Trusted Computing Group News

Fighting Malware With Hardware Can Produce Better Security

Thu, 16 May 2013 00:00:00 GMT

Rather than trying to keep up with the threats posed by rapidly evolving malicious software, agencies can leverage the security features being built into hardware to ensure that computing devices are safe and remain uninfected, says Larry Hamid, chief architect for IronKey by Imation.

Malware has gone from being a nuisance to a serious tool for crime, espionage and possibly terrorism, Hamid said during a presentation at the FOSE conference in Washington, D.C. Responding to these developments puts defenders in a perpetual game of catch-up in which the bad actors have the advantage. Moving away from software for security solutions could help shift the advantage to defense, he said.

“They are fighting with software; what you have is the ability to use hardware,” he said.

Functionality built into hardware is robust, high-speed and reliable, but putting that functionality into software often is more economical, easier to distribute and implement and more flexible. There is a trend toward implementing security features into secure devices that need a high level of protection, however. These include the Trusted Computing Group’s Trusted Platform Module and Opal Storage Specification, full-disk encryption in hardware and boot-from-USB devices.

There is opportunity to greatly expand the security hardware provides by taking advantage of the pre-boot phase of secure devices, a phase that usually is limited to authentication before starting the operating system, Hamid said. Hardware can support not only authentication, but also cryptography and key management, digital signature verification and storage management.

Pre-boot antivirus and other types of scanning could be enabled so that devices can be checked and problems eliminated before they present a threat. Devices could be evaluated before booting to see if they conform to required or expected states, ensuring that all proper software and configurations are in place, no unexpected changes have been made and nothing improper has been added.

The Opal specification allows policy controls to be applied to storage devices, enabling partition of storage space with different requirements and limitations, such as read-only areas, hidden areas, encrypted and digitally signed areas.

The downside to enforcing these types of controls in hardware when a device is booted is the added time it takes to get up and running. But performing more security functions and tests with hardware prior to booting a device could undermine attackers’ advantage by catching their software before it has a chance to run.

“The hardware features are there today” to enable this, Hamid said.

Source: gcn.com

To read the original article click here.

Trusted Computing Group (TCG) to Talk Security Automation with Speakers from National Institute of Standards and Technology

Fri, 03 May 2013 00:00:00 GMT

What: Trusted Computing Group (TCG) will host a free webinar on security automation and the role of standards.

Steve Hanna, Distinguished Engineer at Juniper Networks and co-chair of the TCG Trusted Network Connect (TNC) Work Group and Dave Waltermire, SCAP Architect in the Computer Security Division of the National Institute of Standards and Technology, will talk about the war of info security and the battle between attackers and defenders.

The webinar will describe security automation as a way to automate security tasks and lay out a four-step process to automate more aspects of information security and better protect enterprise systems, networks and assets against today's sophisticated, automated attacks.

TCG recently published the Security Automation Architects Guide to advise users on how to specific, deploy and manage security automation processes and solutions. That guide is available at http://www.trustedcomputinggroup.org/resources/tcg_security_automation_architects_guide.

When: Wednesday, May 15, 3:00 p.m. Eastern/12:00 p.m. Pacific

Where: Register on the BrightTalk network at https://www.brighttalk.com/webcast/7423/72107.

Website: More information and the organization's specifications are available at the Trusted Computing Group's website, www.trustedcomputinggroup.org.

Tweet this: @TrustedComputin to host security automation webinar May 15 with #NIST. Steps to automate against attacks. http://bit.ly/16oeZsm

CONTACT: Anne Price

1-602-840-6495

Mobile 1-602-330-6495

press@trustedcomputinggroup.org

Twitter: @TrustedComputin

LinkedIn: http://www.linkedin.com/groups/Trusted-Computing-Group-4555624

Trusted Platform Module Aids Windows Mobile Device Security

Mon, 22 Apr 2013 00:00:00 GMT

Technology that already keeps enterprise data secure on servers and networks has made its way onto Windows mobile devices.

Windows-based notebooks and tablets incorporate the trusted platform module (TPM) chip, a product and specification that adhere to the Trusted Computing Group's security architecture.

The chip is installed on a device's motherboard and is available from vendors including Broadcom, Infineon Technologies and STMicroelectronics. Management of the chip is enabled by software from companies such as Wave Systems.

At the heart of TPM is its ability to provide mobile device security at the BIOS level. It allows for device authentication and is a way to store encrypted keys.

The technology can help IT reduce corporate data security risks that come with the bring-your-own-device (BYOD) movement in a couple of ways. Instead of allowing employees to use non-secure devices, IT can issue employees a Windows-based tablet PC with a TPM chip, or employees can bring their own.

"BYOD is scary for companies and consumers because that device in your pocket or tablet [allows you to do] banking and email, and a lot of businesses are concerned about that," said Lamar Bailey, director of security research and development at Tripwire in Portland, Ore.

However, TPM is not a panacea for mobile device security, and it needs to be used with other technologies. These include self-encrypting drives, Microsoft's BitLocker, mobile device management systems, antivirus software and tokens for VPN clients.

TRUSTED PLATFORM MODULE 1.2

TPM's 1.2 specification is supported by a host of major vendors such as Intel, Microsoft and Dell.

A subset of TPM is the mobile trusted module (MTM), a firmware upgrade for consumer-grade mobile devices. The MTM can store digital keys and passwords that help authenticate each device. However, MTM is still in its early phase.

For example, Windows 8 includes the Unified Extensible Firmware Interface (UEFI) to ensure that only valid software executes upon booting. This works along with TPM chips.

Companies have successfully deployed the TPM modules with defensive layers, according to Peter Renner, Microsoft professional services director at En Pointe Technologies, an IT reseller in Gardena, Calif.

Some people, however, don't believe TPM is a viable security solution for BYOD.

"If TPM were installed on employees' devices, it potentially could create issues for the employee down the road if they left the company and then needed certain types of IT service," explained Kyp Walls, senior director of product management at Panasonic System Communications Company of North America. Secaucus, N.J.-based Panasonic has incorporated TPM chips into its products since 2006.

In addition, the mobile device security technology may not work for devices owned by end users.

"The downside comes from the fact that the TPM is still not owned or managed by the enterprise," said Chris Crowley, a certified instructor at the SANS Institute, an organization that provides computer security training and certification in Bethesda, Md. "The TPM key is protected by the user, so if the user operating the device is not safeguarding the data, it remains at risk."

Standardizing on technology based on the trusted platform module can help, and some organizations have come to rely on it to mitigate their data security risks.

"Most of our machines have TPM chip technology in them," said Jan Pabitzky, chief information officer of the Geary County Schools in Junction City, Kan. "As we go through a replacement strategy, we will use TPM-only devices."

The school district is not alone in its security concerns.

The Ponemon Institute, a market research company in Traverse City, Mich., published a 2013 State of the Endpoint survey that revealed steeply growing security concerns surrounding mobile devices. In 2012, 73% of 671 IT pros who answered the survey said mobile devices posed a security risk for IT. Only 9% identified this as a risk in 2010. Other IT security risks included mobile/remote employees and the cloud.

Source: TechTarget

To read the original article click here.

Boeing technology offers secure, efficient way to tie together business, industrial nets

Mon, 22 Apr 2013 00:00:00 GMT

The Boeing Company is pioneering a way to securely bring together business IT networks with what ordinarily are entirely separate networks for industrial-control systems (ICS) in order to gain efficiencies and benefits in information-sharing in manufacturing.

Boeing's approach, which has been deployed in some of its airplane manufacturing plants, is leading to a new standards effort at the Trusted Computing Group (TCG) for what could be a revolutionary type of virtual private networking that could be applied not only to manufacturing ICS in the future but the "Internet of things," as it's now sometimes called. That could mean everything from electric or traffic systems to medical equipment in hospitals to nanny cams to oil and gas controls that when accessible via the Internet, are too vulnerable to hacker attacks.

"Boeing has done a great job in ICS security," says Stephen Hanna, distinguished engineer at Juniper Networks and chairman of the TCG's Trusted Network Connect work group where the new standard, influenced by what Boeing has done on a home-grown basis in its networks, is expected to be finalized by this fall.

The proposed standard is called the "IF-MAP Metadata for ICS Security." It applies an existing TCG standard known as "Interface for Metadata Access Points" (IF-MAP) to industrial-control systems.

