RiskBloggers.com

July 2007

DNS Forgery Pharming

By Amit Klein, CTO Trusteer

Berkeley Internet Name Domain (BIND) has been the de facto DNS server for more than 20 years.

I’ve recently discovered a new weakness in BIND which enables “DNS Forgery Pharming”. An attacker can remotely poison the cache of any BIND 9 caching DNS server and force users who use this DNS server to reach fraudulent websites each time they try to access real websites.

This weakness can be turned into a mass attack in the following way: (1) the attacker lures a single user that uses the target DNS server to click on a link; no further action other than clicking the link is required. (2) By clicking the link, the user starts a chain reaction that eventually poisons the DNS server’s cache (subject to some standard conditions) and associates fraudulent IP addresses with real website domains. (3) All users that use this DNS server will now reach the fraudulent website each time they try to reach the real website.

Full paper: http://www.trusteer.com/docs/bind9dns.html

Executive version: http://www.trusteer.com/docs/bind9dns_s.html

A patch for this vulnerability is available and can be downloaded from the ISC website. I advise enterprises and ISPs to patch their BIND servers.


Exposure Time - A Metric For Proactive Security Risk Management

By Arun Sood

Information is critical to decision making in a corporation. Companies are beginning to apply risk management approaches to managing the IT infrastructure.  Vendors like Symantec and McAfee are also responding to this need.  Proactive Risk Management methodology enables the study of a variety of trade-offs.  However, for quantitative security risk management, it is necessary to have a quantitative metric.  The lack of easily measurable and understandable metrics is a big hole in the conventional reactive models of prevention and detection.


Click Fraud - Is Google Paying Attention?

This is a short post that will be followed by a longer post soon.  I am concerned that Google’s great revenue and success is based on botnet-based click fraud to a much greater degree than is commonly known.  I am getting a lot of anecdotal information that doesn’t add up and am looking into this more.  This could be the Enron of the Internet.  If you have click fraud stories send them to jim@reavis.org.


The U.S. Government Supporting Standards? (that they didn’t invent!)

By Jim Reavis

This tidbit may not rank up there with curing polio or the invention of YouTube, but I think it is pretty significant - you decide.  It hasn’t been announced yet, but folks in DC tell me that NIST (the National Institute for Standards and Technology) is working on a project to map between the ISO (International Organization of Standardization) 27001 certification standard for information security management systems requirements and NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.  Folks tell me that the goal of this is to come up with an ISO 27001 certification that is acceptable to the Feds to allow government agencies to comply with the Federal Information Security Management Act (FISMA).

NIST 800-53 is good stuff; in fact, I know of several private sector companies who use it as the framework for their information security programs.  The problem with standards is that there are too many of them.  The world changed significantly when we dumped an alphabet soup of networking protocols such as DECnet, OSI, IPX/SPX, and NetBEUI for just one: the Internet Protocol, or IP.  I don’t see NIST as bailing on all the good work of 800-53; I see them translating it into the flexible format of ISO 27001.  Federal agencies will have a more efficient means of complying with FISMA, and the rest of the world will have a stronger ISO 27001 to leverage within their security programs.

Could this be the domino that creates a regulatory standardization chain reaction?  Could ISO 27001 become the default framework for IT auditors, and the way forward for SOX 404 compliance?  Japan has already figured this out, and has roughly 2,000 27001-certified companies as opposed to about 60 in the U.S.  Nothing happens overnight, but replacing security prescriptions inside of regulations with a pointer to international standards will be a great thing.  Businesses will spend less on compliance and more on their business.  Security gaps will be reduced in business-to-business and government-to-business communications.  Perhaps we will all be able to focus on real problems and not so much on the checklists.  


Symantec in play?

By Jim Reavis

This is only a rumor; if it were an actual event, you would be instructed by the authorities where to redeem your SYMC stock.  Multiple Friends of Risk Bloggers have told me that Symantec has been in talks with investors over their strategic options, with the most likely outcome (if anything happens) being a move to go private!  Stepping out of the public markets would likely accelerate the massive industry shakeup we have been seeing; it may soon become pointless to have information security indices if we don’t have stocks to track.

I want to stress that the FoRBs (Friends of Risk Bloggers, of course) are not insiders with Symantec.  I am certainly not an insider; my investments consist of a little dirt and contributing to my doctor’s 401k.  However, they are smart people who do pay attention.  Symantec’s stock has been up and down of late.  I think John Thompson is a great CEO and has made some very smart moves to beef up their enterprise solutions; perhaps a couple of years sans SOX will allow the execs to focus more on the business and on aligning their healthy security and storage product portfolio with market needs.

We can be certain that the megadeals we have seen in information security are not over.  I would certainly think that, since Google bought Postini, MessageLabs will get picked up soon; I would assume their Star Technologies Services spinoff announcement in June was the necessary precursor to get a deal done.

I hope to see a bunch of you at BlackHat; with all the M&A going on, we can play musical nametags!


Better Application Security through XACML

By Jim Reavis

This is my first blog entry on behalf of Securent as a member of their advisory board.  As some of you may know, application security has been a very important issue to me, and a big part of the advisory work I have been involved with has dealt with initiatives in this space.  As an advisory board member for SPI Dynamics and a moderator for many events within their Secure Software Forum, I have been an advocate for taking a lifecycle approach to software development and getting the software developers to work more closely with the information security team – and to do it earlier.  Progress is being made to secure applications, but what I have learned from my experience so far is that while we do need to do a better job of collaboration between application development and security, we also need to better evaluate the risks of our applications.  By doing threat modeling to understand your application attack surfaces and performing a risk assessment, it becomes evident that we need to apply some fundamental changes to application architecture.  Here are some of the outcomes of those risk assessments I have seen:


Google buys Postini for $625M

Score another one for industry consolidation and the trend towards IT virtualization.  Google Apps is getting increasingly enterprise-ready.  Click here for the CNet news brief.