<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Simply Security &#187; Privacy &amp; Policy</title>
	<atom:link href="http://www.simplysecurity.com/category/data-security-internet-security-2/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.simplysecurity.com</link>
	<description>News, Views and Opinions from Trend Micro</description>
	<lastBuildDate>Sat, 25 May 2013 10:07:51 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>Businesses demand stronger app security</title>
		<link>http://www.simplysecurity.com/2013/05/24/businesses-demand-stronger-app-security/</link>
		<comments>http://www.simplysecurity.com/2013/05/24/businesses-demand-stronger-app-security/#comments</comments>
		<pubDate>Fri, 24 May 2013 23:07:22 +0000</pubDate>
		<dc:creator>Simply Security</dc:creator>
				<category><![CDATA[Current News]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Data Privacy]]></category>
		<category><![CDATA[Privacy & Policy]]></category>
		<category><![CDATA[Web Threats]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[web threats]]></category>

		<guid isPermaLink="false">http://www.simplysecurity.com/2013/05/24/businesses-demand-stronger-app-security/</guid>
		<description><![CDATA[There is now greater reliance on applications within businesses than ever, but many companies are still looking for stronger data security in apps before they start leaning on them more heavily in their operations.]]></description>
			<content:encoded><![CDATA[<p>There is now greater reliance on mobile, web and desktop&nbsp;applications within businesses than ever, but many companies are still looking for stronger <a href="http://www.trendmicro.com/us/enterprise/data-protection/index.html" target="_self" class="dnautolink">data security</a> in apps before they start leaning on them more heavily in their operations. CSO&#039;s Antone Gonsalves said <a href="http://www.networkworld.com/news/2013/052013-pressure-mounts-for-building-in-269954.html?hpg1=bn">implementing security has never been the top priority in app development</a>, but there is now more pressure starting to build from organizations that want to see better frameworks for secure programming. The website noted one example of security already becoming a priority, as Oracle&#039;s Java app, notorious for featuring vulnerabilities, will be delayed for a major upgrade due to work on plugging up&nbsp;holes.</p>
<p>Making sure security is a priority at the starting point of development can lead to fewer holes for hackers to take advantage of, according to experts. This means fewer patches and higher quality software, something Jeremiah Grossman, chief technology officer for consulting firm WhiteHat Security, said is necessary.</p>
<p>Over the years, developers have seemed to avoid the additional costs and resources of making sure security is implemented from the start, as Gonsalves said there has been a prioritization of performance over security. Now, more threats exist in the cyber world than ever before and there must be more protection for companies, as they have a greater amount of sensitive information online. Matthew Neely, director of research and development for consulting firm SecureState, said especially for larger businesses, there is more demand than ever for the applications and software used to be secured from the start. However, it may still take a bit of time to have the same level of security for smaller organizations.</p>
<p>&quot;Getting it past the medium to the small companies is going to be hard, because of the resources required to put people in to do the security testing and to train the people,&quot; he told CSO Online.</p>
<p><strong>Ensuring apps are built stronger</strong><br />
A recent report from HP found that <a href="http://www.informationweek.com/login?assetId=251382&amp;k=2LGCNTIW&amp;actionType=contentgating&amp;successfulLoginRedirect=http%3A%2F%2Fwww.informationweek.com%2Fsecurity%2Fvulnerabilities%2Fweb-app-attacks-rise-disclosed-bugs-decl%2F231601952">69 percent of web applications scanned have at least one SQL injection</a>&nbsp;error and 42 percent had a cross-site scripting vulnerability. Matthew Schwartz, editor&nbsp;of InformationWeek, wrote that it is time for companies to start taking the security in development of applications far more seriously and said it should begin from the birth of the app itself.</p>
<p>Schwartz spoke with Jerry Hoff, VP of the static code analysis division at WhiteHat Security, who gave some&nbsp;<a href="http://www.informationweek.com/security/application-security/6-ways-to-strengthen-web-app-security/240006962">tips for having more secure apps</a> and started by saying that user input is not going to be a friend of business when developing apps. He added that organizations need to know which vulnerabilities are out there that have the potential to harm a company and have controls in place in the language the business and its IT department uses.</p>
<p>&quot;If you&#039;re working in a particular language &#8211; even if you&#039;re a manager &#8211; you should know the security controls for that platform,&quot; said Hoff. &quot;That should be like a seatbelt or airbag that&#039;s already built into cars. They should just have that as part of their toolkit.&quot;</p>
<p>Other tips from Hoff printed by Schwartz for developing a secure app include:<br />
- Do not write in the security controls within the company unless there is a stated security expert in place<br />
- Be sure to have security resources that can be used to ensure the app is being secured in the best way possible<br />
- Continuously apply new security controls, as the best way to prevent attacks is to always be on top of the new technology and information that is available</p>
<p>Hoff said every company will have different ways of controlling data security but each needs to figure out its methods and keep up with them as often as possible.</p>
<p>Data Security News from SimplySecurity.com by Trend Micro.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.simplysecurity.com/2013/05/24/businesses-demand-stronger-app-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter now offers two-factor authentication</title>
		<link>http://www.simplysecurity.com/2013/05/23/twitter-now-offers-two-factor-authentication/</link>
		<comments>http://www.simplysecurity.com/2013/05/23/twitter-now-offers-two-factor-authentication/#comments</comments>
		<pubDate>Thu, 23 May 2013 22:09:18 +0000</pubDate>
		<dc:creator>Simply Security</dc:creator>
				<category><![CDATA[Current News]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Data Privacy]]></category>
		<category><![CDATA[Web Threats]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[web threats]]></category>

		<guid isPermaLink="false">http://www.simplysecurity.com/2013/05/23/twitter-now-offers-two-factor-authentication/</guid>
		<description><![CDATA[The recent hack of The Associated Press' Twitter account showed the true power and impact the website can have. After hackers took over the news organization's account and reported that President Barack Obama was seriously injured, the S&#38;P 500 briefly took a gigantic hit.]]></description>
