Bit9's newsletter for July 25, 2007
Portable Apps Get Users Around Privilege Restrictions
As Windows admins flock to turn off administrator rights on managed PCs, users are left unable to install their favorite applications. However, a new movement towards "Portable Apps" is threatening the very element of control that User Rights in XP and User Account Control in Vista sought to deliver. These applications are entirely self-contained and can be run from a USB device or a user-managed directory on the file system, with no installer and no administrator rights required. Good for users – bad for IT. Even though these apps won’t corrupt an operating system, they are significantly harder to detect, opening the door to uncontrollable data leakage, unknown vulnerabilities in third-party software packages, and unauthorized apps violating compliance policies throughout your network.
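As an added illustration, not part of Bit9's newsletter, the script below shows the detection side of the problem: it walks a user-writable tree (a constructed stand-in for a profile directory or USB root, an assumption for this example) and reports Windows executables by their "MZ" file signature rather than by extension, so a portable app renamed to a data file is still surfaced.

```python
import os
import tempfile

# Constructed sample tree standing in for a user's profile directory (assumption:
# a real scan would point scan_user_profile at C:\Users\<name> or a USB root).
SAMPLE_FILES = {
    "Downloads/notes.txt": b"shopping list",
    "Downloads/Tools/editor-portable.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "AppData/Local/Temp/cache.dat": b"MZ\x90\x00" + b"\x00" * 60,  # PE hidden behind a data extension
    "Documents/report.pdf": b"%PDF-1.4",
}
EXE_EXTENSIONS = (".exe", ".com", ".scr", ".dll")


def is_pe_file(path):
    """True if the file begins with the 'MZ' signature every Windows executable carries."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def scan_user_profile(root):
    """Return (relative_path, reason) for every PE file under a user-writable tree.
    Content is checked, not just the extension, so a renamed binary is still caught."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not is_pe_file(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower().endswith(EXE_EXTENSIONS):
                findings.append((rel, "executable in user-writable location"))
            else:
                findings.append((rel, "PE content with non-executable extension"))
    return sorted(findings)


def build_sample_tree():
    """Write the constructed sample files into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="profile_")
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, reason in scan_user_profile(build_sample_tree()):
        print(f"{reason}: {rel}")
```

Feeding the findings into an inventory or application-control policy is what turns this from a one-off scan into the central enforcement the newsletter says most companies lack.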
PCI to Small Businesses: Now It’s Your Turn
Most security breaches come from small companies, but up until now, Visa has been focusing its security efforts on the largest “Level 1” merchants. Now, however, with 89% of those companies meeting or close to meeting the PCI Data Security Standards, Visa is pointing its scope towards smaller businesses. According to this discussion with Eduardo Perez, Visa’s Vice President of Payment System Risk, small “Level 4” merchants account for 99% of Visa’s merchant base and are collectively responsible for 80% of identified breaches since the beginning of 2005. Obviously, Visa sees this group as an important base to bring into compliance, but the lack of security expertise and IT resources within small businesses makes it a very difficult target. That’s why many companies are looking for drastically simpler ways of keeping their payment systems secure and compliant.
P2P: The Latest Threat to US National Security?
Let’s say you run a peer-to-peer file-sharing application such as Kazaa or LimeWire on your corporate PC, and it accidentally shares a file you didn’t expect it to. It can be troublesome – maybe even damaging – but certainly not an uncommon event. Now let’s say that you are an employee of the U.S. Defense Department, and that file was a classified document containing military plans. This scenario has caused some members of the US Congress to consider controversial legislation aimed at improving security – perhaps by banning P2P networks. But doing so would send ripples throughout the consumer community. Should blame for these breaches lie with the software vendor or the user? Is protecting this data the responsibility of the organization or the individual? Is the solution greater control, more legislation, or simply better education? For many companies, the issue is more black and white: protect your data, period. But at the governmental level, a solution to this dilemma remains elusive.
3 Critical Vulnerabilities Fixed in Latest Firefox Update
Mozilla.org recently released the latest security update to Firefox 2. Version 2.0.0.5 fixes a number of problems with the browser, including 3 critical vulnerabilities that, according to Mozilla, “can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.” One of these latest vulnerabilities enabled an attacker to escalate their privileges, while another allowed for remote code execution. While Mozilla is to be applauded for their quick turnaround for security issues, IT professionals worry that profoundly weak links remain in the chain for application-level security:
- Not all software publishers are as diligent and responsive when it comes to security vulnerabilities.
- Users do not necessarily apply the patches they ought to be applying in a consistent or a timely fashion.
- Many companies do not have a way of centrally enforcing appropriate security policies at the application level.
12 Best Practices that Bring CSOs Greater Success
"12 Steps to Becoming a Security Master" from The Pragmatic CSO by Mike Rothman
Download your eBook today.
The Pragmatic CSO is a management-training program for CSOs that provides a structure for building repeatable and effective security programs. This proven 12-step methodology is designed to give CSOs a roadmap to the future - and away from constant firefighting and audit reporting.