Turbotodd

Ruminations on IT, the digital media, and some golf thrown in for good measure.

Archive for the ‘privacy’ Category

Batten Down The Hatches! IBM’s X-Force 2012 Trend And Risk Report

leave a comment »

It’s been a busy year for IT security incidents. Yesterday, John Markoff and Nicole Perlroth with The New York Times told us about yet another incident, this time a cyberattack involving antispam group Spamhaus and an anonymous group unhappy with their efforts.

Based on disclosed incident details such as the vulnerability used and attack type, IBM X-Force was able to determine that the majority of the security incidents disclosedin 2012 were carried out by the top left quadrant above, with attackers going after a broad target base while using off-the-shelf tools and techniques. This can be attributed to the wide public availability of toolkits, and to the large number of vulnerable web applications that exist on the Internet.

Click to enlarge. Based on disclosed incident details such as the vulnerability used and attack type, IBM X-Force was able to determine that the majority of the security incidents disclosed in 2012 were carried out by the top left quadrant above, with attackers going after a broad target base while using off-the-shelf tools and techniques. This can be attributed to the wide public availability of toolkits, and to the large number of vulnerable web applications that exist on the Internet.

But the list goes on and on. From the discovery of sophisticated toolkits with ominous names like Flame to cross-platform zero-day vulnerabilities, both consumers and corporations have been inundated with advisories and alerts regarding emerging threats. The frequency of data breaches and incidents—which had already hit a new high in 2011—continued their upward trajectory.

At the mid-year of 2012, IBM’s X-Force team predicted that the explosive nature of attacks and security breaches seen in the first half would continue. Indeed this was the case. While talk of sophisticated attacks and widespread distributed denial-of-service (DDoS) attempts made the year’s headlines, a large percentage of breaches relied on tried and true techniques such as SQL injection.

What continues to be clear is that attackers, regardless of operational sophistication, will pursue a path-of-least-resistance approach to reach their objectives. Integration of mobile devices into the enterprise continues to be a challenge. In the previous report, X-Force looked at some of the pitfalls and perils of implementing BYOD programs without strict formulations of policy and governance to support the use of these devices.

That said, recent developments have indicated that while these dangers still exist, and X-Force believes mobile devices should be more secure than traditional user computing devices by 2014. While this prediction may seem far fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.

In its latest report, X-Force explores how security executives are advocating the separation of personas or roles on employee-owned devices. It also addresses some secure software mobile application development initiatives that are taking place today. The distribution and installation of malware on end-user systems has been greatly enabled by the use of Web browser exploit kits built specifically for this purpose.

The intense proliferation of social networking across the Internet poses new challenges to companies that need to control the sharing of confidential information. Any employee that has access to the Internet is going to be exposed to social networking sites and because they are so frequently accessed,they have become a favorite target of scam and phishing.

Click to enlarge. The intense proliferation of social networking across the Internet poses new challenges to companies that need to control the sharing of confidential information. Any employee that has access to the Internet is going to be exposed to social networking sites and because they are so frequently accessed,
they have become a favorite target of scam and phishing.

Exploit kits first began to appear in 2006 and are provided or sold by their authors to attackers that want to install malware on a large number of systems.  They continue to be popular because they provide attackers a turnkey solution for installing malware on end-user systems.

Java vulnerabilities have become a key target for exploit kits as attackers take advantage of three key elements: reliable exploitation, unsandboxed code execution, and cross-platform availability across multiple operating systems. Java exploits have become key targets in 2012 and IBM X-Force predicts this attack activity to continue into 2013.

As X-Force also reported in the mid-year, spam volume remained nearly flat in 2012, with India claiming the top country of origin for spam distribution, but the nature of spam is changing. Broadly targeted phishing scams, as well as more personalized spear-phishing efforts continue to fool end users with crafty social-engineering email messages that look like legitimate businesses. Also, fake banking alerts and package delivery service emails have been effective as attackers refine their messages to look like the authentic messages that customers might normally receive.