The IF-MAP protocol is used today to establish a database of security, device management and vulnerability information that's received and aggregated from any security product, such as intrusion-detection systems and firewalls for example, that support IF-MAP. Hanna says a couple of dozen vendors support IF-MAP today, including Lumeta with its IPSonar network-discovery tool, for example, which Juniper uses.

But what Boeing has done with the IF-MAP protocol tackles a different question: Since ICS networks have traditionally been maintained as wholly separate entities, sometimes not TCP/IP-based or only connected via leased lines, how can ICS devices be integrated into the increasingly high-speed business IT networks that are usually connected to the Internet?

There are often strong reasons to interconnect them, such as huge cost savings or a way to unite ICS devices across Internet boundaries when needed, or just for information-sharing purposes. "But it opens up a lot of security issues," Hanna points out.

Craig Dupler, technical fellow in Boeing's research and technology business unit, say Boeing understands the nature of such risk. But it was also clear that there would be a huge advantage in using the IT network there to interconnect some parts of its ICS at Boeing.

So a few years back, research engineers with expertise in networking security devised what became home-grown "black boxes" that Boeing today internally refers to as its "Control Systems Security Solution" at Boeing.

These CS3 black boxes, which support the IF-MAP protocol among other standards, basically act as proxies to protect ICS equipment by orchestrating what each ICS can connect to, whether it's another network or a device. There's a means for policy-based enforcement of encryption or identity management. It allows the IT department to manage non-IT devices on the business network but also to delegate controls to the ICS team.

"This is not a traditional VLAN," Dupler emphasizes. It's a way to orchestrate what the controls-systems team can see on the network and the IT department group can see and what they are allowed to manage in a fine-grained manner. "I don't want the heating and ventilation side to see what my robots are doing, for instance," says Dupler.

Not all technical experts at Boeing share the belief this is the best way to manage non-IT devices on an IT network, Dupler is quick to point out. It's still subject to debate. But Boeing is eager to see the type of home-grown CS3 black box it came up with become commercialized for wider use over the long term.

Not only are vendors Infoblox and Juniper interested in the evolution of the concept, but a former research engineer at Boeing, David Mattes, left to start a Seattle-based firm called Asguard Networks a year ago to commercially further Being's "black box" idea. The product Mattes came up with is called SimpleConnect, which supports IF-MAP for ICS. SimpleConnect is being tried out at Boeing under limited circumstances. Asguard Networks has other early-adopter customers as well, including a Florida water utility.

The SimpleConnect box "sits between the devices that need to be protected and a shared network resource, such as a business network or wireless or the Internet or a private network in a plant that needs to be further separated," Mattes says.

SimpleConnect provides a way to orchestrate in an automated fashion the cybersecurity for industrial controls systems by placing a private network overlay on top of a shared network. Eventually, the SimpleConnect box could gain additional security functionality, such as intrusion-detection or firewalling capability, Mattes adds.

However useful the security concept that Boeing pioneered for its own network use, one basic problem is that you can end up with too many black boxes abounding in the network, Dupler acknowledges. If Boeing's approach to security for industrial controls ever catches on and becomes widespread, Dupler says he hopes this security functionality might one day be boiled down to fit inside something small, such as a network-interface card.

Source: Network World

If you’d like to read the original article click here.

Ponemon Study Demonstrates 75% Cost Savings When Using Hardware-based Encryption

Thu, 18 Apr 2013 00:00:00 GMT

Mississauga, ON, Canada – April 18, 2013 - WinMagic Inc., the global innovator in full disk/drive encryption (FDE), along with the Ponemon Institute and industry leaders in Self Encrypting Drives (SEDs), LSI Corporation, Micron, PLEXTOR, Seagate, Samsung and Toshiba, today announced the results of a new study that compares the TCO of Software vs. Hardware-based FDE. In this study, it was found that hardware-based encryption solutions such as SEDs offer more than a 75 per cent cost savings when compared to software-based encryption solutions.

This study was commissioned by WinMagic and has received unprecedented industry support from leading SED manufacturers that have co-sponsored the work done by Ponemon. The purpose of the study was to learn how organizations are deploying software and hardware-based FDE solutions for desktop and laptop computers as well as determine the total cost and benefits for organizations. The Ponemon Institute surveyed 1,335 individuals in IT and IT security in four separate country samples: the United States (US), United Kingdom (UK), Germany (DE) and Japan (JP), representing a variety of industry sectors.

Key findings from the study include:

SEDs offer a significant savings as it relates to lost end-user productivity by reducing total idle time during encryption and excess time spent on traditional operation of the computer.
With SEDs there is no user or IT idle time during the encryption process as it happens instantly.
In the U.S. the per-user/per-year savings value of SEDs compared to software-based encryption is $300.
On average, when compared to software-based encryption, hardware based encryption with SEDs can offer a 75 percent total cost savings.
The TCO for all form of drive encryption is an astounding $300 to $600 per year while the average licensing cost for FDE solutions is less than $20 per year.
Regardless of the encryption method used, the benefits of encrypting data outweigh the total cost of ownership by a factor of 4 to 20x, depending on the country sample.

“For the past five years, we have been saying there are two key technologies that will drive significant change in the drive encryption market, SEDs and pre-boot networking. The results of this study clearly demonstrate the value that SEDs offer and we can enhance that value with our pre-boot networking solution - PBConnex,” said Thi Nguyen-Huu, CEO of WinMagic Inc. “We believe it’s important for businesses to be aware of security technologies such as SEDs and the benefits they offer. We’re very pleased to be working with these industry-leading OEM providers to share this information with the broader community and businesses globally.”

“In looking at our data, it is clear there is a substantial cost difference between software-based and hardware-based FDE methods,” said Larry Ponemon, Chairman and Founder of the Ponemon Institute. “The main source of differences between software and hardware FDE solutions concern IT tech time/labor, end-user productivity and licensing fees.”

The information revealed in this study, which touted the benefits of hardware-based encryption, really is an exciting revelation. WinMagic, recognized by leading SED OEMs as the industry leader in FDE and contributing member of the TCG, is one of the few software vendors today that has the ability to support both software FDE and hardware-based FDE.

SEDs are Hard Disk Drives (HDDs) or Solid State Drives (SSDs) that encrypt the data stored at a hardware level, built directly into the drive electronics, without the assistance of software. This means encryption is always on, the encryption keys never leave the drive and authentication is done independently of the Operating System.

Many drives today follow Trusted Computing Group (TCG) standards when manufacturing SEDs designed to Opal. Opal is a TCG-developed standard for building and managing SEDs. Opal is a common set of criteria that SED drive manufacturers follow to ensure compatibility. Many of the co-sponsors of this study are members of the TCG and support Opal standards in their SEDs.

A full Webinar walking through the results of this study will take place on April 30th, 2013. This Webinar will feature Larry Ponemon reviewing the results along with representatives from WinMagic, LSI, Micron, PLEXTOR, Samsung, Seagate and Toshiba in attendance. Registration can be found here: https://www.winmagic.com/ponemonstudy2/webinar

The full study summary can be found on WinMagic’s web site and is free to download at: https://www.winmagic.com/ponemonstudy2.

Industry feedback and support for the findings regarding SEDs in this study can be found here.

HGST Launches the Industry's First 12GB/S SAS Solid State Drives for HIgh-Performance Enterprise Applications and Massive Data Growth

Wed, 10 Apr 2013 00:00:00 GMT

Enterprise SAS/Fibre Channel SSD Leader Produces the Industry’s Highest Performance SAS SSDs for Demanding Financial and Online Transaction Processing, Cloud Computing and Big Data Environments

Industry-leading, 2.5-inch, 12Gb/s SAS SSD family includes:

High Endurance Ultrastar™ SSD800MH – sequential throughput of up to 1,200MB/s read and 750MB/s write; up to 145,000 read and 100,000 sustained write IOPS; up to 800GB; and the highest endurance rating at 25 full drive writes per day (DW/D) to support high-frequency trading and online transaction processing.
Mainstream Endurance Ultrastar SSD800MM – sequential throughput of up to 1,200MB/s read and 700MB/s write; up to 145,000 read and 70,000 sustained write IOPS; up to 800GB; and a high endurance rating at 10 full DW/D to support online gaming, big data and cloud computing.
Read Intensive Ultrastar SSD1000MR – sequential throughput of up to 1,200MB/s read and 700MB/s write; up to 145,000 read and 20,000 sustained write IOPS; up to 1,000GB (1TB); and an endurance rating at two full DW/D to support online audio/video streaming, cloud computing and other Internet applications.

