt; &lt;p&gt;Ovum considers the introduction of Caplan&#8482; Accounting &amp; Chargeback a product strength, which supports IT Financial Management in implementing accounting and chargeback tasks based on complex cost models. Caplan&#8482; leverages resource utilization data to support users to fully account for IT service costs and to charge them back to final users. Caplan&#8482; supports several types of cost models and its interface allows users to easily create multiple target hierarchies and to assign resources to targets.&lt;/p&gt; &lt;p&gt; Caplan&#8482; correlates business KPI's with infrastructure KPI's&lt;/p&gt; &lt;p&gt;The ability to correlate business and infrastructure KPI's is crucial in aligning infrastructure optimization processes with actual and forecasted business needs. For example, Caplan&#8482; can automate the correlation of business KPIs, such as the number of invoices per day and the expected web traffic following a promotional campaign, and link these to IT infrastructure-related KPIs such as CPU utilisation and network performance. 
Ovum believes that &#8220;capacity management from a business perspective will become an essential capability&#8221; and is impressed by Caplan&#8482;'s ability to &#8220;provide organisations with the maturity to establish capacity planning based on business metrics&#8221;.&lt;/p&gt; &lt;p&gt;Moreover, Caplan&#8482; is aligned to ITIL&#174; (including v2 and v3) capacity-management guidelines: this feature is crucial nowadays since organizations are moving towards an advanced and business-oriented approach to capacity management which will require them to review their organization's IT infrastructure and align to ITIL best practices.&lt;/p&gt; &lt;p&gt;Caplan&#8482; agent-less connectors now aggregate data from over 50 management tools&lt;/p&gt; &lt;p&gt;Ovum analysts are &#8220;impressed with the solution's analytical capability, which includes &#8216;what-if analyses' and the wide range of management tools that Caplan&#8482; can gather data from&#8221;. With version 3.2, Caplan&#8482; has introduced new and improved connectors to import performance and configuration data from management tools, native platforms and interfaces, such as: Oracle Enterprise Manager (improved), Ganglia (new), NetIQ AppManager (new), HP uCMDB (new), EMC2 Storage Scope Control Center (improved) and VMware (improved with vSphere 4 support). 
Moreover, Caplan&#8482; 3.2 provides a new Integrated Development Environment based on Eclipse and named Caplan&#8482; Integration Studio (CIS) which helps customers to create custom connectors.&lt;/p&gt; &lt;p&gt;In its conclusions, Ovum continues to express its belief that Caplan&#8482;&lt;/p&gt; &lt;p&gt;&#8220;represents the future in capacity-planning solutions.&#8221; Neptuny's commitment and focus on enhancing the solution's capability put the company in the position to continue to deliver on its stated goal to enable advanced, scalable and comprehensive enterprise capacity management.&lt;/p&gt; &lt;p&gt;Giuseppe Nardiello, Neptuny's Business Development Manager, commented on the new Technology Audit, saying: &#8220;We are very pleased that an influential analyst such as Ovum has confirmed Caplan as the 'future of Capacity Planning'. The feedback we are receiving from the market is that Caplan is the only viable solution to easily implement a continuous and automated Capacity Management process also for large IT infrastructures. As confirmed by this updated OVUM report, our new version of the product, Caplan 3.2, now enables customers to fully address their critical needs related to Virtualization Planning and Accounting &amp; Chargeback&#8221;.&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>
<item>
		<title>Thales Adds Multipoint Capability to its Datacryptor Ethernet Layer 2 Network Encryptors</title>
		<link>http://www.globalsecuritymag.com/Thales-Adds-Multipoint-Capability,20100208,15880.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/Thales-Adds-Multipoint-Capability,20100208,15880.html</guid>
		<dc:date>2010-02-08T17:38:54Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>Marc Jacob</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Product-Reviews-.html">Product Reviews</category>


		<description>Thales announces that its Datacryptor 100 Mbps and 1 Gbps Ethernet Layer 2 network encryptors now have the capability to operate in multipoint, fully meshed environments, enabling organizations to reduce their information security cost. This newly added multipoint capability enables any one node in the network to securely connect simultaneously to any other node, thus reducing the total number of encryptors required to protect multiple connections. Government agencies and enterprise (...)



		</description>


 <content:encoded>&lt;div class='rss_chapo'&gt;&lt;p&gt;&lt;strong&gt;Thales announces that its Datacryptor 100 Mbps and 1 Gbps Ethernet Layer 2 network encryptors now have the capability to operate in multipoint, fully meshed environments, enabling organizations to reduce their information security cost.&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
		&lt;div class='rss_texte'&gt;&lt;p&gt;This newly added multipoint capability enables any one node in the network to securely connect simultaneously to any other node, thus reducing the total number of encryptors required to protect multiple connections. Government agencies and enterprise customers are now able to protect sensitive data in transit across fully-meshed distributed applications more cost effectively with fewer dedicated encryption appliances. With the added benefit of an integrated automatic key generation and distribution capability, Datacryptor Ethernet Layer 2 can be easily deployed as a bump-in-the-wire security solution requiring no network reconfiguration.&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>
<item>
		<title>Vigil@nce: TYPO3, vulnerabilities of extensions</title>
		<link>http://www.globalsecuritymag.com/Vigil-nce-TYPO3-vulnerabilities-of,20100208,15875.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/Vigil-nce-TYPO3-vulnerabilities-of,20100208,15875.html</guid>
		<dc:date>2010-02-08T17:25:51Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>Vigil@nce</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Security-Vulnerability-.html">Security Vulnerability</category>


