
Contents contributed and discussions participated by keirth lei

keirth lei

Dyman Associates Risk Management Review: Office 365 Getting Mobile Device Management, S... - 1 views

Dyman Associates Risk Management review Office 365 Getting Mobile Device Security Boosts
started by keirth lei on 03 Nov 14 no follow-up yet
  • keirth lei
     
    Microsoft on Tuesday unveiled several upcoming Office 365 improvements, including mobile device management (MDM) and data loss protection (DLP) controls.

    The announcements were made during the Day 1 keynote of the Microsoft TechEd Europe conference, taking place this week in Barcelona. Julia White, general manager of Microsoft Office, took the stage to demonstrate the ability to connect the cloud-based Azure Active Directory (AD) service with an on-premises Active Directory in "six clicks" during a setup process. With Azure AD in place, IT pros can have their security and auditing functions in one place, she said.

    White also described the ability to edit policies for MDM. The policies get embedded into managed apps, such as Office for iPad apps, she said, and the capability will be "natively built into Windows 10." For instance, IT pros can set copy and paste restrictions on managed apps to protect company data.

    White also talked about the coming DLP capabilities. With DLP, IT pros have access to Office 365 console reports, which show the rules that can be set up. They also show if users are trying to override the rules. If they are, IT pros can modify the policies to add additional restrictions, if wanted. For instance, restrictions can be set regarding the disclosure of credit card information. Alerts can be set up, as well. End users will get policy tips, so they will become aware of the policy restrictions set by IT.

    These Office 365 capabilities are being rolled out at various times, but the target date seems to be the first quarter of next year.

    Data Loss Prevention
    Microsoft already has some DLP capabilities in its OneDrive for Business and SharePoint Online services, including an e-discovery capability. However, the capability to add policy restrictions that can block and restrict access to content will be rolled out in these apps "in the coming months," according to a Microsoft blog post on DLP.

    The first app to get the new DLP controls will be Excel, followed by Word and PowerPoint. DLP will work "natively" in Office applications, Microsoft is promising, and the protection scheme will work at the file level, as well as for e-mail, document libraries or OneDrive for Business folders.

    IT pros will have access to built-in DLP templates to add rules. They can review incident reports showing attempted policy overrides. Additional policy controls for Office 365, such as information rights management, will arrive in the first quarter of 2015.

    File Classifications
    Microsoft also plans to extend its file classification infrastructure capability of the Windows File Server to Exchange Online, OneDrive for Business and SharePoint Online, starting in the first quarter of 2015. Office documents can be classified using this scheme and policies can be set to avoid information disclosure.

    OneDrive for Business and SharePoint Online also have "advanced encryption at rest," which is a capability that Microsoft calls "per-file encryption." Per-file encryption creates a key for every file stored. It also creates a new key for any variants of those files.

    Mobile Device Management Capabilities
    Microsoft is planning to roll out its new MDM capabilities for Office 365 in the first quarter of 2015. Some of these capabilities are being built into Office 365 management, but other capabilities will be available through Microsoft Intune.

    A Microsoft MDM blog post outlined the following Office 365 MDM capabilities:

    * Ability to set security policies for devices that connect to Office 365.
    * Ability to set specific security policies for devices, such as "device level pin lock and jailbreak detection."
    * Ability to set "selective wipe," which allows corporate data to be removed remotely, while retaining personal data on a device.
    * Ability to have MDM management built "directly into productivity apps," which avoids having to set all-in-one management policies across apps.
    * Ability to manage MDM policies through the Office 365 administration portal.

    Microsoft is planning to add these new MDM capabilities to its Office 365 "Business, Enterprise, EDU and Government plans."

    Microsoft Intune Enhancements
    Microsoft Intune optionally will add other MDM capabilities for Office 365 users. It's not quite clear when those capabilities will be available, but Microsoft listed them as follows:

    * Ability to restrict user actions, such as copy and paste, including the ability to set policies for line-of-business apps using the Microsoft Intune app wrapper.
    * Ability to control the viewing of content via the "Managed Browser, PDF Viewer, AV Player and Image Viewer Apps."
    * Ability to integrate Microsoft Intune with System Center 2012 Configuration Manager for a single-console MDM view.
    * Ability to automatically provision enrolled devices, which will automate the deployment of "certificates, Wi-Fi, VPN and email profiles."
    * Ability to bulk enroll corporate devices.
    * Ability to provide end users with a "self-service Company Portal," which allows them to enroll their devices and install their own apps.

