CSO-central: news

BeCrypt, a leading supplier of data security solutions, today announced that it has joined the RSA Secured® Partner Program to certify interoperability between its DISK Protect® v4.2 Standard data security solution and the RSA SecurID® SID800 hardware token and RSA® Smart Card 5200. DISK Protect v4.2 Standard is the latest version of BeCrypt’s full disk encryption solution, which has many additional features such as providing more flexible use of removable media devices and secure, automated removal of encryption keys allowing the safe decommissioning of computers that may have held sensitive data.

Richard Brooks, Director of Sales EMEA at BeCrypt commented, “We originally certified DISK Protect with the RSA SecurID SID800 hardware token and RSA Smart Card in 2006. Today, we have certified the latest version of our product, DISK Protect v4.2 with these two products, showing BeCrypt’s commitment to providing our customers with a wide range of security solutions that continue to keep pace with the latest technology. We have seen a significant demand from corporate organisations, central and local government for data security solutions that include two-factor authentication, and we believe that the technical interoperability with these RSA products provide a truly flexible solution without compromising any aspect of security.”

DISK Protect secures the data on desktop and laptop PCs with three layers of security, full disk encryption, strong pre-boot authentication and optional removable media encryption, without any noticeable impact on performance. Full disk encryption is performed transparently on the fly, avoiding the risk that the user may forget to encrypt sensitive files.

Pre-boot authentication allows DISK Protect to encrypt the operating system and prevent data being accessed with low level tools. Removable media encryption secures data on USB and other connected devices.

The RSA SecurID solution is as simple to use as entering a password, but significantly more secure. Used in conjunction with RSA® Authentication Manager software, an RSA SecurID authenticator is engineered to function like an ATM card for a company network, requiring users to identify themselves with two unique factors — something they know (a password or PIN), and something they have (such as an RSA SecurID hardware authenticator in the form of a token) — before they are granted access to secure business information.

“As the business world evolves, an effective strategy to protect identities and digital assets is essential to the growth and success of an organization. Companies must feel confident that vital information and applications remain secure, both inside and outside their operations,” said D.J. Long, Senior Director, Corporate Development at RSA. “The RSA Secured interoperability partnership between BeCrypt and RSA is designed to help end users efficiently and cost-effectively manage the digital identities of diverse user bases – including employees, partners and customers.”

CESG approved versions of DISK Protect are available for protecting classified data. DISK Protect v4.2 currently is undergoing the final stages of FIPS 140-2 Level 1 validation, and may optionally be installed in a FIPS-compliant mode.

• Leave a comment...

Barracuda Networks, Inc., a leading provider of network security solutions, today announced the European introduction of the Barracuda Message Archiver, an integrated hardware and software appliance that allows organizations to improve their email storage efficiency and meet legal and regulatory compliance obligations.

In addition, the Barracuda Message Archiver offers greater ease of use and administration, enabling deployment in less than 60 minutes.

“In the US recent changes in the legal and regulatory framework have increased the pressure on organizations of all sizes to retain email messages for future search and retrieval,” said Paul Thackeray, vice president of EMEA for Barracuda Networks. “While the environment might not be as intense in Europe most companies here recognize that it is coming and want to put something in place today so they are prepared.

“With the Barracuda Message Archiver we have continued our successful formula of solutions that combine ease of deployment and affordability,” he continued.

About the Barracuda Message Archiver The Barracuda Message Archiver is a complete and affordable email archiving solution, designed to effectively index and preserve all emails, achieve legal and regulatory compliance needs, and make more efficient use of storage technology inside the IT organization. Leveraging standard policies and seamless access to messages, email content is fully indexed and backed up to enable administrators, auditors and end users quick retrieval of any email message stored in an organization’s email archive. Delivered by Barracuda Central, Energize Updates provide automatic updates to its extensive library of virus and policy definitions for enhanced monitoring of compliance and corporate guidelines, document file format updates needed to decode content within email attachments and security updates for the underlying platform to remain free of potential security vulnerabilities.

Pricing and Availability The Barracuda Message Archiver is available in three models: Barracuda Message Archiver 350, 450 and 650. Pricing is based upon model and starts at £3349 in the U.K. with no per user licensing fees. International pricing varies by region. For more information, please visit www.barracuda.com/archiver.

• Leave a comment...

SoftScan announced today the launch of SoftScan Web Security, a new hosted service that protects an organisation’s web traffic from malicious software attack. The service scans both internal and external web traffic and instant messaging data, in addition to providing support for managing usage policies.

