Industry News

 

_______________________________________________

Does your CSO need to be a Techie?
Source: SearchSecurity.com
URL: http://www.searchSecurity.com/...
Date: 21 Oct 2002

More enterprises are creating top-level security positions, but job descriptions vary greatly, as do the titles. Current chief security officers and consultants offer their opinions on how a security officer should function and on how technology-savvy the CSO should be.

Full Article:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci858301,00.html


_______________________________________________

Most providers unprepared for HIPAA
Source: Information Week
URL: http://www.informationweek.com...
Date: 21 Oct 2002

Health care providers and insurers, despite having two years to prepare for compliance with the Health Insurance Portability and Accountability Act's privacy regulations, have not begun implementation work. Health care institutions must be compliant with HIPAA's privacy regulations by April 2003, but only a few have started work to identify what needs to be up to HIPAA standards in their organizations.

Full Article:
http://www.informationweek.com/story/IWK20021020S0001


_______________________________________________

HIPAA compliance doesn't come in a box
Source: SearchSecurity.com
URL: http://www.searchSecurity.com/...
Date: 17 Oct 2002

In this column, contributor Kevin Beaver urges health care organizations not to rely on vendor enticements that try to sell HIPAA compliance in a box. Compliance is the result of a mixture of technologies and the integration of policies and procedures with business processes.

Full Article:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci857626,00.html


Beware of Bugbear, One Hairy Beast
Newest big worm blends antivirus disabler, mass e-mailer, Trojan, keystroke logger, and more
September 30, 2002

About the Virus
Discovered September 30, Bugbear (technically known as W32/Bugbear@MM) is a perfect example of today's new blended-threat worms. By leveraging multiple infection paths, disabling anti-virus (AV) and firewall software, and exploiting an Internet Explorer vulnerability, Bugbear greatly increases its chance of propagating in the wild. Bugbear can also install a backdoor and keystroke-recorder, making it one nasty worm.

Full Article:

http://www.watchguard.com/alerts/

"Security Is Not a Product; It's a Process"

In April 1999, someone discovered a vulnerability in Microsoft Data Access Components (MDAC) that could let an attacker take control of a remote Windows NT system. This vulnerability was initially reported on a public mailing list. Although the list moderator withheld the details of that risk from the public for more than a week, some clever hacker reverse-engineered the available details to create an exploit.

Then, an exploit script (written in PERL) was publicly posted on the Internet. At about the same time, Microsoft created a patch and work-around to prevent attackers from exploiting the vulnerability on users' systems. Microsoft also issued a security bulletin on the topic, as did several other security news outlets.

But patches don't magically fix security vulnerabilities. Over Halloween weekend, hackers attacked and defaced more than 25 NT-based Web sites. Seems like a bunch of security administrators didn't bother updating their configurations.

This sort of thing goes on all the time. Another example: Microsoft issued a bulletin and a patch for a data access vulnerability in Internet Information Server (IIS) last year. Recently, experts demonstrated that Compaq, Dell, CompuServe, PSINet, and NASDAQ-AMEX never bothered installing the patch and were still vulnerable.

A vulnerability is reported and a patch is issued. If you believe the news reports, that's the end of the story. But in most cases patches never get installed. This is why most systems on the Internet are vulnerable to known attacks for which fixes exist.

Security is not a product; it's a process. It's the process of paying attention to vendor updates for your products. Not only network and network security products -- browsers, firewalls, network operating systems, Web server software -- but every piece of software you run. Vulnerabilities in your word processor can compromise the security of your network.

It's the process of watching your systems, carefully, for signs of attack. Your firewall produces audit logs. So do your UNIX and NT servers. So do your routers and network servers. Learn to read them, daily. Learn what an attack looks like and how to recognize it.

No security product acts as magical security dust; they all require time and expertise to make work properly. You have to baby-sit them, every day.

The Microsoft bug mentioned above:
http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
http://www.microsoft.com/technet/security/bulletin/fq99-025.asp

News report:
http://www.fcw.com/pubs/fcw/1999/1101/fcw-newsfedwire-11-01-99.html

Why vulnerabilities don't get fixed:
http://www.computerworld.com/home/print.nsf/all/991122CD52 [link dead; try http://www.computerworld.com/cwi/story/0,1199,NAV47_STO37633,00.html]

 

 

 

       
  © 1999-2002 PolyCommerce Inc. All rights reserved.