Cyber Security Institute

Tuesday, October 31, 2006

Employee Privacy, Employer Policy

Mark Rasch looks at two recent court cases where an employee’s reasonable expectation of privacy was more important than the employer’s ability to read any employee’s e-mail - despite a privacy policy that clearly stated any company e-mail can, and will, be monitored.  Your organization has a computer and Internet use policy.  It’s been reviewed by corporate counsel, approved by senior management, and implemented over the years.  The policy is comprehensive - it includes policies on expectations of privacy, employee monitoring, and the ownership of corporate electronic assets.  Now, during the course of an internal investigation, you want to read an employee’s e-mail, examine the contents of his company-supplied computer, and review the telephone calls he made on the company-owned cell phone.  A pair of recent cases in the United States raise the fundamental question, “do you have a reasonable expectation of privacy at the workplace?”  In the United States at least, most people confronted with this question would answer a resounding no, right?


Bot nets likely behind jump in spam

A significant rise in the global volume of spam in the past two months has security analysts worried that bot nets are increasingly being used by spammers to stymie network defenses erected to curtail bulk email.  Estimates of the magnitude of the increase in junk email vary, but experts agree that an uncommon surge in spam is occurring.  On the low side, Symantec, the owner of SecurityFocus, has found that average spam volume has increased almost 30 percent for its 35,000 clients in the last two months.  Others have seen much more significant jumps: Spam black list maintainer Total Quality Management Cubed has seen a 450 percent increase in spam in two months, and the amount of spam filtered out every week by security software maker Sunbelt Software has more than tripled compared to six months ago.


Websense Launches New Threat Prevention Tool

Websense introduced its latest malware detection technology on Oct. 31, rolling out its ThreatSeeker application that will serve as the technological foundation for all of the company’s security software products.  As Web-based threats have shifted away from traditional attacks focused on software vulnerabilities to so-called zero day exploits aimed at previously unidentified flaws, traditional anti-virus and intrusion detection technologies have left users with inadequate protection, Websense officials maintain.  By utilizing a vast network of data mining machines, along with some 100 proprietary processes based on a combination of mathematical algorithms, behavior profiling and code analysis, the San Diego-based company claims that the technology can identify zero day threats and other attacks before they show up on corporate networks.


Monday, October 30, 2006

Report: IT Capital Spending Will Slow In 2007

Despite recent improvements in the economy, the outlook for IT spending in 2007 calls for slower growth, particularly as it relates to investments in hardware.  A recently released report by Forrester Research finds that overall tech spending will grow only 2 percent next year, compared with an estimated 6 percent this year and 7 percent in 2005.  Capital spending, which Forrester is forecasting to be up 3 percent totaling $354 billion this year, will decline by 1 percent in 2007.  According to the soon-to-be released 2007 VARBusiness State of The Market report, solution providers and integrators are budgeting for 25 percent growth, though services now account for 60 percent of their sales.


Thursday, October 26, 2006

Super Power Password Protection - Watching You Watching Me

Confidential emails, files, financial data, instant messaging data, you name it, find their way into the public domain and overnight a company is faced with a crisis or an individual’s private indiscretions become public property.  And regardless of whether or not in some cases there may be an issue of the “greater good”, ultimately questions have to be asked as to why nothing seems to be confidential anymore.  So who can have access to information, and why, in spite of all the security that organisations have in their IT infrastructure, is this still a daily occurrence?  In a recent Cyber-Ark survey of large enterprises, over 50% of organisations admitted to rarely if ever changing the passwords for shared accounts in their infrastructure.  They are not being changed as frequently as enterprise policy requires, mainly due to the overwhelming operation that must take place after each change—notifying administrators, changing scripts and applications, and setting the passwords in services that use them.  Even more revealing was the admission that although 99% of enterprises enforced password changes for users on their PCs, only 1% changed the administrator password on the same device, and in the vast majority of cases the administrator password was the same on every PC in the company.


