Cyber Security Institute

Thursday, April 26, 2007

Microsoft adds security muscle

The Redmond, Wash., software giant announced this week that it is setting up security response and research operations in Ireland and Japan and launched a preview of a new online Malware Protection Center.  Microsoft is taking on incumbents such as Symantec, McAfee and Trend Micro, the world’s top three antivirus companies, to conquer part of the multibillion-dollar security market.  Industry watchers say Microsoft has done an impressive job building its security organization, though the scaffolding has yet to come off.


Wednesday, April 25, 2007

Companies Say Security Breach Could Destroy Their Business

One-third of companies said in a recent poll that a major security breach could put their company out of business, according to a report from McAfee.  The security company unveiled a study Tuesday showing that 33% of respondents said they believe a major data-loss incident involving accidental or malicious distribution of confidential data could put them out of business. To protect customers, employees, and shareholders, data loss prevention needs to become a top priority at every level of the organization, from the board room to the lunch room.


Compliance drives security configuration management

Spending on products that monitor security configurations across various systems in an enterprise is on the rise, and compliance initiatives are fueling the spending, according to analysts who follow the market.  In many cases an auditor is coming in and saying that there are shortcomings in change and configuration management so we’re seeing more activity from in on the operations side.  While a number of niche players are capitalizing on the spending, some are broadening their reach as businesses seek vendors that can provide a wider range of services.  In a study conducted last year by Forrester, Altiris and BindView, security vendors that were both acquired by Symantec, were identified as the leaders in the market, followed by LANDesk Software and BigFix.  There’s no doubt that Symantec saw security configuration management as a growing trend and needed to broaden the features of its product, Kark said.


Tuesday, April 24, 2007

Malware Spikes in 1Q As Hackers Increasingly Infect Websites

The number of new pieces of malware spiked in the first quarter of this year, and the majority of the new threats are being embedded in malicious Web sites.  According to a study from Sophos, an antivirus and anti-spam company, researchers discovered 23,864 new threats in the first three months of 2007. 


Monday, April 23, 2007

The RAND Corporation last week sounded the alarm for refocusing the nation’s attention on a potentia

The RAND Corporation last week sounded the alarm for refocusing the nation’s attention on a potential pandemic outbreak, warning that the country is underprepared for a disaster that could claim as many as 2 million U.S. lives.  Lurie said a pandemic might kill 2 million U.S. residents and 50 million worldwide.  The federal government has invested more than $5 billion since the terrorist attacks of Sept. 11, 2001, to upgrade the country’s ability to prevent and respond to large-scale public health emergencies, she said.


Sweetening the Honeypot

New free tools and services aimed at making honeynets more manageable are now becoming available: The Honeynet Project next month will roll out its new Global Distributed Honeynet as well as new honeynet tools, Dark Reading has learned, while the New Zealand Honeynet Alliance has begun offering client-based honeynet services for organizations that can’t run their own servers.  Most enterprises have avoided running these servers for fear of inviting trouble and because managing them and sifting through the data has been a time-consuming, resource-intensive process.  And while honeynets provide lots of attacker and attack data, they’re passive nodes that don’t actually stop attacks.


Thursday, April 19, 2007

Users Confess Security Fears

Maverick staff, portable media, and stolen laptops are just some of the issues keeping CIOs and IT managers up at night, according to a panel discussion here this week.  “Shortly after I came on board we had an experience where some burglars broke into one of our buildings and stole about eight laptops,” he said, explaining that the laptops contained personal information on employees.  Since the theft, SAIC has developed a comprehensive strategy for dealing with both physical and cyber security.  “As good as we’re getting at this thing, this is the one thing that keeps me awake at night,” said Cole.  Another panelist, Richard Villars, the vice president of storage systems at IDC, highlighted the emerging risk posed by maverick, yet influential, members of staff.


Targeted Attacks on the Rise

It’s the other end of the threat spectrum: Instead of a massive attack on hundreds of your users, it’s one message, sent to a single user, containing a backdoor Trojan—or worse.  Such narrowly-targeted attacks are becoming more popular than ever, according to a new report issued today by MessageLabs.  The messaging security company says it identified 716 emails in 249 targeted attacks last month.  Most of the email attacks came in the form of malware hidden in a Microsoft Office document.  Some 45 percent of the attachments were PowerPoint; 35 percent were MS Word files.


Tuesday, April 17, 2007

Employers warned on e-mail spying

A new ruling, which said a college had breached a woman’s privacy by secretly monitoring her e-mails, means employers cannot spy on staff, say legal experts.