Whether the target is individuals or the enterprise, once again, X-Force reminds organizations that many breaches were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.

Web applications are still topping the chart of most disclosed vulnerabilities, rising 14% in 2012 over the 2011 end of year numbers. As reported earlier in the mid-year report, cross-site scripting (XSS) dominated the web vulnerability disclosures at 53% of all publicly released vulnerabilities. Although SQL injection attack methods remain as a top attack technique, the actual disclosures of new SQL injection vulnerabilities remain lower than the 2010 peak X-Force recorded.

Social media has dramatically changed our lives with new ways to connect, personally and professionally. From this constant availability of information about individuals, attackers can readily access data to use in their activities.

Now, more than ever, individual employees who share personal details in their social profiles can be targeted for attacks.

The values for the evaluated threat and residualthreat can be determined by comparing thelikelihood or frequency of a threat occurring (high,medium, low) against the damage impact that couldhappen if the threat occurred (catastrophic, high,medium, low). The goal is to implement mitigationprocesses that either reduce the frequency of thethreat occurring or reduce the impact if the threatdoes occur. A requirement for this to be successful is to have aspecific, designated monitoring mechanism to monitorthe implementation of the treatment processes andfor the appearance of the threats. This monitoringmechanism should be monitored and alerts should beresponded to. It does no good to have network-basedanti-virus consoles gathering information about virusalerts across the network, if nobody is assigned tomonitor the console and respond to those alerts.Monitoring and responding is part of the mitigationprocess. (An example threat assessment and riskmitigation process chart is provided below, thoughthe IR team may identify a greater list.)

Click to enlarge. The values for the evaluated threat and residual threat can be determined by comparing the likelihood or frequency of a threat occurring (high, medium, low) against the damage impact that could happen if the threat occurred (catastrophic, high, medium, low). The goal is to implement mitigation processes that either reduce the frequency of the threat occurring or reduce the impact if the threat does occur. A requirement for this to be successful is to have a specific, designated monitoring mechanism to monitor the implementation of the treatment processes and for the appearance of the threats.

2012 X-Force Trend And Risk Report Highlight

Malware and the malicious web

  • In 2012, near daily leaks of private information about victims were announced like game scoreboards through tweets and other social media. Personal details, such as email addresses, passwords (both encrypted and clear text), and even national ID numbers were put on public display.
  • Based on data for 2012, it is not surprising that the bulk of the security incidents disclosed were carried out with the majority of attackers going after a broad target base while using off-the-shelf tools and techniques. X-Force attributes this to the wide public availability of toolkits and to the large number of vulnerable web applications that exist on the Internet.
  • The year began and ended with a series of politically motivated, high-profile DDoS attacks against the banking industry. An interesting twist to the banking DDoS attacks was the implementation of botnets on compromised web servers residing in high bandwidth data centers. This technique assisted in much higher connected uptime as well as having more bandwidth than home PC’s to carry out the attacks. In the sampling of security incidents from 2012, the United States had the most breaches, at 46%. The United Kingdom was second at 8% of total incidents, with Australia and India tied for third at 3%.
  • IBM Managed Security Services (MSS) security incident trends are markers that represent the state of security across the globe. The relative volume of the various alerts can help to describe how attacks are established and launched. They also frequently provide hints about how methods have evolved. Based on this, the main focus in 2012 may have been the subversion of systems, with larger coordinated attacks being executed across fairly broad swaths of the Internet.
  • IBM MSS has noted a dramatic and sustained rise in SQL injection-based traffic due, in large part, to a consistent effort from the Asia Pacific region. The alerts came from all industry sectors, with a bias toward banking and finance targets.
  • Web browser exploit kits (also known as exploit packs) are built for one particular purpose: to install malware on end-user systems. In 2012 X-Force observed an upsurge in web browser exploit kit development and activity—the primary target of which are Java vulnerabilities—and X-Force supplies some strategies and tips to help protect against future attacks (see end of post to download full report).
  • Java continues to be a key target for attackers. It has the advantage of being both cross-browser and cross-platform—a rare combination that affords attackers a lot of value for their investment. Web content trends, spam, and phishing Web content trends Top used websites are readily deployed as IPv6- ready, although attackers do not yet seem to be targeting IPv6 on a large scale.
  • One third of all web access is done on websites which allow users to submit content such as web applications and social media.
  • Nearly 50% of the relevant websites now link to a social network platform, and this intense proliferation poses new challenges to companies that need to control the sharing of confidential information.

