Category Archives: Information security

Hybrid environments and IoT pose biggest threats to infosec – F5

Service providers and enterprises face an insecure networking environment in coming years as more applications, data and services are sent to the cloud, according to networking vendor F5.

Speaking at the F5 Forum in London, VP of UK and Ireland Keith Bird stressed security is now front and centre not only to the CTO and CEO, but to consumers as intrusion or security breaches regularly make headlines. Bird pointed to the hybrid on-premise/cloud-based environment, in which an increasing number of enterprise and service providers operate, as a huge challenge looming for the information security industry.

“Not so long ago, we looked at just single points of entry. In today’s hybrid world, we’ve got apps in the data centre or in the cloud as SaaS and this is only increasing,” he said. “What we know for sure is that there is no longer a perimeter to the network – that’s totally disappeared.”

“81% of people we recently surveyed said they plan on operating in a hybrid environment, while 20% said they’re now moving over half of their corporate applications to the cloud. Even some of the largest companies in the world are taking up to 90% of their applications to the cloud.”

Given the volume and nature of data being hosted in the cloud, firms are far more accountable and held to tighter information security standards today than they have ever been. The average financial impact of an information security breach is now in the region of $7.2 million, according to F5 research.

“The average cost of a security breach consists of $110,000 lost revenue per hour of downtime – but the effect on a company’s website or application is costing potential business,” said Bird. “The average customer will abandon an attempted session after roughly four seconds of inactivity, so there’s new business being lost as well.”

Of the threats F5 is currently seeing, according to its customer surveys, the evolving nature and sophistication of attacks ranks highest, with the internal threat of employee ignorance a close second.

“So what are the top security challenges our customers are seeing?” said Bird. “58% are seeing increasingly sophisticated attacks on their networks, from zero-day to zero-second. 52% were concerned that their own employees don’t realise the impact of not following security policies. Obviously plenty of people said they don’t have enough budget, but that’s not quite the biggest problem facing security departments today.”

F5’s Technical Director Gary Newe, who’s responsible for field systems engineering, said the looming prospect of IoT “scares the bejesus” out of him.

“We’ve all heard about the IoT,” he said before pointing to the connected fridge as a farcically insecure IoT device. “There are 3 billion devices which run Java, which makes it 3 million hackable devices, and that scares the bejesus out of me. This isn’t just a potential impact to the enterprise, but it could have a massive impact on consumers and families. Fitness trackers, for example, just encourage people to give a tonne of data over to companies we don’t know about, and we don’t know how good their security is.”

The scariest bit, Newe emphasised, is the growing knowledge and intelligence of more technically adept youngsters today, and how the rate of technological change will only exacerbate the requirement for a fresh approach to network security.

“Change is coming at a pace, the likes of which we’ve never seen nor ever anticipated,” he said. “We’re building big walls around our networks, but hackers are just walking through the legitimate front doors we’re putting in instead.

“The scariest thing is that the OECD [Organisation for Economic Cooperation and Development] has said the average IQ today is 10 points higher than it was 20 years ago. So teenagers today are smarter than we ever were, they’ve got more compute power than we ever had, and they’re bored. That, to me, is terrifying.”

Dropbox the latest to adopt public cloud privacy standard

Dropbox is the latest to adopt one of the first public cloud-focused data privacy standards

Cloud storage provider Dropbox said it has adopted ISO 27018, among the first international standards focusing on the protection of personal data in the public cloud.

The standard, published in August 2014, is a code of practice for protecting Personally Identifiable Information (PII) in public clouds, aimed at cloud providers acting as PII processors on behalf of their customers (the data controllers). It builds on the wider ISO 27000 family: it extends the ISO 27002 control set with cloud-specific privacy controls and is assessed as an extension of an organisation's ISO 27001 information security management system rather than as a stand-alone certification.

ISO 27018 also broadly requires adopting cloud providers to be more transparent about what they do with customer data and where they host it.

In a statement the company said the move would give users more confidence in its platform, particularly enterprise users.

“We’re pleased to be one of the first companies to achieve ISO 27018 certification. Privacy and data protection regulations and norms vary around the world, and we’re confident this certification will help our customers meet their global compliance needs,” it said.

Mark van der Linden, Dropbox country manager for the UK, said: “Businesses in the UK and all over the world are trusting Dropbox to make collaboration easier and boost productivity. Our ISO 27018 accreditation shows we put users in control of their data, we are transparent about where we store it, and we operate to the highest standards of security.”

Earlier this year Microsoft certified Azure, Intune, Office 365 and Dynamics CRM Online under the new ISO standard. At the time the company also said it was hopeful certifying under the standard would make it easier to satisfy compliance requirements, which can be trickier in some verticals than others.

Six Degrees Group Achieves PCI DSS Compliance

Six Degrees Group, a provider of integrated managed data services, today announces that following an official audit its datacentres and security systems are now fully compliant with the Payment Card Industry Data Security Standard (PCI DSS).

The confirmation of PCI DSS compliance complements Six Degrees Group’s ISO27001:2005 certification for information security, which emphasises the Group’s commitment to protecting and securing clients’ data.

PCI DSS is a set of security requirements for protecting cardholder data, maintained by the PCI Security Standards Council, whose founding payment brands include Visa Inc., American Express and MasterCard Worldwide. As a result of this compliance validation, Six Degrees is now on Visa’s approved global merchant register.

Mike Ing, group business operations director of Six Degrees Group, stated: “These standards globally govern all organisations that store, process or transmit cardholder data. Achieving this compliance provides our customers and prospects with the reassurance that Six Degrees Group is committed to the security and confidentiality of sensitive data by meeting the physical security requirements of the PCI standard.”

NorseCorp Launches Context-Aware Cyber Risk Intelligence Solution

NorseCorp, the provider of live cyber risk intelligence and solutions for businesses to reduce eCommerce fraud and secure their high-value data, today announced the launch of its flagship cloud security service, IPViking™. IPViking is the first solution to harness Big Data analytics of live Internet traffic to deliver contextually-aware and actionable cyber risk intelligence, a missing layer in today’s security technology stack that levels the playing field for developers and enterprises in their fight against cyber crime, hacking, and ecommerce fraud.

In recent years the security landscape has changed dramatically. Companies are now spending more money on security solutions than ever, while breaches and data losses continue to rise. Meanwhile the total cost of these breaches has also increased. A recent study of U.S. companies sponsored by Hewlett Packard and conducted by the Ponemon Institute indicates that the cost and frequency of cybercrime have both continued to rise for the third straight year, with the occurrence of cyber attacks more than doubling over a three-year period and the financial impact increasing by nearly 40 percent. The study also revealed a 42 percent increase in the number of cyber attacks, with organizations experiencing an average of 102 successful attacks per week, compared to 72 attacks per week in 2011 and 50 attacks per week in 2010.

“Today’s security solutions lack the dedicated computing power to process the massive volume of cyber threats, something that hackers have exploited for years,” said Tommy Stiansen, CTO at Norse. “Norse developed a unique system combining global infrastructure hardware and powerful proprietary software to acquire live threat data, delivering it to customers in milliseconds as actionable intelligence. Because of Big Data tools, GPU computational clusters and IPViking, companies can secure their infrastructure, network transactions and applications more effectively than ever.”

To address this challenging security landscape, Norse created IPViking, a SaaS technology and service that reduces strain on existing reactive security solutions, while increasing their effectiveness by providing live intelligence that is context-aware and adaptive to the continually changing nature of the Internet threat landscape.

IPViking does this in three ways:

  • True Big Data Analytics – The ability to continuously collect and
    analyze vast amounts of live Internet traffic and turn it into
    actionable insight and cyber risk intelligence supported by over 1,500
  • Internet-Scaled Global Infrastructure – A purpose-built ultra fast
    private cloud infrastructure that delivers intelligence to businesses
    in milliseconds before a potential network connection can become an
    attack, massively scalable to meet the demands of enterprises,
    datacenters, managed security providers, public and private cloud
    providers, and ISPs.
  • Flexible RESTful and JSON APIs – IPViking enables enterprises and
    developers to easily add live context-aware and adaptive security
    intelligence to any website, app, or device via flexible APIs that
    support virtually all programming languages.

“To enable faster and more-accurate assessments of whether a given action should be allowed or denied, we must incorporate more real-time context information at the time a security decision is made,” said Gartner analyst Neil MacDonald in “Using ‘Big Data’ to Address the Next Generation of Information Security Problems,” Gartner Symposium/ITxpo, October 21, 2012. “This is the heart of adaptive and context-aware security.”

As networking and security evolve toward new software defined architectures, IPViking gives enterprises and networking vendors the ability and flexibility to make intelligent risk weighted decisions and policy enforcement at the hardware, software, virtual machine, and cloud level via integration through new emerging standards such as OpenFlow.
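As an added illustration of the kind of context-aware, risk-weighted decision described above and in the Gartner quote (example code written for this page, not Norse's IPViking code or API): a small Python module that parses a constructed indicator feed, ages stale indicators out, and combines the resulting IP reputation with request context to reach an allow, step-up or deny verdict. The feed format, the category weights, the seven-day half-life, the context bumps and the two thresholds are all assumptions chosen for the illustration; the sample feed is constructed and contains no real intelligence.

```python
"""Context-aware, risk-weighted allow/step-up/deny decision over a threat feed.

Illustrative example written for this page, not Norse's IPViking code or API.
Feed format, category weights, half-life, context bumps and thresholds are
assumptions chosen for the illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample feed (not real intelligence), one indicator per line:
#   network,category,confidence(0-100),last_seen(ISO-8601 UTC)
# The final line is deliberately malformed: one bad record must not take the
# whole feed, and with it every decision, down.
SAMPLE_FEED = """\
203.0.113.7,botnet_c2,95,2013-03-01T10:00:00Z
203.0.113.0/24,scanner,60,2013-02-27T08:30:00Z
198.51.100.23,tor_exit,80,2013-03-01T11:15:00Z
192.0.2.99,malware_host,90,2012-12-01T00:00:00Z
bad line without enough fields
"""

CATEGORY_WEIGHT = {"botnet_c2": 1.0, "malware_host": 0.9, "scanner": 0.5, "tor_exit": 0.4}
HALF_LIFE = timedelta(days=7)     # assumed: an indicator's weight halves per 7 days unseen
DENY_AT, STEP_UP_AT = 0.7, 0.35   # assumed thresholds on the combined risk score
NOW = datetime(2013, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock keeps results deterministic

@dataclass(frozen=True)
class Indicator:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    category: str
    confidence: int
    last_seen: datetime

def parse_feed(text: str) -> list[Indicator]:
    """Parse feed lines; malformed or out-of-range records are skipped, not fatal."""
    indicators = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            continue
        try:
            network = ipaddress.ip_network(fields[0], strict=False)  # bare IP -> /32 or /128
            confidence = int(fields[2])
            last_seen = datetime.fromisoformat(fields[3].replace("Z", "+00:00"))
        except ValueError:
            continue
        if 0 <= confidence <= 100:
            indicators.append(Indicator(network, fields[1], confidence, last_seen))
    return indicators

def reputation(ip: str, feed: list[Indicator], now: datetime) -> tuple[float, str | None]:
    """Highest time-decayed score of any indicator covering ip, plus its category.
    An address the feed has never seen scores (0.0, None), so an empty feed
    degrades to a context-only decision instead of blocking everything."""
    addr = ipaddress.ip_address(ip)
    best, best_category = 0.0, None
    for ind in feed:
        if addr not in ind.network:   # ipaddress returns False on a v4/v6 mismatch
            continue
        age = max(now - ind.last_seen, timedelta(0))
        decay = 0.5 ** (age / HALF_LIFE)   # stale intelligence fades exponentially
        score = (ind.confidence / 100) * CATEGORY_WEIGHT.get(ind.category, 0.3) * decay
        if score > best:
            best, best_category = score, ind.category
    return best, best_category

@dataclass(frozen=True)
class Context:
    """Request context known at decision time (fields assumed for the example)."""
    ip: str
    action: str                     # e.g. "login" or "checkout"
    amount: float = 0.0             # transaction value for "checkout"
    new_device: bool = False        # device never seen on this account before
    country_mismatch: bool = False  # geolocated country differs from billing country

def decide(ctx: Context, feed: list[Indicator], now: datetime) -> dict:
    """Combine IP reputation with request context into allow / step_up / deny."""
    rep, category = reputation(ctx.ip, feed, now)
    risk = rep
    if ctx.new_device:
        risk += 0.15
    if ctx.country_mismatch:
        risk += 0.20
    if ctx.action == "checkout" and ctx.amount >= 500:
        risk += 0.15
    risk = min(risk, 1.0)
    if risk >= DENY_AT:
        verdict = "deny"
    elif risk >= STEP_UP_AT:
        verdict = "step_up"   # e.g. demand a second factor instead of blocking outright
    else:
        verdict = "allow"
    return {"verdict": verdict, "risk": round(risk, 3),
            "reputation": round(rep, 3), "category": category}

FEED = parse_feed(SAMPLE_FEED)
```

Two design points matter more than the particular numbers. First, an indicator is not a permanent verdict: the exponential decay means the months-old `192.0.2.99` entry no longer blocks anyone, while the two-hour-old C2 hit still does. Second, the same reputation score produces different verdicts depending on context: a low-confidence scanner match on `203.0.113.0/24` is allowed for a routine login but escalates to a step-up challenge when the request also comes from a new device in an unexpected country, which is the point of making the decision at request time rather than at feed-load time. In production the feed would be fetched over the vendor's API and cached locally so the lookup stays in the millisecond range the text describes, and the thresholds would be tuned against the organisation's own false-positive tolerance.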

“While security solution providers have developed increasingly complex solutions to help companies defend against today’s attacks and breaches, they’ve never been more vulnerable,” said Sam Glines, Norse CEO. “The massive increase in the possible attack vectors resulting from the broadening of the online corporate footprint and the increasing costs of managing today’s complex security solution stack have placed unprecedented demands on CISOs and IT security staff. IPViking’s adaptive defense capabilities mitigate risks caused by today’s highly sophisticated attacks, as well as vacant or unenforced policies, unpatched servers and software, and human error by providing millisecond awareness of harmful inbound traffic that today’s reactive security solutions miss.”

McAfee Launches New Data Center Security Suites

McAfee today announced four new Data Center Security Suites to help secure servers and databases in the data center. The suites offer a unique combination of whitelisting, blacklisting and virtualization technologies for protecting servers and virtual desktops. These solutions provide optimal security for servers and databases in physical, virtualized and cloud-based data centers, with minimal impact on server resources which is a key demand for data centers.

“Performance and security are key concerns for servers in the physical, virtualized or cloud-based data centers,” said Jon Oltsik, Senior Principal Analyst, Information Security and Networking at Enterprise Security Group. “The new server security suites from McAfee, based on its application whitelisting, virtualization and blacklisting and AV technologies, provide an enhanced security posture while maintaining the high server performance needs of the data center.”

The suites offer customers the ability to protect their physical and virtual servers and virtual desktops with a unique combination of technologies in a single solution.

  • McAfee Data Center Security Suite for Server provides a
    complete set of blacklisting, whitelisting, and optimized
    virtualization support capabilities for basic security on servers of
    all types
  • McAfee Data Center Security Suite for Server–Hypervisor Edition
    provides a complete set of blacklisting, whitelisting, and optimized
    virtualization support capabilities for basic security on servers of
    all types and is licensed per Hypervisor
  • McAfee Data Center Security Suite for Virtual Desktop
    provides comprehensive security for virtual desktop
    deployments without compromising performance or the user experience
  • McAfee Database Server Protection provides database activity
    monitoring and vulnerability assessment in a single suite, for all
    major database servers in the data center

“McAfee is leading the industry with these new solutions for protecting servers in the data center,” said Candace Worley, senior vice president and general manager of endpoint security at McAfee. “The combination of whitelisting, blacklisting and virtualization in a single solution, offers an optimal security posture for protecting servers in the data centers. These solutions address the need in the industry to offer solutions that provide the highest level of protection with minimal impact on the resources they are deployed on and in a wide range of customized licensing options.”


London City Lifeline Colo Gets ISO27001 Security Certification

City Lifeline, the central London colocation data centre, has today been awarded ISO27001 Information Security Management Certification. This accreditation confirms that City Lifeline’s security systems and processes meet the highest recognised international standards for physical security and information security.

Security, both of equipment operation and data integrity, is critical for all companies and organisations. When asked, organisations using data centre and colocation services consistently rate security as their number one priority. The internationally administered and recognised ISO27001 certification gives customers confidence that a data centre operates at the highest level of security and that it consistently delivers what it claims.

Commenting on the achievement, Roger Keenan, managing director at City Lifeline said: “We are thrilled to have been awarded the prestigious ISO27001 accreditation. Achieving ISO27001 took us over a year of hard work. All of our existing processes and procedures were reviewed and overhauled where needed and comprehensively documented. City Lifeline has always been strong on security and this new certification confirms that companies and organisations can trust and rely on us to keep their equipment and data 100 per cent secure.”

ISO27001 is an internationally recognised standard that specifies the requirements for an information security management system, covering physical as well as information security controls, which must be continuously maintained and periodically re-audited by the organisations certified against it.