Friday, November 24, 2017

Cyber Essentials for public sector IT suppliers: pros and cons

The UK government will require IT suppliers to comply with the five security controls laid out in its Cyber Essentials Scheme (CES) from 1 October 2014, but what benefits will this bring and is there a downside?

The most obvious benefit is that it will raise the overall level of protection by putting security into the procurement process, thereby creating a commercial reason for improving security.

Adrian Davis, managing director for Europe at (ISC)², believes this is a more positive approach than mandating security standards through legislation and regulation. “It levels the playing field. If accreditation is carried out rigorously, all suppliers can be compared in terms of their cyber security efforts and it provides a baseline from which organisations can build,” he said.

Davis also believes this approach will make it easier and relatively low cost for small and medium-sized enterprises (SMEs) to improve their security posture. “This is important because about 90% of our economy is based on SMEs, which typically do not have the resources, the time or the skills to perform information security,” he said.

Compliance with CES will be mandatory for all services handling personal information of citizens, government employees and government agents. This is only a reinforcement of the Data Protection Act, and therefore should come as no surprise, said Neira Jones, independent advisor on payments, risk, cyber crime and digital innovation.

“This actually gives a tangible set of controls – albeit basic – to start addressing the issue of information risk due diligence in the supply chain. Basic hygiene, especially in view of all the Information Commissioner's Office (ICO) penalties of late, can only be welcomed,” she said.

By pitching the Cyber Essentials certification costs for smaller companies at between £200 and £400 at basic level, and between £1,000 and £3,000 at the CES Plus level, Jones said government is clearly trying to encourage SMEs to have a basic level of cyber protection.

Compliance with CES will also be required for all products and services handling information classified as official – which is any information relating to routine government business operations and services.

“This is interesting for two reasons,” said Jones. “First, it points to contracts that are handling information at the lowest level of the threat profile, not secret or top secret. Second, the guidelines also state that Cyber Essentials is not intended for use with bespoke IT systems such as those found in manufacturing, industrial control systems, online retail and other environments. This gives a good sanity check and puts it in its right place – a basic, minimum and limited set of controls for those who don’t know where to start,” she said.

“Quite rightly, it is not aimed at retail, banking or critical infrastructure,” she added, but in the light of that fact, she questioned why Barclays was so quick to “jump on the CES bandwagon”. Barclays digital banking was one of the first organisations to achieve certification under CES in July 2014, shortly after the scheme was introduced.

“I found it at once perplexing and worrying that Barclays and other big businesses are bothering to get certified for something they have been doing for some time,” said Jones. She thinks that while the move is fairly meaningless for information security professionals, it is most probably aimed at those increasingly conscious of cyber security, who are more likely to be assured by a government-backed certification.

“That’s good for big business, but it doesn’t solve any problems. Why did the government allow large organisations to use the scheme in a way that clearly contradicts the guidelines above? Your guess is as good as mine,” said Jones.

She believes the scheme should really be confined to SMEs for it to have any kind of credibility, but said it is not immediately clear whether it will really help SMEs either. While the cost is relatively low at basic level, Jones pointed out there does not appear to be any financial help available for SMEs to close any security gaps identified in the self-assessment phase. Jones said once CES certification is obtained, it is also unclear whether SMEs will be given a fair chance at government contracts and whether any incentives will be provided.

There are also other questions to be answered, she said. For example, the guidelines state government authorities should be aware that a supplier may share a client's information with a third party, such as a cloud service provider. “However, Cyber Essentials does not ensure the security of the third party is in scope of certification. So the onus is on government authorities to check the supply chain of their supply chain and indeed see if any part of it requires certification. But how will this be managed? With more and more cloud services, this could prove difficult,” said Jones.

The requirement applies to new contracts advertised after 1 October 2014, but it remains unclear what happens to incumbents and whether they will be given an unfair advantage over those trying to enter the supply chain, she observed.

Another problem is that the scheme addresses only a very basic set of technical controls, and does not address best practice in the areas of governance or user awareness. “One of the stated aims of the scheme is to mitigate against the risk of phishing, but it is the user that will click on that link in that email, so why are there no requirements to educate staff?” said Jones.

“Even the stated aim of mitigating against malware omits basic technical requirements, such as code vulnerabilities like structured query language (SQL) injection, for example,” she said. Jones admitted this would incur more cost for SMEs to cope with, but such basic flaws plague the SME space, she said. Jones also questioned whether government departments have the required maturity and ability to assess what level of CES certification potential suppliers require.

“All in all, the Cyber Essentials Scheme is a laudable initiative, but it should have been confined to small businesses, with the appropriate grant and incentives frameworks in place. We risk that these businesses will either not be able or willing to invest in even the basics if they cannot see a clear return on investment, and large corporations will easily and cheaply capitalise on the marketing spin for something they are already doing,” said Jones.

Adrian Davis of (ISC)² also has some reservations. He cautions against over-reliance on CES. “It is a starting point, not the be all and end all. Just because an organisation has CES accreditation, it does not mean it is secure,” he said.

Davis noted CES is a set of controls, and does not in itself enable a proper risk-based approach to security. He is concerned organisations may follow CES and think they have covered their risks, when in reality they have not. “Accreditation, like an audit, refers to a point in time, so acquiring organisations will still need to perform their own investigations and/or due diligence of the supplier, depending on the information to be shared and the risks associated with that information,” he said.

Davis also pointed out there is no update cycle for CES, no indication of who is responsible for it, and little awareness of the scheme among SMEs. Like Jones, he highlighted the lack of government support to help SMEs implement CES.

“I see this as a real opportunity for suppliers to build security into their products in a measured and consistent manner, and in the IT service provision market, this may mean all users of a service will benefit from greater security, which can only benefit the provider, the users and the wider market. And while CES is not perfect, driving its use through commercial imperatives is a lot better than the situation we have now. Indeed, we at (ISC)² have argued that if cloud suppliers raise their security game it will benefit SMEs and the providers themselves,” said Davis.

Jay Abbott, founder and managing director of security consultancy JustASC, also supports CES for highlighting the five things that cause the most common issues. But, he said, there are some “interesting gotchas” in CES that could create issues for organisations, especially the larger ones.

“Take self-assessment question 108, for example, which asks if all operating systems on devices are supported by a supplier which sends regular fixes for any problems. This seems innocuous at first glance, but if you have Windows XP in use, the answer is no, and that is a fail. Larger organisations may struggle with this one,” said Abbott.

As far as the SME sector is concerned, he said that while there is nothing in the CES that is too difficult to achieve and it will undoubtedly improve the inherent security posture of businesses, there is limited appetite to do so.

“Most SMEs are focussed entirely on the delivery of their core business in an aggressive market, often with significant competition and many financial pitfalls to sidestep daily. As a small business owner myself, I can 100% vouch for this. Achieving this certification requires they stop thinking about their day job for a moment and seriously consider their entire use of IT. This in itself is a time-consuming thing if you know what you’re looking for, but for the average UK SME, they probably do not even have someone in the business with the right skills to do it,” he said.

Like Jones, Abbott is concerned about the cost burden this creates if SMEs are forced to seek outside support from consultants, who may then tell them they need to buy new licences for software, spend money on new equipment, and spend time on integration of technology. “From the security industry’s perspective, CES is great, a real step forward in securing the UK, but from the average SME’s perspective it is a little bit of a different feeling,” he said.

Even if CES certification enables an SME to win a government contract, Abbott points out that all it will have achieved is “good security housekeeping”, rather than something that makes it more profitable in the long run. “If everyone is required to achieve certification, there will no longer be lingering competitive advantage, just the ongoing cost and time commitments to maintain the basics will remain,” he said.

“So Cyber Essentials is a problem as much as it is a solution. It will improve the UK SME security stance, it will ultimately benefit the SME in ways they cannot quantify or measure, but it will cost the SME money and time in an aggressive free market, and that in itself will make it a difficult sell,” said Abbott.

That said, he believes CES is a good thing that will improve SMEs’ ability to defend against and withstand the simple, common security attacks they may already be victim to. It will prevent simple attacks succeeding that could easily leave them with an empty bank account due to direct fraud, or facing material fines from the ICO. “Let us not forget that these SMEs are the supply chain to our country’s central government agencies, so their insecurity is ultimately a problem we all share, so yes, it is very much a good idea that I personally support,” he said.

Abbott believes CES should be treated as an opportunity by getting the right advice. “An SME probably did not plan the IT strategy for its business and just acquired machines and software ad hoc as it grew. CES is a great opportunity to take stock of everything and speak to an expert, not only in security, but in IT as a whole. Someone who can advise them on whether what they are doing as a business fits with the way they are using IT. This is where the opportunity for improvement comes and where the standard can be used to drive improvements in productivity. After all, security is just a concept in IT that should be designed into systems from the start,” he said.

Abbott noted CES does not allow the company that helps an organisation achieve compliance through advice and support to award certification. “That has to be done by a different company, therefore providing a solid segregation of duties and mitigating against fly-by-night organisations looking to make a quick buck off the ignorance of the market through one-stop package solutions that really do not meet the goals of the standard,” he said.

While there is support for CES because of the benefits it will bring, that support is qualified. It appears government has a lot more work to do in creating awareness of CES and in clarifying some key issues. Mandating CES certification for IT suppliers to the public sector is a good start, but government will have to go a lot further to provide incentives and support to the SME sector to ensure it does not become an overwhelming burden. The government will also have to be more transparent about how departments will decide which suppliers need CES basic or CES Plus certification, to ensure the process does not become arbitrary and subjective.

Apple Patches Shellshock as Attacks Continue

Five days after the Shellshock vulnerability in the Bash (Bourne Again SHell) shell scripting application was first publicly reported, Apple is finally providing a fix for Mac OS X users. It's about time.

The Shellshock flaw came to light on Sept. 24 and was first associated with a vulnerability identified as CVE-2014-6271. The scope of the flaw within Bash has since been expanded to include other identified vulnerabilities, including CVE-2014-7169. Apple's patch fixes both the CVE-2014-6271 and CVE-2014-7169 issues. "In certain configurations, a remote attacker may be able to execute arbitrary shell commands," Apple warned in its advisory.

The root cause of the Shellshock flaw is a weakness in how Bash parses certain environment variables, which could enable an attacker to exploit a system. Apple's advisory noted that its patch for Shellshock now provides "improved environment variable parsing, by better detecting the end of the function statement."

The Apple Shellshock patch is available for the OS X 10.7.5, 10.8.5 and 10.9.5 releases. Apple is currently gearing up for its next major release, 10.10 (code-named Yosemite), which will have the patched version of Bash when it ships.

Shellshock's impact spans all Unix and Linux systems that use Bash. While that might not seem to include Apple's Mac OS X, it's important to remember that since 2007, Apple's OS X has been officially considered a Unix-based operating system.

As to why Apple took several days to patch the issue, there likely are several reasons. For one, Apple is typically a little behind the open-source community in terms of patching. The other issue is that with Shellshock, the actual vulnerability is somewhat complex and I suspect that Apple wanted to make sure it covered all its bases. That said, Apple potentially left its customers exposed for days while attacks have proliferated around the Internet.

However, the reality is that the risk to Mac OS X users is likely minimal, as attacks seem to be concentrated on servers and not end-user systems. Security firm Incapsula reported on Sept. 29 that since news of the Shellshock vulnerability first broke on Sept. 24, it had seen 217,089 exploit attempts against its Web Application Firewall customers. The attacks are also broadly based, with more than 890 different IP addresses launching Shellshock-related attacks.

The simple truth of a flaw like Shellshock is that it takes time for systems to be updated, whether those systems are servers or Mac OS X desktops. There will likely be a significant volume of Shellshock-related attack traffic and breaches for weeks and possibly months to come.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
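Because the flaw lies in how Bash parses an environment variable whose value begins with a function definition, and because web servers hand request headers to CGI programs as environment variables, header values are where a defender looks for the kind of exploit attempts Incapsula counted above. The following Python is an added example, not code from the article, from Apple or from Incapsula: it parses constructed sample HTTP requests (not real captured traffic) and flags any header whose value carries the "() {" function-definition marker, which is the widely deployed IDS and WAF check for Shellshock. The function names parse_headers, shellshock_headers and scan_requests, and the sample requests, are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Bash treated any imported environment variable whose value began with "() {"
# as a function definition and kept parsing past its end (CVE-2014-6271 /
# CVE-2014-7169). CGI-style servers copy request headers into the environment,
# so header values are where a defender looks for the marker. This regex is the
# common IDS/WAF-style check for the opening of that function definition.
SHELLSHOCK_MARKER = re.compile(r"\(\s*\)\s*\{")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x request into a name -> value dict.

    Header names are lower-cased; the request line is skipped and parsing stops
    at the blank line that separates headers from the body.
    """
    headers: Dict[str, str] = {}
    for line in raw_request.splitlines()[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line, ignore it
        headers[name.strip().lower()] = value.strip()
    return headers


def shellshock_headers(raw_request: str) -> List[str]:
    """Return the names of headers whose value carries a Bash function-definition marker."""
    return [name for name, value in parse_headers(raw_request).items()
            if SHELLSHOCK_MARKER.search(value)]


def scan_requests(requests: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan a batch of raw requests; return (index, flagged header names) for each hit."""
    hits: List[Tuple[int, List[str]]] = []
    for idx, raw in enumerate(requests):
        flagged = shellshock_headers(raw)
        if flagged:
            hits.append((idx, flagged))
    return hits


# Constructed sample requests (hypothetical, not real captured traffic). The tail
# of the suspicious values is replaced with a placeholder; detection needs only
# the "() {" prefix that Bash interpreted as a function definition. The first
# request shows that ordinary parentheses in a User-Agent do not trigger a hit.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: () { :; }; <payload redacted>\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
    "Cookie: () {:;}; <payload redacted>\r\nReferer: http://example.test/\r\n\r\n",
]

if __name__ == "__main__":
    for idx, flagged in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: suspicious header(s) {flagged}")
```

The check is deliberately loose about whitespace inside the marker, since the point is to catch the prefix Bash keyed on rather than any particular payload; in production the same test would be applied to every header a server exports to CGI, and hits would be logged alongside the source address so that volume per source can be tracked the way Incapsula did.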

New docs show how Reagan-era executive order unbounded NSA

Newly declassified info sheds light on EO 12333 and the feds' obscuring tactics.

BYOD Programs Expose Businesses to Security Risks

The report found 30 percent of BYOD users would share their mobile devices with friends or family members even if they hold critical company data.

Seventy-one percent of employed Americans who own personal mobile devices are able to connect them to the secure network provided by an employer, but do not take the proper precautions to safeguard their devices or the data they have access to, according to a Bitdefender study of 1,045 Internet users in the United States.

According to the respondents, 29.7 percent of bring-your-own-device (BYOD) users would share their personal mobile devices with friends or family members even if they hold critical company data. Demographically, employees between the ages of 45 and 64 share their devices to a lesser extent, while those with less education are more open to sharing.

"Most likely, BYOD users do not perceive that their devices and the way they store corporate information pose a real threat to the company itself. Most of the time, the smartphone is still perceived as a mobile phone rather than a miniature computer, although the latter better describes it as a device," Bogdan Botezatu, senior e-threat analyst at Bitdefender, told eWEEK. "Also, convenience seems to trump security and users would rather leave their phone’s display always unlocked than having to deal with the pattern or PIN-based unlock mechanism every time they check their e-mail or social network activity."

Botezatu noted that while an informed employee is effective and empowered, large companies unfortunately have to survive with undersized IT teams that barely have the time to deal with mission-critical issues, and they seldom train all employees and explain the indirect technological implications of mobile device misuse.

The report found 39.7 percent of users who connect personal mobile devices, such as laptops, tablets and phones, to the company network do not have any lock-screen mechanism in place. If lost or stolen, these devices would immediately expose their contents (private and work-related information) to unauthorized third parties, which puts the company in a weak position. In contrast, only 9.1 percent of BYOD users rely on biometric features (such as face, voice or fingerprint recognition) as the preferred method for unlocking their mobile devices.

In order to prevent or minimize these occurrences, Botezatu said training could be done either directly, in a similar manner to fire or hazard training, or remotely, as part of the corporate newsletter. He said training should be backed by a mobile device management (MDM) solution to ensure that certain aspects, such as remote wipe and screen lock features, are enforced by default before a device joins the corporate intranet or Internet.

"BYOD has already diminished the authority of the IT teams, as they can hardly stay in control with mobile devices. After all, the devices and software running atop are the property of the user, not of the company the user is working for," Botezatu said. "What the IT teams should start looking after now is not so much the security of the device, but rather the security of the company data stored on it."

He noted there are a number of MDM solutions available, but the most effective ones are the enterprise solutions that blend MDM with antimalware and intrusion detection.

Flexera Software/IDC Report Reveals Enterprises Fleeing the Perpetual Software Licence Model...

Ironically, 'shelfware' is rampant, with 96 percent of organisations wasting money on un-used software. Maidenhead, U.K. - September 30, 2014. Enterprise software spending is being squeezed, and as a result organisations are looking for better ways to ali...

Microsoft partners with financial services industry to fight cyber crime

Microsoft is to share cyber threat intelligence with the Financial Services Information Sharing and Analysis Center (FS-ISAC) to help fight cyber crime. FS-ISAC is a member-owned, non-profit organisation set up by members as the global financial industry's resource for cyber and physical threat intelligence analysis and sharing.

Microsoft has worked with FS-ISAC before to tackle cyber crime by disrupting its infrastructure. Under the new collaboration agreement, Microsoft will provide FS-ISAC members with visibility into malware infections on banking networks. This agreement is the latest example of Microsoft proactively partnering with customers, industry leaders and global law enforcement to counter cyber threats.

Criminals have moved into cyber space to target banks, businesses and customers to steal millions of dollars without ever cracking a safe, said Richard Boscovich, assistant general counsel at Microsoft’s Digital Crimes Unit. He said Microsoft has seen this firsthand from its work with the FBI, FS-ISAC and other partners to disrupt the Citadel botnet, which cyber criminals deployed to infect thousands of computers to steal banking information and identities from unwitting victims.

“More recently, we worked with law enforcement in the United Kingdom to disrupt the Caphaw botnet [also known as Shylock], which targeted banks in Europe,” Boscovich wrote in a blog post. The most critical component of Microsoft’s efforts to thwart cyber criminals online is deep partnerships with law enforcement and industry partners, including FS-ISAC, he said.

Under the new collaboration pilot programme, Microsoft will give FS-ISAC members near real-time information on known malware infections affecting more than 67 million unique IP addresses. The programme is aimed at enabling FS-ISAC members to identify infected computers on their networks quickly and remove malware. The threat intelligence will be provided using an automated, confidential and secure feed distributed via the cloud with Microsoft Azure.

“This collaboration will provide valuable intelligence into the global threat landscape affecting the financial services industry, including distributed denial of service attacks and financial botnet attacks,” said Boscovich. “Together, we’ll be able to better protect FS-ISAC’s members and Microsoft customers from cyber threats,” he said.

At the RSA Conference 2014 in March, Microsoft and FS-ISAC defended their actions to disrupt criminal botnets. Opponents argue that the collateral damage is too high, and researchers say it limits their opportunity to study botnets in action. But Microsoft and FS-ISAC said the goal is always to protect the ecosystem and the people whose computers have become infected with botnet malware. They said they measured the success of the Citadel campaign by the fact that FS-ISAC members reported between 86% and 98% reduction in fraud following the takedown of the botnet.

In June, the UK finance industry launched a cyber security framework for sharing detailed threat intelligence, testing cyber security and benchmarking financial service providers. The CBEST framework was developed by the Council of Registered Ethical Security Testers (Crest) and cyber intelligence company Digital Shadows in collaboration with the Bank of England, Her Majesty’s Treasury and the Financial Conduct Authority (FCA). The framework was the first of its kind to be led by any of the world’s central banks. Launching the framework at the Bankers Association in London, Andrew Gracie, executive director of resolution at the Bank of England, emphasised the importance of CBEST in helping UK financial services organisations protect against increasingly sophisticated cyber attacks on their core systems.

Cyber attacks targeting financial firms

Concerns about the vulnerability of financial institutions and markets were further fuelled in August 2014 when the FBI said it was investigating a series of co-ordinated cyber attacks at JP Morgan Chase and at least four other financial institutions. Also in August, a report from business consultancy KPMG said cyber attacks or disruption could cause the next systemic shock to the UK banking industry, rather than a liquidity crunch. It said that, while the banking industry has addressed many of the problems that led to the financial crisis in 2008, cyber attacks or very large systems outages represented threats yet to be addressed.

In September 2014, the UK government and financial services organisations made further moves to shore up cyber defences. The British Bankers' Association (BBA) commissioned BAE Systems Applied Intelligence to create a system that will give banks early warning of cyber threats. The Financial Crime Alerts Service (FCAS) system is aimed at enabling 12 government and law enforcement agencies, including the National Crime Agency (NCA), to make banks aware of potential threats as early as possible.

The move coincided with a warning by a US financial services regulator that a cyber attack on the US finance system could be the computer equivalent of the 9/11 attacks in 2001. Benjamin Lawsky, superintendent of the New York State Department of Financial Services, said he was worried about a major cyber attack on the US finance system. "We like to say that, to some extent, the failures to detect the 9/11 plot were a failure of imagination and communication. I'm worried about the same thing here – that an event will happen and we'll look back and say: 'How did we not do more?'" Lawsky told a Bloomberg event in New York that he thought it only a matter of time before such an attack happens.

gateprotect presents its latest “Made in Germany” network security products for...

Hamburg, September 30th, 2014 - As part of the Rohde & Schwarz group the international operating manufacturer gateprotect presents its innovative achievements in network security technology for businesses and critical infrastructure. From October 29th to 30th the company will exhibit at Infosecurity.nl the most recognised exhibition for ICT security in the Netherlands at stand A116 in hall 1.For the first time the IT security specialist will show with its WebGUI a network to touch that offers an easy to use drag & drop-surface to administrate UTM firewalls. Further highlights are the release of the firewall version 9.5 with reverse-proxy function as well as version 5.2 of the Next Generation Firewall Network Protector.With over a 100 seminars & case studies, 200 exhibitors and 8000 visitors, Infosecurity.nl shows the latest developments in the field of IT security, data storage and IT management solutions. The reinvention of firewall administration managed with gateprotect's WebGUI will be demonstrated at stand A116 in hall 1.Protection of critical infrastructureThe power sector, i.e. producers and suppliers of electricity and gas, is currently experiencing a great change. Due to the development of renewable energies, the formerly very centralistic power network is transforming towards a rather decentralized form. Today, electricity is generated by a great number of smaller units that need to be controlled and administered just as precisely as the large power plants. Furthermore, the existing networks need to be connected safely to the public network. At the same time, communication via the Internet needs to be protected to maintain a reliable distribution and controlling of energy consumption.Conventional firewalls are able only to a limited extent to assure the protection needed by process networks. 
Classic port filtering is too inaccurate, and the additional filters available in UTM solutions are all based on a blacklisting concept. This is where the next generation firewall gateprotect NP comes in: via finely granulated application recognition, a whitelisting approach is realized, enabling filtering and validation even at a sub-application level by means of Deep Packet Inspection. This approach of so-called full positive validation reflects the needs of the power sector: all traffic that passes the firewall must be unequivocally identified and validated within this concept. Unknown data streams, and even unknown components within known data streams, are blocked reliably.

A network to touch

With its patented eGUI technology, gateprotect has shown that administering larger corporate networks can be quite simple without sacrificing security or efficiency. This technology, which is already established in the market, provides operators with an overview and allows them to deploy IT security solutions that can be quickly administered and safely operated. Given the growing number of security functions and the complexity of defense mechanisms, this is a decisive advantage in the fight against threats from the Internet and the loss of data.

Firewall administration is immensely simplified thanks to the fully visual display of the company network in the eGUI. This unique usability approach renders complex IT security systems much more transparent and comprehensible to the administrator. With just one click on an object, administrators are able to view all firewall rules that apply to it, whether it is a desktop PC, a server or a printer. With this technology gateprotect continues to follow its "easy-to-use" approach.

Release UTM-Firewall Version 9.5

With the release of software version 9.5, gateprotect shows at Infosecurity.nl comprehensive reverse proxy functionality for high-performance UTM firewalls, used to set up dedicated filter rules or load-balancing guidelines. The security benefit of a reverse proxy is that external users can only reach the reverse proxy itself; everything behind it cannot be accessed directly. Access to internal resources can be granted to certain users without creating new vulnerabilities.

Highest Information Security with Next Generation Firewall Network Protector 5.2

With the Next Generation Firewall NP series, gateprotect offers a new product line for larger corporations. The products of the former Adyton Systems, now gateprotect Leipzig GmbH, ensure the highest information security through an innovative technology based on complete protocol validation in combination with application whitelisting in a single-pass engine. At Infosecurity.nl gateprotect exhibits its innovative firewall version 5.2 with new features such as forensic traffic capture and reporting based on rule management. The benefits for IT managers are customized reports with a clear overview of the composition of network traffic as well as "firewall-success-metrics". To block or to prioritize access to certain content, operators can create specific firewall policy rules.

gateprotect exhibits in hall 1, stand A116. For further information on our fair appearance please visit: http://www.gateprotect.com/en/29-3010-gateprotect-infosecuritynl

Download the Press Release: http://www.gateprotect.com/en

About gateprotect

gateprotect GmbH has been a leading, international producer of IT security solutions in the field of network security for more than ten years. Among the solutions developed in Germany are firewalls with all modern UTM functionality for small and medium-sized businesses, managed security systems for larger companies, as well as VPN client systems for networking branch offices and home offices. All gateprotect UTM firewalls are equipped with innovative security features and the patented eGUI® technology. Thanks to the uniquely visual representation of the network, even complex security systems are extremely simple to operate.

For larger companies, gateprotect GmbH offers a next generation firewall in the shape of its gateprotect NP-series, which represents the highest level of information security thanks to the novel technology of complete positive validation in conjunction with application whitelisting in a single-pass engine. gateprotect solutions meet the highest international standards, are mainly certified to "Common Criteria Evaluation Assurance Level 4+ (EAL 4+)" with the Federal Office for Information Security, and have won many international awards. Since 2010 gateprotect has also been listed in the renowned "Gartner Magic Quadrant" for UTM firewall appliances.

gateprotect is a company belonging to the Rohde & Schwarz Group. The electronics group Rohde & Schwarz is a leading solutions provider in the fields of measurement technology, radio, radio surveillance and detection technology, as well as secure communications.

Further information

gateprotect GmbH
Anika Ohlsen - Marketing Director
Valentinskamp 24
20354 Hamburg, Germany
Tel.: +49 (0) 40 278 85 0
Fax: +49 (0) 40 278 85 105
E-Mail: anika.ohlsen@gateprotect.com
Internet: www.gateprotect.de

Source: RealWire
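The full positive validation described in the gateprotect release above (identify every stream, validate even sub-application components, block anything unknown) differs from blacklisting mainly in what happens to traffic nobody has seen before. The following Python is an added example written for this page, not gateprotect code, and knows nothing of the NP engine: it uses a constructed, hypothetical line-oriented command format (`CMD key=value ...`, as a simple control protocol at a power-sector gateway might look) and runs the same constructed messages through a blacklist filter and a positive validator to show where the two verdicts diverge.

```python
"""Blacklist filtering versus full positive validation (allow-listing).

Added example for this page, not gateprotect code. The message format
'CMD key=value key=value ...' and the commands below are constructed and
hypothetical; they stand in for any simple control protocol a gateway carries.
"""
import re

# Blacklist: the only things a negative filter knows how to block.
KNOWN_BAD_COMMANDS = {"SHUTDOWN", "FIRMWARE_UPLOAD"}

METER_ID = re.compile(r"[0-9]{6}")

# Allow-list schema (constructed): every permitted command, every permitted
# field of that command, and a validator for each field's value. Anything not
# described here is, by definition, unknown and therefore blocked.
ALLOWED_SCHEMA = {
    "READ_METER": {
        "meter_id": lambda v: METER_ID.fullmatch(v) is not None,
        "interval": lambda v: v in {"15m", "60m"},
    },
    "SET_TARIFF": {
        "meter_id": lambda v: METER_ID.fullmatch(v) is not None,
        "tariff": lambda v: v.isdigit() and 1 <= int(v) <= 4,
    },
}


def parse(line):
    """Split 'CMD k=v k=v' into (command, {k: v}); reject malformed input."""
    parts = line.strip().split()
    if not parts:
        raise ValueError("empty message")
    fields = {}
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field {kv!r}")
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = value
    return parts[0], fields


def blacklist_verdict(line):
    """Negative filter: block only what is on the known-bad list."""
    parts = line.split()
    if parts and parts[0] in KNOWN_BAD_COMMANDS:
        return "block"
    return "allow"


def positive_validation_verdict(line):
    """Allow only messages that are fully identified and valid; return (verdict, reason)."""
    try:
        cmd, fields = parse(line)
    except ValueError as exc:
        return "block", f"unparseable: {exc}"
    schema = ALLOWED_SCHEMA.get(cmd)
    if schema is None:
        return "block", f"unknown command {cmd!r}"
    unknown = sorted(set(fields) - set(schema))
    if unknown:
        return "block", f"unknown field(s) {unknown} in {cmd}"
    missing = sorted(set(schema) - set(fields))
    if missing:
        return "block", f"missing field(s) {missing} in {cmd}"
    for key, is_valid in schema.items():
        if not is_valid(fields[key]):
            return "block", f"invalid value for {key}: {fields[key]!r}"
    return "allow", "validated"


# Constructed sample traffic: one benign message, one on the blacklist,
# and three that are novel or malformed in ways no blacklist anticipates.
SAMPLE_TRAFFIC = [
    "READ_METER meter_id=123456 interval=15m",
    "SHUTDOWN meter_id=123456",
    "READ_METER meter_id=123456 interval=15m debug=1",
    "REBOOT_ALL",
    "SET_TARIFF meter_id=123456 tariff=9",
]


def compare(lines=SAMPLE_TRAFFIC):
    """Return (line, blacklist verdict, positive-validation verdict) per message."""
    return [(line, blacklist_verdict(line), positive_validation_verdict(line)[0])
            for line in lines]


if __name__ == "__main__":
    for line, bl, pv in compare():
        print(f"{line:48} blacklist={bl:5} positive_validation={pv}")
```

Only the first two messages get the same verdict from both filters. The unknown field, the unknown command and the out-of-range value all sail through the blacklist, because nothing on the list matches them, while the positive validator blocks each one with a reason that names exactly what was not recognised; that reason string is also what an operator wants in the log when a legitimate new message type starts being dropped.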

Gridstore Extends Product Line With HyperConverged Appliance

Delivers the First All-Flash Converged Elastic Infrastructure Purpose-Built for Hyper-V

Gridstore™, the leader in converged infrastructure purpose-built for Microsoft Hyper-V, today introduced a range of Hyper-V focused hyper-converged appliances, including the first all-flash appliance, to deliver tunable, auto-optimised compute and storage resources together in a single system. The Gridstore HyperConverged Appliances improve operational and application performance while saving on both OpEx and CapEx. HyperConverged Appliances complement the existing Gridstore Storage Nodes, which already provide the greatest scalability and optimised price/performance storage for Hyper-V available today. With the addition of the HyperConverged Appliance, Gridstore is adding a new implementation option for customers that meets the rapidly growing need of IT organisations for a simple, easy-to-deploy solution that still allows highly elastic, independently scalable compute and storage.

"Hyper-converged architectures are here to stay," said Arun Taneja, founder of The Taneja Group. "The customer has spoken clearly that they like the idea of getting an entire infrastructure in a box that is easy to scale and even easier to manage. Gridstore's ability to not only deliver a complete hyper-converged system but also allow for independent extensibility of the storage and compute makes it stand out in this market."

Gridstore has leveraged its unique, patented software architecture in this innovative design. This architecture allows administrators to set quality of service on a per-VM basis to ensure the most important applications get the resources they need to perform. Unlike other hyper-converged systems that cannot scale storage independently, and unique to Gridstore, is the ability to mix and match HyperConverged Appliances and Storage Nodes, along with their associated servers. This means the easy turnkey deployment of hyper-converged systems can be combined with the extensibility of independent servers and storage, to maximise both flexibility and resource management. Additionally, the Gridstore design eliminates the need for the typical 3-way replica, thereby providing increased usable capacity and up to 50 per cent TCO savings.

"We have seen a dramatic increase in customer demand for converged infrastructure systems that provide a simple, easy-to-deploy solution, yet one that still allows highly elastic scalable compute and storage," said Skip Gould, President, BrightPlanIT. "We believe with the addition of Gridstore's new HyperConverged Appliances to our portfolio, our clients will reap the benefits of having access to one of the most innovative "built-for-virtualisation" storage solutions available in the market today."

Gridstore Converged Infrastructure Includes:

- HyperConverged Appliances: Gridstore's single system that includes both compute and storage. Each appliance has four compute/storage nodes, and can be expanded with additional Appliances and/or Storage Nodes up to 250 total nodes. Both all-flash and hybrid versions will be available.
- Compute Servers: Any Microsoft Windows Servers to which the Gridstore vController is added, a small software driver that interfaces with Gridstore Storage Nodes and provides simple management and end-to-end control of IO from server to storage, eliminating the "IO blender effect" and allowing performance to scale linearly with capacity.
- Storage Nodes: Gridstore offers both Hybrid and Capacity Storage Nodes that scale from 12TB to 12PB with up to 250 nodes. Both Storage Node types include SATA drives for capacity, and Hybrid Storage Nodes add PCIe Flash for caching to deliver high performance. These work with both Compute Nodes and HyperConverged Appliances.

HyperConverged Appliances are based on Gridstore's unique software that delivers elastic resources, per-VM IO Control, and deployment agility, all critical components of the private cloud.

- Elastic Resources: Start small and scale non-disruptively over time by adding either HyperConverged Appliances or Storage Nodes, scaling both performance and capacity independently and linearly according to business needs.
- Per-VM IO Control: Gridstore's unique end-to-end control creates an isolated IO lane for each VM and auto-optimises to enable optimal application IO. Coupled with Gridstore Quality-of-Service ("TrueQoS"), IO per VM can be precisely controlled to ensure that the most critical applications receive the highest priority, delivering the right performance and prioritisation of resources when and where needed.
- Deployment Agility: The ability to expand infrastructure resources in compute, storage, and/or hyper-converged systems, which together deliver the flexibility and agility IT organisations need to protect, extend, and complement existing IT infrastructure.

Gridstore will be offering both all-flash and hybrid versions of the HyperConverged Appliances. First in the market with an all-flash hyper-converged system, Gridstore's includes SSD for both the server and the storage, for maximum performance on both reads and writes, intelligently managed to eliminate the wasteful duplication common in cache deployments. A read cache dedicated to the compute processes is used for maximum read performance, with the integrated storage being all flash SSDs. The hybrid appliance will include SATA drives in addition to flash, for extended capacity. HyperConverged Appliances are particularly well suited to certain crucial contemporary IT challenges; a few examples include:

- VDI, where each HyperConverged Appliance can support up to 600 desktops in a typical deployment. Since VDI scales in uniform chunks based on the number of desktops being added, a hyper-converged solution is a fast and easy way to scale these deployments.
- Hyper-V initial deployment, where a HyperConverged Appliance can be installed and up and running the same day, ready for application deployment or migration from existing environments.
- Branch office deployment of a complete compute and storage solution in a box.

"Gridstore's patented software architecture is the key to our delivery of a superior hyper-converged solution," said George Symons, CEO, Gridstore. "Now with our HyperConverged Appliance, we're answering the demands of the market for ease-of-use and extensibility, and expect to become the de facto standard for Windows environments."

Availability

Gridstore HyperConverged Appliances will be available in Q4 2014; Gridstore Storage Nodes are available now.

###

About Gridstore

Gridstore™ is the leader in converged infrastructure purpose-built for Microsoft Hyper-V and designed to accelerate applications in virtualized environments. Gridstore's converged infrastructure includes all-flash and hybrid versions of HyperConverged Appliances that include both compute and storage in a single system, and Storage Nodes that provide external storage and work with any Windows servers and the HyperConverged Appliance, all driven by Gridstore's patented software. Gridstore software architecture delivers native Windows integration, per-VM I/O control, and elastic and independent scaling of resources. Benefits include easy deployment, predictable and controllable high performance, scaling that fits your needs, and up to 50% lower TCO. Headquartered in Mountain View, CA, its products and services are available through a global network of value-added resellers. For more information, please visit: www.gridstore.com.

###

© 2014 Gridstore. All rights reserved. Gridstore, the Gridstore logo, AutoPilot, Direct I/O, FlashGrid, Grid, GridControl, GridProtect, GridScale, GridSensor, HyperConverged Appliance, Server-side Virtual Controller Technology (SVCT), Thin-Provisioned vLUNS, TrueQoS, vController, vmOptimized, vPool, and vStore are registered trademarks or pending trademarks of Gridstore in the U.S. and other countries. All other trademarks are the property of their respective owners. Information regarding products, services and offerings may be superseded by subsequent documents and is subject to change without notice. For the latest information and specifications regarding Gridstore and any of its offerings or services, please visit www.gridstore.com.

Media Contact: Amita Hanspal / David Hourihan
Spreckley Partners
Tel: +44(0)20 7388 9988
Email: gridstore@spreckley.co.uk

Source: RealWire

Snapchat denies hack after accounts hijacked to send spam

Mobile messaging app Snapchat has denied it was hacked after some users received spam messages advertising a slimming site. Snapchat, a mobile app that allows users to send and receive "self-destructing" photos and videos, told the BBC that user login data was taken from other sites and used to hijack Snapchat accounts. The hijacked accounts were then used to send spam images to everyone on the hijacked account's contact list. But the messages do not appear to harm the sender or recipient, Snapchat said.

"We have seen evidence that hackers, who have access to a trove of credentials leaked from other websites, have started using them to gain access to Snapchat accounts," the makers of the app said in a statement. "We recommend using a unique and complex password to access your Snapchat account."

Chequered security history

In January 2014, Snapchat was forced to introduce extra security measures, including a user verification system, after hackers posted details of 4.6 million US Snapchat account holders online. In a report published on 25 December 2013, Gibson Security warned that a vulnerability in the Snapchat app could be used to reveal the phone numbers of users. The hackers said their aim was to raise public awareness around the issue and put public pressure on Snapchat to fix the exploit. The hack highlighted security weaknesses in the Find Friends service, which enables users to find people they know who are also using the service by entering their phone number. Attackers could use the service to upload a large number of random phone numbers and match them with Snapchat usernames.

Twitter backlash

Snapchat said it does not yet know how many accounts were affected by the latest incident, but users in several countries reportedly took to Twitter to complain about the problem. Snapchat said that, in "many instances", the company's defence systems have notified users whose accounts have been compromised to change their passwords.

Mobile engagement services firm Acision said that, although the latest incident is relatively benign, it still represents a breach of trust. "App providers are charged with ensuring security, in this instance for sending and receiving personal communications, which could also easily be sensitive information like banking or medical data," said Acision's JF Sullivan. "If providers of messaging services do not make security and customer integrity one of the key pillars in their architecture, it sets itself up for a breach of that trust and, more importantly, a breach of its customer's most intimate information."
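The incident above is credential stuffing: username and password pairs leaked from other sites replayed against Snapchat logins, with the company's defence systems later telling affected users to change their passwords. The detector below is an added example, not Snapchat's code; it runs over constructed authentication log lines in an assumed `<ts> login user=... ip=... result=ok|fail` format and flags a source address that attempts many distinct accounts within a short window, listing the accounts where an attempt succeeded so those users can be told to reset their passwords. Single-account password guessing from one address is deliberately not flagged, to show that the signal here is breadth across accounts, not just failure volume.

```python
"""Credential-stuffing detection over authentication logs.

Added example for this page, not Snapchat's code. The log format
'<ts> login user=<name> ip=<addr> result=ok|fail' and all log lines are
constructed for illustration (RFC 5737 documentation addresses).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one normal login, one address trying many different
# accounts (stuffing: a few leaked pairs still work), and one address
# retrying a single account (password guessing, a different pattern).
SAMPLE_LOG = [
    "2014-10-01T10:00:01Z login user=alice ip=198.51.100.7 result=ok",
    "2014-10-01T10:00:05Z login user=bob ip=203.0.113.9 result=fail",
    "2014-10-01T10:00:06Z login user=carol ip=203.0.113.9 result=fail",
    "2014-10-01T10:00:07Z login user=dave ip=203.0.113.9 result=ok",
    "2014-10-01T10:00:08Z login user=erin ip=203.0.113.9 result=fail",
    "2014-10-01T10:00:09Z login user=frank ip=203.0.113.9 result=fail",
    "2014-10-01T10:00:10Z login user=grace ip=203.0.113.9 result=ok",
    "2014-10-01T10:02:00Z login user=bob ip=198.51.100.8 result=fail",
    "2014-10-01T10:02:10Z login user=bob ip=198.51.100.8 result=fail",
    "2014-10-01T10:02:20Z login user=bob ip=198.51.100.8 result=ok",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that try >= min_distinct_users distinct accounts within `window`.

    Returns {ip: {"attempts": n, "distinct_users": n, "accounts_to_reset": [...]}}.
    accounts_to_reset are accounts that logged in successfully from a flagged
    address during the window: the leaked pairs that still worked, and the
    users who should be told to change their password.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, ip_events in by_ip.items():
        recent = deque()  # sliding window of this address's events
        hits = set()
        peak = 0
        for e in ip_events:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            distinct = {r["user"] for r in recent}
            if len(distinct) >= min_distinct_users:
                peak = max(peak, len(distinct))
                hits.update(r["user"] for r in recent if r["result"] == "ok")
        if peak:
            alerts[ip] = {
                "attempts": len(ip_events),
                "distinct_users": peak,
                "accounts_to_reset": sorted(hits),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample, only 203.0.113.9 is flagged: six different accounts in five seconds, two of which accepted the replayed password. The thresholds are assumptions to tune against real traffic (shared NAT egress points legitimately produce many distinct users from one address, so a production rule would usually also weigh the failure ratio and the spread of accounts across the whole user base), but the output already answers the question the article leaves open, which accounts the attacker actually got into.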

Industry First: Seagate Delivers New Surveillance Hard Disk Drive Featuring Recovery...

Surveillance HDD With Rescue Services and 6TB High-Capacity Storage, Optimized for Reliable 24x7 Video Surveillance Systems, Unveiled at ASIS 2014

CUPERTINO, Calif. - Sept 30, 2014 - Seagate Technology plc (NASDAQ: STX), a world leader in storage solutions, today took the wraps off the industry's first dedicated surveillance hard disk drive (HDD) featuring Seagate Rescue™ services: the Seagate® Surveillance HDD. Engineered specifically for surveillance and video analytics applications, the Surveillance HDD is a world-class drive backed by data recovery services designed to restore data lost to malicious acts or accidental failure, keeping systems in the field longer and reducing post-deployment expenses.

"Over 413 petabytes of data are produced in just one day by video surveillance cameras installed worldwide in 2013[1] - that's 150,000 petabytes of data every year, most of which are stored on high-capacity surveillance systems for archive or video analytics purposes," said Scott Horn, Seagate vice president of marketing. "That data is invaluable to the user to either meet industry regulations or leverage for content analysis or security - so when data loss occurs it's an expense to the customer. Seagate's Surveillance HDD with Rescue services addresses this issue head on and alleviates these concerns."

A fast and easy recovery process, Seagate Rescue services can typically restore data within two weeks, depending on the type of recovery, with a data recovery success rate of greater than 90 percent. Activated at the time of purchase, the rescue plan provides three years of data recovery at a fraction of what it would cost to recover data lost to anything from computer viruses to natural disasters.

"Over 50 percent of users who had an accident with their drive have experienced data loss," said Balaji Thangaraj, vice president for research at Boston Analytics. "The Seagate Surveillance HDD with Seagate Rescue Services provides consumers and system integrators alike with the critical reliability they expect in an easy, affordable solution, enabling them to gain peace of mind that their content is protected."

"Seagate's expansion not only into a new capacity but into a new business with their Rescue services is an exciting endeavor for both Seagate and Dahua," said Lu Yacong, CTO of sales center, Dahua Technology. "Systems reliability has always been a primary focus for us both, but Rescue services goes a step beyond allowing our customers the unique opportunity to protect their data from the unpredictable."

A seventh-generation optimized surveillance HDD, the drive now expands to capacities of up to 6TB and can store up to 600 hours of high-definition (HD) content, making it the industry's highest-capacity drive designed specifically for surveillance applications. Designed to scale video storage, the drive also incorporates options for rotational vibration (RV) sensors, enabling it to perform reliably in systems with up to 16 drives, making it ideal for small-to-medium businesses, who typically do not have IT support but where bulk storage for HD video and backup are highly valued. Designed to support surveillance recordings from a number of cameras regardless of their resolution requirements, the Surveillance HDD supports up to 32 channels and easily handles the higher write workloads required by surveillance systems. The drive supports large streaming workloads for longer periods of time, meeting industry archive and resolution demands. These features, coupled with the optional RV sensors and Seagate's Rescue service, improve drive performance in multi-drive and RAID systems and increase the value of surveillance data by delivering the highest data integrity possible.

Boasting industry-leading reliability, the Surveillance HDD has a 1 million hour MTBF (mean time between failures), allowing the product to be kept in the field longer while reducing the cost of field deployment and maintaining customer retention. The drive is also engineered for low power consumption and heat emissions, allowing solution providers greater design flexibility.

Seagate will be attending ASIS 2014 this week in Atlanta, Georgia, with partners Dahua, MBX and SED. For more information on the Seagate Surveillance HDD with Seagate Rescue services visit us online at http://www.seagate.com/surveillancehddrescue/. Seagate Surveillance HDD is available starting today in 1-4TB capacities. Surveillance HDD in 5-6TB configurations will be available by the end of 2014.

Strong Partner Support

"We have enjoyed great success with Seagate drives for years and are excited for the new potential of offering the Rescue services to Hikvision customers," said Zheng Weirong, product manager of China marketing center of Hikvision. "With the volume of video recordings growing, these services give our customers the extra confirmation they need to rest assured their data is safe."

"As a longtime partner, we have always appreciated the support Seagate extends to add value to our solutions," said Leechin Su, president of Leadertech Systems of Chicago. "Storage density is becoming a greater concern as camera resolution increases and NVR systems are tasked to hold more recorded video information. Seagate's release of 6TB drive capacity will allow us to meet customer needs in a smaller form factor, and that's a winner for all involved. The release of their Rescue services is just another way for Seagate to offer our customers the opportunity to differentiate our solutions offerings to deliver truly unique solutions to end customers."

"As IP surveillance continues to grow, we are thrilled to expand our partnership with Seagate to introduce Seagate's new 6TB Surveillance HDD with Rescue Services in our solutions," said Shawn Ho, senior director of product marketing at NUUO. "The value of the data our customers store in our NVR solutions is critical and Seagate's new portfolio underlines their commitment to customers by offering the end user the peace of mind for the extra protection of their data."

[1] IHS, October 2013

About Seagate

Seagate is a world leader in storage solutions. Learn more at http://www.seagate.com/. Follow Seagate on Twitter, Facebook, Google+, YouTube, Instagram and subscribe to our blog.

©2014 Seagate Technology LLC. All rights reserved. Printed in the United States of America. Seagate, Seagate Technology and the Wave logo are trademarks or registered trademarks of Seagate Technology LLC in the United States and/or other countries. When referring to drive capacity, one terabyte, or TB, equals one thousand billion bytes. Your computer's operating system may use a different standard of measurement and report a lower capacity. In addition, some of the listed capacity is used for formatting and other functions and will not be available for data storage.

Media Contacts
Betsy Haglage
Besty.Haglage@Fleishmaneurope.com
02073957126
Elizabeth Mercer
Elizabeth.Mercer@Fleishmaneurope.com
02073957039

Source: RealWire

Apple releases Mac OS X patches for Shellshock Bash bug

Apple has released security updates for its Mac OS X operating system to protect users from the newly reported Shellshock Bash bug affecting all Unix-based computers.

The release comes just days after Apple confirmed that Mac OS X, which is derived from Unix, was vulnerable to the bug, although the company claimed anyone using default Mac settings should be safe. According to Apple, only users who configured advanced Unix services were at risk, but the company did not name any of the services involved. Some users resorted to technical workarounds, but now Apple has published automatic updates for the latest versions of OS X. Patches are available through Software Update for OS X Mavericks, Mountain Lion and Lion.

Security experts have warned that the bug in the Bash command prompt software used in OS X and up to 500 million Unix-based computers is being actively exploited. Researchers at security firm FireEye have observed a "significant amount of overtly malicious traffic" using Bash. This malicious traffic includes malware droppers, reverse shells and backdoors, data exfiltration, and distributed denial of service (DDoS) attacks. The researchers think it is only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise. Attackers have deployed scanners looking for vulnerable machines, which have been bombarding networks with traffic since the 25-year-old bug was made public on 24 September.

The Shellshock bug is widely regarded as a bigger threat than the Heartbleed OpenSSL bug because it affects a thousand times more computers and is easily exploited to enable attackers to take full control of the target computer. The US and UK Computer Emergency Response Teams were quick to issue warnings about the Shellshock bug, and urged affected organisations to install software security updates immediately.

The Information Commissioner's Office (ICO) has also urged organisations and individuals to make sure their IT systems are up to date. "This flaw could be allowing criminals to access personal data held on computers or other devices. For businesses, that should be ringing real alarm bells, because they have legal obligations to keep personal information secure," an ICO spokesperson said.

The biggest threat is to the enterprise because many web servers are run using the Apache system, software which includes the Bash component. But, while most of the main Linux distributions have rushed to release updates, security experts have raised concerns about Unix-based embedded systems in internet of things (IoT) devices and legacy systems used by many critical national infrastructure suppliers. Security researchers have warned that, while home users and traditional servers may be able to patch their way out of danger, this solution is not available for many embedded devices and Unix-based industrial control systems. This also applies to supervisory control and data acquisition (Scada) systems commonly used by critical national infrastructure.

Intel Hires Ex-Cisco Security Chief

Christopher Young, who spent the last three years heading up Cisco Systems' security business, will now lead Intel's security efforts. The giant chip maker announced Sept. 29 that Young will be the company's senior vice president and general manager of Intel Security, reporting to President Renee James. Young had been a senior vice president of Cisco's global Security and Government Group, working on strategy, engineering and product development. Young also was co-founder of cyber-security company Cyveillance, where he served as president and chief operating officer. He was replaced at Cisco by 14-year Cisco veteran David Goeckeler. Prior to Cisco, Young was an executive with VMware and RSA. "Chris Young is a world-class leader in cybersecurity, and I have full confidence that he'll establish Intel Security as the pre-eminent provider of pervasive security and identity protection," James said. "The opportunities for innovation and growth are unparalleled."  Security has been a key focus for Intel as the company has looked to grow its presence in the data center beyond servers. The company bought McAfee in 2011 for $7.68 billion, with company executives saying that being able to integrate security onto the silicon was going to be important. McAfee has been running as a relatively independent subsidiary for most of the past three years, though Intel officials in January said the McAfee name would be slowly phased out, replaced by Intel Security. Intel Security is a mix of the McAfee business and Intel's internal teams that have experience in hardware and software, according to the company. The goal of the business unit is to expand the reach of Intel's security capabilities.