Security roundup: virtualization is key to public cloud security; China, Russia accused of cyber-espionage; More Duqu for you

And there's a changing of the guard at Cisco plus baking security into chips...

Ever been in an argumentative mood? Well, last week we were, with editors here coming up with 33 red-hot arguments, such as open source vs. proprietary, or which browser is better.

We got argumentative on security topics, too. We asked whether you should share data-breach information, with one side arguing against it unless you're forced to, and the other saying it will help the community as a whole to stop cybercrime. We're asking readers to vote their opinions online, and interestingly, about three-quarters spoke out in favor of sharing breach information.

More on security: The Security All-Stars

In a story on the "bring your own device" (BYOD) phenomenon, we focused on the question of whether corporations should say "yes" to employees wanting to use their personal iPhones, Android devices, iPads or any mobile device they own for business use on the corporate network.

Out of those who voted, about 28% said "Yes, but it is not my choice to do so," about 38% said "Yes, but I must review the devices first," and about a third said, "No way. I have seen too many viruses."

The BYOD debate story shows some businesses with close association to the federal government are contractually restricted from allowing employee-owned devices, and that the U.S. government is not a BYOD workplace at all. Former White House cybersecurity adviser Richard Clarke says the BYOD question is among the most important enterprise security questions today.

Virtualization holds a key to public-cloud security

While conventional wisdom says virtualized environments and public clouds create massive security headaches, the godfather of Xen, Simon Crosby, says virtualization actually holds a key to better security. Isolation -- the ability to restrict what computing goes on in a given context -- is a fundamental characteristic of virtualization that can be exploited to improve trustworthiness of processes on a physical system even if other processes have been compromised, says Crosby, a creator of the open source hypervisor and a founder of startup Bromium, which is looking to use Xen features to boost security.

China blasting

In further efforts to confront cyber-espionage from nation states, the U.S. government last week issued a report blasting China and Russia for stealing information for economic gain.

"Chinese actors are the world's most active and persistent perpetrators of economic espionage," the report from the office of the National Counterintelligence Executive said. The report said China's intelligence agencies often leverage people who have inside access to corporate networks to gain trade secrets and copy them to removable media.

Last week, Enterprise Strategy Group, in a survey of 244 security professionals, found that the majority of them believe they have been hit by the kind of stealthy infiltration to steal information of economic or military value. Many today call this the "advanced persistent threat," and the survey also found that APT concerns are leading to an increase in security budgets and more involvement from the executive management in the doings of the IT and security department.

The governments of the U.S. and the United Kingdom showed some solidarity last week as Vice president Joseph Biden and British Prime Minister David Cameron condemned efforts by some countries to censor their citizens' use of the Internet. They also made the case that free expression online has long-term benefits.

Biden said, "No citizen of any country should be subject to a repressive global code when they send an email or post a comment to a news article," For his part, Cameron said, "Governments must not use cybersecurity as an excuse for censorship or to deny people their opportunities that the Internet represents."

More on Duqu

Last week researchers provided more insight into Duqu, the windows-based Trojan seen as a successor to Stuxnet, though Duqu is now seen as more aimed at reconnaissance of networks rather than attempts to interfere with operation of industrial control systems. It was learned that Duqu attempts to exploit a Windows kernel zero-day vulnerability, but as of this writing remains unclear exactly when Microsoft, which is suggesting a workaround, might issue a patch against Duqu.

Changing of the guard at Cisco

Chris Young, former senior vice president at VMware, has been tapped to head up the security direction for Cisco, now that Tom Gillis, formerly vice president of the security technologies business unit, has left to pursue an entrepreneurial opportunity elsewhere, according to Cisco. Cisco has created the Cisco Security Group by combining two formerly separate units, the security engineering unit that Gillis had directed, with what was called Cisco's global government security solutions. Young, as senior vice president, is expected to head up Cisco's security direction, and he starts work on Nov. 14.

Baking security into chips

The cutting-edge intelligence research development arm of the government wants to take advantage of the world's semiconductor manufacturing capacity but make sure that US security and intellectual property protection is baked in. The Intelligence Advanced Research Projects Activity (IARPA) group is looking to fund development of new, advanced chip-making technology under a program it calls Trusted Integrated Chips. TIC would feature what IARPA calls "split-manufacturing," where fabrication of new chips would be divided into Front-End-of-Line manufacturing consisting of transistor layers to be fabricated by offshore foundries and Back-End-of-Line development that would be fabricated by trusted US facilities.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags virtualizationsecuritydata breach

More about APTCiscoFacebookGoogleLANMicrosoftTICVMware Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts