[ISN] Security Diligence Is Overdue

InfoSec News isn at c4i.org
Thu Jun 29 04:52:43 EDT 2006


This email newsletter comes to you free and is supported by the 
following advertisers, which offer products and services in which 
you might be interested. Please take a moment to visit these 
advertisers' Web sites and show your support for Security UPDATE. 

SPI Dynamics




1. In Focus: Security Diligence Is Overdue

2. Security News and Features
   - Recent Security Vulnerabilities
   - Two New Excel Vulnerabilities Surface
   - Workarounds for the First of Two Excel Vulnerabilities
   - Windows Defender

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Share Your Security Tips

4. New and Improved
   - Faster Intrusion Protection


==== Sponsor: SPI Dynamics ====

ALERT: "Top Web Application Hacker Tricks"
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation. Learn step-by-step vulnerability 
testing methods for your own Web Applications and guidelines for 
establishing best administration and coding practices.


==== 1. In Focus: Security Diligence Is Overdue ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

I recently came across some very interesting survey information 
published by Deloitte Touche Tohmatsu (DTT). The company conducted a 
survey of security executives in 150 companies from 30 countries whose 
business relates to technology, media, and telecommunications (TMT). 
The results shed some light on why some companies are open to security 

According to the survey results, the majority of the surveyed companies 
consider themselves reactive (as opposed to proactive) when it comes to 
investing in information security. In other words, they spend money in 
response to breaches but don't typically spend nearly as much money to 
prevent breaches. 

Only 4 percent of the companies think they're addressing the problem 
sufficiently; only 25 percent have already implemented or are in the 
process of implementing antiphishing protection; only 37 percent 
provided security training to employees over the past 12 months; only 
24 percent believe their current security tools are being used 
effectively; and only 33 percent perform security risk assessments.

Another interesting pair of findings is that half of the companies who 
suffered breaches over the past 12 months were victims of insider 
attacks and only 47 percent of the companies believe they are 
adequately protected against such internal attacks. 

Brian Geffert, principal of Deloitte Security and Privacy Services, 
said about the survey findings, "When it comes to security, TMT 
companies are talking the talk but not yet walking the walk. Survey 
respondents say that security is a top concern, but it is still not 
being addressed across the organization from a risk-based perspective, 
despite recent breaches costing million[s] of dollars of damage and 
inestimable harm to companies' reputations, brands, revenue and 
productivity. In fact, more than half of security executives surveyed 
admit that their security investments are falling behind the threats or 
at best just catching up." 

Eye-opening, isn't it? In a parallel study, DTT polled financial 
institutions as well as life sciences and health care companies. 
Although DTT didn't say how many companies took part in those studies, 
it did say that 78 percent of the financial institutions had 
experienced an external security breach and 49 percent had experienced 
an internal security breach in the past year. Seventeen percent of life 
sciences and health care companies had experienced an external security 
breach and 9 percent had experienced internal breaches. Wow!

How many news stories have you read over the past several months about 
some company suffering either an intrusion or equipment loss that 
exposed people's private information? We can't go more than a week or 
so without yet another of these stories coming to the surface, which 
just reinforces DTT's findings. 

It seems to me, even more so in light of DTT's survey results, that the 
problems of intrusion and identity theft must be due to a lack of 
diligence, or maybe a lack of funding to support proper diligence.

After all, with proper funding, how hard is it to diligently defend 
your enterprise network, and how hard is it to diligently protect your 
mobile computing devices and backup media? The former can be tedious, 
of course, but not overly difficult. The latter requires mostly 
attentiveness and common sense on the part of users to avoid theft or 
other forms of loss. 

If, in your opinion, your company isn't providing adequate resources 
for a diligent approach to information security, consider pointing your 
executives or decision makers to this editorial and DTT's press 
release. Maybe it'll help open some eyes. 


==== Sponsor: Diskeeper ====

Disk Performance Analyzer for Networks is a FREE utility that remotely 
scans your networked systems looking for severe fragmentation-related 
disk performance bottlenecks. Disk fragmentation is a major source of 
slowdowns, freeze-ups and headaches; with Disk Performance Analyzer for 
Networks you can find and address potential problems before they become 
help desk calls. Find disk performance problems before they find you--
download the FREE Disk Performance Analyzer for Networks now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

Two New Excel Vulnerabilities Surface
   You know the adage: When it rains it pours. On the heels of a zero-
day Excel vulnerability reported two weeks ago come two more Microsoft-
related vulnerabilities, one in Excel and one in Windows. 