SAN JOSE, Calif., April 9, 2013 – HGST (formerly Hitachi Global Storage Technologies and now a Western Digital company, NASDAQ: WDC) today announced the industry’s fastest and most advanced enterprise-class, multi level cell (MLC) SAS SSD family – the Ultrastar SSD800MH, Ultrastar SSD800MM and Ultrastar SSD1000MR. From the market share leader in enterprise SAS/FC SSDs, these HGST drives are the first to double today’s SAS interface speed. Designed for the most demanding applications where “hot” data is accessed frequently, such as high-frequency trading, online banking, cloud computing, online gaming, and big data analytics, HGST’s new 12Gb/s SAS SSDs help increase input/output per second (IOPS) and improve response times to mission-critical data in cloud and traditional IT datacenters environments.

Due to their rich SCSI heritage, SAS SSDs and high performance, high capacity hard disk drives (HDDs) will continue to be the building blocks of choice for future generations of high-performance enterprise servers and storage arrays. Leveraging HGST’s SSD market success, the new Ultrastar 12Gb/s SAS SSD family combines enterprise-grade, 25nm, highest-endurance, MLC NAND flash memory, industry-leading performance, advanced endurance management firmware and power loss data management techniques to extend reliability, endurance and sustained performance over the life of the SSD.

Enterprise-Class MLC SSDs – A Critical Enterprise Component

Increasingly in traditional IT and cloud hyperscale datacenters an application’s high-end processing functions are stored on SSDs, which are then paired with high-capacity hard disk drives (HDDs) that store the bulk of that application’s less dynamic content in tiered infrastructures. This mix of high-performance SSDs and high-performance and high-capacity enterprise-class HDDs deliver greater efficiencies of scale, improved asset utilization and help lower total cost of ownership (TCO).

Enterprise-class SAS SSDs and HDDs are proving to be the preferred solution for datacenter architects who have ruled out client-level SATA SSDs and desktop-class HDD combinations, which may deliver a lower price; but also can result in lower system uptimes. Likewise, putting all types of data on a high-end PCIe only infrastructure is prohibitively expensive.

Implementing a sound tiered storage strategy using HGST enterprise-class SSDs and HDDs can make a positive impact through improved service levels and cost savings. Using HGST’s highly reliable, high-endurance enterprise-class SSDs rated with the industry’s leading 2.0 million hours mean time between failure¹ (MTBF) specification can also help reduce current and long-term TCO as datacenter managers experience fewer failures, improved uptime, and receive the highest performance with improved latency and IOPS.

“SSDs along with high-performance and high-capacity HDDs are the main building blocks of choice for traditional IT and cloud hyperscale datacenters and represent a market that is expected to grow in excess of $16 billion by 2015,” said Jeff Janukowicz research director, Solid State Drives and Enabling Technologies at IDC. “SSDs, such as HGST's new SAS SSD family, continue to improve generation to generation to meet today’s enterprise workload requirements while driving down the price points to support high I/O applications.”

New HGST Ultrastar 12Gb/s SAS SSD Family: The Right Fit For High I/O Applications

As the first SSDs with 12Gb/s SAS, HGST continues to push performance limits. The new Ultrastar SSD800MH 12Gb/s SAS SSD delivers the highest sequential throughput with up to 1,200MB/s large block reads, and up to 750MB/s writes. It also delivers up to 145,000 read and 100,000 write IOPS, reaching speeds >100 times faster than HDDs, allowing rapid access to “hot” enterprise data for improved productivity and operational efficiency.

With this new generation, HGST has also improved its SSD “quality of service.” Quality of service refers to how quickly and efficiently the SSD can manage and process reads and writes to the drive. Like lanes on a highway, too much data traffic can cause congestion and slow performance. In tier 0/1 enterprise applications such as high-frequency trading, every millisecond counts. As the industry leader in enterprise SSDs, HGST uses unique firmware and controller technology to significantly improve command completion time requirements. The overall result is a 50 percent improvement in latency, a 300 percent improvement in I/O per second (IOPS) writes, and a 2x – 3x faster throughput compared to the earlier generation Ultrastar SSD400S SSD. Common firmware and controller technology across HGST’s enterprise-class SSD and HDD families also allows for seamless system integration and reduced qualification times.

Building solutions for the future, HGST’s new SSD family comes with three endurance levels – high endurance, mainstream endurance and read-intensive endurance. Each 12Gb/s SAS SSD family delivers an optimal balance of performance, reliability, cost and endurance to meet the unique and diverse workload requirements of nearly any enterprise application. The new Ultrastar SSD800MH high-endurance SSD rates at 25 full drive writes per day (DW/D) for five years, ideal for high-frequency trading or online transaction processing. The Ultrastar SSD800MM mainstream endurance SSD rates at 10 DW/D for five years, ideal for applications such as online gaming, big data, and cloud computing. The read-intensive 1TB Ultrastar SSD1000MR SSD rates at two DW/D for five years, perfect for streaming audio/video, cloud computing and other Internet applications.

“LSI and HGST have achieved a number of key milestones, including compatibility testing of the fastest 12Gb/s SAS RAID controllers and SSDs, and are prepared to lead the industry transition and market adoption of the new 12Gb/s SAS interface standard,” said Bill Wuertz, senior vice president and general manager, RAID Storage Division, LSI Corporation. “As the preferred enterprise interface of the future, 12Gb/s SAS is essential to unleashing the full performance potential of SSD storage solutions to help datacenters and cloud environments contend with massive data growth and accelerate application performance. It is also backward compatible with 6Gb/s SAS for investment protection in current SAS infrastructures.”

“Our Zebi storage arrays are specifically designed with de-duplication and compression in virtualized server and desktop environments where performance and capacity are critical. Using HGST’s reliable, high-performance and high-capacity SSDs and HDDs, combined with our innovative Zebi technology, gives our customers the best balance of performance, capacity, features and price,” said Rob Commins, vice president of marketing, Tegile Systems. “We’re proud to say that our award-winning Zebi HA2800 storage array uses HGST’s SAS SSDs, and we look forward to working with HGST on this new generation of 12Gb/s SAS SSDs to deliver even more performance and capacity to our customers.”

“With the industry’s highest SAS SSD performance, three endurance-level options, high-capacity and proven reliability, HGST offers the most-advanced 12Gb/s SAS SSDs for the enterprise where it is critical SSDs and HDDs integrate seamlessly in tiered storage environments for optimal efficiency,” said Brendan Collins, vice president of product marketing, HGST. “Combining more than 50 years of design and qualification experience with proven HGST SAS implementation across interface hardware and firmware, HGST’s new line of MLC SSDs provides simple, scalable and flexible solutions that ensure system compatibility and ease of integration into new or existing enterprise storage systems and designs.”

Availability HGST is currently qualifying its SSDs with select OEMs. Broader qualification samples are now available with channel distribution scheduled in June 2013.

Ultrastar 12Gb/s SAS self-encrypting SSD models are also available, which conform to the Trusted Computing Group’s Enterprise A Security Subsystem Class encryption specification, helping customers reduce the costs associated with drive retirement and extend drive life by enabling repurposing of drives.

The Ultrastar 12Gb/s SAS SSD family is targeted to achieve a 0.44 percent annual failure rate (AFR) or two million hour mean-time-between-failure (MTBF), representing HGST’s continued product strength. They are backed by a five-year limited warranty, or the maximum petabytes written (based on capacity). Please visit http://www.hitachigst.com/solid-state-drives for more information.

About HGST

HGST (formerly known as Hitachi Global Storage Technologies or Hitachi GST), a Western Digital company (NASDAQ: WDC), develops advanced hard disk drives, enterprise-class solid state drives, innovative external storage solutions and services used to store, preserve and manage the world’s most valued data. Founded by the pioneers of hard drives, HGST provides high-value storage for a broad range of market segments, including Enterprise, Desktop, Mobile Computing, Consumer Electronics and Personal Storage. HGST was established in 2003 and maintains its U.S. headquarters in San Jose, California. For more information, please visit the company’s website at http://www.hgst.com.

This press release contains forward-looking statements, including statements relating to expected availability dates for HDD products. These forward-looking statements are subject to risks and uncertainties that could cause actual results to differ materially from those expressed in the forward-looking statements, including changes in markets, demand, global economic conditions and other risks and uncertainties listed in Western Digital’s recent SEC filings, to which your attention is directed. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak on as of the date hereof, and HGST/WD undertakes no obligation to update these forward-looking statements to reflect subsequent events or circumstances.

