[SecurityRatty] tag: reinforces

BitDefender Tops Latest Rootkit Detection Test by AV-Test.org

Tue, 27 May 2008 09:28:30 +0000

MOUNTAIN VIEW, CA–(Marketwire - May 27, 2008) - BitDefender®, an award-winning provider of antivirus software and data security solutions, announced today that BitDefender Internet Security Suite 2008, running on Microsoft Windows XP, received top rootkit detection results in a test conducted by AV-Test.org last month. On Microsoft Windows Vista Ultimate, BitDefender was also one of the top three products.

The tests, running on Microsoft XP Home Edition and Microsoft Vista Ultimate Edition, pitted 60 active malware samples (both rootkits and malware hidden using rootkits) against a selection of antivirus software packages.

While the results of the test showed that detection and removal of running rootkits is a problem for most major antivirus companies, BitDefender Internet Security 2008 managed to remove 23 rootkits and 27 hidden malware programs, a success which BitDefender CTO Bogdan Dumitru partly attributed to the B-HAVE pro-active detection technology developed by BitDefender.

“The results of tests conducted by independent organizations like AV-Test.org, reinforces BitDefender’s success as we strive to improve our proactive detection technologies,” said Bogdan Dumitru, BitDefender’s CTO.

For further details on the results of this test, please visit AV-Test.org (http://www.av-test.org). Details on the company’s testing techniques can also be obtained here.

Jordan the SpywareBiz mascot highly recommends BitDefender for your XP and Vista machines.

Visit SpywareBiz.com to purchase this great product.

PayPal denies plan to block Safari

Sun, 20 Apr 2008 20:00:00 +0000

PayPal has denied claims it plans to lock Safari users out of its online payments service as it reinforces its protections against online credit fraud.

Cisco reinforces physical security family

Tue, 01 Apr 2008 20:00:00 +0000

Cisco upgrades physical-security product line, with the Cisco High Definition 1080P Intelligent Camera for indoor use and the introduction of the Cisco Physical Access Manager for electronic-access control for existing door readers, locks and biometric devices.

Gartner IT GRC Predictions

Wed, 13 Feb 2008 14:30:00 +0000

I just had a chance to take a look at some recent research put out by Gartner on the IT Governance, Risk & Compliance Management space (IT-GRC).

They do an artful job laying out the customer desired capabilities and scoping the size of the market opportunity.

A couple key points to soak in:

IT GRCM products provide functions that address needs expressed by 75% of the Gartner client base.
Gartner estimates that software license revenue for vendors...was $73million for 2007, and we project a growth rate of 70% for 2008.

This reinforces previous posts with hard numbers that 2008 is indeed the year of IT Risk Managment. Here are links to those previous posts...

I highly recommend heading up to Gartner's website and reading each report;

Then come take a look at how Securityworks can help solve your IT-GRC needs by accomplishing those defined needs and capabilities.

Users continue to ignore security policies, while security organizations are overlooking non-technical controls

Thu, 13 Dec 2007 09:37:00 +0000

IT Compliance Institute had an article posted this morning that reinforces the point; "it's not the software/hardware/infrastructure/etc but the people and processes that expose the biggest risks to a company.

The article doesn't reveal who/where the survey was taken but it does highlight some key security items that people usually cut corners on.

Fifty-six percent said they had accessed office e-mail via a public wireless hotspot
52 percent said they had accessed office e-mail via a public computer.
Eight percent admitted to having lost a mobile device containing corporate information.
Sixty-three percent admitted to sending corporate documents to their personal e-mail addresses so they could work at home.

There are security technologies out their (e.g., encryption, data leakage) that can help with each item but the challenge is keeping up with other IT technologies being deployed and business demands/challenges the users are trying to productively solve. Bottom line, you can't bypass making sure you have the right policies, procedures and education in place for your users (aka non-technical controls).

After reading this I decided to do some searching around for some type of survey numbers around technical vs. non-technical controls. I didn't see much out there but did come across this ("Is Information Security Under Control') from IEEE Computer Society published in early 2007.

The survey focused in on 80 of the highest quality security controls as determined by a group of experts. From that list of 80 their wasn't a place that specifically counted the number of non-technical vs. technical controls BUT, there were two very interesting graphs.

The first one (figure 2 in the article. - see below) showed the top 10 with the highest level of quality implementation. It revealed that 6 are technical controls and 4 are non-technical controls. Meanwhile, the second graphic (figure 3 in the article - see below) showed the bottom 10 related to quality of implementation. It revealed that 3 are technical while 7 were non-technical.

So just running crude number here shows 11 of those 20 were non-technical controls while 9 were technical controls. The articles goes on to make the statement "...we found that of all 80 practices surveyed, management controls (non-technical controls) had substantially lower implementation ratings then controls in the technical and operational categories... Organizations must realize that a large proportion of information security problems extend far beyond technology and learn to appreciate the role that less technical controls, such as policy development, play in minimizing security breaches' impact on mission-critical operations.

So this begs the question, "when was the last time your security group considered software products that help with managing these non-technical controls instead of just technical controls?" I've talked with numerous enterprises that have installed or are investigating various software products like Vulnerability Assessment, Patch/Configuration Management, Antivirus, SEIM, data leakage, etc. Maybe it's time to do something for your non-technical controls also and consider adding IT-GRC products to that 2008 budget/priority list.