Microsoft appears to be listening to these minimalist pleas, at least when it comes to assigning an official name to Windows 7, the successor to Vista that’s slated for release sometime in late 2009.

In a Monday post to the Windows Vista team blog, Mike Nash, corporate vice president of Windows Product Management, announced that Windows 7 will be the official name of the OS, marking the first time that a Windows product code name will be carried over to the final version.

Nash acknowledged that Microsoft has employed a variety of naming approaches for Windows in the past, including version numbers (Windows 3.11) and dates (Windows 95/98/2000). But for Windows 7, Microsoft has decided that these so-called ‘aspirational’ names just won’t do, and that a simpler naming approach would better reflect its goals.

“The decision to use the name Windows 7 is about simplicity,” Nash wrote.

Nash also threw readers a dose of logic by noting that the Windows 7 name also denotes the fact that it’s the seventh version of Windows that Microsoft has developed.

Michael Cocanower, president of Phoenix-based solution provider ITSynergy, says Microsoft’s ‘aspirational’ names have been difficult for most customers to understand and follow. “The average user has no hope of knowing if Vista is before or after XP, or even ME, for that matter,” he said.

Cocanower says it makes sense for Microsoft to use version numbers for Windows and hopes the practice will continue. “This makes it easy for people to understand the sequence of things, and fits well into a geek’s way of thinking,” he said.

Andrew Kretzer, director of sales and marketing at Bold Data Technology, a Fremont, Calif.-based system builder, sees Microsoft’s move to simplify the Windows naming convention as a positive step that he hopes will soon be applied to Microsoft’s entire product line.

“Hopefully, this will be expanded to include a streamlining of product SKUs, licensing options and pricing as well. There was — and continues to be — an enormous amount of confusion among customers regarding the differences between all of the variations of Microsoft Vista,” Kretzer said.

And that’s just for starters, said Robert Hansen, founder and CEO of SecTheory LLC. “The list doesn’t cover all the other kinds of plug-ins that are vulnerable, or all the browsers or all the Web sites,” Hansen said in an interview Wednesday. “The list got so long so fast that it was impossible to keep track of all the sub-issues.”

On Tuesday, Hansen disclosed more information about “clickjacking,” the new class of vulnerabilities that he and fellow researcher Jeremiah Grossman, the chief technology officer at WhiteHat Security Inc., first mentioned during a semi-closed presentation at a New York security conference on Sept. 24. Hansen and Grossman had originally intended to present the bulk of their findings then, but agreed to withhold most of the information at the request of Adobe, which said it would quickly patch its software against clickjacking attack.

Early Tuesday, however, Israeli researcher Guy Aharonovsky posted a proof-of-concept demonstration that uses clickjacking tactics to invisibly reset Adobe System Inc.’s Flash privacy settings, and secretly turn on the computer’s webcam and microphone for remote spying.

Related Content

With the cat out of the bag, Adobe gave Hansen and Grossman the go-ahead to get specific about their findings. Hansen then posted a list of 12 different clickjacking scenarios on his blog.

“There are multiple variants of clickjacking,” Hansen said in the post. “Some require cross domain access, some don’t. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don’t. Some variants use CSRF to pre-load data in forms, some don’t.”

Of the dozen he spelled out, only two have been resolved. Adobe has not, for example, patched Flash against one of the clickjacking vulnerabilities Hansen and Grossman reported to the company. Adobe issued a security advisory Tuesday, however, with instructions on how to secure Flash against webcam and microphone hijacking in lieu of a patch.

“[Aharonovsky’s] proof-of-concept was just a demonstration, but clickjacking can do all kinds of things,” Hansen said Wednesday. “If you think about the traditional Web applications that have a ‘Confirm’ button or an ‘Add a friend’ button or any kind of single-button click, they’re all going to be more vulnerable now.”

But he also said there’s no reason to panic; clickjacking wouldn’t make the Internet a much more dangerous place in the short term. “If we assume that the majority of Web applications are vulnerable to some exploit, and they are, then clickjacking is making things worse, but it’s already so bad that it doesn’t really matter,” Hansen said.

“We made it very clear that we didn’t feel that this was the end of the Earth,” he continued. “However, that doesn’t lessen the ultimate severity of problems like monitoring people remotely with webcams or getting people to transfer money from their bank accounts.”

