Industry News

Industry News. If you want your news to appear here, please send your request to media < at > this website.

Venafi says Norwegian military cyber attack a sign of things to come

May 24th - Reports that the Norwegian military has admitted to being targeted by a potentially serious cyber attack should act as a wakeup call to UK organisations on both sides of the private/public-sector divide, says Venafi, the Enterprise Key and Certificate Management (EKCM) solutions specialist.

According to Jeff Hudson, Venafi CEO, the rash of targeted cyber attacks in recent weeks against several major corporates such as Sony, and now attacks against military targets, shows that the cybercriminals are refining their attack strategy.

"It doesn’t take an industry expert to know that “the bad guys”, aka hackers, will always target the most vulnerable area of a company’s security fabric. Often the weakest link is poor encryption key and certificate management. Where previously cyberattacks against government systems and major corporates could be shrugged off or overlooked because of the efficacy of conventional, multi-layered IT security systems, it's clear that a new strategy is called for," he said. "That strategy now needs to draw in allied technologies such as pervasive encryption of all data both at rest and in motion, which requires effective access controls and key and certificate management to protect an organisation's private data, which, of course, is what the cybercriminals are really after in these types of attacks," he added.

The attack on the Norwegian military - in which 100 senior members of the country's defense department received an email plus attachment that appeared to come from the government - was carefully planned and well executed, says Hudson, who added that it was interesting that at least one person is reported to have opened the attachment. This launched an unknown malware that executed commands that compromised the machine before it was stopped from spreading further.

This proves that - despite the best of security training and the high levels of security defences that military systems have - all it takes is one click and the integrity of an organisation's IT resources is then put at risk. What needs to be developed, he explained, is a holistic approach to security that actually steps beyond the boundaries of conventional IT security and into new areas such as defending intellectual property rights and general working practices, as well as using integrated security to defend an organisation's digital assets.

There is now, says the Venafi CEO, clearly no such thing as a security silver bullet, so we have to start from the premise that an organisation's IT systems will be compromised in one form or another.

This isn't defeatism, says Hudson, but pragmatism at play. If you start developing a security strategy on the basis that the IT resource may be compromised by unknown means at some stage in the future, then you can better defend your valuable and sensitive digital assets.

"The Norwegian attack is an interesting example of this. It's unlikely that Norway's military will reveal the full facts of what happened, but it sounds as though their internal security systems were able to lock down the effects of the malware before it took hold," he said. "This proves that a strategy of using multiple technologies, such as automation of key encryption and data protection systems, as well as good processes and best practices, can be useful. The days of set-it-and-forget-it IT security are now gone. Organisations need to wake up and smell the coffee," he added.

For more on Venafi: www.venafi.com

For more on the Norwegian military cyberattack: http://bit.ly/jBZ5yt

Venafi survey finds 40% of IT staff could wreak havoc to your network even after they’ve left

Venafi, the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions, today announced the findings of a survey which showed that 40% of IT staff admit that they could hold their employers hostage even after they’ve left for other employment by making it difficult or impossible for their bosses to access vital data by withholding or hiding encryption keys.

A third of survey respondents said that their knowledge of and access to encryption keys and certificates, used for both system authentication and data protection, means they could bring the company to a grinding halt with minimal effort and little to stop them. This is due to lack of oversight and poor management of their organisation’s encryption keys.

Astonishingly, they claim that even after they have left they could still cause havoc with their knowledge of the encryption keys, shared passwords and weak controls. 40% of respondents admitted that they would still have access to vital information and could manipulate it to their own ends, to both the financial and reputational detriment of their company.

31% of respondents astonishingly said that they could still access organisational data because they could easily retain the encryption keys when they left and access the information remotely. Finally, 24% of respondents to the survey admitted that their fear of losing encryption keys is what is deterring them from investing in encryption key and certificate solutions to protect digital assets and secure sensitive system communications.

Survey respondents would use an automated solution to encryption key management if they knew it existed

The survey shows that 82% of companies now use digital certificates and encryption keys; however, 43% admit to being locked out from their own information because people have left the organization or keys are lost, and 76% would use automation if they knew it existed. These same companies are unaware of how to manage their keys and certificates, leaving them exposed to unplanned system outages, security risks and reduced access to critical data.

Jeff Hudson, Venafi CEO, said: “It’s a shame that so many people have been sold encryption but not the means or knowledge to manage it. They have found out the hard way after being locked out from their own information that they need an automated solution to manage the thousands of keys and certificates they have. Once the data's protected with encryption, the key becomes the data and the thing that must be managed and protected. Key Encryption is only half the solution. IT departments must track where the keys are and monitor and manage who has access to them. What this survey reveals is that organisations need to quickly come to terms with how crucial encryption keys are to safeguarding the entire enterprise as well as the heightened need for automated key and certificate management with access controls, separation of duties and improved policies. It’s no longer rocket science. Yet recent, costly breaches at Sony, Epsilon and elsewhere reinforce the need for both more encryption and effective management. There are some great solutions on the market that can manage and automate these assets at a click of a switch.”

This data is based on a survey sample of 500 IT security specialists taken at the InfoSecurity 2011 event in April this year. The full survey results set and executive summary can be viewed at: www.venafi.com/InfoSecurity-data.