			<content:encoded><![CDATA[<p>The recent hack of The Associated Press&#039; Twitter account showed the true power and impact the social media platform&nbsp;can have. After hackers took over the news organization&#039;s account and reported that President Barack Obama was seriously injured, the S&amp;P 500 briefly took a significant dip. To combat <a href="http://www.trendmicro.com/us/home/products/titanium/internet-security/index.html" target="_self" class="dnautolink">Internet security</a> issues like this that have potential to generate global shockwaves, Twitter has introduced a two-step authentication system that will be voluntary for users of the website.</p>
<p>&quot;Today we&#039;re introducing <a href="http://blog.twitter.com/2013/getting-started-login-verification" target="_blank">a new security feature</a> to better protect your Twitter account: login verification,&quot; said Jim O&#039;Leary, a member of the social site&#039;s product security team, in a blog post. &quot;This is a form of two-factor authentication. When you sign in to twitter.com, there&#039;s a second check to make sure it&#039;s really you. You&#039;ll be asked to register a verified phone number and a confirmed email address.&quot;</p>
<p>The feature will be gradually rolled out, according to Twitter, and will look to stop the&nbsp;email phishing schemes which have affected multiple brand-name&nbsp;businesses across the social media giant&#039;s website. It will also protect against breaches&nbsp;of password data from across the web, which InformationWeek said allow attackers to access an account <a href="http://www.informationweek.com/security/management/twitter-two-factor-security-combats-take/240155457" target="_blank">if passwords have been reused elsewhere</a>.</p>
<p><a href="http://www.trendmicro.com/us/enterprise/data-protection/index.html" target="_self" class="dnautolink">Data security</a> professionals believe that this development&nbsp;has been a long time coming for the microblogging site. Mark Risher, CEO of Impermium, told the news source that this &quot;significantly raises the bar&quot; of security&nbsp;for many of the attacks&nbsp;the website has been experiencing. However, since this is an optional feature, he said Twitter must inform users that it will only be useful if it is configured in advance. To do this, users of the website can go to the account settings page, check &quot;Require a verification code when I sign in,&quot; and receive a six digit number via SMS message on every attempted log-in.</p>
<p><strong>Why now?</strong><br />
The attacks&nbsp;claimed by the Syrian Electronic Army (SEA), whose targets have also included The Onion and Reuters, among others, have&nbsp;forced Twitter&#039;s hand in evolving security for its users. With this large string of attacks, something had to be done to make sure people are safer online than they have been in past days, but some security professionals are already critiquing the way it is being done, according to InformationWeek. Sean Sullivan, an adviser at F-Secure Labs, said on Twitter that he believes that the company should be using authenticator apps instead of SMS messaging. Risher also questions if Twitter will be monitoring for unusual login&nbsp;patterns.</p>
<p>&quot;We hope that Twitter has incorporated proactive monitoring in addition to this authentication feature,&quot; said Risher. &quot;Locking the front door is important, but without intelligent systems determining when, how and whether to allow access &#8211; even for people with the &#039;key&#039; &#8211; account hijacking vulnerabilities will persist.&quot;</p>
<p>Back on Twitter&#039;s blog, O&#039;Leary said this is only the first step toward improving security, as they will need users to enroll in the SMS program to have login verification. The engineering work will allow them to deliver better security enhancements in the future, he wrote. However, there may still be impending threats, as one member of the SEA told Vice Magazine that there are still <a href="http://www.vice.com/en_ca/read/speaking-with-the-sea-about-hacking-the-onions-twitter-account">security holes they know of in Twitter&#039;s model</a> that could make the company and its users uncomfortable, adding &quot;we are not going to give up.&quot;</p>
<p>Even with vague threats, everyone is happy to see Twitter taking steps to protect the security of its users. Barmak Meftah, chief executive officer of security company AlienVault, told Bloomberg that it is necessary to have in place as <a href="http://www.bloomberg.com/news/2013-05-22/twitter-boosts-security-with-two-step-authentication-after-hacks.html">social media websites are big targets for hackers.</a> Any effort to make sure these websites are safe is a big one, he said, and believes it is great that Twitter is trying what they can to ensure the data security of users.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.simplysecurity.com/2013/05/23/twitter-now-offers-two-factor-authentication/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DHS needs better sharing plan, experts say</title>
		<link>http://www.simplysecurity.com/2013/05/22/dhs-needs-better-sharing-plan-experts-say/</link>
		<comments>http://www.simplysecurity.com/2013/05/22/dhs-needs-better-sharing-plan-experts-say/#comments</comments>
		<pubDate>Wed, 22 May 2013 22:08:06 +0000</pubDate>
		<dc:creator>Simply Security</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Current News]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government Policy]]></category>
		<category><![CDATA[cybercrime]]></category>

		<guid isPermaLink="false">http://www.simplysecurity.com/2013/05/22/dhs-needs-better-sharing-plan-experts-say/</guid>
		<description><![CDATA[The key to data and Internet security moving forward is likely going to be sharing of information, but experts said the new plan on behalf of the U.S. Department of Homeland Security may need to go further, according to CSO.com.]]></description>
			<content:encoded><![CDATA[<p>The key to data and <a href="http://www.trendmicro.com/us/home/products/titanium/internet-security/index.html" target="_self" class="dnautolink">Internet security</a> moving forward is likely going to be the efficient exchange of threat intelligence, but experts said the new plan proposed by the U.S. Department of Homeland Security may need to go further.</p>
<p>Reuters reported that DHS Secretary Janet Napolitano will direct the agency to share&nbsp;classified data on vulnerabilities that <a href="http://www.reuters.com/article/2013/05/15/us-cyber-summit-flaws-idUSBRE94E11B20130515?irpc=932">may be unknown to application developers</a>. These indicators would then be shared with security partners&nbsp;who can&nbsp;detect and block the exploit from taking advantage of companies and their infrastructure. Jeff Jacoby, director of information systems, operations and services at Raytheon, told CSO Online&nbsp;that <a href="http://www.csoonline.com/article/733557/experts-ding-dhs-vulnerability-sharing-plan-as-too-limited">this privileged information&nbsp;will never leave the service provider</a> at any point.</p>