		<description>SYNTHESIS OF THE VULNERABILITY An attacker can use several vulnerabilities of TYPO3 extensions in order to generate a Cross Site Scripting or to inject SQL code. Severity: 2/4 Consequences: user access/rights, client access/rights, data reading Provenance: internet client Means of attack: no proof of concept, no attack Ability of attacker: expert (4/4) Confidence: confirmed by the editor (5/5) Diffusion of the vulnerable configuration: high (...)



		</description>


 <content:encoded>&lt;div class='rss_texte'&gt;&lt;p&gt;SYNTHESIS OF THE VULNERABILITY&lt;/p&gt; &lt;p&gt; An attacker can use several vulnerabilities of TYPO3 extensions in order to generate a Cross Site Scripting or to inject SQL code.&lt;/p&gt; &lt;p&gt; Severity: 2/4&lt;/p&gt; &lt;p&gt; Consequences: user access/rights, client access/rights, data reading&lt;/p&gt; &lt;p&gt; Provenance: internet client&lt;/p&gt; &lt;p&gt; Means of attack: no proof of concept, no attack&lt;/p&gt; &lt;p&gt; Ability of attacker: expert (4/4)&lt;/p&gt; &lt;p&gt; Confidence: confirmed by the editor (5/5)&lt;/p&gt; &lt;p&gt; Diffusion of the vulnerable configuration: high (3/3)&lt;/p&gt; &lt;p&gt; Number of vulnerabilities in this bulletin: 7&lt;/p&gt; &lt;p&gt; Creation date: 01/02/2010&lt;/p&gt; &lt;p&gt;IMPACTED PRODUCTS&lt;/p&gt; &lt;p&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; TYPO3&lt;/p&gt; &lt;p&gt;DESCRIPTION OF THE VULNERABILITY&lt;/p&gt; &lt;p&gt; An attacker can use several vulnerabilities of TYPO3 extensions.&lt;/p&gt; &lt;p&gt; An attacker can generate SQL injections and Cross Site Scriptings in the T3BLOG (t3blog) extension. [grav:2/4; BID-38030, TYPO3-SA-2010-002]&lt;/p&gt; &lt;p&gt; An attacker can generate a SQL injection in the Event Manager (eventmanagement) extension. [grav:2/4; TYPO3-SA-2010-003]&lt;/p&gt; &lt;p&gt; An attacker can generate a SQL injection in the Game Article DB (game_articledb) extension. [grav:2/4; TYPO3-SA-2010-003]&lt;/p&gt; &lt;p&gt; An attacker can generate a SQL injection and a Cross Site Scripting in the Simple career (ml_career) extension. [grav:2/4; TYPO3-SA-2010-003]&lt;/p&gt; &lt;p&gt; An attacker can generate a SQL injection in the Surprise Calendar (ml_surprisecalendar) extension. 
[grav:2/4; TYPO3-SA-2010-003]&lt;/p&gt; &lt;p&gt; An attacker can generate a Cross Site Scripting in the Search Api Ajax Google (searchajaxgoogle) extension. [grav:2/4; TYPO3-SA-2010-003]&lt;/p&gt; &lt;p&gt; An attacker can obtain information via the Download Manager (spr_downloadmanager) extension. [grav:1/4; TYPO3-SA-2010-003]&lt;/p&gt; &lt;p&gt;CHARACTERISTICS&lt;/p&gt; &lt;p&gt; Identifiers: BID-38030, TYPO3-SA-2010-002, TYPO3-SA-2010-003, VIGILANCE-VUL-9394&lt;/p&gt; &lt;p&gt;&lt;a href='http://vigilance.fr/vulnerability/TYPO3-vulnerabilities-of-extensions-9394' class='spip_out' rel='nofollow'&gt;http://vigilance.fr/vulnerability/T...&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>
<item>
		<title>MTI to Offer Axxana's Zero Data Loss Disaster Recovery Phoenix System&#8482; RP in Europe </title>
		<link>http://www.globalsecuritymag.com/MTI-to-Offer-Axxana-s-Zero-Data,20100208,15871.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/MTI-to-Offer-Axxana-s-Zero-Data,20100208,15871.html</guid>
		<dc:date>2010-02-08T16:41:47Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>Marc Jacob</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Business-News-.html">Business News</category>


		<description>Axxana and MTI announced that they have signed a partnership agreement to market the Axxana Phoenix System&#8482;, which will also be showcased in the MTI Solutions Centre established last year in the UK in conjunction with EMC, VMware and Cisco. The Axxana Phoenix System is the first product on the market to enable zero data loss, i.e. where the Recovery Point Objective (or RPO &#8211; the point in time that the restore goes back to) equals zero, over any geographical distance, for significantly less (...)