¹ MTBF target is based on a sample, aggregate population of a drive family and is estimated by statistical measurements and acceleration algorithms under nominal operating conditions. MTBF ratings are not intended to predict an individual drive’s reliability. MTBF does not constitute a warranty.

One GB is equal to one billion bytes, and one TB equals 1,000 GB (one trillion bytes). Actual capacity will vary depending on operating environment and formatting.

Ultrastar is a registered trademark of HGST, a Western Digital Company. Western Digital, WD, and the WD logo are registered trademarks of Western Digital Technologies, Inc. All other trademarks are properties of their respective owners.

Secrets of Enterprise Storage

Sun, 31 Mar 2013 00:00:00 GMT

Legal compliance and privacy protection concerns and legislation are driving greater interest in preventing unauthorized access to data by companies. This is leading to a increasing interest in encrypting data so it cannot be read by anybody who doesn’t posses the encryption key. Protecting data from unauthorized access has become one of the critical issues for companies as well as governments.

Software encryption ties up the host microprocessors in decrypting encrypted data and the additional overhead that results makes this approach unattractive to many enterprise IT professionals. Fortunately there are encryption technologies that encrypt the data on the individual storage devices and allow for centralized key management by enterprise IT departments. By encrypting and de-encrypting data in the storage devices the host processing power is not burdened with the additional overhead of decryption.

Self-encrypting hard disk drives (SE-HDDs) and solid-state drives (SE-SSDs) are protecting data on some mislaid or stolen laptops from revealing secrets to unauthorized people. These drives are built to the standards of the Trusted Computing Group (TCG) Storage Work Group (http://www.trustedcomputinggroup.org/developers/storage/). The TCG OPAL standard covers self-encrypted storage devices used in client applications such as laptops.

These client applications typically have a single encrypted storage device. These client encrypted drives are currently a bit more expensive than the unencrypted versions and do not have widespread use yet. For reasons pointed out in earlier blogs solid-state drives are likely to have SE-SSD capabilities even if the host system doesn’t take advantage of this capability, since encrypted data can be rendered virtually unrecoverable by erasing the encryption key. This process is called crypto-erase and may be the only reliable way to purge sensitive data from SSDs.

In addition to client applications, the TCG has been developing standards for encrypted storage devices in storage array applications where a number of storage devices are used together to create a storage system with greater storage capacity, performance and/or data protection than can be provided with a single storage device. An important element in bringing self-encrypting storage technology to the data center is the creation of a universal key management standard. The TCG TPM Key Management Standard provides the ability to securely collect and organize storage device keys used in a storage system.

In addition to a universal key management capability for SE drives (SEDs), once these drives are removed from the storage system for repair or replacement, the data on the drive cannot be recovered without the encryption key. If this key is erased (crypto-erase) the data on the drive is effectively unrecoverable. Thus SEDs provide a convenient way to sanitize drives if they are removed from the data center. Likewise in today’s highly virtualized storage environments fast crypto-erase provides a way to protect client data when individual storage devices are re-purposed for other clients.

The creation of key management standards is leading to a boom in the availability and use of self-encrypted storage device technology in enterprise storage systems. All the major companies supplying enterprise storage devices (such as HDDs and SSDs from Intel, Micron, Samsung, Seagate, Toshiba and Western Digital) are including self-encryption in their product line. SAS and SATA enterprise storage with self-encryption are poised to become ubiquitous elements in data centers. Major storage system companies are promoting the use of SEDs in their storage systems. For instance, NetApp promotes the use of drive encryption in their SANtricity storage management software.

Self-encrypting drive technology is an important tool in providing customer privacy and preventing unauthorized access to data. Whether in client or enterprise applications this technology provides solid benefits and helps companies meet compliance and privacy protection requirements. Self-encrypting storage technology avoids the additional overhead of software encryption approaches, providing real-time data protection without the wait.

Hard disk drive and solid state drives utilizing the self-encrypting technology standardized by the Trusted Computing Group should become a common-place element in both client and storage array storage systems as suppliers and designers embrace these approaches to preserve the secrets of enterprise storage.

Source: Forbes.com

To read the original article click here.

Welcoming A New Sponsor: The Trusted Computing Group

Tue, 19 Mar 2013 00:00:00 GMT

he Security Ledger is a new, online publication that’s serious about reporting on security and “The Internet of Things.” While we’ve had tremendous success in our first six months of operation, any new endeavor involves some risk. That’s why I’m thrilled to have had the backing of some forward-looking sponsors: Qualys and Veracode. And today, I’m happy to add a new name to that list: The Trusted Computing Group (TCG).

For those of you who aren’t familiar with TCG, its best known as the group behind the Trusted Platform Module (TPM) secure, cryptographic chip that ships with almost every modern desktop and notebook PC. The TPM assures a hardware-based root of trust on compliant system, allowing TPM-equipped systems to securely generate cryptographic keys that can authenticate each endpont for use in secure, online transactions and communications.

But TCG actually does a lot more. As a security beat reporter, for example, I got familiar with the group in the process of covering the “NAC” – or Network Access Control” space. That technology was all about vetting the security of endpoints before admitting them to enterprise networks. It was a space that screamed out for cross industry standards, with every vendor and their sister foisting similarly-scoped, but incompatible standards for doing end point assessment and provisioning. TCG’s Trusted Network Connect was the first vendor neutral, open architecture for doing that.

Today, TCG is at the nexus of a lot of interesting stuff that’s brewing around online identity and securing embedded devices, critical infrastructure and the rapidly expanding universe of devices. At the RSA Conference, TCG members demonstrated a wide range of applications for TCG technologies including the TPM, TNC and TCG’s Opal-based self encrypting drives. As an example, I chaired a panel on the applications of TPM and emerging specifications around secure BIOS and secure boot against advanced persistent threat (APT) attacks.

Long and short: the TPM contains several PCRs (Platform Configuration Registers) that allow a secure storage and reporting of security relevant metrics. These metrics can be used to detect changes to previous configurations and derive decisions how to proceed. Microsoft’s BitLocker Drive Encryption is one example of this, and Windows 8 brings on-by-default support for TPM on TPM enabled systems.

Other RSA-related news included a demo by a firm called Asguard Networks that used TCG’s IF-MAP standard to create independent and isolated VPN overlay networks to secure communications between industrial control systems, while Microsoft, Juniper Networks and Infoblox used TNC specifications for endpoint identification, device profiling and network access control for securing a BYOD environment.

So, if you haven’t done so already, point your browser over to the Trusted Computing Group’s web page and check them out. And be sure to give them a big “thanks” for supporting independent reporting on security through their sponsorship of The Security Ledger!

Source: SecurityLedger.com

To read the original article click here.

PayPal CISO Michael Barrett Bullish on Password Alternative Standard

Wed, 13 Mar 2013 00:00:00 GMT

An alliance of technology firms, including PayPal and Lenovo, is confident it will succeed in providing viable alternatives to passwords for users to authenticate themselves with online services.

To achieve this, the Fast IDentity Online (Fido) Alliance has published a set of open standards aimed at enabling the interoperability of authentication technologies.

The standards are aimed at making online accounts more secure, by eliminating password theft and re-use, and giving PCs and mobile devices a bigger role in authentication.

Single password hazard

Most users of online services find it difficult to cope with multiple passwords and tend to use a single password for several accounts, making it only as secure as the least secure service provider.

Insecure passwords are a problem for online enterprises because of lost business, through user lockouts and forgotten passwords, and direct losses through fraud by cyber criminals using stolen credentials.

The Fido Alliance has consulted widely in the IT industry and no-one has denied the problem needs to be solved or that Fido’s approach is flawed, said Michael Barrett, president of the Fido Alliance and CISO at PayPal.

“Industry leaders agree there is a real need, that this is the right time to tackle it and that the Fido alliance is going about it the right way through open standards,” Michael Barrett told Computer Weekly.

For example, the Trusted Computing Group (TCG), which develops open standards for hardware-enabled trusted computing and security technologies, views the Fido standards as complementary to its own.

The TCG’s Trusted Platform Module (TPM) could be a valuable authentication methodology for use with the Fido standards, said Barrett.

Applications using Fido standards

In an implementation using TPM, a Fido-enabled system would interrogate the TPM cryptoprocessor in a user’s device to authenticate the user.

Similarly, a service provider using the Fido standards could authenticate a user by using a device’s microphone, fingerprint scanner or camera for biometric checks.