Wednesday, October 25, 2006

Security, Networks To Converge, And Move Offshore

A few years ago, when networking technology experts and traditional security experts got together, they could barely communicate.  Now, the two areas are converging at a rapid pace and business leaders should plan for more changes ahead, according to several experts who spoke Wednesday.  Both IT and physical security are likely to be driven by government regulations and business needs and are likely to move offshore, said panelists at InfoSecurity and the International Security Conference & Exposition.


Brokerages lose $22M to hackers in three months

High-tech crooks using spyware are costing U.S. discount brokerages millions of dollars to repay clients who have been victimized by fraud, the brokerages said in recent days.  The U.S. Securities and Exchange Commission warned earlier this month that scammers were hijacking online brokerage accounts using spyware and operating from remote locations.  TD Ameritrade said that repaying customers whose accounts had been hacked cost it $4M in its third quarter.  Harder hit was rival E*Trade Financial Corp., which last week said its fraud losses ballooned by $18 million in the third quarter from swindlers who stole clients’ identities and manipulated their accounts.


Five Things Every CSO Needs to Know About the Chief Privacy Officer

What does privacy have to do with security?  From the federal government to the private sector, CPOs are emerging as important players.  It’s essential that CSOs cultivate common ground with privacy executives.


Tuesday, October 24, 2006

Ponemon Report Shows Sharp Rise in the Cost of Data Breaches

NY 2006, PGP Corporation, Vontu, Inc., and The Ponemon Institute, a privacy and information management research firm, released the 2006 Annual Study: Cost of a Data Breach.  According to the Privacy Rights Clearinghouse, more than 330 data loss incidents involving more than 93 million individual records have occurred since February 2005.  According to the study’s 2006 findings, data breaches cost companies an average of $182 per compromised record, a 31 percent increase over 2005.


IP Theft Up in First Half of Year: Report

Counterfeits and intellectual property (IP) theft cost companies millions in the first half of 2006, according to a report released Tuesday.  An estimated 760 copyright and trademark intellectual property thefts in 69 countries between January and June 2006 cost companies nearly $700 million, up 7 percent from the year-ago period, according to Gieschen Consultancy’s 2006 Mid-Year Counterfeit & Piracy Intelligence Report.


It’s the People, Stupid

When asked to rank their top priorities, more than 4,000 security professionals in more than 100 different countries named two “people” issues: gaining support from management and getting users to follow security policies, researchers said.  “Over the past six years or so, there’s been a lot of emphasis on technology buying and technology implementation, but security professionals and their companies are really beginning to see that technology is only part of the answer.”


Zombies continue to chase Windows PCs

Malicious remote control software continues to be one of the biggest threats to Windows PCs, according to a new Microsoft security report.  More than 43,000 new variants of such insidious software were found in the first half of 2006, making them the most active category of malicious software, Microsoft said in a Security Intelligence Report published Monday. In June Microsoft also flagged zombies as the most prevalent threat to Windows PCs.  “Attackers, with financial gain in mind, are clearly concentrating a significant amount of development focus on this category of malware,” Microsoft said in the report.


Monday, October 23, 2006

Techniques For Measuring IT’s Effectiveness

Failed customer interactions, and those at risk of failure, represent a key opportunity for companies to improve the processes that matter most.  American Power Conversion takes note every time a customer interaction doesn’t hit the mark—say, when a product doesn’t ship on time.  APC considers that information even more valuable than its CRM success rate.  The company has created an alert system to notify the appropriate employees when a customer engagement is at risk of failing, giving APC a chance to take corrective action and minimize those failures. [Website note:  This is applicable to measuring security effectiveness as well.]


Critics concerned over Vista security changes

Last week, industry analyst firm Gartner warned companies to hold off on upgrading to the 64-bit version of Windows Vista if the firms rely on host-based intrusion detection systems.


Friday, October 20, 2006

Crisis Plans Undercut

Seventy-eight percent of 75 senior IT and business continuity professionals (8 percent of whom represent financial services organizations) surveyed report that their organizations have installed or are in the process of upgrading technology to support telecommuting or remote customer access in case of a disaster.  However, only 9 percent of respondents have an increased budget with which to work and, as a result, a mere 12 percent believe that their companies are adequately prepared to handle a pandemic or major health crisis.


