According to Thor Olavsrud, it’s all about visibility and control. But what does that mean, exactly? Even though security is a major concern for enterprises and small businesses alike when it comes to cloud computing, a recent survey showed that only about 29 percent of companies said they engaged in heavy or comprehensive review of the cloud service providers’ security practices. Companies switching to cloud solutions are finding out that some of those solutions may not meet the regulatory requirements under which they have to operate. The recent case of the City of Los Angeles, which discovered that Google Apps wasn’t compliant with the FBI’s security requirements after deciding to use the service is one example. Read more here:
http://www.computerworld.com/s/article/9224385/Sec...mber=2
Attackers have taken to using the Domain Name System (DNS) to communicate with their botnets, rather than more traditional avenues such as TCP and HTTP. That’s because you can generally detect the malicious traffic going through those protocols with your firewall or IDS/IPS. That’s harder to do with DNS traffic, because it doesn’t normally get inspected or filtered. Thus clever bot masters are hiding their transmissions by taking advantage of this, sending instructions to zombie (infected) computers via DNS responses. Find out more about this here:
http://www.computerworld.com/s/article/9224743/Mal...yId=17
Security is still a major concern for those considering a transition to cloud computing, but what if the cloud was able to identify that a cyberattack is happening and thwart it, without any impact on users? MIT researchers (funded by DARPA), is working on that very project, as part of their “Cloud Intrusion Detection and Repair” study. The aim is to create a set of guidelines the cloud infrastructure can use to assess itself and rid itself of the problem, sort of like the way the human immune system responds to the attacks of viruses, bacteria, etc. Find out more:
http://www.computerworld.com/s/article/9224655/MIT...ews%29
This has been a big week for security, with lots of news coming out of the RSA Conference in San Francisco. Scott Charney, Microsoft’s corporate vice president of Trustworthy Computing, gave a keynote presentation in which he talked about the security risks that go along with the combination of two of today’s hottest IT trends: “big data” and cloud computing. The concerns he expressed regarding the privacy implications are something that should concern us all. Read more here:
http://searchsecurity.techtarget.com/news/22401187...lenges
The Windows 8 consumer preview was released today, and I’m impressed so far. I like the way the Metro interface and traditional desktop work together and compliment one another. But what about security software specifically designed for the new OS? One of the first to come out is mSecure’s Metro style app for protecting personal information (account numbers, usernames/passwords, etc.) with strong encryption. It’s free during the Windows 8 consumer preview period and you’ll be able to download it from the Windows Store.
http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2...04.DTL
If you’re new to the Windows Certificate Services that are included in Windows Server, you know that sometimes getting things to work properly can take a bit of time and tweaking. What if you’ve configured CA level auditing settings through the auditing tab of the Certification Authority properties, but there are no CA-related events showing up in the Windows security log? There’s another step that you might have left out. Jan De Clercq tells you what you need to do over on the Windows IT Pro web site:
http://www.windowsitpro.com/article/public-key-inf...142391
Regulatory compliance is the bane of many a network admin’s existence, and many organizations whose leaders think they are in full compliance really aren’t. That’s not entirely their faults; the requirements can be difficult to decipher. Another problem is that you may be making assumptions about your security that just aren’t true, or relying on assurances from others who are making such assumptions and/or who don’t understand the requirements. Read this article about five dangerous compliance assumptions to be sure your organization isn’t making any of these mistakes:
http://www.darkreading.com/compliance/blog/2326013...s.html
Security policies are the backbone of an organization’s strategy to protect its digital assets, but if those policies aren’t followed by the employees using the company network, they can’t do their job. A survey sponsored by McAfee and Xerox has discovered that over half of employees don’t follow the company’s security policies, and many of them don’t even know what the policies are. The security risks posed by networked printers, scanners and copies are particularly unrecognized. Read more here:
http://www.infosecurity-magazine.com/view/23982/is...icies/
Sometimes I get a little “Americentric,” since I live and work in the U.S. But our audience here is international, and many U.S. companies operate branches in other countries, as well. Last month, The European Union released new data security regulations, which member states are required to implement. One of the main components is an update to the data breach law, which set some strict rules for notification of affected customers and employees and also impose new fines that can be as much as €1,000,000 or 2% of a company’s global annual turnover – a huge increase. Businesses that operate in Europe need to be aware of this new law and start making plans for compliance. Luckily, there is some time to do that, since the timeline doesn’t come into force until 2015. Find out more:
http://www.veracode.com/blog/2012/02/the-new-eu-da...sider/