According to Barret, the Fido Alliance’s mission is similarly complementary to what companies such as Google are doing to make online authentication as easy and as secure as possible at the same time.

“From the positive response we have received since publishing the standards is growing my confidence that we will pull this off,” he said.

All in the timing

Barrett believes Fido will succeed where others have failed, mainly due to its timing.

He believes that X.509, for example, was not only too complex, but it was conceived for a world in which there was an even mix off offline and offline activity, rather than a world that is predominantly online.

“In the late 1990s there were tens of millions of internet users and there was no understanding of the problems that would arise with billions of users, as we have today,” said Barrett.

Other attempts at solving the problem of online authentication have failed because no-one completely trusts a single entity all the time. “That’s what Microsoft’s Passport taught us,” he said.

Choice of authentication technologies

In contrast, the Fido approach uses a standards-based protocol that allows online service providers to use any authentication technology of their choice.

“It will be up to market forces to determine what the most commonly used technologies will be for particular situations,” said Barrett.

Fido enables an authentication framework into which authentication suppliers can integrate their technologies, which will help prevent supplier lock-in for online service providers.

Support crucial to momentum

Barrett believes another key aspect of Fido’s success will be that is supported by an alliance of authentication providers, equipment manufacturers and online services that need to authenticate users.

While PayPal is the first major online service or “relying party” to join the Fido Alliance, some large financial services firms are expected to join soon, he said.

Building momentum in the industry is one of the challenges to Fido’s success, but Barrett believes the business benefits will drive the first trials in the enterprise, particularly in small and medium businesses.

“Big companies are not necessarily the most profitable and SMBs typically need help in dealing with fraud, so are probably the most fertile ground for Fido trials because the approach will work well,” he said.

While Barrett would not be drawn on PayPal’s plan to implement the Fido standards, he confirmed that the online payments firm plans to carry out both internal and external facing pilots in 2013.

He expects to see Fido standards gathering momentum in 2014 as technologies conforming to the standards mature and are rolled out.

Smartphone manufactures are also likely to be early adopters of Fido standards, said Barrett, noting Apple’s acquisition of Authen Tec in late 2012 that has led to speculation that future iPhones will feature fingerprint readers.

“Android device makers are unlikely to want to be left behind, but they will need Fido standards to make it work, so it is reasonable to suppose we may see Fido-based smartphones by the end of 2013,” Michael Barrett said.

Source: ComputerWeekly.com

To read the original article click here.

RSA 2013: Standards Core to LA County Security Strategy

Fri, 01 Mar 2013 00:00:00 GMT

Standards are the key to a successful security strategy, says Robert Pittman, chief information security officer of Los Angeles County.

All LA County IT security policies correspond to industry-recognised certifications, standards and best practices, he told the Trusted Computing Group session at RSA Conference 2013 in San Francisco.

The policies reference best practices set by organisations such as the Cloud Security Alliance, National Institute of Standards and Technology, and the Trusted Computing Group (TCG).

These policies are deployed county-wide, overseen by security engineering teams within the county’s 34 departments.

These teams report to the department information security officers along with county-wide community emergency response teams, which act like a “neighbourhood watch”, said Pittman

The departmental officers report to an information security steering committee, which meets monthly to review the county’s IT security status.

The steering committee has identified ten top priorities, said Pittman, which include web application protection, risk management, and compliance with all the major regulatory frameworks such as HIPAA, HITECH and PCI DSS.

Encryption is one priority, with the country implementing full disk encryption in 2007 for around 12,000 laptops.

“We have embraced the use of TCG’s Trusted Platform Module (TPM) and we are currently evaluating the use of self-encrypting drives (SEDs),” said Pittman.

Incident response is another priority and includes threat intelligence and relationship-building with law enforcement.

“Incident response is important because our systems are being probed all the time, with about 21 incidents a year,” said Pittman.

The top ten list includes non-technical priorities such as the county’s annual recognition awards programme that promotes competition around security between departments, and the socialisation of security initiatives by involving business units, the help desk and county psychologists.

Re-emphasising the importance of policies and standards, Pittman said: “Policies influence behaviour like traffic signs and standards influence technologies and business models.

“They also ensure consistent operational support and risk architecture across the county, and potentially reduce cost by reducing technical complexity,” he said.

Source: ComputerWeekly.com

To read the original article click here.

At 10, Trusted Computing Group Sees a New World of Threats

Wed, 27 Feb 2013 00:00:00 GMT

SAN FRANCISCO — The Trusted Computing Group, an industry security standards organization, is celebrating its 10th anniversary at this week's RSA security conference.

Best known for the Trusted Platform Module (TPM) security chip, the organization more recently has published specs for integrating network security information into the government's Security Content Automation Protocol (SCAP). Sessions at its conference workshop will focus on network security trends and data protection in a rapidly changing IT landscape.

"Sophisticated, targeted threats and the challenges of mobile devices are two ends of the security spectrum," said Wave Systems' Brian Berger, a TCG board member.

With the number of user endpoints on the Internet being measured in the billions — many of them untethered wireless devices — building security into those devices and enabling secure network access controls is becoming an imperative.

"The definition of mobile and mobility has changed, and that changes the context of security," Berger said. "Security has to catch up."

TCG was formed in 2003 and that same year adopted specifications for its signature TPM. Since then the chip, a cryptoprocessor that can store data securely in hardware, has become almost ubiquitous, with some 600 million shipped in computing devices from desktop and laptop PCs to mobile phones and automotive systems. Since then, it has slowly worked its way into the security infrastructure of end devices. It is a core component of Microsoft Windows 8 security and also is used by the Google Chromebook.

Despite the support for the group's efforts from government entities such as the National Security Agency, the pace of TPM adoption by government has been — at best — deliberate.

"Government moves at government's pace," Berger said. But in the past several years, TPM has been showing up as a requirement in government purchasing vehicles.

The National Institute of Standards and Technology calls the chip "the foundation for an entire ecosystem" of PC security, enabling the secure storage and passing of information within and between computers. But government had little input into the development of the first versions of the specification, and they did not meet Federal Information Procession Standards, required for government crypto systems.

But NSA has been participating in the development of TPM 2.0, which is expected to be FIPS 140-2 or 140-3 certified. NSA also is working with TCG to create protection profiles to allow certification of self-encrypting drives, another TCG specification that is gaining adoption.

Last fall, TCG released draft specifications for standardizing content using the government's SCAP in TCG's Trusted Network Connect (TNC) architecture. The two protocols handle different domains of IT security. The TNC standards focus on network security, while SCAP, developed by NIST, focuses on endpoint compliance. Using them in tandem could help improve endpoints security.

Source: GCN.com

To read the original article click here.

IBM: New iOS Mobile Security Software

Sun, 24 Feb 2013 00:00:00 GMT

Here's an overview of the latest news releases issued in advance of RSA Conference 2013:

IBM announced security software that helps organizations proactively reduce the security risk to iOS enterprise applications. Now, clients can build security into the initial design of mobile applications so that vulnerabilities can be detected early in the development process, before being deployed to customers or employees. This announcement further expands IBM's MobileFirst initiative, and expands IBM's strategy to provide organizations with a mobile platform that spans application development, integration, security and management.

Lockheed Martin and Fixmo, Inc. have integrated technologies to provide a new level of secure authentication for consumer grade mobile devices with unparalleled ease of use by joining forces with Fixmo's SafeZone and Lockheed Martin's Mandrake SG technology. This new 'Secure Gesture' capability will be featured in demonstrations at the RSA conference in San Francisco Feb. 25 - March 1 at booths 0135 and 341.

Science Applications International Corporation (SAIC) introduces DigitalEdge, a versatile big data software platform capable of real-time, high-volume data ingestion and processing from a variety of complex data sources - helping organizations streamline business operations and enabling decisive action.

Wave Systems Corp., the Trusted Computing Company, is delivering enterprise-grade management and security on the newest generation of tablets running Microsoft's Windows 8 operating system. Wave's security solutions are designed to augment the existing management infrastructure enterprises own today to deliver modern mobility that's simple to use, always connected and always secure.

To view these and other news releases, please visit our RSA Conference 2013 Press page.

Source: bankinfosecurity.com

To read the original article click here.