Hansen remained convinced that the place to stymie clickjacking attacks for now is within the browser. “Absolutely. There are ways to patch your own site using “frame-busting” code, but that doesn’t work all the time and you’d have to update every single page with sensitive information. But I don’t think it’s unrealistic to think that the browser makers could release a quick patch,” he said.

Hansen and Grossman have been in contact with the security teams at Microsoft Corp., Mozilla Corp. and Apple Inc. responsible for Internet Explorer, Firefox and Safari, respectively. “I don’t have any idea about their timelines,” he acknowledged.

Even so, fixing browsers may in the long run be a short-sighted strategy. “Fixing each browser, as they get less and less alike, only adds a lot more complexity to the problem,” Hansen said.

The trouble with that approach? “When Jeremiah and I were looking at clickjacking, we found all kinds of random browser bugs,” said Hansen, describing the quantity as a “tons of bugs” and a “mess load” of flaws. “A lot of them were unrelated to clickjacking. But as other researchers start looking at clickjacking, they’ll find their own interesting bugs.”

Many will be, as Hansen and Grossman found, browser- or platform-specific. “As browsers get less and less alike, this [browser-specific bug finding] will get more and more common,” he said. Adding more code to plug clickjacking holes, with each browser handling the problem its own way, will invariably open them to new, as-yet-undiscovered attacks, Hansen argued.

For the moment, there’s little that end users can do to protect themselves and maintain the Internet’s usability, said Hansen. One tactic, only available for Firefox users, is to install the NoScript add-on, he said. “NoScript does a great job of supplementing [Mozilla’s] slowness in patching, but it’s not really the best way to protect users,” Hansen said, referring to NoScript’s content blocking, which can render some sites unusable.

“Finding a solution for clickjacking will be very complicated, which is why we don’t see a quick solution,” Hansen said. “But if we don’t give it the attention it deserves now, it could be used in the future for much more effective targeted attacks.”

For more enterprise computing news, visit Computerworld.

The D drive of the Eee Box B202, which launched in Japan last week, contains a virus file named “recycled.exe,” Asustek said in a statement. When the drive is opened, the virus begins copying itself to the main C drive on the machine and to any other removable drives or USB memory connected to the computer.

Despite repeated attempts to get more information from Asustek, the company has not confirmed that the problem is limited to only Japanese Eee Box PCs. The company also didn’t explain how the virus got into the computers.

The Eee Box is Asustek’s expansion into the desktop space of its hit Eee lineup of computers. The original Eee PC basically launched the entire category of low-cost or mini-laptops when it was introduced in mid-2007 at Taiwan’s Computex hardware show. In the last year the range has grown to include a handful of models with different screen sizes and hard-disk drives as Asustek attempts to make the most of its popularity.

Brisk sales of the machines haven’t gone unnoticed by other companies, and many major laptop vendors are now offering computers in the same space to compete with the Eee PC. Most recently Japan’s Toshiba launched its first offering in the category, following other vendors including Hewlett-Packard, Fujitsu and Acer.

1. RoboForm

RoboForm is one of the better-known password-management applications, but the $30 software (with a free version limited to saving ten passwords) is normally tied to one PC. Its built-in access to GoodSync.com lets it synchronize its account files across multiple systems, but doing so requires Windows network, FTP, or WebDAV access. In other words, setting it up between PCs across the Internet–such as your home and work PCs–could be a pain.

Instead, use Microsoft’s free FolderShare utility to sync the directory where RoboForm keeps its account files: My Documents\My RoboForm Data\Default Profile. Newly created files will automatically transfer between PCs, though you may have to restart RoboForm to see a new account created on another PC.

2. Passpack

The latest online storage features let Web sites tackle what has long been a security no-no: storing all your user names and passwords online. In addition to a site log-in, Passpack employs a “Packing Key” passphrase to encrypt your stored cache of account data. Once downloaded and decrypted, that cache stays only on the computer you’re using until you save it, at which point it’s encrypted again and re-sent to Passpack for storage. Passpack doesn’t ever have access to the packing key, and you can’t decrypt your passwords without it–so be careful not to lose the key.

You can use PassPack to log you in automatically to sites, though you might need to train it on a specific site. The free service allows you to store only up to 100 log-ins, but the company may add premium levels of service. While Passpack includes some good antiphishing measures, password-stealing attacks could prove to be an Achilles’ heel if they target the service’s log-in and packing key, so you might want to use it solely for less-important (namely, nonfinancial) sites until it has been around a while to prove itself.

3. Password Hash

Another free browser-based option takes an entirely different approach to password security. If you have the Pwdhash (Password Hash) add-on for Firefox and Internet Explorer installed, pressing F2 prior to typing in a password runs that password through some mathematical “hashing” calculations.

The end result is a unique and strong password that transmits to the site and doesn’t have to be saved anywhere; meanwhile, you have to remember only one password. The tool will always generate the same password for the same site (provided you give it the same starter password), even if you use a different browser. If you’re at a PC where you can’t install the add-on, you can instead visit the PwdHash site to run the calculations manually, after which you can simply cut and paste the resultant password.

4. OpenID

Wouldn’t it be nice to use one account to log in to many different sites? Try OpenID. First sign up for free with your choice of OpenID provider; the pool includes big names such as Flickr, Verisign, and Yahoo. Then, when you visit a site that supports the technology, give it your OpenID. You’ll be sent to your provider for verification.

Once you’re vetted–which might entail your providing a password or correctly identifying preselected elements of an image map, as in myVidoop.com’s interesting setup–the provider tells the original site that you’re okay, and voilà, you’re logged in.

Not many sites use OpenID yet, largely because some security risks, such as phishing, still threaten the relatively new system. But you can save yourself a fair amount of hassle by using it for those nonsensitive sites that do support it.

5. ID Vault

Guard ID’s thumb drive can securely store all your online account data, and it can help guard against phishing by launching a stripped-down custom browser for use with financial accounts. While it’s easy to use, it’s not cheap: It costs $50 plus a $40 yearly subscription renewal.

Before you can use the device with a given PC, you’ll need to install downloadable software (available for Windows XP or Vista). Then you can add accounts from a list of known financial or shopping sites, or input data for other accounts you specify.

From then on, you connect the thumb drive, right-click the ID Vault system-tray icon, and select an account. After you provide a numeric code (which you choose during the device setup), ID Vault logs you in.

 (Source: Erik Larkin , PC World)

Bruce Mengler was arraigned Monday on five charges, including extortion and illegally accessing a protected computer. He pleaded not guilty to the charges and is scheduled to appear for another hearing in U.S. District Court for the Southern District of California late next month.

Court papers filed by prosecutors in connection with the case allege that Mengler accessed data about Maserati North America customers in March by using an automated program to guess PINs that the company provided to customers for logging into a promotional Web site. Once his program successfully identified a PIN, prosecutors claim, he would use it to log into the Web site and then download the customer data associated with that PIN, basically consisting of a person’s name and address.

Next, Mengler tried to extort money from Maserati North America in exchange for his silence about the data breach, according to the court documents. Prosecutors said that in an e-mail sent to officials at the Englewood Cliffs, N.J.-based company two days after he stole the data, Mengler told them that he had “mined” the Web site and downloaded the names and addresses of most of Maserati’s customers in the San Diego area.

“Would you like this lack of security & privacy to become public knowledge?” Mengler is alleged to have asked in his e-mail. “If you would like to buy my silence, make me an offer I can’t refuse.”In other e-mails, Mengler threatened to “blast” the information that he had obtained to media organizations around the country if he wasn’t paid off and wondered whether the company’s “brain dead web implementation” had been corrected. He boasted that he had more than 2,600 customer records and threatened to make them available to Maserati’s competitors.

“What dollar amount is each name worth to Maserati to not be released to the public?” Mengler asked in one of his messages, according to the court filings.

Maserati North America officials didn’t immediately return a call seeking comment about the incident and Mengler’s arraignment.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.

Infonetics Research interviewed 169 security professionals responsible for managing IPS in their organizations to find out whether the full functionality of the IPS filters for blocking attacks was actually used, and the reasons why if not. The study, commissioned by IPS vendor TippingPoint, included its product, as well as those from Cisco, IBM, McAfee and Sourcefire.

“People are still very cautious with IPS,” says Jeff Wilson, principle analyst for network security at Infonetics. “My main impression is we are still not in an all-IPS world, as much as everyone would like to pretend we are.”

Cisco is the dominant vendor in IPS, and the survey reflected that, with 77 Cisco IPS customers, along with 38 TippingPoint customers, 36 IBM ISS Proventia customers, 26 McAfee IPS customers and 15 Sourcefire IPS customers — which all offered detailed descriptions of how they use IPS in their companies. The average size of each company was 9,418 employees.

The first step in IPS is typically the decision to use it in-band or not, and Infonetics found that 91% of TippingPoint customers did so, along with 70% of Cisco customers, 67% of IBM and McAfee customers and about 55% of Sourcefire customers.

Reasons cited for not wanting to run IPS in-band were reliability, throughput, traffic latency and false positives.

For those using IPS in-band, the next step is deciding how many of the device’s available filters to activate in order to block different types of attack traffic. The survey found those using IPS in-line often didn’t apply all the filters in blocking mode, but sometimes simply in alert mode. IPS filters to block were applied far more in TippingPoint and IBM equipment, but much less often in Sourcefire In IBM, Cisco and McAfee equipment, blocking and alert-only were activated about half-and-half in a mixed mode.

According to the survey, filter updates offered by vendors are applied 40% to 74% of the time, depending on the product..
As to why customers may be reluctant to apply new filters, independent analyst Richard Stiennon, who has seen the survey results, said IPS customers typically analyze filter updates in a lab before deploying them. Sometimes the filter signatures can “break the applications or block protocols,” Stiennon says. “Sometimes they not deployed.”

Stiennon — who created some controversy five years ago while a Gartner ananlyst when he declared IDSs “dead” — says this Infonetics survey gives him fuel to fan the flames of criticism once again.

“IDS should be dead because it’s still a failed technology,” Stiennon says, expressing the view that simply logging alerts about attacks is almost always a pointless exercise. “IPS equipment should be doing more to block attacks.”

He also says the TippingPoint equipment was purposely built to be an in-line IPS device but the Cisco equipment was not. Jeff Wilson from Infonetics also agrees that the Cisco IPS is not designed to be in-band and although Cisco is the market leader in IPS, Cisco “has the lowest overall usage of their platform as a true IPS in blocking attack traffic.”

While Gartner analyst John Pescatore hasn’t seen the Infonetics survey, he said Gartner’s own work with its clientele has shown it can take considerable time, even a year, for users to gain confidence in putting IPSs into in-line blocking mode.

“Why not turn it on 100%?” Pescatore asks. “You have performance issues on the boxes, they’re slowing down or may block legitimate traffic.” There are still significant issues of performance throughput in IPS that need to be addressed by the IPS industry, he says.

 (source:  Ellen Messmer , Network World )

Cloud computing will soon become an area of hot debate in Washington, D.C., with policy makers debating issues such as the privacy and security of data in the cloud, a panel of tech experts said Friday.

There are “huge challenges” facing policy makers in the next year or two as cloud computing becomes increasingly popular, said Mike Nelson, visiting professor for the Center for Communication, Culture and Technology at Georgetown University and a former tech policy adviser for U.S. President Bill Clinton.

Among the major policy issues to be worked out: Who owns the data that consumers store on the network? Should law enforcement agencies have easier access to personal information in the cloud than data on a personal computer? Do government procurement regulations need to change to allow agencies to embrace cloud computing?

Cloud computing is “as important as the Web was 15 years ago,” said Nelson, speaking at a Google forum on the policy implications of hosted applications and services. “We don’t have any idea of how important it is, and we don’t really have any clue as to how it’s going to be used.”

Despite the growing number of people using cloud services such as hosted e-mail and online photo storage, many consumers don’t understand the privacy and security implications, said Ari Schwartz, vice president and chief operating officer of the Center for Democracy and Technology, an advocacy group focused on online privacy and civil rights. So far, U.S. courts have generally ruled that private data stored in the cloud doesn’t enjoy the same level of protection from law enforcement searches that data stored on a personal computer does, he said.

“Consumers expect their information will be treated the same on the cloud as it is if it were stored at home on their own computers,” Schwartz said.

Forty-nine percent of U.S. residents who use cloud computing services would be very concerned if the cloud vendors shared their files with law enforcement agencies, according to a survey released Friday by the Pew Internet and American Life Project. Another 15 percent of respondents said they’d be somewhat concerned, according to the survey, released in conjunction with the Google policy event.

Sixty-nine percent of U.S. residents who are online use at least one of six popular cloud services, the survey said. Fifty-six percent of survey respondents use Web mail services, 34 percent store personal photos online and 29 percent use online applications such as Google Documents or Adobe Photoshop Express, according to the survey.

Among the concerns about cloud computing: 80 percent of respondents said they’d be very concerned if a vendor used their photos and other information in marketing campaigns. Another 68 percent said they’d be very concerned if the vendor used their personal information stored in the cloud to deliver personalized ads to them and 63 percent said they’d be very concerned if the vendor kept their data after they tried to delete it.

Asked why they use cloud computing services, 51 percent said convenience was the major reason. Another 41 percent said the major factor was being able to access their information from multiple computers and devices.

One audience member suggested consumers’ growing use of cloud services doesn’t match with their concerns about the privacy of their data. Schwartz said consumers would embrace privacy protections if they were made easy to use.

“People are obviously making trade-offs in privacy when they use these services,” added John Horrigan, Pew’s associate director for research

Asked what policy recommendations they’d make to the U.S. government, Nelson and Schwartz suggested a change in government procurement regulations are needed for federal agencies to embrace cloud computing. But questions about data privacy and ownership are also important to address, Schwartz added.

The U.S. government should encourage the free flow of information around the globe, added Dan Burton, senior vice president for global public policy at cloud computing vendor Salesforce.com. The benefits of cloud computing could be hampered by laws that prevent the sharing of data across national borders, he said.

The government should avoid formulating specific policies governing cloud computing, according to Nelson. Government’s role should be to ensure competition and allow vendors to work out details, he said.

“I do think government has an almost infinite ability to screw up things when they can’t see the future,” Nelson said. “We have to have leadership that believes in empowering users and empowering citizens.”

(Source: Grant Gross of IT World )

The device, referred to as a “terminal server” in court documents, appears to be a router that was installed to provide remote access to the city’s Fiber WAN network, which connects municipal computer and telecommunication systems throughout the city. City officials haven’t been able to log in to the device, however, because they do not have the username and password. In fact, the city’s Department of Telecommunications and Information Services (DTIS) isn’t even certain where the device is located, court filings state.

The router was discovered on Aug. 28. When investigators attempted to log in to the device, they were greeted with what appears to be a router login prompt and a warning message saying “This system is the personal property of Terry S. Childs,” according to a screenshot of the prompt filed by the prosecution.

The disclosure is the latest turn in a bizarre story that has made headlines in San Francisco for the past two months. Childs, a network administrator with DTIS, was arrested June 12 on charges of network tampering after he refused to provide his superiors with administrative access to the city of San Francisco’s network, which he had managed for the past five years.

Related Content

Initially Childs refused to hand over administrative passwords to the city’s routers, which had been configured to wipe out all configuration information if they were reset.

After a dramatic jailhouse meeting with San Francisco’s mayor one week after his arrest, Childs handed over the data, but DTIS Chief Administrative Officer Ron Vinson said Wednesday that the city now expects to spend more than $1 million to clean up the mess. To date, DTIS has paid out $182,000 to Cisco contractors and $15,000 in overtime costs, he said in an e-mail interview.

The city has also set aside a further $800,000 to address the problem. Vinson did not specify what the additional money was expected to cover, but if the city has to hire network consultants to remap, reconfigure and lock down its network, this would not be an unreasonable estimate. The city has also retained a security consulting firm called Secure DNA to conduct a vulnerability assessment of its network.

Meanwhile, Childs remains in county jail, held on a $5 million bond. His supporters say he is a dedicated city employee who was pushed too far by incompetent management, while the county’s district attorney argues that he concealed a violent criminal past when hired by the city and remains a threat to the city’s network. Childs served prison time following a 1983 robbery conviction, a fact he concealed in his city job application forms.

In court filings, prosecutors say Childs has not provided passwords to city-owned encrypted hard drives or access to two Corsair Flash Survivor USB drives that may contain sensitive information.

In a report filed before the city disclosed the hidden router, a court-appointed expert witness for the defense wrote that DTIS could easily prevent Childs from accessing the networks. “I have seen no evidence that Mr. Childs is a ‘computer hacker,’ and by taking a number of simple steps, DTIS could block access by Mr. Childs to San Francisco networks,” wrote Doug Tygar, a University of California, Berkeley computer science professor.

Childs’ next court appearance is set for Sept. 24. If convicted, he faces up to seven years in prison.

(Source: Robert McMillan , IDG News Service )

The software was published late Friday night by Kevin Finisterre, a researcher who said he wants to raise awareness of the vulnerabilities in these systems, problems that he said are often downplayed by software vendors. “These vendors are not being held responsible for the software that they’re producing,” said Finisterre, who is head of research with security testing firm Netragard. “They’re telling their customers that there is no problem, meanwhile this software is running critical infrastructure.”

Finisterre released his attack code as a software module for Metasploit, a widely used hacking tool. By integrating it with Metasploit, Finisterre has made his code much easier to use, security experts said. “Integrating the exploit with Metasploit gives a broad spectrum of people access to the attack,” said Seth Bromberger, manager of information security at PG&E. “Now all it takes is downloading Metasploit and you can launch the attack.”

The code exploits a flaw in Citect’s CitectSCADA software that was originally discovered by Core Security Technologies and made public in June. Citect released a patch for the bug when it was first disclosed, and the software vendor has said that the issue poses a risk only to companies that connect their systems directly to the Internet without firewall protection, something that would never be done intentionally. A victim would have to also enable a particular database feature within the CitectSCADA product for the attack to work.

Related Content

These types of industrial SCADA (supervisory control and data acquisition) process control products have traditionally been hard to obtain and analyze, making it difficult for hackers to probe them for security bugs, but in recent years more and more SCADA systems have been built on top of well-known operating systems like Windows or Linux making them both cheaper and easier to hack.

IT security experts are used to patching systems quickly and often, but industrial computer systems are not like PCs. Because a downtime with a water plant or power system can lead to catastrophe, engineers can be reluctant to make software changes or even bring the computers off-line for patching.

This difference has led to disagreements between IT professionals like Finisterre, who see security vulnerabilities being downplayed, and industry engineers charged with keeping these systems running. “We’re having a little bit of a culture clash going on right now between the process control engineers and the IT folks,” said Bob Radvanovsky, an independent researcher who runs a SCADA security online discussion list that has seen some heated discussions on this topic.

Citect said that it had not heard of any customers who had been hacked because of this flaw. But the company is planning to soon release a new version of CitectSCADA with new security features, in a statement, (pdf) released Tuesday.

That release will come none too soon, as Finisterre believes that there are other, similar, coding mistakes in the CitectSCADA software.

And while SCADA systems may be separated from other computer networks within plants, they can still be breached. For example, in early 2003, a contractor reportedly infected the Davis-Besse nuclear power plant with the SQL Slammer worm.

Related Content

“A lot of the people who run these systems feel that they’re not bound by the same rules as traditional IT,” Finisterre said. “Their industry is not very familiar with hacking and hackers in general.”

(Source: Robert McMillan , IDG News Service)

IT security

Ten percent of IT operating budgets is devoted to security in 2008, an increase from 8% last year, a Forrester study released Thursday revealed. In a survey of 1,255 security decision-makers at North American companies, 21% expect to increase IT security spending in 2009, compared with 6% who expect security spending to decrease. The rest will keep their security budgets stable. Those are impressive numbers in this economy, analyst Khalid Kark said in a keynote during Forrester’s Security Forum in Boston.

“I remember when the security budget was less than 4% of the IT budget,” Kark said. “This number is amazing. In this tough economic time, three out of four of us are saying we’re going to keep this 10% budget and one in five of us are saying we’re going to increase this budget in the next 12 months. Wow, that’s great.”

If there is a downside for security-minded IT professionals, it’s that more money brings greater scrutiny. More red tape, processes and approvals are needed to justify purchases of even relatively minor security products, Kark said. (Compare security products.) An organization-wide focus on security also brings higher expectations and sometimes conflicting expectations from the various departments in a business.

Related Content

But IT security pros are enjoying greater influence with business executives. Security has been the top priority for CIOs in Forrester surveys for four straight years, and 30% of security decision-makers surveyed report having a “dotted-line relationship” with the board or CEO. Another 19% report having such direct links to the executive committee.

“We’ve all been frustrated in making the case for information security, getting [the business executives] to buy in. But I think times have changed,” Kark said. “I remember the time when I had to wait two weeks to get a meeting with the CIO, let alone the CEO.”

Kark attributes this change in attitude partly to data breaches and resulting media coverage and lawsuits that focus public scrutiny on information security. But the shift has also occurred because IT professionals have spent years arguing that security deserves greater attention, and CEOs are starting to get it, he said.

The challenges of security are numerous, and include protecting customer information and corporate intellectual property while developing disaster recovery capabilities, Kark said. Businesses must also decide whether it’s appropriate to merge IT security with physical security. While that convergence makes sense in some cases, in other businesses the two types of security are operated so differently that a convergence creates more problems than it solves, Kark said.

(source:  Jon Brodkin , Network World)

Need help with your Network Security? Let the Development Programming team and our highly qualified Network Managment team at Business Exponents assist you, we have extensive knowledge of custom web applications and IT infrastructure. Our experts can create a custom Apps to help your business save money today. Don’t wait around while you are wasting money, Contact Us Today!