Spam and phishing

  • Spam volume remained nearly flat in 2012.
  • India remains the top country for distributing spam, sending out more than 20% of all spam in the autumn of 2012. Following India was the United States where more than 8% of all spam was generated in the second half of the year. Rounding out the top five spam sending countries of origin were Vietnam, Peru, and Spain.
  • At the end of 2012, IBM reports that traditional spam is on the retreat, while scam and spam containing malicious attachments is on the rise. In addition, attackers are demonstrating more resiliency to botnet take downs which results in an uninterrupted flow of spam volume.

Operational Security Practices

Vulnerabilities and exploitation

  • In 2012, there were over 8,168 publicly disclosed vulnerabilities. While not the record amount X-Force expected to see after reviewing its mid-year data, it still represents an increase of over 14% over 2011.
  • Web application vulnerabilities surged 14% from 2,921 vulnerabilities in 2011 to 3,551 vulnerabilities in 2012.
  • Cross-site scripting vulnerabilities accounted for over half of the total web application vulnerabilities disclosed in 2012. Cross-site scripting dominated the web vulnerability disclosures. Fifty-three percent of all publicly released web application vulnerabilities were cross-site scripting related. This is the highest rate X-Force has ever seen. This dramatic increase occurred while SQL injection vulnerabilities enjoyed a higher rate than 2011 but were still down significantly since 2010.
  • There were 3,436 public exploits in 2012. This is 42% of the total number of vulnerabilities, up 4% from 2011 levels.
  • Web browser vulnerabilities declined slightly for 2012, but not at as high a rate as document format issues. While the overall number of web browser vulnerabilities dropped by a nominal 6% from 2011, the number of high- and critical severity web browser vulnerabilities saw an increase of 59% for the year.
  • Few innovations have impacted the way the world communicates quite as much as social media. However, with the mass interconnection and constant availability of individuals, new vulnerabilities and a fundamental shift in intelligence-gathering capabilities has provided attackers and security professionals alike with information useful for enhancing their activities.
  • Rather than seeing a particular enterprise as an individual entity, attackers can view enterprises as a collection of personalities. This gives attackers the opportunity to target specific people rather than enterprise infrastructures or applications. Furthermore, targeted people may also be targeted as individuals and not just as employees. In other words, the personal activities and lives of employees can be leveraged to target an enterprise.

Emerging Trends In Security

Mobile

  • Prediction: Mobile computing devices should be more secure than traditional user computing devices by 2014. This is a bold prediction that IBM recently made as part of its look ahead in technology trends. While this prediction may seem far-fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.
  • Separation of personas or roles: While a small percentage of enterprises have dealt with BYOD by using virtualized desktop solutions to separate and control enterprise applications and data from the rest of the personally owned device, a greater number of enterprises have wanted or required some form of separation or dual persona on mobile devices. This difference in use or adoption could be the result of greater numbers of devices driving greater risk in the percentage of personally owned mobile devices versus personally owned PCs in a BYOD program.
  • In many cases, enterprises have made significant investments into implementing Secure Software Development Life Cycle (SSDLC) processes. Today’s mobile application development benefits from this. Tools exist to support secure development as part of the process instead of being conducted in qualification or production. As a result, it should be more common for enterprises to have more securely developed mobile applications than their existing legacy applications. Closure of vulnerabilities in some traditional computing applications may only conclude as existing versions are sunset and replaced with newer, more securely developed replacements.
  • Over 2012, it is safe to conclude that more enterprises are supporting BYOD or the use of personally owned devices than previously. In the last two years, IBM Security has spoken to hundreds of global 2000 customers and out of those interviewed, only three said they had no plans to implement any kind of BYOD program.