Trusted Computing Group Members to Show RSA Attendees Demos of Secure Drive, BYOD, Authentication, Embedded and Mobile at Monday Seminar Session

Fri, 22 Feb 2013 00:00:00 GMT

PORTLAND, Ore., Feb. 22, 2013 – At its RSA Conference USA 2013 session, Trusted Computing Group (TCG) and members will host 12 demos showing new ways to leverage widely available security solutions for data protection, authentication, and network identity and access management.

The seminar Trusted Computing: Billions of Secure Endpoints in 10 Years will be Monday, 10 a.m. – 2 p.m. in the Esplanade room, Moscone South. Los Angeles County Chief Information Security Officer Robert Pittman will talk about security challenges, followed by panel sessions with leading industry analysts, technologists and end users.

Demos will include a number of new ways to solve current and emerging security issues.

Absolute Software will show remote management of TCG Opal-based self-encrypting drives via a cloud interface.
Asguard Networks will implement TCG’s IF-MAP industrial control systems security specification to manage multiple independent private isolated networks, working with Juniper Networks’ IF-MAP 2.0 server.
Fraunhofer SIT will use attestation based on the Trusted Platform Module (TPM) to secure mobile ad hoc networks, securing them against attacks by verifying status and identity. The IF-MAP specification is used to show the network status graphically.
Lumeta, Juniper Networks and Infoblox show how to implement automated enforcement of network policy, protecting against backdoor attacks by discovering rogue or unauthorized network connections and dynamically managing access privileges. Clients and servers based on IF-MAP and TNC Policy Decision and Policy Enforcement Point specifications are implemented.
Hirsch Identive will use IF-MAP to integrate data from its physical security management system to network access control. Users must be physical present, for example, to gain network access.
Microsoft, Juniper Networks and Infoblox use various TCG Trusted Network Connect (TNC) specifications for endpoint identification, device profiling and network access control for securing a BYOD environment.
MITRE Corporation will show a prototype for high security TPM provisioning for the enterprise, bypassing traditional and inherently insecure software provisioning methods. Demonstration code will be made available.
NCP will demonstrate the integration of different IT security systems, including as firewalls, intrusion detection and a VPN, to counter threats from remote devices. If threats are detected, access to the device is limited or shut down; the TPM is used to check the health of remote embedded systems to determine if they will be connected.
Nokia’s Lumia 920 mobile device will demonstrate secure boot and support for device integrity, which provides a secure foundation for trusted applications and services.
Self-encrypting solid-state drives (SSDs) from Samsung will be shown for performance, security and protection against breach laws.
Wave Systems will demonstrate the role of UEFI and secure booth and the TPM; managed SEDs; and how infected devices can be detected and denied network access.
WinMagic will show how SEDs based on the TCG Opal specification are managed in Windows 8 environments, preventing attacks.

The Trusted Computing Group (TCG) is a not-for-profit organization that develops, defines and promotes open, vendor-neutral, global industry standards based on a hardware root of trust, for interoperable trusted computing platforms. Billions of endpoints use TCG standards to ensure system integrity, protect networks and secure data. For more information, see www.trustedcomputinggroup.org and on Twitter and LinkedIn.

-- 30 --

Brands and trademarks are the property of their respective owners.

Tweet this: #RSA2013 @TrustedComputin session 2/25. http://bit.ly/10PHESD

CMS Products Announces CE-Secure DiskVault FIPS Certification

Wed, 20 Feb 2013 00:00:00 GMT

DiskVault Meets Trusted Computing Group Opal SED Specification

IRVINE, Calif.--(BUSINESS WIRE)--CMS Products Inc. a leading innovator in encryption, security technology for business, government and military users, today announced the National Institute of Standards and Technology (NIST) certification of its CE-Secure DiskVault-FIPS product line (FIPS indicates the Federal Information Processing Standard). The DiskVault-FIPS external USB and Module bay SED storage solutions have been certified to FIPS 140-2 level 2. DiskVault-FIPS solutions are designed to be “management ready” for secure managed environments or operated as standalone encrypted storage/backup devices. Storage capacities range from 500 gigabyte (GB) to 4 terabytes (TB) and meet the Trusted Computing Group (TCG) standards. “As businesses look for additional storage, it’s important for data to be highly secured without sacrificing performance,” said Ken Burke, president, CMS Products, Inc. “Data breach is becoming more common and costs businesses millions annually. By encrypting the drive itself, customers can protect their data from intruders without affecting performance.”

The CE-Secure DiskVault-FIPS product line integrates Seagate’s world-class, self-encrypting drive (SED) Momentus Thin and Enterprise Capacity hard drives. “We choose Seagate as our SED partner because they are innovators and the leaders in hard drive hardware encryption,” added Burke.

The Opal standard for SEDs was created by the Trusted Computing Group (TCG), which develops standards for secure computing. The TCG Opal standard is designed to ensure interoperability across vendors, technologies and platforms. While traditional SEDs based on the Opal standard have shipped for several years, this is the first time they have been available as a government-grade FIPS certified external solution.

As enterprises make mission-critical data available to employees, legal and compliance regulations in their respective industries must also be considered.

“The combined Seagate and CMS offering will provide security-conscious customers with a highly secure, manageable external data protection solution,” said Bob Griswold, senior vice president of product line management at Seagate. “External hardware-based encryption and security provides a level of trust and performance not achievable by software encrypted devices. CMS’s new CE-Secure DiskVault – FIPS Edition will help companies ensure that they meet regulatory requirements such as HIPAA, Sarbanes-Oxley and more.”

About CMS Products

Established in 1983, CMS Products, Inc. is a leading innovator in data backup, encryption and security technology for business users and consumers. CMS products are sold in more than 90 countries, with installation of more than four million units worldwide.

CMS Products offers an extensive line of personal computer security products including encrypted USB flash drives, external encrypted USB hard drives, and encryption software, as well as full Disaster Recovery solutions including external hard drives that support system recovery and backup software which creates a full system recovery that can be used to restart a failed computer.

Source: BusinessWire.com

To read the original article click here.

Delayed Reaction

Fri, 01 Feb 2013 00:00:00 GMT

Despite the ubiquity of the Trusted Platform Module, holdups exist and adoption remains slow. Deb Radcliff reports.

In 2008, an unencrypted laptop went missing from the car of a worker at Barnabas Health, New Jersey's largest health care system. And, although fewer than 2,000 records were exposed, the health care provider subsequently made self-encrypting drive (SED), a type of hardware-based encryption, a mandatory part of its mobile device upgrade process.

“Everyone who gets a new laptop must have SED enabled,” says Hussein Syed (below), director of IT security at Barnabas Health, which consists of 4,600 physicians, seven medical facilities and two business offices. “We don't want to incur another incident because someone left a document on a device and then lost it.”

The encryption cannot be tampered with by users, and access is easier because assigned users now need only one master login to access all their provisioned resources (via Active Directory). SED takes only minutes to initially encrypt the full contents of the hard drive, compared to 36 hours using an older, software-based disk encryption. And, using a third-party encryption management service from Wave Systems, machines can be provisioned just as quickly, says Syed.

Now, with SEDs present in virtually every one of its 1,280-issued laptops, Saint Barnabas is turning its attention to SED's companion technology, Trusted Platform Modules, or TPMs.

Maturing encryption

TPM, which began shipping in October with Windows 8 and the Windows 12 management server, has become ubiquitous. The specification integrates with other modules from The Trusted Computing Group (TCG) to support system integrity checks, disk encryption, key management and other functions at machine speed.

TCG, parent to both TPM and SED, claims there are more than a billion PCs, servers, embedded systems, network gear and other devices with TPM and/or SED functionality embedded in them. Yet, according to analysts, actual adoption of these technologies is difficult to measure and has been slow to catch on.

“I am surprised at the modest adoption of hardware roots of trust, in spite of the ubiquity of embedded TPMs in enterprise-class machines,” says Derek Brink, an analyst with Aberdeen Group, a Boston-based provider of intelligence research. “It seems a question of commitment and will, rather than waiting for the technology to be available and mature.”

In a comparison study Aberdeen published last June, 41 companies using SED experienced 50 percent fewer incidents and saved $80 per endpoint per year versus 81 companies that used other forms of disk encryption.

One thing holding up widespread adoption of TPM and SED is interoperability, according to users and analysts. Apple, Google and Microsoft all use different standards, not all of which support TPM, says Roger Kay, founder and president of the Massachusetts-based analyst firm Endpoint Technologies Associates (ETA). The other problem is key management, he adds.

“As with PKI encryption for the PC world, the problem is the certificate authority (CA),” he says.

