Showing posts sorted by relevance for query: security

NASSCOM-Data Security Council of India Announces Annual Information Security Summit 2012

NASSCOM-Data Security Council of India (DSCI) announced that the Annual Information Security Summit 2012 will be held on 11-12 December at Taj Lands End, Mumbai. This year's NASSCOM-DSCI Annual Information Security Summit will focus on the elements of national cyber security (framework, machinery, responsibility and operations) for critical information sectors such as power, energy and finance, with deliberations on operational technologies such as smart grids and industrial control systems, and on the security and privacy imperatives of eCommerce, mCommerce and eGovernance applications and platforms. The Summit will provide an opportunity for focused discussions with government leaders and global experts on security ramifications at the global level. Special features such as celebrating the success of women leaders in the field of security, a workshop on the IT Act and the release of DSCI assessment frameworks will also be part of the annual summit. The addition of the DSCI Excellence Awards 2012 for corporates and law enforcement agencies (LEAs) alongside the annual summit will truly make this the platform where India meets for security.

Who Should Attend:-

Organizations:
  • User Organization – Banks, Finance, Telecom, Manufacturing, Energy
  • Government & PSUs
  • Technology & Service Providers
  • Security Product/ Services Companies
  • Academia
Individuals:
  • Business Leaders
  • IT Leadership
  • Security & Privacy Leadership
  • Security Professionals
  • Security Implementer | Administrator | Officer

Participation benefits:
  • Learn about new challenges, threats and vulnerabilities
  • Gain Strategic direction & practical guidance
  • Explore new approaches, practices, technologies and services
  • Discover market developments and get a feel of technology products
  • Discuss on public policies for cyber security and privacy
  • Interact with national, government and global leadership
Agenda:- 
 
Tentative Agenda Topics for Annual Information Security Summit '12

Day 1
  0930 to 1015  Inaugural + Key Note
  1015 to 1115  National Imperatives of Securing Operational Technologies … Smart Grids, Oil & Gas, & Public Utilities
  1115 to 1140  Tea Break
  1140 to 1200  Platinum Session 1 by Verizon
  1200 to 1250  Protecting Key Economic Assets, Securing Financial Backbone … Stock Exchange, Payment Infrastructures & Financial Switches
  1250 to 1310  Platinum Session 2 by TCG
  1310 to 1415  Lunch Break
  1415 to 1430  Special feature
  1430 to 1520  Architecting Security for New Age Banking … Business Models, Technology Transformations & Channel Revolutions in the midst of Organized, Focused, Advanced & Persistent Cyber Threats
  1520 to 1540  Special feature by HP
  1540 to 1640  Revolution named Clobile, Nightmare for Security? … Enterprise Mobility, Mobile Apps and Cloud Enablement for Data-driven Businesses
  1640 to 1700  Tea Break
  1700 to 1800  Data-driven Businesses: Data, Reason for Empowerment and Concern … Big Data, Context Computing & Social Media Computing
  1800 to 1900  Networking and Exhibition
  1900 to 2030  DSCI Excellence Awards 2012 (Corporate; Law Enforcement)
  2030 onwards  Cocktail Dinner

Day 2
  0930 to 1030  Cyber Security, from National Responsibility to Global Accountability … Cyber diplomacy, converging national and international interests
  1030 to 1100  Special Feature by CISCO
  1100 to 1130  Tea Break
  1130 to 1230  Securing Technology Transformation of Governance … eGovernance projects, Security Challenges & Solutions
  1230 to 1315  Rendezvous with Women Security Leaders: Special Interaction … Security, Challenges and Opportunities for Women
  1315 to 1415  Lunch Break
  1415 to 1515  Security Enablement of Growing Electronic & Mobile Commerce … Rising Volume & Growth of Commerce, Security as Enabler
  1515 to 1600  Securing core, edge, access & connect: reappearance of network on the agenda of security … Finding the role of network security: Infrastructure Core, Hyper-extensive organizations, Access complexities, Mobility & External exposures
  1600 to 1630  Tea Break
  1630 to 1730  Consumer Behaviors and Business Responsibilities in the Information Age … Responsible Behaviors, Fair Business Practices & Enabling Technologies

To register for the event, click here.



Registration Open For Cairo Security Camp 2012 (Information Security Conference)

We have very good news for hackers, security experts and cyber-security junkies: registration for Cairo Security Camp 2012 is now open. CSCAMP is an annual event targeting the information security community of the Middle East and North Africa (MENA) region, organized by Blue Kaizen. IT professionals and security practitioners from throughout the region are invited to attend. The conference's purpose is to gather, in one place, everyone interested in helping to improve and enrich the information security field in the MENA region. The goal is to raise the level of the information security field in the MENA region, hoping that one day it lives up to international standards. Cairo Security Camp is the first annual conference organized by an Arab country.

Cairo Security Camp 2012 Venue Details:
Target Venue: TBD
Target Date: 18th – 24th of November 2012
Organizers: BlueKaizen.org

Who should attend?
- Chief Security Officers.
- Corporate/Government Security Directors.
- Information Security Managers.
- Information Security Experts.
- Information Security Professionals.
- Information Security Officers.
- Information Security Students.
- Information Security Education & Training Specialists.
- Government Agency Security Specialists.
- Information Security Programs Professors.
- CIOs/ IT Managers.
- IT/ System Administrators.

We would also love to share with our readers that Voiceofgreyhat feels proud to take part in this event as official Media Sponsor of CSCAMP. It is our honor to be associated with Blue Kaizen. As the official media partner, Team Voiceofgreyhat wishes Cairo Security Camp 2012 a huge success. For more details about the event, click here.


T.E.N. Announces 2011 Information Security Executive® (ISE®) Central Awards Nominees

T.E.N., a technology and information security executive networking and relationship-marketing firm, announced that nominations have closed for the ISE® Central Awards 2011. Finalists and winners of the Information Security Executive® Awards for both Executive and Project categories will be announced at the ISE Central Executive Forum and Awards Gala to be held on June 7, 2011 at the Westin Galleria Hotel, Dallas, Texas. 
Executives nominated for the ISE® Central Award in the Executive category are defined as leaders who improve their organization's risk management, data asset protection, privacy and network security efforts while proactively implementing security technology and processes. Judges evaluated these leading nominees based on the following criteria: responsibilities, aligning security with the business, leadership, vision of the future, applying innovation, and building technology partnerships. Nominees include:
  • Zulfi Ahmed, CISO, Pepsi
  • Joe Bernik, CISO, Fifth Third Bank
  • Bill Davis, Data Security Officer, Amarillo National Bank
  • Keith Fricke, ISO, Catholic Health Partners
  • Doug Jacoby, CISO, Baker Hughes
  • Chad Mead, VP & Global Leader: Technology Governance Risk and Control and CISO, Cargill, Inc
  • John Petrie, VP & CISO, Harland Clarke Holdings Corporation
  • John South, CISO, Heartland
  • Kevin Swailes, Director Global IP Protection, COE (Center of Excellence), GE Energy
  • Scott Sysol, CISM, CISO and VP of Information Technology, Service Management & Security, CUNA Mutual Group
  • Amy Wang, Director, Information Services and Information Security Officer, Henry Ford West Bloomfield Hospital

The ISE® Central Award in the Project category garnered an outstanding range of information security projects that were deployed and completed in the last 12-18 months and have had the greatest positive impact within their organization. Judges evaluate projects based on scope, defined goals, ability to execute and overall results achieved for the organization. Nominees and their project titles include:
  • Allstate Insurance: Information Security Risk Management Program
  • AT&T: End to End Data Protection, Risk Mitigation & PCI Compliance
  • CUNA Mutual: SailPoint Identity IQ Full Suite Implementation
  • Electronic Arts: BSOC - Business Security Operation Center
  • GE Energy: DLP for IP Protection
  • Henry Ford West Bloomfield Hospital: Create a Collaborative Security Culture
  • Medical Mutual of Ohio: Symantec DLP (Vontu) Implementation
  • Michigan State University Residential & Hospitality Services: Kellogg Center PCI-DSS
  • Nationwide: Effective Risk Management = Effective Business Management Enabling the Business Through Effective Risk Management
  • Southern Union Company: Network Access Control Project

"We're pleased to announce that the ISE® Programs were chosen as the third most attended programs for IT Security Executives in 2011. They function as an idea incubator, provide a channel for research, education and information sharing, speed knowledge transfer and promote best practices," said Marci McCarthy, CEO and President of T.E.N. Eligible nominees were selected from the U.S. central region, including Arkansas, Illinois, Indiana, Iowa, Kansas, Louisiana, Michigan, Minnesota, Missouri, Nebraska, North Dakota, Ohio, Oklahoma, South Dakota, Texas and Wisconsin.
Nominations are sent to T.E.N.'s distinguished panel of ISE® judges for review and scoring. Judges have the final approval in determining whether an executive or project team is qualified to participate as a nominee at either the regional or national level. Finalists and winners are not announced publicly until the evening of the awards.
The ISE® Central Distinguished Panel of Judges for this year's awards include:
  • Mark Chamberlain, Executive Director, IT Security Management, USAA
  • Chris Leach, SVP and Chief Information Security Officer, ACS, a Xerox Company
  • Vickie Miller, Director of Information Security, FICO
  • Robert Myles, Assistant Vice President, Information Security, CISO, University of Texas Southwestern
  • Gene Scriven, Chief Information Security Officer and Vice President, Sabre-Holdings Inc.
  • Tim Stanley, Director, Information and Infrastructure Security, Waste Management
  • Julie Talbot-Hubbard, Director of IT Risk and Security Management, Cardinal Health
  • Brian Wrozek, IT Security Director, Texas Instruments Incorporated


Microsoft Started "BlueHat" Contest for Better Security


As any Jedi knight knows, the temptation to turn to the Dark Side is difficult to resist. The same can be true for White Hat hackers--malware fighters who discover vulnerabilities in software.
The black market prices for those kinds of security flaws are as tantalizing to ethical hackers as the malevolent side of The Force was to Luke Skywalker. Microsoft wants to temper those temptations, though, and has announced a contest that offers more than $250,000 in prizes for developing better solutions to counter security threats.
Microsoft's "BlueHat Prize," announced by the company at the Black Hat security conference in Las Vegas Wednesday, offers a grand prize of $200,000, a runner-up purse of $50,000, and a third-place award of a one-year subscription to MSDN Universal--a developer's platform for Microsoft products--worth $10,000--to security researchers who design the most effective ways to prevent the use of memory safety vulnerabilities. Those kinds of vulnerabilities can create problems like buffer overflows that can be exploited by Net miscreants to compromise computers.
“As the risk of criminal attacks on private and government computer systems continues to increase, Microsoft recognizes the need to stimulate research in the area of defensive computer security technology," Matt Thomlinson, Microsoft’s General Manager of Trustworthy Computing Group, said.
“Our interest is to promote a focus on developing innovative solutions rather than discovering individual issues," Thomlinson continued. "We believe the BlueHat Prize can catalyze defensive efforts to help mitigate entire classes of attacks."

Top Experts Needed:-

In offering the prize, Microsoft hopes to attract the world's top experts to focus their "little gray cells" on a major security problem. “Microsoft wants to encourage more security experts to think about ways to reduce threats to computing devices," observed Katie Moussouris, senior security strategist lead for the Microsoft Security Response Center.
“We’re looking to collaborate with others to build solutions to tough industry problems," she added. "We believe the BlueHat Prize will encourage the world’s most talented researchers and academics to tackle key security challenges and offer them a chance to impact the world."

The Origin of the Concept:-

According to Microsoft, it got the idea for the BlueHat prize from a previously launched security information-sharing program. That initiative, the Microsoft Active Protections Program (MAPP), allows Microsoft to share information with security vendors around the world so they can release protection technologies to their customers much faster. The success of that program got Microsoft thinking about mounting a similar effort for the security research community.
One vendor with praise for BlueHat was Adobe, a company that's no stranger to software with vulnerabilities. “The Microsoft BlueHat Prize announced at Black Hat [on August 3] is an exciting new initiative and a great example of encouraging community collaboration in the defense against those with malicious intent," observed Adobe's Senior Director for Product Security and Privacy Brad Arkin.
“This call for entries promises to stimulate research activity within the broader security community on how to mitigate entire classes of attacks, rather than thinking about software security as a challenge best addressed one bug at a time," he continued. "This research has the potential to lower costs for third-party developers and increase the level of security assurance for end users."
Here are the official rules and guidelines for the competition. Contest submissions will be accepted until Sunday, April 1, 2012, Microsoft said. A panel of Microsoft security engineers will judge submissions based on the following criteria: Practicality and functionality (30 percent); robustness--how easy it would be to bypass the proposed solution (30 percent); and impact (40 percent). The winners will be announced at Black Hat USA conference in 2012.

-News Source (PC World)


Nullcon - International Security Conference [Goa 2012]



null - The Open Security Community is a registered non-profit society and by far the largest security community in India, with more than 2000 members comprising information security professionals, ethical hackers and law enforcement professionals. It focuses on infosec research and on assisting government and private organizations with cyber security issues. null has 7 chapters throughout India (Pune, Bangalore, Mumbai, Hyderabad, Delhi, Chennai and Bhopal), reaching around 5000-6000 people through activities such as monthly meets, security camps, workshops, talks at various events and organizations, and security projects.

nullcon portal http://null.co.in provides free information on security research, responsible vulnerability disclosure, open source security software project, white papers, presentations, monthly chapter meets.

We see that currently there is a disconnect between the Govt. agencies and private organizations when it comes to cyber security and aim to fill the gap in a vendor neutral way. We have many projects running that help organizations tighten their security infrastructure, including Keeda Project and nullcon - International Security Conference and Trainings.

The Keeda Project is a database of vulnerabilities found in the wild that are reported to us by members or anonymous researchers. We act on each report by immediately contacting the organization concerned and the respective CERT with information on the vulnerability, and we assist them in mitigating the threat.
As a part of null initiatives we organize nullcon - International Security Conference (http://nullcon.net), our annual flag-ship event. It is held in Goa in the month of February. At nullcon we call upon security experts from around the world to deliver talks and workshops on the latest technology and techniques in the security and hacking world. The talks range from web hacking, security & hacking tools, smart phone hacking, cyber warfare to zero day vulnerabilities.

The year 2012 marks a revolutionary change and unprecedented expansion in the way nullcon is organized. With the overwhelming support of our esteemed sponsors, enthusiastic participants and volunteers - null is organizing TWO conferences in 2012   
- nullcon Goa on 15-18th Feb 2012 and nullcon Delhi in Oct 2012
nullcon Goa continues to be a mix of hacking, security and business briefings with a lot of technical events for all the security geeks.
nullcon Delhi will focus more on the Corporate and the Government sector. It will include events geared towards business prospects in information security such as the exquisite Exhibit Space and Demo Zone for cutting-edge technology and products, business networking events and parties.




Going Mobile: Security in the Age of Ubiquity



This isn’t an official rant, but there’s one thing that drives me completely insane.  It’s a link in a message in my email.
As you might imagine, there are many touch points running a $2 billion security business. A lot of that gets manifested in Web-based applications that get issued for everything that happens within the organization: ordering prototype equipment, managing travel, hiring, and promotions. All of these apps generate an email. Any given day, I get 20 of these emails, and I have to respond to every one of them.
While all that’s expected is a review of the data and a simple click for approval, I’m often traveling and mostly working on a traditional email-only device, and so this simple task is impossible. Within a few hours these requests pile up and everyone’s freaking out, “Tom, you didn’t approve this yet?” My solution: I call my admin and go over each one of these decisions on the phone, often at odd hours. It’s ridiculous.
I find myself fantasizing about the ability to have just one device that I hold in my hand that allows me make all the important decisions I have to make every five minutes. Back to reality: I log onto my laptop, boot up, find a hot spot, launch the VPN, generate a token, connect, sync my mail, find the link, and then comes the magic “click.” Or I wake up my executive assistant.
Why the trouble? Simple: the enterprise needs to have security. But this security blanket must extend beyond traditional corporate PCs to include the new consumer end point as well. A new study by Deloitte shows that companies will buy more than 10 million tablet computers this year and that for the first time, sales of personal computers will represent less than half of the total computing device market. And yet, for many of us, today the security blanket doesn't cover the device du jour. It needs to. In a new world of myriad mobile devices, cloud-based apps and increasingly rich media, we need to rethink security. Three major trends sweeping through the enterprise—the rapid rise of the consumerized end point, the adoption of cloud computing, and the growing use of high definition video conferencing—are transforming business and demanding a fundamental shift in how security is developed and deployed.
It’s time for a change. Security was developed when the enterprise network was relatively static and the Internet experience was totally different. Users came to work and sat at a desk that had a PC that rarely moved. It was connected by a wire to a port in the wall and it had a controlled set of software—the “corporate image,” which included security scanning and configuration.  This corporate end point was one of the primary places that security was enforced. The other place security was injected was at the edge of the corporate network.  Branch and remote traffic was backhauled to a small number of egress points where the corporate network met the Internet. Known as the DMZ, this is the place where network security traditionally resides: firewalls, IPS systems, Web and email gateways.
But today, as we work in a more distributed, mobile and cloud-oriented world, this traditional “hub and spoke” model of the network no longer makes sense. A vast array of consumer devices have flooded into the enterprise and blown the end point into a million pieces.  Furthermore, DMZ is becoming less relevant because the Internet touches the network in thousands of places, not ones or tens of places.
Additionally, companies engage in increasingly complex business relationships with contractors, partners, and suppliers, and often the number of non-traditional employees that need to access corporate assets exceeds the number of employees that need access! A new era of mobile computing and the modern, global, outsourced business has yielded a dynamic, uncontrolled, highly mobile user community.  And it’s not just users that are on the move, but corporate data is as well.  With the rapid onset of data center virtualization, cloud computing, and SaaS, it’s getting quite difficult for the IT team to point a finger and say, “my data resides here.”   
We need a new architecture to provide security in this type of world. Security solutions based on physical infrastructure, and policy expressed in terms of a particular device, the corporate PC, an IP address, network port, or application protocol are becoming useless in a mobile, borderless world. The new security architecture needs to have higher-level constructs so that a policy can be expressed in terms of the who, what, where, when, and how of security as opposed to the IP address. It needs to be separated from the physical infrastructure underneath it and instead, have security flow through it. And, it needs to be highly distributed so it can be deployed in hundreds of locations around the world—wherever the borderless enterprise touches the unwashed Internet.
The security architecture of tomorrow is no longer at the beginning or the end. It’s in the middle; it’s everywhere. In the future, security is a fabric that permeates the network, both within the corporate WAN and in the public cloud.
The good news for me is that within Cisco we have deployed our next gen security system.  “Eating our own caviar” as John Chambers likes to say.  So now I can read my email on my iPhone, and with our secure mobility solution, I can just click right through to my enterprise apps and approve away.  Huzzah!


eEye to Showcase IT Security Solutions that Simplify Vulnerability and Compliance Management at SecureWorld Expo in Atlanta

eEye Digital Security, a provider of IT security and unified vulnerability management solutions, will exhibit at the SecureWorld Expo in Atlanta, Georgia, May 3-4, 2011. The company’s CTO, Marc Maiffret, will participate as an industry expert on a network security panel discussion. The conference brings together the security leaders, experts, senior executives, and policy makers who shape the direction of security across Information Security, Physical Security, Compliance, IT Audit, Computer Forensics, Enterprise Risk Management, Business Continuity, and Security Management.
eEye invites the media and SecureWorld Expo attendees to explore the company's latest innovations, demonstrated in Booth 313, primarily the company’s Retina CS Management solution, Retina Insight reporting engine, as well as add-on modules for Configuration Compliance, Government Regulatory Reporting, and Patch Management.
eEye CTO, Marc Maiffret, will offer insights on the Industry Expert Panel, "Network Security: Finding the Right Management Program," to be held on Tuesday, May 3, 1:15-2:00 PM during the Open Vendor Sessions portion of the conference.
“It’s part of the eEye philosophy to regularly engage in dialogue with other security leaders and the IT security community at large,” said Marc Maiffret, CTO, eEye. “As a speaker on the Network Security panel, I’d like to open communication around some simple, practical tactics that IT professionals can use to significantly improve the security of their organization.”
At the event, eEye will encourage SecureWorld Expo attendees to take advantage of several free online resources that the company provides to the IT security community. Retina Community is a free vulnerability scanner for up to 32 IPs, now used by nearly four thousand organizations. Zero Day Tracker provides a catalogue of the newest zero-day vulnerabilities, instructions for quick remediation, and a historical record of past vulnerabilities. eEye's Vulnerability Expert Forum (VEF), hosted by Maiffret and the eEye Research Team, is a popular monthly webinar attended by hundreds of IT security professionals seeking insight and information on recently announced critical vulnerabilities from Microsoft and other software vendors.
eEye is participating in SecureWorld Expo’s “Dash for Prizes.” Attendees can register at the eEye Booth (313) throughout the two-day conference to win an Amazon Kindle and a $25 gift card. Winners will be announced during the last break of the conference on Wednesday, May 4. Attendees must be present to win.
About eEye Digital Security 
Since 1998, eEye Digital Security has made vulnerability and compliance management simpler and more efficient by providing the only unified solution that integrates assessment, mitigation, protection, and reporting into a complete offering with optional add-on modules for configuration compliance, regulatory reporting, and integrated patch management. eEye’s world-renowned research and development team is consistently the first to uncover critical vulnerabilities and build new protections into our solutions to prevent their exploit. Thousands of mid-to-large-size private-sector and government organizations, including the largest vulnerability management installations in the world, rely on eEye to protect against the latest known and zero-day vulnerabilities. More at eeye.com.


Oracle to Mitigate 73 Security Vulnerabilities in Upcoming Critical Patch Update


Oracle is all set for its upcoming Critical Patch Update. The company's pre-release announcement indicates that in all 73 vulnerabilities across numerous products will be mitigated in the next Critical Patch Update. The update will mitigate security vulnerabilities in Oracle Database Server, Fusion Middleware, Enterprise Manager, E-Business Suite, Supply Chain products, PeopleSoft, the JD Edwards suite, Siebel CRM, industry applications, Sun products and the OpenOffice suite.

The company releases Critical Patch Updates quarterly, on the Tuesday closest to the 17th day of January, April, July and October. Oracle rates vulnerabilities with the Common Vulnerability Scoring System (CVSS) version 2.0. Each vulnerability is scored on the prerequisites for exploiting it (access vector, access complexity and the authentication required) and on the impact of a successful attack on confidentiality, integrity and availability. Base scores range from 0.0 to 10.0, with 10.0 being the most severe.

Vulnerabilities may be caused by technological flaws, programming errors and other human errors. Developers need to constantly upgrade their technical skills through online IT degree courses, training programs and refresher courses to deal with ever-evolving threats.

The Critical Patch Update will address six vulnerabilities in Database Server. They affect components such as Application Service Level Management, Database Vault, Oracle Help, Security Service, Warehouse Builder, UIX and Network Foundation. Two of the six are exploitable without authentication. The highest base score among the Database Server flaws is 6.5. The update will mitigate 9 flaws in Fusion Middleware, 6 of which are exploitable without authentication.

These affect Oracle Help, HTTP Server, JRockit, Outside In Technology, Security Service, WebLogic Server, Portal and Single Sign-On. Oracle has assigned the highest severity score of 10.0 to vulnerabilities affecting Fusion Middleware. Four vulnerabilities will be fixed in Oracle Applications, 2 of which are exploitable without authentication; they carry a base score of 4.3 and affect Application Object Library, Applications Install and Web ADI. The update will also resolve a flaw in the Supply Chain products suite that is exploitable without authentication; the highest base score there is 4.3, affecting the Agile technology program.

14 security flaws related to the PeopleSoft suite will be fixed in the upcoming Critical Patch Update, 1 of which is exploitable without authentication. The highest base score among the PeopleSoft flaws is 4.3, affecting PeopleSoft Enterprise, Enterprise CRM, ELS, HRMS and PeopleTools. The update will resolve 8 issues in the JD Edwards suite, 7 of which are exploitable without authentication; the highest base score there is 6.4, affecting EnterpriseOne Tools.

The update will address one vulnerability in industry applications, affecting InForm, with a base score of 5.5. Eight security flaws will be mitigated in the Sun products suite, seven of which are exploitable without authentication; Oracle has assigned the highest severity score of 10.0 to flaws in this suite. The components affected include Java Dynamic Management Kit, Java System Web Server, Solaris, OpenSSO Enterprise, GlassFish Enterprise Server, Java System Application Server, Java System Access Manager Policy Agent and Java System Messaging Server.

The upcoming Critical Patch Update will fix 8 security issues in the OpenOffice suite, 7 of which are exploitable without authentication. The highest base score among the OpenOffice flaws is 9.3. OpenOffice, StarOffice and StarSuite are affected.

Vulnerabilities are identified by professionals qualified in IT degree programs and security certifications such as penetration testing. Developers encourage both in-house and independent security researchers to detect and report security flaws so that they can be mitigated before exploitation by attackers.

Online IT courses, e-tutorials, security blogs and alerts from computer emergency response teams could help users in gaining insights on security threats, their implications and importance of security updates. Users must keep track of the security releases and install necessary updates to safeguard their systems and data from unauthorized access. 


Cloud Computing: Managing Risk and Compliance in the Cloud


Cloud computing represents today's big innovation trend in the information technology (IT) space. Because it allows enterprises to deploy quickly, move swiftly, and share resources, cloud computing is rapidly replacing conventional in-house facilities at enterprises of all sizes.
Unfortunately, in their eagerness to adopt cloud platforms and applications, enterprises are neglecting to recognize and address the compliance and security risks that come with implementation. Often the ease of getting a business into the cloud - a credit card and a few keystrokes is all that is required - provides a false sense of security.
However, shortcomings in a cloud provider's security strategy can trickle down to the businesses that use its services. The resulting damage can range from outages that impact business performance, data loss, unauthorized disclosure, data destruction and copyright infringement to loss of brand reputation.
Risk in the Cloud
For enterprises planning to transition their IT environment to the cloud, it is imperative to be cognizant of issues such as loss of control and lack of transparency, which are often overlooked. Cloud providers may have service level agreements in place, but security provisions, the physical location of data, and other vital details may not be well defined. This leaves enterprises in a bind, as they must also meet contractual agreements and regulatory requirements for securing data and comply with countless breach notification and data protection laws.

Whether organizations plan to use public clouds, which promise an even higher return on investment, or private clouds, better security and compliance is needed. To address this challenge, organizations should institute policies and controls that match their pre-cloud requirements. After all, why would you apply less stringent requirements to a third-party IT environment than to your own, especially if it potentially impacts your business performance and valuation?
Recent cyber-attacks and associated data breaches of Google and Epsilon (a marketing services firm) are prime examples of why companies need to think about an advanced risk and compliance plan that includes their third-party managed cloud environment.
To protect your business, you should insist that your cloud service provider provides visibility into security processes and controls to ensure confidentiality, integrity, and availability of data.
Best Practices for Cloud Risk Management
According to Jim Reavis, co-founder and executive director of the Cloud Security Alliance (CSA), the main inhibitors to the adoption of cloud computing in large organizations are the lack of consistent and standardized frameworks, open standards, interfaces that address security controls, and easy-to-implement processes that provide assurance on levels of Governance, Risk, and Compliance and security in cloud environments.
According to a report by Forrester Research (Compliance with Clouds: Caveat Emptor, August 2010) organizations should not wait for the cloud industry to step up its support for regulatory compliance, but instead security professionals should look beyond their cloud providers for compensating controls to aid cloud sourcing.
This view is obviously shared by IT and security leaders, who responded to the 2011 Global State of Information Security Survey of PricewaterhouseCoopers, CIO Magazine, and CSO Magazine, as they identified compliance (34%) and regulatory compliance (33%) among the top five business issues that will drive information security spending in their organization in 2011.
As cloud computing is still an emerging technology space, advice on how to address cloud risk management is limited. What best practices should organizations follow? The best bet is probably the guidelines developed by the Cloud Security Alliance, a non-profit organization formed to promote best practices for providing security assurance within cloud computing.
The CSA defines three distinct stages of a cloud adoption life cycle: cloud risk readiness assessment, cloud risk operations monitoring, and finally cloud audit (an area that still requires further standardization).
Cloud Risk Readiness
When you transition your IT infrastructure to a cloud environment you have to find ways to determine how to trust your cloud provider with your sensitive data. Practically speaking, you need the ability to assess security standards, trust security implementations, and prove infrastructure compliance to auditors.
To quickly evaluate your tolerance for moving assets to the various cloud computing models (e.g., public cloud, private cloud, community cloud, or hybrid cloud), apply the following steps:
  1. Identify the assets for the cloud deployment (e.g., data, applications, functions, processes)
  2. Evaluate the assets as they relate to business criticality and answer questions such as:
    • What impact would the business face if the asset became public information?
    • What impact would the business face if the asset would be accessed by the cloud service provider?
    • What impact would the business face if the application would be attacked or corrupted by an outsider?
    • What impact would the business face if the stored data were unexpectedly modified?
    • What impact would the business face if the asset were unavailable for a period of time?
  3. Map the asset to the potential cloud deployment model
  4. Evaluate potential cloud service models and providers and answer questions such as:
    • Does the cloud service provider meet current standards for security (e.g., assessment of threat and vulnerability management capabilities, continuous monitoring, business continuity plan)?
    • Is the cloud service provider compliant with applicable regulations and can it pass a regulatory audit?
    • Can the cloud service provider generate dynamic and detailed compliance reports that can be used by the provider, auditors, as well as your internal resources?
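The four readiness steps above, worked through as an added example in Python. This is not code from the article or from the CSA: the five impact questions, the four deployment models and the provider questions come from the text, while the three-level impact scale, the thresholds, the rules mapping an asset to acceptable deployment models and required provider controls, and the sample assets and providers are assumptions constructed for this example.

```python
"""Cloud risk readiness assessment: identify assets, rate impact, map to a
deployment model, and check candidate providers against required controls.

Added example; the impact scale, thresholds and mapping rules are assumptions,
not CSA guidance.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Set


class Impact(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Step 2: the five business-impact questions from the text.
QUESTIONS = (
    "public_disclosure",        # asset becomes public information
    "provider_access",          # asset accessed by the cloud service provider
    "outsider_attack",          # application attacked or corrupted by an outsider
    "unexpected_modification",  # stored data unexpectedly modified
    "unavailability",           # asset unavailable for a period of time
)

DEPLOYMENT_MODELS = ("public", "community", "hybrid", "private")


@dataclass
class Asset:
    """Step 1: an asset proposed for cloud deployment (data, application, ...)."""
    name: str
    kind: str
    regulated: bool
    impacts: Dict[str, Impact]

    def __post_init__(self) -> None:
        missing = set(QUESTIONS) - set(self.impacts)
        if missing:
            raise ValueError(f"{self.name}: unanswered impact questions {sorted(missing)}")


@dataclass
class Provider:
    """Step 4: a candidate provider, its deployment model and the controls it can evidence."""
    name: str
    model: str
    controls: Set[str] = field(default_factory=set)


def criticality(asset: Asset) -> Impact:
    """Worst-case impact across the five questions."""
    return Impact(max(asset.impacts.values()))


def acceptable_models(asset: Asset) -> List[str]:
    """Step 3 (assumed rule): the confidentiality impact, i.e. disclosure or
    provider access, decides how much of the platform may be under third-party control."""
    confidentiality = max(asset.impacts["public_disclosure"], asset.impacts["provider_access"])
    if confidentiality == Impact.HIGH:
        return ["private"]
    if confidentiality == Impact.MEDIUM:
        return ["community", "hybrid", "private"]
    return list(DEPLOYMENT_MODELS)


def required_controls(asset: Asset) -> Set[str]:
    """Step 4 (assumed mapping onto the provider questions in the text)."""
    i = asset.impacts
    req: Set[str] = set()
    if i["outsider_attack"] >= Impact.MEDIUM or i["unexpected_modification"] >= Impact.MEDIUM:
        req |= {"threat_vulnerability_management", "continuous_monitoring"}
    if i["unavailability"] >= Impact.MEDIUM:
        req.add("business_continuity_plan")
    if asset.regulated:
        req |= {"regulatory_audit_passed", "compliance_reporting"}
    return req


def evaluate(asset: Asset, provider: Provider) -> dict:
    """Combine steps 3 and 4 for one asset/provider pair; gaps are missing controls."""
    model_ok = provider.model in acceptable_models(asset)
    gaps = sorted(required_controls(asset) - provider.controls)
    return {"asset": asset.name, "provider": provider.name,
            "model_ok": model_ok, "gaps": gaps, "acceptable": model_ok and not gaps}


# Constructed sample inventory (hypothetical assets and providers).
SAMPLE_ASSETS = [
    Asset("customer_records", "data", regulated=True, impacts={
        "public_disclosure": Impact.HIGH, "provider_access": Impact.HIGH,
        "outsider_attack": Impact.HIGH, "unexpected_modification": Impact.HIGH,
        "unavailability": Impact.MEDIUM}),
    Asset("marketing_site", "application", regulated=False, impacts={
        "public_disclosure": Impact.LOW, "provider_access": Impact.LOW,
        "outsider_attack": Impact.MEDIUM, "unexpected_modification": Impact.MEDIUM,
        "unavailability": Impact.MEDIUM}),
]
SAMPLE_PROVIDERS = [
    Provider("PublicCloudCo", "public",
             {"threat_vulnerability_management", "continuous_monitoring", "business_continuity_plan"}),
    Provider("PrivateHostCo", "private",
             {"threat_vulnerability_management", "continuous_monitoring",
              "business_continuity_plan", "regulatory_audit_passed", "compliance_reporting"}),
]


def readiness_report(assets=SAMPLE_ASSETS, providers=SAMPLE_PROVIDERS) -> List[dict]:
    """One row per asset/provider pair, in inventory order."""
    return [evaluate(a, p) for a in assets for p in providers]


if __name__ == "__main__":
    for row in readiness_report():
        print(row)
```

In the sample run, the regulated customer records are mapped to the private model only and the public provider also lacks the audit and reporting controls, so that pairing is rejected twice over, while the marketing site is acceptable on either provider. The point of encoding the rules is that the same assessment can be re-run unchanged as the asset inventory or the provider list grows, which is the manual-effort problem the next paragraph raises.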
Considering that many organizations deal with a heterogeneous cloud ecosystem, comprised of infrastructure service providers, cloud software providers (e.g., cloud management, data, compute, file storage, and virtualization), and platform services (e.g., business intelligence, integration, development and testing, as well as database), it is often challenging to gather the above-mentioned information manually. Thus, automation of the vendor risk assessment might be a viable option, especially if the same software tool can be leveraged for the other stages of the cloud adoption life cycle.
In addition, it's important to select a software tool that provides compliance controls assessment frameworks and content from regulations such as PCI DSS 2.0, FISMA 2010, SOX, NIST, ISO, CSA, SANS and BITS, threat controls content from CSA, as well as cloud risk dashboards and reports.
Cloud Risk Operations
A portion of the cost savings obtained by moving to the cloud should be invested into increasing the scrutiny of the security qualifications of an organization's cloud service provider, particularly as it relates to security controls, and ongoing detailed assessments and audits to ensure continuous compliance.
In this context, organizations should consider leveraging monitoring services or security risk management software that provides:
  • Continuous compliance monitoring
  • Segregation and virtualization provisioning management
  • Automation of CIS benchmarks and secure configuration management integrations with security tools such as VMware vShield, McAfee ePO, and NetIQ SCM
  • Threat management with automated data feeds from zero-day vendors such as VeriSign and the National Vulnerability Database (NVD), as well as virtualized vulnerability integrations with companies such as eEye Retina and Tenable Nessus
Automated technology, which allows a risk-based approach and continuous monitoring for compliance, would be suitable for enterprises seeking to protect and manage their data in the cloud.
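What two of the capabilities listed above look like at the data level, as an added example in Python that is not code from the article or from any of the products it names: a continuous compliance check of host configuration snapshots against a secure-configuration baseline, and a join of an NVD-style vulnerability feed against the package inventory of the same hosts. The baseline controls, host snapshots, package versions and feed entries are all constructed for the example, and the CVE identifiers are placeholders, not real advisories.

```python
"""Continuous compliance monitoring and threat-feed matching over a host inventory.

Added example with constructed data; control ids, hosts, packages and the
CVE-0000-* identifiers are placeholders.
"""
from typing import Dict, List, Tuple

# Constructed secure-configuration baseline: control id -> (setting, expected value).
BASELINE: Dict[str, Tuple[str, str]] = {
    "CFG-01": ("ssh_permit_root_login", "no"),
    "CFG-02": ("disk_encryption", "enabled"),
    "CFG-03": ("mgmt_interface_public", "false"),
}

# Constructed host snapshots, as a configuration collector might report them.
HOSTS: Dict[str, dict] = {
    "web-01": {
        "config": {"ssh_permit_root_login": "no", "disk_encryption": "enabled",
                   "mgmt_interface_public": "true"},
        "packages": {"exampleweb": "2.3.1", "libexample": "1.0.4"},
    },
    "db-01": {
        "config": {"ssh_permit_root_login": "yes", "disk_encryption": "enabled"},
        "packages": {"exampleweb": "2.2.9", "exampledb": "5.1.0"},
    },
}

# Constructed NVD-style feed entries with placeholder identifiers.
FEED: List[dict] = [
    {"id": "CVE-0000-0001", "product": "libexample", "fixed_in": "1.0.5", "cvss": 9.3},
    {"id": "CVE-0000-0002", "product": "exampleweb", "fixed_in": "2.3.0", "cvss": 6.4},
    {"id": "CVE-0000-0003", "product": "otherapp", "fixed_in": "3.0.0", "cvss": 10.0},
]


def check_configuration(baseline=BASELINE, hosts=HOSTS) -> List[dict]:
    """Evaluate every host against every control; a missing setting counts as a failure."""
    findings = []
    for host, data in hosts.items():
        for control, (setting, expected) in baseline.items():
            actual = data["config"].get(setting)
            if actual != expected:
                findings.append({"host": host, "control": control, "setting": setting,
                                 "expected": expected, "actual": actual})
    return findings


def compliance_percent(baseline=BASELINE, hosts=HOSTS) -> float:
    """Share of (host, control) checks that pass, as a dashboard would report it."""
    total = len(baseline) * len(hosts)
    failed = len(check_configuration(baseline, hosts))
    return round(100.0 * (total - failed) / total, 1) if total else 100.0


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version string to a comparable tuple."""
    return tuple(int(p) for p in v.split("."))


def match_vulnerabilities(feed=FEED, hosts=HOSTS) -> List[dict]:
    """Join the feed against installed packages; a package is affected when its
    version is below the fixed version. Highest CVSS first."""
    hits = []
    for host, data in hosts.items():
        for entry in feed:
            installed = data["packages"].get(entry["product"])
            if installed and parse_version(installed) < parse_version(entry["fixed_in"]):
                hits.append({"host": host, "cve": entry["id"], "product": entry["product"],
                             "installed": installed, "fixed_in": entry["fixed_in"],
                             "cvss": entry["cvss"]})
    return sorted(hits, key=lambda h: h["cvss"], reverse=True)


if __name__ == "__main__":
    print(f"configuration compliance: {compliance_percent()}%")
    for f in check_configuration():
        print("  drift:", f)
    for h in match_vulnerabilities():
        print("  vulnerable:", h)
```

Treating an absent setting as a failure rather than skipping it is deliberate: a collector that cannot read a control is itself a gap in continuous monitoring. Re-running the two functions on each new snapshot and feed pull gives the risk-based, continuous view the paragraph below calls for.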
Cloud Risk Audit
This stage of the cloud adoption life cycle has not been very well defined yet and therefore requires further standardization driven by an increase in cloud deployments.
Nonetheless, when evaluating cloud service providers, organizations should ensure that they perform automated regulatory health checks and provide transparency in their infrastructure (IaaS), platform (PaaS), and software (SaaS) environments.
Practical Tips in Selecting the Right Cloud Risk Management Tool
When assessing Cloud Risk Management services or software, organizations should apply the following selection criteria:
  • Choose a vendor that offers an all-encompassing solution, meaning providing methodologies, frameworks, tools, and best practices to properly assess and manage your organization's cloud initiatives across all three stages of your cloud adoption life cycle. The solution should cover Governance, Risk, and Compliance (GRC), as well as Security in the form of threat and vulnerability management capabilities.
  • Choose an automated technology with an open architecture, since many organizations have invested heavily in security tools. This will allow data to be fed from the existing tools into the Cloud Risk Management tool and provide an aggregated view into both IT and business compliance and risk.
  • Make sure you work with a vendor that offers a solution that is content rich and includes many of the regulations (PCI, FISMA, SOX, etc.), frameworks, and standards that are applicable to your organization.
  • Seek out a vendor or service provider that can add value by offering innovative technology that goes beyond the traditional view of GRC. Namely, ensure that beyond governance and compliance, the areas of security (e.g., threat and vulnerability) and risk (e.g., enterprise risk management) are well covered, as it ensures higher return on investment.
  • Since you measure the success of a technology implementation by the time it takes to achieve value from its investment, it's crucial to engage with a vendor that offers the most efficient time-to-value. From a deployment perspective, this means that an on-site implementation should not exceed 90 days and as a managed service client, you should be up and running within 30 days.
Summary
There is no doubt that cloud computing will continue growing and, as it does, continue to get safer. But data breaches at some of the largest enterprises highlight the fact that there are still many risks associated with cloud adoption. Constantly changing government regulations are making it more difficult to keep compliant during the audit process as well. While it's exciting to be at the frontline when it comes to embracing a new technology that is poised to change the way we conduct business, we must remember that these technologies almost always come with new risks that have not yet been fully addressed.