Workarounds for the First of Two Excel Vulnerabilities
   Two weeks ago, a zero-day exploit was discovered that affects 
Microsoft Excel. The vulnerability could allow the execution of 
arbitrary code on an affected computer. Microsoft has published a 
security advisory that includes possible workarounds to help you 
protect your systems. 

Windows Defender
   Windows Defender Beta 2 is Microsoft's second antispyware beta 
release, but it really feels more like a new program. New graphics, 
tighter integration into the OS, and a streamlined interface all set 
this release apart from its predecessor, Microsoft AntiSpyware Beta 1. 
Jeff Fellinge gives you the skinny in this article on our Web site. 


==== Resources and Events ====

Attend Black Hat 2006 in Las Vegas July 29 - August 3; 2,500+ 
international security experts, 10 tracks, no vendor sales pitches.

Event Log (for Windows systems) and Syslog (for UNIX/Linux systems) 
contain a wealth of information. In this free Web seminar, you'll learn 
about the processes, challenges, and benefits of consolidating events 
on a centralized server. Plus--identify the 50 critical events that 
should be monitored in your enterprise. Live Event: Thursday, June 29

Make full use of your VoIP network--integrate Fax for IP to reduce TCO 
and increase the ROI for your investment. On-demand Web seminar 

Learn the essentials about how consolidating hardware and updating 
selected technologies can help you build an infrastructure that can 
handle change effectively. 

In this free podcast, Randy Franklin Smith outlines five points to 
consider when choosing an antispyware solution. Download the podcast 
today, and you could win an iPod! 

Implement real-time processes in your email and data systems--you could 
also win a Best Buy Gift Card! Register today; the contest ends June 


==== Featured White Paper ====

Strategically managing software licenses saves time and cuts costs by 
centralizing licensing operations. Use this 5-step program to quickly 
implement your license management program. 

Don't miss your chance to win a pair of Bose Triport Headphones! 
Download any white paper from Windows IT Pro before June 30 to enter. 
See the full selection of papers today at


==== Hot Spot ====

Free White Paper - "7 Steps for SIMple Log Monitoring" 
Activeworx collects event logs from all your security devices and 
vendors to provide a single Dashboard view along with correlated 
alerts; hundreds of compliance reports; and deep forensics tools. Easy 
to install and use. Personalized support. Click for Free White Paper - 
7 Steps for SIMple Log Monitoring


==== 3. Security Toolkit ==== 

Security Matters Blog: WildPackets' OmniPeek Personal
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2FEF1:4FB69

Need an alternative to Ethereal and Wireshark? The OmniPeek Personal 
packet capture and analysis tool might be your answer. 

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=2FEEF:4FB69

Q: Where is the remote wipe facility in Microsoft Exchange Server 2003 
Service Pack 2 (SP2)?

Find the answer at http://list.windowsitpro.com/t?ctl=2FEED:4FB69

Share Your Security Tips and Get $100
   Share your security-related tips, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== Announcements ====
   (from Windows IT Pro and its partners)

Summer Special--Save 58% off Windows IT Pro 
   Subscribe to Windows IT Pro today and SAVE 58%! Along with your 12 
issues, you'll get FREE access to the entire Windows IT Pro online 
article archive, which houses more than 9,000 helpful articles. This is 
a limited-time offer, so order now:  

Need Access to Helpful SQL Server Articles? 
   Subscribe to SQL Server Magazine today and SAVE 58%! Along with your 
12 issues, you'll get FREE access to the entire SQL Server Magazine 
online article archive, which houses more than 2,300 helpful articles. 
This is a limited-time offer, so order now:  


==== 4. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Faster Intrusion Protection
   Third Brigade announced Deep Security 4.5, the newest release of its 
intrusion prevention system (IPS) that protects mission-critical hosts, 
applications, and data from malicious attacks. New features are 
designed to help customers deploy Deep Security more quickly. Customers 
can purchase Third Brigade Deep Security Manager to place Deep Security 
Agent software in IPS-ready mode on any number of hosts at no extra 
cost. Then when they're ready, they can switch the Agent from detection 
to prevention mode. Deep Security 4.5 also offers preconfigured 
security profiles for more than 80 software applications that run on 
Windows, Linux, and Solaris. And Third Brigade says it delivers new 
filters within hours of the announcement of new software 
vulnerabilities. For more information, go to

Tell Us About a Hot Product and Get a Best Buy Gift Card!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a Best Buy Gift Card if we write about the product in a 
Windows IT Pro What's Hot column. Send your product suggestion with 
information about how the product has helped you to 
whatshot at windowsitpro.com.


==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2FEF3:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