To learn more on how your organization can work to address these types of vulnerabilities, download the full IBM X-Force 2012 Trend And Risk Report here.

IBM To Acquired StoredIQ

leave a comment »

IBM today announced it has entered into a definitive agreement to acquire StoredIQ Inc., a privately held company based in Austin, Texas.

Financial terms of the deal were not disclosed.

StoredIQ will advance IBM’s efforts to help clients derive value from big data and respond more efficiently to litigation and regulations, dispose of information that has outlived its purpose and lower data storage costs.

With this agreement, IBM adds to its prior investments in Information Lifecycle Governance. The addition of StoredIQ capabilities enables clients to find and use unstructured information of value, respond more efficiently to litigation and regulatory events and lower information costs as data ages.

IBM’s Information Lifecycle Governance suite improves information economics by helping companies lower the total cost of managing data while increasing the value derived from it by:

  • Eliminating unnecessary cost and risk with defensible disposal of unneeded data
  • Enabling businesses to realize the full value of information as it ages
  • Aligning cost to the value of information
  • Reducing information risk by automating privacy, e-discovery, and regulatory policies

Adding StoredIQ to IBM’s Information Lifecycle Governance suite gives organizations more effective governance of the vast majority of data, including efficient electronic discovery and its timely disposal, to eliminate unnecessary data that consumes infrastructure and elevates risk.

As a result, business leaders can access and analyze big data to gain insights for better decision-making. Legal teams can mitigate risk by meeting e-discovery obligations more effectively. Also, IT departments can dispose of unnecessary data and align information cost to value to take out excess costs.

What Does StoredIQ Software Do? 

StoredIQ software provides scalable analysis and governance of disparate and distributed email as well as file shares and collaboration sites. This includes the ability to discover, analyze, monitor, retain, collect, de-duplicate and dispose of data.

In addition, StoredIQ can rapidly analyze high volumes of unstructured data and automatically dispose of files and emails in compliance with regulatory requirements.

StoredIQ brings powerful, innovative capabilities to govern data in place to drive value up and cost out.

StoredIQ brings powerful, innovative capabilities to govern data in place to drive value up and cost out.

“CIOs and general counsels are overwhelmed by volumes of information that exceed their budgets and their capacity to meet legal requirements,” said Deidre Paknad, vice president of Information Lifecycle Governance at IBM. “With this acquisition, IBM adds to its unique strengths as a provider able to help CIOs and attorneys rapidly drive out excess information cost and mitigate legal risks while improving information utility for the business.”

Named a 2012 Cool Vendor by Gartner, StoredIQ has more than 120 customers worldwide, including global leaders in financial services, healthcare, government, manufacturing and other sectors. Other systems require months to index data and years to configure, install and address information governance. StoredIQ can be up and running in just hours, immediately helping clients drive out cost and risk.

IBM intends to incorporate StoredIQ into its Software Group and its Information Lifecycle Governance business.

Building on prior acquisitions of PSS Systems in 2010 and Vivisimo in 2012, IBM adds to its strength in rapid discovery, effective governance and timely disposal of data.  The acquisition of StoredIQ is subject to customary closing conditions and is expected to close in the first quarter of 2013.

Go here for more information on IBM’s Information Lifecycle Governance suite, and here for more information on IBM’s big data platform.

(Almost) Live @ Information On Demand 2012: A Q&A With IBM’s Jeff Jonas

with 2 comments

Jeff Jonas sat down last evening with Scott and I in the Information On Demand 2012 Solutions EXPO to chat about privacy in the Big Data age, and also gave a sneak look into the new “Context Accumulation” technology he’s been working on.

You really ought to get to know IBM’s Jeff Jonas.

