information protection from the unseen

IT SECURITY

An Independent Advertising Supplement by Mediaplanet to the San Francisco Chronicle

August 2012

Manage your risks, and protect your most valuable assets

BYOD: Learn about the truth behind the hype

Take control of your company’s cloud security

PROTECTION FROM THE UNSEEN

The future of security is here. Is your company prepared?

2 NEW MEDIUMS TO PROTECT YOUR INFORMATION

Don’t take chances with your application and data security.

Protect your brand and online applications from hackers with the leading application security solutions for Web, Cloud, and Mobile.

- Continuous Testing, Vulnerability Detection, and Assessment
- Instantaneous, Accurate Results and Comprehensive Reports

FREE analysis and cost of a breach to your business at www.cenzic.com/risk-calculator


CHALLENGES

When managing your company’s risk, it’s important to know the true cost of a security breach.

Raising awareness: The first step in mitigating security breaches

The cost of a security breach not only hits a firm in the pocketbook, but could also do harm to the company’s reputation. The total costs associated with breakdowns in cyber security are higher than many IT managers assume.

PGP Corporation, a global leader in enterprise data protection, and the Ponemon Institute, a privacy and information management research firm, recently put a dollar number to data breach incidents, finding that it costs U.S. companies $204 per compromised record. The average total per-incident costs ring in at $6.75 million. Financial institutions, telecom and health care are obvious targets, but Robert D. Rodriguez, the Chairman and Founder of the Security Innovation Network (SINET), whose focus is on the advancement of IT security innovation into the industry and government markets, warned that smaller “low-lying fruit” companies also need protection. “If you are a CEO of a small company, your number one goal is running your company, not worrying about breaches.”

A case in point is David Campeas, CEO of Princeton One, a nationwide recruiting company whose firm endured two breaches in the last 18 months.

“Thankfully neither resulted in any data lost. Aside from the internal costs of resetting servers, passwords and procedures, the cost of outside consultants coming in to fortify our security ran into the $1500-$2500 range for each occurrence,” said Campeas.

Beyond the dollar cost, there are damages to consider. “There are direct costs, but also threats to a brand’s reputation and lost trust with customers, and trust is of utmost importance,” said Rodriguez, who feels it is important to spread the message of breaches and seek innovative solutions.

“In the five years we have conducted this study, we have continued to see an increase in the cost to businesses for suffering a data breach,” said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. “With a variety of threat vectors to contend with, companies must proactively implement policies and technologies that mitigate the risk of facing a costly breach.”


Mediaplanet’s business is to create new customers for our advertisers by providing readers with high quality editorial content that motivates them to act.


Faye Brookman

IT Security, third edition, August 2012

publisher: ryan [email protected] director: cahill [email protected]: adam [email protected]

Contributors: Faye Brookman, David Campeas, Marcus Carey, Ramsés Gallego, John Pironti, Dr. Larry Ponemon, Robert D. Rodriguez, Dave Shackleford, Bala Venkat

Photo credit: All photos courtesy of istockphoto.com.

Distributed within: The San Francisco Chronicle, August 2012

We recommend: John Pironti, “BYOD: from threat to opportunity,” page 3

4 WAYS TO LIMIT ONLINE RISK

The ABCs of application security
Assess – Block – Correct. There are over 600 M web sites and counting. Detect vulnerabilities proactively, incorporate intelligence at the application layer and queue timely correction mechanisms into the SDLC.

Scan applications weekly
Stay ahead of the hacker curve by doing weekly scans on web, cloud, and mobile applications.

Persistent testing
With every product update or new feature, make sure to test persistently to secure your business and brand.

Dynamic application security testing
The threat vector is rapidly moving. Applications in production remain vulnerable, and it’s imperative to do continuous testing of production applications for new vulnerabilities.

Bala Venkat, Cenzic executive

Best practices to reduce your risk


John Pironti, risk and security advisor, ISACA

Dave Shackleford, SANS certified instructor

INSIGHT

BYOD: FROM THREAT TO OPPORTUNITY

■ Question: Can an employee bring their own mobile devices onto a company’s network in a secure way?

■ Answer: Yes, through education and control a company can maintain a strong and secure mobile network.

The acronym BYOD strikes fear into the hearts of IT security professionals. But with the right policies, controls and culture, they can manage the risk of the bring-your-own-device reality. And it is reality.

“Some say the appropriate acronym is IBMD — I’m Bringing My Device,” said Ramsés Gallego, vice president of global IT association ISACA. “BYOD implies an invitation, but employees are using and storing company data on their personal devices whether you like it or not.”

ONLY 9% OF EMPLOYEES USE WORK-ISSUED MOBILE DEVICES.

As evidence, an ISACA survey found that only 9 percent of employees use work-issued mobile devices, while nearly half use personal devices for work.

Develop and drive awareness of a clear BYOD usage policy. Ensure you establish and communicate your expectations on the use of personal devices for business activities.

Implement and maintain controls, including the ability to log access and usage information for sensitive data.

Embrace but educate. Employees should understand the personal and professional risks associated with BYOD. Education about the personal benefits increases buy-in and fosters a culture of security awareness.

Now that nearly every employee, from the CEO to interns, possesses a smart device, preparing for BYOD is not optional — it’s a mandate. Fortunately, companies are seeing opportunity in BYOD — if it’s secured properly — including less equipment to purchase and maintain, as well as employees using devices that are more effective for their roles.

Cementing the cloud

Many organizations are looking to leverage cloud computing technology and cloud-based services today, but many have concerns about information security in these environments. There are good reasons to have concerns, ranging from several high-profile failures and data breaches in the cloud to Amazon experiencing multiple outages in the last two years and Dropbox admitting a recent security breach.

While these security failures and concerns tend to be high profile, stoking fears about cloud security overall, there’s much to be said about new security services and capabilities in the cloud. For example, for organizations looking to detect and block Distributed Denial-of-Service (DDoS) attacks, new cloud provider companies offer security “in the cloud” that can help mitigate the threat. Traditional security vendors are adapting their products, ranging from firewalls to intrusion detection systems, to work in virtual machine formats and cloud environments. Other vendors provide centrally managed host-based security tools for cloud systems, while others — often called Identity-as-a-Service providers, or IDaaS — offer identity and access management services across a plethora of more traditional cloud services. For organizations building private and hybrid clouds, there are tools available for encrypting entire virtual machines and managing keys internally, with strong role and policy management capabilities. Quite a few specialized virtual firewalls and other virtual appliances are available for products like OpenStack and VMware cloud technologies, too.

Organizations like the Cloud Security Alliance (CSA) are working to provide security controls standards, metrics, and reporting avenues for cloud service providers and their customers alike. There’s no getting the genie back in the bottle on cloud services. Fortunately, it’s not all “doom and gloom” on the security front, and it will only get better with time.

Navigating truth, lies and decisions to manage risk

Marcus Carey, security researcher, Rapid7

With all the noise around security and threats these days, it’s hard to know what to focus on or even where to get started to protect yourself. If you don’t know what your real level of risk is, it can be impossible to improve your security posture. Here are three short tips on how to spot the truth, avoid the lies and make the necessary decisions to manage your risk effectively:

■ Scan your IT environment to identify where you actually have potential security holes

■ Prioritize them for remediation based on criticality and likely impact

■ Introduce the necessary mitigating controls, for example patch management, disabling unneeded services, uninstalling certain software, implementing solutions such as anti-virus, firewalls, IPS

Don’t miss!

Bay Area SecureWorld Expo
Santa Clara Convention Center
September 19th & 20th

So how can you combat threats?