Don Parker Blog


Upcoming training by Derek Melber

Derek Melber, who is one of the authors at WindowSecurity, has some upcoming training sessions that some of you may be interested in. Give the below a read!

Derek Melber is one of the most dynamic and exciting trainers and speakers in the IT industry today. Join Derek in one of his public seminars, where you can learn about Active Directory, Windows security, Group Policy, SoftGrid Application Virtualization, and Centralized Desktop Security and Management. With over 15 books written on these subjects, Derek is a wealth of knowledge. You will be amazed at how Derek can take a complex technology and explain it in a way that everyone can understand simply. Derek has spoken at TechEd, TechMentor, Windows Connections, and private Microsoft events. Derek was responsible for training all Microsoft employees, partners, and channels about Advanced Group Policy Management (AGPM) for the past year. To learn more about the public seminars or have Derek come directly into your company, contact him at derekm@braincore.net.

Upcoming Events: (tell them to mention my name at registration, code will come soon)

TechMentor Las Vegas - October 15-19 (www.techmentorevents.com)

Windows Connections Las Vegas - November 5-9 (www.winconnections.com)


Modulo Risk Manager

Modulo Risk Manager Spotlights Governance, Compliance and Risk Management

Extensive new version utilizes 4000+ data collectors, 11,000 controls, and 250 knowledge bases

June 27, 2007-New York, NY- Modulo, a market leader in governance, risk management, and compliance software, announced today the availability of the latest version of Risk Manager™. Modulo Risk Manager helps organizations streamline and automate processes required for in-depth risk assessment and compliance projects. An enhanced compliance module, expanded knowledge bases, and customized reports are just a few of the new features included in this latest release.

Modulo Risk Manager collects, centralizes, and generates reports relating to technology assets, such as software and equipment, as well as non-technology assets such as people, processes and physical facilities within an organization to assess risk and ensure compliance. Modulo Risk Manager can now communicate risk in several ways, integrating business and technical views and providing risk illustrations by asset, perimeter, business component, and threat as well as additional customizable options.

“We are dedicated to helping our customers effectively protect their assets while meeting regulatory compliance mandates,” said Alvaro Lima, director and co-founder of Modulo. “This enhanced version of Modulo Risk Manager assists organizations in meeting their risk assessment and compliance goals in the most efficient way possible.”

Modulo has further expanded Risk Manager to include 4,000 automatic data collectors, 11,000 controls, and 250 knowledge bases which incorporate SOX, PCI, HIPAA, ISO 17799 and 27001, COBIT, FISMA, NIST 800-53a, FIPS 199, A-130, DOD 8500.2 and Shared Assessments compliance standards among many others. Users can now generate multiple compliance reports from the same set of data, eliminating “audit silos”, as well as generate a score and set of reports for any of the included compliance standards. Live updates, remote installation capabilities, and database integration are also included in the new version of Modulo Risk Manager.

ABOUT MODULO

Modulo is Latin America’s market leader for information security and risk assessment software and services. Founded in 1985 and employing 300 employees worldwide, Modulo Security recently expanded operations and partnership outreach to the United States, with its office headquarters in New York. Modulo’s Risk Manager Software provides organizations with the tools they need to automate the processes required for assessing and eliminating security vulnerabilities and attaining regulatory compliance. For more information on Modulo and Risk Manager, visit www.modulo.com.


VMWare rocks

I now have the latest VMware release and I must admit I love it as always. The reason I needed to upgrade was that I wanted to run a virtual instance of Microsoft Vista for some research. Since I became a convert to VMware several years ago I can’t really imagine not having it. It really is an indispensable tool to have at one’s disposal, especially so if you are testing various configurations for one reason or another. How about you guys? What are your thoughts and uses for VMware?


Educating the courts

It is of little surprise to me that one of the areas being looked at after the Amero trial fallout is that of educating the court system as it impacts IT matters. Can you imagine being convicted of a crime because of someone else’s ignorance? Almost like being executed and later proven to be innocent, isn’t it? At least in this case it would not have been capital punishment. This though is an excellent example of the court system needing some IT guidance, be it in the form of expert witnesses or other such means.


Is Big Brother needed to police the web?