-
&lt;a href="http://www.globalsecuritymag.com/-Business-News-.html" rel="directory"&gt;Business News&lt;/a&gt;


		</description>


 <content:encoded>&lt;div class='rss_chapo'&gt;&lt;p&gt;&lt;strong&gt;Axxana and MTI announced that they have signed a partnership agreement to market the Axxana Phoenix System&#8482;, which will also be showcased in the MTI Solutions Centre established last year in the UK in conjunction with EMC, VMware and Cisco.&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
		&lt;div class='rss_texte'&gt;&lt;p&gt;The Axxana Phoenix System is the first product on the market to enable zero data loss, i.e. where the Recovery Point Objective (or RPO &#8211; the point in time that the restore goes back to) equals zero, over any geographical distance, for significantly less than the cost of traditional synchronous data mirroring alternatives. The Phoenix System complements the asynchronous replication benefits offered by MTI with EMC's RecoverPoint, and enables organisations to protect a synchronous copy of the data at the primary site in a disaster-proof &#8220;black box&#8221; storage device designed to withstand extreme conditions. Following a disaster or loss of communication with the primary data centre, the Axxana Phoenix System rapidly repatriates the data set using a cellular broadband link, ensuring an exact copy; the recovered data can then be reintegrated by EMC's RecoverPoint. Here the remote copy is an exact mirror image of the data in the primary data centre thus fulfilling Zero Data Loss (RPO=0) and Recovery Time Objectives (RTO) requirements over any distance.&lt;/p&gt; &lt;p&gt;MTI, an active member of Storage Networking Industry Association (SNIA) Europe, has been diagnosing, designing and delivering hardware, software and services as scalable end-to-end solutions for over twenty years, enabling hundreds of organisations to maximise their IT investments and allowing technology to successfully support businesses. MTI, recently voted European Solution Centre of the year by EMC, now counts offices near Amsterdam, Frankfurt, London and Paris.&lt;/p&gt; &lt;p&gt;Axxana's Phoenix System RP EDR was tested with EMC RecoverPoint in a SAN environment by the EMC E-Lab. The EMC E-Lab conducts the industry's most rigorous interoperability testing, spanning every major platform and operating system. The Axxana Phoenix System RP EDR was first demonstrated at EMC World in May 2009. 
The Phoenix System RP is available now through EMC Select.&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>
<item>
		<title>Common Assurance Metric &#8211; Beyond the Cloud</title>
		<link>http://www.globalsecuritymag.com/Common-Assurance-Metric-Beyond-the,20100208,15868.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/Common-Assurance-Metric-Beyond-the,20100208,15868.html</guid>
		<dc:date>2010-02-08T16:00:15Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>Marc Jacob</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Special-Reports-.html">Special Reports</category>


		<description>The newly launched Common Assurance Metric (CAM) is a global initiative that aims to produce objective, quantifiable metrics to assure Information Security maturity in cloud, third party service providers, as well as internally hosted systems. This collaborative initiative has received strong support from Public and Private sectors, industry associations, and global key industry stakeholders. There is currently an urgent need for customers of cloud computing and third party IT services to be (...)

-
&lt;a href="http://www.globalsecuritymag.com/-Special-Reports-.html" rel="directory"&gt;Special Reports&lt;/a&gt;