“We see more and more imaginative attempts to infiltrate networks with malicious software,” says CTO Diego d’Ambra SoftScan. “The dynamic and open nature of the internet makes it easy for IT-criminals to exploit and they often hit where it is least expected. With users frequently being led to infected websites through links in their email or instant messaging service, securing web traffic is a priority. Particularly when you consider that even websites you trust can be carriers of malware – often through third party content.”

SoftScan Web Security is a hosted service, which means that there is no need for the installation or updating of software – the solution is updated and optimised on an ongoing basis using the information gathered from the traffic SoftScan handles.

There are three elements to the service:

• Web Malware Scanning
• Web Filtering
• Instant Messaging (IM) Control

Web Malware Scanning stops spyware and viruses at the internet level, before they have a chance to infiltrate a company’s network. It also protects against both known and unknown malware-threats. Web Filtering makes enforcing a company’s internet policy easy by allowing customised access policies to be created on user or group level depending on an organisation’s requirements. IM Control helps to manage the increasing use
of Instant Messaging, e.g. Windows Live Messenger, AOL and Yahoo.

“Employees visiting inappropriate websites is increasingly a problem for companies. It is not so much that staff are wilfully breaking company rules, more that modern technology can sometimes be a challenge. To help overcome this we’ve included a function which scans web search results from sites such as Google in real-time to support the company’s internet policy by visually marking unsafe and forbidden websites. This prevents employees from accidentally visiting infected or inappropriate websites,” continues Diego d’Ambra.

• Leave a comment...

US company 8e6 Technologies, the leading independent provider of web filtering and insider threat management solutions, today announced it is expanding into the UK web filtering market with the appointment of security VAD (value added distributor) Wick Hill. 

8e6 Technologies, a web filtering pioneer established for over twelve years, firmly believes it can offer the UK market a better and more cost-effective alternative to Websense, after the elimination of SurfControl in 2007.

8e6 Technologies’ flagship R3000 Internet Filter is an appliance-based solution, which is easy to install and maintain. It provides both high performance and easy integration, with excellent scalability. 8e6’s own URL database is enhanced by Intelligent Footprint Technology (signature-based/pattern detection for IM, P2P and Web proxies). The product provides real time and forensic reporting, as well as several unique features such as proxy blocking, laptop filtering, X-strike and multi-level admin. The R3000 provides an excellent feature set and represents good value with a low total cost of ownership.

Eric Lundbohm, 8e6 Technologies’ vice-president of marketing, said: “Enterprises and educational organisations in the United States have long experienced the value of our unique, top-of-line filtering and reporting solutions. We are excited to partner with Wick Hill to help bring our award winning solutions to UK organisations who also value the importance of best-of-breed network security solutions.”

Ian Kilpatrick, chairman Wick Hill Group, commented: “The maturity of the web filtering market means that the bulk of the opportunities are at the point of renewal. With the superior functions of 8e6 and the current changes in this sector, we expect significant migration to 8e6.”

• Leave a comment...

Symantec Corp. today released the Symantec IT Risk Management Report Volume II, revealing that awareness of the importance of IT risk management is increasing, however several myths persist. Despite the finding that practitioners are embracing a more balanced approach that encompasses security, availability, compliance and performance risks, misunderstandings of IT risk management can lead to potential IT system failures, and ultimately impact business continuity. The report also indicates process issues cause 53 percent of IT incidents, while IT often underestimates the frequency of data loss incidents.

The comprehensive report, driven by the analysis of more than 400 in-depth, structured surveys with IT professionals worldwide, identifies key issues and trends, and analyses and dispels the following four myths commonly associated with IT risk:

• The myth that IT risk management is focused only on IT security;
• The myth that IT risk management is project driven;
• The myth that technology alone can manage IT risk;
• The myth that IT risk management has already become a formal discipline.

Myth One: IT Risk is Security Risk

Despite traditional perceptions associating IT risk primarily with security risks, survey results indicate the emergence of a broader view among IT professionals. Of the survey respondents, 78 percent gave “critical” or “serious” ratings to availability risk as opposed to security, performance and compliance risks, with 70, 68 and 63 percent respectively. The fact that only 15 percent separate the highest and lowest scoring risk-types indicates that IT professionals are adopting a more balanced, less security-centric view of IT risk.