Well, I read the following article with some trepidation. We all know that pretty much all bot armies are made up of users who are not computer savvy. That said, do we need the government to step in and start mandating change? I for one would think no, not at all. Well, who then? Is it the ISP’s fault? Well, I would say partially yes. In reality the blame rests completely upon the home user who has not paid that much attention to computer security, not even in its most basic form, i.e. a f/w and a/v solution. About all we can really hope for is that all computers are sold with a package of f/w and a/v, which most are nowadays. All roads seemingly then lead to the apathetic home user who pays a lot more attention to their wallet than their computer. As we all know they are pretty much one and the same nowadays with home-based banking and such. Bottom line is, there is no easy solution to this problem.


Barrie Dempster speaking at Blackhat 2K7

I was recently made aware that Barrie Dempster, one of our members at the forums for WindowSecurity, will be speaking at Blackhat 2K7. His talk will be based on VoIP security, which, unless you are not involved in the computer security arena, is becoming more and more important. This is due to many companies beginning to adopt this new and still maturing technology in order to effect some cost savings. Well done Barrie! Hopefully you will all join me in congratulating Barrie on his successful talk submission at Blackhat. Not sure yet if I will be attending this year or not, but I will be sure to drop by and say congrats to him if I do.


Can you afford to pay $500K in fines?

New version 5 of Acunetix Web Vulnerability Scanner ensures companies meet PCI compliancy

London, UK - June 11, 2007 - The PCI Compliancy Standard requires any company that has a website and does business online to ensure their web site and web applications are secure. Penalties for noncompliance range from fines of up to $500,000, to increased auditing requirements or even losing the ability to process credit card transactions. Acunetix today announced the release of Acunetix Web Vulnerability Scanner v5, which includes an extensive compliancy reporting tool amongst others, to aid companies in achieving PCI compliancy.

“PCI compliance, required by September 2007, is not just another bureaucratic standard to comply to. It’s a standard to protect consumers and the future of online business, based on real world needs. To avoid similar cases such as TJX happening again, it is imperative that companies take all the necessary precautions to ensure they reach compliancy,” announced Nick Galea, CEO Acunetix.
“Acunetix WVS v5 will check your web site and alert you to any issues you need to fix. Once fixed, it will create a detailed report which will allow you to easily prove that you meet these particular PCI standards.”

Acunetix WVS v.5 helps meet the following PCI requirements:

  • (Requirement 2.2.4) Remove all unnecessary functionality
  • (Requirement 2.3) Encrypt all non-console administrative access
  • (Requirement 4) Encrypt transmission of cardholder data across open, public networks
  • (Requirement 6) Develop and maintain secure systems and applications
  • (Requirement 6.5.1) Unvalidated Input
  • (Requirement 6.5.2) Broken Access Control
  • (Requirement 6.5.3) Broken Authentication and Session Management
  • (Requirement 6.5.4) Cross Site Scripting (XSS) Flaws
  • (Requirement 6.5.5) Buffer Overflows
  • (Requirement 6.5.6) Injection Flaws
  • (Requirement 6.5.7) Improper Error Handling
  • (Requirement 6.5.8) Insecure Storage
  • (Requirement 6.5.9) Denial of Service
  • (Requirement 6.5.10) Insecure Configuration Management

A PCI Compliance Guide is available at: http://www.acunetix.com/websitesecurity/PCI-Compli...ce.pdf

Other important new features:

Acunetix Reporter 
The Acunetix Reporter is a separate application which provides centralized control over all reporting and documentation needs. The Reporter allows single-click reporting capability and features multiple reporting formats such as vulnerability and developer reports, compliance (including The Health Insurance Portability and Accountability Act (HIPAA), OWASP TOP 10 2004, OWASP TOP 10 2007, Payment Card Industry (PCI), Sarbanes Oxley Act of 2002, Web Application Security Consortium: Threat Classification), comparison, and also statistical reports. The Reporter allows reports to be exported as PDF, RTF, HTML, BMP, and PRN formats.

Web Services Scanner
Many organizations are implementing the Web Services architecture to increase the availability of information and to improve process execution over the internet. Web Services, like any other internet-dependent system, present new exploit possibilities and increase the need for security audits. The Web Services Scanner performs automated vulnerability scans for Web Services and generates detailed security reports from the results.

Web Services Editor
Allows importing an online or local WSDL and sending custom operation inputs over the service’s SOAP ports. Also includes in-depth analysis of the WSDL structure, covering the parameters in the XML schema and the various operations over the SOAP service ports.

Subdomain Scanner
Automatically scans a top-level domain to locate any subdomains configured in its hierarchy by using the target domain’s DNS server, or by specifying one manually. Any subdomains discovered can be scanned for vulnerabilities from within the tool itself, or imported directly into the HTTP Editor for further analysis through custom requests.

Pricing and availability
Acunetix WVS is available in three versions: Small Business Version (scans 1 nominated website), Enterprise Version (scans unlimited websites) and Consultant Version (scans unlimited third party websites). Pricing starts at $1995 for a perpetual Small Business license and $5995 for a perpetual Enterprise license.

About Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner ensures website security by automatically checking for SQL injection, Cross site scripting and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. Acunetix also crawls and analyzes websites including flash content, SOAP and AJAX. As the scan is being completed, the software produces detailed reports that pinpoint where vulnerabilities exist.

About Acunetix
Acunetix was founded to combat the alarming rise in web attacks. Its flagship product, Acunetix Web Vulnerability Scanner, is the result of several years of development by a team of highly experienced security developers. Acunetix is a privately held company with headquarters based in Europe (Malta), a US office in Seattle, Washington and an office in London, UK. For more information about Acunetix, visit: http://www.acunetix.com; http://www.acunetix.de.

ScriptLogic Introduces New Security Management Features for Microsoft Office SharePoint Server 2007 in Security Explorer 6.5

Enhancements Manage Permissions and Access Controls for Popular Document Portal Server; Product Demonstrated as Part of Company Activity at Microsoft Tech·Ed 2007

Orlando, Fla. – Microsoft Tech·Ed 2007 (Booth 1013) – June 4, 2007 – ScriptLogic® Corporation (www.scriptlogic.com), a leading provider of systems lifecycle management solutions for Microsoft® Windows®-based networks, today announced enhancements to ScriptLogic’s Security Explorer™ product that specifically address security challenges inherent to Microsoft® Office SharePoint™ Server 2007. IT administrators can rely on Security Explorer 6.5 for SharePoint to improve the security management related to end user access to SharePoint, assisting with regulatory compliance while optimizing IT resources.

The release of Security Explorer 6.5 for SharePoint allows management of Microsoft Office SharePoint Server 2007 (MOSS 07) and Windows SharePoint Services v3 (WSS3), increasingly popular solutions used by enterprises to centrally store and manage documents and files. With the new Security Explorer 6.5 for SharePoint version, IT administrators can explore a tree view of the entire SharePoint site, easily set and search user permissions for SharePoint libraries and files, and back up and restore security settings as necessary. Finally, Security Explorer 6.5 for SharePoint can edit SharePoint permission levels and SharePoint groups, making it the most comprehensive permission management solution for SharePoint.

“The SharePoint Server solution is quickly emerging as a viable alternative to direct connections to file servers, and for that reason our customers are very interested in a solution that will manage SharePoint security and permission settings,” said Nick Cavalancia, vice president of marketing at ScriptLogic. “We’ve enhanced Security Explorer to bring the full power of the solution to the SharePoint environment. Our customers can rely on the product to save time, enhance security efforts and assist with compliance.”

With today’s announcement, Security Explorer extends its capabilities to SharePoint Server, dramatically reducing the time and difficulty involved in managing access rights to SharePoint content, and assisting with reporting on file server compliance for regulatory purposes. In addition to the world-class SharePoint security management features, ScriptLogic’s Security Explorer manages access controls, services and tasks on Windows servers and desktops. Without Security Explorer, completing these IT tasks is time-consuming, prone to error, and requires a high level of skill. IT professionals use the product for rapid, comprehensive management of user permissions for file systems (NTFS), printers, the registry, file shares, services and scheduled tasks.

