CyberSecurity Institute

“Our research indicates that the majority of organizations tend to think about security solely in terms of technological solutions and not procedure,” says Joe Greene, vice president of IDC Canada.

That’s perhaps a common enough refrain that enterprise network managers can say they’ve heard it all before. The problem is that, for all its repetition, the message doesn’t always seem to get through, and Greene says that’s probably because you can see and touch the results of capital expenditures. But things you can’t buy, like solid procedures, processes and good sense, are ultimately intangible.

“There’s got to be someone’s time involved, and in realistic terms that costs money,” Greene says, “But you see organizations that invest in an anti-virus solution and think ‘okay, we’re fine now.’ The investment itself won’t go very far unless you follow it up, not so much with further investments in products and solutions, but with procedures.”

Indeed, maintaining a safe network is as much a question of using existing assets as of acquiring new ones. And ensure you have the proper controls in place to make sure things are happening.”

Spyware and adware would not be so much of a problem if users could be made aware of the perils of clicking through the link on that tempting fishing message or downloading allegedly “free” software that, in fact, installs a battery of resource-hogging nasties on company systems.

For the IT department, eternal vigilance is the price of network security. Some of these things are no-brainers, particularly when it comes to defending against malicious network-borne code like viruses and worms.

On the other hand, it’s easy to slip into a complacent, false sense of security when there haven’t been recently any headline-grabbing worm and virus scares like Blaster and Slammer. However, the risks are so great and the costs so low that Greene says it’s important to institute processes that keep IT staff and the enterprise as a whole at a state of readiness.

“It requires constant vigilance to make sure that employees are aware of the dangers, and to be prepared to deal with problems as soon as they emerge,” he says. There are fewer no-brainers, but Greene says that the same vigilant mindset can go a long way to prevent the worst excesses of the on-line criminal element.

At the end of the day, the best security is a product of the kind of thing that money can’t buy: attention to detail, a willingness to keep systems maintained and a mindset that hopes for the best by preparing for the worst. It’s just common sense, Greene says, but the problem with that is that common sense isn’t always that common.

http://www.networkingpipeline.com/164300859

According to the Anti-Phishing Working Group (APWG), a collection of over 1,400 companies, banks, ISPs, and government agencies, April saw a large increase in the number of credit unions targets by phishers. Both relatively large regional credit unions to niche institutions that serve narrow groups of workers were targeted, said the APWG. “Hackers are modifying their attack methods by shifting away from attacking popular or large institutions,” said the APWG in its report.

Other trends in April, said the APWG, included a slight decline in the number of phishing e-mails — it dropped about 4 percent from March’s tally — and a 1.6 fall in the number of phishing Web sites.

There’s also evidence that phishers are cooperating, said the APWG, which noticed several occasions in April when multiple attacks were launched simultaneously at the same target.

“This points to a common root, or — at least — some interconnection and organization among phishers,” concluded the report.

April’s report can be downloaded in PDF format from the APWG Web site.

http://www.techweb.com/wire/security/164300203