Monday, April 16, 2007

Top 10 Internet Crimes of 2006

The Internet Crime Complaint Center filed its annual report last month, but didn’t get the attention it deserved.  This is the sixth annual report by the U.S.-based center, which is run by the FBI and the National White Collar Crime Center.  The complaint center, dubbed IC3, compiles its figures by drawing on the flood of complaints pouring into U.S. law enforcement and regulatory agencies.  The list of crimes runs the gamut, led by various financial scams (auction fraud, failure to deliver goods or money, credit card fraud), followed by other acts that have become a daily feature of online life (computer intrusions, spam, child pornography).  By far the most reported crime: Internet auction fraud, garnering 45 percent of all complaints.


Internal IT Threats in Europe 2006

InfoWatch and the world’s—first-ever annual study on the problems of internal IT security in Europe.  The findings are based on surveys InfoWatch conducted with a range of middle- and upper-tier IT management professionals from 410 companies across Europe.  The EU—unlike the US—has had no directives requiring the mandatory notification of victims in cases of data breach, and companies have been slow at times to initiate notification procedures.  It is natural that company management would fear the major costs—both financial and in terms of lost reputation—which accompany a data leak.  And rather than initiate costly procedures against themselves, some have opted to hope that the problem will just go away, especially in the typical case of a lost or stolen laptop.  Such a policy of avoidance can result in hefty losses for those whose data is held on the computer and who become victims of identity theft as a result.  Many companies have, of course, been proactive in dealing with such leaks, notifying those affected, setting up advice hotlines, providing bank account monitoring and bringing in the law-enforcement agencies.  But while, to date, admissions of data leakage across the EU have relied on companies choosing to make that information public—a decision which has depended on how the company perceives its best interests in the circumstances—that may soon change.  While InfoWatch welcomes the growing appreciation among IT managers of the importance of viable preventative solutions to internal information security, InfoWatch looks forward to being able to share with their partners and clients the clearer picture of data leakage across Europe that the proposed EU directive will stimulate.


SCADA State of Denial

Utilities and other process-oriented companies that run supervisory control and data acquisition (SCADA) systems are starting to feel the heat of security vulnerabilities—and hackers.  Some of these risks—and bugs—are unique to their environments, which historically weren’t secured because they were built to be isolated, closed systems, but they also share the same Microsoft vulnerabilities as a typical enterprise does.  These once-cloistered systems and networks are increasingly using off-the-shelf products such as Microsoft-based operating systems and IP-based networking equipment, and require interconnection via the Internet as well, which also opens the door to attackers from the outside in addition to the inside.  With critical infrastructures at risk when it comes to power (nuclear and otherwise), water, and transportation companies running these systems, the stakes are obviously much higher.  One of the biggest missing links is authentication: Many don’t even bother using authentication because they consider their systems closed and therefore safe, he says.


Thursday, April 12, 2007

How Much Would Data Theft Cost You? Calculate It Online

Darwin Professional Underwriters, a specialty insurance company and provider of technology liability insurance, has posted an online calculator to help IT managers calculate how much their company stands to lose from data theft.  The Tech//404 Data Loss Cost Calculator is a free, interactive tool designed to assess the impact of a data breach or identity theft data loss incident, according to a release.  On Wednesday, Forrester Research Inc. released its own calculations, noting that the average security breach can cost a company between $90 and $305 per lost record.


IBM Offers Reference Tool

IBM announced the availability of a free, Web-based tool that provides clients with an information guide of best practices based on IT Service Management and governance initiatives.  The new version of the IBM Tivoli Unified Process (ITUP) is the industry’s broadest “how to” source of information on industry best practices.


E-mail monitoring may violate European laws

Monitoring employees’ Internet and telephone use at work may contravene human rights laws in Europe, according to a ruling in a landmark case in the European Court of Human Rights last week.  The case involved a public-sector employee who won $5,910 in damages and $11,820 in court costs and expenses after her communications were intercepted by her employer, Carmarthenshire College, based in South Wales.  Lynette Copland successfully took the U.K. government to court after her personal Internet usage and telephone calls were monitored by one of her bosses in 1999.  The ruling means that the private use of company telecommunications equipment and Internet access may be protected under European human rights legislation, if the company has an acceptable personal-use policy and fails to inform employees that their communications may be monitored.


Blanket Discovery for Stolen Laptops

Mark Rasch discusses the legal issues behind the discovery and recovery of stolen laptops that use LoJack-style homing devices to announce their location, and the location of the thieves, anywhere in the world.