		</description>


 <content:encoded>&lt;div class='rss_chapo'&gt;&lt;p&gt;&lt;strong&gt;The newly launched Common Assurance Metric (CAM) is a global initiative that aims to produce objective, quantifiable metrics to assure Information Security maturity in cloud, third party service providers, as well as internally hosted systems. This collaborative initiative has received strong support from Public and Private sectors, industry associations, and global key industry stakeholders.&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
		&lt;div class='rss_texte'&gt;&lt;p&gt;There is currently an urgent need for customers of cloud computing and third party IT services to be able to make an objective comparison between providers on the basis of their security features. As ENISA's work on cloud computing has shown, security is the number one concern for many businesses and governments. Existing mechanisms to measure security are often subjective and in many cases are bespoke solutions. This makes quantifiable measurement of security profiles difficult, and imposes the need to apply a bespoke approach, with an impact on time and, of course, cost. The CAM aims to bridge the divide between what is available and what is required. By using existing standards that are often industry specific, the CAM will provide a singular approach of benefit to all organisations regardless of geography or industry.&lt;/p&gt; &lt;p&gt;&quot;With today's complex IT architectures and heavy reliance upon third party providers, there has never been a greater demand for transparency and objective metrics for attestation&quot;, said Jim Reavis, Executive Director of the Cloud Security Alliance. &quot;The Common Assurance Metric framework has great promise to address this demand and the Cloud Security Alliance is proud to support this initiative and align our own cloud security metrics research with it.&quot;&lt;/p&gt; &lt;p&gt;&quot;Microsoft is committed to delivering secure, private, and reliable computing experiences. In today's interconnected world, trustworthiness of computing solutions depends on many interdependent components and requires broad industry collaboration. We look forward to contributing to the work on Common Assurance Metric.&quot; Matt Broda, Senior Security Strategist, Microsoft.&lt;/p&gt; &lt;p&gt;This work is essential. 
The number one barrier to adoption of cloud computing is assurance &#8211; &quot;how can I know if it's safe to trust the cloud provider?&#8221; This is a problem for providers too - answering a different security questionnaire for every customer is a huge drain on resources. Giles Hogben, Network Security Policy Expert, ENISA&lt;/p&gt; &lt;p&gt;&#8220;The Information Security Awareness Forum (ISAF) is committed to improving accessibility of advice through the promotion of consistent messages to help protect individuals and businesses alike. The Common Assurance Metric is a bold initiative that aspires to provide greater consistency in the security of cloud computing services. This will help to make the Internet a safer place for business and pleasure - an objective which the ISAF very much supports.&#8221; Dr David King, Chair ISAF.&lt;/p&gt; &lt;p&gt;&#8220;Security maturity is a major consideration in the adoption of cloud and collaboration technology, in fact a recent poll by Infosecurity Europe found that the lack of transparency around information assurance maturity was the biggest barrier to getting into the cloud for 94% security professionals (sample size 1014). Infosecurity Europe recognises that the CAM initiative can provide objective metrics which will enable customers to make timely and informed decisions to assure Information Security for cloud, third party service providers and internally hosted systems.&#8221; Tamar Beck, Group Exhibition Director, Infosecurity Europe.&lt;/p&gt; &lt;p&gt;&#8220;In an environment that is increasingly driven by regulatory and cost issues, confidence that your information is secure is a key factor to business success. But knowing who to trust your information to is an issue many businesses struggle to deal with effectively. 
The Common Assurance Metric will provide businesses with that confidence to choose the most appropriate partner to whom they can entrust their sensitive information.&#8221; - Brian Honan, Principal Consultant with BH Consulting.&lt;/p&gt; &lt;p&gt;The project team anticipate delivery of the framework in late 2010 followed by a process towards global adoption for organisations wishing to obtain an objective measurement of security provided by cloud providers, as well as the level of security for systems hosted internally.&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>


<item>
		<title>Cloud computing creates a new legal ballgame: But who will solve the legal issues on this important new technology?</title>
		<link>http://www.globalsecuritymag.com/Cloud-computing-creates-a-new,20100208,15867.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/Cloud-computing-creates-a-new,20100208,15867.html</guid>
		<dc:date>2010-02-08T15:57:51Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>Marc Jacob</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Special-Reports-.html">Special Reports</category>


		<description>Although there are a number of benefits that cloud computing brings to the better business table - including reduced servicing costs and increased flexibility on IT services - there are still a number of legal issues that need to be addressed, say the organisers of 360&#176;IT - The IT Infrastructure Event. According to Natalie Booth, the show's event director, Microsoft is quietly lobbying for new legislation in a number of key countries, with the software giant's general counsel reportedly (...)

-
&lt;a href="http://www.globalsecuritymag.com/-Special-Reports-.html" rel="directory"&gt;Special Reports&lt;/a&gt;


		</description>


 <content:encoded>&lt;div class='rss_chapo'&gt;&lt;p&gt;&lt;strong&gt;Although there are a number of benefits that cloud computing brings to the better business table - including reduced servicing costs and increased flexibility on IT services - there are still a number of legal issues that need to be addressed, say the organisers of 360&#176;IT - The IT Infrastructure Event.&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
		&lt;div class='rss_texte'&gt;&lt;p&gt;According to Natalie Booth, the show's event director, Microsoft is quietly lobbying for new legislation in a number of key countries, with the software giant's general counsel reportedly visiting several countries to lobby for the changes.&lt;/p&gt; &lt;p&gt;&quot;Microsoft's corporate counsel Brad Smith has been globe-trotting in connection with this for some time, as was confirmed by his presentation at the Brookings Institution last month,&quot; she said.&lt;/p&gt; &lt;p&gt;&quot;Brad Smith referred in his Brookings speech about Facebook's founder Mark Zuckerman's comments that `privacy is no longer a social norm,' and questioned this statement, calling on the US Congress to modernise the law, and filling in the gaps that cloud computing clearly creates,&quot; she said.&lt;/p&gt; &lt;p&gt;&quot;Smith also noted that it is often difficult to place a specific monetary value on the theft of content, reasoning that it makes more sense to impose statutory penalties on a per-victim basis,&quot; she added.&lt;/p&gt; &lt;p&gt;The problem facing regulators in most countries, Booth says, is that the penalties for hacking into an individual computer are the same as for a cloud-based IT system, even though the potential financial losses are clearly a lot higher.&lt;/p&gt; &lt;p&gt;According to the 360 IT Event show director, Smith's observations that legislation as it relates to cloud computing - with the courts in Belgium, Brazil and Italy seeking to impose penalties on US cloud entities in recent cases - is complex, is a very valid one, but the big question is who will administer this legislation.&lt;/p&gt; &lt;p&gt;It's interesting to note, she says, that Kroll Ontrack's major survey into data risk breaches - the third annual ESI trends study - the results of which were released last November, noted that firms may also face legal consequences following a breach due to the rising level of breaches in the news.&lt;/p&gt; 
&lt;p&gt;And, she explained, as firms place more and more of their data and IT assets in the cloud, the legal risks arising from cloud computing will rise, especially now that Gartner is predicting that, by 2014, around 20 per cent of businesses will have most, if not all, of their IT assets in the cloud.&lt;/p&gt; &lt;p&gt;&quot;What we are seeing is a sea change in the way companies access and store their data. The cloud is clearly the option of choice for a growing number of businesses, but the legal challenges this creates are a potential minefield,&quot; she said.&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>
<item>
		<title>Lancashire Constabulary Chooses 3ami MAS for Protective Monitoring of Force's IT Systems </title>
		<link>http://www.globalsecuritymag.com/Lancashire-Constabulary-Chooses,20100208,15866.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/Lancashire-Constabulary-Chooses,20100208,15866.html</guid>
		<dc:date>2010-02-08T10:21:09Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>Marc Jacob</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Market-News-.html">Market News</category>