As chief scientist of the IBM Entity Analytics group and an IBM Distinguished Engineer, Jeff has been instrumental in driving the development of some ground-breaking technologies, during and prior to IBM’s acquisition of his company, Systems Research & Development (SRD), which Jonas founded in 1984.

SRD’s technology included technology used by the surveillance intelligence arm of the gaming industry, and leveraged facial recognition to protect casinos from aggressive card counting teams (never mind the great irony that IBM’s Yuchun Lee was once upon a time one of those card counters — I think we need to have an onstage interview between those two someday, and I volunteer to conduct it!)

Today, possibly half the casinos in the world use technology created by Jonas and his SRD team, work frequently featured on the Discovery Channel, Learning Channel, and the Travel Channel.

Following an investment in 2001 by In-Q-Tel, the venture capital arm of the CIA, SRD also played a role in America’s national security and counterterrorism mission. One such contribution includes a unique analysis of the connections between the 9/11 terrorists.

This “link analysis” is so unique that it is taught in universities and has been the widely cited by think tanks and the media, including an extensive one-on-one interview with Peter Jennings for ABC PrimeTime.

Following IBM’s acquisition of SRD, these Jonas-inspired innovations continue to create big impacts on society, including the arrest of over 150 child pornographers and the prevention of a national security risk poised against a significant American sporting event.

This technology also assisted in the reunification of over 100 loved ones separated by Hurricane Katrina and at the same time was used to prevent known sexual offenders from being co-located with children in emergency relocation facilities.

Jonas is also somewhat unique as a technologist in that he frequently engages with those in the privacy and civil liberties community. The essential question: How can government protect its citizens while preventing the erosion of long-held freedoms like the Fourth Amendment? With privacy in mind, Jonas invented software which enables organizations to discover records of common interest (e.g., identities) without the transfer of any privacy-invading content.

That’s about where we start this interview with Jeff Jonas, so I’ll let Scott and myself take it from there…

IBM Announces New Security Solutions, Focuses On Cloud, Mobile, Big Data

leave a comment »

Today, IBM made a move designed to reduce the biggest security inhibitors that organizations face in implementing cloud, mobile and big data initiatives with the announcement of a broad set of security software to help holistically secure data and identities.

I blogged about IBM’s 2012 Global Reputational Risk and IT Study recently, the headline of which was this: Managing reputational risk is crucial to many organization’s business, and managing IT is a major part of their efforts.

I also interviewed Brendan Hannigan, the general manager of IBM’s Security Systems Division, at IBM InterConnect last week about some of these critical security matters.

Today, IBM made a move designed to reduce the biggest security inhibitors that organizations face in implementing cloud, mobile and big data initiatives with the announcement of a broad set of security software to help holistically secure data and identities.

New IBM Security Solutions

IBM’s new software capabilities help clients better maintain security control over mobile devices, mitigate internal and external threats, reduce security risks in cloud environments, extend database security to gain real-time insights into big data environments such as Hadoop, and automate compliance and data security management.

Along with IBM Security Services and IBM’s world-class research capabilities, this set of scalable capabilities supports a holistic, proactive approach to security threats spanning people, data, applications and infrastructure.

“A major shift is taking place in how organizations protect data,” said Brendan Hannigan, General Manager, IBM Security Systems. “Today, data resides everywhere—mobile devices, in the cloud, on social media platforms. This is creating massive amounts of data, forcing organizations to move beyond a traditional siloed perimeter to a multi-perimeter approach in which security intelligence is applied closer to the target.”

IBM is unveiling ten new products and enhancements to help organizations deliver real time security for big data, mobile and cloud computing.

Real Time Security for Big Data Environments 

State of the art technologies including Hadoop based environments have opened the door to a world of possibilities. At the same time, as organizations ingest more data, they face significant risks across a complex threat landscape and they are subject to a growing number of compliance regulations.

With today’s announcement, IBM is among the first to offer data security solutions for Hadoop and other big data environments.

Specifically, Guardium now provides real time monitoring and automated compliance reporting for Hadoop based systems such as InfoSphere BigInsights and Cloudera.