    On top of that Office 365 news, veteran Microsoft reporter Mary Jo Foley has reported from the TechEd Europe event that Microsoft plans to release the next version of the Microsoft Office suite, which she called "Office 16 for Windows," in the "second half of 2015."
keirth lei

Dyman Associates Risk Management: eBay In Security Storm With Dangerous Flaw Wide Open - 1 views

Dyman Associates Risk Management
started by keirth lei on 29 Sep 14 no follow-up yet
  • keirth lei
     
    Auction site eBay has found itself in the midst of another security storm after apparently choosing to leave a security hole wide open - in the interests of user functionality - as customer details were being stolen.

    It is the latest in a trio of serious cybersecurity problems at the company this year, following a database breach in May, and the theft of details from its StubHub ticket site customers two months later.

    eBay allows highly visual JavaScript and Flash content to be included in its listings, which is a somewhat unsurprising step - however, the company reportedly knew for months that a number of hackers were manipulating this code for malicious content, and left the ability to add the code largely as it is, in the interests of offering sellers attractive auction listings.

    Cyber criminals have been using the technology to introduce cross-site scripting (XSS) - in which customers are led to a fake, eBay-mimicking site to enter their payment details. At least 100 exploited listings have been identified by the BBC, which reports that the problems continue even though eBay may have been aware of them since February.

    'Not An Okay Situation'

    Security experts have lambasted eBay's handling of the problems. Chris Oakley, principal security consultant at testing firm Nettitude, says he would expect "all organizations, particularly those with vast quantities of customer data to protect" to have the required, standard cross site scripting defenses in place.

    "This hat-trick of security incidents will surely do the company no favors in terms of restoring and maintaining consumer confidence," adds Paul Ayers, European VP at data security vendor Vormetric, and Mikko Hypponen, chief research officer at security firm F-Secure, describes the situation as "not okay". Independent expert Graham Cluley told The Drum website that eBay was not in "proper control" of the situation, which he described as "embarrassing".

    Solving The XSS Problem

    Experts have proposed a number of solutions for eBay, including simply removing the harmful code or listings, or providing its own Javascript editor in which sellers' code can be more easily managed and controlled.

    Dr Adrian Davis, EMEA managing director at security organization (ISC)2, tells Forbes that XSS is a well known threat, adding that "we can't afford to tolerate relatively simple security issues like this, especially for a company as massive as eBay".

    Sites with the issue "need to update their current code to remove the vulnerability", he says. "Functionality for the user would not be impaired, providing the code running in the browser and application is written properly."

    He warns that developers need to be much better trained to write secure code and not focus solely on usability, with "fully qualified and certified individuals, such as those holding (ISC)2's CISSP or CSSLP" qualifications being involved "throughout the entire process".

    "This is an issue that must rise above the purely technical considerations and go onto the agendas of management and business leaders that are driving the development projects. Only then would we see investment in curbing incidents like these."

    Act Much More Quickly

    Randy Gross, chief information officer at industry association CompTIA, says that it is "always difficult" for organizations to strike the right balance between security and convenience. But he adds: "With financial transactions, especially given recent high profile attacks, the pendulum needs to swing hard back toward security and give consumers the confidence their information is secure."

    Fayaz Khaki, an associate director of information security at IDC, adds in a Forbes email interview that it is always difficult for large and complex sites, such as eBay, to be completely XSS free. "However, once an XSS vulnerability has been identified the organization must act quickly to remove the vulnerability", even if it means removing a listing.

    Active content such as Javascript, he says, should only be used where completely necessary, and regular monitoring and vulnerability assessments ought to be carried out to minimize risk.

    "XSS vulnerabilities have existed for a number of years and really companies such as eBay, that came into existence solely as an internet organization, should be on top of these types of vulnerabilities and should have the capability to identify and mitigate these vulnerabilities very quickly."

    eBay said in a statement that cross site scripting risks exist across the internet, and that it has "hundreds" of engineers and security experts who collaborate with researchers to make its own site both usable and safe.

    It added: "We have no current plans to remove active content from eBay. However, we will continue to review all site features and content in the context of the benefit they bring our customers, as well as overall site security."

    Criminals behind cross site scripting and phishing activity adapt their code and tactics "to try to stay ahead of the most sophisticated security systems", it said. "Cross site scripting is not allowed on eBay and we have a range of security features designed to detect and then remove listings containing malicious code."
keirth lei

Card Brands Launch Security Initiative, Dyman & Associates Risk Management Projects - 1 views

Card Brands Launch Security Initiative Dyman & Associates Risk Management Projects
started by keirth lei on 12 Mar 14 no follow-up yet
  • keirth lei
     
    http://www.bankinfosecurity.com/card-brands-launch-security-initiative-a-6610

    In addition to the card brands, the coalition will include banks of all sizes, credit unions, acquirers, retailers, point-of-sale device manufacturers and industry trade groups, the card brands say in announcing the effort.

    "The recent high-profile breaches have served as a catalyst for much needed collaboration between the retail and financial services industry on the issue of payment security," says Ryan McInerney, president of Visa Inc. "As we have long said, no one industry or technology can solve the issue of payment system fraud on its own."