		<description>Lancashire Constabulary is using 3ami Monitoring and Audit System (MAS) to comply with new data security regulations from the Association of Chief Police Officers (ACPO). Coming into effect March 2010, the ACPO Information Systems Community Security Policy lists &#8220;protective monitoring&#8221; as a control UK police forces must score against to comply with the policy matrix. With a few minor exceptions, such as passwords and confidential reporting, 3ami MAS will monitor all data input on Lancashire (...)

-
&lt;a href="http://www.globalsecuritymag.com/-Market-News-.html" rel="directory"&gt;Market News&lt;/a&gt;


		</description>


 <content:encoded>&lt;div class='rss_chapo'&gt;&lt;p&gt;&lt;strong&gt; Lancashire Constabulary is using 3ami Monitoring and Audit System (MAS) to comply with new data security regulations from the Association of Chief Police Officers (ACPO). Coming into effect March 2010, the ACPO Information Systems Community Security Policy lists &#8220;protective monitoring&#8221; as a control UK police forces must score against to comply with the policy matrix. With a few minor exceptions, such as passwords and confidential reporting, 3ami MAS will monitor all data input on Lancashire Constabulary's network of terminals, including mobile and portable terminals.&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
		&lt;div class='rss_texte'&gt;&lt;p&gt;&#8220;We expect that the implementation of 3ami MAS will ultimately result in a cost-saving, not just in the typical productivity sense, but also in the preventive message it sends out to the users of force computer systems,&#8221; said Detective Superintendent Martyn Leveridge. &#8220;It will provide us with the ability to resolve allegations of systems misuse more quickly and with more certainty, and allow the public additional confidence that systems are in place to protect data.&#8221;&lt;/p&gt; &lt;p&gt;Mr Leveridge added that the transition to 3ami MAS was a well-timed decision, with the ACPO Information Systems Community Security Policy coming into effect in March.&lt;/p&gt; &lt;p&gt;&#8220;The security and leakage of information has been identified in a number of national police assessments as being the greatest threat to operational security and integrity,&#8221; said Mr Leveridge. &#8220;Recent HMIC reports have made recommendations that all internal police computer systems should be made capable of auditing and being audited themselves, in order to ensure the integrity and confidentiality of sensitive information. The 3ami MAS installation is the cornerstone for achieving this.&#8221;&lt;/p&gt; &lt;p&gt;Lancashire Constabulary's primary use of 3ami MAS will be to aid the investigations of any corruption-related issues involving officers' and police staff&#8216;s use of force computer systems. Activities falling under the umbrella of &#8220;police corruption&#8221; include the following (among others): inappropriate disclosure of police information, interference with police evidence, breaches of information security, system infiltration/attack, and perverting the course of justice.&lt;/p&gt; &lt;p&gt;Tim Ellsmore, Managing Director of 3ami, said, &#8220;3ami MAS is an essential tool for enforcing the laws of a digital network. 
Police forces that do not monitor and audit activity on their network's computers have no real way of knowing what officers and civilian staff are doing on their computers, let alone their portable terminals, which are becoming increasingly prevalent.&#8221;&lt;/p&gt; &lt;p&gt;3ami MAS will coordinate and corroborate Lancashire Constabulary's existing auditing facilities into one comprehensive auditing framework. The software will be installed early in 2010, after a staff education programme.&lt;/p&gt; &lt;p&gt;&#8220;Before 3ami,&#8221; said Martyn Leveridge, &#8220;our existing force auditing capabilities were application-based. Therefore, any activity conducted other than via the user interface&#8212;such as database file transfers, printing, screen captures and copying onto external data devices &#8212; was not capable of being monitored. 3ami provides a single solution to these problems, binding together existing application-based auditing.&#8221;&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>
<item>
		<title>Call centres risk losing customers as complaints go unrecognised, says survey</title>
		<link>http://www.globalsecuritymag.com/Call-centres-risk-losing-customers,20100208,15865.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/Call-centres-risk-losing-customers,20100208,15865.html</guid>
		<dc:date>2010-02-08T09:58:26Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>Marc Jacob</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Special-Reports-.html">Special Reports</category>


		<description>A recent survey from speech search specialist Aurix has highlighted that 70 per cent of complaints made to call centres are &#8216;not being heard.' In addition over 96 per cent of respondents said that they would consider switching to a competitor as a result. In a series of questions, answered by more than 100 consumers, the Aurix survey asked respondents whether they had ever made a complaint to a call centre, and if so, whether that complaint was taken seriously by the agent. Peter Rogers, (...)

-
&lt;a href="http://www.globalsecuritymag.com/-Special-Reports-.html" rel="directory"&gt;Special Reports&lt;/a&gt;


		</description>


 <content:encoded>&lt;div class='rss_chapo'&gt;&lt;p&gt;&lt;strong&gt;A recent survey from speech search specialist Aurix has highlighted that 70 per cent of complaints made to call centres are &#8216;not being heard.' In addition over 96 per cent of respondents said that they would consider switching to a competitor as a result.&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
		&lt;div class='rss_texte'&gt;&lt;p&gt;In a series of questions, answered by more than 100 consumers, the Aurix survey asked respondents whether they had ever made a complaint to a call centre, and if so, whether that complaint was taken seriously by the agent.&lt;/p&gt; &lt;p&gt;Peter Rogers, CEO at Aurix explains, &#8220;Call centre agents are more often than not the first point of contact for complaints, so it's essential that they are dealt with quickly and efficiently. During these conversations customers form opinions on which they will base future decisions. Our snap shot survey reinforces the message that customers are significantly more likely to &#8216;churn' to a competitor based on a poor experience.&#8221;&lt;/p&gt; &lt;p&gt;&#8220;In my opinion, it is these interactions which should be viewed as an opportunity to gain feedback and intelligence, as well as to deal with the customer's query &#8211; take the chance to reinforce positive messages about your brand, not cause it any further damage.&#8221;&lt;/p&gt; &lt;p&gt;&#8220;Technologies such as speech analytics provide a basis for identifying complaints and situations which could escalate. It is by acting quickly to remedy these complaints &#8211; improving processes and training for agents - that call centres can convert unhappy customers into advocates &#8211; protecting and in some cases promoting your brand&#8221;&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>
<item>
		<title>ENISA: 17 golden rules to combat online risks and for safer surfing mobile social networks</title>
		<link>http://www.globalsecuritymag.com/ENISA-17-golden-rules-to-combat,20100208,15863.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/ENISA-17-golden-rules-to-combat,20100208,15863.html</guid>
		<dc:date>2010-02-08T08:44:22Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>enisa</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Special-Reports-.html">Special Reports</category>


		<description>The EU &#8216;cyber security' Agency - ENISA (the European Network and Information Security Agency) today presents a new report on accessing social networks over mobile phones, &#8216;Online as soon as it happens&#8217;. The report points out the risks and threats of mobile social networking services, e.g. identity theft, corporate data leakage and reputation risks of mobile social networks. The report also gives 17 &#8216;golden rules' on how to combat these threats. Online Social Networking Sites (SNSs) have had an (...)

-
&lt;a href="http://www.globalsecuritymag.com/-Special-Reports-.html" rel="directory"&gt;Special Reports&lt;/a&gt;