Could New Star Trek-Like Technology Reduce Airport Pat-Downs?

In the pre-9-11 world, getting on a plane was as easy as emptying your pockets and walking through a metal detector. In the post-9-11 world, airline passengers must take off their shoes, their belts, empty their pockets and be subjected to invasive body scans and pat-downs that add dignity and privacy to the price of an airline ticket. But a new Star Trek-like handheld scanner may signal the end to some of those more invasive security checks.

"Benjamin Franklin once said that those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety," said Mitchel Laskey, CEO of Brijot®, maker of the AllClear™, a handheld screening device that the company claims can scan for security risks without pat-downs or invasive imaging. "While I can't disagree with the idea of using security screening to make our airways safer, I knew that there had to be a better way than taking naked pictures of people or patting them down like common criminals. That's why we developed the AllClear."

The AllClear is a handheld, battery-powered, passive millimeter wave people screening device that detects metallic and non-metallic objects and provides an alternative to the need for pat-downs, according to Laskey.

"The AllClear addresses the world's need for concealed item detection while protecting the safety and privacy of people being screened," Laskey said. "Instead of being a metal detector that only looks for metal objects, or an imaging device that takes a picture, it uses millimeter waves to detect concealed objects. Millimeter waves are naturally occurring forms of electromagnetic wave energy ranging from approximately 30 GHz to 300 GHz or 1 mm to 10 mm in wavelength. The AllClear is a passive millimeter wave system, so the AllClear measures the natural millimeter wave energy naturally generated by bodies and objects, enabling screeners to detect anomalies without the need for a pat-down or an imaging scanner."

The new technology enables the device to detect the following without ever touching the person being screened:

Metallic objects
Liquids
Solids
Powders
Explosives
Currency (paper)
Ceramics
Drugs (various types)
Contraband (including CDs, DVDs, Blu-Ray discs, cell phones, etc.)

"The AllClear's passive millimeter wave system is different from other scanners that use active millimeter waves, so there is no radiation involved with the screening," Laskey added. "It poses no health risks, so it's safe for everyone, including children, pregnant women, and people with pacemakers."

According to the company's website (www.brijot.com), the device does not need to be in contact with a person's body. All surfaces of a person can be scanned without contact - including the hair, top of head, chest, arms, sides, groin area, legs, and ankles. Laskey added that the device could not only end the lion's share of invasive security procedures, but also speed up the lines at airport security checkpoints.

"The AllClear only requires one operator, minimal training, and is easy to use," he said. "The time it takes to screen a person using the AllClear is similar to using a handheld metal detector and takes less time than a pat-down. What's more, it's not just for airports. It can be used anywhere security measures are taken to keep the public safe - schools, public buildings, courthouses, concert venues, theme parks and more. We think that it's time Americans feel safer again, without having to give up their privacy or dignity to do it."

Origin Storage welcomes breakthrough in instant-on memory encryption

Origin Storage has welcomed a breakthrough in memory encryption that will allow instant-on memory - non-volatile main memory - to be used more securely on desktop and laptop computers.

According to Andy Cordial, managing director of the secure storage systems specialist, the use of non-volatile memory for instant-on facilities with conventional computers – as opposed to tablet machines - has been held back because of worries about data held in the computer's memory being accessible when the PC - and its security systems - is switched off.

"This breakthrough by Carolina State University researchers means that sections of the instant-on memory can be encrypted, with data flowing into and out of that memory segment being encrypted on-the-fly, in much the same way as our encrypted drives (http://bit.ly/mwrbrI) operate," he said.

"And also like our range of encrypted drives, there is no time-lag or latency involved with the encryption. This is really great news, as having this feature on instant-on computers will not only speed up the boot time of desktop and laptop computers significantly, but it will also help to raise the awareness of encryption," he added.

Cordial went on to say that, although awareness of the need for encryption at all stages in data usage is growing, there are still a lot of computer users that are blissfully unaware of the risks they are running in not encrypting data when it is at rest.

A growing number of users, he explained, are aware of the need to encrypt sensitive and personal data in transit, such as across the Internet or in an online banking Web browser, but it is the data storage side of things that is so often ignored.

The new i-NVMM encryption system will selectively choose which data to keep encrypted in memory, meaning, for example, that spreadsheet or word processing sections of active memory can be automatically encrypted – and so protected - when a machine is turned off, he says.

Then, when the machine is turned back on, whether or not the user has shut down the relevant application(s) before they turned the computer off, they can rest assured that the data is away from prying eyes, until such time as they wish to reload that information.

"It's also important to understand that, even whilst the computer is switched off, and the usual security systems that run in the background of the PC are not operating, cybercriminals cannot gain access to the memory dump of the system, and steal it," he said.

"Our observations suggest that, in a growing number of instances, corporate secrets now require protection by encryption, so preventing theft of intellectual property. With the additional layer of security that i-NVMM brings to the technology table, data can be better protected," he added.

"And, of course, it's technologies like i-NVMM that will allow instant-on memory to be used in desktop and laptop computers, without any worry of the memory data being insecure. And that's no bad thing."

For more on Origin Storage: www.originstorage.com
