[ISN] Security Diligence Is Overdue
isn at c4i.org
Thu Jun 29 04:52:43 EDT 2006
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which
you might be interested. Please take a moment to visit these
advertisers' Web sites and show your support for Security UPDATE.
1. In Focus: Security Diligence Is Overdue
2. Security News and Features
- Recent Security Vulnerabilities
- Two New Excel Vulnerabilities Surface
- Workarounds for the First of Two Excel Vulnerabilities
- Windows Defender
3. Security Toolkit
- Security Matters Blog
- Share Your Security Tips
4. New and Improved
- Faster Intrusion Protection
==== Sponsor: SPI Dynamics ====
ALERT: "Top Web Application Hacker Tricks"
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation. Learn step-by-step vulnerability
testing methods for your own Web Applications and guidelines for
establishing best administration and coding practices.
==== 1. In Focus: Security Diligence Is Overdue ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
I recently came across some very interesting survey information
published by Deloitte Touche Tohmatsu (DTT). The company conducted a
survey of security executives in 150 companies from 30 countries whose
business relates to technology, media, and telecommunications (TMT).
The results shed some light on why some companies are open to security
According to the survey results, the majority of the surveyed companies
consider themselves reactive (as opposed to proactive) when it comes to
investing in information security. In other words, they spend money in
response to breaches but don't typically spend nearly as much money to
Only 4 percent of the companies think they're addressing the problem
sufficiently; only 25 percent have already implemented or are in the
process of implementing antiphishing protection; only 37 percent
provided security training to employees over the past 12 months; only
24 percent believe their current security tools are being used
effectively; and only 33 percent perform security risk assessments.
Another interesting pair of findings is that half of the companies that
suffered breaches over the past 12 months were victims of insider
attacks, yet only 47 percent of the companies believe they are
adequately protected against such internal attacks.
Brian Geffert, principal of Deloitte Security and Privacy Services,
said about the survey findings, "When it comes to security, TMT
companies are talking the talk but not yet walking the walk. Survey
respondents say that security is a top concern, but it is still not
being addressed across the organization from a risk-based perspective,
despite recent breaches costing million[s] of dollars of damage and
inestimable harm to companies' reputations, brands, revenue and
productivity. In fact, more than half of security executives surveyed
admit that their security investments are falling behind the threats or
at best just catching up."
Eye opening, isn't it? In a parallel study, DTT polled financial
institutions as well as life sciences and health care companies.
Although DTT didn't say how many companies took part in those studies,
it did say that 78 percent of the financial institutions had
experienced an external security breach and 49 percent had experienced
an internal security breach in the past year. Seventeen percent of life
sciences and health care companies had experienced an external security
breach and 9 percent had experienced internal breaches. Wow!
How many news stories have you read over the past several months about
some company suffering either an intrusion or equipment loss that
exposed people's private information? We can't go more than a week or
so without yet another of these stories coming to the surface, which
just reinforces DTT's findings.
It seems to me, even more so in light of DTT's survey results, that the
problems of intrusion and identity theft must be due to a lack of
diligence, or maybe a lack of funding to support proper diligence.
After all, with proper funding, how hard is it to diligently defend
your enterprise network, and how hard is it to diligently protect your
mobile computing devices and backup media? The former can be tedious,
of course, but not overly difficult. The latter requires mostly
attentiveness and common sense on the part of users to avoid theft or
other forms of loss.
If, in your opinion, your company isn't providing adequate resources
for a diligent approach to information security, consider pointing your
executives or decision makers to this editorial and DTT's press
release. Maybe it'll help open some eyes.
==== Sponsor: Diskeeper ====
FREE UTILITY: SCANS YOUR SITE FOR SYSTEM SLOWDOWNS
Disk Performance Analyzer for Networks is a FREE utility that remotely
scans your networked systems looking for severe fragmentation-related
disk performance bottlenecks. Disk fragmentation is a major source of
slowdowns, freeze-ups and headaches; with Disk Performance Analyzer for
Networks you can find and address potential problems before they become
help desk calls. Find disk performance problems before they find you:
download the FREE Disk Performance Analyzer for Networks now!
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
Two New Excel Vulnerabilities Surface
You know the adage: When it rains it pours. On the heels of a zero-day
Excel vulnerability reported two weeks ago come two more
Microsoft-related vulnerabilities, one in Excel and one in Windows.