<p>This move toward a greater level of information sharing is something many security experts have been waiting for years to see, but limiting the data flow is something that many experts would not like to see, the website said.</p>
<p>&quot;While it is understandable that the government is starting slowly, I would like to see much broader sharing of information,&quot; said Wolfgang Kandek, chief technology officer for vulnerability management company Qualys. &quot;From an offensive point of view, it is certainly valuable to maintain a certain number of exploits in private, but for defense the best option is to share the vulnerability information with the software vendor as quickly as possible.&quot;</p>
<p>House of Representatives Intelligence Committee Chairman Mike Rogers told Reuters that he was glad to share this information with companies but said it needed to be kept in check to help avoid tipping off cybercriminals or rival organizations. Michael Daniel, the White House cybersecurity policy coordinator, recently told a summit that the program was still evolving with what kind of information would be shared and said this would continue to evolve in step with&nbsp;the threats themselves.</p>
<p>One problem with how this information sharing program will work, according to Andrew Braunberg, research director for NSS Labs, is that the government wants to have its own access to zero-day threat vulnerabilities. It has been recently revealed that the U.S. government is one of the top buyers of these types of threats for their own purposes, leading Braunberg to say that the government wants the situation to go both ways.</p>
<p>&quot;They don&#039;t really want these vulnerabilities to disappear because they want to use them offensively, but they don&#039;t want the same vulnerabilities to allow hacking of U.S. assets,&quot; he told CSO.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.simplysecurity.com/2013/05/22/dhs-needs-better-sharing-plan-experts-say/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FBI trying to train financial execs on cyber threats</title>
		<link>http://www.simplysecurity.com/2013/05/15/fbi-trying-to-train-financial-execs-on-cyber-threats/</link>
		<comments>http://www.simplysecurity.com/2013/05/15/fbi-trying-to-train-financial-execs-on-cyber-threats/#comments</comments>
		<pubDate>Wed, 15 May 2013 22:07:35 +0000</pubDate>
		<dc:creator>Simply Security</dc:creator>
				<category><![CDATA[Current News]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Data Privacy]]></category>
		<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[cybercrime]]></category>

		<guid isPermaLink="false">http://www.simplysecurity.com/2013/05/15/fbi-trying-to-train-financial-execs-on-cyber-threats/</guid>
		<description><![CDATA[The financial industry is and will continue to be one of the most lucrative for cybercriminals to attack. With the wealth of information, money and more at their fingertips, data security will be imperative for this industry to weather the storm that hackers bring.]]></description>
			<content:encoded><![CDATA[<p>The financial industry is, and will continue to be, one of the most lucrative for cybercriminals to attack. With the wealth of market and account information capable of falling into their traps,&nbsp;<a href="http://www.trendmicro.com/us/enterprise/data-protection/index.html" target="_self" class="dnautolink">data security</a> will be imperative for this industry to weather the storm that hackers bring. Reuters reported that the FBI has taken a hand in helping with this, as the agency gave security clearances to many banking executives to let them know about an investigation into cyberattacks that have been disrupting many banking websites for nearly a year. The chosen financial service professionals&nbsp;were brought to field offices around the country to join a video conference on &quot;who was behind the keyboards,&quot;&nbsp;FBI executive assistant director Richard McFeely explained to the Reuters Cybersecurity Summit.</p>
<p>These clearances, deemed as &quot;extraordinary&quot; by Reuters, show that the government is getting more serious about the need to collaborate between public and private bodies. These attacks are seen as becoming more serious against U.S. entities over the past few years and McFeely did not discuss any details of the investigation. The news organization said thus far, banks have had to spend millions of dollars to get operations securely back&nbsp;online. Banks which have been affected include JP Morgan Chase &amp; Co, Bank of America, Wells Fargo and Citigroup, among others.</p>
<p>McFeely said the FBI has changed its stance&nbsp;180 degrees from where it used to be on letting these companies behind the curtain, as executives are starting to work harder to secure international help against this kind of cybercrime, according to Reuters. The FBI has also warned 129 countries about 130,000 internet protocol addresses that have been used by these attacks, many of which were infected by viruses before being ordered to attack the bank websites.</p>
<p>One big issue with international talks has been a lack of willingness to share information and make arrests, but McFeely said that may be coming soon. Hackers who have been identified by name may travel outside of their country and be detained, something he said will be a &quot;big deal&quot; the first time it happens.</p>
<p><strong>Recent ATM heist shows cause for alarm</strong><br />
To illustrate just how big of a target financial institutions have become, Bank Info Security said a recent cyberheist, announced by federal authorities earlier this month, saw $45 million cashed out of ATMs around the world in extremely well-timed, short streaks. Avivah Litan, an analyst with Gartner, told the news source that this closely resembled the 2008 RBS WorldPay heist and ATM cashout in which $9 million was stolen.</p>
<p>&quot;These attacks keep repeating themselves,&quot; Litan says. &quot;There are tens of thousands or more financial institutions to attack in this manner across the globe, and there is plenty of fodder for the criminals.&quot;</p>
<p>Litan said one of the most troubling aspects of this breach is that it is very difficult to discern the points of the network that were breached by these criminals. There are many parties in the payment chain and it is hard to assign blame for any of these types of threats. Simply pointing fingers, she said, is a lose-lose proposition for all parties involved.</p>
<p>There must be work done on all ends to share information about these attacks to gain information in an effort to eventually slow down these data security issues.</p>
<p>&quot;Until then, we will continue to try to keep a leaky insecure payment system secure,&quot; Litan said. &quot;It reminds me of the little Dutch boy who stuck his finger in the dyke and successfully stopped the seawater from flooding his home town. He was successful because he stopped the leak when it was very small. I think we are too late when it comes to our global card payment systems. We probably need at the least, a major cyber-army, in this instance.&quot;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.simplysecurity.com/2013/05/15/fbi-trying-to-train-financial-execs-on-cyber-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Wall Street has data security concerns over Bloomberg reporting</title>