Highlighted data security solutions:

NEW: IBM InfoSphere Guardium for Hadoop

ENHANCED: IBM InfoSphere Optim Data Privacy

ENHANCED: IBM Security Key Lifecycle Manager

To learn more about the data security portfolio go here.

Mobile Security: Improving Access and Threat Protection

Today IBM is also announcing risk-based authentication control for mobile users, integration of access management into mobile application development and deployment as well as enhanced mobile device control.

IBM is also announcing a comprehensive Mobile Security Framework to help organizations develop an adaptable security posture to protect data on the device, at the access gateway and on the applications.

Highlighted mobile security solutions:

NEW: IBM Security Access Manager for Cloud and Mobile

ENHANCED: IBM Endpoint Manager for Mobile Devices

Go here to learn more about specific mobile security product attributes.

Cloud Security: From Inhibitor To Enabler

While the cloud can increase productivity with anywhere, anytime information access, it can also introduce additional challenges for enterprise security.

IBM today is announcing security portfolio enhancements designed to address these new challenges, providing improved visibility and increased levels of automation and patch management to help demonstrate compliance, prevent unauthorized access and defend against the latest threats using advanced security intelligence.

With IBM’s new SmartCloud for Patch Management solution, patches are managed automatically regardless of location and remediation cycles are reduced from weeks to hours thereby reducing security risks.

Additionally, IBM is announcing enhancements to its QRadar Security Intelligence Platform that provides a unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and security related data from distributed locations, using the cloud to obtain greater insight into enterprise-wide activity and enable better-informed business decisions.

The new IBM Security Privileged Identity Manager is designed to proactively address the growing insider threat concerns and help demonstrate compliance across the organization.

IBM Security Access Manager for Cloud and Mobile which provides enhanced federated single sign-on to cloud applications is now available with improved out-of-the-box integration with commonly adopted SaaS applications and services.

Highlighted cloud security solutions:

NEW: IBM SmartCloud for Patch Management

NEW: IBM Security Access Manager for Cloud and Mobile

NEW: IBM Security Privileged Identity Manager

ENHANCED: QRadar SIEM and QRadar Log Manager

Visit here to learn more about specific cloud security product attributes, please visit

Enhanced Mainframe Security Capabilities

In addition, IBM is announcing mainframe security capabilities that enhance enterprise-wide security intelligence based on QRadar security solution integration that provides real time alerts and audit reporting.

The mainframe offers Common Criteria Evaluation Assurance Level 5+ (EAL 5+) certification for logical partitions, providing a platform for consolidating systems, helping protect private clouds, and helping secure virtualized environment.

New IBM Security zSecure improvements help to reduce administration overhead, automate compliance reporting, enforce security policy, and pro-actively detect threats.

Highlighted zSecure security solutions:

ENHANCED: IBM Security zSecure

Through IBM Global Financing, credit-qualified clients can take advantage of 0% interest for 12 months on qualifying IBM Security products and solutions.

About IBM Security 

With more than 40 years of security development and innovation, IBM has breadth and depth in security research, products, services and consulting.

IBM X-Force is a world-renowned team that researches and evaluates the latest security threats and trends. This team analyzes and maintains one of the world’s most comprehensive vulnerability databases and develops countermeasure technologies for IBM’s security offerings to help protect organizations ahead of the threat.

IBM has 10 worldwide research centers innovating security technology and nine security operations centers around the world to help global clients maintain an appropriate security posture.

IBM Managed Security Services delivers the expertise, tools and infrastructure to help clients secure their information assets against attacks, often at a fraction of the cost of in-house security resources.

The Institute for Advanced Security is IBM’s global initiative to help organizations better understand and respond to the security threats to their organization. Visit the Institute community at www.instituteforadvancedsecurity.com.

