admini – Page 126 – CyberSecurity Institute

Symantec Chief Says Cloud Security the Next Step

Posted on March 3, 2010December 30, 2021 by admini

Cyber attacks are shifting from being broad-based to being very targeted, Salem said.

Symantec’s 2010 State of Enterprise Security survey spoke with 2,100 CIOs and IT/security executives, and found 75 percent had been attacked in the last six months — and all of those had suffered some kind of data loss; it may have been intellectual property, financial or credit card data or the personal information of a customer.

Salem said that in 2008, Symantec added 1.6 million signatures to its antimalware software, more than it had in the prior 16 years combined.

Instead of efforts, such as signature-based malware detection, he talked up the concept of reputation-based security, an approach that leverages the knowledge of users around the world. Since adding reputation-based security to Norton 2009, Symantec has collected one billion reputation ratings and taken 177 billion reputation queries in the last six months.

http://www.esecurityplanet.com/features/article.php/3868161/Symantec-Chief-Says-Cloud-Security-the-Next-Step.htm

Crackdown on Mariposa: Botnet Infected 13 Million PCs

Posted on March 3, 2010December 30, 2021 by admini

Though security experts described the hacking trio as “relatively unskilled cyber criminals,” they managed to use Mariposa — the Spanish word for butterfly — to steal account login information for social media sites, online e-mail services, user names and passwords to banking accounts and credit card data by infiltrating more than 12.7 million compromised personal, corporate and government IP addresses in more than 190 countries.

Email Article Print Article Comment on this article Share Articles Digg del.icio.us Newsvine Facebook Google LinkedIn MySpace Reddit Slashdot StumbleUpon Technorati Twitter Windows Live YahooBuzz FriendFeed “Our preliminary analysis indicates that the botmasters did not have advanced hacking skills,” Pedro Bustamante, Panda Security’s senior research advisor, said in a blog posting detailing the attacks and subsequent investigation.

Related Articles Database Security Lacking at Financial Services Firms McAfee Fingers Microsoft IE Flaw in Google Attack Kneber Botnet Pierces 2,500 Organizations McAfee Finds Spike In Malware From China Investigators said the hackers attacked vulnerabilities in Microsoft’s Internet Explorer browser software to infect machines with the Mariposa bot client.

http://www.esecurityplanet.com/features/article.php/3868436/Crackdown-on-Mariposa-Botnet-Infected-13-Million-PCs.htm

State Of Application Security: Nearly 60 Percent Of Apps Fail First Security Test

Posted on March 2, 2010December 30, 2021 by admini

“The degree of failure to meet acceptable standards on first submission is astounding — and this is coming from folks who care enough to submit their software to our [application security testing] services,” says Roger Oberg, senior vice president of marketing for Veracode.

The data for Veracode’s State of Software Security Report comes from a combination of static, dynamic, and manual testing of all types of software across multiple programming languages — everything from non-Web and Web applications to components and shared libraries. Veracode tests commercial, internally developed, open-source, and outsourced applications, all of which were represented in its findings.

And nearly 90 percent of internally developed applications contained vulnerabilities in the SANS Top 25 and OWASP Top 10 lists of most common programming errors and flaws in the first round of tests, Oberg says.

Despite the relatively gloomy picture of developers still missing the mark initially on security, there were some bright spots in the report: Open-source software isn’t as risky as you’d think, and financial services organizations and government agencies tend to have more secure applications from the get-go; more than half of their apps passed as acceptable in the first submission to testing, according to Veracode’s report.

And it was the quickest to remediate any flaws: “It took about 30 days to remediate open-source software, and much longer for commercial and internal projects,” he says.

“There’s been intense focus on cross-site scripting, and there are lots of different libraries and utilities available to eliminate it, but it’s still extremely prevalent,” says Chris Eng, director of security research for Veracode. Eng says it’s likely due to a lack of education on how to quell XSS, plus it’s not uncommon to find 100 XSS bugs in one application.

http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=223100875&cid=RSSfeed

Verizon Offers Up Its Data Breach Framework

Posted on March 2, 2010December 30, 2021 by admini

“When our investigators are conducting a forensics investigation, they use this tool to collect, aggregate, analyze, and report… It becomes our data breach investigation report,” says Wade Baker, director of risk intelligence for Verizon Business.

Aside from offering a common format for reporting and sharing that data, the hope is that such a framework will facilitate and help organizations share breach information so investigators can find common threads among attacks and attackers, for instance.

VerIS — which is available today via a free download — can be used to supplement an organization’s existing methods for collecting attack data and analysis, or as a replacement.

Verizon’s Baker says half of all incidents his firm has investigated during the past couple of years have been related in some way.

http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=223100886&cid=RSSfeed

Most Enterprises Worldwide Hit by Cyber Attack in 2009

Posted on February 24, 2010December 30, 2021 by admini

Respondents on average said they were exploring 19 different IT standards or frameworks to protect their networks and were currently employing at least eight of them.

But IT managers said they are understaffed in key areas, with network security (44 percent), messaging security (39 percent) identified as groups that remain woefully understaffed.

Hacker countermeasures Last week, NetWitness, a Virginia-based computer security firm, disclosed that organized hackers had broken into the computers of 2,411 companies and government agencies over the past 18 months.

In January, senior executives at Exxon Mobile (NYSE: XOM), ConocoPhillips (NYSE: COP) and Marathon Oil (NYSE: MRO) confirmed that they were targeted by an extremely aggressive malware campaign attack in 2008 designed to steal key proprietary data — including multi-million-dollar research to locate the next great oil or natural gas discovery.

http://www.esecurityplanet.com/features/article.php/3866866/Most-Enterprises-Worldwide-Hit-by-Cyber-Attack-in-2009.htm

FTC warns 100 organisations over leaked P2P data

Posted on February 23, 2010December 30, 2021 by admini

The leaked data — including customer and employee personal information — was left open to download after workers in the affected organisations decided to download content at work without really understanding what they were doing.

The offending organisations included schools, local governments, private corporations and small businesses.

The FTC issued a statement on this action, which is hopes will act as a wider warning against a real risk.

http://www.theregister.co.uk/2010/02/23/p2p_data_leak_warning/