2013/12/10

| 12.10.13 | What happens after a data breach occurs?

Editor's Corner:
US tech firms' open letter a first step only

What's New:
1. Infographic: What happens after a data breach occurs?
2. Outdated security processes hinder innovation, says council
3. Microsoft, Mozilla, Opera say 'Non' to French agency certificates
4. McAfee closes on Blue Coat for lead in content security gateway appliance market
5. IT risk management spending to reach $71.1B, says IDC

Spotlight:
Employees use 'jammers' to hide jailbroken devices on corporate networks

Also Noted:
Microsoft disrupts botnet; 'We cannot trust' crypto; Much more...

News From The Fierce Network:
1. Big data growth hampered by manpower projections
2. First cloud vendor pricing guide available
3. Start Menu coming back in 'next version of Windows'

FierceITSecurity

December 10, 2013



Editor's Corner

US tech firms' open letter a first step only

By Fred Donovan

Under economic pressure from revelations that they knowingly or unknowingly handed over data to government spy agencies, a group of high-tech firms has published an open letter addressed to the White House and Congress calling for reforms in the NSA surveillance program, including banning bulk collection of phone data and publishing stats on government surveillance requests.

AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo published the letter on Monday.

"We understand that governments have a duty to protect their citizens. But this summer's revelations highlighted the urgent need to reform government surveillance practices worldwide. The balance in many countries has tipped too far in favor of the state and away from the rights of the individual--rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It's time for a change," the letter reads.

The companies propose a series of reform principles for governments to endorse: limiting governments' authority to collect users' information, increasing oversight and accountability, fostering transparency about government demands, respecting the free flow of information and avoiding conflicts among governments.

As noted by Jeff Jarvis of The Guardian, these measures are in the firms' economic interest because the disclosures by former NSA contractor Edward Snowden have undermined trust in these companies, particularly regarding the security of the information they hold. Cloud customers, particularly in Europe, have turned away from a number of these firms because of concern about the security of their data.

And as noted in previous Editor's Corners in this publication, a number of these firms were more than happy to comply with NSA orders when no one else knew about them. Their newfound respect for the U.S. Constitution has come late in the game.

The open letter and principles are a first step in opening up the debate about the seemingly unrestrained surveillance of Internet and telecom firms by government agencies. But it is a first step only. -- Fred

What's New

1. Infographic: What happens after a data breach occurs?

By Fred Donovan

Major data breaches are happening all the time. Just last week, more than two million passwords from Facebook, Gmail, Twitter and other accounts were stolen by hackers who installed keylogging malware on millions of computers.

Last month, Adobe's mega-breach reached 150 million user records, a hack some are calling the largest in history.

We all read about the breaches, but what happens after the breaches? What actions do enterprises take to mop up the mess? ThreatMetrix has put together an infographic that details what happens after the media spotlight has faded.




2. Outdated security processes hinder innovation, says council

By Fred Donovan

The Security for Business Innovation Council, made up of security leaders from Global 1,000 companies, issued a report on Tuesday warning that outdated security processes are hindering business innovation.

"The ad-hoc processes put in place for the days of perimeter-based security can't handle the scale and complexity of managing cybersecurity risks for a global enterprise today," the report, which was prepared in cooperation with security firm RSA, observes.

The council calls on IT security teams to collaborate more closely with functional business groups to identify, evaluate and track cyber risks.

The report identifies areas for security process improvement, including risk measurement, business engagement, control assessments, third-party risk assessments and threat detection.

The council also offers five recommendations for how to move IT security programs forward:

  1. Shift focus from technical assets to critical business processes--expand beyond a technical view of protecting information assets and get a broader picture of how the business uses information by working with business units to document critical business processes;
  2. Institute business estimates of cybersecurity risks--describe cybersecurity risks in quantified business terms and integrate these business impact estimates into the risk advisory process;
  3. Establish business-centric risk assessments--adopt automated tools for tracking information risks so business units can take an active role in identifying and mitigating risks and thus assume greater responsibility for security;
  4. Institute evidence-based controls assurance--develop and document capabilities to amass data that proves the efficacy of controls on a continuous basis; and
  5. Develop informed data collection techniques--develop a data architecture that can enhance visibility and enrich analytics and consider the types of questions data analytics can answer in order to identify relevant sources of data.

For more:
- read the council's report



3. Microsoft, Mozilla, Opera say 'Non' to French agency certificates

By Fred Donovan

Microsoft, Mozilla and Opera have followed Google's lead and revoked rogue digital certificates issued by a subordinate certificate authority of the French cybersecurity agency ANSSI, Computerworld reports.

After a four-day probe, Google found that unauthorized digital certificates had been issued for a number of Google domains by an intermediate CA linked to ANSSI. In response, Google decided to revoke the certificates.