IBM Announces New Chief Privacy Officer, Christina Peters

with one comment

IBM’s new Chief Privacy Officer was announced earlier today. Christina Peters has worked as a practicing attorney with IBM since 1996, and has handled a wide range of complex transactional, policy, compliance, litigation, and cybersecurity matters in the United States and internationally. Peters was educated at Dartmouth College and Harvard Law School, where she was an Executive Editor of the Harvard Law Review.

An important announcement earlier today from IBM: The appointment of the company’s new Chief Privacy Officer, Christina Peters.

Peters has worked as a practicing attorney with IBM since 1996 (first in Germany, later in the US), and has handled a wide range of complex transactional, policy, compliance, litigation, and cybersecurity matters in the United States and internationally.

Peters was educated at Dartmouth College (summa cum laude) and Harvard Law School (magna cum laude), where she was an Executive Editor of the Harvard Law Review.

Following a District of Columbia Circuit clerkship, Peters worked at D.C.-based law firm, Covington & Burling. Prior to joining IBM, she was a Robert Bosch Fellow in Germany, where she worked at the Federal Cartel Authority and Deutsche Telekom.

In her new role, Peters will guide and oversee IBM’s global information policy and practices affecting more than 400,000 employees and thousands of clients. She will lead the company’s global engagement in public policy and industry initiatives on data security and privacy, and continue to serve on the advisory board of the Future of Privacy Forum.

Peters also is responsible for a worldwide team of legal, data protection and technical professionals at IBM who address privacy and data security in the leadership manner expected of the company’s global brand.

IBM was the first major corporation to appoint a Chief Privacy Officer in 2000 and has consistently applied advanced techniques and technologies across its global business operations and practices. IBM’s numerous privacy advancements include:

  • First company to adopt a global privacy code of conduct.
  • First to adopt a genetic non-discrimination policy.
  • First to establish a policy to only advertise on websites with visible privacy statements.

IBM Strengthens Measures For Mobile Workplace Security

with one comment

Guaranteed, if you asked any CIO or VP of IT what was one of their chief concerns as they think about enabling their enterprise to take better advantage of the opportunity that mobile computing presents, the subject of security would come up.

And I’ve got the data to prove it.  But I’m not going to bore you with the gory details just yet.  I want to instead turn to discussing some new solutions (we’ll come back to the data shortly).

Mobile Security By Design

Today, at the IBM Innovate event down in Orlando, Florida, IBM announced new software to help organizations develop mobile applications that are more secure by design.

Now, clients can build security into the initial design of their mobile applications so that vulnerabilities will be detected early in the development process.

Today’s announcement further expands IBM’s strategy to provide clients with a mobile platform that spans application development, integration, security and management.

With more than five billion mobile devices in the world — and only 2 billion computers — the shift to mobile devices as the primary form of connecting to corporate networks is increasing rapidly. Securing those devices is becoming a top priority for security executives and CIOs.

As companies embrace the growing “Bring Your Own Device” (BYOD) trend, the need to secure the applications that run on these devices is becoming more critical.

I said I’d returned to some data.  How about this: According to the 2011 IBM X-Force Trend and Risk Report, mobile exploits increased by 19 percent in 2011. 

In addition, according to the recently released data from the IBM Center for Applied Insights study, 55 percent of respondents cited mobile security as a primary technology concern over the next two years.

The rapid consumerization of mobile endpoints, applications and services has created the urgent need to secure corporate applications on employees’ devices. 

With the latest release of the IBM Security AppScan portfolio, IBM now offers a robust application development security solution, allowing clients to integrate mobile application security testing throughout the application lifecycle.

“We are seeing increased demand from companies looking to extend their corporate applications to mobile devices,” said Stuart Dross, Vice President of Sales and Marketing, Cigital, Inc. “The ability to scan native and hybrid mobile applications for security vulnerabilities is a major step forward in securing sensitive data and mitigating security risks.”

Security On the Go

Mobile applications represent a new threat target, since they carry a higher risk of attack compared to web application vulnerabilities.

Attackers are increasingly focusing on mobile applications because many organizations are not aware of the security risks introduced by the most basic mobile applications.

