eEye scans for vulnerabilities, compliance problems

EEye Digital Security today unveiled a compliance and security management tool that can be used to ensure endpoint computers meet the vulnerability-assessment standards required by various industry regulations. The Retina CS Compliance and Security vulnerability-management tool can generate reports indicating whether corporate assets conform with compliance initiatives including the Payment Card Industry (PCI) data security rules; healthcare's Health Insurance Portability and Accountability Act (HIPAA); Gramm-Leach-Bliley for the financial industry; and the federal government's Federal Information Security Management Act (FISMA) guidelines. "This is workflow-oriented with vulnerability scans, and we're creating vulnerability reports that are business-oriented based on compliance practices," says Morey Haber, vice president of business development at eEye. Retina CS Compliance and Security leverages eEye's Retina Network Security Scanner and Blink Endpoint Protection to perform vulnerability scanning and centralizes reporting through a compliance and security management console that Haber says was written in Adobe Flex rather than plain HTML. The product is being offered in three forms: on-premises software, a managed service, and an appliance. Haber says Retina CS Compliance and Security will also add support for the federal Security Content Automation Protocol (SCAP) specifications by early next year.

Software pricing starts at $10,000 for 256 IP addresses, and the managed service starts at $7,548. These options are available today. The cost for the hardware appliance, which will be available by early next year, hasn't been released.

You've got questions, Aardvark Mobile has answers

Aardvark has taken a different tack with search, and now the people behind it are bringing that same approach to the iPhone and iPod touch. The online service figures it's sometimes more productive to ask a question of an actual person, usually someone from within your social network, rather than brave the vagaries of a search engine and its sometimes irrelevant answers. Aardvark Mobile actually arrived in the App Store nearly a week ago, but developer Vark.com waited until Tuesday to take the wraps off the mobile version of its social question-and-answer service.

Aardvark Mobile tackles the same problem as the Aardvark Web site: subjective searches, where two people might type in the same keywords but be looking for two completely different things. "Search engines by design struggle with these types of queries," Aardvark CEO Max Ventilla said. What Aardvark does is tap into your social networks and contacts on Facebook, Twitter, Gmail, and elsewhere to track down answers to questions that might otherwise flummox a search engine, things like "Where's a good place to eat in this neighborhood?" or "Where should I stay when I visit London?" With Aardvark's Web service, you send a message through your IM client to Aardvark; the service then figures out who in your network (and in their extended network) might be able to answer the question and asks them on your behalf. Ventilla says that 90 percent of the questions asked via Aardvark get answered, and the majority are answered in less than five minutes.

The iPhone version of Aardvark works much the same way. Instead of an IM, you type a message directly into the app, tag it with the appropriate categories, and send it off to Aardvark. The service pings people for an answer and sends you a push notification when there's a reply. In previewing the app, I asked a question about affordable hotels in central London; two responses came back from other Aardvark users within about three minutes. If you shake your device while on the Answer tab, Aardvark Mobile looks up any unanswered questions you may be able to respond to (while also producing a very alarming aardvark-like noise). "We think Aardvark is particularly well-suited to mobile, and especially the iPhone given how rich that platform is to develop for," Ventilla said.

In addition to push notifications, Aardvark Mobile taps into the iPhone's built-in location features to detect your location automatically, which helps when you're asking about local hotspots. You don't have to already be using Aardvark's online service to take advantage of the mobile app: the free app lets you set up a profile on your iPhone or iPod touch, and Facebook Connect integration helps you quickly build a network of friends who are also using the service. Aardvark Mobile requires iPhone OS 3.0.

Windows Marketplace reveals fragmentation

Microsoft is making its Windows Marketplace for Mobile available to phones running older versions of its mobile software, although not all of the apps may be available to all Windows Mobile users. On Monday, Microsoft said users of phones running Windows Mobile 6.0 and 6.1 can now shop for and download apps from the Marketplace, which was initially accessible only to users of Microsoft's most recent software, Windows Mobile 6.5. It also said the store now has 800 apps, triple the number available at its launch in October. But not all of those apps are available to everyone.