Blanket Discovery for Stolen Laptops

Bloggers post confidential information, defamatory information, or just annoying information.  Websites host stolen credit cards, hacking tools and techniques, or other things that you might not want.  In the course of investigating these things, companies or law enforcement agencies frequently need to rely on information in the hands of third parties.  An example of this is the various companies that offer data or computer locator services.  If a corporate computer is reported lost or stolen, these services use various means to identify the computer, or the data on it.  When the target computer is then used - generally to get online - the computer essentially “phones home” with its location.  The computer doesn’t really give its location.  At best, it can reveal the Internet Protocol (IP) address of the network it is on.  While this information is helpful to the true owner of the computer, it is not sufficient to locate and/or recover the stolen hardware.


Monday, April 09, 2007

How SOA increases your application security risk

Service-oriented architecture changes the security equation by introducing a greater reliance on third parties for application development and operation.  But according to Ray Wagner, managing vice president of information security and privacy at Gartner, this is a matter of degree rather than an introduction of a totally new security exposure.  For instance, an SOA application may depend on a web-based third-party service to provide vital functionality, with obvious security implications.


Sunday, April 08, 2007

Boffins working on RFID super-shield

A group of Dutch researchers at Vrije Universiteit in Amsterdam, led by PhD student Melanie Rieback, is building RFID Guardian, a personal RFID firewall to allow individuals to monitor and control access to RFID tags.  When it’s finished, RFID Guardian is intended to be a portable, battery-operated device incorporating an RFID reader that will tell users when new RFID tags appear (for example, when you buy a tagged item), when they’re being read, and who owns them.


Thursday, April 05, 2007

SecureRF Intros Secure RFID Tag

This battery-assisted passive tag uses SecureRF’s breakthrough in security technology that authenticates and encrypts data communications on the tag itself, an industry first.


Wednesday, April 04, 2007

Hackers now offer subscription services, support for their malware

A list of options at the top of the home page allows visitors to transact business in Russian or in English, offers an FAQ section, spells out the terms and conditions for software use and provides details on payment forms that are supported.  The site offers malicious code that webmasters with criminal intent can use to infect visitors to their sites with a spyware Trojan horse.  In return for downloading the malware to their sites, Web site owners are promised at least €50—about $66 (U.S.)—every Monday, with the potential for even more for “clean installs” of the malicious code on end user systems.  As organized gangs increasingly turn to cybercrime, sites like the one described are coming to represent the new face of malware development and distribution, according to security researchers.  Unlike malicious code writers of the past who tended to distribute their code to a tight group of insiders or in underground newsgroups, the new breed is far more professional about how it hawks, plies and prices its wares, they said.  “We’ve been seeing a growth of highly organized managed exploit providers in non-extradition countries” over the past year or so, said Gunter Ollmann, director of security strategies at IBM’s Internet Security Systems X-Force team.  For subscriptions starting as low as $20 per month, such enterprises sell “fully managed exploit engines” that spyware distributors and spammers can use to infiltrate systems worldwide, he said.


Skype and Corporate Network Security

VoIP (Voice over Internet Protocol) technology is developing rapidly, and Skype is the most popular VoIP product on the market.  Skype allows users to reduce telephone charges significantly compared to traditional telephone networks, with no loss of connection quality.  A second advantage is ease of use.  Users worldwide are up and running in seconds: Simply install Skype and plug in a microphone.  That done, one can talk, exchange files, text messages and so on.  However, Skype take-up has gone beyond domestic users—it is also used on corporate networks.  This is not surprising when one considers how it significantly reduces the cost of long-distance and international calls and simplifies inter-office and person-to-person communications.  On top of that, the utility requires no administrator privileges to set up and use.  Employees can download Skype from the Internet for free and simply install it on their corporate workstations.  This gives rise to a new problem: The increased Information Security (IS) risk of Skype use in the corporate environment.  The issue of Skype and network security is pressing.  It is a widespread program which attracts the attention of both insiders and hackers alike.


Monday, April 02, 2007

IBM Internet Security Systems Extends Industry-Leading Preemptive Protection to Remote Segments of t

IBM announced it will extend its Internet Security Systems (ISS) intrusion prevention technology to remote segments of the network by adding a new, lower-cost product to the IBM Proventia® Network Intrusion Prevention System (IPS) family.  Through the addition of Proventia Network IPS GX3002, IBM will offer comprehensive, ahead-of-the-threat protection for a new layer of the enterprise network.


Sunday, April 01, 2007

VoIP Offers Cost Savings But Also Presents Security Risks

Banks are attracted to Voice over Internet protocol (VoIP) as an alternative to traditional telephone networks because of the potential cost savings, including elimination of long distance charges and the need for only one network to manage both voice and data.  According to the FDIC, VoIP is susceptible to the same risks as data networks that use the Internet, such as exposure to viruses, worms, Trojans and man-in-the-middle attacks.