“It is encouraging to see Symantec’s report highlight that organisations are recognising the criticality of managing IT risk in areas such as availability and performance in addition to security,” said Jon Oltsik, senior analyst at Enterprise Strategy Group. “In today’s connected world, businesses are starting to understand that failures across a broad spectrum of systems can impact the business operations and results.”

The report findings confirmed that security and compliance risks often attract attention because of their high visibility and impact—63 percent of respondents rated data loss incidents as having a serious impact on their business. However, increased emphasis is being placed on availability risks, which the report shows can flow through the value chain and create impacts measuring in millions of dollars, even from minor performance issues. Researchers at Dartmouth and the University of Virginia recently determined that a hypothetical Supervisory Control and Data Acquisition (SCADA) network failure at an oil refinery would result in an estimated economic impact of $405 million, with the supplier only bearing $255 million of the impact while others in the supply chain would assume the remaining loss (http://www.ists.dartmouth.edu/library/207.pdf).

Myth Two: IT Risk Management is a Project

The myth that IT risk management can be addressed in a single project, or even as a series of point-in-time exercises across budget periods or years, ignores the dynamic nature of the internal and external IT risk environment. IT risk management should be approached as an ongoing process in order to keep pace with the changing landscape businesses face today. IT security, availability, compliance and performance incidents can impact the modern organisation at an alarming rate. The report revealed the following regarding the frequency of different types of IT incidents:

• 69 percent expect a minor IT incident once a month;
• 63 percent expect a major IT failure at least once a year;
• 26 percent expect a regulatory non-compliance incident at least once a year;
• 25 percent expect a data-loss incident at least once a year.

The report shows that the most effective organisations take a more holistic approach. However, many organisations appear to be failing to implement some fundamental risk management controls, such as asset classification and management, where only 40 percent of participants rate their performance as 75 percent effective or higher. In addition, only 34 percent of participants believe that they have an up-to-date inventory for their wireless and mobile devices, which are essential in today’s business world.

Myth Three: Technology Alone Mitigates IT Risk

While technology plays a critical role in risk mitigation, the people and processes supported by technology also determine the effectiveness of an IT risk management program. According to the report, process issues cause 53 percent of IT incidents. Several controls also showed a decline in ratings from the previous report one year ago, causing increasing concerns. For instance, process controls such as training and awareness decreased from nearly 50 percent in Volume I to only 43 percent of respondents rating their training and awareness programs as more than 75 percent effective.

Similar to Volume I, the new report also shows very little improvement for the low rating of the asset and inventory classification control. Finally, only 43 percent of participants rate data lifecycle management “greater than 75 percent” effective, a 17 percent decline from Volume I. Weakness of these controls suggests that assets will be treated equally, so that some systems, processes and objects will be overprotected and others under protected from IT risk, resulting in cost and service inefficiencies.

Volume II of the IT Risk Management Report highlighted a 10 percent improvement in the number of participants rating secure application development “more than 75 percent effective.” The report also signals that problem management is rising on the agenda.

Myth Four: IT Risk Management Has Already Become a Formal Discipline

The report makes it clear that IT risk management is an evolving business discipline, rather than a precise science, due to reliance on the experience accumulated by individuals and organisations as they keep pace with a changing business and technology environment. There is a growing understanding that IT risk management incorporates elements of operational risk management, quality control and business and IT governance. In addition, practitioners may come to see IT risk management as a set of fixed principles and relationships, universally applicable across industries and geographies.

Industry Differences

The report also sheds light on the state of IT risk management within particular industries. Highlights include that healthcare participants expected the most IT incidents of any industry sector. Given the complexity and highly personal nature of healthcare services, as well as stringent compliance requirements, this is cause for some concern. Telecommunications ranked highest in deploying IT risk management controls, followed closely by banking and financial services. This success is likely driven by increased governance and compliance scrutiny of these sectors and concerns over the protection of personal data.

“Now in its second year, the IT Risk Management Report provides IT professionals and C-level executives with unparalleled insight into the discipline of IT risk management—ranging from understanding what’s working and what’s not to providing actionable guidance and best practices for effective program execution,” said David Thompson, group president, Symantec Information Technology and Services Group. “Better understanding of the practice of IT risk management empowers organisations to take calculated risks with confidence and use IT to drive competitive advantage.”

Click here to listen to further discussion on Symantec IT Risk Management Report.

The Symantec IT Risk Management Report Volume II is available http://www.symantec.com/business/theme.jsp?themeid=inform.

• Leave a comment...