    Top Priorities

    The initial focus of the group will be on the adoption of payments cards using chip technology based on the EMV standard that's widely used in other nations. The cards offer greater security than magnetic-stripe cards that are now commonly used in the U.S.

    Other areas of focus for the new group will include:

    * Promoting additional security solutions, including tokenization and point-to-point encryption. "While EMV addresses the physical point of sale, the need to protect mobile and online transactions is critical," the card brands say in their announcement. "In tokenization, the traditional account number will be replaced with a unique digital payment code, providing an additional layer of security."
    * Developing an actionable roadmap for security across all segments of the payments industry.

    "One of the critical roles we play is to protect consumers and businesses against criminals and fraudsters," says Chris McWilton, president of North American markets for MasterCard. "Only through industry collaboration and cooperation will we address the real and immediate issue of security and maintain consumer confidence and trust. EMV will be the next step in these efforts, alongside enhanced security solutions for online and mobile channels."

    The formation of the group, the card brands say, is an acknowledgement of the need for all parties involved in the payments process to work together and will "ensure all voices can contribute to the strategic direction of payment security."

    MasterCard and Visa also expect the new group to engage with other ongoing security efforts, including proprietary risk councils, EMV task forces and standards management bodies.

    Assessing the Efforts

    News of the card brands' focus on tokenization and point-to-point encryption is encouraging, says Gartner analyst Avivah Litan. The efforts could make a meaningful difference if standards are created for the technologies "so that one vendor's solution [is] interoperable with another," she says.

    "These standards have been lacking in the market, and, as a result, especially with point-to-point encryption, retailers and card acceptors are somewhat hesitant to adopt the technology out of valid fear of vendor lock-in and the pricing and competitive disadvantages that go along with that," Litan says.

    "Visa and MasterCard have had plenty of time to work on these standards," she says. "Let's see if they do something meaningful and actionable this time."

    Read More:
    http://dymanassociatesprojects.com/
    http://dymanassociatesprojects.com/about.html
    http://dymanassociatesprojects.com/cyber.html
    http://www.buzznet.com/groups/dymanassociatesprojects/
keirth lei

Dyman Review: Panchal Associates, Boilers Accessories - 2 views

Dyman Review Panchal Associates Boilers Accessories
started by keirth lei on 23 Dec 13 no follow-up yet
  • keirth lei
     
    We would like to introduce ourselves as a Manufacturer of Duoblock type Industrial OIL / GAS Burners, their spares & accessories. The Proprietor, Mr. B. H. Panchal is having wide experience in Erection, Commissioning & Servicing of M/S OERTLI & KLOCKNER type OIL / GAS Burners with M/S. IAEC INDIA LTD; BHANDUP, MUMBAI. We manufacture Oil / Gas Burners, their Spares, Accessories & Controllers like Positioner controllers, Electronic Low Water probe relay etc.

    We also manufacture replacement spares for the Boilers manufactured by M/S. IAEC INDIA LTD., MUMBAI and any other Make & Brands of The Boilers & Burners. We Design & Manufacture Import substitute for special purpose Burners & their accessories. We also Sale & Services LANDIS & GYR, SATRONIC, PETERCEM & other Make & Brands of Sequence controllers for Oil & Gas Burners. We also undertake Guaranteed repairs of all types of the Burners & Boilers components, Controllers & their accessories.
keirth lei

Dyman & Associates Risk Management Projects - 2 views

Dyman & Associates Risk Management Projects
started by keirth lei on 29 Nov 13 no follow-up yet
  • keirth lei
     
    Dyman & Associates Risk Management Projects utilizes its decades-old track record in cyber security to provide protection for your employees, intellectual property, and other precious assets. Our consultants not only have many years of experience, but are also dedicated to the regular honing of their skills and keeping current on the innovations in hacking techniques and security trends.

    Our services include:

    * Cloud Security
    * Mobile Security
    * Incident Response
    * Computer Forensics
    * Electronic Discovery
    * Penetration Testing

    Quite often, organizations muddle through crises in isolation, undertaking prime decisions within a vacuum. Dyman & Associates Risk Management Projects has the collective know-how to minimize your exposure to risk and help make your business become more resilient. We will work diligently for your benefit. We believe that honesty, reliability, and excellent customer service serve as the foundation for lasting relationships. Moreover, we supply empathy, humility, and a promise to give back to our community.

    Dyman & Associates Risk Management Projects

    Cyber Security
    The increase of incidents of cyber-attacks against businesses and government agencies in the United States continues. FBI Director Robert Mueller revealed that, "Terrorism is still FBI's top priority. But very soon, we expect that the cyber threat will replace terrorism as the number one threat to national security".


    Source: http://dymanassociatesprojects.org/