Infosecurity Today, May/June 2004 (news, p. 5)
Cyber attacks on banks double from 2003

Brian McKenna

Online security attacks on the global financial sector have doubled in the last year. Deloitte and Touche’s second annual Global Security Survey indicates a dramatic increase in the respondents reporting system breaches among financial institutions.

The survey, released on 27 May, showed that the number of financial institutions whose systems have been compromised in the last year has increased by 39% to 83%. Moreover, 40% of victims said they had sustained financial loss.

The survey sampled 100 companies, including 31 of the world’s top 100 financial services firms, 23 of the top 100 banks, and 10 of the top 50 insurance companies.

A senior banking source at a City of London institution confirmed that cyber attacks and financial losses have increased in the last year. “There can be no doubt of that”, he said, “though it is hard to get an overall picture. Some colleagues at other institutions are saying it is ‘business as usual’ while others do report significant financial losses.”

Eighty-seven per cent of the professional services firm’s respondents said they had fully deployed anti-virus measures, which is down from 96% in 2003. While this might indicate a loss of faith in traditional AV technology, caused by the success of network worms such as Blaster and Sasser, the City of London banking source expressed scepticism. “It’s more that anti-virus is lacking at the customer end, especially regarding phishing attacks”.

Deloitte and Touche failed to put a number on the scale of the loss due to the increased volume of attacks.

The banking source said that “losses are starting to get on a par with credit card fraud losses, but at present it is more about brand damage and internal disruption”.

CA launches co-managed VA and patch management service

Brian McKenna

Computer Associates has announced a new vulnerability management and remediation service that will be co-managed by the vendor and its customers. The service is available in the US, and will be rolled out in Europe during 2005.

The vendor will do vulnerability assessment and provide remediation software, as a service, but will stand back from patch deployment. “No one wants to give someone else control over the remediation of their IT assets”, said Marc Camm, vice president, CA's eTrust Managed Vulnerability Service.

“The magnitude and the way we have done this marks a first for Computer Associates”, said Samuel Curry, vice president, eTrust. “It’s neither outsourcing nor in-sourcing, but co-management.”

Curry explained that the service begins with an assessment of a client’s environment, which is then mocked up in CA vulnerability operations centres, operating 24/7.

CA will compete with MSSPs, said Curry, “but it is a new breed, especially in enterprises with 5,000 nodes and upwards. And the model is new since it is not all or nothing, but a negotiation between vendor and client.”

Curry confirmed that the consultative cast of the service indicates a change in the vendor’s way of working. “Even so, the overall stress will be on the reseller channel in the next year.”

Simon Perry, divisional vice president, security strategy said that the so-called vulnerability operations centers will extend from the US to Europe in EMEA 2005. He also maintained that the competition – such as Foundstone and Qualys – fail to “do the remediation piece.”

Perry also said that the company’s Q4 results “will be the strongest ever in EMEA; we will be neck and neck with the US. This compares with the situation 18 months to two years ago when our market share was significantly lower in EMEA than it was in North America.”

Part of the reason for that was, he said, the fact that “we are playing the role of security adviser”, highlighting the development of a services dimension to the vendor.

The company also announced release 8 of eTrust Vulnerability Manager, which, it says, combines VA, patch and configuration management, automated remediation, and compliance analysis on a single appliance. The product is a core element to the new co-managed service.

The Open University has been using Vulnerability Manager since September 2003. Jamie See, technical analyst at the OU, said that the product enabled his team to fend off Sasser. He has no plans to buy in the new co-managed service.

The service’s pricing starts at $80 per node per year for 5,000 nodes.

Rich Ptak, an industry analyst at Ptak, Noel & Associates said: “vulnerability assessment and security network monitoring has been provided by boutiques up till now. CA is the first major vendor to enter this area.”

Bombardier Aerospace is an early adopter of the service. “By co-managing vulnerability activities, my team will be better able to focus on strategic activities,” said Alain Paquette, manager, Group Infrastructure Management.