Security firms leap into Cahoot debate

November 2004 ISSN 1353-4858

Featured this month

Security firms leap into Cahoot debate
At least three IT security companies were quick to comment on the avoidability of Cahoot's well-publicized security breach of 5 November. RSA, Kavado and Netegrity stepped forward to offer advice. The BBC revealed that Abbey's online bank was guilty of a security blunder introduced during a system upgrade twelve days previously. The upshot of the breach was that customers were able to see details of other people's accounts, but were unable to move money around. Turn to page 2...

Identity management - don't forget Human Resources
Many organizations are turning to identity and access management for better security, improved efficiency and maintenance of data quality, as well as for help with regulatory compliance. However, as more employee role changes occur, employees and non-employees are not losing their electronic privileges when they should. Dale Young at Insight Consulting advocates that IT should make the most of human resources in any identity management process: HR are the authoritative source of employee whereabouts and job descriptions. Getting HR buy-in at the beginning of the project, and leveraging the HR life-cycle and life-events, can significantly shorten an identity and access management project, because the data and structures are already in use within the business. This article discusses how to liaise with HR and use its intelligence to manage employee identities. Turn to page 5...

Internet threat level systems - useful or alarmist?
The terrorist attack warnings issued by the US Department of Homeland Security bear a resemblance to the colour-coded Internet threat level systems devised by certain IT security organizations. These systems take real-time data from remote sensors and combine it with data about new vulnerabilities and exploits. Bruce Potter examines some of the threat level systems available to IT security professionals today, reviewing the alert offerings from ISS, Symantec and SANS. Turn to page 4...

Contents

NEWS
Security firms leap into Cahoot debate .... 1
American Express deploys appliance for secure file transfer .... 2
IBM's support for the Liberty Alliance brings standard convergence for federated identity a step closer .... 3

FEATURES
Internet threat levels: The value of Internet alerts .... 4
Access management: Human resources have a vital role to play within employee identity and access management .... 5
Architecture reviews: Does IT hang together? .... 8
Threat Assessment: Assessing cyber-threats in the information environment .... 10
Virtualisation: Divide and conquer .... 18

REGULARS
Vulnerability roundup: Microsoft leaves Win2000 XPSP1 users in lurch .... 16
News in brief .... 3
Events .... 20

ISSN 1353-4858/04 © 2004 Elsevier Ltd. All rights reserved.

This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying
Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

Editorial office: Elsevier Advanced Technology, PO Box 150, Kidlington, Oxford OX5 1AS, United Kingdom. Tel: +44 (0)1865 843645. Fax: +44 (0)1865 853971. E-mail: [email protected]. Website: www.compseconline.com

Editor: Sarah Hilley
Senior Editor: Sarah Gordon
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, California University, Berkeley Lab; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production/Design Controller: Esther Ibbotson

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: (+44) 1865 843830, fax: (+44) 1865 853333, e-mail: permissions@elsevier.com. You may also contact Global Rights directly through Elsevier's home page (http://www.elsevier.com), selecting first 'Support & contact', then 'Copyright & permission'. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: (+1) (978) 7508400, fax: (+1) (978) 7504744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: (+44) (0) 20 7631 5555; fax: (+44) (0) 20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works
Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and e-mail addresses noted above.

Notice
No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

02158 Printed by Mayfield Press (Oxford) Limited

Network Security, page 2

NEWS

Security firms leap into Cahoot debate ...continued from page 1

Tim Pickard, strategic marketing director, RSA Security EMEA, commented: "This is graphic proof of RSA Security's assertion that username and password security is totally inadequate for today's ecommerce. Enlightened electronic traders such as AOL in the service provision sector and Credit Suisse in the online banking environment have already committed to the next generation of secure log-on service. Strong, two-factor authentication, incorporating something that the user knows and something that the user has, would dramatically improve the security of consumers in this type of environment."

Netegrity, meanwhile, said in a statement: "Although no financial loss was suffered, the damage to Cahoot's brand and customers' confidence could be long-lasting."

And Vik Desai, CEO of Web application security provider Kavado, said that "banks owe a duty of care to protect their customers' privacy and also a legal obligation under the Data Protection Act. We already protect many financial institutions' customers from this sort of security breach, but some are yet to make a minor investment in the inexpensive technology available, which can be quickly and easily installed to protect customers from both the mistakes of IT departments and also attacks by cyber criminals."

"This security breach could easily have been prevented by installing Web application firewalls, which prevent applications allowing unauthorized access, even in the event of the IT department making a mistake. In this instance the technology would have prevented access to account details without the user name and password being supplied, and secondly would have alerted the bank to the security problem in the system upgrade."
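The two controls the vendors describe, a check that account details are only served to an authenticated user who owns the account and an alert when that check refuses a request, are shown below as an added illustration. This is constructed code for this page, not code from Cahoot, Kavado, RSA or the original article, and it makes no claim about how Cahoot's system was built; the users, passwords, account identifiers and the Bank class are made up. The regression checks at the end are the kind of test a release pipeline would run before a system upgrade goes live, so that an upgrade cannot silently drop either check.

```python
"""Constructed illustration (added here; not code from Cahoot, Kavado, RSA or
the article): an account-details handler that refuses to show account data
without an authenticated session and without ownership of the account, and
records an alert on every refusal. All users, passwords and account
identifiers below are made up."""

import secrets
from dataclasses import dataclass, field

# Constructed sample data. A real system stores password hashes, not plaintext.
ACCOUNTS = {
    "ACC-1001": {"owner": "alice", "balance": "1,250.00"},
    "ACC-2002": {"owner": "bob", "balance": "88.10"},
}
CREDENTIALS = {"alice": "correct-horse", "bob": "battery-staple"}


@dataclass
class Bank:
    sessions: dict = field(default_factory=dict)  # session token -> username
    alerts: list = field(default_factory=list)    # security events for review

    def login(self, username, password):
        """Issue a session token only for a valid username/password pair."""
        stored = CREDENTIALS.get(username)
        if stored is None or not secrets.compare_digest(stored, password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def account_details(self, token, account_id):
        """Serve account details only to the authenticated owner of the account.

        Two independent checks: (1) the request carries a live session, and
        (2) the session's user owns the requested account. A refusal on either
        check is recorded so that a faulty upgrade shows up in monitoring.
        """
        user = self.sessions.get(token)
        if user is None:
            self.alerts.append(f"unauthenticated request for {account_id}")
            return {"status": 401, "error": "login required"}
        acct = ACCOUNTS.get(account_id)
        if acct is None or acct["owner"] != user:
            self.alerts.append(f"{user} requested {account_id} without ownership")
            return {"status": 403, "error": "not your account"}
        return {"status": 200, "account": account_id, "balance": acct["balance"]}


def regression_checks(bank):
    """Pre-release checks; every value must be True before an upgrade ships."""
    results = {}
    results["no_session_denied"] = bank.account_details(None, "ACC-1001")["status"] == 401
    results["bad_password_rejected"] = bank.login("alice", "wrong") is None
    alice = bank.login("alice", "correct-horse")
    results["owner_can_view"] = bank.account_details(alice, "ACC-1001")["status"] == 200
    results["other_account_denied"] = bank.account_details(alice, "ACC-2002")["status"] == 403
    results["refusals_alerted"] = len(bank.alerts) == 2
    return results


if __name__ == "__main__":
    outcome = regression_checks(Bank())
    print(outcome)
    assert all(outcome.values()), "release blocked: an access check regressed"
```

The point of keeping the session check and the ownership check separate is that a change which breaks one (for example an upgrade that starts treating every request as logged in) still fails the other, and every refusal lands in `alerts`, which is the signal the Kavado quote says the bank lacked after its upgrade.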

American Express deploys appliance for secure file transfer
Brian McKenna

Tumbleweed CEO Jeff Smith has said that American Express is among a group of customers using its new secure file transfer appliance.

The product is designed, says the $42m turnover company, to provide a turnkey, high-performance means of exchanging large or sensitive files over the Internet. Its SecureTransport software provides a multi-protocol file transfer service based on open standards, including guaranteed delivery, DMZ streaming, and automation to integrate with back-end systems. This same technology is now available in a Linux-based product, the Tumbleweed 'SecureTransport Appliance'.

"American Express is now exchanging more and more information with the AS2 standard - an authentication and encryption standard for the messaging of files across a public network. Wal-Mart uses the standard, which is why it is a standard!" said Smith. American Express partners Pepsi and Microsoft are using the AS2 standard to interact with it, said Smith.

"We are now seeing financial services institutions who've been using file transfer for their own applications, such as cash management, starting to use the products to interface with retailers or manufacturing firms.

"American Express found the appliance implementation easier to deploy. They were also attracted to our multi-tiered security architecture, with appliances at the perimeter and software internally."

The appliance shipped in early October and is also in production at MassMutual. Smith confirmed the price for the American Express deployment to be in the region of a few million dollars.
