RSA: The Cyber Security Gap in Education
Posted on February 26, 2014 by Kara Dunlap in Security
SAN FRANCISCO – In last year’s workforce study from ISC2, 56 percent of those surveyed said their security organization was short-staffed. A year later, figuring out what to do about that remains a challenge, and it is one not far from the minds of some of the attendees at the RSA Conference.
One answer may be to make sure that all aspects of IT consider security as a critical part of their operation. But that process often gets off to a rocky start for aspiring IT professionals, as many universities are not doing a good enough job of educating students on security – particularly those not going directly into the security field, argued Jacob West, HP’s CTO of Enterprise Security Products.
“Honestly I think we’re doing almost nothing at the university level today to teach security,” he told SecurityWeek at the conference, where he presented on the topic earlier in the day.
For those pursuing a career in cyber-security, there is at least a clear career path and opportunities, he said. But for anyone seeking a career in IT where security is not their primary responsibility, the danger of security falling through the cracks is very real.
“[Developers] are not getting realistic expectations placed on them at the university level around the kind of coding that they do,” he said. “They are basically asked to provide certain functionality…and are supposed to provide it with a certain level of performance perhaps – some cases not even that – but they’re not expected to provide it in a robust way. They are not graded against frankly the same standards that code in the real world is graded against today, which is being in an adversarial environment and where a small mistake can lead to a huge security problem.”
Adding to the challenge of preparing a workforce is the dynamic realities of IT security, where change is perhaps the only constant. In a panel discussion, representatives from security certification body (ISC)² stressed that seeking professional certifications can help not only bolster an employee’s credentials, but also serve as proof of expertise regarding real-world situations.
The test for the group’s CISSP certification is updated with new questions every few months, and it has to be retaken every three years for the credential to stay in good standing, Vehbi Tasar, director of professional programs development for (ISC)², explained to SecurityWeek. When it comes to education, he said, the best learning usually comes on the job.
“All good security people learned their job doing the job,” he said. “They didn’t learn at the university. That is a big gap in my opinion because universities are teaching just the basic stuff. They are not necessarily teaching different angles that people will encounter. They cannot really; you cannot expect them to do it.”
West said during his presentation he would like to see additional programs from both the government and the tech industry to support those seeking to get into the field, and added later that it was critical to recruit women, who he said as a group continue to be underrepresented in IT security. To that end, earlier in the week, HP announced it was making $250,000 available in scholarships for women studying information security.
“It’s not as simple as adding a new class on security,” he said. “It’s the idea that we have to build security and the requirements of robust programming into everything we teach at the university level, and that’s a much broader problem.”
Neiman Marcus Breach Not as Bad as First Thought
Posted on February 24, 2014 by Kara Dunlap in Security
In the world of security, these types of announcements don’t happen often. While still bad news, the recently-disclosed data breach at Neiman Marcus has impacted fewer customers than the company first thought.
In early January, the high-end department store warned that customer credit and debit card information was compromised as a result of a cyber attack.
Neiman Marcus did not originally say how many payment card numbers were affected as a result of the data breach, but on Jan. 23 said approximately 1,100,000 customer payment cards could have been potentially affected after hackers used sneaky point-of-sale (POS) malware to obtain details of customer payment cards.
Now, according to the investigation of the data breach, the number of potentially affected payment cards is lower, and is now estimated at roughly 350,000.
“The number has decreased because the investigation has established that the malware was not operating at all our stores, nor was it operating every day in those affected stores, during the July 16 to October 30 period,” Karen Katz, President and CEO of Neiman Marcus, wrote in a notice posted to the company’s Web site.
“We do know, and our forensic reports have confirmed, that malicious software (malware) was clandestinely installed on our system and that it attempted to collect or “scrape” payment card data from July 16, 2013 to October 30, 2013,” Katz said.
Fortunately, Neiman Marcus does not use PIN pads in its retail locations, so PINs were never at risk, unlike the recent data breach at Target.
Neiman Marcus told SecurityWeek in January that it was warned by its credit card processor in mid-December about potentially unauthorized payment card activity that occurred following customer purchases at Neiman Marcus stores.
Of the 350,000 payment cards that may have been captured by the POS malware, Katz said Visa, MasterCard and Discover told Neiman Marcus that, so far, approximately 9,200 were subsequently used in fraudulent transactions elsewhere.
The Neiman Marcus Group operates 41 Neiman Marcus branded stores, 2 Bergdorf Goodman stores, and 35 Last Call stores.
Google Acquires Spider.io to Help Combat Online Ad Fraud
Posted on February 21, 2014 by Kara Dunlap in Security
Google announced on Friday it has acquired UK startup spider.io for its technology used in the fight against online advertising fraud.
According to Google, the spider.io team has spent the past 3 years building a “world-class ad fraud fighting operation” that the search giant plans to integrate into its products.
“By including spider.io’s fraud-fighting expertise in our products, we can scale our efforts to weed out bad actors and improve the entire digital ecosystem,” Neal Mohan, VP, Display Advertising at Google’s DoubleClick unit, wrote in a blog post announcing the acquisition.
“Our immediate priority is to include their fraud detection technology in our video and display ads products, where they will complement our existing efforts,” Mohan continued. “Over the long term, our goal is to improve the metrics that advertisers and publishers use to determine the value of digital media and give all parties a clearer, cleaner picture of what campaigns and media are truly delivering strong results. Also, by including spider.io’s fraud fighting expertise in our products, we can scale our efforts to weed out bad actors and improve the entire digital ecosystem.”
Terms of the acquisition were not disclosed.
Earlier this month, Google acquired security startup SlickLogin, an Israeli company working on innovative authentication solutions that leverage mobile and audio technology.
Related: Flashback Trojan Targets Big Profits Through Google Ads Fraud Scheme
Related: ‘One-Click’ Scammers Changing Tactics: Symantec
Asus Patches Firmware Security Vulnerability
Posted on February 18, 2014 by Kara Dunlap in Security
It is not uncommon for vendors to give security advisories. This time however, it appears a hacker gave at least one victim an unexpected heads up.
According to Ars Technica, a user of an Asus router uncovered a text file on his external hard drive. The message read as follows: “This is an automated message being sent out to everyone affected. Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection.”
The note also instructed the user to read information on how to protect against the attack, which took advantage of a vulnerability uncovered last year by researcher Kyle Lovett. According to Lovett, the issue allows hackers to “traverse to any external storage plugged in through the USB ports on the back of the router.”
Asus did not respond to a request for comment on the issue. However, Softpedia reported that the vulnerability was addressed last week in a firmware update by Asus.
Earlier this month, a list of nearly 13,000 IP addresses reportedly tied to the vulnerable routers was posted on the Internet. Names of files stored on the hard drives of impacted users were reportedly published as well.
The list of impacted routers includes RT-N66U, RT-N66R, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, RT-N16R, RT-AC66R and RT-AC66U. More information about the updates for each model can be found here.
Just recently, researchers at the SANS Institute warned about a worm exploiting a vulnerability in several Linksys routers. The worm, dubbed ‘TheMoon’, takes advantage of a flaw that has since been patched by Linksys. Users are advised to apply the relevant updates.
Hackers Steal User Data From Kickstarter
Posted on February 16, 2014 by Kara Dunlap in Security
Kickstarter, a web site that serves as a funding platform for creative projects, said on Saturday that malicious hackers gained unauthorized access to its systems and accessed user data.
“On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data,” Yancey Strickler, Kickstarter’s CEO, wrote in a security notice. “Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.”
According to Strickler, customer information accessed by the attacker(s) included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords.
“Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one,” Strickler said.
The company said via Twitter that “old passwords used salted SHA1, digested multiple times. More recent passwords use bcrypt.”
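As an added example (not Kickstarter’s code), the two schemes the tweet describes can be handled by one verifier that still accepts legacy salted, multi-round SHA-1 records and transparently re-hashes the password with a slow KDF on the next successful login, so the weak records disappear over time. The round counts and record format are assumptions, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the example runs without third-party packages.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Legacy scheme per the statement: salted SHA-1, digested multiple times.
# Round count and record encoding are assumed for this example.
LEGACY_ROUNDS = 1000
# Stand-in for bcrypt: a deliberately slow KDF. Plain SHA-1 is fast by design,
# which is why weak passwords behind it can be guessed with modest compute.
PBKDF2_ROUNDS = 200_000


def legacy_sha1_hash(password: str, salt: bytes, rounds: int = LEGACY_ROUNDS) -> str:
    """Salted SHA-1 iterated `rounds` times. Record: sha1$rounds$salt_hex$digest_hex."""
    digest = hashlib.sha1(salt + password.encode()).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha1(salt + digest).digest()
    return f"sha1${rounds}${salt.hex()}${digest.hex()}"


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, rounds: int = PBKDF2_ROUNDS) -> str:
    """Modern record: pbkdf2_sha256$rounds$salt_hex$dk_hex with a fresh random salt."""
    salt = salt if salt else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the record under whichever scheme it was stored with and compare in constant time."""
    scheme, rounds, salt_hex, _digest_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "sha1":
        candidate = legacy_sha1_hash(password, salt, int(rounds))
    elif scheme == "pbkdf2_sha256":
        candidate = pbkdf2_hash(password, salt, int(rounds))
    else:
        return False
    return hmac.compare_digest(candidate, record)


def needs_rehash(record: str) -> bool:
    """True for legacy records or modern records stored with too few rounds."""
    scheme, rounds, _, _ = record.split("$")
    return scheme != "pbkdf2_sha256" or int(rounds) < PBKDF2_ROUNDS


def login(password: str, record: str) -> Tuple[bool, str]:
    """Returns (ok, record_to_store). A successful login against a weak record
    upgrades it, which is the only moment the plaintext is available to do so."""
    if not verify(password, record):
        return False, record
    if needs_rehash(record):
        return True, pbkdf2_hash(password)
    return True, record


if __name__ == "__main__":
    # Constructed sample: a legacy record with a fixed salt, then an upgrade on login.
    old = legacy_sha1_hash("correct horse battery", b"\x01\x02\x03\x04\x05\x06\x07\x08")
    ok, new = login("correct horse battery", old)
    print(ok, new.split("$")[0])
```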
Strickler said that no credit card data was accessed by the attackers, and that so far only two Kickstarter user accounts have seen evidence of unauthorized activity.
Kickstarter did not say how many user accounts were affected in the breach, but the company says that since launching in 2009, more than 5.6 million people have pledged $980 million, funding 56,000 creative projects through its platform.
“As a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password,” the advisory suggested.
“We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come,” Strickler wrote. “We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.”
*Updated with additional details on password encryption.
Introduction and Welcome – Security Metrics
Posted on February 13, 2014 by Kara Dunlap in Security
This is the beginning of a series of postings I’ll be doing on security metrics. It’s a topic that I don’t think we, as a community, have a particularly good grasp of – probably because security, as a field, is only just beginning to professionalize to the point where (in some markets) it’s getting more than a nod as a necessary evil. I can’t even imagine the number of times in my career that I have heard a security practitioner say something like, “We have to speak to executives in the language of business!” which often gets mistaken for “use lots of PowerPoint and buzzwords” but which really means: Be able to quantify what you’re talking about. And that’s where metrics come in.
Image caption: Lord Kelvin. If you really understand metrics, maybe you’ll have a unit of measurement named after you, like he did. What is the unit of measurement for computer security, anyway?
During the course of this series I’m going to hit on a range of topics from why metrics are important and what they are, to bottom-up analysis of your business process, and top-down analysis of your mission, then the problems of normalization and data-sharing, as well as suggestions on how to present data. I’m not going to pretend to you that metrics are insanely exciting as a field, because they aren’t. On the other hand, metrics are how you learn where you’re going and, as the great quip goes, “If you don’t know where you’re going, how will you know when you get there?” William Thomson, Lord Kelvin, once observed that “If you can not measure it, you can not improve it.” That, in short, is almost all we’d have to say about metrics in computer security – our goal is to improve, and right now many of us are following popular fads or traditions, instead of seriously studying what we’re doing.
Thomson also said, “There is nothing new to be discovered in physics now. All that remains is more and more precise measurement,” which goes to show you that it’s a bad idea to think that your field of study is immune to change. Computer security is hardly immune to change – in fact it’s more characterized by constant flux than anything else – which is what makes it so hard: we are chasing a mixture of configurations and practices that surround a variety of applications and protocols, all of which are mutating at a very high rate. When I started in this field the first firewall I built needed to effectively handle 5 protocols (DNS, NNTP, SMTP, FTP, and TELNET) and it didn’t even need to support a full command-set for those protocols. Today, the complexity of security has grown out of pace with the number of applications and protocols.
In other words, it’s a good time to be alive. Enjoy the ride.
Next up: Why should you care about metrics? We’ll look at where metrics fit into the organizational structure and why they are an important part of executive knowledge.
FireEye Unveils All-in-One Platform to Detect, Contain and Mitigate Threats
Posted on February 10, 2014 by Kara Dunlap in Security
FireEye, a provider of solutions that help companies block advanced cyber attacks, has expanded its FireEye Security Platform in an effort to offer customers a single solution that spans from threat detection and alerts to remediation.
The enhancements incorporate endpoint protection and managed security services from Mandiant, the company FireEye recently acquired for roughly $1 billion. Additionally, the updated platform includes new analytics and intrusion prevention capabilities, FireEye said.
The FireEye Security Platform is powered by the company’s Multi-Vector Virtual Execution (MVX) engine that conducts signature-less analysis in a specialized sandbox to provide protection across the primary threat vectors—Web, email and files. FireEye’s Security Platform also has been updated to include FireEye Dynamic Threat Intelligence.
Overall, FireEye said that the new capabilities of its FireEye Security Platform include:
Intrusion Prevention System – A new intrusion prevention system applies FireEye’s MVX technology to validate attacks and minimize the time and resources security teams spend investigating false alerts. Users get actionable insight from validated alerts so they can focus on alerts that present the greatest risk and accelerate incident response.
Endpoint Threat Detection & Response – The platform now incorporates Mandiant’s endpoint threat detection and response products (formerly sold as Mandiant for Security Operations). FireEye customers can now confirm when network and email alerts result in compromise.
Threat Analytics – New threat analytics capabilities allow security teams to apply FireEye’s threat intelligence to security event data generated from their existing security infrastructure so they can find and scope attacks as they are unfolding. A cloud-based solution, the threat analytics can perform real-time correlation of event logs against FireEye’s threat intelligence to identify when attackers are active in an environment.
Managed Defense Subscription Services – New subscription services build on FireEye’s continuous monitoring subscription service by offering additional expertise from Mandiant’s Managed Defense service. Organizations will now be able to choose from an expanded menu of monitoring and protection services and draw on FireEye security analysts to actively hunt for adversaries to find and stop attacks as they begin to unfold.
“FireEye is enabling us to address new layers of security infrastructure with the advanced technology that made their core products so effective,” said Brandy Peterson, CTO, FishNet Security. “The new platform will allow us to approach our customers with the right mix of new technology, updates for outdated products and services to help protect them from today’s advanced attacks.”
The new products and services are expected to be available during the first half of 2014, the company said.
California Leaders Want Smartphone ‘Kill Switch’
Posted on February 7, 2014 by Kara Dunlap in Security
SAN FRANCISCO – Californian leaders want to make it compulsory for smartphones or tablets sold in the state to have built-in “kill switches” to counter the rocketing number of thefts of the devices.
State senator Mark Leno and other elected officials on Friday unveiled legislation requiring that new smartphones or tablets have technology that could be used to remotely render them useless.
Backers called the bill the first of its kind in the United States; opponents fear it may allow hackers to shut down people’s devices.
“With robberies of smartphones reaching an all-time high, California cannot continue to stand by when a solution to the problem is readily available,” said Leno, a Democrat representing San Francisco.
“Today we are officially stepping in and requiring the cell-phone industry to take the necessary steps to curb violent smartphone thefts and protect the safety of the very consumers they rely upon to support their businesses.”
The legislation would leave service providers or manufacturers, including iPhone maker Apple, facing fines if smartphones or tablets sold in California beginning next year don’t include mechanisms to instantly disable them.
The bill will be introduced within a few months, according to Leno.
More than half of robberies in San Francisco involve mobile devices, and that share is three-quarters across the bay in the city of Oakland, according to Leno’s office.
“The wireless industry must take action to end the victimization of its customers,” San Francisco district attorney George Gascon said.
“This legislation will require the industry to stop debating the possibility of implementing existing technological theft
Related: Venafi Launches Certificate-based Mobile Device “Kill Switch”
Related: ‘Internet Kill Switch’ – Is this Technically Feasible in the US?
OpenDNS Teams With FireEye to Boost Threat Protection
Posted on February 5, 2014 by Kara Dunlap in Security
OpenDNS, the company best known for its DNS service that adds a level of security by monitoring domain name requests, today announced that its Umbrella security service is now integrated with the FireEye Web Malware Protection System (MPS).
Launched by OpenDNS in November 2012, Umbrella is a DNS-based security solution delivered through the cloud that helps protect users from malware, botnet and phishing threats regardless of location or device.
Adding FireEye’s behavioral analysis technology to Umbrella will provide OpenDNS customers with real-time protection against custom malware, zero-day exploits and advanced persistent threats (APTs), the company said.
Using predictive threat detection and enforcement, the combination of OpenDNS and FireEye will enable customers to extend security policies to the cloud and transparently protect any user and any device, both on and off the corporate network.
“Malicious activity detected by FireEye is automatically fed to the Umbrella service to enhance security policy enforcement, protecting customers from infection and preventing data leakage,” the company explained.
David Ulevitch, CEO of OpenDNS, called the partnership a “force-multiplier for Enterprise security.”
The announcement of the partnership was made at the FireEye 2014 Momentum Partner Conference, taking place in Las Vegas this week.
“Through this partnership, we are able to extend FireEye’s advanced threat protection to the cloud and provide centralized security policy enforcement to any device, on or off the network,” said Didi Dayton, vice president of worldwide strategic alliances at FireEye.
Because Umbrella resolves more than 50 billion DNS requests each day through its OpenDNS network, it is able to collect massive volumes of data and gain unique insight into emerging security threats and attacks. Using data collected from its DNS requests, OpenDNS leverages big data analytics to predict and block cyber threats without the need for manual intervention by security teams.
FireEye’s technology utilizes an isolated virtual environment (Virtual Execution Engine) to analyze file behavior and detect malicious code embedded in common file types. FireEye delivers alerts to OpenDNS when new threats are detected.
The OpenDNS-FireEye integration extends enforcement beyond the eroding network perimeter, Ulevitch said. “Together we can detect, alert and block advanced threats before damage can be done.”
The Umbrella service with FireEye integration is available immediately.