		<link>http://www.simplysecurity.com/2013/05/14/wall-street-has-data-security-concerns-over-bloomberg-reporting/</link>
		<comments>http://www.simplysecurity.com/2013/05/14/wall-street-has-data-security-concerns-over-bloomberg-reporting/#comments</comments>
		<pubDate>Wed, 15 May 2013 00:07:30 +0000</pubDate>
		<dc:creator>Simply Security</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Current News]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Data Privacy]]></category>
		<category><![CDATA[cybercrime]]></category>

		<guid isPermaLink="false">http://www.simplysecurity.com/2013/05/14/wall-street-has-data-security-concerns-over-bloomberg-reporting/</guid>
		<description><![CDATA[Some data security concerns rang across Wall Street earlier this month after it was revealed that Bloomberg News reporters used private information from the Bloomberg L.P.'s data terminal to help break news.]]></description>
			<content:encoded><![CDATA[<p>Chatter of data security concerns has been echoing across Wall Street this week after it was revealed that Bloomberg reporters may have routinely misappropriated sensitive information from proprietary data terminals to help break news.</p>
<p>The news arm of the company monitored when subscribers had logged onto the service, which allows companies to access Bloomberg&#039;s services to analyze and monitor the financial market and trades, to find out which types of functions they had looked at. <a href="http://www.nytimes.com/2013/05/11/business/media/privacy-breach-on-bloombergs-data-terminals.html?pagewanted=all&amp;_r=1&amp;">These services, which are found in almost every banking and trading company, </a>according to the New York Times, cost an average of more than $20,000 per year. The company said it was a mistake to allow reporters to look at this information and disabled it after Goldman Sachs complained that a reporter had pointed out that a partner had not logged into the program lately when inquiring about that particular person&#039;s employment status.</p>
<p>Following this incident, many prominent financial service professionals have become very concerned about the link between this terminal business and the Bloomberg news room. The Times said it is threatening the credibility of both services, as Wall Street relies on the secure and timely transmission of data between qualified traders. If Bloomberg&#039;s services are seen as a conflict of <a href="http://us.trendmicro.com/us/products/enterprise/datacenter-security/deep-security/" target="_blank" class="dnautolink">data security</a> interests, it could be viewed as a huge problem for these businesses.</p>
<p>&quot;On Wall Street, anonymity is critically important. Secrecy and the ability to cover one&#039;s tracks is paramount,&quot; said Michael J. Driscoll, a former senior trader at Bear Stearns who now teaches at Adelphi University, according to the news source. &quot;If Bloomberg reporters crossed that line, that&#039;s an issue.&quot;</p>
<p>The New York Post first reported on this abuse of the Bloomberg terminal service by reporters, with analysis showing that there may have been <a href="http://www.nypost.com/p/news/business/terminally_nosy_p5pSzsDkZzWJ2H7SqpFAPO">several hundred reporters that have used the controversial technique</a>. Bloomberg has more than 2,400 journalists employed worldwide, so the use of the service in this way has potential to have been spread even more than this.</p>
<p>Insiders told the Post that Bloomberg employees could not only tell which employees logged onto the service, but how many times they used certain functions. This has left many wondering just how secure their information is on this service and if other private aspects of their business have been leaked without their knowledge.</p>
<p>&quot;You can basically see how many times someone has looked up news stories or if they used their messaging functions,&quot; said one Goldman insider, according to the news source. &quot;It made us think, &#039;Well, what else does [Bloomberg] have access to?&#039;&quot;</p>
<p>Making matters worse is new information that has been released by the Financial Times. This news organization found that <a href="http://www.ft.com/intl/cms/s/0/e050737c-bbe4-11e2-82df-00144feab7de.html#axzz2TIDziFMT">more than ten thousand private messages sent</a> between users of the Bloomberg financial terminals were leaked online. This will likely make it even harder for the company to gain back its credibility as it struggles to restore faith in the privacy of its services among Wall Street thought leaders. There are now two long lists that show messages between traders at some of the world&#039;s largest banks and their clients, the Times said. This will clearly make the road to redemption that much harder for Bloomberg as officials try to save face with both private sector clients and increasingly concerned government regulators.</p>
<p><strong>Fallout from this issue</strong><br />
Thus far, the Post reports that no reporters have lost their jobs over this issue. Bloomberg spokesman Ty Trippet said in light of concerns, <a href="http://www.forbes.com/sites/jeffbercovici/2013/05/13/bloombergs-privacy-breach-and-the-new-churchstate-divide/">journalists no longer have any access to customer relationship information</a>. According to Forbes, Matt Winkler, Bloomberg&#039;s editor-in-chief, said reporters should not have access to any of this kind of information, adding that he is apologetic that they did and saying that it is an inexcusable incident.</p>
<p>However, Forbes said calling it an error makes this incident sound like something that happened due to carelessness or bad judgment, when in fact there was a decision to let these reporters look at privileged information, Winkler said.</p>
<p>&quot;There was good reason for this, as our reporters used to go to clients in the early days of the company and ask them what topics they wanted to see covered,&quot; he writes. &quot;Understanding how clients used the terminal was more important then.&quot;</p>
<p>Forbes said whether this information was used innocently or not, it likely will not have much effect, as the invasion doesn&#039;t really mean much compared to the value of this subscription to customers of the company. Even so, news organizations will need to start thinking about the implications of sharing sides of their other revenue and advertising with reporters, as companies will want to have more trust in the security of the company they are working with.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.simplysecurity.com/2013/05/14/wall-street-has-data-security-concerns-over-bloomberg-reporting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security in backups means more than just encryption</title>
		<link>http://www.simplysecurity.com/2013/05/13/security-in-backups-means-more-than-just-encryption/</link>
		<comments>http://www.simplysecurity.com/2013/05/13/security-in-backups-means-more-than-just-encryption/#comments</comments>
		<pubDate>Mon, 13 May 2013 21:07:29 +0000</pubDate>