Microsoft's Web site, which lets anyone browse the Marketplace, lists just 376 applications. "People may not see all of them on the Marketplace website or smartphone catalogue, either because of regional access or because certain apps have specific device requirements such as GPS, screen sizes, etc.," Todd Brix, senior director of mobile services and platform product management for Microsoft, said in an e-mailed statement. The discrepancy between the total number of apps and the number visible in the online store demonstrates the downside of a business model like Microsoft's, in which one OS runs on many different kinds of phones. The model allows end users the luxury of choosing the phone design they prefer, but it comes with limitations in interoperability. The Android Market has 12,000 apps and so far doesn't seem to have significant application interoperability issues, even though Google's Android operating system also runs on phones with different form factors.

Apple is on the other end of the spectrum: it makes both the software and the hardware, and it also runs the app store. That vertical integration is at least part of the reason there are now 100,000 applications in the iPhone App Store. Microsoft says there are more than 18,000 commercial applications available for Windows Mobile, but developers must submit their apps for them to appear in the new Marketplace; otherwise they are available only through third-party sites. "Windows Marketplace for Mobile will not aggregate all available applications, but rather provide customers with a single source for purchasing quality tested applications backed by a money back guarantee," Microsoft said in a statement.

Detailing contingency planning

On Oct. 27, 2009, the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) Computer Security Division (CSD) published Special Publication (SP) 800-34 Revision (Rev) 1, "DRAFT Contingency Planning Guide for Federal Information Systems" and requested comments from readers by Jan. 6, 2010. The official announcement described the SP as follows: SP 800-34 Revision 1 is intended to help organizations by providing instructions, recommendations, and considerations for federal information system contingency planning. The guide defines a seven-step contingency planning process that an organization may apply to develop and maintain a viable contingency planning program for their information systems. Contingency planning refers to interim measures to recover information system services after a disruption. The guide also presents three sample formats for developing an information system contingency plan based on low, moderate, or high impact level, as defined by Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems.

Authors Marianne Swanson, Pauline Bowen, Amy Wohl Phillips, Dean Gallup, and David Lynes include two of the six authors of the June 2002 original version of SP 800-34 (Swanson, Wohl, Lucinda Pope, Tim Grance, Joan Hash and Ray Thomas) and have, as usual for NIST ITL CSD, done a superb job of preparing a framework that lays out a sound basis for business continuity planning (BCP). The 150-page SP begins with an introduction presenting the purpose, scope and audience for 800-34 Rev 1. Page 13 of the PDF file describes the purpose as providing "guidelines to individuals responsible for preparing and maintaining information system contingency plans (ISCP). The document discusses essential contingency plan elements and processes, highlights specific considerations and concerns associated with contingency planning for various types of information system platforms, and provides examples to assist readers in developing their own ISCPs." This document explicitly excludes discussion of disaster recovery. The scope is defined as "recommended guidelines for federal organizations" (p 14) and the audience as "managers within federal organizations and those individuals responsible for information systems or security at system and operational levels." Despite the inclusion of "for Federal Information Systems" in the title, SP 800-34 Rev 1 has a great deal of value for all information assurance and business continuity specialists. Indeed, the authors write, "The concepts presented in this document are specific to government systems, but may be used by private and commercial organizations, including contractor systems." They then list a wide range of specific job titles of people likely to find the document useful, including IT managers, CIOs, systems engineers, and system architects, and add that the document "is also written to assist emergency management personnel who coordinate facility-level contingencies with supporting information system contingency planning activities" (p 15). The references to Federal Information Processing Standards (FIPS) in no way prevent the guidelines from serving organizations outside the U.S. federal government.

The authors describe the structure of the document clearly as follows (p 16):

• Section 2, Background, provides background information about contingency planning, including the purpose of various security and emergency management-related plans, their relationships to ISCPs, and how the plans are integrated into an organization's overall resilience strategy by implementing the six steps of the Risk Management Framework (RMF)….

• Section 3, Information System Contingency Planning Process, details the fundamental planning principles necessary for developing an effective contingency capability. This section presents contingency planning guidelines for all elements of the planning cycle, including business impact analysis, alternate site selection, and recovery strategies. The principles outlined in this section are applicable to all information systems. The section also discusses the development of contingency plan teams and the roles and responsibilities commonly assigned to personnel during plan activation.