Most organizations will require a third-party intermediary, such as Wave Systems, which needs to interoperate with other CAs, say analysts. There will also be those with enterprise expertise in key management who will want to manage their own keys.

Rooting rootkits

To support enterprise key management and interoperability, the Trusted Computing Group is putting a lot of emphasis on Windows 8 endpoints, including built-in TPM supportable through Windows 12 server. TPM enhances support for SED and includes a pre-boot system integrity check that the accessing system's basic input/output system (BIOS) and registries haven't been changed from a pre-measured state.

“TPM has mainly been used by a small segment of PC users to tie their Windows Bit Locker and other encryption keys to user devices,” says Steven Sprague, CEO of Lee, Mass.-based Wave Systems. “Now, these features are native.”

Of all the features in TPM today, machine attestation – or the ability to boot up in safe mode, check the machine's integrity and remotely attest that its settings have not been changed – is the most important feature, says Neil Kittleson, Trusted Computing portfolio manager for the Commercial Solutions Center at the National Security Agency (NSA).

Since the TCG's inception 10 years ago, the NSA has been heavily invested in using the nonprofit's technologies in its high assurance platform, or HAP.

“TPM capabilities represent a shift against today's attackers who are embedding rootkits beneath the notice of today's software-based security solutions,” Kittleson says. “We found TPM works very well for our high-assurance platforms.”

In a demo, a simulated attack on a TPM-protected device at the NSA stopped malware from spreading out of a virtual machine onto a host system. Researchers demonstrated a failed attestation when an infected device tried to connect. In that case, access was denied, and an alert sent to the mobile management administrator as the authentication server detected changes in the registry.

Despite this success, TPM is only in use among a “miniscule amount of devices” used across the vast defense network supported by the NSA, says Kittleson.

Adoption of Windows 8 and the upgrade of the key management infrastructure should help speed adoption across the Defense Department networks and other organizations supported by the NSA. It should also propel the Barnabas operation into full adoption.

While deployments may seem slow at this time, the licensing costs of TPM modules are declining, and interoperability standards are improving, say experts. This market penetration, combined with new risks introduced as mobile endpoints continue to proliferate, means it is only a matter of time before the use of TPM technologies becomes more common than not, both Syed and Kittleson say.

“The real driver is mobility,” ETA's Kay adds. “If every device is a potential attack point, we need to protect those endpoints with hardware-based security.”

Source: SCMagazine.com

To read the original article click here.

Los Angeles County CISO Robert Pittman to Keynote Trusted Computing Group RSA Conference USA 2013 Seminar

Fri, 25 Jan 2013 00:00:00 GMT

Panel Sessions to Include Industry Analysts and Users in Commercial and Government Enterprises

PORTLAND, Ore., Jan. 25, 2013 – Los Angeles County Chief Information Security Officer Robert Pittman will address attendees at the RSA Conference USA 2013 on “The Top 10 Priorities in IT Security for the County of Los Angeles and the Importance of Industry Standards.” He will headline the Trusted Computing Group (TCG) seminar, Trusted Computing: Billions of Secure Endpoints in 10 Years, Mon., Feb. 25, 10 a.m. – 2 p.m.

Pittman has more than 30 years of experience in information technology and security and was awarded CSO of the Year by Info Security Products Guide 2012 Global Excellence Awards. He has written for the Information Security Management Handbook series and participates in industry advisory boards and committees.

Panels to Address APTs, Network Security, Data Protection

Pittman will be followed by a series of panel sessions. Charles Kolodgy, IDC, will lead discussion on APTs and recent NIST recommendations on security. He will be joined by Frank Molsberry, technologist, office of the CTO at Dell; Stacy Cannady, CISSP and senior systems security specialist, DMI; Sunil Gottumukkala, principal lead program manager in the Windows Security and Identity team at Microsoft; and Robert Thibadeau, senior vice president and chief scientist, Wave Systems.

Phil Schacter, Gartner, will lead a panel on network security with Paul Roberts, founder, Security Ledger; Phyllis Lee, NSA; Steve Venema, associate technical fellow at The Boeing Company; and Dave Waltermire, SCAP architect, NIST.

A third panel led by Eric Ogren, Ogren Associates will talk about protecting content from unauthorized access with NSA’s Jon Rolf; Dr. Michael Willett, Storage Security Strategist, Samsung; Hussein Syed, director IT security, Barnabas Health; and Clain Anderson, director, Lenovo.

Attendees can see new Trusted Computing demonstrations from a range of TCG members during session breaks. The session is free to those registered for an RSA Conference or Expo pass. More info here.

TCG Members to Talk Security Automation in RSA Conference Session

On February 28, 2012, 1:00 p.m. - 2:00 p.m., Stephen Hanna, Distinguished Engineer, Juniper Networks, TCG TNC Co-chair and David Waltermire, Security Automation Architect, National Institute of Standards and Technology (NIST) will co-present “Upgrade to a Machine Gun - Automate Your Defenses Technology Infrastructure (TECH-R35).” The session will demonstrate how to use the latest open standards and architectures to build an automated defense system.

Brands and trademarks are the property of their respective owners.

Tweet this: LA County CISO to headline #RSA2013 @TrustedComputin session 2/25. http://bit.ly/10PHESD

Could IF-MAP Accelerate Big Data Security Analytics?

Wed, 23 Jan 2013 00:00:00 GMT

Based upon recent ESG research data, it is easy to conclude the big data security analytics is inevitable. In fact, large public sector and commercial organizations are already experimenting with technologies like Hadoop, Splunk, and PacketPig to bring the security and big data analytics world together.

While big data security analytics will roll out faster than most people think, there are bound to be some speed bumps along the way. In fact, some of the more annoying short-term issues will be around basic operational tasks like collecting, normalizing, and sharing security data in a multitude of formats, schemas, and syntaxes.

These issues reared their ugly head in a recent ESG research project:

• 54% of large organizations have “significant difficulties” or “some difficulties” with security data normalization
• 54% of large organizations have “significant difficulties” or “some difficulties” with security data capture
• 52% of large organizations have “significant difficulties” or “some difficulties” with security data sharing

How can the industry address these problems? By providing standard data formats and APIs that eliminate data integration limitations and customization requirements.

I’ve blogged about industry standards before. For example, MITRE has done a great job with Common Vulnerabilities and Exposures (CVEs) but support for its many other security standards is fairly limited. It seems like a no-brainer to me that leading security vendors like Check Point, Cisco, HP, IBM, McAfee, RSA, Symantec, and Trend Micro should get more involved.

Aside from the MITRE standards, here’s another suggestion: In order to accelerate big data security analytics effectiveness and efficiency, the security industry should get behind the Interface for Metadata Access Points (IF-MAP) standard introduced by the Trusted Network Connect (TNC) sub-group of the Trusted Computing Group (TCG) in 2008. Juniper is a big IF-MAP supporter as is Enterasys and Infoblox.

Why is IF-MAP a good fit for big data security analytics? In simple terms, IF-MAP allows devices to share information in a standard well-defined way. What’s more, IF-MAP provides this data sharing for a broad range of use cases including physical security, cloud computing, grid computing, etc. If nothing else, IF-MAP makes a lot of sense in the era of BYOD and mobile computing.

IF-MAP isn’t a big data security analytics requirement but it could go a long way toward making data collection, normalization, and sharing a bit easier. This is especially important because there aren’t enough trained security professionals available to labor through this with manual processes and custom coding. Furthermore, IF-MAP isn’t just about security analytics; it’s about security policy enforcement automation. Once again this could help reduce time, labor, and money – and make us all more secure.

Source: NetworkWorld.com

To read the original article click here.

Drive-by and XXS Attacks Will Increase in 2013 -- But Why?

Thu, 10 Jan 2013 00:00:00 GMT

Drive-by download attacks and cross-site scripting attacks (XSS) are set to remain top attack methods in 2013, according to the latest threat report from the European Union (EU) cyber security agency, Enisa. But why do they continue to grow in popularity with attackers?

Perhaps the most obvious reason is that they are invisible and can be launched through links and malicious code on compromised legitimate websites unlikely to figure on any corporate watch lists.

But beyond that, drive-by attacks are becoming easier to carry out because of the increasing availability of exploit kits, according to Tim Rains, director of Microsoft Trustworthy Computing.

These exploit kits – of which blacole or blackhole is the best-known – make it easy for attackers to exploit vulnerabilities in popular software installed on most consumer and enterprise computers.