Planning for an Internal IT Risk Assessment

When planning for an internal IT risk assessment, it is a good idea to have a solid understanding of risk management first.  The finance and accounting departments in most organizations now have a firm grasp on risk management from a business perspective, thanks to Sarbanes-Oxley.  However, when the IT Security department takes responsibility for an internal IT risk assessment, some things are lost in translation.  An effective risk management program protects the company and its ability to perform its mission.


Wednesday, October 18, 2006

Europe prepares for data breach notification legislation

The European Commission has published proposals for a change in law that would force telecoms firms to notify regulators and customers of all breaches of data security including, for example, lost laptops and stolen backup tapes.


Monday, October 16, 2006

Phishers more successful than first thought

A higher than expected percentage of internet users are falling victim to phishing scams, US academics claimed today.  Researchers at Indiana University’s School of Informatics said that phishers targeting US adults could be netting responses from as much as 14 per cent of the targeted users per attack.


Sunday, October 15, 2006

Saudi passes cybercrime laws

The council responsible for enacting laws in Saudi Arabia has passed the Kingdom’s first legislation to address the rise in electronic crime.  The 120-member Shoura Council last week approved all 16 sections of the law, which deals with offences such as hacking, defamation and the spread of terrorism.


Friday, October 13, 2006

Targeted Trojan attacks on the rise

On December 1, 2005, two e-mail messages were sent from a computer in Western Australia to members of two different human rights organizations.  Each e-mail message carried a Microsoft Word document with a previously unknown exploit that would take control of the targeted person’s computer and open up a beachhead into the group’s network.  The attack failed, as did a second attempt to infiltrate the same human rights groups a week later, due in no small part to an overabundance of caution on the part of e-mail security provider MessageLabs, which initially blocked the e-mails based on the strangeness of the Word attachments.  The attacks only targeted a single person at each organization and, after the two attempts, never repeated.  Such targeted Trojan horse attacks are quickly becoming a large concern for corporations, the military and political organizations, said MessageLabs security researcher Alex Shipp.  The e-mail security provider intercepted 298 such attacks between May 2005 and May 2006, and the threat of targeted Trojans is only increasing.  “If you haven’t noticed these attacks and you are a big company, you have likely already been attacked,” Shipp told attendees at the Virus Bulletin 2006 conference.
Targeted Trojan horse attacks are quickly becoming a major issue for the antivirus and computer-security industries.


Thursday, October 12, 2006

A-Listing Your Apps

Whitelisting is getting a second look by some enterprises worried that unknown threats might get past antivirus and other blacklisting systems.  Whitelisting, the process of spelling out exactly which applications can run on a client machine, traces its roots to the mainframe and is typically considered overkill in today’s networks, as well as a potential management headache.  But the rise in zero-day attacks and paranoia about users running whatever they want on their machines (think peer-to-peer apps), or introducing malware via USB sticks, has led some organizations to think retro.


Wednesday, October 11, 2006

Oracle commits to rating vulnerabilities

Database maker Oracle announced that the company’s quarterly Critical Patch Updates (CPUs) will give administrators more guidance by providing a summary of the flaws fixed in the update and grading the threat posed by each issue.  The company will grade the severity of each flaw using the Common Vulnerability Scoring System (CVSS), highlight flaws that are remotely exploitable by an unauthenticated user and summarize the vulnerabilities fixed by a patch.


Compliance: A Multi-Front War

SOX. GLBA. HIPAA. PCI. FFIEC. HSPD-12. FIPS 140. If you’re dealing with any of these regulations in your IT security job, you know the pain of compliance projects.  More and more security groups—particularly those in large enterprises—are finding that they’re working on simultaneous, often overlapping projects that come from multiple project teams working on different compliance initiatives.  “If you’re a public company, you’re dealing with [Sarbanes-Oxley].  And I would say 30 to 40 percent of the enterprises we work with are dealing with at least one more set of regulations,” says Marne Gordan, director of regulatory affairs at Cybertrust, which offers security consulting services for many Fortune 1000 companies.  Officials at Accenture and Symantec Security Transformation Services—a joint organization unveiled by the two companies yesterday—said the need to eliminate “silos” between compliance projects was a key driver for the partners’ venture.