		</description>


 <content:encoded>&lt;div class='rss_chapo'&gt;&lt;p&gt;&lt;strong&gt;The EU &#8216;cyber security' Agency - ENISA (the European Network and Information Security Agency) today presents a new report on accessing social networks over mobile phones, &#8216;Online as soon as it happens&#8217;. The report points out the risks and threats of mobile social networking services, e.g. identity theft, corporate data leakage and reputation risks of mobile social networks. The report also gives 17 &#8216;golden rules' on how to combat these threats.&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
		&lt;div class='rss_texte'&gt;&lt;p&gt;Online Social Networking Sites (SNSs) have had an exceptional growth trend on the Internet. 211 Mn users (out of 283 Mn) in Europe use SNS, and, primarily, Facebook in 11/17 countries studied. The modern way of staying in touch with business or personal contacts is through SNS and other digital tools. Consequently, the ways people meet, share opinions, and communicate information and ideas are changing. With the growing popularity of SNS, the demand for instant, continuous access over the mobile phone has increased, i.e. mobile social networks (MSN). More than 65 Mn users now access the social network Facebook over their mobile device. MSN users are 50% more active than non-mobile users, and are estimated to be 134 Mn in Europe by 2012.&lt;/p&gt; &lt;p&gt;Many MSN users also use their phone as a backup device for business mails, personal data, contacts, pictures, and access codes. As a consequence, a lost mobile phone can cause serious damage, e.g. when illegitimately used to access MSNs. Many mobile phones come pre-packaged at purchase with built-in MSN applications, i.e. &#8216;on-deck' services.&lt;/p&gt; &lt;p&gt;Several stories from Italy, France, Spain, Greece and the UK show that many SNS/MSN users are largely unaware of security risks, privacy issues and threats related to misuse of the information put online in an SNS, and of proper online privacy protection. A number of unique MSN risks/threats are identified in the report. The ENISA report gives an overview of the situation and underlines that MSN users in particular need awareness of how to use social networks more safely on a mobile phone to avoid unexpected and damaging consequences. Risks include identity theft, serious damage to personal or corporate reputation, and data leakage.&lt;/p&gt; &lt;p&gt;Two sample case studies:&lt;/p&gt; &lt;p&gt;&#8226; Fake profile on Facebook. 
A professor at Turin University discovered someone else had created a profile for him at Facebook with offensive features, affecting his reputation.&lt;/p&gt; &lt;p&gt;&#8226; Data leakage/corporate reputation. After a 2008 incident, Virgin Atlantic airlines later dismissed 13 staff members who had posted comments on Facebook which e.g. criticised the cleanliness of the company's fleet and of its passengers. Similarly, British Airlines check-in staff at Gatwick posted messages on Facebook saying e.g. travellers were &#8216;smelly' and criticised the chaotic operations at Heathrow.&lt;/p&gt; &lt;p&gt;The paper also gives a comprehensive view of the SNS world under the lens of the European directive on data protection (Dir. 95/46/EC). The Executive Director of ENISA comments:&lt;/p&gt; &lt;p&gt;&#8220;This report provides practical, hands-on advice to the users of how to more safely be online, anywhere and anytime, when enjoying mobile social networks.&#8221;
The paper includes 17 practical &#8216;golden rules'. Samples include:&lt;/p&gt; &lt;p&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Remember to log out from the social network once your navigation is over. &lt;br /&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Do not allow the social network to remember your password (this function is called &#8216;Auto-complete').
&lt;br /&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Do not mix your business contacts with your friend contacts.
&lt;br /&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Report immediately stolen/lost mobile phone with contacts, pictures, or personal data in its memory &lt;br /&gt;&lt;img src=&quot;http://www.globalsecuritymag.com/local/cache-vignettes/L8xH11/puce-32883.gif&quot; width='8' height='11' alt=&quot;-&quot; style='height:11px;width:8px;' /&gt; Set the profile privacy level properly.&lt;/p&gt; &lt;p&gt;For all recommendations, please download the full report.&lt;/p&gt; &lt;p&gt;&lt;a href='http://www.enisa.europa.eu/act/ar/deliverables/2010/onlineasithappens' class='spip_out' rel='nofollow'&gt;http://www.enisa.europa.eu/act/ar/d...&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>
<item>
		<title>Keross: ISO 27001 Compliance Checklist &#8211; Best Practices</title>
		<link>http://www.globalsecuritymag.com/Keross-ISO-27001-Compliance,20100207,15860.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/Keross-ISO-27001-Compliance,20100207,15860.html</guid>
		<dc:date>2010-02-07T13:39:29Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>Keross</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Opinions-.html">Opinion</category>


		<description>ISO 27001's comprehensive scope and broad adoption base have made it the de facto international information security standard. As the backbone of a well-executed information security program, the standard can significantly increase managerial confidence in information assets. In addition, the ISO 27001 certification option gives companies a rare and powerful tool for reaping market benefits from internal security initiatives. ISO 27001's strength as a robust standard can also be its greatest (...)

-
&lt;a href="http://www.globalsecuritymag.com/-Opinions-.html" rel="directory"&gt;Opinion&lt;/a&gt;


		</description>


 <content:encoded>&lt;div class='rss_chapo'&gt;&lt;p&gt;&lt;strong&gt;ISO 27001's comprehensive scope and broad adoption base have made it the de facto international information security standard. As the backbone of a well-executed information security program, the standard can significantly increase managerial confidence in information assets. In addition, the ISO 27001 certification option gives companies a rare and powerful tool for reaping market benefits from internal security initiatives.&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
		&lt;div class='rss_texte'&gt;&lt;p&gt;ISO 27001's strength as a robust standard can also be its greatest challenge, however. Companies seeking to develop an ISO-compliant Information Security Management System (ISMS) must consider and potentially meet more than 130 discrete security control objectives listed in the standard. But building controls is only half the battle: the real work lies in the ongoing maintenance, tracking, and assessment of complex control implementations.&lt;/p&gt; &lt;p&gt;IKON PQM has been designed by auditors for auditors to help companies more efficiently manage and maintain ISO 27001 programs. Built on a globally accessible SaaS platform, PQM provides powerful automation and built-in expertise to reduce the cost and complexity of control selection, operational assessment, and real-time monitoring of critical operational functions.&lt;/p&gt; &lt;p&gt;PQM is uniquely designed to support both targeted compliance programs and the integration of programmatic audit and control initiatives into a holistic information governance practice. Incorporating the T2P Rationalized Operational Control KnowledgebaseTM (ROCK), PQM categorizes, ranks, and weights a harmonized set of hundreds of operational control objectives. 
Managers can choose, sort, and track controls just for ISO 27001; compare existing information security practices to IKON's rationalized list of operational best practices; and easily identify new opportunities for process efficiency across disparate security audit and operational programs.&lt;/p&gt; &lt;p&gt;Review some of our ISO 27001 Audit Checklist :&lt;/p&gt; &lt;p&gt;&#8226; &lt;a href='http://max.seosamba.com/preview/user_510/project_245/website_208/layout/PDF/Iso-27001-areas-and-supporting-departments-alignment-checklist.pdf' class='spip_out'&gt;ISO 27001 Mapping Area and Departments Checklist&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&#8226; &lt;a href='http://www.keross.com/iso-27001-it-security-support-and-implementation.html' class='spip_out'&gt;ISO 27001 IT Security Support and Implementation Checklist&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&#8226; &lt;a href='http://www.keross.com/iso-17799-network-vulnerability-assessment-evaluation-checklist.html' class='spip_out'&gt;ISO 17799 Network Vulnerability Assessment Evaluation Checklist&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>
<item>
		<title>Keross: PCI Compliance Checklist &#8211; Best Practices</title>
		<link>http://www.globalsecuritymag.com/Keross-PCI-Compliance-Checklist,20100207,15857.html</link>
		<guid isPermaLink="true">http://www.globalsecuritymag.com/Keross-PCI-Compliance-Checklist,20100207,15857.html</guid>
		<dc:date>2010-02-07T13:32:42Z</dc:date>
		<dc:format>text/html</dc:format>
		<dc:language>en</dc:language>
		<dc:creator>Marc Jacob</dc:creator>

<category domain="http://www.globalsecuritymag.com/-Opinions-.html">Opinion</category>

		<dc:subject>affiche_gauche</dc:subject>

		<description>The Payment Card Industry Data Security Standard (PCI DSS) has changed the way merchants around the world handle personal and account data. Stringent control mandates, audit reporting requirements, and the threat of hefty penalties for noncompliance have compelled companies that process payment cards to closely review&#8212;and in many cases revamp&#8212;operational networks and systems. As a relatively specific and granular information security standard, PCI challenges organizations at many levels: (...)

-
&lt;a href="http://www.globalsecuritymag.com/-Opinions-.html" rel="directory"&gt;Opinion&lt;/a&gt;

/ 
&lt;a href="http://www.globalsecuritymag.com/+-affiche-gauche-+.html" rel="tag"&gt;affiche_gauche&lt;/a&gt;

		</description>


 <content:encoded>&lt;div class='rss_chapo'&gt;&lt;p&gt;&lt;strong&gt;The Payment Card Industry Data Security Standard (PCI DSS) has changed the way merchants around the world handle personal and account data. Stringent control mandates, audit reporting requirements, and the threat of hefty penalties for noncompliance have compelled companies that process payment cards to closely review&#8212;and in many cases revamp&#8212;operational networks and systems.&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;
		&lt;div class='rss_texte'&gt;&lt;p&gt;As a relatively specific and granular information security standard, PCI challenges organizations at many levels: interpretation, implementation, assurance, and integration. The standard itself lists almost 200 control objectives that organizations must meet, track, maintain and audit to achieve compliance. Some requirements, such as daily log review and vulnerability testing, cannot practically be met with manual methods. In addition, tracking PCI controls and related assurance materials consumes extraordinary time and budget in many companies. This PCI compliance &#8220;overhead&#8221; not only diverts key IT resources from mission-critical operational functions, it also undermines PCI's potential value as a model of information security for all key operational systems.&lt;/p&gt; &lt;p&gt;IKON PQM has been designed by auditors for auditors to help companies reduce the cost and complexity of PCI compliance programs. Built on a globally accessible SaaS platform, PQM provides powerful automation and built-in expertise, allowing managers to more easily identify&#8212;and demonstrate&#8212;what PCI requires, what needs to be accomplished for compliance, and how PCI security controls can be harmonized with the overall organizational information security practice.&lt;/p&gt; &lt;p&gt;PQM is uniquely designed to support elemental PCI compliance programs, as well as the integration of programmatic audit and control initiatives into holistic operational governance practice. Incorporating the T2P Rationalized Operational Control Knowledgebase&#8482; (ROCK), PQM categorizes, ranks, and weights a harmonized set of hundreds of operational control objectives.
Managers can choose, sort, and track controls just for PCI; compare existing information security control practices to IKON's rationalized list of operational best practices; and easily identify new opportunities for process efficiency across disparate information security and audit programs.&lt;/p&gt; &lt;p&gt;Please review some of our audit checklists:
&lt;br /&gt;&lt;a href='http://www.keross.com/pci-dss-requirements-version-12.html' class='spip_out'&gt;PCI DSS 1.2 Requirements&lt;/a&gt;
&lt;br /&gt;&lt;a href='http://www.keross.com/log-management-checklist-for-hipaa-pci-dss-sox-and-fisma.html' class='spip_out'&gt;Log Management Audit Checklist&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;
		
		</content:encoded>


		

	</item>

</channel>

</rss>