“ScriptLogic’s Security Explorer 6.5 for SharePoint is a cool product for IT administrators that have deployed or are adopting SharePoint,” said Ivan Sanders, a SharePoint consultant with Dimension Solutions. “With a simple point & click interface, my clients can manage their SharePoint permissions by cloning existing permissions, adding users to existing roles or granting new permissions on SharePoint servers. Plus, managing their NTFS, share, registry, printer, and service permissions - as well as backing up and restoring those permissions - is just as easy. Security Explorer is one of the best on the market, allowing you to quickly assess and apply permissions throughout SharePoint. This saves time and, more importantly, contributes to other tasks that IT pros are regularly tasked with, such as reporting and the many edicts from the board rooms of companies requiring close control over content that employees access.”

Security Explorer Demonstrated at Microsoft Tech·Ed

ScriptLogic company officials will demonstrate Security Explorer 6.5 for SharePoint and other company solutions in the company’s booth (No. 1013) at Microsoft Tech·Ed, held this week (June 4-8) at the Orange County Convention Center in Orlando, Fla. The booth activity is just one in a series of activities the company has planned for the conference. In addition, ScriptLogic is inviting booth visitors to be “on the cover” of Redmond Magazine, a well-known publication to IT administrators. By stepping into a company-sponsored photo booth, IT administrators can receive a “sample” Redmond cover with their picture as recognition for being a crucial part of their organization’s overall IT efforts and a desktop or server “rockstar.”

Pricing and Availability

Security Explorer 6.5 for SharePoint is currently in beta and will be generally available in the next few weeks. The product is priced on a per-server and per-workstation basis with volume discounts available through ScriptLogic’s global network of reseller partners. A free 30-day evaluation of this product and of all software solutions from ScriptLogic is available at www.scriptlogic.com.

About ScriptLogic

ScriptLogic Corporation is a leading global provider of systems lifecycle management solutions for Microsoft Windows-based networks. ScriptLogic’s award-winning suite of desktop, server, and Active Directory management products helps empower network administrators to proactively save time, increase security, and maintain regulatory compliance. More than 19,500 customers use ScriptLogic solutions to manage approximately 4.8 million desktops and 100,000 servers. ScriptLogic solutions benefit any size network in any industry. ScriptLogic is a privately held company headquartered in Boca Raton, Florida. Reach ScriptLogic at (561) 886-2400 or on the Web at www.scriptlogic.com.

Big Blue buys Watchfire

I am not quite sure if it is a good idea that smaller security vendors are being bought out by large multi-nationals. While it is laudable that IBM is buying out Watchfire to become a better balanced solution provider, it makes you wonder if it is good as a whole for the security landscape. This approach of buying up smaller security providers was seemingly pioneered by Symantec. I suppose you could say then that the goal of any startup is that of being purchased by one of the big players. That or hopefully surviving till the IPO. Either way, I think I preferred it when Watchfire was on its own, vice now being an IBM offered solution.


Is your company PCI DSS compliant?

Companies have until September 30 to comply or otherwise face fines up to USD 500,000

London, UK, 29 May, 2007 – GFI Software, a leading developer of network security, content security and messaging software, has today launched a white paper to explain what the Payment Card Industry Data Security Standards (PCI DSS) are, how they affect different companies and the repercussions of non-compliance.

As from September 30, 2007 all businesses handling cardholder data – irrespective of size – have to be fully compliant with strict security standards drawn up by the world’s major credit card companies. The move to tighten up security comes as an increasing number of firms report that customer data has been lost or stolen.

Credit card fraud was the most common form of identity theft, with 26% of all reported occurrences in 2005, with more than USD 48 billion lost by financial institutions and businesses in that year and USD 5 billion lost by individuals. The white paper examines the consequences of cardholder data theft and explains in detail what the PCI directive is, why it is important that companies comply with these standards, the consequences of non-compliance and finally, what solutions are available to help companies become compliant.

The white paper also outlines how two of GFI’s leading network security products – GFI LANguard N.S.S., a complete vulnerability management solution, and GFI EventsManager, a powerful events log management solution – can help companies to meet all the ‘technical’ requirements imposed by the PCI DSS.

For more information on PCI DSS please visit http://www.gfi.com/security/pci.htm and to download a copy of the white paper, http://www.gfi.com/whitepapers/pci-dss-made-easy.pdf. For more information on GFI LANguard N.S.S. visit http://www.gfi.com/lannetscan/ and on GFI EventsManager visit: http://www.gfi.com/eventsmanager/.