		<dc:creator>Simply Security</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Data Privacy]]></category>
		<category><![CDATA[Privacy & Policy]]></category>

		<guid isPermaLink="false">http://www.simplysecurity.com/2013/05/13/security-in-backups-means-more-than-just-encryption/</guid>
		<description><![CDATA[Backing up information is one of the keys to data security at a business, but it may not be as simple as many organizations may think. IT professional Brien Posey wrote on TechTarget that although encryption is a good start for helping to make sure these backups are secure as possible, there needs to be more to the security of this information than simply that.]]></description>
			<content:encoded><![CDATA[<p>Consistent backup protocols are a hallmark of effective <a href="http://www.trendmicro.com/us/enterprise/data-protection/index.html" target="_self" class="dnautolink">data security</a>, but it may not be as simple as many organizations think. IT professional Brien Posey wrote on TechTarget that, although encryption is a good start for helping to make sure these backups are as secure as possible,&nbsp;<a href="http://searchdatabackup.techtarget.com/tip/Secure-backups-require-more-than-just-encrypting-data">there needs to be more security of this information</a> than simply that.&nbsp;One thing to look out for, he wrote, is the use of service accounts, which are user accounts that provide the security context under which a backup takes place. These must be guarded before they become what he calls a &quot;security black hole.&quot;</p>
<p>&quot;Not every backup product uses service accounts, but there are some general best practices for those that do,&quot; he said. &quot;First, avoid using a service account to run backup agents if at all possible (most modern backup agents do not require a service account). It&#039;s better to use the Local System account instead. If the backup server requires a service account to communicate with protected servers or backup targets, then it is best to use a dedicated service account with a very strong password.&quot;</p>
<p>These service accounts should be given inconspicuous names, Posey wrote, as too obvious a name will point any hacker who might be looking at the network to a large amount of data that is easy to steal. After this, it is important for companies to be sure employees have clearly&nbsp;defined access privileges mapped to their unique job&nbsp;roles.&nbsp;No employee&nbsp;in a business needs access to the whole lot of data, so there must be logging in place to ensure only those who truly need it have access to high-value&nbsp;information.</p>
<p>Physical security is not to be overlooked either, Posey said, as this is one of the most important aspects of preserving backup integrity. This is especially true for companies that back up to on-site disk, but even in a cloud backup scenario, businesses must have certain assurances that the data is being kept physically safe.</p>
<p>Although the backup effort can be very difficult in many instances, PCWorld said there are <a href="http://www.pcworld.com/article/135726/article.html?page=2">ways to take the pain out of transitioning to a new model</a>.&nbsp;The website said companies can first decide what they want to back up, understand what environment the data exists in and find techniques that best line up with how the business works. Protecting the most essential information will help the company get back up and running if an incident does occur.&nbsp;After this, organizations will need to make sure processes and procedures are in place to ensure backups are done properly and that copies can be successfully restored.</p>
<p>&quot;Be sure that you have adequate time to back up all the data that&#039;s important to your business, and be sure to understand the time required to restore that data in case of loss or corruption,&quot; the website said. &quot;You&#039;ll also need to regularly check and test your equipment, media, and processes.&quot;</p>
<p>Data Security News from SimplySecurity.com by Trend Micro</p>
]]></content:encoded>
			<wfw:commentRss>http://www.simplysecurity.com/2013/05/13/security-in-backups-means-more-than-just-encryption/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cybersecurity cooperation becoming military necessity</title>
		<link>http://www.simplysecurity.com/2013/05/10/cybersecurity-cooperation-becoming-military-necessity/</link>
		<comments>http://www.simplysecurity.com/2013/05/10/cybersecurity-cooperation-becoming-military-necessity/#comments</comments>
		<pubDate>Fri, 10 May 2013 22:07:35 +0000</pubDate>
		<dc:creator>Simply Security</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Current News]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government Policy]]></category>
		<category><![CDATA[cybercrime]]></category>

		<guid isPermaLink="false">http://www.simplysecurity.com/2013/05/10/cybersecurity-cooperation-becoming-military-necessity/</guid>
		<description><![CDATA[Having long been allies in physical battles, the U.S. and U.K. are now joining together to increase the data security of both countries, as cyber warfare is now more common than it ever has been. One Pentagon official told Killer Apps that this is a growing area of cooperation with more information and threat analysis being shared.]]></description>
			<content:encoded><![CDATA[<p>Having long been allies on the physical battlefield,&nbsp;the U.S. and U.K. are now joining together to increase the data security of both countries as state-sponsored attacks extend into the digital frontier.&nbsp;One Pentagon official told Killer Apps, a column&nbsp;for&nbsp;Foreign Policy magazine,&nbsp;that <a href="http://killerapps.foreignpolicy.com/posts/2013/05/03/us_and_uk_to_increase_cybersecurity_cooperation">this is a growing area of allegiance</a>&nbsp;between the two with more information and threat analysis being shared.</p>
<p>&quot;Both nations firmly agree we need improved multilateral cyber coordination and we&#039;re working to do just that,&quot; the official said, according to the news source. &quot;Cyber will also be on the agenda for discussions at the upcoming NATO conference in June.&quot;</p>
<p>British Defence Secretary Phil Hammond was recently in Washington, D.C., to meet with U.S. Defense Secretary Chuck Hagel to discuss cyber issues and other military concerns, according to Killer Apps. Hagel said much of the conversation focused on the physical aspect of defense but said there will be more cooperation than ever in the digital realm, calling it a &quot;priority area.&quot; Hammond added that the U.K. and U.S. remain in lockstep on these projects as they look to take them even further into the future.</p>
<p>The impetus&nbsp;for improved cyber and <a href="http://www.trendmicro.com/us/enterprise/data-protection/index.html" target="_self" class="dnautolink">data protection</a> makes more sense when recent attacks from foreign countries are put into focus. It has been reported that defense contractor QinetiQ was compromised in an advanced persistent threat campaign run by an attack group operating in another country. Dark Reading said this group <a href="http://www.darkreading.com/government-vertical/china-tied-to-3-year-hack-of-defense-con/240154064">accessed information about U.S. drone and robot weaponry</a> and was able to bring competing products to the market.</p>