In particular, attackers use this exploitation technique to target browser plug-ins such as Java. Enisa reports that Java exploits represent the biggest cross-platform threat.

The link with ubiquitous software demonstrates what is probably the biggest reason these attack methods remain effective and popular, said Rains, who lists drive-by attacks and XSS among his top five threat predictions for 2013.

Enterprises struggle to keep up to date

“For large enterprise, it has always been a challenge to keep all software and systems up to date to ensure they have all the latest security improvements,” he said.

On top of this challenge, few organisations are able to say if all versions of a targeted piece of software have been patched.

“While they may understand the need to keep Java up to date, they may not realise they have several versions of Java running in their environment that need to be updated continually,” said Rains.

Attackers are taking advantage of these gaps around the world, including the UK where drive-by attacks have crept into the top 10 threats in the past two years.

Top 10 UK cyber threats

In data for the second quarter or 2012 published in the Microsoft Security Intelligence Report volume 13, half the top 10 threats for the UK were exploits delivered through drive-by downloads as well as spam and phishing.

“That is a high percentage, considering the UK did not have a single exploit in its top 10 threat list two years ago,” said Rains.

The key for enterprises to guard against this kind of threat is to keep all software and systems up to date, he told Computer Weekly.

“In 2013, enterprises should look at what popular software they have in their environment and assess how likely each is likely to become the next target,” said Rains.

Hackers use video and audio for malware

Enterprises should also pay at10tion to trends such as attackers using video and audio files to install malware, he said.

Microsoft threat analysis has identified a Trojan downloader family that uses this tactic, called ASX/Wimad. This has crept into the top 10 lists of threats in several locations around the world.

The Trojan takes advantage of the fact that many video formats allow scripts to be run, so attackers simply have to add malicious scripts to popular films designed to download more malware.

“I suspect this upward trend will continue in 2013 as attackers continue to take advantage of people’s desire for free entertainment and software,” said Rains.

Data drawn from a range of Microsoft security tools on 600 million systems worldwide shows that in the second quarter of 2012, 5.5% of systems in the UK that were infected with malware were infected with the ASX/Wimad Trojan.

Consumerisation exacerbates cyber threats

But if attackers are targeting video and audio, why is this relevant to enterprise security?

It is not uncommon for employees to use business computers and systems to search for and store such content, said Rains.

“In the past, when attackers have targeted computer games, this type of infected content turned up regularly on corporate systems where you would not expect it to be,” he said.

The likelihood of finding such content is even greater now with the proliferation of consumer devices in the corporate environment.

“Consumerisation of IT is making keeping track of this kind of threat even more challenging because of the growing number of almost completely unmanaged and unmanageable devices that are accessing corporate data such as email and surfing the internet without restriction,” said Rains.

CISOs manage data access and security risk

In an attempt to get the situation under control, he said many CISOs are not trying to manage the device, but instead are focusing on managing access to data and the security of data.

“We are seeing a change in how CISOs are trying to manage the risk around corporate data to enable the benefits of consumerisation,” said Rains.

Threats such as the ASX/Wimad Trojan underline the importance of having information security policies in place as well as the technologies and processes to enforce them,” he said.

Malware rootkits set to evolve in 2013

Technology developments is another key area enterprise should keep an eye on according to Rains. He predicts rootkits will evolve in 2013 due to the recent introduction of the Unified Extensible Firmware Interface (UEFI) and secure boot, two new technologies designed to provide more protection against rootkits and other boot loader attacks.

“As systems that use these technologies, such as Windows 8, become more pervasive, I expect to see purveyors of rootkits attempt to innovate and evolve their malware because the bar has been raised significantly,” said Rains.

He believes the technologies provide significant protection against rootkits and will provide much value in terms of risk management and security to Microsoft customers looking to move off Windows XP SP3 before the products reaches the end of its life in April 2014.

“Features like secure boot and UEFI help get to a point where we have a trusted platform because when the machine boots up, rootkits are unable to run before the OS and anti-malware kicks in,” said Rains.

Keeping all software up-to-date, running anti-malware software from a trusted source, and demanding software that has been developed using a security development lifecycle will continue to be best practices in 2013, said Rains.

“These are among the best measures enterprises and consumers can take in light of how the threat landscape is evolving. If all software is kept up to date, it makes it harder for attackers to be successful,” he said.

Source: ComputerWeekly.com

To read the original article click here.

Trusted Computing Group Commends National Institute of Standards and Technology (NIST) on Mobile Security Recommendations

Thu, 20 Dec 2012 00:00:00 GMT

Special Publication 800-164 Recommends Highly Secure Hardware Root of Trust

PORTLAND, Ore., Dec. 20, 2012 – Trusted Computing Group (TCG), which enables security in more than 1.7 billion endpoints, has commended the National Institute of Standards and Technology (NIST) on its recent recommendations to base security for mobile devices in a hardware-based root of trust (RoT).

The agency issued Special Publication 800-164 “Guidelines on Hardware-Rooted Security in Mobile Devices”, in October for industry comment. The report notes in its abstract, “Many mobile devices are not capable of providing strong security assurances to end users and organizations. Current mobile devices lack the hardware-based roots of trust that are increasingly built into laptops and other types of hosts.”

NIST’s report goes on to note, “Hardware RoTs are preferred over software RoTs due to their immutability, smaller attack surface, and more reliable behavior.”

Brian Berger, TCG director and marketing work group chair, commented, “TCG’s approach to security based on the hardware-based root of trust has been vetted by the world’s leading IT, security and computing companies and proven more secure than software-based approaches. As simple cellphones have morphed into connected, high-value computing systems, it only makes sense to offer them the same security, based in interoperable industry standards widely available to all, to protect sensitive personal, financial and corporate data.”

TCG has long advocated the hardware root of trust to secure systems and data. To enable such trust, it developed the TPM, or Trusted Platform Module, specification. Discrete or integrated implementations of the TPM now protect more than 500 million systems.

Today’s BYOD environment also is forcing enterprises to deal with a growing number of unknown and potentially dangerous devices. TCG has extended the core concepts of the TPM into a draft Mobile Trusted Module (MTM) specification. The MTM also supports the Trusted Execution Environment (TEE), which was developed by industry as an open approach to adding security to mobile devices.

The Trusted Computing Group (TCG) provides open standards that enable a safer computing environment across platforms and geographies. Benefits of Trusted Computing include protection of business-critical data and systems, secure authentication and strong protection of user identities, and the establishment of strong machine identity and network integrity. Organizations using built-in, widely available trusted hardware and applications reduce their total cost of ownership. TCG technologies also provide regulatory compliance that is based upon trustworthy hardware. More information and the organization’s specifications and work groups are available at the Trusted Computing Group’s website, www.trustedcomputinggroup.org. Follow TCG on Twitter and on LinkedIn.

Brands and trademarks are the property of their respective owners.

Tweet this: #TCG commends #NIST recommendations for HW RoTs to secure mobile devices

Trusted Computing Group to Discuss, Demonstrate Data Protection Solutions at Storage Visions 2013

Mon, 10 Dec 2012 00:00:00 GMT

PORTLAND, Ore., Dec. 10, 2012 – The Trusted Computing Group (TCG), a worldwide open industry standards organization, once again will sponsor the Storage Visions 2013 conference, January 6-7, Las Vegas and host a session on security, as well as demonstrations of secure drives.

Storage Visions 2013, with the theme “PetaBytes are the New TeraBytes,” will explores the convergent needs of digital storage to support cloud content distribution and sharing, user generated content capture and use and professional media and entertainment applications.

TCG members will participate in a panel, “Safe at Last: Protecting, Storing and Recovering Personal and Commercial Content,” on January 6. Michael Willette, Samsung, will moderate the session, which will cover the challenges facing security and protection of stored content, including content on mobile devices as well as at home and in the cloud. Panelists include Chris Bross, DriveSavers; Robert Day, Linuxworks; Robert Thibadeau, Wave Systems; Dave Anderson, Seagate Technology; Les Kristoff, CMS Products; and Allison Boerum, Kroll Ontrack.

TCG members CMS Products, Samsung and Wave Systems will show self-encrypting drives, or SEDs, based on TCG’s Opal specification. These drives are among the billion endpoints using Trusted Computing Group specifications or technologies.

Brands and trademarks are the property of their respective owners.

Tweet this: @TrustedComputin to host session, sponsor #SV2013, demo SEDs for data protection Jan. 6-7, http://bit.ly/QoeKpV