At a time when there is great concern about the security of information technology, few people have a more informed perspective on this critical topic than Chief Security Officers (CSOs). This paper presents the results of a survey taken by several dozen CSOs and includes a discussion of some of the technologies behind RSA Security's focus on solutions for identity and access management (I&AM) and encryption.
It wasn't Mary Ann Davidson's worst nightmare, but it was close. A fax from a hacker in the Middle East landed on her desk at Oracle Corp., proclaiming the discovery of a hole in the company's database software through which he could steal crucial information from such customers as Boeing Co., Ford Motor Co. and the CIA. The fax warned Davidson, the company's chief security officer, to contact the hacker immediately — or else. Luckily, the hacker hadn't found a real hole; he'd just misinterpreted a function of the program. More surprisingly, he meant no harm.
The Korean National Police Agency (NPA) announced on Wednesday that they have exposed an Internet site of professional hackers with more than 4,400 members. The police filed arrest warrants for two members of the group, including the leader of the group who is suspected of having organized Wowhackers, a group of professional hackers, while booking 11 others on suspicions of illegal hacking of government office Internet sites as well as those of private companies.
Computer code that exploits a critical new software vulnerability in the Windows XP and Windows 2000 operating systems is circulating on the Internet, according to security experts. Two examples of "exploit" code for a buffer overrun in the Windows Workstation Service were posted to security-related Internet discussion groups on Friday and Saturday. Both exploits have been tested and work, according to Dan Ingevaldson, director of X-Force at Internet Security Systems.
Patch management is a little like flossing your teeth. Everyone knows they're supposed to do it, but most of us still don't.
Some pundits say the simple answer for patching lies in proactivity. Get the patch applied before an incident occurs, and keep the problem from occurring rather than fixing it after the fact. That's a simple truth, but in practice, it's a lot harder to pull off than it sounds. It also contradicts the way security is usually addressed.