Hyperguarding your Web Applications

Archive for July, 2010

Weekly Industry Round-up, Week of 7/19

Posted by hyperguard on July 23, 2010

Channel Web…
Surveys Reveal Cloud Computing Security Concerns
This article looks at some recent surveys that address IT professionals’ concerns about cloud security. The Information Systems Audit and Control Association (ISACA) reported that almost half of the IT professionals surveyed in the U.S. say the benefits of cloud computing are not worth the potential security risks. According to a survey conducted by Symantec and the Ponemon Institute, the majority of companies hosting IT services in the cloud have no cloud-specific security policies and procedures in place. A third survey, sponsored by the Ponemon Institute and CA, found that while more than half of U.S. organizations are adopting cloud computing services, only 47 percent of the IT professionals surveyed believe that those services are properly secured.

CIO Update…
Cloud Computing – Evaluating Security-as-a-Service
Over the past few years, more and more businesses have turned to software as a service (SaaS) to reduce costs. Because of this, more traditional software security vendors are developing and enhancing their service-based offerings, including those in the “security as a service” category. These offerings typically include protection against Web and email threats, monitoring of inbound and outbound network traffic, and assessment of an externally facing website for potential vulnerabilities. In this article, Matt Sarrel takes a look at some of the pros and cons of using security-as-a-service offerings.

Network World…
Firefox Lets Hackers Grab Your Passwords
At the upcoming Black Hat security conference, Jeremiah Grossman of WhiteHat Security will present a demo showcasing how JavaScript can be used to collect passwords from Firefox and how to grab other personal data from IE 6 and IE 7. His demo will involve getting passwords out of Firefox’s Password Manager using Cross-Site Scripting (XSS); the attack simply requires tricking Firefox users into visiting a site hosting the XSS payload.

Posted in Highlights

Weekly Industry Round-up, Week of 7/12

Posted by hyperguard on July 16, 2010

Network World…
Top Cloud Computing Security Risk: One Company Gets Burned
Kevin Fogarty says that virtualization and cloud computing have not worn down the online security of most companies. However, they may be contributing to situations in which IT-service customers leave themselves vulnerable to attack because they assume their cloud provider is taking care of security. Since responsibility for security in cloud computing arrangements is not clearly placed, Gartner, in a report released this week, listed access to information about how a cloud service works and a service level agreement spelling out customer expectations and requirements as things customers should insist on. Research from the Cloud Security Alliance listed customer ignorance of security practices, and service providers’ refusal to give out the information that would relieve it, among the seven top security risks in cloud computing. According to the CSA’s research, cloud projects and the risks they involve may be “complicated by the fact that cloud deployments are driven by anticipated benefits, [and] by groups who may lose track of the security ramifications.”

10 Web Application Security Myths
This slideshow looks at 10 common myths about Web application security. The list includes:

  • A Web page is safe if it’s at the top of Google search
  • Users can’t get around company Web policies
  • Users can only become infected if they download files
  • A Web app is secure if it has that lock icon in the corner

Check out the article for a complete list of some of the biggest lingering misconceptions about Web application security.

The Challenges of Cloud Security
In this article, Beth Schultz says some IT execs dismiss public cloud services as too insecure to trust with critical or sensitive application workloads and data. However, she spoke with Doug Menefee, CIO of Schumacher Group, an emergency management firm. Doug says that although there are risks with anything you do, 85% of Schumacher Group’s business processes currently live inside the public cloud. Enterprises have much to think about when they consider using public cloud services, but Doug says they have to take a risk-based approach, as Schumacher Group has, with a strong focus on the data and on what controls are needed.

Posted in Highlights

Weekly Industry Round-up, Week of 7/5

Posted by hyperguard on July 9, 2010

Data Center Journal…
Security and Legal Concerns Hamper Cloud
Jeffrey Clark says the cloud offers a number of benefits, both in terms of increased business value and in terms of the reduced environmental impact of IT resource use. However, despite its numerous benefits, the cloud continues to be weighed down by concerns revolving around security and various associated legal matters. With the Federal Government looking at the cloud as one means to reduce its data center footprint, the potential market for cloud-based services could explode. Cloud-service providers should consider the concerns of potential customers, especially in terms of security. Many providers believe that information about their data centers and procedures should be kept secret, but many customers (such as the Federal Government) want to be made aware of that information before signing on with a provider.

ReadWrite Enterprise…
41% of IT Pros Surveyed Admit to Abusing Admin Privileges
According to this article, of the over 400 IT professionals who responded to Cyber-Ark Software’s fourth annual “Trust, Security and Passwords” survey, 41% admitted to abusing administrative passwords to access sensitive or confidential information, such as HR records and customer databases—an 8% increase since last year’s survey. As a report by the Cloud Security Alliance points out, storing data in the cloud increases the total number of individuals with potential access to sensitive data, and thereby increases the risk of data theft by a malicious insider. But many of the same practices used to protect against internal data theft can be applied in the cloud as well. Some ways to deal with these issues? Trend Micro says companies should specify human resource requirements as part of legal contracts, determine security breach notification processes and require transparency into overall information security and management practices.

SC Magazine…
GAO: Federal Agencies Lack Advisement on Cloud Security
Dan Kaplan says that according to a new report from the U.S. Government Accountability Office (GAO), a growing number of federal agencies are running some form of cloud computing, but nearly all lack policies around securing data hosted offsite. The report, written by Gregory Wilshusen, director of information security issues at GAO, found that 22 of the 24 major federal agencies are either “concerned” or “very concerned” about the security risks associated with cloud computing. Despite that, half of the agencies have moved forward on cloud computing projects, mostly for the technology’s low-cost disaster recovery, data storage and self-service benefits.

Posted in Highlights

Weekly Industry Round-up, Week of 6/28

Posted by hyperguard on July 2, 2010

SC Magazine…
University of Maine Student Data Exposed
Hackers have compromised two University of Maine servers that were hosting personal and clinical information of more than 4,500 students who received counseling services in the last eight years. The first server was breached at the beginning of March, and the intruders used the information gained there to compromise the second one. The methods used to carry out the attacks have not been disclosed, and it is unclear whether the data was viewed or downloaded.

IT World…
15 Must-Listen Podcasts for Security Pros
Matt Neely, security researcher at SecureState, shares how he stays informed and on top of trends in this ever-changing security world. The two primary tools he uses are security podcasts and Twitter. Check out his post for background on the security podcasts he listens to. Stay tuned: in a future post he’ll be discussing how he uses Twitter to keep in touch with the security community and stay on top of emerging trends.

The Register…
The cloud’s impact on security?
Tony Lock of UK analyst house Freeform Dynamics describes his recent research, which looks at security and at how fast cloud computing models are being adopted. His research shows that mass adoption of the hosted-service cloud model is a long way off, and that the internal, dynamic IT model may come sooner than we think; Tony says we have virtualization to thank for that. Read Tony’s article for the potential security challenges and how to tackle them.

Posted in Highlights