Email Looms as IT Threat

Yet that’s what turned up in a survey of 1,043 email users conducted by the Association for Information and Image Management, which calls itself the Enterprise Content Management (ECM) association (an example of what happens when you seek to modernize your name but still own a longstanding brand and URL).  For respondents in companies of all sizes, formal policies govern things like acceptable employee use of email systems, acceptable content of messages, mailbox size, and a company’s ownership of the email.  Just 30 percent of respondents said they had any email encryption policy in place, and 37 percent had a policy for instant messaging—this despite 61 percent of respondents reporting concern about theft of confidential info or intellectual property via email.


Tuesday, October 10, 2006

Britons fear cybercrime more than burglaries

A survey released by the UK government has revealed that the British public is now more fearful of cybercrime than burglary and crimes against the person such as muggings.  The survey was carried out by Get Safe Online, a cybersecurity awareness campaign launched last year by the British government, UK’s Serious Organised Crime Agency and private technology companies.  According to its results, Internet users fear bankcard fraud the most (27 percent), followed by cybercrime (21 percent) and burglary (16 percent).  According to the survey, 52 percent of those questioned did some of their banking online; nearly a third (32 percent) used the Internet to pay their bills, while just under a quarter (23 percent) shopped for groceries over the net.


Midmarket IT pros have NAC for identity, access management

Todd Towles has been around the block enough times to know that regardless of a company’s size, IT administrators must always authenticate users and keep tight control of their network behavior.  Otherwise, malicious people will have little trouble stealing sensitive information, which can all too easily be used to destroy the company’s reputation or commit identity fraud against customers.  Towles is an IT security consultant who today works for a large financial enterprise, but most recently worked for a retail chain closer to the midmarket with about $2 billion in annual revenue and 12,000 or so employees.  In both environments, he said, IT managers must always reevaluate the resources that users are able to access. But global enterprises have more money to spend on controls like two-factor authentication, smart cards and tokens.


Symantec Says The Worm And Virus Problem Is Solved. Here’s What’s Next

Phishing and other attempts to steal data and money are the real problems, CEO John Thompson says. So Symantec’s next group of security offerings will focus on the integration of technologies that protect information.  Symantec announced some of the specific products, services, and strategy behind the “Security 2.0” initiative it has been hinting at for the past several weeks.  The more relevant threats today are phishing and fraud, as well as organized crime’s interest in stealing and reselling personal information, and its Security 2.0 products are aimed at those.


Q1 Labs Survey Shows Network and Security Professionals Seeking One Solution That Combines SIEM and

Q1 Labs, a leading network security management company, surveyed over 200 companies to learn how they are managing network security today and the technology directions they want for the future.  The convergence of network and security organizations has continued with more people now reporting to converged organizations.  The findings indicated that 31% say the responsibility for network security resides in the networking organization alone, up from 20%, while shared responsibility for security and networking has increased from 28% in 2004 to 35% now.  When asked whether it is important to combine network behavior monitoring and security information monitoring in one solution, a resounding 70% agreed while only 8% disagreed.


Conducted by Harris Interactive, the study found that IT executives are increasingly aware of energy

Conducted by Harris Interactive, the study found that IT executives are increasingly aware of energy, with three quarters of the nearly 200 executives queried saying energy efficiency has become a buying priority. On the other hand, the study found that many IT directors—38 percent of respondents—do not know how much they are spending on electricity.  “There are people out there running out of power in their data centers and thinking about energy but have not yet moved to the next stage—managing power consumption, which is a sizable piece of their budget,” said David Douglas, Sun’s vice president of eco-responsibility.


Monday, October 09, 2006

How Insecure Do You Think You Are?

A new Cisco-sponsored global study of 1,000 remote workers indicates that IT workers may well be engaged in more insecure activities than they are willing to admit.  Users are apparently aware of insecure activities, such as opening e-mail attachments from unknown senders; yet they still open the attachments and e-mails.  The study, which was conducted by research firm InsightExpress, reveals a number of such security contradictions.