Security roundup for Nov. 4: virtualization is key to public cloud security; China, Russia accused of cyber-espionage; More Duqu for you

The greatest tech arguments and Baking security into chips

Ever been in an argumentative mood? Well, last week we were, with editors here coming up with 33 red-hot arguments, such as open source vs. proprietary, or which browser is better.

We got argumentative on security topics, too. We asked whether you should share data-breach information, with one side arguing against it unless you're forced to, and the other saying it will help the community as a whole to stop cybercrime. We're asking readers to vote their opinions online, and interestingly, about three-quarters spoke out in favor of sharing breach information.

More on security: The Security All-Stars

In a story on the "bring your own device" (BYOD) phenomenon, we focused on the question of whether corporations should say "yes" to employees wanting to use their personal iPhones, Android devices, iPads or any mobile device they own for business use on the corporate network.

Out of those who voted, about 28% said "Yes, but it is not my choice to do so," about 38% said "Yes, but I must review the devices first," and about a third said, "No way. I have seen too many viruses."

The BYOD debate story shows some businesses with close association to the federal government are contractually restricted from allowing employee-owned devices, and that the U.S. government is not a BYOD workplace at all. Former White House cybersecurity adviser Richard Clarke says the BYOD question is among the most important enterprise security questions today.

Virtualization holds a key to public-cloud security

While conventional wisdom says virtualized environments and public clouds create massive security headaches, the godfather of Xen, Simon Crosby, says virtualization actually holds a key to better security. Isolation -- the ability to restrict what computing goes on in a given context -- is a fundamental characteristic of virtualization that can be exploited to improve trustworthiness of processes on a physical system even if other processes have been compromised, says Crosby, a creator of the open source hypervisor and a founder of startup Bromium, which is looking to use Xen features to boost security.

China blasting

In further efforts to confront cyber-espionage from nation states, the U.S. government last week issued a report blasting China and Russia for stealing information for economic gain.

"Chinese actors are the world's most active and persistent perpetrators of economic espionage," the report from the office of the National Counterintelligence Executive said. The report said China's intelligence agencies often leverage people who have inside access to corporate networks to gain trade secrets and copy them to removable media.

Last week, Enterprise Strategy Group, in a survey of 244 security professionals, found that the majority of them believe they have been hit by the kind of stealthy infiltration to steal information of economic or military value. Many today call this the "advanced persistent threat," and the survey also found that APT concerns are leading to an increase in security budgets and more involvement from the executive management in the doings of the IT and security department.

The governments of the U.S. and the United Kingdom showed some solidarity last week as Vice president Joseph Biden and British Prime Minister David Cameron condemned efforts by some countries to censor their citizens' use of the Internet. They also made the case that free expression online has long-term benefits.

Biden said, "No citizen of any country should be subject to a repressive global code when they send an email or post a comment to a news article," For his part, Cameron said, "Governments must not use cybersecurity as an excuse for censorship or to deny people their opportunities that the Internet represents."

More on Duqu

Last week researchers provided more insight into Duqu, the windows-based Trojan seen as a successor to Stuxnet, though Duqu is now seen as more aimed at reconnaissance of networks rather than attempts to interfere with operation of industrial control systems. It was learned that Duqu attempts to exploit a Windows kernel zero-day vulnerability, but as of this writing remains unclear exactly when Microsoft, which is suggesting a workaround, might issue a patch against Duqu.

Changing of the guard at Cisco

Chris Young, former senior vice president at VMware, has been tapped to head up the security direction for Cisco, now that Tom Gillis, formerly vice president of the security technologies business unit, has left to pursue an entrepreneurial opportunity elsewhere, according to Cisco. Cisco has created the Cisco Security Group by combining two formerly separate units, the security engineering unit that Gillis had directed, with what was called Cisco's global government security solutions. Young, as senior vice president, is expected to head up Cisco's security direction, and he starts work on Nov. 14.

Baking security into chips

The cutting-edge intelligence research development arm of the government wants to take advantage of the world's semiconductor manufacturing capacity but make sure that U.S. security and intellectual property protection is baked in. The Intelligence Advanced Research Projects Activity (IARPA) group is looking to fund development of new, advanced chip-making technology under a program it calls Trusted Integrated Chips. TIC would feature what IARPA calls "split-manufacturing," where fabrication of new chips would be divided into Front-End-of-Line manufacturing consisting of transistor layers to be fabricated by offshore foundries and Back-End-of-Line development that would be fabricated by trusted U.S. facilities.

Learn more about this topic

The Security All-Stars 

Tech arguments 

U.S. report warns of Russia, China cyber spying

Insider Tip: 12 easy ways to tune your Wi-Fi network
Join the discussion
Be the first to comment on this article. Our Commenting Policies