Security News

Education and skills key to cyber security, says (ISC)2

Information security professionals are making progress, but they are still losing the race against adversaries, according to Hord Tipton, executive director of security professional certification body (ISC)2. But one of the biggest challenges is the lack of skilled people to help mitigate the security risks as businesses move into mobile and cloud computing. “Even banks are going into mobile transactions, despite the fact that this is still one of the most dangerous areas in terms of security threats,” he told Computer Weekly. Despite the lack of skilled people, Tipton said there is room for improvement as those in the field continue to “fight the good fight” to bring the effect of cyber attacks down to an acceptable level. “Typically only around 10% of the easy stuff is being addressed, but we cannot afford to ignore the low-hanging fruit,” he said. Tipton said improvement can come in areas such as reducing the number of days it takes for organisations to detect that they have been breached, which is around 320 days on average.

Security skills must be kept up to date

As head of (ISC)2, Tipton sees ongoing education as important, and the constantly changing threat landscape is why members are required to re-certify every three years. In addition to broad-based skills, Horton said there is a growing demand for specialised skills in areas such as software assurance and forensics. “I am excited about the new Cyber Forensics Professional Certification (CCFP) because that will enable practitioners to learn what they need to feed back into the preventive side to ensure the same weaknesses are never exploited again,” he said. The new Secure Software Lifecycle Professional Certification (CSSLP) is aimed at creating skills in building software secure from the start of the development process. “If businesses knew the cost of patching bespoke, in-house and even commercial software, the demand for software assurance would be extremely high,” said Tipton.
With the skeptical view that most organisations will be breached at some time or other, Tipton said it is important that organisations do not neglect traditional preventive strategies. “If we are ever to get losses down to acceptable levels, we can’t give up on prevention,” he said. Two commonly overlooked areas are application security updates or patching and proper configuration management.

Although both require manpower, Tipton said if done properly, the gains are huge. Continuous monitoring is a new area that is becoming more prominent, he said, which is a good thing because it is a form of preventive control, but it requires a forensic capability to translate data into action. This is where security practitioners who have forensics training could be invaluable to organisations in being able to analyse and interpret logs to help fine-tune cyber defences.

Investing in future information security professionals

To help ensure more skilled people enter the cyber security profession, Tipton said organisations have got to create career pathways in the field to attract talented individuals from a young age. Through around 10,000 volunteers in 105 member chapters around the world, (ISC)2 runs school programmes to help “build the pipeline” of information security professionals. “Organisations need to make it known that they offer challenging and lucrative careers in cyber security,” said Tipton. In another outreach initiative, (ISC)2 is running a pilot training programme for graduates to become associate members with a view to becoming fully fledged members with work experience. Looking ahead, he said businesses need to look at ensuring they have the right people with the right skills and that the software they are using is free of vulnerabilities that can be exploited. With the amount of outsourcing, including cloud, it is also important for businesses to achieve security oversight through the supply chain. For its part, (ISC)2 is working with the Cloud Security Alliance (CSA) on a certification for advanced cloud practitioners.

Congress unveils bill to limit NSA’s powers

A bipartisan group of senators introduces a bill that would prohibit the bulk collection of e-mail and phone records of US citizens. September 26, 2013 6:56 AM PDT (Credit: Declan McCullagh/CNET) Several US senators are trying to clamp down on t...

Small businesses must encrypt customer data, says ICO

The Information Commissioner’s Office (ICO) has told small businesses to make sure they encrypt customer data after a sole trader was fined for failing to do so. Sole trader Jala Transport Ltd in Wembley was fined after it lost a hard drive containing the personal and financial details of 250 customers.

The hard drive contained customer names, dates of birth, addresses, the identity documents used to support loan applications, and details of the payments made. The data was password protected, but not encrypted. The company was fined £5,000.

This would have been £70,000 had Jala Transport Ltd had more resources. The ICO said it expects all information to be encrypted. “We have continued to warn organisations of all sizes that they must encrypt any personal data stored on portable devices, where the loss of the information could cause clear damage and distress to the customers affected,” said Stephen Eckersley, head of enforcement at the ICO. “While the circumstances of this case are unfortunate, if the hard drive had been encrypted the business owner would not have left all of its customers open to the threat of identity theft and would not be facing a £5,000 penalty following a serious breach of the Data Protection Act. “The penalty will have a real impact on this business and should act as a warning to all business owners that they must take adequate steps to keep customers’ information secure,” he said.

In a blog post, the ICO’s group manager for technology, Simon Rice, said: “Appropriate encryption products are widely available, but it is important that organisations understand the type of protection a particular encryption product offers and the circumstances under which personal data will be protected from unauthorised or unlawful access.”

Take ultimate responsibility for cloud, users warned amid Nirvanix closure

American private, hybrid and public cloud services provider Nirvanix has advised its customers to move data off its services before September 30 when it shuts down.

The closure should serve as a wake-up call for end users when contracting for cloud services, as well as propel them to plan exit and migration strategies right at the onset, experts have warned. Last week the ailing cloud storage provider advised customers to stop uploading first or second copies of data onto its platforms and urged them to migrate it to other public cloud providers such as Amazon S3, Google Storage, Microsoft Azure or IBM-SoftLayer. The company’s confidential email to customers warned them about its closure, giving them two weeks to move data off its cloud. The company plans to close two or three datacentres it has leased in the US, Europe and Asia.

Other Nirvanix datacentres will be used to pull data out of the systems. The company has a programme called Direct Connections to help customers migrate data using LAN or the internet. But Forrester’s senior analyst Henry Baltazar has warned that even over large network links it could take days or even weeks to retrieve terabytes or petabytes of data from a cloud.

“If you used Nirvanix for third or fourth duplicate copies you need assurance that data will be destroyed. If you used it for primary data you need that data back, and that is no trivial task right now,” said 451 Research Group’s analyst Simon Robinson in a Computer Weekly article. “The whole scenario is clearly also a big blow to the cloud storage model, since it apparently validates fears over the risks of handing your data over to a third party,” Robinson said. Launched in 2007, Nirvanix was struggling to compete with giant public cloud providers such as Amazon, Google and Microsoft on price points.

Meanwhile the not-for-profit industry body, Cloud Industry Forum (CIF), said that enterprise customers must ensure they have achieved contractual clarity for service delivery and with regard to how a relationship formally ends at a practical level, regardless of the cause of the termination. The cloud company’s closure is not dissimilar to UK datacentre 2e2’s closure earlier this year. 2e2 asked its customers for nearly £1m in funding if they wanted uninterrupted services and access to their data. “Offering a mere two weeks in which to migrate customer data from their servers, Nirvanix have essentially hung their customers out to dry,” said CIF founder Andy Burton. But end users must take steps to mitigate risk and assume ultimate responsibility, Burton warned. The sudden closure of Nirvanix should serve as a necessary reminder for end users to seek contractual clarity and reassurance from cloud service providers (CSPs) to understand how a service will be delivered, where and how the data is stored, what the minimum notice to move data to another provider is, in what format the data will be provided back and what costs will be incurred (if any) to retrieve their data, he said. Customers must always seek clarity on how the service will be delivered, who is accountable and liable for which aspects of service continuity, and ultimately what the process and timescale is to disengage and move data in a planned or forced termination, added Burton.

“When it comes to procuring cloud services, caveat emptor still applies today. Whether buying direct online or via a third party it is essential that an organisation can establish confidence in the service provider and be confident in both its expectations and experience throughout the life of a contract,” he said. The industry body also urged end users to take stock and always maintain overall governance of how IT is delivered, and therefore to always assume and maintain ultimate responsibility for decisions they make, either on-premise or in adopting cloud services. But CIF also called for cloud service providers to “act honourably”. “CSPs have an opportunity to achieve competitive advantage by being straightforward and transparent about their business practices and processes. Clarity of obligations, service levels, service options and issue resolution will positively reduce risk for end users in making their supplier choice decisions,” Burton concluded.

Exit strategy -- a crucial aspect of the cloud contract

European virtualisation and cloud expert Ruben Spruijt advised enterprise customers that it is crucial to consider the “exit strategy” right at the time of entering into a cloud contract. Forrester’s Baltazar adds that in addition to planning an exit strategy, customers should also plan migration strategies as they formulate their cloud storage deployments. “One of the most significant challenges in cloud storage is related to how difficult it is to move large amounts of data from a cloud,” Baltazar said. Gartner too has been advocating the importance of cloud exit strategies to clients for some time and has published a document titled “Devising a Cloud Exit Strategy: Proper Planning Prevents Poor Performance”. “I’m sad to say however, that compared to many other Gartner research documents, this document has not seen nearly the amount of demand or uptake from our clients,” Gartner’s research director Kyle Hilgendorf said on his blog. “Why is that? I suspect it is because cloud exits are not nearly as sexy as cloud deployments – they are an afterthought.” “If you are a Nirvanix customer, it’s too late to build a strategy. Get as much of the data as you can back immediately,” Hilgendorf said. “If you are a customer of any other cloud service – take some time and build a cloud exit strategy/plan for every service you depend upon. Cloud providers will continue to go out of business,” he further warned.

Time for a new security paradigm, says ex-military CIO

Security is constantly changing, which means security professionals need to be proactive, says a former US military CIO. “They need to look at security from multiple perspectives all the time,” Maria Horton, chief executive of information assurance firm Emesec, told attendees of the (ISC)2 Security Congress 2013 in Chicago. But many feel overwhelmed by the security implications and enormous potential pitfalls of moving to mobile and cloud environments, she told Computer Weekly. “Our society is becoming more dynamic, which means preconceived notions of security practices need to change too,” she said.

Assessing security priorities

According to Horton, information security professionals need to evolve their approach to security to match technological evolution, and give up the old idea of achieving “perfect” security. “Start by determining the organisation’s risk tolerance and formulate a security strategy accordingly, giving the most protection to what matters most,” she said. Companies that need to grow would typically have a greater risk tolerance than government agencies, such as the US Department of Veterans Affairs, which is one of Emesec’s largest customers. Security has more chance of success, said Horton, if it is concentrated on only the most critical information assets rather than trying to protect everything. The difficulty with a risk-based approach to security, she said, is that many security professionals are unwilling to prioritise out of fear of making the wrong choices. However, making choices is also necessary to ensure that limited security budgets are well spent on protecting what is really important, said Horton.

Expand the security skills base

In recognition of the rapidly changing technology and threat environments, she said businesses should also change their security recruitment practices to seek out people with multiple skills. “Non-traditional backgrounds in such things as combating fraud can provide different perspectives,” said Horton. Security professionals need to start integrating non-traditional skills into their teams if they want to remain relevant to their organisations in future, she said.

Cloud security challenges

Turning to the specific security challenges of cloud computing, Horton said all contracts should include a get-out clause if service providers fail to meet agreed service levels in terms of security. Before signing up to a service, organisations should also determine how to ensure they are able to migrate to another service provider if necessary and define a clear exit strategy. “Ask important questions around what happens to data when you leave, about who owns what data, and how intellectual property will be protected,” said Horton. It is also important to ensure upfront that security strategies are flexible enough to keep up with potential changes, such as a move to another cloud services provider. “There is still no clear security standard for cloud, so organisations must accept that they will essentially need to make one on their own,” said Horton. Looking to the future, she said that over and above baseline security, organisations should expect to pay for the level of security they want. In any event, organisations should ensure that enterprise management of cloud service level agreements is a key part of the overall cloud strategy.

Ex London deputy mayor: hackers were to blame for my naked...

Former deputy mayor of London, Richard Barnes, has pinned the blame on "hackers" after a naked selfie was posted to his Facebook page. In one photo, Barnes' face is out of shot. But the viewer is presented with a photo of Barnes posing in front of a bedroom mirror, undressing from his white shirt and red braces, with his lower body exposed. Barnes told the Evening Standard it was hackers to blame, not an iOS 7 blunder, as some pundits brandishing Occam's razor have suggested. "Have you ever been hacked?" Barnes asked, adding, "Well, I have been hacked. Someone's got in there and put the picture up".  Although the pictures were quickly deleted from Facebook, screenshots had already spread like wildfire online. Readers can Google them if they must. Speaking with the Metro, Barnes said: "I'm annoyed and shaking with anger. I'm a 65 year old gay man on his own, it's not the sort of thing I do. Do you really think I would be that f***ing stupid after 30 years in politics?" As everyone is aware, politics, scandal and embarrassment are very rarely linked. Earlier this year, former congressman Anthony Weiner was the subject of scandal when his sexting under the pseudonym 'Carlos Danger'  was revealed. Barnes is a Conservative councillor in Hillingdon.

He served as Boris Johnson's deputy from 2008 to 2012. Security expert Graham Cluley told TechEye: "It would certainly be unusual for a hacker to do this. What can people do to keep themselves safe from embarrassing blunders like this? Keep their trousers on when they're taking smartphone photographs," Cluley said.

D-Link Releases IP Surveillance Camera With Wireless 11ac Support

The DCS-2136L includes the D-ViewCam management software for expanded surveillance options, allowing users to manage up to 32 network cameras. Network solutions provider D-Link Systems, which specializes in small- and midsize-business (SMB) products, announced the DCS-2136L, which the company is billing as the world’s first IP surveillance camera with wireless 11ac support for longer range and greater bandwidth availability. The mydlink-enabled day and night camera with wireless N connectivity offers small-business owners networking and viewing capabilities, including a white light LED for color night vision viewing in complete darkness.

The technology allows the camera to show images in complete darkness while remaining in color mode, and the visible white light LED serves as a warning sign that the camera is on, and often results in intruders looking directly at the camera. The DCS-2136L includes the company’s D-ViewCam management software for expanded surveillance options, allowing users to manage up to 32 network cameras, set email alert notifications, create recording schedules and use motion detection to record directly to a hard drive.

The camera will be available in late 2013 throughout D-Link’s network of channel partners, including value-added resellers (VARs) and distributors. Additional camera features include WiFi Protected Setup (WPS) for three-step installation, a built-in passive infrared sensor (PIR) for enhanced motion detection, two-way audio with built-in microphone and speaker, a microSD Card (SDHC) slot for local storage, HD resolution with 1280x720 HD (1 megapixel), H.264, MPEG-4 and Motion JPEG compression, and support for the Open Network Video Interface Forum (ONVIF), a global and open industry forum with the goal to facilitate the development and use of a global open standard for the interface of physical IP-based security products. "With the demand for residential and SMB wireless surveillance steadily increasing, D-Link is moving the market forward with the first IP camera to support the new Wireless 11ac standard," Vance Kozik, director of marketing for IP surveillance for D-Link, said in a statement. "Whether you are looking for an entry-level, DIY camera or a high end professional enterprise solution, D-Link is dedicated to providing the best, most advanced IP surveillance solutions to its customers." Featuring mydlink support, the DCS-2136L offers user-friendly installation and integration into an existing network with the mydlink portal to view streaming video from a PC, notebook, iPhone, iPad, or Android mobile devices, as well as enhanced remote capabilities via the mydlink+ and free mydlink Lite app. Both apps offer access to camera feeds from anywhere and a host of updated features for expanded remote control, including motion detection settings, pinch-to-zoom viewing, day/night viewing options, drag-and-drop reordering of devices, two-way audio, remote pan and tilt of live video, and the ability to configure recording schedules and override options. However, the company noted that mydlink application capabilities vary depending on the camera model.
A mydlink-enabled cloud camera or cloud router device needs to be registered with mydlink in order to use the service. Once the device is physically plugged in and connected to the network it can be configured from the setup wizard on a Windows PC or Mac.

A free mydlink account can be created during the setup process, or the device can be added to an existing account. Once activated, the mydlink account is accessible from a Web browser on any Internet-connected computer.

iPhone 5S TouchID Fingerprint Sensor Fooled by Copied Prints

A contest to show that Apple's technology would be difficult to break proved just the opposite as German hackers win the crowd-sourced prize. Using a desktop scanner, a light-sensitive printed circuit board and white wood glue, a group of researchers from the Chaos Computer Club in Germany broke the security of Apple's TouchID fingerprint sensor, creating a fake fingerprint to unlock Apple's latest smartphone, the iPhone 5S. The hack, announced on Sept. 21, came less than 48 hours after members of the security community started a Twitter-fueled project to collect money for a bounty to pay any researchers who successfully broke the biometric security of Apple's device.

The CCC used a desktop scanner to capture an image of the phone and print that image on to a photo-sensitive PCB to form a mold.

Then, using graphite spray and wood glue, a mold of the fingerprint was created. The relative ease with which the security can be broken means that iPhone users should be wary of relying too much on the security of the device, the CCC said in its statement. "A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5S secured with TouchID," Frank Rieger, spokesperson of the CCC, said in the statement. "This demonstrates—again—that fingerprint biometrics is unsuitable as access control method and should be avoided." Apple announced the TouchID fingerprint sensor earlier this month as a security enhancement that would help more people lock their phones more securely than with a 4-digit pass code.

The sensor, built into the home button of the iPhone 5, does not optically read a person's fingerprint, but uses a capacitive measurement that "in essence, takes a high-resolution image of your fingerprint from the sub-epidermal layers of your skin," Apple stated on its site. However, the security of biometric devices—especially one with glass surfaces that collect its user's fingerprints—has been widely criticized by experts. "In reality, Apple's sensor has just a higher resolution compared to the sensors (we've seen) so far," a hacker using the handle "Starbug" said in the CCC's statement. "As we have said now for (at least six) years, fingerprints should not be used to secure anything. You leave them everywhere and it is far too easy to make fake fingers out of lifted prints." The security of the sensor was heavily debated on Twitter, with some security researchers assuming that Apple had made the sensor more difficult to trick than previous optical sensors. Security professionals Nick Depetrillo and Robert Graham started the site, IsTouchIDHackedYet.com, to collect donations to the prize pool for any researchers who successfully bypassed the security of the device by copying a fingerprint. In essence, Depetrillo and Graham were telling other researchers who doubted the security to put the effort into actually hacking the device. Turns out, it was not so difficult after all, Graham said in a blog post. "We claimed it'd be harder," he wrote. "We assumed that a higher resolution sensor wouldn't be so simply defeated with just a higher resolution camera. We bet money. We lost." The IsTouchIDHackedYet bounty surpassed $10,000 in cash, bitcoins, alcohol and other goods pledged by security researchers and other community members.

While it had reached $20,000, student Arturas Rosenbacher, who also claims to be a micro investor and entrepreneur, added additional restrictions on his pledge when it became obvious that someone had actually succeeded in breaking the TouchID security.

While the original contest asked for a researcher to fool the sensor using a print "lifted from a beer mug" or similar circumstances, Rosenbacher's changes require that the biometric data be taken from the device itself. "The fingerprint must be obtained using software and hardware, in sense a technological solution, rather than lifting prints and accessing a secure phone using said 'lifted prints'," according to the after-the-fact changes. Rosenbacher did not respond to an e-mailed request for comment.

The jolly japes of Steve Wozniak

Apple co-founder Steve Wozniak said that he is a hacker to his core and loves to play pranks on friends and family. Woz told Network World he had fun with light-hearted forays into hacking computer and telecommunications networks several deca...

A good password can still trump sketchy security

WatchGuard has been caught doing what a lot of first-timers to access control have done — simply hashing passwords as a means of implementing security — but perhaps all isn't that bad in the world. Information security researcher Jérôme Nokin, who runs a blog on all the fun things you can do over IP, found that WatchGuard's firewall appliances are taking a bit of a shortcut when it comes to storing passwords. It's the typical mistake of recognising that storing plain text passwords is a big no-no, but not going any further than simply hashing the password. In WatchGuard's case, it had been performing an NTLM hash of the password and that's it. Some might recognise NTLM as being part of Microsoft's old security protocol suite that, these days, is no longer recommended by Redmond because it is so outdated.

As Nokin also learned, an NTLM hash is simply the password converted to Unicode, then MD4 applied to it. Microsoft is right to shun NTLM, as in 1995, Hans Dobbertin demonstrated that using a Pentium processor (which has far less processing power than can be found in a smartphone today), he could break MD4 in a matter of seconds. His paper (PDF) into the cryptanalysis of the algorithm stated, "Where MD4 is still in use, it should be replaced!" The exclamation mark is his, despite this being in a paper submitted to the Journal of Cryptography. That's how strongly he felt about it. Yet, here we are almost two decades later, and MD4 is still hanging around like a bad smell. I said earlier that perhaps this isn't all that bad, and there's a good reason for it.

The credentials that Nokin broke aren't actually for the management of the firewall appliance itself.

As WatchGuard's director of security strategy and research Corey Nachreiner pointed out, they're used for an entirely different, and optional, purpose. "Our devices offer the ability for you to create policies by user, not just by IP address. To do this, you have to set up authentication. In most cases, users choose to authenticate with their own internal Active Directory, LDAP, or Radius authentication server, in which case we don't store any credentials. However, we also offer the local FireboxDB database for small customers who don't have their own authentication server." And the file that contains these credentials is only really accessible if you've gained access to the device itself. "The configuration file is normally saved to the laptop/PC of the person who already knows the password anyway. Best practice would ensure that administrators take protective measures to stop unauthorised access to the WatchGuard management computer anyway, including complex passwords and the latest Microsoft authentication protocols. Communication between the management PC and the WatchGuard is secured with AES encryption, so even the hashed password is only used with encryption and cannot be 'sniffed'," a WatchGuard spokesperson told ZDNet. Nachreiner also argued that although NTLM is showing its age, sufficiently strong passwords should offer reasonable protection.

He defines a strong password as one that is a complex combination of 12 characters or more. A strong password is the critical factor here, because as recently as December last year, Stricture Consulting Group CEO and security researcher Jeremi Gosney demonstrated that a specialised hash-cracking rig (PDF) could churn through 348 billion NTLM hashes per second.

If only lower-case characters were used (thus breaking the complexity requirement), a password of up to 12 characters in length could take a few days to brute force. Granted, not everyone has a 25 GPU setup like Gosney, but Nokin claims he was able to run through 12.7 billion hashes per second on his own dual-GPU setup.

A poorly constructed password susceptible to a dictionary attack will be easily broken. Yes, the use of NTLM was a pretty dumb move, but, lucky for WatchGuard, I'd argue that the level of protection matches the risk. Nachreiner put it best when he said, "If an attacker already has enough access to the administrator machine you use to manage your network security appliance, you already have bigger problems." And lastly, had an administrator picked good passwords to begin with, this would still be a non-issue. Nevertheless, WatchGuard's engineers are now looking at implementing Dobbertin's advice from 1995 and Microsoft's recommendation by getting rid of NTLM/MD4 and replacing it with something more suitable.
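As an added illustration (not code from the article, from Nokin or from WatchGuard), the NT hash scheme described above, computed with a pure-Python MD4 over the UTF-16LE-encoded password, sits beside a salted, iterated PBKDF2-HMAC-SHA256 store of the kind the closing paragraph's "something more suitable" points toward. The iteration count, the record format and the sample accounts are assumptions of this example; WatchGuard's actual replacement is not described on the page.

```python
"""NT hash (UTF-16LE + MD4) next to a salted, iterated password hash."""
import hashlib
import hmac
import os
import struct
from typing import Optional

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


# The three MD4 round functions (RFC 1320).
def _f(x, y, z): return (x & y) | (~x & z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)
def _h(x, y, z): return x ^ y ^ z


# Per round: message-word order, per-step rotation amounts, additive constant.
_ORDER = (
    tuple(range(16)),
    (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
    (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
)
_SHIFTS = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
_ROUNDS = ((_f, 0), (_g, 0x5A827999), (_h, 0x6ED9EBA1))


def md4(message: bytes) -> bytes:
    """Pure-Python MD4; hashlib.new('md4') is unavailable on many OpenSSL 3 builds."""
    # Padding: 0x80, zeros up to 56 bytes mod 64, then the bit length, little-endian.
    data = message + b"\x80" + b"\x00" * ((55 - len(message)) % 64)
    data += struct.pack("<Q", len(message) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for rnd, (fn, const) in enumerate(_ROUNDS):
            for i in range(16):
                t = (a + fn(b, c, d) + x[_ORDER[rnd][i]] + const) & MASK
                # Rotate the working variables so each step updates the "next" one.
                a, b, c, d = d, _rotl(t, _SHIFTS[rnd][i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """What the article describes: encode the password as UTF-16LE, MD4 it, nothing else.
    No salt and no work factor, so equal passwords give equal hashes on every device."""
    return md4(password.encode("utf-16le")).hex()


# Illustrative replacement: salted PBKDF2-HMAC-SHA256. The iteration count is an
# assumption for this example, not a figure from the article or from WatchGuard.
PBKDF2_ITERATIONS = 600_000


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: two local accounts that happen to share a password.
    users = {"alice": "Winter2013!", "bob": "Winter2013!"}
    nt = {u: nt_hash(p) for u, p in users.items()}
    print("NT hashes identical for identical passwords:", nt["alice"] == nt["bob"])
    records = {u: store_password(p) for u, p in users.items()}
    print("PBKDF2 records differ (random salt):", records["alice"] != records["bob"])
    print("Both still verify:", all(verify_password(users[u], records[u]) for u in users))
```

The identical NT hashes are the point Nokin's finding turns on: an unsalted, single-pass digest can be precomputed once and matched against every exported configuration file, whereas each PBKDF2 record forces a fresh, deliberately slow computation per guess.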

Developers Working With Big Data Suspect Government Snooping

A recent Evans Data survey shows that 39 percent of software developers said they suspect a government agency is tracking their data. Nearly four out of 10 (or 39 percent of) developers working with big data applications say they believe a government agency is keeping track of the data that they create, collect or use, according to the findings of a new survey. More than one-third of developers polled believe they have reason to think the government is watching their data, according to the study released by Evans Data, which regularly gathers data on the global developer population. This is more than simple paranoia, according to Evans Data officials, who based the "Data and Advanced Analytics Survey 2013" on input from more than 440 developers who work with databases and analytics. Of the respondents who indicated they are confident that they could tell if the government was tracking their data, the proportion of developers convinced that they are being tracked jumps to 59 percent.

Of those who did not think they would personally be able to tell, only 23 percent suspect government tracking. The survey, completed in August 2013, covers a wide range of topics related to data, analytics and storage, including sections on data security, which is implicated in data tracking. Big data presents new problems in implementing security, as does governmental interference, Evans Data said. For instance, one question in the survey was: "Have you run into a situation in which your traditional security mechanisms for data don't work with big or unstructured data?" According to Evans Data, 72 percent of developers who suspect governmental tracking answered "yes." The belief that governmental tracking is ongoing spans industries, the survey showed. "Big data and big government both bring unique challenges," Janel Garvin, CEO of Evans Data, said in a statement. "Security becomes not only a technical issue but can also become a policy issue that developers may not be able to address. In addition, cloud platforms, while providing necessary scalability for big data, may also increase the risk of governmental eavesdropping." While developers are split over whether the data will be stored on-site or in the cloud, two-thirds agree that the typical data or analytics project must be integrated into an enterprise-wide data warehouse rather than segregated from other data projects, which increases the need for security. The Evans Data survey covers such topics as the environment for big data, advanced analytics tools and services, real-time event processing, database technologies, data storage, shared resources and the cloud, general technology use, security concerns and more. Public skepticism of government snooping is widespread after former U.S. National Security Agency (NSA) contractor Edward Snowden leaked word of an electronic surveillance program called PRISM, under which the NSA analyzed email and telephone data in an effort to find patterns of activity that the agency claims provided valuable intelligence in the fight against terrorism. Also, since Snowden's leak, major technology firms, including Apple, Google and Facebook, have been battling allegations that the U.S. government enjoyed direct access to the servers in their cloud data centers and the user data contained within. Concerns about snooping are widespread. eWEEK Senior Editor Sean Michael Kerner reported that Linus Torvalds, the inventor of the Linux operating system, was asked at the recent LinuxCon 2013 event if U.S. government officials had requested a backdoor into Linux. "Torvalds responded 'no' while nodding his head 'yes,' as the audience broke into spontaneous laughter," Kerner wrote.

Compliance Is Still a Worry, but Security Is Now a Top...

IT security teams have made protecting business data their top priority but do not spend enough time communicating with executives, two surveys find. Network breaches have become the top concern for security professionals, replacing worries over a company's compliance with federal and industry regulations, according to two surveys released in the past week. A survey of 272 security managers and network engineers, titled "What Keeps IT Pros Up at Night," found that 34 percent of respondents worry most about the possibility of a breach, while 31 percent of those polled are concerned with failing an IT-security audit. To improve security, about 20 percent of IT security professionals said they plan to implement the SANS Critical Security Controls in the next 12 to 24 months. "For the first time, we are seeing security as the dominant concern that is keeping them awake, versus compliance," said Vijay Basani, CEO of EiQ Networks, which conducted the study. "It is a nice thing to see, because for a very long time, security professionals were all about compliance, compliance, compliance." Data breaches have become commonplace in the last few years, with massive breaches of organizations such as LinkedIn and the South Carolina Department of Revenue.

The cost of data breaches can be cut by 25 percent if the victim has invested strongly in security management, according to a Ponemon Institute report released earlier this year. A troubling trend, however, is that two-thirds of respondents reported that their security teams do not have enough staff to do their jobs. In addition, more than one-third of IT professionals rarely or never meet with business executives to better understand the impact that security can have on the business, the survey found. "This will be a problem going forward, unless IT security and business people communicate about the issues facing the business," Basani said. When it comes to complying with regulations, respondents' two largest concerns are the ability to measure and report on IT issues that affect compliance and the automation of IT security controls.

A quarter of respondents to the study said they do not know how long it will take to identify the root cause of a breach. Almost all companies are worried about their customers' perceptions of their security, according to a study released this week by technology firm Unisys.

The survey found that 91 percent of business and technology professionals said they worry about a breach undermining their customers' faith in their ability to secure data. "Business and technology decision makers are seeing threats from all directions and are looking for new ways to protect their organizations and their clients," Steve Vinsik, vice president of global security solutions at Unisys, said in a statement. Wireless infrastructure and network defenses are considered the most vulnerable to attacks; 74 percent and 72 percent of respondents, respectively, said they are concerned with those potential entry points.