<p><strong>A wide area of concern</strong><br />
A larger report compiled&nbsp;by Bloomberg, <a href="http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html">which cited investigators who were hired by QinetiQ,</a> as well as emails stolen and leaked by Anonymous, found that ongoing attacks against the contractor were launched by a group called Comment Crew. Reports from earlier this year found that the group had attacked and compromised 141&nbsp;businesses across 20 different industries. The company that found these attacks, Mandiant, said the attackers were actually from the People&#039;s Liberation Army Unit 61398, an elite military hacking unit, and may spread out further than China.</p>
<p>&quot;In four days of furious activity, the hackers rifled at least 14 servers, taking particular interest in the company&#039;s Pittsburgh location, which specialized in advanced robotics design,&quot; according to the Bloomberg report. &quot;The Comment Group also used [a network administrator&#039;s stolen] password to raid the computer of QinetiQ&#039;s Huntsville, Alabama-based technology control officer, which contained an inventory of highly sensitive weapons-systems technology and source code throughout the company. The spies had got their hands on a map to all of QinetiQ&#039;s digital secrets.&quot;</p>
<p>Investigators who were hired by QinetiQ said despite multiple warnings from many organizations, the contractor&#039;s network had been compromised and officials failed to realize that the attacks were persistent. They did not react accordingly and IT professional Christopher Day told Bloomberg that they found intruders in many divisions and across product lines. There was almost no place within the company&#039;s servers without a persistent threat going at it. As a result of this, terabytes of sensitive data were&nbsp;stolen.</p>
<p><strong>Defending against APTs&nbsp;</strong><br />
Warwick Ashford wrote on Computer Weekly that what usually makes these threats advanced is the combination of infiltration techniques that most businesses and government agencies cannot stop in concert. However, he said that, <a href="http://www.computerweekly.com/feature/How-to-combat-advanced-persistent-threats-APT-strategies-to-protect-your-organisation">taken individually, these techniques are easy to defend against</a> and are not unstoppable. Guarding effectively against advanced persistent threats means businesses must have depth of security, detection capabilities, a response and recovery plan, as well as security and awareness training across the entire organization.</p>
<p>&quot;By bringing together in-house capabilities with third-party expertise in the form of a network forensics capture and analysis service, an organization can reach an acceptable level of risk with regards to APTs and blended threats,&quot; Mike Westmacott, security consultant at Information Risk Management, told the news source. &quot;Such an approach will also prove invaluable if an attack takes place, as it will help the company to continuously improve its security posture.&quot;</p>
<p>If a company has been affected by an APT incident or attack, it needs to have a stated approach for how the IT department can shut down the attack and preserve evidence of it, so that exactly what happened is known. This means there must be a plan for event analysis to learn lessons from the event and develop even stronger technological and procedural controls.</p>
<p>The last line of defense must be the people in the organization being able to recognize when something isn&#039;t quite right on a network. John Walker, member of the security advisory group of the London chapter of ISACA, told Ashford that there should be security awareness training and educational programs to help improve employee understanding of these attacks.</p>
<p>&quot;Whatever an individual&#039;s role is within the business, from chief executives to secretaries, businesses must ensure that everyone is provided with an adequate level of security awareness training so they will be able to identify anything suspicious,&quot; Walker said.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.simplysecurity.com/2013/05/10/cybersecurity-cooperation-becoming-military-necessity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Making security strategies more sophisticated with big data</title>
		<link>http://www.simplysecurity.com/2013/04/29/making-security-strategies-more-sophisticated-with-big-data/</link>
		<comments>http://www.simplysecurity.com/2013/04/29/making-security-strategies-more-sophisticated-with-big-data/#comments</comments>
		<pubDate>Mon, 29 Apr 2013 23:07:40 +0000</pubDate>
		<dc:creator>Simply Security</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Data Privacy]]></category>
		<category><![CDATA[Privacy & Policy]]></category>
		<category><![CDATA[cybercrime]]></category>

		<guid isPermaLink="false">http://www.simplysecurity.com/2013/04/29/making-security-strategies-more-sophisticated-with-big-data/</guid>
		<description><![CDATA[Cybercriminals are getting more advanced and learning how to attack companies in new and innovative ways every day. Mark Seward, senior director of security and compliance at Splunk, wrote on The Guardian that with these attacks comes a responsibility from companies to protect against breaches in the best way possible.]]></description>
			<content:encoded><![CDATA[<p>Cybercriminals are getting more advanced and learning how to attack companies in new and innovative ways every day. <a href="http://www.guardian.co.uk/media-network/media-network-blog/2013/apr/22/big-data-security-cyber-attacks">Mark Seward, senior director of security and compliance at Splunk,</a>&nbsp;wrote on The Guardian that with these attacks comes a responsibility from companies to protect against breaches.&nbsp;Many businesses have taken to using big data in an effort for better <a href="http://www.trendmicro.com/us/enterprise/data-protection/index.html" target="_self">data protection</a> across the board. This can be useful to have in place, as Seward said it is almost inevitable that a company will be attacked online at some point.</p>
<p>&quot;Once an attacker or piece of malware is inside the network, it can often lurk unseen among the mass of data that enterprise systems generate and trying to locate it, even if you&#039;re aware that an attack has taken place is extremely difficult,&quot; he wrote. &quot;That&#039;s why the new frontier of enterprise security is big data and statistical analysis specifically in machine data. Every interaction with a &#039;machine&#039; &ndash; whether it&#039;s a website, mobile device, application server, corporate network, sensor or electronic tag, and whether it&#039;s automatically generated or a manual transaction &ndash; leaves a trail and a record.&quot;</p>
<p>There have been a few major issues that have come out to affect the <a href="http://www.trendmicro.com/us/home/products/titanium/internet-security/index.html" target="_self" class="dnautolink">Internet security</a> landscape among enterprises in the past couple of years, Seward wrote, including the fact that organizations are now essentially under constant attack. While hackers were more sporadic years ago, there are now a greater number of cybercriminals online who are trying to steal money or data, or perhaps just trying to cause a business to go down.&nbsp;These attackers understand how much pressure IT departments are under to keep up with trends and know many don&#039;t monitor as well as they should, so many of these hackers can become very difficult to stop once they have made their way into a network.</p>
<p>With this constant threat of attack, Seward wrote on The Guardian that IT departments have turned into a reactive and administrative role where many businesses end up purely responding instead of trying to stop these attacks before they start. This means most are not coming up with new and creative ways to stop these attackers, instead simply giving in to the fact that they will have to deal with these attacks eventually. Seward said these organizations should start using big data to help see these attacks before they infect the business and stop them at their root.</p>
<p>&quot;The days of rules-based security engines looking for known threats are drawing to a close, as they&#039;re simply not built to handle the volume and sophistication of attacks today,&quot; he said. &quot;To truly understand the nature of the threats they face, companies need to move beyond traditional approaches to security and delve deeper into the machine data being generated every second of every day.&quot;</p>
<p><strong>Securing the big data itself</strong><br />
<a href="http://www.techrepublic.com/blog/big-data-analytics/practice-big-security-with-big-data/395">Patrick Gray wrote on TechRepublic</a> that the big benefit of big data is that it can consolidate huge data sets from many sources and use them to solve a business or <a href="http://www.trendmicro.com/us/enterprise/data-protection/index.html" target="_self">data security</a> problem. However, organizations cannot forget to secure the big data itself, as he said security is often an afterthought for companies working with these sets. Especially for companies that have a lot of confidential sales, customer or employee information, security should be one of the first thoughts when using big data.</p>
<p>&quot;Also, remember that a key element in any type of security is the human element,&quot; Gray wrote. &quot;If you have neither the time nor inclination to implement extensive security, ensure that staff with access to the data can be trusted, and that they understand the nature of the data they&#039;re dealing with. Where consultants are involved, ask to see their <a href="http://www.trendmicro.com/us/enterprise/data-protection/index.html" target="_self" class="dnautolink">data security</a> policies, and ensure they&#039;re appropriate for the type of data the consultants will have access to.&quot;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.simplysecurity.com/2013/04/29/making-security-strategies-more-sophisticated-with-big-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security skills now standard for data center employees</title>
		<link>http://www.simplysecurity.com/2013/04/11/security-skills-now-standard-for-data-center-employees/</link>
		<comments>http://www.simplysecurity.com/2013/04/11/security-skills-now-standard-for-data-center-employees/#comments</comments>
		<pubDate>Thu, 11 Apr 2013 18:08:02 +0000</pubDate>
		<dc:creator>Simply Security</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Data Privacy]]></category>
		<category><![CDATA[Privacy & Policy]]></category>
		<category><![CDATA[cybercrime]]></category>

		<guid isPermaLink="false">http://www.simplysecurity.com/2013/04/11/security-skills-now-standard-for-data-center-employees/</guid>
		<description><![CDATA[As data security grows more important across the cyber world, so too has the need for IT workers with security skills to work at data centers. Ellyne Phneah wrote on ZDNet that companies are now looking for employees with a more cross-functional skill set to help work in data centers, especially as IT has become more important across the entire company.]]></description>
			<content:encoded><![CDATA[<p>As data security grows more important across the cyber world, so too has the need for IT workers with security skills to work at data centers. <a href="http://www.zdnet.com/cross-functional-skills-key-to-running-data-centers-7000013335/">Ellyne Phneah wrote on ZDNet </a>that companies are now looking for employees with a more cross-functional skill set to help work in data centers, especially as IT operations become more central to business objectives. Specifically, there is an especially strong demand for IT workers with security and Linux know-how.</p>
<p>Ng Tock Hiong, CTO for Cisco Singapore, told Phneah that&nbsp;data centers were run differently and had specialized&nbsp;functions such as storage, networking and applications that were conducted independently.&nbsp;There was minimum collaboration and these areas were siloed, as not many companies had full collaboration across the organization.</p>
<p>&quot;Virtualization, however, changed the dynamics of data center management by unifying applications, networks, storage, and servers,&quot; Phneah wrote. &quot;The integration demands a holistic skill set as IT becomes embedded in business activities, he explained. For example, a person who is skilled in application development will now have to understand how the software is linked to the backend and the related implications.&quot;</p>
<p>CR Srinivasan, vice president of global product management for data center services at Tata Communications, told Phneah that when it comes to hiring a new data center employee these days they need to have an understanding of the technology around them, what kind of security is needed and specific areas of expertise. Employees also need to have a nose for the current issues, Srinivasan said, such as knowing how to deal with running out of space, cooling challenges and the management of the facility.</p>
<p>There are a number of new <a href="http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/index.html" target="_self">data center security</a> technologies that are coming out now to help make the jobs of these workers easier, including smart cards, IP cameras and security control platforms, <a href="http://searchdatacenter.techtarget.com/tip/New-security-technologies-tighten-data-center-access-control">according to TechTarget</a>. Corey Needles, data center manager at Latisys, told the website that companies should look at new technology every year to 18 months, which means companies need to be hiring IT workers who are forward thinking and always looking to expand their knowledge base.</p>
<p><strong>Linux an important skill to have&nbsp;</strong><br />