Beyond the traditional threats, for example, a hacker could perform a SQL injection or scripting attack on the applications. Mobile applications also come under attack from malware and phishing, or scanning QR codes with malicious scripts.

Additionally, mobile applications have vulnerabilities specific to mobile devices because they often store sensitive data that can be leaked to malicious applications. This data, once stored locally, typically is outside the protection of the corporate security programs.

The new AppScan analysis capabilities will find these vulnerabilities to help developers build more secure mobile applications.

Mobilizing the Workforce

With today’s announcement, IBM extends its market leading static application security testing to native Android applications, which allows clients to conduct their own testing for mobile applications.

In the past, for mobile application security testing to be done, clients would have to send their applications and software IP (Intellectual Property) to an offsite vendor to test for vulnerabilities. This approach doesn’t scale and the response time is too slow, as mobile applications undergo constant revisions and updates.

Organizations need to address mobile application security testing in-house early in the software development life cycle.

In addition to the mobile application testing capabilities, there are significant new capabilities from which customers can benefit:

  • Integration with IBM’s QRadar Security Intelligence Platform allows for increased security intelligence when an application is moved into production. By correlating known application vulnerabilities with user and network activity, QRadar can automatically raise or lower the priority score of
    security incidents.
  • A new Cross Site Scripting (XSS) analyzer which uses a learning mode to quickly evaluate millions of potential tests from less than 20 core tests. This new XSS analyzer finds more XSS vulnerabilities faster than any previous version of AppScan.
  • New static analysis capabilities help companies adopt broad application security practices through simplified on-boarding of applications and empowering non-security specialists to test faster than with prior releases.
  • Predefined and customizable templates that provide development teams the ability to quickly focus on a rule set prioritized by their security teams, helping corporations focus on key issues for them across their organization.

In addition to the QRadar integration, AppScan offers integration points with IBM Security Network IPS and IBM Security SiteProtector, and is a regular complement sold with IBM Guardium and IBM Security Access Management solutions for end-to-end application security.

The approach is to provide a comprehensive and integrated security framework for applications across the development and production lifecycle.

IBM has a broad portfolio of mobile security solutions, ranging from helping secure data on the device, to running safer mobile applications.

IBM has been steadily investing in the mobile space for more than a decade, both organically and through acquisitions, building a complete portfolio of software and services that delivers enterprise-ready mobility for clients.

IBM Security AppScan will be generally available this quarter.

Written by turbotodd

June 5, 2012 at 4:25 pm

Live @ IBM Smarter Commerce Global Summit Madrid: IBM Product Manager Mark Frigon On Smarter Web Analytics & Privacy

leave a comment »

Mark Frigon is a senior product manager with IBM’s Enterprise Marketing Management organization, a key group involved in leading IBM’s Smarter Commerce initiative. Mark’s specialties are in Web analytics (he joined IBM as part of its acquisition of Coremetrics) and Internet privacy, an issue that has come to the forefront in recent years for digital marketers around the globe.

Effective Web metrics are critical to the success of businesses looking to succeed in e-commerce and digital marketing these days, and IBM has a number of experts who spend a lot of their time in this area.

One of those here in Madrid at the IBM Smarter Commerce Global Summit, Mark Frigon, is a senior product manager for Web analytics in IBM’s Enterprise Marketing Management organization.

Mark sat down with me to discuss the changing nature of Web analytics, and how dramatically it has evolved as a discipline over the past few years, including the increased focus by marketers on “attribution,” the ability to directly correlate a Web marketing action and the desired result.

Mark also spoke at the event about the importance for digital marketers around the globe to be more privacy-aware, a topic we also discussed in our time together, calling out in particular the “Do-Not-Track” industry self-regulatory effort that intends to put privacy controls in the hands of consumers.

If you spend any time thinking about Internet privacy or Web analytics, or both, this is a conversation you won’t want to miss.

Follow

Get every new post delivered to your Inbox.

Join 2,342 other followers

%d bloggers like this: