Network World - National Harbor, Md. — Security monitoring — the type involving traditional security information and event management (SIEM) — can be done in some public cloud environments, according to Gartner. And if you’re using public cloud services, it’s time to think about doing it.

Security monitoring of assets that the enterprise has placed in cloud is still not a common practice, but it really should be, said Gartner analyst Anton Chuvakin during his presentation this week at the Gartner Security and Risk Management Summit. There is always a “loss of control” when turning corporate data assets over to the cloud, Chuvakin says, but “you can compensate by increasing the visibility that comes with collection of logs and network traffic.”

READ MORE …

Network World - When it comes to information security, there are a lot of “misperceptions” and “exaggerations” about both the threats facing businesses and the technologies that might be used to protect their important data assets, according to Gartner analyst Jay Heiser.

[MORE GARTNER: 7 major trends forcing IT security pros to change]

These false assumptions all add up to “security myths” that have gained wide credence among security pros, the employees they’re trying to protect from data loss and the business managers apt to blame chief information security officers (CISO)  for breaches and other mishaps. Heiser, in his presentation on this topic at the Gartner Security & Risk Management Summit held in National Harbor, Md., held forth on his “Top 10 Security Myths”:

READ MORE …

The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets, according to a top-secret document obtained by The Washington Post.

The program, code-named PRISM, has not been made public until now. It may be the first of its kind. The NSA prides itself on stealing secrets and breaking codes, and it is accustomed to corporate partnerships that help it divert data traffic or sidestep barriers. But there has never been a Google or Facebook before, and it is unlikely that there are richer troves of valuable intelligence than the ones in Silicon Valley.

READ MORE …

The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America’s largesttelecoms providers, under a top secret court order issued in April.

The order, a copy of which has been obtained by the Guardian, requires Verizon on an “ongoing, daily basis” to give the NSA information on all telephone calls in its systems, both within the US and between the US and other countries.

The document shows for the first time that under the Obama administration the communication records of millions of US citizens are being collected indiscriminately and in bulk – regardless of whether they are suspected of any wrongdoing.

READ MORE …

Security researchers from antivirus vendor ESET discovered a piece of cyberespionage malware targeting Tibetan activists that uses unusual techniques to evade detection and achieve persistency on infected systems.

The malware, which was dubbed Win32/Syndicasec, bypasses the UAC (User Account Control) mechanism in Windows to run arbitrary commands with elevated privileges without prompting users for confirmation.

[ MORE: Researchers uncover new global cyberespionage operation dubbed Safe ]

It exploits a design flaw in the Windows UAC whitelist functionality that was documents back in 2009 by a developer named Leo Davidson. In fact, the malware uses Davidson’s proof-of-concept code with almost no modifications, said Alexis Dorais-Joncas, Security Intelligence Team Lead at ESET, Thursday in a blog post.

READ MORE …

Security experts have long touted a layered approach to cyber security as the most effective way to thwart network intruders, but the strategy can be less effective than the industry would like organizations to believe, according to a report released this week by NSS Labs.

A comparison of cyber defense technologies — next-generation firewall, intrusion prevention systems and endpoint protection — shows a “significant correlation of failures to detect exploits,” noted the study, authored by NSS Labs Research Director Stefan Frei.

[ CLEAR CHOICE TEST: Top two-factor authentication tools ]

“Such detection failures present a serious challenge to the security industry as they allow an attacker to bypass several layers of defense using only a small set of exploits,” NSS reported.

READ MORE …

When you think about people advocating privacy, it’s doubtful that Eric Schmidt, Google Executive Chairman, springs to mind. Just the same, Schmidt told The Telegraph, “Whenever there’s a conflict, the logic of security will trump the right to privacy.”

Regarding privacy, David House, chairman of Brocade Communications, said, “Give it up, it’s over – everybody’s going to know everything.” At the Ethernet Innovation Summit, House said not to worry about Google tracking every click to serve up ads. “It’s just a computer out there that knows about you. This is just a bunch of data and big data and databases that’s marketing to a market of one.” The real privacy threat is from hackers, according to House. “Everything is going to be known about you, and the guy who can hack into it is going to know everything about you. It’s the hacker you need to worry about, not Google itself.”

READ MORE …

Google plans to upgrade the security of its SSL (Secure Sockets Layer) certificates, an important component of secure communications.

[ALSO: Potential weakness in SSL/TLS security downplayed]

SSL certificates are used to encrypt communication and verify the integrity of another party with which a user is interacting. Its strength lies in the length of the private signing keys used for the certificates.

Keys that are less than 1,024 bits are considered weak, and 512- and 768-bit keys have been factored to reveal a private key. Google has been using 1,024-bit keys, but will move to 2,048-bit keys, wrote Stephen McHenry, Google’s director of information security engineering, in a blog post Thursday.

“We will begin switching to the new 2048-bit certificates on August 1st, to ensure adequate time for a careful rollout before the end of the year,” he wrote. “We’re also going to change the root certificate that signs all of our SSL certificates because it has a 1024-bit key.”

READ MORE …

The mantra is old, grant you, but worth repeating since its obvious from the amount of cybersecurity breaches that not everyone is listening.

Speaking at the Georgetown Cybersecurity Law Institute this week,  Deputy Attorney General of the United States James Cole said there are a ton of things companies can do to help government and vice-versa, combat cyber threats through better prevention, preparedness, and incidence response.

[RELATED: FBI/IC3: Impersonation, intimidation and scams, yep that's the Internet]

[IN THE NEWS: No humor zone: 33 things you should never say to a TSA agent]

“Some of this may seem quite basic to many of you, but it doesn’t hurt to hear it again.  Unless we work together, we will not be able to address the cyber threat successfully,” Cole said.

READ MORE …

WASHINGTON — After three years of grueling internal debate, the chairman of the Joint Chiefs is poised to approve new rules empowering commanders to counter direct cyberattacks with offensive efforts of their own — without White House approval.

Once signed, the new cyber rules contained in the US military’s new standing rules of engagement (SROE) — the classified legal document that outlines when, how and with what tools America will respond to an attack — will mark a far more aggressive tack than envisioned when the process started in 2010, or even much more recently. To date, any cyber action requires the approval of the National Security Council (NSC).

A defense spokesman said that much of the focus on cyber has revolved around defensive action, and that pre-emptive offensive action would still require presidential approval.

READ MORE …