"ANSSI has found that the intermediate CA certificate was used in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network. This was a violation of their procedures and they have asked for the certificate in question to be revoked by browsers," Adam Langley, security engineer with Google, explained in a blog.

Following Google's announcement, Microsoft on Monday issued updates for Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 that revoked the fraudulent certificates. However, no update is being issued for Windows XP or Windows Server 2003.

"The improperly issued subordinate CA certificate has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties. The subordinate CA certificate may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks," the Microsoft security advisory explained.

Mozilla said it would revoke the rogue certificates in Firefox 26, which is scheduled to ship on Tuesday. Opera blacklisted the rogue certificates for older versions of its browser, but said users of the most recent version of its browser, Opera 12, were already protected because Opera 12 "did not trust ANSSI to begin with."

For more:
- read the Computerworld article
- check out the Google blog
- see Microsoft's security advisory



4. McAfee closes on Blue Coat for lead in content security gateway appliance market

By Fred Donovan

Second-place McAfee has pulled into a virtual dead heat with Blue Coat at the top of the content security gateway market, according to third-quarter revenue figures from Infonetics Research.

Cisco, Websense and Symantec are all bunched together behind the market leaders, the market research firm notes.

Overall, the market's revenue totaled $694 million in the third quarter, about the same level as the previous quarter. The content security gateway products provide security for firms' web and email traffic, such as spam and virus filtering.

"Faced with a rapidly-changing threat landscape and a dizzying array of security choices, service providers are dialing back spending as they formulate their long-term protection strategies, leaving the content security market basically flat," says Jeff Wilson, principal analyst for security at Infonetics Research.

One content security gateway market segment that is growing is software-as-a-service, which saw a 29 percent year-over-year jump in sales in the third quarter. Another segment, content security gateway software, makes up one third of market revenue.

"SaaS continues to be a real bright spot in the content security market, and we look for this segment to top $1 billion by 2017," adds Wilson.

For more:
- see Infonetics' release



5. IT risk management spending to reach $71.1B, says IDC

By Fred Donovan

IT risk management spending is forecast by IDC to reach $71.2 billion in 2014, 16.5 percent of all IT spending.

That amount will increase to $87.4 billion by 2017, increasing at a 7 percent compound annual growth rate, IDC predicts.

Risk management is core to business strategies across the banking, capital markets and insurance sectors, the research firm notes.

"Regulatory pressures, tightening, and oversight resulting from the financial and economic upheavals of the past decade and the first three years of the current decade continue to be prime motivators for risk management investments," says Michael Versace, global research director for IDC financial insights.

"Risk IT strategies and investments over the forecast period will remain critical as policymakers around the globe stay focused on capital buffers, trade transparency, accounting and reporting improvements, internal control and IT system continuity, third-party risk, financial crime and fraud, and the impact of cyber threats on the safety and soundness of the financial marketplace," he says.

According to a recent survey by consulting firm Nexia, 48 percent of companies plan to increase spending on risk management next year, while another 48 percent plan to maintain the same level of investment. Nexia surveyed 73 companies and more than 40 advisory firms in 23 countries.

While two-thirds of the companies said they have a formal risk assessment process in place, 57 percent of companies have yet to put a formal risk management training program in place and 38 percent of companies say risk tolerances are only reviewed annually or less frequently.

For more:
- see IDC's release
- read the Nexia report



Also Noted

TODAY'S SPOTLIGHT... Employees use 'jammers' to hide jailbroken devices on corporate networks

Employees are downloading insecure "Jailbreak Jammer" apps that let them access the corporate network from a jailbroken smartphone, warns Marble Security Labs. "This is a significant risk to the enterprise, especially those allowing BYOD, because experience shows us that even just one compromised device can eventually lead to a massive breach," warns David Jevans, Marble Security founder and chief technology officer. Jailbroken smartphones expose company data, emails, passwords and address books to hackers, Jevans warns.

> Microsoft disrupts ZeroAccess botnet. Article (Security Week)
> 'We cannot trust' Intel and Via's chip-based crypto, FreeBSD developers say. Article (Ars Technica)
> Experian: Obamacare, regulations to shape data breach landscape. Article (Infosecurity Magazine)
> Despite cloud computing security risks, infosec pros know their role. Article (TechTarget)
> Facebook seeks open source help from Mac OS security tool. Article (eWeek)

And Finally… Judge rules chimps aren't people. Article (Wired)



©2013 FierceMarkets, 1900 L Street NW, Suite 400, Washington, DC 20036.

Editor: Fred Donovan. VP sales and business development: Jack Fordi. Publisher: Ron Lichtinger.