<a href="http://www.linuxfoundation.org/sites/main/files/dice_lf_linux_jobs_report_2012.pdf">According to the 2012 Linux Job Survey and Report by Dice</a>, 63 percent of recruiters are looking for those with Linux skills. About 85 percent of these managers said finding people with this skill is not easy, however, so there is certainly room for those in IT careers to learn more in an effort to get hired into these jobs. Phneah wrote on ZDNet that IDC reported that Linux will be one of the two primary operating systems in the cloud and that open source technology will make it more important still, which is one big reason why Linux is such an important skill to have right now.</p>
<p>Linux is only one of many skills that data center employees will need in the future, as Ng told Phneah that the challenge will now be to accelerate the time required to enhance the skill levels of workers, especially when it comes to being sure security is well in place. Having educational institutes work with IT departments is one way companies can help make things go a bit more smoothly when dealing with employee retention.</p>
<p><strong>New expectations&nbsp;</strong><br />
With all of these new skills needed, there are new expectations for the data center staff, according to what Adriaan Oosthoek, managing director at <a href="http://www.datacenterdynamics.com/focus/archive/2012/06/opinion-evolution-data-center-staff">TelecityGroup UK, wrote on Data Center Dynamics</a>.</p>
<p>&quot;In the past ten years, the industry has enjoyed extraordinary growth,&quot; he wrote.&nbsp; &quot;And as the world becomes ever more &#039;connected&#039; the role of the highly-connected data center as the enabling environment for the digital economy becomes ever-more important. As a result, the roles and expectations of data center managers and engineers have evolved &#8211; reflecting the critical importance of our services to our customers&#039; businesses.&quot;</p>
<p>It recently became clear, Oosthoek said, that greater efficiencies could be achieved by making sure data center employees can each specialize in a specific area. While he admitted that it&#039;s nice to have a&nbsp;jack-of-all-trades on staff,&nbsp;there are some people who are far more accustomed to working with one particular area or skill than others, and companies should look to leverage such strengths.&nbsp;Some data center workers may be able to work well with their hands while others could be more adept at working in a customer-facing position.</p>
<p>The key to bringing in the next generation of data center staff is to work alongside educational institutes and make sure companies spell out what skills they demand so young workers can become specialized in the much-needed areas, according to Oosthoek.</p>
<p>&quot;It is essential that this expertise is captured and fed more widely into university education as soon as possible to ensure the data center industry can utilize the appropriate skills to sustain growth in the future,&quot; he wrote on Data Center Dynamics. &quot;Only through the on-going development of IT skills will we be able to continue to deliver the level of service our customers expect, reflecting the critical importance of the role of the data center manager and engineer in today&#039;s data center industry.&quot;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.simplysecurity.com/2013/04/11/security-skills-now-standard-for-data-center-employees/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security data needs to be even across enterprise</title>
		<link>http://www.simplysecurity.com/2013/03/25/security-data-needs-to-be-even-across-enterprise/</link>
		<comments>http://www.simplysecurity.com/2013/03/25/security-data-needs-to-be-even-across-enterprise/#comments</comments>
		<pubDate>Mon, 25 Mar 2013 17:07:59 +0000</pubDate>
		<dc:creator>Simply Security</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Data Privacy]]></category>
		<category><![CDATA[Privacy & Policy]]></category>

		<guid isPermaLink="false">http://www.simplysecurity.com/2013/03/25/security-data-needs-to-be-even-across-enterprise/</guid>
		<description><![CDATA[As the need for data security has grown across enterprises, so too have the number of tools and measurements being used to help companies manage their risk and network safe]]></description>
			<content:encoded><![CDATA[<p>As the need for <a href="http://www.trendmicro.com/us/enterprise/data-protection/index.html" target="_self">data security</a> has grown across enterprises, so too has the number of tools and measurements being used to help companies manage their individualized risks. <a href="http://www.darkreading.com/risk-management/167901115/security/news/240151103/does-your-security-data-mesh-with-risk-metrics">Ericka Chickowski wrote on Dark Reading</a> that with so much information moving across network activity graphs, intrusion detection systems and security event&nbsp;logs,&nbsp;there must be a dedicated&nbsp;program in place that ensures risk scoring is consistent across the entire business.</p>
<p>&quot;You&#039;ve got all these different controls, they all talk about assets differently, they all present different information,&quot; says Dwayne Melancon, CTO of Tripwire, according to Chickowski. &quot;So how do I roll that up into a small number of indicators that actually helps me develop confidence that I&#039;m secure or my risk score is going down?&quot;</p>
<p>This is a question that will not be simple for companies to answer, but Melancon said it is essential that they start looking into it now, as normalizing data helps companies make better comparisons and security decisions. Steve Schlarman, eGRC solutions manager at RSA, told Chickowski that a project to help normalize these metrics needs to start by identifying a set of security risks&nbsp;that can be consistently measured with metrics over time. Organizations need to make sure this data can be quickly aggregated and analyzed to extract maximum value.</p>
<p>Starting with the <a href="http://www.trendmicro.com/us/enterprise/data-protection/index.html" target="_self" class="dnautolink">data security</a> of the business first and going from there should help establish a good list of what needs to be normalized, Melancon said. While IT folks sometimes start with the controls instead of what business function needs to be protected, he said this can oftentimes leave a business with more controls than it needs to secure itself and make the process far too complex for the good of the company.</p>
<p><a href="http://www.techrepublic.com/blog/security/the-pros-and-cons-of-security-risk-management/180">Tech Republic said</a> using risk management as a way to protect the company may have some cons, including perhaps focusing too much on something that hasn&#039;t happened yet, but with a good program in place, the website said businesses can have a good view of their threats, vulnerabilities and the impact they could have on the organization.</p>
<p>&quot;Security risk management integrates well with the way business managers make decisions,&quot; the website said. &quot;It allows security managers to speak a language decision makers understand.&quot;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.simplysecurity.com/2013/03/25/security-data-needs-to-be-even-across-enterprise/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>