Category Archives: Security News

IBM launches new threat-analytics tools in the cloud

Ever since its acquisition of Q1 Labs back in 2011, IBM has been selling its QRadar security event management software in the traditional way, whereby customers pay a price and download the version they want.

On Tuesday, however, the company launched two new services that make the technology available through a cloud-based Software as a Service (SaaS) model instead.

IBM Security Intelligence on Cloud, for instance, is designed to help organizations determine whether security-related events are simple anomalies or potential threats. Built as a cloud service using IBM QRadar, the tool lets enterprises correlate security-event data with threat information from more than 500 supported data sources for devices, systems and applications. More than 1,500 predefined reports are also available for a variety of use cases.

Intelligent Log Management on Cloud, meanwhile, is the second new QRadar-powered service IBM launched on Tuesday. Aiming to simplify security and compliance data collection and reporting, it runs analytics on a hosted, multitenant platform to deliver compliance reporting along with real-time correlation and anomaly detection.

“Security leaders are telling us they want increased visibility through the cloud and control throughout their hybrid IT environments,” said Jason Corbin, vice president for product management and strategy with IBM Security. “The option of doing predictive analytics via the cloud gives security teams the flexibility to bring in skills, innovation and information on demand across all of their security environments.”

The new products will be available mid-May with the optional addition of IBM’s managed security services for extra support. Pricing details have not yet been announced.

Report: IT managers not best leaders in breach crisis

Technology managers are typically expected to take the point when a company is hit by a major cyber security crisis, but a more business-oriented leader might be more effective, says a new report from Booz Allen Hamilton.

It’s the business leaders who typically make all the big decisions affecting the whole company, said Bill Stewart, executive vice president at Booz Allen Hamilton.

“In a crisis, it doesn’t work that way,” he said. “The roles get flipped.”

But a technology manager is going to focus on the technology — on fixing the things that are broken and getting the adversary out of the systems.


But crisis management also involves legal issues, crisis communications and other strategic decisions that an IT manager may be unprepared for or not have time to deal with.

In addition, technological solutions may sometimes be in conflict with what’s best for a company as a whole.

“They may have to shut the systems down, reconfigure things, and do other things that will affect the business,” Stewart said. “And they might not be in a situation where they understand the broader business objectives. Having someone who understands the broader business helps them make better decisions.”

However, it may not make good financial sense for a company to have a full specialized crisis management team standing by at all times, ready to jump into action.

“There’s a whole suite of things that you may need, depending on the type of crisis and the scenario that you’re dealing with,” he said.

It makes more sense for a company to outsource a lot of this work, but Stewart urged companies to set up the plan, and find the right partners, well ahead of time.

“If you wait until you’re in a crisis it’s too late,” he said. “You have to do a lot of research, and you lose a lot of time there, then you have to get people in, and when you get people in, they have to learn the company and that wastes a lot of time.”

The looming Internet of Things

Another major change Booz Allen focused on in the report is the coming Internet of Things.

The combination of an expanding IP address space and falling hardware prices means that networked devices will soon be showing up everywhere.

The number of cyber breaches occurring now will seem small in comparison.

“The Internet of Things is going to change the scale of things drastically,” Stewart said. “The exposure is going to be much greater.”

The problem is that the ordinary way of doing things puts security last, he said.

“Our tendency in developing IT infrastructure has been to build it so that it works as efficiently and as cheaply as possible,” he said. “And the result is that it doesn’t include security. Security has an operational cost.”

But with the rising scale and price tag of breaches, companies are starting to recognize the importance of security, and the value of building it in right from the start, he said.

“If you do embedded security, you can actually get to a better, more secure solution more cheaply than if you have to add it on at the end,” he said.

Poor WordPress documentation trips developers, yields plug-ins with XSS flaw

Ambiguous WordPress documentation led many plug-in and theme developers to make an error that exposed websites to cross-site scripting (XSS) attacks.

These are reflected XSS attacks: victims are tricked into clicking specially crafted URLs, and the page built from such a URL echoes attacker-supplied JavaScript into their browsers, where it runs in the context of the vulnerable website.

The impact depends on the user’s role on the website. For example, if victims have administrative privileges, attackers could trigger rogue administrative actions. If victims are regular users, attackers could steal their authentication cookies and hijack their accounts.

The vulnerability stems from insecure use of two WordPress functions called add_query_arg and remove_query_arg and was discovered recently by researchers from code auditing company Scrutinizer.

The Scrutinizer researchers originally found the problem in the popular WordPress SEO and Google Analytics plug-ins developed by Yoast. Joost de Valk, Yoast’s founder and owner, then realized that the same error might exist in other plug-ins.

“I figured out that both the Codex and the developer documentation on WordPress.org for these functions were missing the fact that you had to escape their output,” de Valk said in a blog post Monday. “In fact, the examples in them when copied would create exploitable code straight away.”

Together with members of the WordPress team and researchers from Web security firm Sucuri, de Valk began checking other popular plug-ins for the same flaw and, sure enough, the instances started piling up.

A scan of only the top 400 plug-ins — the official WordPress repository has over 37,000 — revealed over a dozen vulnerable ones, according to Sucuri. Themes are affected too.

The plug-ins found to be vulnerable so far have received patches, so WordPress users are strongly encouraged to check their administrative dashboards for any available plug-in updates. Some plug-ins have been updated automatically, but others have not.

Because there are likely many more vulnerable plug-ins and themes that haven’t been identified yet, developers are advised to check their own code for insecure use of add_query_arg and remove_query_arg.

“Make sure you are escaping them before use,” the Sucuri researchers said. “We recommend using the esc_url() or esc_url_raw() functions with them. You should not assume that add_query_arg and remove_query_arg will escape user input.”

The official WordPress documentation for those functions has also been updated to better reflect the need to escape user input.

Depending on what the affected plug-ins do, they could open cross-site scripting flaws in front-end or back-end pages. This means in some cases XSS attacks can be launched against regular users while in others only against administrators.
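As an added example (not code from the page, from Yoast, Sucuri or WordPress core), the following PHP shows the unsafe pattern the article describes next to its escaped form, and can be run from the command line. Assumptions: the two function_exists() fallbacks are simplified stand-ins that reproduce only the behaviour relevant to this bug (add_query_arg() defaulting to $_SERVER['REQUEST_URI'] and rebuilding the decoded query string without re-encoding it; esc_url() stripping characters outside WordPress's URL character whitelist and entity-encoding & and '), and the request URI is constructed; inside WordPress the real functions are used instead.

```php
<?php
/**
 * Added example: unsafe vs. escaped use of add_query_arg() in a plugin or theme.
 * Run stand-alone with:  php add_query_arg_xss.php
 * Inside WordPress the function_exists() guards skip the stand-ins below.
 */

if ( ! function_exists( 'add_query_arg' ) ) {
    // Stand-in (assumption: mirrors only what matters here). Like WordPress,
    // it defaults to $_SERVER['REQUEST_URI'], decodes the existing query with
    // parse_str() and rebuilds it WITHOUT re-encoding, so any characters the
    // attacker placed in the URL come back raw.
    function add_query_arg( $key, $value, $url = null ) {
        if ( null === $url ) {
            $url = $_SERVER['REQUEST_URI'];
        }
        $parts = parse_url( $url );
        $args  = array();
        if ( ! empty( $parts['query'] ) ) {
            parse_str( $parts['query'], $args ); // percent-decodes values
        }
        $args[ $key ] = $value;
        $pairs = array();
        foreach ( $args as $k => $v ) {
            $pairs[] = $k . '=' . $v;           // no urlencode(), as in core
        }
        return ( $parts['path'] ?? '' ) . '?' . implode( '&', $pairs );
    }
}

if ( ! function_exists( 'esc_url' ) ) {
    // Stand-in for the part of esc_url() that matters here: drop every
    // character outside WordPress's URL whitelist (this removes " < > and
    // whitespace) and entity-encode & and ' for use inside an HTML attribute.
    function esc_url( $url ) {
        $url = preg_replace( '|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]\\x80-\\xff]|i', '', $url );
        $url = str_replace( '&', '&#038;', $url );
        return str_replace( "'", '&#039;', $url );
    }
}

// Constructed request (assumption): the victim followed a crafted link whose
// query string carries a percent-encoded quote and script tag. The browser
// sends it encoded; parse_str() inside add_query_arg() decodes it.
if ( PHP_SAPI === 'cli' ) {
    $_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=demo'
        . '&x=%22%3E%3Cscript%3Ealert(1)%3C/script%3E';
}

// Vulnerable: the pattern the documentation examples produced. The return
// value of add_query_arg() goes straight into an href attribute, so the
// decoded quote closes the attribute and the script tag becomes live HTML.
function vulnerable_pagination_link() {
    return '<a href="' . add_query_arg( 'paged', 2 ) . '">Next</a>';
}

// Fixed: escape for the HTML attribute context before output. For non-HTML
// contexts (wp_redirect(), storing the URL) use esc_url_raw() instead, which
// keeps the ampersands as plain '&'.
function fixed_pagination_link() {
    return '<a href="' . esc_url( add_query_arg( 'paged', 2 ) ) . '">Next</a>';
}

echo 'Vulnerable: ' . vulnerable_pagination_link() . "\n";
echo 'Escaped:    ' . fixed_pagination_link() . "\n";
```

Running the script prints two links. The first contains `x="><script>alert(1)</script>&paged=2">`, i.e. the attribute is broken out of and a script element follows; the second prints `x=scriptalert(1)/script&#038;paged=2`, with the quote and angle brackets removed and the ampersands entity-encoded, so the markup stays inert. The audit the article recommends amounts to finding every place add_query_arg() or remove_query_arg() output reaches HTML and wrapping it as in the fixed function.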

Centrify adds extra protection for sensitive accounts with new cloud service

For CIOs worried about access to shared resources in the cloud and the data center, Centrify has launched an identity-management service that aims to improve protection for IT management accounts.

As enterprises embrace cloud-based apps, access to the privileged accounts used to manage the most sensitive parts of the supporting infrastructure increasingly lies outside the corporate perimeter. In addition, the accounts are frequently shared by internal IT and third parties such as contractors. The combination makes these important accounts more vulnerable to attack, according to Centrify.

To address this issue the company on Tuesday launched CPS (Centrify Privilege Service), a cloud-based identity management offering that can be used to manage access to cloud and on-site systems by remote employees and third parties. It can be used to protect access to shared servers in the data center or in the cloud, along with routers, switches and social media accounts, for example.

Employees can log in using their regular credentials, rather than a shared password, and the service checks if they’re authorized, granting access if they are. But the password CPS actually uses to access the resource is hidden from the user, which adds a layer of security, according to Bill Mann, chief product officer at Centrify.

At the same time, the service monitors the session for forensics and compliance purposes. Security is also improved because CPS allows for systems to be accessed without giving VPN access to the full data center.

Centrify pitches CPS as having the same advantages as other cloud-based apps: fast deployment, ease of use and low up-front costs. Enterprises can also choose the Microsoft Azure data center that will host it. The company already offers an on-site version called Server Suite, which can be used alongside the cloud-based CPS or on its own.

CPS was launched at the RSA Conference, which takes place this week at Moscone Center in San Francisco. It will become generally available in May, priced from US$50 per user per month.

Send news tips and comments to mikael_ricknas@idg.com

West coast gang robs banks with texts, phone calls

A gang of criminals based on the West Coast is robbing banks in the East, using text messages and voice recordings to target small, local banks and credit unions.

Dublin-based mobile security company AdaptiveMobile has been investigating the gang, which has been in operation for the past five years.

The gang starts by obtaining a phone number in the target bank’s area code from which to send the text messages, so the sender looks local.

In the message, they ask account holders to click on a URL or call a phone number. The phone number takes them to a voice recording that asks them for all their account details — up to and including ATM PINs.

“It’s a form of social engineering,” said Cathal McDaid, head of data intelligence and analytics at Dublin-based AdaptiveMobile. “People will tend to trust a message if it seems to come from the local bank.”

They deliberately schedule the messages to go out in the evenings, on weekends, and during holiday periods, when the banks are likely to be closed.

Christmas, New Year, and Martin Luther King Day are particularly targeted, said McDaid.

Not only are the banks more likely to be closed then, but customers might be spending money and have heightened concerns about their credit and bank accounts.

Plus, since the banks are small, they’re not likely to have staff manning the phones during the off-hours to answer questions.

In addition, the phone message specifically asks the customer to wait 24 hours before contacting the bank.

The wording of the text messages changes to evade filters designed to screen out spam. But a typical message might say that the account has been deactivated and that the recipient needs to visit a particular web page or call a certain number.

On a cell phone, it might be harder for a person to tell that the domain name is similar to, but not exactly, that of the bank. And the fake website looks like the actual bank site, McDaid added.

AdaptiveMobile has calculated that over 110,000 people have been targeted over a four-month time period starting this past October.

“The conversion rate doesn’t have to be very high,” McDaid said. “It’s more than enough to pay for itself.”

He estimates that the banks have had several million dollars worth of losses.

This Wednesday, the company will be presenting a visualization of these attacks at the RSA conference. It is an animated view of how the attacks spread from region to region and bank to bank.

“We’re trying to figure out what’s actually happening,” McDaid said. “How exactly they’re doing this, how they implemented it, and what types of banks they’re targeting.”