• Section 4, Information System Contingency Plan Development, breaks down the activities necessary to document the contingency strategy and develop the ISCP. Maintaining, testing, training, and exercising the contingency plan are also discussed in this section.

• Section 5, Technical Contingency Planning Considerations, describes contingency planning concerns specific to the information systems listed in Section 1.3, Scope. This section helps contingency planners identify, select, and implement the appropriate technical contingency measures for their given systems.

The nine appendices provide practical templates and checklists of great utility in BCP. So much valuable information is offered here, in such a structured and clear presentation, that every IA professional concerned with BCP should read, and I hope comment on, this draft publication.

Apple leaves Chamber of Commerce, citing green policies

Don't look for any Apple executives at the next U.S. Chamber of Commerce mixer wearing any of those "Hello, My Name is..." stickers. The computer maker has resigned its membership in the business trade organization, citing opposition to the U.S. Chamber of Commerce's stance on greenhouse gases. The trade group has been a very vocal opponent of current legislative efforts to reduce greenhouse gases. Apple's resignation comes in the wake of comments last week from Chamber of Commerce president Thomas J. Donohue, who said that his group supported federal legislation to reduce carbon emissions but criticized a bill passed by the House of Representatives this summer "because it is neither comprehensive nor international, and it falls short on moving renewable and alternative technologies into the marketplace and enabling our transition to a lower carbon future." That was apparently the final straw for Apple, which has made a strong push to reduce the environmental impact of its products in recent years. In a letter to Donohue, Catherine A. Novelli, the company's vice president of worldwide government affairs, wrote: "As a company we are working hard to reduce our own greenhouse gas emissions by relying on renewable energy at our facilities and designing more energy-efficient products for our customers. ... For those companies who cannot or will not do the same, Apple supports regulating greenhouse gas emissions, and it is frustrating to find the Chamber at odds with us in this effort."

Apple's not the only company to part ways with the U.S. Chamber of Commerce over this issue. The Washington Post reports that three other companies, Pacific Gas and Electric, PNM Resources, and Exelon, have pulled out of the group because of its climate policy. A fourth company, Nike, resigned from the Chamber of Commerce board but remains a member. [Hat Tip: SFGate.com's Bottom Line blog]

Acresso who? Macrovision spinoff changes name, again

Under a legal threat from another software firm with a similar name, Acresso Software Inc. is changing its name to Flexera Software after just 19 months. Acresso sells software such as its installation utility, InstallShield, and its software license manager, FLEXnet, to software vendors and enterprises. The company will officially announce the change next Tuesday but had already notified partners and customers on Thursday.

Acresso was spun out of Macrovision Corp. after the unit was acquired by private equity firm Thoma Cressey Bravo in April 2008. Macrovision retained the digital rights management (DRM) apps for which it is best known, and changed its own name to Rovi Corporation in July. The name Acresso, which the company said was derived from the Latin word "cresco," meaning "to grow, increase," faced a "challenge" from ERP software maker Agresso Software, said Randy Littleson, senior vice-president of marketing for Acresso. "Our executive team decided that there were better ways to invest our time and money, and that we didn't need this distraction," Littleson said. "The action we're taking will let us avoid a potential lawsuit." Agresso did not immediately return an e-mailed request for comment. Agresso was founded in 1980 and has annual revenue of about $475 million, with 3,500 employees at 16 offices globally. That dwarfs Acresso, which has 375 employees and annual revenue of $115 million.

Flexera will be the fourth name in five years facing long-time users of InstallShield, which was bought by Macrovision in 2004. Littleson said the company considered changing its name to InstallShield, its best-known product, but ultimately concluded that the name didn't represent the breadth of its application stable. Perhaps predictably, early public reaction to the new name tended toward the sarcastic. "As if the makers of InstallShield hadn't already done enough damage to their brand, let's just go change names yet again!" wrote Christopher Painter, an InstallShield consultant, on his blog yesterday. "Acresso Software is becoming Flexera Software for no apparent reason. Go ahead. #ScrambleMyBrands," one tweet said. Littleson dismissed the notion, raised by some bloggers, that the new name will cause legal trouble or simply confusion with Flexera, a solar and wind power company. "We're quite aware of it. How similar are we to an energy company? We think this is very different, compared to when it was two software companies. That's one of the reasons why it's Flexera Software," he said.