Workarounds for the First of Two Excel Vulnerabilities
Two weeks ago, a zero-day exploit was discovered that affects
Microsoft Excel. The vulnerability could allow the execution of
arbitrary code on an affected computer. Microsoft has published a
security advisory that includes possible workarounds to help you
protect your systems.
Windows Defender
Windows Defender Beta 2 is Microsoft's second antispyware beta
release, but it really feels more like a new program. New graphics,
tighter integration into the OS, and a streamlined interface all set
this release apart from its predecessor, Microsoft AntiSpyware Beta 1.
Jeff Fellinge gives you the skinny in this article on our Web site.
==== Resources and Events ====
Attend Black Hat 2006 in Las Vegas July 29 - August 3; 2,500+
international security experts, 10 tracks, no vendor sales pitches.
Event Log (for Windows systems) and Syslog (for UNIX/Linux systems)
contain a wealth of information. In this free Web seminar, you'll learn
about the processes, challenges, and benefits of consolidating events
on a centralized server. Plus--identify the 50 critical events that
should be monitored in your enterprise. Live Event: Thursday, June 29
Make full use of your VoIP network--integrate Fax for IP to reduce TCO
and increase the ROI for your investment. On-demand Web seminar
Learn the essentials about how consolidating hardware and updating
selected technologies can help you build an infrastructure that can
handle change effectively.
In this free podcast, Randy Franklin Smith outlines five points to
consider when choosing an antispyware solution. Download the podcast
today, and you could win an iPod!
Implement real-time processes in your email and data systems--you could
also win a Best Buy Gift Card! Register today; the contest ends June
==== Featured White Paper ====
Strategically managing software licenses saves time and cuts costs by
centralizing licensing operations. Use this 5-step program to quickly
implement your license management program.
Don't miss your chance to win a pair of Bose Triport Headphones!
Download any white paper from Windows IT Pro before June 30 to enter.
See the full selection of papers today at
==== Hot Spot ====
Free White Paper - "7 Steps for SIMple Log Monitoring"
Activeworx collects event logs from all your security devices and
vendors to provide a single Dashboard view along with correlated
alerts; hundreds of compliance reports; and deep forensics tools. Easy
to install and use. Personalized support. Click for Free White Paper -
7 Steps for SIMple Log Monitoring
==== 3. Security Toolkit ====
Security Matters Blog: WildPackets' OmniPeek Personal
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2FEF1:4FB69
Need an alternative to Ethereal and Wireshark? The OmniPeek Personal
packet capture and analysis tool might be your answer.
by John Savill, http://list.windowsitpro.com/t?ctl=2FEEF:4FB69
Q: Where is the remote wipe facility in Microsoft Exchange Server 2003
Service Pack 2 (SP2)?
Find the answer at http://list.windowsitpro.com/t?ctl=2FEED:4FB69
Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
==== Announcements ====
(from Windows IT Pro and its partners)
Summer Special--Save 58% off Windows IT Pro
Subscribe to Windows IT Pro today and SAVE 58%! Along with your 12
issues, you'll get FREE access to the entire Windows IT Pro online
article archive, which houses more than 9,000 helpful articles. This is
a limited-time offer, so order now:
Need Access to Helpful SQL Server Articles?
Subscribe to SQL Server Magazine today and SAVE 58%! Along with your
12 issues, you'll get FREE access to the entire SQL Server Magazine
online article archive, which houses more than 2,300 helpful articles.
This is a limited-time offer, so order now:
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Faster Intrusion Protection
Third Brigade announced Deep Security 4.5, the newest release of its
intrusion prevention system (IPS) that protects mission-critical hosts,
applications, and data from malicious attacks. New features are
designed to help customers deploy Deep Security more quickly. Customers
can purchase Third Brigade Deep Security Manager to place Deep Security
Agent software in IPS-ready mode on any number of hosts at no extra
cost. Then when they're ready, they can switch the Agent from detection
to prevention mode. Deep Security 4.5 also offers preconfigured
security profiles for more than 80 software applications that run on
Windows, Linux, and Solaris. And Third Brigade says it delivers new
filters within hours of the announcement of new software
vulnerabilities. For more information, go to
Tell Us About a Hot Product and Get a Best Buy Gift Card!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a Best Buy Gift Card if we write about the product in a
Windows IT Pro What's Hot column. Send your product suggestion with
information about how the product has helped you to
whatshot at windowsitpro.com.
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2FEF3:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2006, Penton Media, Inc. All rights reserved.