Credit-card security standards questioned, survey says

Most IT security professionals who must comply with the industry standards to protect credit card data think those standards have no impact at all on actual security, according to a new study by the Ponemon Institute. And they say the main benefit of meeting the standards isn't better security; it's better relationships with business partners, who regard payment card industry (PCI) compliance as an easy-to-read sign that businesses are paying attention to protecting the personal data of people who use credit cards, the study says. "PCI does not necessarily mean better security within the hearts and minds of respondents," says Larry Ponemon, who conducted the "PCI DSS Compliance Survey" for Imperva, which makes database and Web application security products. Overall, 57% of respondents feel that PCI standards have no impact on a set of 25 security objectives that they were asked about, the survey says. Those objectives are a list created by the Ponemon Institute as a way to make high-level comparisons of data security among different organizations.

The benefit of PCI compliance cited most often by the IT security pros polled was that it improves relationships with business partners, not that it made data more secure. No. 3 was that PCI compliance did improve the overall security posture of the business. That was followed closely by helping capture more IT funding for security. PCI compliance can be used as a lever to wrest IT security funding from corporate budget makers, the survey indicates. Much of this money would be spent on the same measures anyway, even if PCI compliance wasn't an issue, Ponemon says. Protections dictated by PCI would be made simply because they are sound security practices. Saying that money will help with PCI compliance is a better argument than saying it will make data safer, Ponemon says. "If you're striving just to improve security, it's hard to get the upper echelons to see the value," he says. "They are more likely to pay for PCI because it helps in working with business partners than because it's the right thing to do." On average the 560 security pros surveyed spend 35% of their IT security budgets on meeting PCI standards.

When asked to assess the value they receive from PCI expenditures, 43% say they get what they pay for and 23% say they get more value than they pay for. The rest, 34%, say they get less. In implementing the standards, respondents pick and choose what they protect. The majority of respondents to the survey (55%) say they direct their PCI efforts toward protecting cardholder data only, with just 12% addressing security of all personal data. Just 22% say all their applications and databases are protected in accordance with PCI standards; 25% say protection of their applications isn't compliant at all. The most popular tool for protecting credit card data is the firewall, followed by antivirus/antimalware products and encryption of data at rest and in motion. They find those four technologies to be the most cost-effective as well.

Other results of the survey:
* The vast majority of respondents (79%) say they have suffered at least one data breach that resulted in loss or theft of credit card information.
* Endpoints and wireless devices are regarded as the two weakest links in meeting PCI security, followed by paper documents and applications, the survey says.
* The top three reasons for implementing security standards are to achieve an effective security posture (48%), obtaining buy-in from management (47%) and prioritizing security requirements (46%).

PCI compliance most commonly falls to the CISO or the CIO on the technology side, but corporate legal departments are equal partners overall, the study finds, indicating the complex implications of compliance.

Alcatel integrating network layers for efficiency

Alcatel-Lucent on Wednesday set a course for tighter integration of the two main components of long-haul service-provider networks, saying it will help carriers streamline their infrastructure and run it more efficiently. The company is a major player in carrier optical transport and is gaining ground on Cisco Systems and Juniper in IP (Internet Protocol) routing, according to industry analysts. Now, with the Converged Backbone Transformation Solution, it is leveraging its expertise in both technologies so the two can work more smoothly together and be managed more easily.

Most service-provider networks use electronic packet routers to direct Internet and private IP traffic, but also optical infrastructure to transport data over long distances. The two domains have remained largely separate, but Alcatel said it will bring its IP and optical systems closer together, with more flexible capacity-handling and unified management. The payoff for enterprises that rely on carriers to interconnect their offices could be both faster provisioning and lower prices, said Ray Mota of Synergy Research Group. Today's IP and optical network elements effectively just hand off traffic to each other without much interaction, and they typically are managed by separate teams, said Lindsay Newell, vice president of marketing for IP at Alcatel. "If you go to an optical vendor, you get an optical answer," Newell said. "If you go to a router vendor, you get a router answer." Alcatel says it is skilled in both. His company is best equipped to make these systems work more closely together because it has experience making both parts, Newell said.

One thing Alcatel aims to provide is a more granular way of feeding traffic from IP routers into optical infrastructure. Current routers from most vendors can map one router port to one wavelength of light for optical transport. Alcatel is introducing that technology, called IP over dense wave-division multiplexing, on its service routers now. But IP over DWDM isn't ideal, because it wastes optical capacity if there isn't enough traffic from the IP port to fill the wavelength, Newell said. Alcatel plans to offer the ability to send traffic from multiple ports or from multiple virtual LANs into a single wavelength, Newell said. Carriers can use this to make more efficient use of each wavelength, so potentially they won't have to deploy or light up as many wavelengths, he said. This could save space and power in carrier facilities as well as money.

Also through closer integration, Alcatel will allow IP routers to send traffic straight across the optical network, bypassing unnecessary IP routing along the way. This core router bypass capability will let traffic destined from, say, Los Angeles to New York go straight to its destination without going through an IP router in Chicago, Newell said. At a higher level, Alcatel said it can integrate the management of both network layers because it supplies both. Among other things, the IP and optical management systems will know what resources are available on each and be able to communicate fault management alarms. Ultimately, the IP network elements will be able to reroute traffic if there's a failure in the optical layer, and vice versa. The company will implement the capabilities using existing and emerging industry standards, adding some proprietary features of its own but keeping its products interoperable with gear from other vendors at a more basic level.

The Converged Backbone Transformation Solution is a set of features that will roll out over time. Immediately, Alcatel is delivering features including IP over DWDM on service routers and the initial elements of information exchange between IP and optical, such as common alarm views and fault isolation. Next year, the company plans to provide static provisioning for port-level and VLAN traffic grooming. Later it will offer more dynamic interaction between the layers, including dynamic provisioning for failover, Newell said. The integration ultimately can save carriers at least 30 percent in capital expenditures on a network built from the ground up with the new technology, according to Newell. Many carriers are grappling with data traffic that is growing far faster than the revenue they can collect for it, and this type of streamlining approach could help them, Synergy's Mota said. Savings for carrier networks with a large amount of existing infrastructure will be more incremental, he said.

Quick actions help financial firm avoid security disaster

While most of the IT world has been spared a devastating security attack like Blaster and Sasser for the last few years, the damage wrought by all manner of lesser-known computer viruses continues to inflict corporate pain. For example, New York City-based investment firm Maxim Group faced a security ordeal this year when a virus outbreak pummeled the company's Windows-based desktop computers and servers. "On early April 15th, a few people called to say they were having problems with their computers," relates John Michaels, CTO there, in describing how the investment firm's IT staff started to get an inkling that morning that something was terribly wrong. "After looking into it, we knew something bad was happening, affecting all our users, and my servers." Malware was disabling applications by corrupting .exe files so they wouldn't open once they were closed, while also making thousands of connections to servers, saturating the network. "It damaged all the .exe files by corrupting them," says Michaels. "People were logging on and getting a blank screen." The virus was altering the registry of the computers. In response, Maxim Group told the approximately 325 computer users not to shut down the computers while Michaels and his team contacted vendors for assistance.

Maxim Group didn't have a centralized antivirus product in place, having allowed various groups to go their own way with differing products. The decision to change that practice was made on the spot. Antimalware vendor Symantec was called in to set up a centralized antivirus server, while also attempting to analyze what the malware was and advise on clean-up. It wasn't easy. "Symantec took about three days to identify what the variant of the virus was," Michaels says. "They said they had never seen a variant of this." The virus was finally identified as a variant on "Sality," an older virus that strikes at .exe and now also will install a backdoor and Trojan. "We asked Symantec, are we the only ones telling you about this? And they said 'We have 3 million infected.'" Cleaning up more than 300 virus-riddled PCs was a huge headache. Symantec advised total re-imaging of the computers, which Maxim Group undertook, a process that consumed several weeks.

In the course of beating back Sality, Michaels says he also contacted another vendor, Cymtec Systems, whose product he had demoed, to install the security vendor's Sentry gateway, which monitors traffic and bandwidth usage, enforcing Web site policies and blocking malware. The reason for the Sentry gateway is to prevent employees from going to "Web sites they probably shouldn't," especially as Web surfing raises the risks of malware infection, Michaels says. To this day, Michaels says he's not sure how the Sality variant got into Maxim Group's network to explode in that April 15 outbreak. "Maybe it was a Web site or a USB device, I don't know," Michaels says. But the virus outbreak also showed there was communication from the infected PCs to what might be a botnet. "They were connecting to rogue Internet sites," Michaels says, saying Sentry would help monitor for that kind of activity in the future. But on that day things changed in terms of the investment firm deciding to enforce stricter Internet usage policies. "Before this episode, we allowed social network sites, but we don't now," Michaels says. Social networking sites are gaining a reputation as places where malware gets distributed, and if there's no clear business reason for using them, they're put off limits.

And are the old Blaster and Sasser worms that struck with such devastation over half a decade ago gone? Unfortunately not, says the "Top Cyber Security Risks" report released this week by SANS Institute in collaboration with TippingPoint and Qualys. The report — which examined six months of data related to 6,000 organizations using intrusion-prevention gear and 100 million vulnerability-assessment scans on 9 million computers to get a picture of various attack types — notes "Sasser and Blaster, the infamous worms of 2003 and 2004, continue to infect many networks."

DOJ expands review of planned Microsoft-Yahoo agreement

The U.S. Department of Justice has asked Microsoft Corp. and Yahoo Inc. to hand over more information regarding their proposed search partnership. Nina Blackwell, a spokeswoman for Yahoo, said both companies are cooperating with federal regulators. "[We] firmly believe that the information [we] will be providing will confirm that this deal is not only good for both companies, but it is also good for advertisers, good for publishers, and good for consumers," she added. A Microsoft spokesman confirmed in an e-mail to Computerworld today that the DOJ requested additional information, but added that it came as no surprise. "As expected, we received an additional request for information about the agreement earlier this week," wrote the spokesman, Jack Evans. "When the deal was announced, we said we anticipated a close review of the agreement given its scope, and we continue to be hopeful that it will close early next year." Evans declined to disclose exactly what information the DOJ is looking for.

Microsoft and Yahoo announced late in July that they had finalized negotiations on a deal that will have Microsoft's Bing search engine powering Yahoo's sites, while Yahoo sells premium search advertising services for both companies. The partnership, which was a year-and-a-half in the making, is aimed at enabling the companies to take on search behemoth Google as a united force. Microsoft officials contend that the deal with Yahoo will improve competition in the search market. Matthew Cantor, a partner at Constantine Cannon LLP in New York and an experienced antitrust litigator, disagrees. Cantor said last month that when Yahoo's own search tool disappears, only two major search engines will remain - Google and Microsoft's Bing. He argues that since Yahoo will cease being a competitor in the search market, the DOJ is likely to say the Microsoft/Yahoo partnership is anticompetitive.

In an interview today, Cantor applauded the DOJ's request for more information. "Most deals clear without a request for additional information. This is not run-of-the-mill," said Cantor. "The government believes there are potential antitrust concerns raised here. They would only request additional information if there was some kind of presumption that the deal will cause antitrust effects." Cantor added that he thinks it could take months for Microsoft and Yahoo to pull this new information together, perhaps until the end of this year. Nonetheless, Blackwell told Computerworld that Yahoo is still hopeful the deal will close early next year.