The company pairs a light mobile client with a few lines of system code for ease of deployment and use on both sides of any authentication experience. LiveEnsure announced a solution designed to address current shortcomings in global user authentication techniques, adding contextual analysis to ensure certainty of identification with minimal personal imposition and a focus on privacy. The company pairs a light mobile client with a few lines of system code to help ensure ease of deployment and use on both sides of any authentication experience. "User authentication is critical to every level of digital activity. Without it, no payment, social connection, login, download, access or interaction can be considered authentic. All meaning, value and validity surrounding them are suspect," Christian Hessler, CEO of LiveEnsure, told eWEEK. "User authenticity is like a personal brand. It is the very essence of our digital selves, since we lack any actual physical manifestation in the bit realm. Personal information, reputation, integrity and revocability are critical to surviving and thriving in cyberspace, whether via mobile, desktop, wearable or the internet-of-things." The platform correlates data on a variety of dynamics involving device type, location and even user behavior for irrefutable authentication without certificates, tokens, SMS, biometrics, NFC, OOB, OTP or other techniques. "It’s about the crowd, not the cloud. The cloud is big, the hackers are bigger, but the crowd is the biggest of all. It is the base of the identity and authenticity triangle and it is where the solution lies," Hessler said. "In addition, if you want to beat a scalable hack or threat, you simply have to out-scale it - and we have that opportunity with LiveEnsure." He said users have a personal vested interest in maintaining the sanctity, anonymity and control of their authentication, and without it, they are powerless to explore, inhabit and benefit from the digital world.
Along with integration partners Pebble, Drop Payments and Intrinsic ID, LiveEnsure also launched an initiative that aims to free mobile users from the need to handle devices, cards and other forms of payment and identification when making in-store purchases. When fully realized, project Freehand will enable users to communicate securely with staff, products and points-of-sale through whatever device they choose. LiveEnsure and Intrinsic-ID have partnered to offer physically unclonable function (PUF) factors for mobile devices across iOS, Android and Windows Phone, while LiveEnsure Pebble factors will launch on both the iOS and Android apps this year. "LiveEnsure and Drop have teamed to improve the privacy, security, and scalability of mobile transactions on smart devices and wearables," Hessler said. "The three goals of project Freehand are to design elegant and secure mobile, wearable and commerce technology that simplifies and streamlines the experience, to design user experiences in gaming, driving, shopping and other navigable environments where users need tech to free up their focus, not monopolize it, and to bring security, authenticity and trust to the fabric, under full, private user control that thwarts the hacks, out-scales the threats and turns security from something people hate into something they embrace," he explained.
At the OpenStack Summit, a researcher applied threat-modeling techniques to gauge the potential impact of a vulnerability. PARIS—At the OpenStack Summit here, a security researcher discussed the recent Heartbleed and Shellshock vulnerabilities and gave a score for the impact of each, based on a number of threat-modeling metrics. Both the Heartbleed and Shellshock bugs were open-source flaws found in many Linux distributions, and both had the potential to impact OpenStack cloud users. Heartbleed is a flaw in the OpenSSL cryptographic library for secure transport, while Shellshock is a vulnerability in the Bash shell. Threat modeling involves multiple techniques—each of which has its own acronym—to understand and quantify risk, explained Robert Clark, lead security architect at Hewlett-Packard Cloud Services. The first threat-modeling acronym is STRIDE, or Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service and Elevation of privilege. All those items are outcomes that attackers can attempt to achieve when exploiting an organization. Another key threat-modeling acronym that Clark detailed is DREAD, which stands for Damage potential, Reproducibility, Exploitability, Affected users and Discoverability. "DREAD is a simple scoring system," Clark said. "A low number doesn't matter that much, a high number matters a lot." For the Heartbleed flaw, Clark noted that from a STRIDE perspective, there was the risk of information disclosure. From a DREAD perspective, he noted that the vulnerability was easily exploitable, discoverable and reproducible. Clark, who gave the Heartbleed vulnerability a 4.1, noted that anything more than 4 is considered very bad. "Heartbleed caused a lot of headaches for a lot of people," Clark said. However, the Shellshock flaw, which Clark gave a DREAD score of 4.2, was worse. As an example, a DHCP client could get bad information from a server that could potentially compromise an entire data center.
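A small STRIDE/DREAD helper that scores and ranks the three flaws Clark discussed (Heartbleed, Shellshock and Xen XSA-108). This is an added example, not code from the article or from Clark's talk; the article does not give his per-component ratings or scale, so the 1..5 ratings below are constructed and the mean-of-five formula is an assumption.

```python
"""Small STRIDE/DREAD threat-modeling helper.

Added example, not code from the eWEEK article or from Clark's talk.
Assumptions (not stated in the article): each DREAD component is rated 1..5
and the overall score is their mean; the per-flaw ratings below are
constructed for illustration and are not the values Clark presented.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List


class Stride(Enum):
    """The six STRIDE threat categories."""
    SPOOFING = "Spoofing identity"
    TAMPERING = "Tampering with data"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information disclosure"
    DOS = "Denial of service"
    EOP = "Elevation of privilege"


VERY_BAD = 4.0  # Clark: "anything more than 4 is considered very bad"


@dataclass(frozen=True)
class Dread:
    """DREAD ratings, each 1 (negligible) .. 5 (severe)."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        for name, value in vars(self).items():
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    def score(self) -> float:
        """Overall DREAD score: mean of the five ratings, one decimal."""
        ratings = list(vars(self).values())
        return round(sum(ratings) / len(ratings), 1)


@dataclass(frozen=True)
class Threat:
    name: str
    stride: FrozenSet[Stride]  # which STRIDE outcomes the flaw enables
    dread: Dread

    def severity(self) -> str:
        return "very bad" if self.dread.score() > VERY_BAD else "needs review"


def rank(threats: List[Threat]) -> List[Threat]:
    """Highest DREAD score first, so the worst flaw gets patched first."""
    return sorted(threats, key=lambda t: t.dread.score(), reverse=True)


# Constructed ratings for the three flaws in the article. The STRIDE tags
# follow Clark's description (Heartbleed: information disclosure; Shellshock:
# subverting the system, i.e. elevation of privilege; XSA-108: guests reading
# each other's data). The numbers are illustrative only.
CATALOGUE = [
    Threat("Heartbleed (OpenSSL)", frozenset({Stride.INFO_DISCLOSURE}),
           Dread(damage=3, reproducibility=5, exploitability=5,
                 affected_users=4, discoverability=4)),          # 4.2
    Threat("Shellshock (Bash)", frozenset({Stride.EOP}),
           Dread(damage=5, reproducibility=5, exploitability=4,
                 affected_users=4, discoverability=4)),          # 4.4
    Threat("XSA-108 (Xen)", frozenset({Stride.INFO_DISCLOSURE}),
           Dread(damage=5, reproducibility=4, exploitability=4,
                 affected_users=5, discoverability=5)),          # 4.6
]

if __name__ == "__main__":
    for t in rank(CATALOGUE):
        tags = ", ".join(sorted(s.value for s in t.stride))
        print(f"{t.dread.score():.1f}  {t.severity():12s} {t.name}: {tags}")
```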
"The reason why it gets such a high DREAD score is it allowed an attacker to subvert the system itself," Clark said. "Heartbleed was terrible, but all it allowed an attacker to do is recover credentials and then interact with the system."Additionally, Clark noted that with Shellshock it was very difficult for many organizations to properly identify what parts of the infrastructure were affected by the flaw. In contrast, Heartbleed was somewhat narrower, impacting SSL-related data transport. Another flaw that Clark analyzed was XEN XSA-108, which is the Xen hypervisor flaw that caused Amazon, Rackspace and IBM to reboot their public clouds at the end of September. Though XSA-108 did not necessarily receive a branded name, such as Heartbleed and Shellshock, it had a greater impact, at least as rated by Clark's DREAD score. Clark gave XSA-108 a score of 4.3. "XSA-108 could have allowed virtual guests to read each other's data and cause all sort of horribleness," Clark said. "As a cloud provider, this was your worst nightmare." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Virtual machine and cloud system security provider CloudPassage has released its latest version of Halo, which it bills as the only software-defined security platform purpose-built for cloud and virtualized storage infrastructure. The new capabilities announced Nov. 4 make it faster and more effective for Global 2000 companies to detect and react to security vulnerabilities in virtualized environments, CEO Carson Sweet said. Hackers and organized crime IT intruders are taking advantage of the "disruptive changes that are occurring in corporate IT environments as large enterprises accelerate adoption of public and private cloud solutions," Sweet, a 22-year veteran of the security industry, said. "As a result, new security strategies and solutions are urgently needed." Halo is doing its part to provide some of these new capabilities. The latest release includes:
--Halo Audit Mode, which offers greater visibility for large, global enterprises by enabling companies to monitor their virtual infrastructure without impacting system availability or performance. Halo's lightweight agent, integrated with cloud orchestration tools, ensures that within seconds of a new workload appearing in the cloud, administrators can assess it for vulnerabilities and make it immediately accountable to security policies; and
--Halo Log Based Intrusion Detection System, which allows immediate visibility and notification when security anomalies are detected in watched log files. Policies and enforcement can be defined for specific indicators of risk, compromise or error to enable quick security action. Organizations can also monitor network or system activities for malicious behaviors or policy violations, and automatically generate alerts and reports.
This latter feature gives, regardless of scale, near real-time ability to detect unauthorized accounts being created, application security errors, changes to host firewall configurations, and other events that can threaten the security and compliance of an organization, Sweet said. "It's become clear that perimeter-based security models simply won't work. CloudPassage solves these issues with a flexible, elastic software-defined security platform that delivers the abstraction, automation and orchestration required with modern infrastructure," said Nate Lindstrom, vice president of technology operations for OneLogin.
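The kind of policy a log-based intrusion detection system evaluates for the indicators named above (unexpected account creation, host firewall changes, application security errors), run over a few watched log lines. This is an added example, not CloudPassage code; the syslog-style lines, the `EXPECTED_ACCOUNTS` allowlist and the patterns are constructed assumptions.

```python
"""Log-based intrusion detection over watched log lines.

Added example, not CloudPassage code. The sample log, the allowlist of
accounts provisioning is permitted to create, and the regexes are all
constructed assumptions; a real deployment would load the policy from
configuration and tail the files instead of scanning a string.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed syslog-style sample; not real output of any product.
SAMPLE_LOG = """\
Nov  4 10:01:12 web01 useradd[2231]: new user: name=deploy, UID=1003, GID=1003, home=/home/deploy, shell=/bin/bash
Nov  4 10:01:20 web01 useradd[2240]: new user: name=svc-backup, UID=1004, GID=1004, home=/var/backup, shell=/usr/sbin/nologin
Nov  4 10:01:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/iptables -I INPUT -p tcp --dport 8443 -j ACCEPT
Nov  4 10:02:05 web01 app[1811]: ERROR security: SQLSTATE[42000] syntax error in query built from request parameter
Nov  4 10:02:09 web01 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Accounts that automated provisioning is allowed to create (constructed).
EXPECTED_ACCOUNTS = {"svc-backup"}

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


@dataclass(frozen=True)
class Alert:
    indicator: str
    host: str
    detail: str


def check_account(msg: str) -> Optional[str]:
    """Flag creation of any account that is not on the allowlist."""
    m = re.search(r"useradd\[\d+\]: new user: name=([^,]+),", msg)
    if m and m.group(1) not in EXPECTED_ACCOUNTS:
        return f"unexpected account {m.group(1)!r} created"
    return None


def check_firewall(msg: str) -> Optional[str]:
    """Flag any privileged change to the host firewall."""
    m = re.search(r"COMMAND=(\S*/)?(iptables|ip6tables|nft|ufw)\b(.*)$", msg)
    if m:
        return f"host firewall modified: {m.group(2)}{m.group(3)}"
    return None


def check_app_error(msg: str) -> Optional[str]:
    """Flag application-level security errors such as SQL syntax failures."""
    if re.search(r"ERROR security: SQLSTATE\[\d+\]", msg):
        return "application security error: " + msg.split(": ", 1)[1]
    return None


# Indicator name -> check; this is the "policy" the IDS enforces.
POLICY: Dict[str, Callable[[str], Optional[str]]] = {
    "unauthorized_account": check_account,
    "firewall_change": check_firewall,
    "app_security_error": check_app_error,
}


def scan(log_text: str) -> List[Alert]:
    """Evaluate every policy indicator against each watched log line."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # unparseable line; a real IDS would count these too
        for indicator, check in POLICY.items():
            detail = check(m.group("msg"))
            if detail:
                alerts.append(Alert(indicator, m.group("host"), detail))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.indicator}] {a.host}: {a.detail}")
```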
In the cloud, high utilization is the norm, so can administrators detect attacks? PARIS—Securing the cloud isn't just about protecting the network layer from external attacks; it's also about being able to detect fraudulent activities running on the cloud. At the OpenStack Summit here, a group of researchers presented their findings on how to use the OpenStack Ceilometer project—used primarily for billing and metering of cloud usage—to detect fraud. Debojyoti Dutta, principal engineer in the Office of the Cloud CTO at Cisco Systems, said that often the discussion about cloud is how to optimize for big data and application delivery, but the really important question that always needs to be answered is what is actually happening in any given cloud. The Ceilometer project first became part of the OpenStack platform with the Grizzly release in 2013, thanks to the contributions and support of AT&T, DreamHost, Rackspace, Red Hat and Hewlett-Packard. When looking at what's happening on a cloud, being able to detect fraud is important. Fraudulent activities can take many forms, according to Marc Solanas Tarre, software engineer in the Cloud lab at Cisco. For the purposes of his research, Tarre specifically looked to identify distributed denial-of-service (DDoS) attacks as well as mining operations for the Bitcoin cryptocurrency. "Not all things running in the cloud are good," Tarre said. "We can use Ceilometer data, add some machine learning, and with that will get us real-time fraudulent activity detection." There are three steps to identifying fraud in the cloud: collect, classify and then counteract. In the collection stage, the cloud administrator collects information on the cloud, including CPU utilization, network use and disk activity. The Ceilometer data collection can also be used to collect the relevant information every 5 seconds. In the simplest form of analysis, if there is a high degree of network utilization, there could be a DDoS attack. 
If there is a high degree of CPU utilization, the first thought an administrator might have is that a Bitcoin mining operation is present. Tarre cautioned, however, that in the cloud, simple analysis isn't always the right answer. For example, a Hadoop big data workload in some respects might mimic the same network and CPU usage patterns as a DDoS attack or Bitcoin mining operation. Julio Hernandez-Castro, lecturer in computer security at the University of Kent, in Canterbury, U.K., noted that the problem of figuring out what is good and what is bad is not completely trivial. As such, he said there is a need to apply an algorithm to classify the data. After some evaluation, Hernandez-Castro said he found that the Orange data mining tool is the most effective for his purposes to help classify the data properly. With the data collected and properly classified, the next step is to counteract. It's possible for an administrator to set up rules to stop the cloud resource that is being abused and block the user, according to Hernandez-Castro. While the method proposed by Hernandez-Castro can collect data every 5 seconds, he suggests what he referred to as a "metaclassifier" approach to improve accuracy. With the metaclassifier, data is collected every 5 seconds for at least an hour before a decision is made on what the cloud traffic is doing. Using the metaclassifier approach, a near 100 percent accuracy rate of detection is possible, he said. "No one will mine Bitcoin for just 5 seconds; they're going to mine for hours or even weeks," Hernandez-Castro said. "So doing a metaclassification for an hour is OK." From a user privacy perspective, Hernandez-Castro emphasized that monitoring the Ceilometer data is a privacy-friendly approach to fraud detection. "This technique is noninvasive. We're just using data that we would collect anyway because we need it for billing purposes," he said. "We're not spying on anyone, and the method works even if everything is encrypted." 
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
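The collect, classify and counteract pipeline above, with the metaclassifier deciding over a full hour of 5-second samples rather than on any single one. This is an added example, not code from the Cisco/Kent research: the per-sample rules stand in for the classifier the researchers trained with Orange, the thresholds, meter names and sample streams are constructed, and a disk meter is assumed in order to separate a Hadoop-like batch job from mining, since both peg the CPU.

```python
"""Collect, classify, counteract over Ceilometer-style samples.

Added example, not code from the Cisco/Kent research. Assumptions: the
per-sample rules stand in for the Orange-trained classifier; thresholds,
meter names and sample streams are constructed; a disk meter separates a
Hadoop-like batch job from mining.
"""
from collections import Counter
from typing import List, NamedTuple

SAMPLE_PERIOD_S = 5                                # polling interval from the talk
WINDOW_S = 3600                                    # decide only after a full hour
SAMPLES_PER_WINDOW = WINDOW_S // SAMPLE_PERIOD_S   # 720 samples


class Sample(NamedTuple):
    cpu_pct: float     # CPU utilisation meter (name assumed)
    net_kbps: float    # outgoing network rate, scaled to kbit/s
    disk_iops: float   # read + write request rate


def classify_sample(s: Sample) -> str:
    """Per-sample rule of thumb: the 'simplest form of analysis'."""
    if s.net_kbps > 50_000 and s.cpu_pct < 60:
        return "ddos"      # flooding traffic with little compute
    if s.cpu_pct > 90 and s.disk_iops > 300:
        return "batch"     # pegged CPU plus heavy disk: Hadoop-like job
    if s.cpu_pct > 90 and s.net_kbps < 500:
        return "mining"    # pegged CPU and almost no I/O
    return "normal"


def metaclassify(samples: List[Sample], min_share: float = 0.8) -> str:
    """Verdict for the most recent full window, only if one label dominates.
    Short bursts cannot tip the window, which is the point of the method."""
    if len(samples) < SAMPLES_PER_WINDOW:
        return "undecided"
    window = samples[-SAMPLES_PER_WINDOW:]
    label, n = Counter(map(classify_sample, window)).most_common(1)[0]
    return label if n / SAMPLES_PER_WINDOW >= min_share else "mixed"


def counteract(tenant: str, verdict: str) -> List[str]:
    """Rules an operator might attach to a verdict (the 'counteract' step)."""
    if verdict in ("ddos", "mining"):
        return [f"stop abused instances of {tenant}",
                f"block user {tenant}", "notify operator"]
    return []


# Constructed one-hour streams.
def sustained_mining() -> List[Sample]:
    return [Sample(97, 120, 15)] * SAMPLES_PER_WINDOW


def hadoop_burst() -> List[Sample]:
    """Ten minutes of a batch job inside an otherwise quiet hour."""
    burst = [Sample(95, 8_000, 900)] * (600 // SAMPLE_PERIOD_S)
    quiet = [Sample(12, 300, 20)] * (SAMPLES_PER_WINDOW - len(burst))
    half = len(quiet) // 2
    return quiet[:half] + burst + quiet[half:]


def flood() -> List[Sample]:
    return [Sample(30, 95_000, 5)] * SAMPLES_PER_WINDOW


if __name__ == "__main__":
    for name, stream in [("mining", sustained_mining()),
                         ("hadoop", hadoop_burst()), ("flood", flood())]:
        v = metaclassify(stream)
        print(f"{name:8s} -> {v:10s} {counteract('tenant-a', v)}")
```

A 20-minute batch burst yields "mixed" rather than "mining"; lowering `min_share` trades that safety margin for faster alerts.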
Of the IT executives surveyed by Check Point, 42 percent noted that mobile security incidents cost their organizations more than $250,000. The vast majority (95 percent) of businesses face challenges with securing and supporting bring-your-own-device (BYOD) programs, strongly indicating the need for more robust security solutions for personal devices tied to the corporate network, according to a Check Point Software survey of more than 700 IT professionals. Of the security professionals surveyed this year, 82 percent expect the number of security incidents to grow in 2015. IT professionals report that the most common challenge faced by IT organizations in adopting a BYOD policy is securing corporate information (72 percent), followed by managing personal devices that contain corporate and personal data and applications (67 percent), and tracking and controlling access to corporate and private networks (59 percent). This year, businesses also saw an increase in remediation costs for mobile security incidents. Of the IT executives surveyed, 42 percent noted that mobile security incidents cost their organizations more than $250,000. "BYOD continues to grow at a fast clip—no longer can organizations say we aren't doing BYOD," Juliette Rizkallah, Check Point's vice president of global marketing, told eWEEK. "I think businesses realize that they need a long-term strategy around BYOD and are trying to assess which mobile solution blends best with their overall security infrastructure." The risk from Google Android-based devices increased from 49 percent in 2013 to 64 percent this year, as the platform with the greatest perceived security risk—as compared with Apple, Windows Mobile, and BlackBerry. Additionally, nearly all of the respondents (98 percent) expressed concern about the impact of a mobile security incident, with the greatest concern being the potential for lost and stolen information. 
Worryingly, the study found 87 percent of surveyed professionals believed that the greatest security threat to mobile devices was careless employees. Nearly two-thirds of the respondents believed that recent high-profile breaches of customer data were likely due to employee carelessness. Despite careless employees being the weakest link into businesses, 91 percent of IT professionals saw an increase in the number of personal mobile devices connecting to their networks over the past two years. In 2014, 56 percent of those surveyed managed business data on employee-owned devices, up from 37 percent in 2013. IT professionals were also asked if mobile devices, such as smartphones or tablets, were allowed to connect to their corporate networks. Most reported broad use of mobile devices within their organizations, with 95 percent saying that they had mobile devices connecting to corporate networks, including 74 percent who allowed both personal and company-owned devices, 20 percent who allowed only company-owned mobile devices, and 1 percent who had only personal mobile devices. Not a single dedicated security professional indicated that they expected the number of mobile security incidents to decrease this year, although among all IT professionals, including those for whom security was only part of their job, 7 percent felt that the steps they were taking to ensure security would decrease the number of security incidents. "I think the statistic that 87 percent of employers believe employees are a greater threat than hackers was the most surprising result. It reinforced the need we were seeing in the market for a solution that not only protects an organization but also enables employees to do what they need to on their devices without worrying that they are leaking sensitive information or accessing malicious Websites," Rizkallah said. "Employee education and technology need to work synergistically to combat mobile security issues and concerns."
More than two-thirds of respondents to a Ponemon Institute survey say it's more difficult to protect sensitive data in the cloud using conventional security practices. A majority of IT organizations are kept in the dark when it comes to protecting corporate data in the cloud, putting confidential and sensitive information at risk, according to a Ponemon Institute study commissioned by data security specialist SafeNet. Nearly three-quarters (71 percent) of IT professionals confirmed that cloud computing is very important today, and more than three-quarters (78 percent) believe it will be over the next two years. The respondents also estimate that 33 percent of their organizations' total IT and data processing requirements are met with cloud resources today, and that is expected to increase to an average of 41 percent within two years. However, 70 percent of respondents agree that it is more complex to manage privacy and data protection regulations in a cloud environment, and they also agree that the types of corporate data stored in the cloud—such as emails and consumer, customer and payment information—are the types of data most at risk. "Cloud security will get simpler as cloud providers build more security features and integration points for enhanced security from security vendors and partners," David Etue, vice president of corporate development strategy at SafeNet, told eWEEK. "This maturity will simplify cloud security, making it easier to deploy and manage. On the other hand, we are really at the beginning of the cloud journey for most enterprises." More than two-thirds (71 percent) of respondents said it is more difficult to protect sensitive data in the cloud using conventional security practices, and nearly half (48 percent) say it's more difficult to control or restrict end-user access to cloud data.
As a result, more than one-third (34 percent) of IT professionals surveyed said their organizations already have a policy in place that requires the use of security safeguards such as encryption as a condition for using certain cloud computing resources. The survey also revealed that 71 percent of respondents found the ability to encrypt or tokenize sensitive or confidential data important, and 79 percent said it will become more important over the next two years. On average, half of all cloud services are deployed by departments other than corporate IT, and an average of 44 percent of corporate data stored in the cloud environment is not managed or controlled by the IT department. Because of this, just 19 percent of respondents feel very confident that they know about all cloud computing applications, platforms or infrastructure services in use in their organizations today. Along with this lack of control over the sourcing of cloud services, views on who is actually accountable for cloud data security are mixed, with 35 percent of respondents saying it is a shared responsibility between the cloud user and the cloud provider, while 33 percent say it is the responsibility of the cloud user and 32 percent say it is the responsibility of the cloud provider. Regarding access to data in the cloud, 68 percent of respondents also say that the management of user identities is more difficult in the cloud, and 62 percent of respondents say their organizations have third parties accessing the cloud. Nearly half (46 percent) say their company uses multifactor authentication to secure third-party access to data in the cloud environment. About the same percentage (48 percent) of respondents say their organizations use multifactor authentication for employees' access to the cloud.
EyeVerify's latest biometric eye authentication and identification product, Eyeprint ID v2.0, will be released in January 2015 as an SDK for developers who want to build the capabilities into mobile apps that demand strong, reliable security. EyeVeri...
Nearly 40 percent of businesses don't realize they have more business data stored in Salesforce than in any of the other five or six "leading" cloud storage services. Here's a multiple-choice question for all IT folks who think they know the cloud storage market. Which one of the following services do you believe holds the most business data overall:
a) Box
b) Dropbox
c) Microsoft SharePoint
d) Google Drive
e) Salesforce.com
If you chose Salesforce.com, you are on the right track. Salesforce is not a storage application per se, but in practice it certainly is, since it is a customer relationship management tool that is required to store and secure all the data needed to run an account. Although Salesforce has a secure storage layer, its information governance controls are limited. Nearly 40 percent of businesses don't realize they have more business data stored in Salesforce than in any other approved corporate cloud file repository (including Dropbox, Box, Google Drive, and Sharepoint.com).
Research Reveals Risk Issues
This factoid was contained in a recent research project by Silicon Valley-based Adallom, which will make public its report on Nov. 5. Adallom's first Cloud Risk report is an analysis of cloud application usage for more than 1 million enterprise SaaS-enabled users over four dominant SaaS platforms: Salesforce, Box, Google Apps, and Office 365, between October 2013 and October 2014. Two-year-old Adallom, which already has a substantial lineup of customers, secures enterprise software-as-a-service (SaaS) application usage, audits user activity, and protects employees and digital assets from threats in real time. "Customers use us to get an understanding of who's interacting with the data in cloud applications, where the data is going, and obviously about risk management," Adallom Vice President of Strategy Tal Klein told eWEEK.
Adallom was founded in 2012 by Assaf Rappaport, Ami Luttwak and Roy Reznik, all former members of the Israeli Intelligence Corps' Unit 8200 and alumni of the Talpiot program. The company name originates from Ad Halom, otherwise known as the “last line of defense.”
In-Depth Look at SaaS Usage
The research provides an in-depth view of SaaS usage beyond common shadow IT, and it exposes risk that exists right under IT's nose, including:
--on average, a company shares its corporate files with 393 external domains, and 5 percent of an average company's files are accessible by anyone on the Internet;
--significant portions of authorized SaaS users have full administrative access: 7 percent in Salesforce (average deployment size is 2,000 users), 4 percent in Google Apps (average deployment size is 19,000 users) and 2 percent in Box (average deployment size is 1,400 users);
--more than 5 percent of files are orphaned files (files without owners) and 2 percent of orphaned files were created by users no longer with the company (a huge data retention risk in the event of an eDiscovery event); and
--80 percent of companies have at least one corporate zombie user (suspended or terminated employee whose account has not been deleted), which also costs enterprises money.
This report is the first of its kind to detail application usage patterns and risky behaviors for the top SaaS applications used by businesses, Klein said. "The findings in this report reaffirm the need for a new approach to data governance, risk management, and security in the context of cloud adoption," he said. Perimeter and endpoint security solutions provide minimal protection against new, emerging, and largely unknown risks. Therefore, enterprises need to proactively invest in new controls like Identity and Access Management (IAM) solutions and Cloud Access Security Brokers.
Some Other Data Points
Other findings in the Adallom report included:
--In the cloud, zombies are real: 11 percent of all enterprise SaaS accounts are "zombies," inactive assigned users that at best eat up the cost of a license and at worst increase the attack surface of the organization.
--More admins, more problems: Every administrative account represents a real and present risk to the enterprise. In some SaaS applications, Adallom discovered an average of seven administrators out of every 100 users.
--80 percent of companies have at least one former employee whose SaaS application credentials have not been disabled: Deprovisioning continues to plague organizations, and credential creep makes the problem unwieldy.
--Nineteen percent of users bypass identity and access management controls: Rebalancing the enterprise security portfolio from exclusively preventative controls to blended, risk-management-based compensating controls is necessary.
The company has secured $4.5 million in Series A funding from Sequoia Capital and Zohar Zisapel in addition to $15 million in Series B funding led by Index Ventures with contributions from Sequoia.
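A tenant audit that computes the four risk indicators the report measures (zombie users, admin share, orphaned files, external and public sharing) from the kind of user and file export a SaaS admin console provides. This is an added example, not Adallom code; the two datasets, the `example.com` corporate domain and the 90-day inactivity cutoff are constructed assumptions.

```python
"""SaaS tenant audit for the risk indicators in the Adallom report.

Added example, not Adallom code. The user and file records, the corporate
domain and the 90-day inactivity cutoff are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

INACTIVE_AFTER = timedelta(days=90)   # assumption: no login in 90 days = zombie


@dataclass(frozen=True)
class User:
    login: str
    is_admin: bool
    status: str                 # "active" | "suspended" | "terminated"
    last_login: Optional[date]  # None = never logged in


@dataclass(frozen=True)
class File:
    path: str
    owner: Optional[str]        # None = owner no longer exists in the tenant
    shared_with: List[str]      # e-mail addresses, or "anyone" for a public link


def zombie_users(users: List[User], today: date) -> List[str]:
    """Accounts that should have been deprovisioned but still exist:
    suspended/terminated users, plus active ones idle past the cutoff."""
    out = []
    for u in users:
        idle = u.last_login is None or today - u.last_login > INACTIVE_AFTER
        if u.status != "active" or idle:
            out.append(u.login)
    return out


def admin_share(users: List[User]) -> float:
    """Percentage of accounts holding full administrative access."""
    return round(100 * sum(u.is_admin for u in users) / len(users), 1)


def orphaned_files(files: List[File], users: List[User]) -> List[str]:
    """Files with no owner, or whose owner is no longer a tenant user."""
    logins = {u.login for u in users}
    return [f.path for f in files if f.owner is None or f.owner not in logins]


def external_sharing(files: List[File], corp_domain: str) -> Tuple[List[str], List[str]]:
    """External domains files are shared with, and files open to anyone."""
    domains, public = set(), []
    for f in files:
        for s in f.shared_with:
            if s == "anyone":
                public.append(f.path)
            elif "@" in s and not s.endswith("@" + corp_domain):
                domains.add(s.split("@", 1)[1])
    return sorted(domains), public


def audit(users: List[User], files: List[File], corp_domain: str, today: date) -> Dict:
    ext, public = external_sharing(files, corp_domain)
    return {
        "zombie_users": zombie_users(users, today),
        "admin_pct": admin_share(users),
        "orphaned_files": orphaned_files(files, users),
        "external_domains": ext,
        "public_pct": round(100 * len(public) / len(files), 1),
    }


# Constructed sample tenant (not real data).
TODAY = date(2014, 11, 5)
USERS = [
    User("alice", True, "active", date(2014, 11, 4)),
    User("bob", False, "active", date(2014, 5, 1)),      # idle well past 90 days
    User("carol", False, "suspended", date(2014, 9, 30)),
    User("dave", False, "active", date(2014, 11, 1)),
    User("erin", True, "terminated", None),              # left, still provisioned
]
FILES = [
    File("/q3/forecast.xlsx", "alice", ["dave@example.com"]),
    File("/hr/offer.pdf", "erin", ["anyone"]),
    File("/sales/deck.pptx", None, ["partner@vendor.example", "x@contoso.example"]),
    File("/eng/spec.docx", "frank", ["bob@example.com"]),  # frank no longer exists
]

if __name__ == "__main__":
    for k, v in audit(USERS, FILES, "example.com", TODAY).items():
        print(f"{k:17s} {v}")
```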
The founder of F5 Networks is now leading Tempered Networks and leveraging the Host Identity Protocol as a way to secure the Internet of things. It's hip to talk about the Internet of things, and today security vendor Tempered Networks is using HIP (Host Identity Protocol) to secure IoT. Tempered Networks is the rebranded name for a company formerly known as Asguard Networks. The roots of Asguard are with its founder David Mattes, who now will be the CTO of Tempered, while the founder of F5 Networks, Jeff Hussey, serves as president and CEO. Mattes explained to eWEEK that he first started working on the problem of IoT security while at Boeing, as the aircraft manufacturer was building out its distributed supply chain for the 777 aircraft. The idea was to have a "tempered" layer in the communications stack that adds cryptography to all communications. By leveraging HIP—a technology specification that was originally proposed by Verizon and Ericsson and jointly developed with Boeing—Tempered Networks has enabled organizations to have isolated overlay networks in which communication between industrial systems can be protected and secured, according to Mattes. "The elegance of HIP is that it can provide a backward-compatible interface to the application layers and add a cryptographic identity," he said. From a product perspective, Tempered Networks has HIP switches that sit in front of equipment, and there is also a conductor technology that orchestrates policy and handles monitoring. The Tempered Networks platform is intended to protect data in motion. Mattes noted that encryption for data at rest is outside of the purview of what Tempered Networks is offering. Another area that is outside of Tempered Networks' platform is integration with enterprise IT identity stores, such as Microsoft Active Directory. However, that integration with enterprise identity is on the company's near-term road map, according to Mattes.
The road map for Tempered Networks also includes a possible software-as-a-service (SaaS) offering for managing and monitoring a HIP-secured network. Asguard Networks got its start under Mattes' leadership in 2012, and with the transition and rebranding today to Tempered Networks, CEO Hussey is aiming to position the technology to solve a wider array of problems than just industrial control systems. "Our challenge is people trying to do Internet of things security with traditional methodologies, like firewalls," Hussey said. Hussey sees Tempered Networks in a position somewhat similar to what F5 Networks was in 15 years ago. He founded F5 Networks and evolved that company from being just a simple network load balancer to becoming an application delivery controller market leader. "When I started F5, I think the total available market for load balancers was in the hundreds of thousands, and now it's in the billions," Hussey said. "By any measure from any market size, the total available market for Internet of things security in converged infrastructure is a market worth tens of billions today, so I like our prospects." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
The vendor is pushing its end-to-end security strategy, and at the show, will talk about everything from endpoints to firewalls. Dell's complex security strategy comes down to a relatively simple—if not easy-to-achieve—single goal: Be the top single vendor of end-to-end security offerings. It's a strategy that has driven Dell over the past several years to invest billions in buying security firms—including SecureWorks in 2011 and SonicWall, AppAssure and Quest in 2012—to help fill out its capabilities, and one that was a central theme in mid-October during the vendor's inaugural Dell Security Peak Performance Conference. At the show, CEO Michael Dell reportedly outlined his company's security roadmap for 600 of its channel partners, including plans to include encryption throughout Dell products and to enhance the security of its network switches. "Security is not a new thing for us," Dell told the partners during a keynote address, according to news site CRN. "It was part and parcel of what we did in the data center and the client businesses. But now we are weaving them together in profound ways. Think about endpoint encryption and how do we bring network security and the network together. Think about what is going on in converged infrastructure. We are building a complete set of solutions." Security also looks to be a centerpiece of the upcoming Dell World 2014 show, a three-day conference in Austin, Texas, that kicks off Nov. 4. According to the show's agenda, more than a dozen breakout sessions will touch on such subjects as mobile and email security, endpoint security, security for the Internet of things (IoT) and firewalls. Dell officials also will talk about security in educational institutions in the era of mobile computing and bring-your-own-device (BYOD).
All of this falls in line with Michael Dell's understanding that, as the company evolved from a PC maker to a fuller enterprise IT solutions and services provider, security would become an even more important part of what the vendor does, according to John McClurg, vice president and chief security officer for Dell Global Security. The CEO wanted to ensure that Dell addressed security "across the full spectrum" of its offerings, McClurg, who has been with Dell for more than three years, told eWEEK. The company recently got some strong validation of its strategy, with 63 percent of its resellers in a survey taken just before the partner security summit last month saying it was very important or important to offer their customers end-to-end security solutions—from network and mobile security to identity and access management--from a single vendor. Only 7 percent said doing so was not important. A key part of what Dell offers in security addresses what McClurg calls "wetware"—the human element. According to IBM's recent Security Services 2014 Cyber Security Intelligence Index report, about 95 percent of IT security breaches reportedly can be attributed to some kind of human error. More employees are doing more work over more devices—not only PCs, but also smartphones and tablets—from other locations—on the road or at home. Add in the fact that work is increasingly being done in the cloud, and the need to ensure security while increasing access to corporate data and networks for employees is growing rapidly. In addition, thanks to such social networks as Facebook and Twitter, the risk of human-related security issues is expanding. Security solutions need to address employees as "extended beings" whose work life can expand beyond the confines of their working spaces, McClurg said. Security efforts need to be "contextually aware" to work in the "open nature of the world we experience," he said. 
"Where our private lives begin and our professional lives begin is breaking down," McClurg said.
Businesses will spend slightly more this year, but struggle with finding knowledgeable security professionals, according to a survey by Ernst & Young. Companies will spend marginally more money on technology and staff to defend their IT systems and data in 2015, but they continue to have problems hiring knowledgeable security professionals, according to a survey conducted by business-services firm Ernst & Young. About 52 percent of the more than 1,800 organizations surveyed expect security budgets to increase, compared to 43 percent whose budgets will remain unchanged. More than half of firms identified the lack of skilled professionals as a major reason for their inability to bolster system security, according to the survey. "Good resources are scarce and you have to find new ways to provide needed security services," Chip Tsantes, chief technology officer of the cyber-security practice at Ernst & Young, told eWEEK. "You have to be more creative to find the skills that you need." The lack of information-security professionals has been a common theme over the past five years. More recently, government hiring and the increase in the number of devices added to networks requiring security support have led to a continued shortfall in skilled security people, which Cisco estimates at 1 million workers worldwide. The lack of adequate staff undermines a variety of security efforts, according to the survey. About a third of companies do not have the capability to assess threats in real time; only 13 percent of firms believe they are meeting their information-security needs; and between a third and 45 percent of organizations gave themselves poor grades in a variety of cyber-security areas. Companies without adequate staff need to prioritize efforts and focus on technologies and processes that give them better visibility into threats and their current risks, Tsantes said.
"You can't monitor everything, and that means you must make sure that you are focused on the most critical assets," he said. "Security teams need to direct the business to protect those assets and focus their efforts." As in past years, companies flagged employees as the most likely source of threats to their information, but this year businesses identified a variety of external threats—such as criminal syndicates and hacktivists—as the most probable threats. The survey found that 57 percent of respondents identified employees as a threat source, but criminals (53 percent), hacktivists (46 percent) and lone-wolf hackers (41 percent) were all deemed a more likely threat than the next highest internal actor, contractors. To develop employees into a security asset rather than a vulnerability to be exploited, companies frequently train and focus on education. However, businesses should also track their employees' security awareness, according to the report. While 55 percent of companies do not rate their employees' security knowledge on performance evaluations, establishing workers as a potential line of defense should be a priority for companies. "If employees understood that their own job security was under threat because the security of the organization was under threat, and that cyber-security was a performance metric, this could encourage a permanent change in awareness and behavior," the Ernst & Young report concluded.
Google plans to disable support for SSL 3.0 in an upcoming Chrome release. Mozilla has similar intentions. Google researchers first publicly disclosed a flaw dubbed "POODLE" in the SSL 3.0 protocol on Oct. 14. Though Google made a patch available for servers to help mitigate the risk, one of the best long-term solutions to the flaw is for browser vendors to drop support for SSL 3.0, which is now what Google is pledging to do for its Chrome browser. The POODLE, or Padding Oracle On Downgraded Legacy Encryption, vulnerability could potentially enable an attacker to access and read encrypted communications. SSL 3.0 is a legacy protocol that has been replaced by the newer TLS 1.2, although many browser and server vendors have still supported SSL 3.0 as a fallback mechanism. In a mailing list posting, Google developer Adam Langley wrote that for the upcoming Chrome 39 stable release, SSL 3.0 fallback will be disabled. "SSLv3 fallback is only needed to support buggy HTTPS servers," Langley wrote. "Servers that correctly support only SSLv3 will continue to work (for now), but some buggy servers may stop working." If a user hits a server or online application that doesn't work, due to the SSL 3.0 fallback removal, Chrome will show a yellow badge over the lock icon in the browser. By disabling the fallback and showing the yellow warning badge, Google is giving site owners a chance to update their sites before dropping SSL 3.0 entirely. The current plan is for Chrome 40 to completely disable SSL 3.0 support. Google isn't the only browser vendor to take steps to limit the risk of POODLE. The upcoming Mozilla Firefox 34 release is also set to remove support for SSL 3.0. Microsoft, however, is taking a slightly different tack for its Internet Explorer browser. There is now a "Fix it" tool from Microsoft to disable support for SSL 3.0. When POODLE was first reported on Oct. 14, Microsoft wrote in an advisory that, "considering the attack scenario, this vulnerability is not considered high risk to customers."
Apple has also taken steps to limit its users' exposure to POODLE. In its Mac OS X operating systems, Apple has not entirely blocked SSL 3.0, but rather has disabled the use of CBC, or cipher block chaining, with Secure Sockets Layer (SSL), which is the root cause of the POODLE flaw. Though the POODLE flaw was disclosed two weeks ago, to date there have been no public reports of any exploitation as a result of the vulnerability. In contrast, a SQL injection vulnerability reported in the open-source Drupal content management system on Oct. 15 was exploited by attackers within seven hours. The fact that POODLE has not been actively exploited is likely due to a number of factors, including very low usage of SSL 3.0. Mozilla noted when POODLE was first disclosed that SSL 3.0 only accounted for 0.3 percent of all HTTPS connections. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
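The article names CBC under SSL 3.0 as the root cause, which is why Apple's choice to disable CBC (and the browsers' choice to drop SSL 3.0 fallback) closes the hole. The added illustration below is not code from the article or from any browser vendor: it contrasts the SSL 3.0 padding rule, which inspects only the final pad-length byte, with the TLS 1.x rule, which requires every pad byte to equal the pad length. An 8-byte block size (DES/3DES) and the 0xAA filler bytes are constructed assumptions; the logic is the same for AES's 16-byte blocks.

```python
"""SSL 3.0 vs TLS 1.x CBC padding validation on the final decrypted plaintext block.

SSL 3.0 leaves the padding bytes themselves unchecked, so a CBC block whose
contents were disturbed in transit still passes whenever its last byte happens to
decrypt to a valid pad length. TLS 1.x checks every pad byte, so the same
disturbance is rejected. This is the property Apple removed by disabling CBC with
SSL and that Chrome and Firefox remove by refusing to negotiate SSL 3.0 at all.
Constructed example; BLOCK = 8 is an assumption (DES/3DES block size).
"""
from typing import Callable

BLOCK = 8  # assumed cipher block size in bytes


def ssl3_padding_ok(block: bytes) -> bool:
    """SSL 3.0 rule: the last byte is the pad length and must be < block size.
    The pad bytes preceding it may hold any value and are never inspected."""
    return len(block) == BLOCK and block[-1] < BLOCK


def tls_padding_ok(block: bytes) -> bool:
    """TLS 1.x rule: the pad-length byte and every pad byte must all equal the
    pad length, so any corruption of the padding is detected."""
    if len(block) != BLOCK:
        return False
    pad_len = block[-1]
    if pad_len >= BLOCK:
        return False
    return all(b == pad_len for b in block[-(pad_len + 1):])


def acceptance_count(check: Callable[[bytes], bool]) -> int:
    """How many of the 65,536 possible (second-to-last, last) byte pairs a rule
    accepts when the other six bytes are fixed to the constructed filler 0xAA.
    A tampered CBC block decrypts to effectively random bytes, so a larger count
    means more records with damaged padding slip through undetected."""
    prefix = b"\xaa" * (BLOCK - 2)
    return sum(
        1
        for hi in range(256)
        for lo in range(256)
        if check(prefix + bytes([hi, lo]))
    )


if __name__ == "__main__":
    tampered = b"\xaa" * (BLOCK - 1) + bytes([BLOCK - 1])  # full-block pad, garbage pad bytes
    print("SSL 3.0 accepts disturbed padding:", ssl3_padding_ok(tampered))
    print("TLS 1.x accepts disturbed padding:", tls_padding_ok(tampered))
    print("SSL 3.0 accepted pairs:", acceptance_count(ssl3_padding_ok))
    print("TLS 1.x accepted pairs:", acceptance_count(tls_padding_ok))
```

With the constructed filler, SSL 3.0 accepts 2,048 of the 65,536 tail pairs (any block whose last byte is 0 through 7) while TLS 1.x accepts 257, and only the TLS rule rejects a full-padding block whose pad bytes were altered.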