TechJournal South

Archive for the ‘Security’ Category

Heartbleed: is it really that bad? Does this have to keep happening?

Thursday, April 10th, 2014

By Allan Maurer

UPDATED! ATLANTA – If you haven’t heard about the nasty Internet bug dubbed “Heartbleed” by now, you should immediately find out about it because you probably need to take action. So do IT administrators, likely in a time-consuming job that has to be done by hand, says Adam Allred of the Georgia Tech Information Security Center (GTISC) in Atlanta.

In brief, a major security flaw in the encryption software used by many web sites – including Gmail, Yahoo, Tumblr, and many others – means hackers potentially had or have access to users’ personal information, which may include credit card numbers, log-in passwords, and more.

It also means you’ll probably have to change some passwords to be safe. Experts say change your Yahoo password right away, as well as your Gmail password, although both services have since patched the problem.

Amazon, Evernote, Microsoft, and others were not affected. Mashable published this “Heartbleed Hit List” of which sites were affected and which passwords you may need to change.

Reports this morning (Friday, 4/11/2014) say the bug is also in Cisco and Juniper Networks routers, firewalls and networking equipment used by many businesses. The necessary fixes could be lengthy, and one source says, “A trip to the trash can and Best Buy.”

Allred says the question he’s been asked most today as a computer security expert is “How important is it really? Is it really that bad?” What makes it so important?

We’ve gotten used to these security breaches cropping up almost daily, but this one really is different, Allred tells the TechJournal. Why?

“Because,” he says, “it’s logistically difficult. People have to do more work by hand to get the problem solved; patching alone is not enough.”

Also, and probably the scary part, is that the flaw in OpenSSL allows the theft of private keys, Allred says. They can be exposed anonymously, with the user none the wiser until consequences show up. Attackers can do this via just this one exploit, which makes it worse, he adds.

“On many servers that used OpenSSL today, if you can obtain the private key, you can use it to decrypt any information ever encrypted on that server.” Yikes!

Does this have to keep going on? These terrible security breaches affect not just millions of people but, in this case, almost anyone using the Internet. There is a security process that would prevent this particular sort of problem.

That’s “Perfect Forward Secrecy.” It uses a temporary set of keys for each user session. A hacker might conceivably obtain one key, but it wouldn’t work on everything ever encrypted and would only affect that one session, not every user who came along in the past.

“It’s already found in many modern browsers. Firefox, Chrome and Explorer all have the capability. It’s relatively new in encryption and requires changes on the server side. But there are already concepts and ideas that would help. We just have to turn it on everywhere.”
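To make that difference concrete, here is an added Python example (not code from the article, from GTISC or from OpenSSL). It contrasts a session keyed directly from the server’s long-term key with one keyed from a fresh per-session Diffie-Hellman value, then shows what a recorder of the traffic can do once the long-term private key leaks. The DH group, the HMAC used as a stand-in for the server’s signature, and the key sizes are assumptions made for illustration, not real TLS parameters.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only. Real deployments use a
# standard group (RFC 7919 finite-field groups or an elliptic curve such as X25519).
P = 2**255 - 19
G = 2


def dh_keypair():
    """Return (private exponent, public value) for one Diffie-Hellman party."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_session_key(priv, peer_pub):
    """Session key = SHA-256 of the shared Diffie-Hellman secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def session_without_pfs(server_priv, server_pub):
    """No forward secrecy: every session is keyed against the server's long-term key pair.
    Returns the session key and what a passive recorder on the wire captured."""
    client_priv, client_pub = dh_keypair()
    key = derive_session_key(client_priv, server_pub)
    return key, {"client_pub": client_pub}


def session_with_pfs(server_priv):
    """Forward secrecy: the server makes a fresh ephemeral key pair for this session and uses its
    long-term key only to authenticate that ephemeral public value. The ephemeral private key is
    dropped when this function returns, so it cannot be stolen later."""
    eph_priv, eph_pub = dh_keypair()
    # HMAC over the ephemeral public value is a toy stand-in for the server's signature (assumption).
    tag = hmac.new(server_priv.to_bytes(32, "big"), eph_pub.to_bytes(32, "big"), "sha256").digest()
    client_priv, client_pub = dh_keypair()
    key = derive_session_key(client_priv, eph_pub)  # the server computes the same from eph_priv, client_pub
    return key, {"client_pub": client_pub, "server_eph_pub": eph_pub, "auth_tag": tag}


def recover_with_leaked_key(leaked_server_priv, transcript):
    """What an attacker can do after the long-term private key leaks (the Heartbleed scenario):
    combine it with the client public value recorded earlier."""
    return derive_session_key(leaked_server_priv, transcript["client_pub"])


def demo():
    """Run one session of each kind, then leak the long-term key and try to decrypt both."""
    server_priv, server_pub = dh_keypair()
    key_plain, tx_plain = session_without_pfs(server_priv, server_pub)
    key_pfs, tx_pfs = session_with_pfs(server_priv)
    plain_decrypted = recover_with_leaked_key(server_priv, tx_plain) == key_plain
    pfs_decrypted = recover_with_leaked_key(server_priv, tx_pfs) == key_pfs
    return plain_decrypted, pfs_decrypted


if __name__ == "__main__":
    print("recorded session decrypted with leaked key: no-PFS=%s, PFS=%s" % demo())
```

The recorded no-PFS session opens with the leaked key because that key took part in the key agreement itself; the PFS session does not, because its only secret ingredient was an ephemeral exponent that no longer exists anywhere. That is exactly the “only one session, not everything ever encrypted” property Allred describes.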

In general, though, coming up with a “forever solution” is unlikely, “and whoever is able to write that solution will be a very popular and rich person.”

Forbes had this to say on Heartbleed: “Avoiding Heartbleed Hype.”

If you want to avoid hype and hear the real deal from digital thought-leaders from brands including Google, Bing, Yahoo, and Huffington Post, but also tech icons such as Apple co-founder Steve Wozniak, check out the Digital Summit Atlanta, May 20-21.

A new cybercrime technique aims at businesses

Tuesday, August 6th, 2013

So what’s next on the cybercrime front? Persistent spear phishing, say researchers.

The American public and businesses today are under a constant, ever-growing threat of attack from cybercriminals attacking as many people and businesses as quickly as possible in order to access large amounts of sensitive information.

In the first half of 2012 alone, there was an average of almost 33,000 phishing attacks per month, with an estimated worldwide loss of nearly $700,000,000 from phishing scams alone (1). Internet security awareness training firm KnowBe4 has long spoken out about the rise of cybercrime, and is now predicting an unprecedented level of hacking—persistent spear phishing.

Usually conducted by criminals

Spear phishing consists of a phony, but authentic-looking, e-mail designed to target a particular individual or organization, in an attempt to “fish” out valuable information for financial, business or military gain.

It differs from traditional phishing attacks in that it is not typically initiated by indiscriminate hackers, but rather is more likely to be conducted by criminals out for financial gain, trade secrets or military information.

Recent government inspired cyber attacks on US businesses, organizations and government entities reportedly used this technique successfully.

KnowBe4 founder Stu Sjouwerman says that criminals are now becoming relentless in their attempts, and will continuously attack the same target until they get the information they seek, an act he has coined persistent spear phishing. And these attacks, per Sjouwerman, leave both businesses and the general public at risk of being targeted:

  • 45% of banks have seen an increase in spear phishing attacks targeting employees over the last year;
  • Criminals target consumers by relying on personal information collected from public posts on social media sites and blogs, as well as with data collected from other breaches, to make the fraudulent e-mails appear legitimate.  They ultimately convince consumers to click links that take them to spoofed sites which contain malware, or to provide login usernames and passwords that allow the attackers to compromise online banking accounts (2).

“Spear phishing creates a domino effect—once a business has been infiltrated, a hacker potentially has access to everything,” said Sjouwerman. “At that point, all the company can do is attempt to halt the attack and recover any stolen information. But the best bet is to prevent these incidents from occurring in the first place.”

Avoid Becoming a Spear Phishing Victim

Sjouwerman insists that businesses and the public can limit their risk of falling victim to persistent spear phishing attempts by remembering the following:

  • Be wary of e-mails that appear to be genuine but redirect to strange or unknown links.
  • Never click a link to a website contained within an e-mail—always enter the URL manually instead or through a bookmark.
  • Legitimate businesses will never request personal information via e-mail.  Never reply to an e-mail providing any sensitive information—if in doubt, contact the business directly using a verified telephone number.
  • Keep the Operating System, third party applications, firewalls and antivirus software constantly updated.  Many browsers come with phishing filters, and these should be enabled for better protection against attacks.
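The first two points above come down to one question: does the link actually go where it appears to go? The following is an added Python example (not KnowBe4’s software or anything from the article) of the check a mail filter or an awareness tool can run over an HTML message before a person has to decide. The message body, the bank name and the set of domains the sender is known to use are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a message styled as a bank notice. The first link shows one address but
# points at another; the last one points at a bare IP address outside the bank's domains.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account at
<a href="http://login.example-bank.com.verify-now.test/">https://www.example-bank.com/login</a>
or read our <a href="https://www.example-bank.com/help">help pages</a>.
<a href="http://203.0.113.5/u">Unsubscribe</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.example.com' style text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def base_domain(host):
    """Last two labels of a hostname. This is a toy approximation of the registrable domain;
    production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def find_suspicious_links(html, expected_domains):
    """Return (visible_text, href, reason) for links that deserve a second look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if not href_host:
            continue
        looks_like_url = "://" in text or text.lower().startswith("www.")
        if looks_like_url and base_domain(host_of(text)) != base_domain(href_host):
            findings.append((text, href, "visible address and real destination differ"))
        elif base_domain(href_host) not in expected_domains:
            findings.append((text, href, "destination outside the sender's known domains"))
    return findings


if __name__ == "__main__":
    for text, href, reason in find_suspicious_links(SAMPLE_EMAIL_HTML, {"example-bank.com"}):
        print(f"{reason}: '{text}' -> {href}")
```

The first rule catches the classic display-text trick; the second catches links that are not lying about their destination but still lead off the sender’s own domains, which is what “always enter the URL manually” protects against.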

Employee awareness training may help

In addition to the above tactics, Sjouwerman suggests that business owners consider educational resources for employees.

“For business owners looking to introduce security awareness training programs, engaging employees with an actual encounter of being spear-phished by sending out mock spear phishing e-mails is often an effective measure,” said Sjouwerman.

“Imitated persistent spear phishing e-mails present a memorable and highly relevant experience to employees, and also train them to properly react when a spear phishing attempt arrives in their inbox. Employee education and heightened awareness are more important than ever.”

KnowBe4 provides an extensive collection of free cybercrime education resources so that executives and system administrators can arm themselves and their staff against cyberattacks. The company also offers a free phishing security test to help business owners and managers determine what percentage of employees are Phish-prone™, or susceptible to phishing attacks.

For more information, visit KnowBe4 online.

1.   “Phishing in Season:  A Look at Online Fraud in 2012.”  RSA FraudAction Research Labs, n.d.  Web.  19 Feb. 2013.

2.   Kitten, Tracey.  “FBI Warns of Spear-Phishing Attacks.”  Bank Info Security, 02 July 2013.  Web.  25 July 2013.

Enterprises over confident about the security of their networks

Monday, August 5th, 2013

This is scary, but it’s no wonder Chinese and other hackers are so successful at breaking and entering enterprise networks.

Lancope, Inc., a leader in network visibility and security intelligence, has released a survey indicating that many enterprises possess an unrealistic confidence surrounding the security of their networks. According to the survey, more than 65 percent of IT/security professionals did not think, or were unsure whether, they had experienced any security incidents within the last 12-18 months.

While we can understand confidence if it is deserved, we question how much confidence they should have if they don’t know or are unsure whether they have had a break-in.

According to Lancope’s director of security research, Tom Cross, such confidence is unlikely to be justified. “Any system you connect to the Internet is going to be targeted by attackers very quickly thereafter,” he said. “I would assert that if you’re unsure whether or not your organization has had a security incident, the chances are very high that the answer is yes.”

A third think security violations did not affect them

The survey also revealed that 38 percent believe recent security incidents had no impact on their organization. According to Cross, “even the most basic malware infection has some financial cost to the organization, even if it’s just the cost to clean infected machines. Not to mention the additional serious consequences that can result from a breach, including data loss, customer distrust, regulatory fines and many others.”

We’ve had our own problems with the explosion of malware attacks at the TechJournal and controlled it only via continual pro-active effort. Those attacks can cripple your SEO and harm your reputation.

Nearly 18 percent of respondents did admit to recently suffering from malware, and 16 percent said they had been the victim of distributed denial-of-service (DDoS) attacks. It is possible that many of these organizations have also suffered from other, more stealthy attacks and are just not aware. Insider threats, for example, can be difficult to detect because attackers have authorized access to the data they are looking to steal. Advanced, external attackers can also fly under the radar by constructing attacks that are likely to evade commonplace network security solutions.

Organizations were more realistic when evaluating the potential risk of insider threats to their infrastructure, with 32 percent naming it as one of the greatest risks. However, this concern was far overshadowed by fears associated with BYOD and mobile devices, coming in at over 50 percent. Because traditional security strategies cannot be easily applied to employee-owned assets, enterprise security professionals suffer from a lack of network visibility when it comes to mobile devices. This blind spot is obvious; but what about the blind spots that organizations don’t realize they have?

Areas of blind spots within the typical enterprise are many, including applications, network traffic, network devices, user activity, virtualized appliances and data centers, to name a few. Lancope was encouraged to also see “lack of visibility” top the list of greatest risks identified by survey participants, as well as “monitoring user activity” designated as a key challenge. Technologies like NetFlow can provide the much-needed visibility that many organizations currently lack.
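What “visibility from NetFlow” buys a defender is the ability to ask simple questions of the traffic that the stealthy attacks described above cannot avoid generating. The following is an added Python example (not Lancope’s product or anything from the survey) that runs two such questions over a handful of constructed flow records: which internal host pushed an unusual volume of data to one outside address, and which internal host contacts an outside address on a metronome-like schedule. The record format, the 10.0.0.0/8 internal range and the thresholds are assumptions for the example.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample of flow records (NetFlow-style, reduced to the fields used here).
# Fields: start_seconds,src_ip,dst_ip,dst_port,bytes
SAMPLE_FLOWS = """\
0,10.0.1.15,10.0.2.5,445,20480
5,10.0.1.15,10.0.2.5,445,18000
60,10.0.1.23,198.51.100.7,443,1200
120,10.0.1.23,198.51.100.7,443,1150
180,10.0.1.23,198.51.100.7,443,1300
240,10.0.1.23,198.51.100.7,443,1210
300,10.0.1.23,198.51.100.7,443,1180
90,10.0.1.15,203.0.113.9,443,52428800
100,10.0.1.40,198.51.100.22,443,4096
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed address plan for the sample


def parse_flows(text):
    """Parse the comma-separated flow export into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        t, src, dst, port, nbytes = line.split(",")
        flows.append({"t": int(t), "src": src, "dst": dst, "dport": int(port), "bytes": int(nbytes)})
    return flows


def is_egress(flow):
    """True for traffic from an internal address to an external one."""
    return (ipaddress.ip_address(flow["src"]) in INTERNAL
            and ipaddress.ip_address(flow["dst"]) not in INTERNAL)


def find_large_uploads(flows, threshold_bytes=10 * 1024 * 1024):
    """Internal hosts that pushed at least threshold_bytes to a single external host."""
    totals = defaultdict(int)
    for f in flows:
        if is_egress(f):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return sorted(pair for pair, total in totals.items() if total >= threshold_bytes)


def find_beacons(flows, min_flows=5, max_jitter=0.1):
    """Internal->external (src, dst, port) tuples contacted repeatedly at near-constant intervals,
    the timing signature of software checking in with a controller. Returns the mean interval too."""
    times = defaultdict(list)
    for f in flows:
        if is_egress(f):
            times[(f["src"], f["dst"], f["dport"])].append(f["t"])
    beacons = []
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= max_jitter:
            beacons.append(key + (float(mean_gap),))
    return beacons


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("large uploads:", find_large_uploads(flows))
    print("beacons:", find_beacons(flows))
```

Neither check needs a signature for the attack; the first is how an insider copying data out of the building shows up, and the second is how a compromised machine shows up even when its traffic is encrypted and passes the perimeter firewall.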

“Organizations need to make sure that, when faced with the inevitable, they can identify an incident as quickly as possible,” said Cross. “With new attacks making headlines on a nearly weekly basis, it’s time for organizations to take a more strategic, holistic approach when it comes to network security.”

To access the full Lancope survey, go to:

Managing app connectivity the top firewall challenge

Wednesday, June 12th, 2013

Managing application connectivity has become the number one firewall management challenge, according to a recent Tufin Technologies survey.

This survey, conducted in April at InfoSecurity, was designed to get a better understanding of the problem. 105 IT professionals, ranging from network administrators to CIOs, reported that network security teams deploy applications based on incomplete or inaccurate connectivity data, resulting in delays, downtime, and unnecessary risk and compliance exposure.

Application Connectivity Challenges:  A Quick Overview

  • 1/3 of the sample report their organization has more than 500 applications, 74% report they will be deploying up to 100 new applications this year.
  • There is little standardization as to how organizations structure Application Connectivity processes.  Network Operations teams work mainly with Application Owners (30%), but other Application Connectivity stakeholders include App Developers (26%), other network engineers (16%), or any variety of other parties such as a consultant,  a VAR, the application vendor or an MSP (29%).
  • When it comes to determining connectivity requirements, 72% report they are given a list of ports to open. 19% look it up on the Internet, 13% look at logs, and 9% rely on trial and error.

Impact on Business Agility

  • 55% report that applications are not deployed correctly the first time, mainly (67%) due to incorrect or missing connectivity data.
  • 1/3 report the Service Level Agreement (SLA) for application-related firewall changes is a week or more; 81% believe it should be between 1-3 days.
  • When asked what would enable a faster SLA, 1/3 cited more accurate information from application owners, 26% said knowing what ports to open, and 24% said faster risk/compliance approvals.
Impact on Security and Compliance

  • Administrators often have no insight into why a rule was created.  41% either use the (limited) firewall comments field or rule base sections to document the business justification for a rule.  13% don’t document at all.
  • 40% are not notified when an application is decommissioned.
  • 30% take a “best effort” approach to remove unneeded connections when an application is decommissioned.  1/6 of respondents do nothing to decommission applications.
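The three findings above describe rules whose reason for existing is unrecorded, rules that outlive the application they were opened for, and decommissioning done on a best-effort basis. The following is an added Python example (not Tufin’s product or anything from the survey) of the periodic audit that turns those gaps into a work list: each rule is linked to an application record and a last-hit date, and the audit flags anything undocumented, orphaned, idle or overly broad. The rule base, the application inventory and the 90-day idle threshold are constructed for the example; the audit date is the article’s own date.

```python
from datetime import date

# Constructed sample rule base and application inventory (not from Tufin or the survey).
RULES = [
    {"id": 1, "src": "10.1.0.0/24", "dst": "10.2.0.10", "port": 443, "app": "crm",
     "justification": "CRM web tier to app tier", "last_hit": date(2013, 6, 1)},
    {"id": 2, "src": "10.1.0.0/24", "dst": "10.2.0.11", "port": 1433, "app": "legacy-reports",
     "justification": "", "last_hit": date(2012, 11, 3)},
    {"id": 3, "src": "any", "dst": "10.2.0.12", "port": 22, "app": "",
     "justification": "", "last_hit": None},
    {"id": 4, "src": "10.3.0.0/24", "dst": "10.2.0.13", "port": 8080, "app": "hr-portal",
     "justification": "HR portal users to portal", "last_hit": date(2013, 5, 20)},
]
APPLICATIONS = {"crm": "active", "legacy-reports": "decommissioned", "hr-portal": "active"}
AUDIT_DATE = date(2013, 6, 12)  # used as "today" for the sample


def review_rules(rules, applications, today, stale_after_days=90):
    """Map rule id -> list of reasons the rule needs an owner's attention."""
    findings = {}
    for rule in rules:
        reasons = []
        if not rule["justification"]:
            reasons.append("no business justification recorded")
        if not rule["app"]:
            reasons.append("not linked to any application")
        else:
            status = applications.get(rule["app"], "unknown")
            if status != "active":
                reasons.append(f"application '{rule['app']}' is {status}")
        if rule["last_hit"] is None or (today - rule["last_hit"]).days > stale_after_days:
            reasons.append(f"no matching traffic in the last {stale_after_days} days")
        if rule["src"] == "any":
            reasons.append("source 'any' is broader than an application needs")
        if reasons:
            findings[rule["id"]] = reasons
    return findings


if __name__ == "__main__":
    for rule_id, reasons in sorted(review_rules(RULES, APPLICATIONS, AUDIT_DATE).items()):
        print(f"rule {rule_id}: " + "; ".join(reasons))
```

The link from rule to application is the piece most of the surveyed teams lack: with it, decommissioning an application becomes a query over the rule base rather than a guess about which connections are still needed.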

“This survey highlights the fact that security engineers are having to adopt new processes on the fly – processes that require them to interact with a new set of stakeholders,” said Reuven Harrison, CTO, Tufin.

“As a result they are not just changing who they work with but how they work. Anyone who has experienced this kind of change knows it is not easy.”

Free app helps protect mobile devices against loss or theft

Tuesday, June 11th, 2013

People have said they would rather give up sex than lose their smartphone, and we know folks equally attached to a tablet computer. So a new app from McAfee and Intel that offers protection against loss or theft of mobile devices may do well.

The app’s feature, called Smart Perimeter, guards against loss or theft by creating a perimeter that allows devices to track each other, and alerts the user immediately when their Android smartphone or tablet moves out of the pre-defined range created among devices.

The Smart Perimeter feature, created jointly by Intel and McAfee, solves challenges associated with multi-device growth.

The McAfee Mobile Innovations app is a free application that is available today in the Google Play marketplace.

According to recent research, 60% of US consumers own a smartphone and 39% own a tablet, and half of consumers say they would rather lose their purse or wallet than their smartphone. Despite that fact, a mere 20% of multiple device owners have security software on their smartphones and even fewer (13%) have security on their tablet.

“The McAfee Mobile Innovations app will help us to obtain users’ input on device and web security, as well as strengthen anti-theft and privacy measures to protect personal data,” said Lianne Caetano, director of consumer mobile product marketing at McAfee.

The suite of capabilities in McAfee Mobile Innovations app today addresses a variety of threats to users on mobile devices. Features include:

  • Smart Perimeter – Prevents theft or loss of consumer devices by creating a perimeter that enables devices to track each other and alerts the user immediately. By linking multiple devices together, users are alerted by an alarm when the devices are separated by more than 30 feet, helping consumers to quickly identify and recover them.
  • Safe QR Code Reader – Ensures QR codes are safe for browsing and alerts users of malicious codes at the point of scanning.
  • Data Vault – PIN-protects private photos, videos and documents from prying eyes, locally on devices (Note: the app user will be prompted to download McAfee Mobile Security to use the data vault feature – no purchase is required).

The McAfee Mobile Innovations features are currently in public beta in English and will allow users to test and provide feedback via email or community forum to the McAfee Mobile Security team in order to shape and enhance future versions of the app.

Most businesses had a costly mobile security incident

Thursday, June 6th, 2013

The majority of businesses (79%) had a mobile security incident in the past year, and the costs are substantial. The new report found mobile security incidents tallied up to over six figures for 42 percent of businesses, including 16 percent who put the cost at more than $500,000.

From smartphones to tablets, mobile devices continue to cause ongoing concern for IT teams responsible for information security. Sensitive corporate information can be easily transported, leaked, or lost while the Bring Your Own Device (BYOD) movement has dramatically increased the number of expensive security incidents.

Even so, corporate information, including sensitive customer information, is increasingly stored on personal mobile devices and not managed by corporate IT.

Based on a survey of nearly 800 IT professionals, the report quantifies the dramatic growth of BYOD, exposes the frequency and cost of mobile security incidents, and identifies the main challenges faced by businesses of all sizes.

Key findings include:

  • Surge in Personal Mobile Devices Connecting to the Corporate Network – Among companies that allow personal mobile devices, 96 percent say the number of personal devices connecting to their corporate networks is growing, and 45 percent have more than five times as many personal mobile devices as they had two years ago.
  • Mobile Security Incidents Common and Costly for Businesses Large and Small – More than half (52%) of large businesses report mobile security incidents have amounted to more than $500,000 in the past year. Even for 45 percent of SMBs with less than 1000 employees, mobile security incidents exceeded $100,000 in the past year.
  • Mobile Platform with the Greatest Perceived Security Risks – Android was cited by 49 percent of businesses as the platform with the greatest perceived security risk (up from 30 percent last year), compared to Apple, Windows Mobile, and Blackberry.
  • Corporate Information Not Managed on Mobile Devices – Despite costly mobile incidents, 63 percent of businesses do not manage corporate information on personal devices, and 93 percent face challenges adopting BYOD policies.
  • More Mobile Devices Store Sensitive Customer Information – More than half (53%) of all businesses surveyed report there is sensitive customer information on mobile devices, up from 47 percent last year.

“Without question, the explosion of BYOD, mobile apps, and cloud services, has created a herculean task to protect corporate information for businesses both large and small,” said Tomer Teller, security evangelist and researcher at Check Point Software Technologies.

“An effective mobile security strategy will focus on protecting corporate information on the multitude of devices and implementing proper secure access controls to information and applications on the go. Equally important is educating employees about best practices, as the majority of businesses are more concerned with careless employees than cybercriminals.”

For a full copy of the new report, The Impact of Mobile Devices on Information Security, please visit:

Almost 90 percent of organizations worried about file sharing

Wednesday, June 5th, 2013

Research shows widespread concern about how to maintain control of files as information security and privacy regulations tighten, fueling a rush to block access to consumer file sharing applications like Dropbox and YouSendIt, says Intralinks Holdings Inc. (NYSE: IL), a global SaaS provider of content management and collaboration solutions.

The research was reviewed by Hurwitz & Associates and leveraged for the firm’s whitepaper titled, “Enterprise Collaboration: Avoiding the Productivity and Control Trade-Off.”

Marcia Kaufman, COO and Principal Analyst at Hurwitz & Associates, says, “There is widespread recognition that being able to collaborate effectively with partners and customers provides a competitive edge, but organizations are increasingly concerned about ensuring they also retain control over their data wherever it travels. Today, only 30% of organizations think they have adequate visibility and control over information shared outside their firewall.”

Key findings from the research include:

  • Employees are using consumer-grade file sharing without IT or business oversight. Many IT departments are not aware of the extent to which employees are sharing content using cloud tools designed for consumers. Across all the organizations included in one study, approximately 60% of employees are using consumer-grade tools for business, while 49% of organizations report attempting to block these services, clearly with limited success. This reality leaves organizations open to data leakage, inappropriate disclosures and regulatory risks.
  • The accidental mishandling of information and data happens every day. Most organizations focus on preventing malicious data theft and hacking. While this is critical, the reality is that the vast majority of data loss is the result of accidental mishandling and inappropriate sharing. For example, 80% of study participants reported receiving an email not intended for them, while 53% confess to making the same mistake. An astonishing 43% say these errors occur on a monthly basis.
  • Securing the perimeter and infrastructure does not ensure content security. Companies are moving to a more collaborative way of doing business, which results in an increased flow of data between parties both internal and external to an organization. Existing enterprise security strategies that provide security for data at rest are insufficient for sharing data that moves across corporate boundaries. Therefore, protection at the file level is needed in order to protect information wherever it travels.
  • Regulatory issues around content security are real and evolving. New, more onerous regulatory requirements are being introduced at increasing rates. With the proliferation of consumer-grade technologies entering enterprise environments, IT and compliance departments are having difficulty meeting these new requirements. Almost 90% of the organizations participating in the study expressed concerns about meeting future regulatory demands around information security in their industry, with 43% expecting they will need to change their existing policies.

How about you? Are you using consumer file-sharing tools such as Dropbox at work? What about other consumer tools such as Evernote? Both of those experienced serious data breaches once already, exposing personal passwords and potentially, the information in their files.

John Landy, CTO of Intralinks, said, “We have invested a lot of time talking to global businesses about their enterprise collaboration needs and how they can safely share information. The reality is most organizations have limited insight into what content is being shared, where it is being shared and who is sharing it. Companies need to strike that fine balance between usability and diligent control when evaluating their collaboration strategies.

“Based on the intelligence collected through these studies, this research paper advises businesses on best practice guidelines for implementing collaboration tools to ensure regulators are appeased, corporate IP is protected and employees remain productive.”

You can download a full copy of the whitepaper here.

Americans worried about data breaches, split on info sharing

Tuesday, June 4th, 2013

A majority of Americans are concerned about data breaches involving large organizations, but are evenly split on whether legislation should require private businesses to share cyber attack information with the government, according to new research conducted by Unisys Corporation (NYSE: UIS).

Results from the Unisys Security Index, which regularly surveys more than 1,000 Americans on various areas of security concern, showed high levels of concern about data breaches among Americans.

Respondents to the survey said they were most worried about data breaches hitting their banks and financial institutions, with two-thirds (67 percent) reporting concern.

Here at the TechJournal, we see weekly reports of companies, agencies and organizations suffering serious cyber intrusions, the theft of personal information, and high costs of repairing their security. The old saying that an ounce of prevention is worth a pound of cure seems applicable here.

Split on federal legislation

A majority of Americans surveyed also reported concern about data breaches involving government agencies (62 percent), health organizations (60 percent) and telecommunications and Internet service providers (59 percent).

Findings released last month from the same survey also showed most Americans harbor some level of concern about identity theft (83 percent) and credit card fraud (82 percent), both of which can arise from breaches at large organizations.

Despite these concerns, Americans polled were split on whether federal legislation to strengthen the country’s cybersecurity defenses should require organizations like banks, utilities and healthcare organizations to disclose breaches to the government.

Roughly half (48 percent) of respondents said they do not believe private businesses should be forced to disclose and share cyber attack intelligence, but a similar proportion (46 percent) said they think Congress should pass cybersecurity legislation mandating that the private sector share cyber-attack information with the government.

You have to wonder why people worry about having these security breaches disclosed. What are they hiding besides lax security?

Costs of breaches outweigh those of prevention

The poll was undertaken in March, via 1,006 telephone interviews, approximately a month before the controversial Cyber Intelligence Sharing and Protection Act (CISPA) was passed by the United States House of Representatives. CISPA is not expected to be considered by the Senate this year, and many point to a lack of consensus on its information-sharing requirements as the reason.

“Americans clearly see a need for stronger methods to prevent cyberattacks, and many see a natural role for government in that process, but they differ on precisely how government and the private sector should interact in that regard,” said Steve Vinsik, vice president of enterprise security for Unisys.

“Regardless of where the legislation ends up, businesses and government agencies need to realize that the costs of breaches far outweigh those of prevention – and that Americans are paying close attention.”

They should be paying close attention. We don’t know anyone with digital segments in their business who has not had to deal with security problems and we know few private individuals who have not had to replace credit cards and change passwords due to these continuing security troubles.

Social media worm returns, spam rises dramatically

Monday, June 3rd, 2013

A significant spike in instances of the Koobface social networking worm and a dramatic increase in spam, among other security threats, are reported in the McAfee Threats Report: First Quarter 2013.

McAfee Labs also saw continued increases in the number and complexity of targeted threats, including information-gathering Trojans and threats targeting systems’ master boot records (MBRs).

McAfee Labs found almost three times as many samples of Koobface as were seen in the previous quarter, which is a high point for the social networking worm that targets Facebook, Twitter and other social networking service users. After three years of stagnation, spam email volume rose dramatically.

Stock pump and dump campaigns

One significant element behind this growth in North America was the return of “pump and dump” spam campaigns, which targeted would-be investors hoping to capitalize on all-time equity market highs. The McAfee Labs report showed the continued increases in Android malware, malicious web URLs and overall malware samples.

But the increase in the number and sophistication of targeted advanced persistent threats (APTs) represented the most notable evolution in the threat landscape, as information becomes as valuable as money on the cybercrime landscape.

The report found a 30 percent increase in MBR-related malware and new instances of password-stealing Trojans being repurposed to capture information on individuals and organizations beyond the financial services industry.

“Cybercriminals have come to appreciate that sensitive personal and organizational information are the currency of their ‘hacker economy,’” said Vincent Weafer, senior vice president, McAfee Labs.

Koobface returns

“The resurrection of Koobface reminds us that social networks continue to present a substantial opportunity for intercepting personal information. Within the enterprise, we see password-stealing Trojans evolving to become information-gathering tools for cyber-espionage attacks. Whether they target login credentials or intellectual property and trade secrets, highly-targeted attacks are achieving new levels of sophistication.”

Each quarter, the McAfee Labs team of more than 500 multidisciplinary researchers in 30 countries monitors the global threat landscape, identifying application vulnerabilities, analyzing and correlating risks, and enabling instant remediation to protect enterprises and the public. This quarter, McAfee Labs identified the following developments:

  • Koobface Trojan. Koobface, a worm first discovered in 2008, had been relatively flat for the last year yet it tripled in the first quarter of 2013 to levels never previously seen. The resurgence demonstrates that the cybercriminal community believes that social network users constitute a very target-rich environment of potential victims.
  • Spam Volume. McAfee Labs found the first increase in global spam volume in more than three years. In addition to popular “pump and dump” scams, a surge in growth hormone offers and an escalation of spam campaigns in emerging markets accounted for category growth.
  • Targeted Espionage. McAfee’s latest analysis of the Citadel Trojan found that criminals have re-purposed the bank account threat to steal personal information from narrowly targeted victims within organizations beyond financial services. The industry should expect to see more instances of banking malware used for cyber-espionage operations within non-financial and government organizations.
  • MBR Attacks. The 30 percent increase in Q1 MBR-related threats included instances of StealthMBR, TDSS, Cidox, and Shamoon malware. Key to performing startup operations, MBRs offer an attacker a wide variety of system control, persistence, and deep penetration capabilities. The category has set record highs over the last two quarters.
  • Malicious URLs. The number of suspicious URLs increased 12 percent as cybercriminals continued their movement away from botnets as the primary distribution mechanism for malware. Malicious websites launching “drive-by downloads” have the notable advantage of being more nimble and less susceptible to law enforcement takedowns.
  • Mobile Malware. While the growth of mobile malware declined slightly during the quarter, Android malware still managed to increase by 40 percent.
  • PC Malware. New PC malware samples increased 28 percent, adding 14 million new samples to McAfee’s malware “zoo” of more than 120 million unique malware threats.

To read the full McAfee Threats Report: First Quarter 2013, please visit

Mobile app developers can no longer ignore security

Friday, May 31st, 2013

Risky applications and business applications are being used side-by-side on devices owned by employees that are used for work, according to a survey on Mobile Application Security conducted during April and May 2013 by the SANS Institute and sponsored by Box, SAP and Veracode.

Nearly 80% of the 600 survey respondents who completed the substantive sections of the survey allowed communications and collaborative apps on personal mobile devices; nearly 60% of those also allow general Internet apps (such as web browsing and media file sharing), while another 44% allow VPN access from BYOD and 26% allow access directly to business systems.

Four percent of the respondents answered that personal mobile devices are also accessing control system applications, while another 8 percent are allowing access to field service applications.

Here at the TechJournal, we see a new report looking at the Bring Your Own Device problems companies are experiencing just about daily.

BYOD should raise huge red flags

“Personal mobile device access to critical business and infrastructure systems should raise huge red flags to organizations thinking that their only concern will be e-mail on employee-owned smartphones, pads and tablets,” says Deb Radcliff, chief of the SANS Analyst Program, which developed the report. “Meanwhile, the means to protect access, applications and data are more difficult to develop and unify in mobile BYOD computing.”

For example, providing a unified identity management framework was both the least practiced and the most difficult to achieve, according to respondents. They are also trying to discern which tools and techniques make the best sense in protecting their networks and data from BYOD risks.

Securing devices and the mobile platforms was the top method of protection being implemented by 66% of respondents, with application lifecycle management being practiced by only 36% of organizations.

Repeating past mistakes

“Mobile application development seems to be repeating many of the mistakes from the past,” says Kevin Johnson, SANS Analyst and author of the report. “And these weaknesses need to be resolved due to the sensitive nature of the data on the devices.”

Of those 253 survey takers that also develop applications, the majority build web-based applications, with 32% of developers saying they also developed line-of-business applications. The good news is that nearly 60% of them indicated they had application security lifecycle processes embedded in their development and testing cycles.

“The prominent use of mobile devices together with cloud computing have even greater potential to expose critical information than in the past,” adds Barbara Filkins, SANS Analyst consulting on this survey. “Mobile application development can no longer afford to ignore security best practices.”

Full results will be shared during a June 6 webcast at 1 PM EDT, sponsored by Box, SAP and Veracode, and hosted by SANS. Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and mobility expert Kevin Johnson.

Packet capture tech helps networks detect hacker tracks

Thursday, May 30th, 2013

Chinese hackers steal US trade secrets; organized cybercriminals empty bank accounts; government agencies, medical institutions and businesses are routinely breached. IPCopper, manufacturer of network security hardware, finds that, by and large, US businesses do not take cybersecurity seriously enough to innovate out of the complacent mindset that has allowed a multitude of vulnerabilities to form in US technology infrastructure and business systems.

Not surprisingly, many lack the packet capture data necessary to figure out what happened when the inevitable breach occurs.

Cyber attacks unfold through sequences of bits and bytes that command the victim’s computer to, for example, send out or delete data. One sequence may constitute computer commands for one computer / OS, while appearing as gibberish to another. Whether those commands are malicious is another question.

Cybersecurity, by its nature, is reactionary, and much of today’s network security equipment is predicated on catching already-known malware signatures – of little use against current threats, in the face of the infinite combinations of code possible.

In an attempt to root out malicious communications, organizations with deeper pockets often use SIEMs to analyze netflow, which represents only a fraction of network data – much like guessing a letter’s contents from the address label.

Accepted security practices remain rooted in the technology of the 90s, when networks were slower, the internet smaller and malware exotic.

The cyber-threat landscape now, however, is scarier and more complex: breaches occur every day, malware is increasing exponentially and the old standbys (antivirus, firewalls, IDSs and IPSs) are failing to keep up. As last year’s breach in South Carolina shows, at today’s speeds attackers can steal 15 years of tax records for a whole state in hours.

One approach we think has considerable promise is to sandbox incoming data in an appliance that keeps hackers from ever getting to your primary equipment. Herndon, VA-based InZero has created one such system we’ve covered here at the TechJournal (there are others). InZero had enviable success in preventing hackers from breaching its system.

In an environment where computer breaches are as sure as death and taxes, the cybersecurity winners are those who react the quickest.

Given the high volumes of data on today’s networks and the subtle and insidious ways that hackers get in and hide their tracks, quick incident response times are dependent on surveillance: recording and timestamping every packet, in every corner of the corporate network. Since surveillance is all about coverage, installing multiple packet capture appliances at key network locations is crucial, says IPCopper.

Visit to learn more.

Despite breaches, cyber crime fight on right track, PandaLabs says

Friday, May 24th, 2013

Despite the numerous security incidents that took place during the first quarter of the year, the fight against cyber-crime is on the right track, says security firm PandaLabs.

Though there is still a long way to go, international co-operation among security agencies is paying off and criminals around the world are being brought to justice. The quarterly report is available here and on the PandaLabs blog.

“The start of the year has been witness to serious cyber-attacks, including the hacking of the Twitter accounts of major organizations such as the BBC or Burger King, and one of the biggest attacks ever, targeting some of the world’s leading technology companies: Apple, Facebook, Microsoft and Twitter. But there have been victories for security forces as well, including the arrest of a group of hackers accused of extortion using the infamous ‘Police Virus’,” said Luis Corrons, technical director of PandaLabs.

Police Virus Scams

One of the most infamous cases of malware in the last year was the ‘Police Virus,’ and in February this virus once again hit the headlines, but for a very different reason. The Technological Investigation Brigade of Spain’s National Police, together with Europol and Interpol, dismantled the cyber-crime ring responsible for the Police Virus.

“The news mentioned the arrest of ‘the gang’ of cyber-criminals, yet the information we have at PandaLabs points to the existence of several gangs responsible for these attacks. We reached this conclusion after analyzing numerous variants of the malware over time, and observing significant differences between them. In short, we are afraid the Police Virus is not likely to go away anytime soon and users shouldn’t lower their guards,” said Corrons.

Social Media Attacks

During Q1, various Twitter accounts were also hacked, including those of celebrities and companies; one of the most notable was Burger King’s. The attackers managed to work out the account password and take control of the account. They changed the background image to that of McDonald’s and claimed that the company had been taken over by its main rival.

The Twitter account of car company Jeep was also the victim of a similar attack, in this case stating that the company had been bought out by Cadillac. Other attacks on Twitter accounts had a more political slant.

A group of cyber-crooks calling themselves the “Syrian Electronic Army” managed to hack accounts belonging to several organizations. Phishing attacks were first launched to get the passwords and then the accounts were hijacked. Their victims included Human Rights Watch, the French news channel France 24 and the BBC weather service.

Android, Top Target for Mobile Malware

Nearly all news regarding malware attacks on mobile platforms involved the Android operating system, which has the largest share of this market. In addition to the usual attacks, this quarter saw new techniques that deserve mention. A strain of Android malware – hidden inside Google Play – not only infected cell phones but could also infect computers via smartphones and tablets.

According to Corrons, cyber-war and espionage are becoming more interesting. “Many countries are looking suspiciously at China regarding its suspected involvement in attacks on large organizations and public institutions around the world, and this could lead to real world consequences. There are those who argue for international agreements, a type of Geneva Convention, to attempt to establish limits to these activities,” he said.

For more detailed information on malware activity and trends in the first quarter of 2013, you can access the full report here and on the PandaLabs blog.

Many consumers failing to secure their mobile devices

Thursday, May 23rd, 2013

A Harris Interactive survey shows that 85 percent of consumers know their mobile devices are very or somewhat vulnerable, 74 percent say keeping their devices secure is their responsibility, but many don’t take action.

However, consumers are more likely to be aware of and protect themselves against a tangible threat, such as having a device stolen, than an intangible threat such as malware or hacking.

The consumers whose devices were lost or stolen were more likely to use PINs or passwords than those who didn’t have their devices lost or stolen (69 percent versus 47 percent), but no more likely to take any other proactive actions, such as remote locking, tracking and/or erasing apps (45 percent versus 41 percent).

Editor’s note: The first thing we did after buying a new tablet computer was install anti-virus software, the same as we did with our mobile phone. But we’re in the minority.

Fewer than a third install anti-virus on mobile devices

Oddly, only one in five view smartphones as mini-computers, but more than half (53 percent) view cybersecurity the same way on mobile devices as they do on computers. Less than a third (31 percent) installed an anti-virus program on their smartphone, compared to 91 percent on a laptop.

Thankfully, consumers are nearly as likely to run updates on their smartphones (66 percent) as on their laptops (69 percent).

Disconnect on cybersecurity

Yet the survey clearly shows that there is a disconnect on cybersecurity between consumers’ awareness and their actions. However, consumers are beginning to take valuable steps to protect themselves and their information.

A majority of consumers (66 percent) review their wireless bills for suspicious activity at least once a month. Of those who use their mobile devices for online banking, more than half (56 percent for tablets and 55 percent for smartphones) use encryption or security software.

When asked what would prompt them to add a password or install anti-virus software on their personal tablets or smartphones, 35 percent said having a friend or family member suffer a security breach; 33 percent said an app that reminds them to update anti-malware software or to change the PIN; 32 percent said a tutorial that prompts them; 27 percent said a friend’s advice; 26 percent said advice from a device or network provider; and 23 percent said media stories that explain the benefits.

Of these same consumers surveyed, two thirds (67 percent) believe industry is better equipped to write cybersecurity regulations than the federal government.

“Cybersecurity is everyone’s responsibility, from the consumer to the app creator to operating system to the device manufacturer to carriers and everyone in between. Through our Cybersecurity Working Group, our members are working hard and being vigilant to protect their customers, but it’s great to see that end users recognize their vital role in preventing cyberthreats,” said Steve Largent, President and CEO of CTIA, which commissioned the survey.

“Yet there’s much to do, which is why CTIA and our members will continue to focus on consumer education so users know the wide variety of apps, tools and features available to help protect their information and their devices.”

The survey was conducted in November 2012 with more than 1,500 adults who own a cellphone or smartphone. The CTIA Cybersecurity Consumer Research survey by Harris Interactive presentation is available at: (PDF).

How contact centers can reduce credit card fraud

Thursday, May 23rd, 2013

Every credit card transaction conducted over the Internet introduces a security risk for the cardholder. Data stores can be hacked, card numbers overheard, data streams might be vulnerable to interception; even contact center agent integrity is not beyond question.

That sort of concern, backed up by the many high profile data breaches at companies large and small over the last few years, is one reason some people are still wary of using credit cards to shop online. It’s also a motivator to use alternative currencies such as bitcoin.

To increase controls around cardholder data and reduce credit card fraud, the industry-wide Payment Card Industry Security Standards Council first defined its Data Security Standard (PCI DSS) in 2004 and updated it in October 2010 to current version 2.0.

Frost & Sullivan’s white paper, Protect Customers with PCI Compliance, analyzes the risks for data breaches and theft in the contact center, and helps contact center managers understand the actions that can be taken to increase agent vigilance and data security.

Rigorous, multilayered response needed

Taking steps to identify and prevent cybercrime in customer contact channels involves a rigorous multilayered response. This includes meeting and complying with the PCI DSS standard by submitting to and passing periodic comprehensive scoping, assessment, validation, and reporting requirements, and by meeting the standard between assessments.

“Compliance with data standards like PCI DSS is entwined with preventing data theft. To manage both issues often requires expert advice and recommendations from experienced companies like SPS,” said Frost & Sullivan Industry Analyst Brendan Read.

Strategic Products and Services (SPS) offers PCI DSS compliance consulting and advice.  SPS also supplies a wide range of other services that support PCI DSS compliance including interactive voice response (IVR) and call recording solution selection and implementation.

Successful social media customer care

“PCI considerations come up in many parts of a contact center’s business processes, many of which have implications on technology choices for encryption, recording, data storage and retrieval,” said SPS Chief Technology Officer Mike Taylor.

“Requirements differ, based on the customer’s industry and size of the data center operation.  SPS provides guidance to ensure that customer data management is PCI-compliant, especially in the areas of IVR systems and call recording. We tell them what is required and what is possible for an operation in their industry and size.”

Frost & Sullivan also released a white paper titled Enabling Successful Social Media Customer Care, which is another goal for many contact centers that are engaging with customers through social media channels.

Customers are already using social media to voice issues, obtain information and support, and to collaborate and network with other customers. Contact centers that successfully monitor and engage with these channels gain an opportunity to display highly proactive customer service.

But integrating contact-center systems with social media channels introduces new business challenges and opportunities, along with the significant IT integration requirements.  Security concerns, confidence scams, and even implications for PCI compliance over social media can raise additional requirements.


“Social media is fundamentally different from all other customer engagement channels in that it transmits public conversations one-to-many rather than private ones one-to-one. This factor, above all, makes providing effective and secure customer care over the social channel challenging,” said Read.

Create a single department

To be successful with social media, Frost & Sullivan recommends that firms create a single department responsible for customer engagement strategy across all media – one that has ongoing participation by other departments, including Corporate Communications, Marketing, and Legal.

Making use of customer social media usage requires advance planning, supported with the right blend of social monitoring software.

Using such systems, customers are associated with targeted “social profiles” which enable the firm to pursue a strategic and customized social strategy that correctly targets individual customer contacts.  Policies must also be put in place to govern what content may be published to social media channels by contact-center agents.

“Blending social media into the wider picture of the total customer experience requires a thorough approach, combining business process consulting and communications technology,” said Taylor.  “A strategic communications partner like SPS can help you understand what’s possible, develop and prioritize your plan of action, and provide a single point of accountability through implementation.”

Increasing cyber attacks giving intrusion protection a boost

Wednesday, May 22nd, 2013

The rising frequency and complexity of attacks that are far more effective at breaching enterprise networks’ security detection systems have lent momentum to the global intrusion prevention system (IPS) market.

The development of next-generation IPS (NGIPS) products with advanced protection capabilities has further spurred adoption.

New analysis from Frost & Sullivan Analysis of the Global Intrusion Prevention System (IPS) Market, finds that the market earned revenues of more than $1.21 billion in 2012 and estimates this to reach $2.44 billion in 2017.

NGIPS gaining acceptance

The growth in long-term, targeted advanced persistent threats (APTs) indicates that hackers are now well-organized and highly skilled, and are most likely funded by nation-states or large criminal organizations. Hence, while enterprises continue to install IPS to detect traditional malware, the increase in APTs is what primarily compels customers to upgrade to NGIPS.

“NGIPS solutions are gaining acceptance owing to their ability to inspect traffic based on detailed contextual data such as application type and user identity, as well as detecting malware for which there are no signatures or other detection methods available,” said Frost & Sullivan Network Security Industry Analyst Chris Rodriguez. “Optionally, many IPS products can provide basic web application firewall capabilities, data loss prevention, botnet detection, or distributed denial-of-service prevention services.”

IPS products are popular as they also offer performance and scalability not provided in other low-cost, multi-function security products. The availability of purpose-built hardware to better defend against polymorphic threats, along with investments in research and development to improve the products’ security efficacy has boosted IPS vendors’ margins.

High costs deter some businesses

However, the high costs of these IPS solutions, which on average are more expensive than firewalls and unified threat management (UTM) systems, deter businesses already wary of large capital investments during a weak global economy.

Here at the TechJournal, we’ve long said that the cost of serious data breaches at companies is, in the end, far more expensive than preventing those breaches in the first place. The resources that state-inspired cyber espionage and large criminal organizations bring to bear to break in have to be matched by equally strong preventative measures. Even then, it may be an ongoing battle.

The integration of IPS with multi-function security devices and firewalls gives rise to UTM products with lower costs of ownership, and thereby affects the market’s overall value. The expertise required for IPS’ optimal performance adds to the total cost of ownership.

“Creating awareness on the benefits of next-generation solutions, which can fulfill customers’ security, networking, and compliance requirements, will be crucial to accelerate uptake,” noted Rodriguez. “Vendors must also build solutions that support network throughput speeds, and develop comprehensive strategies that will secure virtualization and cloud computing environments.”

Large-scale cyber espionage attacks coming from India

Monday, May 20th, 2013

A large and sophisticated cyber-attack infrastructure appears to have originated from India, says a new report from Norman Shark, the global security leader in malware analysis solutions for enterprises, service providers and government.

The attacks, conducted by private threat actors over a period of three years and still ongoing, showed no evidence of state-sponsorship but the primary purpose of the global command-and-control network appears to be intelligence gathering from a combination of national security targets and private sector companies.

“The data we have appears to indicate that a group of attackers based in India may have employed multiple developers tasked with delivering specific malware,” commented Snorre Fagerland, head of research for Norman Shark labs in Oslo, Norway.

Extreme diversity of sectors targeted

“The organization appears to have the resources and the relationships in India to make surveillance attacks possible anywhere in the world. What is surprising is the extreme diversity of the sectors targeted, including natural resources, telecommunications, law, food and restaurants, and manufacturing. It is highly unlikely that this organization of hackers would be conducting industrial espionage for just its own purposes—which makes this of considerable concern.”

While it’s probably unrelated, here at the TechJournal, we had to block India’s access due to continued and repeated attacks on our WordPress blog (that you’re reading right now). We regret that, because we also received legitimate traffic from India. We also had to block China, Hong Kong and Russia. Anyone else finding continual attacks from these countries?

The investigation revealed evidence of professional project management practices used to design frameworks, modules, and subcomponents. It seems that individual malware authors were assigned certain tasks, and components were “outsourced” to what appear to be freelance programmers. “Something like this has never been documented before,” Fagerland added.

The discovery is currently under investigation by national and international authorities.

The discovery began on March 17th when a Norwegian newspaper reported that Telenor, one of the world’s largest mobile phone operators, a member of the world’s top 500 companies, and Norway’s major telecommunications company, had filed a criminal police case for an unlawful computer intrusion. Spear phishing emails targeting upper management appeared to be the source of the infection.

Operation Hangover

The behavior pattern and file structure of malware files made it possible, for security analysts at Norman Shark, to search internal and public databases for similar cases utilizing Norman’s Malware Analyzer G2 automatic analysis systems.

The amount of malware found by Norman analysts and their partners was surprisingly large and it became clear the Telenor intrusion was not a single attack, but part of a continuous effort to compromise governments and corporations worldwide.

Norman Shark titled the report “Operation Hangover” after one of the cyber espionage malware families most frequently used in this case.

Victims in more than a dozen countries

Based on an analysis of IP addresses collected from criminal data stores discovered during the investigation, it appears that potential victims have been targeted in more than a dozen countries. Specific targets include government, military and business organizations.

Attribution to India was based on an extensive analysis of IP addresses, website domain registrations, and text-based identifiers contained within the malicious code itself.

Despite all of the recent media attention on so-called “zero day” exploits encompassing brand new attack methods, Operation Hangover appears to have relied on well-known, previously identified vulnerabilities in Java, Word documents, and web browsers.

“This type of activity has been associated primarily with China over the past several years but to our knowledge, this is the first time that evidence of cyber espionage has shown to be originating from India,” Fagerland concluded. “Our study, available on the Norman website ( provides assistance in what security teams need to look for.”

How to reduce the risk of cyber catastrophe

Friday, May 10th, 2013

Reports of high profile cyber security breaches at major companies have become almost routine despite studies showing that they are extremely costly to the firms involved.

In a recent survey, the majority of corporate risk managers and senior executives expressed concern about cyber risks. Yet many U.S. companies do not have a network security or privacy liability insurance program to protect themselves.

In other words, they feel vulnerable but aren’t sure what to do about it. A new report by Lockton illuminates the issue, along with the solution to managing cybersecurity in a world where business often depends on technology.

The report, co-authored by Lockton’s Michael Schmitt and Lisa Phillips, is entitled “Cybersecurity: Most Companies Know Enough to Worry, But Not Enough to Take Action.”

“How an organization responds to a data breach can either cause or prevent lost customers, regulatory fines and investigations,” Schmitt said.

Preparation and testing essential

Phillips added that preparation and testing are essential for any responsible organization. She writes that it starts with an assessment of the type of data held, including where it is stored, who has access to it and whether there are proper security measures in place to protect it.

After analyzing risk and implementing security measures, the next step is to create and test a data breach response plan with participation from IT, Legal, HR, Risk Management, Finance and Customer Service. Lockton also suggests involving data breach experts outside the company who can provide insight and guidance.

If a breach does occur, the data breach response team must be ready to move quickly to verify, investigate and communicate internally – and with customers, as appropriate.

The Lockton experts also recommend speaking with an insurance professional about what may be covered and what breach response services may be available through an insurance policy.

Public cloud sprawl worries enterprise IT leaders

Tuesday, May 7th, 2013

Are you using Dropbox, Evernote, Skype or other public cloud services at work? Many are and it worries some firms.

There is growing concern among Enterprise IT leaders over the unauthorized use of the public cloud by business units within the enterprise according to the 2013 PMG Cloud Sprawl Survey of 234 North American corporate IT professionals.

Unauthorized cloud services of most concern to business IT professionals include the use of public cloud storage (70 percent), cloud synchronization (68 percent) and cloud-based collaboration applications (53 percent).

The pattern of unauthorized usage of cloud services seems to be on the rise despite the fact that IT says the vast majority (89 percent) of employees understand the need for data security.

Many have a policy

Today, 54 percent of corporate IT professionals surveyed say their organizations have a policy in place regarding the use of public cloud storage services.

However, the plurality (43 percent) admit to being only “somewhat effective” in educating business users on the pitfalls of the public cloud. Twenty-eight percent of IT pros say they are not effective in educating business users on the downside of using public cloud solutions, 20 percent say they are effective and 10 percent are not sure how effective they are.

Complete findings from the 2013 PMG Cloud Sprawl Survey, a blind survey of 234 North American corporate IT professionals conducted in March of 2013, are available at

Cloud sprawl

The ever-growing use of public cloud services and apps by individuals or business units within a company, often without permission from IT, also known as cloud sprawl, is a trend most tech professionals see as negative.

A majority of IT pros (52 percent) say cloud sprawl will have a significant or somewhat negative impact on operations and resources, and 34 percent say they don’t yet know how it will impact IT.

“Cloud services will continue to expand within companies, in fact this study found 38 percent of IT respondents turn to the cloud because it offers faster deployment,” said Joe LeCompte, principal at PMG. “Savvy IT departments are focusing on finding better ways to offer enterprise-grade cloud services to internal users as a way to stem cloud sprawl and safeguard corporate information.”

Top Cloud Concerns

Security tops the list of the biggest issues associated with unauthorized cloud sprawl. When asked, here is how corporate IT ranks the following concerns:

  • 79 percent data security,
  • 57 percent compliance,
  • 55 percent network security,
  • 51 percent loss of control,
  • 48 percent unmanaged application.

Specific cloud services or applications IT has prevented or limited enterprise access to include social media sites (66 percent), Skype (61 percent), Dropbox (59 percent) and Google Drive (40 percent). Sixty-four percent of those surveyed say much of the increased usage of cloud solutions has been driven by the Bring Your Own Device (BYOD) trend in today’s workplace.

Efforts To Make Cloud Procurement a Positive

When IT uncovers the deployment of public cloud solutions without IT’s assistance or knowledge, 65 percent say they evaluate the service and act accordingly (either approving or denying usage), only 15 percent immediately pull the plug and 11 percent say they don’t get involved in the deployment of department-level cloud solutions.

The strategies IT is using to better manage cloud sprawl within corporations are varied but include the following:

  • 48 percent assign an IT resource to work with business units/departments seeking cloud solutions,
  • 39 percent have developed internal cloud solutions for business units/departments to use,
  • 33 percent have developed and enforce a corporate-wide cloud services IT policy.

The silver lining in the cloud sprawl conundrum is that 72 percent of IT leaders say employees are willing to use corporate installed cloud solutions. This is good because 82 percent of IT respondents are predicting the volume of cloud service procurement by business users over the next 24 months to be greater than it is today.

Big Data

With 60 percent of those surveyed reporting big data is or will become vital in future enterprise cloud deployment, the ability to integrate data between cloud applications, or between a cloud application and an on-premise application, is key.

To date, 46 percent have had incompatibility issues when trying to integrate data between cloud and on-premise applications. Forty-six percent surveyed say this is because of the use of unsanctioned cloud applications.

“At the end of the day, IT is not going to paint all public cloud solutions as ‘bad’,” said LeCompte. “In fact, 69 percent of IT executives say a hybrid cloud strategy using both private and public cloud offerings is the wave of the future inside the enterprise.

“Containing cloud sprawl to protect corporate information and ensure security can be done by providing cloud services in a structured manner with a proper governance framework.”

Getting Personal with IT Professionals

On the strictly personal side, the survey found that most technology professionals had a split personality – when it comes to operating systems.

The vast majority (72 percent) prefer the Windows OS for personal computing (outside the work environment) compared to 25 percent that answered Apple and four percent that opt for Google.

On the mobile side of things, a majority (53 percent) prefer the Apple mobile OS, 34 percent Android, 9 percent Windows and 4 percent BlackBerry.

Big Bang Theory

The Big Bang Theory pokes fun at super smart “geeks” who love science, comic books and the girl next door.

When asked what fictional TV character most represents today’s IT professionals, the “wicked smart” Dr. Gregory House from House M.D. got 27 percent of the vote, followed by the “lovable geek” Sheldon Cooper, Ph.D. from The Big Bang Theory with 21 percent of the vote, and Sherlock Holmes from Elementary cited by 19 percent.

We’re not sure about those choices. While Cooper is certainly a geek, his TV friend Wolowitz is really the computer nerd.

The bottom of the list included Tony Soprano (8 percent), Homer Simpson (6 percent) and Elmo from Sesame Street (1 percent).

For in-depth survey findings from the 2013 PMG Cloud Sprawl Survey visit

Data security, compliance top concerns of cloud adopters

Tuesday, May 7th, 2013

A cloud security survey by NetIQ, commissioned through IDG Connect, reveals that while companies have become increasingly comfortable with the security of third-party cloud service providers, data security – particularly at the end user level – as well as concerns over meeting compliance requirements, remain top-of-mind among cloud adopters.

Fifty-one percent of IT executives surveyed believe that the cloud increases data security overall. However, almost 70 percent of respondents indicated that consumer cloud services pose a risk to sensitive data in their organizations and 45 percent are not fully confident that their cloud provider’s security processes and programs meet their data security requirements.

Additional findings found a mix of concern and confidence in cloud security:

  • Forty-five percent do not have full visibility and control of their cloud-based data when users sign up on their own.
  • Only 46 percent train end users on how they should securely access data in the cloud.
  • Forty-two percent of organizations are not fully confident that they demonstrate regulatory compliance concerning sensitive information/assets in the cloud.
  • Fifty-nine percent are very confident in their ability to control and manage access from mobile devices to cloud services.

“These survey findings demonstrate that IT executives are feeling more confident in the execution of their cloud security strategies and programs. However, this confidence may be at odds with the concerns security teams have while addressing an ever-increasing number of threats to corporate information,” said Geoff Webb, director, Solution Strategy at NetIQ.

“Data-centric security programs remain the most targeted and effective way to build security programs ready to embrace the complexities inherent in adopting cloud. Identifying sensitive data, applying appropriate layers of protection around that data, and tracking who is accessing it remain the best ways to respond to threats, meet regulatory requirements and minimize organizational risk.”

This survey was conducted on behalf of NetIQ by IDG Connect to understand perceptions about cloud security worldwide. Researchers interviewed IT executives at companies with 500 or more employees. Sixty-one percent of respondents occupied director-level or higher roles within their organization.

The overall number of respondents was split between those from North America (36 percent), EMEA (36 percent) and APAC (28 percent). Full survey results are available at

IT and energy sites rack up most security holes

Thursday, May 2nd, 2013

Now here’s a paradox – while most industries saw fewer security vulnerabilities in 2012, IT web sites actually had the highest number of vulnerabilities per site. You would think that IT would be on the forefront of best practices, but that doesn’t appear to be so.

That’s according to WhiteHat Security, the Web security company, in the 2013 edition of the WhiteHat Security Website Security Statistics Report.

“Website security is an ever-moving target, and organizations need to better understand how various parts of the SDLC affect the introduction of vulnerabilities, which leave the door open to breaches,” said Jeremiah Grossman, co-founder and CTO of WhiteHat Security.

“This report – comprising survey and website vulnerability data – is the first time we can correlate various software security controls and SDLC behaviors to vulnerability outcomes and breaches. The results are both insightful and complex.”

The Current State of Website Security

In 2012, the average number of serious* vulnerabilities per website continued to decline, going from 79 in 2011 down to 56 in 2012. Despite this, 86 percent of all websites tested were found to have at least one serious vulnerability exposed to attack every single day of 2012.

Of the serious vulnerabilities found, on average 61 percent were resolved and only 18 percent of websites were vulnerable for fewer than 30 days in 2012. On average, resolving these vulnerabilities took 193 days from the first notification.

WhiteHat Security designated each tested site by industry, and a closer look revealed that:

  • With the exception of sites in the IT and energy sectors, all industries found fewer vulnerabilities in 2012 than in past years.
  • The IT industry experienced the highest number of vulnerabilities per website at 114.
  • Government websites had the fewest serious vulnerabilities with eight detected on average per website, followed by banking websites with 11 on average per website.
  • Entertainment and media websites had the highest remediation rate (the average percentage of serious vulnerabilities resolved) at 81 percent.
  • In years past, the banking industry had the fewest vulnerabilities and fixed the most vulnerabilities of any industry. This year, banking came in second with 11 average serious vulnerabilities found per website and a below average remediation rate of 54 percent (average is 61 percent across all industries).

Top Ten Vulnerability Classes

The two most prevalent vulnerability classes in 2012 were Information Leakage and Cross-Site Scripting, identified in 55 percent and 53 percent of websites respectively.

The next eight most prevalent include: Content Spoofing – 33 percent; Cross-site Request Forgery – 26 percent; Brute Force – 26 percent; Fingerprinting – 23 percent; Insufficient Transport Layer Protection – 22 percent; Session Fixation – 14 percent; URL Redirector Abuse – 13 percent; Insufficient Authorization – 11 percent.

SQL Injection continued its downward slide from 11 percent in 2011 to 7 percent in 2012, no longer making the Top 10.

Best Practices May Not Result in Better Security

In correlating the survey results with vulnerability data, WhiteHat Security could see how software security controls, or “best practices,” impacted the actual security of organizations. Some of the findings include:

  • 57 percent of organizations surveyed provide some amount of instructor-led or computer-based software security training for their programmers. These organizations experienced 40 percent fewer vulnerabilities, resolved them 59 percent faster, but exhibited a 12 percent lower remediation rate.
  • 39 percent of organizations said they perform some amount of Static Code Analysis on their websites’ underlying applications. These organizations experienced 15 percent more vulnerabilities, resolved them 26 percent slower, and had a 4 percent lower remediation rate.
  • 55 percent of organizations said they have a Web Application Firewall (WAF) in some state of deployment. These organizations experienced 11 percent more vulnerabilities, resolved them 8 percent slower, and had a 7 percent lower remediation rate.

Best practices may not be enough

Some of this data implies that best practices such as software security training are effective, yet some of the statistics clearly show that following best practices does not necessarily lead to better security.

The correlated data revealed that compliance is the primary driver for organizations to resolve vulnerabilities, but also the number one reason organizations do not resolve vulnerabilities. In other words, vulnerabilities are fixed if required by compliance mandates; however, if compliance does not require a fix, the vulnerability remains, despite possible implications to the overall security posture of the site.

“This collective data has shown that many organizations do not yet consider they need to proactively do something about software security. It is apparent that these organizations take the approach of ‘wait-until-something-goes-wrong’ before kicking into gear unless there is some sense of accountability,” said Grossman.

“This needs to change, and we believe there is now an opportunity for a new generation of security leaders to emerge and distinguish themselves with an understanding of real business and security challenges. Our hope is that they will address these issues we have identified and base their decisions on a foundation of data to improve the state of Web security over time.”

To view the complete report, visit