Posts Tagged ‘Security’
Monday, August 5th, 2013
This is scary, but it is no wonder Chinese and other hackers are so successful at breaking into enterprise networks.
Lancope, Inc., a leader in network visibility and security intelligence, has released a survey indicating that many enterprises possess an unrealistic confidence surrounding the security of their networks. According to the survey, more than 65 percent of IT/security professionals did not think, or were unsure whether, they had experienced any security incidents within the last 12-18 months.
While we can understand confidence if deserved, we question how much confidence they should have if they don’t know or are unsure whether they have had a break-in.
According to Lancope’s director of security research, Tom Cross, such confidence is not likely to be warranted. “Any system you connect to the Internet is going to be targeted by attackers very quickly thereafter,” he said. “I would assert that if you’re unsure whether or not your organization has had a security incident, the chances are very high that the answer is yes.”
More than a third think security incidents did not affect them
The survey also revealed that 38 percent believe recent security incidents had no impact on their organization. According to Cross, “even the most basic malware infection has some financial cost to the organization, even if it’s just the cost to clean infected machines. Not to mention the additional serious consequences that can result from a breach, including data loss, customer distrust, regulatory fines and many others.”
We’ve had our own problems with the explosion of malware attacks at the TechJournal and controlled it only via continual pro-active effort. Those attacks can cripple your SEO and harm your reputation.
Nearly 18 percent of respondents did admit to recently suffering from malware, and 16 percent said they had been the victim of distributed denial-of-service (DDoS) attacks. It is possible that many of these organizations have also suffered from other, more stealthy attacks and are just not aware. Insider threats, for example, can be difficult to detect because attackers have authorized access to the data they are looking to steal. Advanced, external attackers can also fly under the radar by constructing attacks that are likely to evade commonplace network security solutions.
Organizations were more realistic when evaluating the potential risk of insider threats to their infrastructure, with 32 percent naming it as one of the greatest risks. However, this concern was far overshadowed by fears associated with BYOD and mobile devices, coming in at over 50 percent. Because traditional security strategies cannot be easily applied to employee-owned assets, enterprise security professionals suffer from a lack of network visibility when it comes to mobile devices. This blind spot is obvious; but what about the blind spots that organizations don’t realize they have?
Areas of blind spots within the typical enterprise are many, including applications, network traffic, network devices, user activity, virtualized appliances and data centers, to name a few. Lancope was encouraged to also see “lack of visibility” top the list of greatest risks identified by survey participants, as well as “monitoring user activity” designated as a key challenge. Technologies like NetFlow can provide the much-needed visibility that many organizations currently lack.
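As an added illustration of the kind of visibility flow data gives (example code written for this page, not Lancope’s software or data), here is a short Python script that parses constructed NetFlow-style records, totals each internal host’s outbound bytes to external addresses, and flags hosts sending far more than their peers. The address plan, the CSV layout and the ten-times-median threshold are all assumptions.

```python
"""Flag internal hosts whose outbound volume to external addresses far
exceeds their peers', using constructed NetFlow-style records.

Added example; the records, the address plan and the threshold are
assumptions for illustration, not Lancope data or product logic."""
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample in a NetFlow-v5-like CSV export:
# src_ip,dst_ip,dst_port,bytes,packets
SAMPLE_FLOWS = """\
10.0.1.15,10.0.2.20,445,4200,30
10.0.1.15,203.0.113.9,443,52000,120
10.0.1.22,10.0.2.20,445,3900,28
10.0.1.22,198.51.100.7,443,61000,140
10.0.1.31,203.0.113.9,443,48000,110
10.0.1.40,198.51.100.44,443,9800000,7100
10.0.1.40,10.0.2.20,445,5100,33
10.0.2.20,10.0.1.15,445,6000,40
"""

# Assumed internal address plan; RFC 1918 space only.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    """True if the address falls inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the CSV export into a list of flow dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, port, nbytes, pkts = line.split(",")
        flows.append({"src": src, "dst": dst, "port": int(port),
                      "bytes": int(nbytes), "packets": int(pkts)})
    return flows


def outbound_bytes_by_host(flows):
    """Sum bytes per internal source host, counting only flows that
    leave the internal networks (internal-to-internal traffic is ignored)."""
    totals = defaultdict(int)
    for flow in flows:
        if is_internal(flow["src"]) and not is_internal(flow["dst"]):
            totals[flow["src"]] += flow["bytes"]
    return dict(totals)


def flag_outliers(totals, factor=10):
    """Return hosts whose outbound volume exceeds `factor` times the
    median volume across hosts; the factor is an assumed tuning knob."""
    if not totals:
        return []
    median = statistics.median(totals.values())
    return sorted(host for host, nbytes in totals.items()
                  if nbytes > factor * median)


if __name__ == "__main__":
    totals = outbound_bytes_by_host(parse_flows(SAMPLE_FLOWS))
    for host in flag_outliers(totals):
        print(f"outlier: {host} sent {totals[host]} bytes externally")
```

A single median across a handful of hosts is a crude baseline; in practice the comparison is against each host’s own history and peer group over time, but the structure (reduce flows to per-host counters, then compare against a baseline) is the same one flow-analysis tools apply.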
“Organizations need to make sure that, when faced with the inevitable, they can identify an incident as quickly as possible,” said Cross. “With new attacks making headlines on a nearly weekly basis, it’s time for organizations to take a more strategic, holistic approach when it comes to network security.”
To access the full Lancope survey, go to: http://www.lancope.com/files/documents/Industry-Reports/Lancope-Security-Report-2013.pdf.
Tuesday, July 2nd, 2013
UPDATED – The digital world is abuzz with the news that Cameron and Tyler Winklevoss, famous for their dispute over the creation of Facebook, have filed with the U.S. Securities and Exchange Commission to create an exchange-traded fund (ETF) that would let investors trade bitcoins like stock.
The Winklevoss twins, who spoke at one of TechMedia’s earliest Southeast Venture Conferences, have what the New York Times calls “sizeable bitcoin holdings,” and say their proposed $20 million bitcoin trust could thrust the virtual currency into the mainstream.
Created by a pseudonymous developer in 2009, bitcoins are entirely virtual, created by a network of users through a computationally intensive process called “mining.” Some stores and web sites accept them as payment (BitPay had processed 4,500 applications from merchants as of March).
Stephen Pair, co-founder of BitPay.
No personal or financial info required
BitPay, a leading bitcoin transaction processor co-founded by Stephen Pair, who serves as its CTO, handled over $5.2 million in bitcoin transactions for its merchants during the month of March. The Winklevoss filing notes that “The value of bitcoins is determined by the value that various market participants place on bitcoins through their transactions.”
Pair says, “Fundamentally, Bitcoin is newer and better software for conducting transactions. It doesn’t require providing any personal or financial information that’s so attractive to thieves online. There is no other method of payment over the Internet that doesn’t involve a bank, credit card or PayPal.” Pair spoke at TechMedia’s recent sold-out Digital Summit in Atlanta and discussed “What will make bitcoin succeed or fail” in an interview with the TechJournal.
We asked Pair for his outlook on the proposed ETF. He replied:
“A Bitcoin fund is a great way to allow people to invest and trade bitcoins without actually holding them and having to secure them. It makes a Bitcoin investment available to people through traditional and familiar brokerage services. I expect that there will be multiple Bitcoin ETF like products available in the future. Such funds will add liquidity to the Bitcoin market and open new avenues through which BitPay could manage its trading operations.”
Tyler Winklevoss told the Times the Winklevoss Trust “brings bitcoin to Main Street and mainstream investors to bitcoin.”
Both bitcoin and the proposed Winklevoss fund pose security and legal difficulties that Simone Foxman examines at Quartz.
In fact, the Times points out that it isn’t even certain securities regulators will approve the Winklevoss proposal. The proposal itself includes 18 pages of risk factors, including the relatively small use of bitcoins in the market compared to that of speculators, and the uncertain regulatory environment, among others.
Also, over at TechCrunch, you can read about This ATM machine turns bitcoins into cash.
Thursday, June 6th, 2013
The majority of businesses (79%) had a mobile security incident in the past year, and the costs are substantial, according to a new report from Check Point Software Technologies. The report found mobile security incidents tallied up to over six figures for 42 percent of businesses, including 16 percent who put the cost at more than $500,000.
From smartphones to tablets, mobile devices continue to cause ongoing concern for IT teams responsible for information security. Sensitive corporate information can be easily transported, leaked, or lost while the Bring Your Own Device (BYOD) movement has dramatically increased the number of expensive security incidents.
Even so, corporate information, including sensitive customer information, is increasingly stored on personal mobile devices and not managed by corporate IT.
Based on a survey of nearly 800 IT professionals, the report quantifies the dramatic growth of BYOD, exposes the frequency and cost of mobile security incidents, and identifies the main challenges faced by businesses of all sizes.
Key findings include:
- Surge in Personal Mobile Devices Connecting to the Corporate Network – Among companies that allow personal mobile devices, 96 percent say the number of personal devices connecting to their corporate networks is growing, and 45 percent have more than five times as many personal mobile devices as they had two years ago.
- Mobile Security Incidents Common and Costly for Businesses Large and Small – More than half (52%) of large businesses report mobile security incidents have amounted to more than $500,000 in the past year. Even for 45 percent of SMBs with fewer than 1,000 employees, mobile security incidents exceeded $100,000 in the past year.
- Mobile Platform with the Greatest Perceived Security Risks – Android was cited by 49 percent of businesses as the platform with the greatest perceived security risk (up from 30 percent last year), compared to Apple, Windows Mobile, and BlackBerry.
- Corporate Information Not Managed on Mobile Devices – Despite costly mobile incidents, 63 percent of businesses do not manage corporate information on personal devices, and 93 percent face challenges adopting BYOD policies.
- More Mobile Devices Store Sensitive Customer Information – More than half (53%) of all businesses surveyed report there is sensitive customer information on mobile devices, up from 47 percent last year.
“Without question, the explosion of BYOD, mobile apps, and cloud services, has created a herculean task to protect corporate information for businesses both large and small,” said Tomer Teller, security evangelist and researcher at Check Point Software Technologies.
“An effective mobile security strategy will focus on protecting corporate information on the multitude of devices and implementing proper secure access controls to information and applications on the go. Equally important is educating employees about best practices, as the majority of businesses are more concerned with careless employees than cybercriminals.”
For a full copy of the new report, The Impact of Mobile Devices on Information Security, please visit:
Friday, May 31st, 2013
Risky applications and business applications are being used side-by-side on devices owned by employees that are used for work, according to a survey on Mobile Application Security conducted during April and May 2013 by the SANS Institute and sponsored by Box, SAP and Veracode.
Of the 600 respondents who completed the substantive sections of the survey, nearly 80% allow communications and collaboration apps on personal mobile devices, and nearly 60% also allow general Internet apps (such as web browsing and media file sharing). Another 44% allow VPN access from BYOD devices, and 26% allow direct access to business systems.
Four percent of the respondents answered that personal mobile devices are also accessing control system applications, while another 8 percent are allowing access to field service applications.
Here at the TechJournal, we see a new report looking at the Bring Your Own Device problems companies are experiencing just about daily.
BYOD should raise huge red flags
“Personal mobile device access to critical business and infrastructure systems should raise huge red flags to organizations thinking that their only concern will be e-mail on employee-owned smartphones, pads and tablets,” says Deb Radcliff, chief of the SANS Analyst Program, which developed the report. “Meanwhile, the means to protect access, applications and data are more difficult to develop and unify in mobile BYOD computing.”
For example, providing a unified identity management framework was both the least practiced and the most difficult to achieve, according to respondents. They are also trying to discern which tools and techniques make the best sense in protecting their networks and data from BYOD risks.
Securing devices and the mobile platforms was the top method of protection being implemented by 66% of respondents, with application lifecycle management being practiced by only 36% of organizations.
Repeating past mistakes
“Mobile application development seems to be repeating many of the mistakes from the past,” says Kevin Johnson, SANS Analyst and author of the report. “And these weaknesses need to be resolved due to the sensitive nature of the data on the devices.”
Of the 253 survey takers who also develop applications, the majority build web-based applications, with 32% of developers saying they also develop line-of-business applications. The good news is that nearly 60% of them indicated they had application security lifecycle processes embedded in their development and testing cycles.
“The prominent use of mobile devices together with cloud computing have even greater potential to expose critical information than in the past,” adds Barbara Filkins, SANS Analyst consulting on this survey. “Mobile application development can no longer afford to ignore security best practices.”
Full results will be shared during a June 6 webcast at 1 PM EDT, sponsored by Box, SAP and Veracode, and hosted by SANS at www.sans.org/info/124512. Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and mobility expert Kevin Johnson.
Thursday, May 30th, 2013
It doesn’t matter if you’re a man or a woman: The way people use (or misuse) their mobile phones can really grate on your nerves.
A Microsoft Safer Online Facebook poll revealed that many smartphone users don’t mind their mobile manners — but men and women both find people who constantly check their mobile phones to be the most annoying.
Of course, the frustrations don’t stop there. The following are the agreed-upon top five pet peeves:
- Checking phones constantly
- Talking loudly
- Using or not silencing phones when appropriate
- Using phones during face-to-face conversation
- Delaying traffic by using phones
Other mobile annoyances included accidentally pocket-dialing someone and simply losing their phones, opening the door to potential digital damage.
Personally, we’re most annoyed by people talking on their phones while in traffic, often driving erratically because of it. We see that every single day despite warnings that it’s more dangerous than drunk driving.
The other habit we find most annoying is when people talk loudly on their phones on trains, planes, and in public places (restaurants, stores, events, movies).
Thirty-nine percent of respondents also said they believe men and women practice mobile phone safety equally, but this may not be the reality.
“Although we’re all bothered by certain mobile phone behaviors, the more important point is knowing how to help protect one’s device and information from scammers, rogue software and the oversharing of digital details,” said Jacqueline Beauchere, chief online safety officer, Microsoft Corp. “We know from earlier research that men and women practice mobile safety very differently.”
So who does a better job protecting their personal information on mobile phones? According to the Microsoft Computing Safety Index (MCSI), men do a slightly better job using technical tools:
- Thirty-five percent use a PIN or password to lock their mobile device compared with 33 percent of women.
- Thirty-five percent use secured wireless networks versus 32 percent of women.
- Thirty-two percent keep their mobile devices up to date contrasted with 24 percent of women.
Yet, men seem to experience more mobile pitfalls, receiving more emails from strangers asking for personal information (70 percent versus 65 percent), more rogue antivirus popups (66 percent versus 58 percent), and more online impersonation experiences (31 percent versus 26 percent).
Women tend to be more protective of their online reputations, taking additional steps to limit personal information online (40 percent versus 37 percent) and what strangers can see on social networking sites (40 percent versus 32 percent), as well as being more selective about what they text (34 percent versus 31 percent).
As always, protecting yourself online is paramount in today’s online world.
Microsoft offers the following tips to help you stay safe when using your mobile devices — in turn, ensuring you don’t annoy your friends:
- Silence your mobile phone. Know when to put the phone away, and be present.
- Help protect your privacy online. Don’t overshare. Think before posting your whereabouts, and save vacation highlights and photos for your return.
- Use location-based services safely. Think carefully about turning on geotagging. Share your location only with people you trust. Pay attention to where and when you check in, and get permission before you check in your friends.
- Conduct financial transactions on a secure network. Don’t use “borrowed” or public Wi-Fi hotspots.
- Lock your mobile phone. Keep your info secret with a unique, four-digit PIN.
Take the Microsoft Safer Online Facebook poll, and find more information about the poll results and mobile phone safety at http://www.microsoft.com/security.
Thursday, May 23rd, 2013
A Harris Interactive survey shows that 85 percent of consumers know their mobile devices are very or somewhat vulnerable, 74 percent say keeping their devices secure is their responsibility, but many don’t take action.
However, consumers are more likely to be aware of and protect themselves against a tangible threat, such as having a device stolen, than an intangible threat such as malware or hacking.
The consumers whose devices were lost or stolen were more likely to use PINs or passwords than those who didn’t have their devices lost or stolen (69 percent versus 47 percent), but no more likely to take any other proactive actions, such as remote locking, tracking and/or erasing apps (45 percent versus 41 percent).
Editor’s note: The first thing we did after buying a new tablet computer was install anti-virus software, the same as we did with our mobile phone. But we’re in the minority.
Fewer than a third install anti-virus on mobile devices
Oddly, only one in five view smartphones as mini-computers, but more than half (53 percent) view cybersecurity the same way on mobile devices as they do on computers. Less than a third (31 percent) installed an anti-virus program on their smartphone, compared to 91 percent on a laptop.
Thankfully, consumers are nearly as likely to run updates on their smartphones (66 percent) as on their laptops (69 percent).
Disconnect on cybersecurity
Yet the survey clearly shows that there is a disconnect on cybersecurity between consumers’ awareness and their actions. However, consumers are beginning to take valuable steps toward protecting themselves and their information.
A majority of consumers (66 percent) review their wireless bills for suspicious activity at least once a month. Of those who use their mobile devices for online banking, more than half (56 percent for tablets and 55 percent for smartphones) use encryption or security software.
When asked what would prompt them to add a password or install anti-virus software on their personal tablets or smartphones, 35 percent said a friend or family member suffering a security breach; 33 percent said an app that reminds them to update anti-malware software or to change the PIN; 32 percent said a tutorial that prompts them; 27 percent said a friend’s advice; 26 percent said advice from a device or network provider; and 23 percent said media stories that explain the benefits.
Of these same consumers surveyed, two thirds (67 percent) believe industry is better equipped to write cybersecurity regulations than the federal government.
“Cybersecurity is everyone’s responsibility, from the consumer to the app creator to operating system to the device manufacturer to carriers and everyone in between. Through our Cybersecurity Working Group, our members are working hard and being vigilant to protect their customers, but it’s great to see that end users recognize their vital role in preventing cyberthreats,” said Steve Largent, President and CEO of CTIA, which commissioned the survey.
“Yet there’s much to do, which is why CTIA and our members will continue to focus on consumer education so users know the wide variety of apps, tools and features available to help protect their information and their devices.”
The survey was conducted in November 2012 with more than 1,500 adults who own a cellphone or smartphone. The CTIA Cybersecurity Consumer Research survey by Harris Interactive presentation is available at: http://ctia.it/18Lzlv3 (PDF).
Wednesday, May 22nd, 2013
Cloud computing is exceeding expectations. According to The TechInsights Report 2013: Cloud Succeeds. Now What? commissioned by CA Technologies (NASDAQ:CA), respondents indicate the cloud has moved beyond adolescence and is on the path to maturity in the enterprise.
Survey participants—IT decision makers that have implemented cloud services for at least one year—reported they are achieving better results, faster deployments and lower costs than expected as a result of cloud computing implementations.
Luth Research and Vanson Bourne conducted the survey on behalf of CA Technologies to learn how cloud computing is being used, problems or successes encountered, and how its use changed as IT teams gained more experience.
The report confirms that cloud computing is not only delivering on its major promises of saving money and speeding time-to-market, but also exceeding expectations.
This somewhat contradicts some other reports we’ve seen at the TechJournal that suggest some firms are having troubles implementing cloud solutions – often due to lack of in-house expertise.
Meeting or exceeding expectations
The vast majority of respondents reported their cloud implementations met or exceeded expectations across service models including Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Experienced cloud users also shed light on the evolving nature of the cloud, and how their objectives and requirements for success change as they advance along the cloud adoption curve.
“Going in, we expected the results to be much more balanced between successes and challenges across a variety of deployments and service models,” said John Michelsen, chief technology officer, CA Technologies. “Surprisingly, survey respondents were pleased with their cloud computing initiatives, which validates that the cloud is not just a fad, and instead they are focusing on making the most of it to drive innovation, speed and performance.”
Though the overall study results were generally consistent across the US and Europe, the length of experience and overall intended objectives for cloud differ. The US leads Europe in terms of years of experience, with 55 percent reporting three or more years of cloud use, compared to only 20 percent of European respondents.
The majority (79 percent) of European IT decision makers have implemented cloud computing for one to two (41 percent) or two to three (38 percent) years.
In terms of intended benefits, while cost savings continues to be a priority, increased speed of innovation rose to the top for more experienced organizations. When asked to name their top three objectives across IaaS, PaaS and SaaS deployments, Europeans most often selected “reduced total costs,” while US respondents noted “increased speed of innovation” and “superior IT performance/scalability/resiliency.”
In fact, cost reduction did not even make the list of the top three objectives in the US. One cloud provider told the TechJournal that often costs go up with cloud use because companies use it more than they expected to.
“As enterprises advance in their adoption of cloud, the desired outcomes evolve, as well,” said Michelsen. “Cost is often considered an early benefit – or even a required result – in order for IT teams to justify moving in the direction of the cloud. Once they show that cloud computing improves the bottom line, they can shift their focus to innovation and other objectives, such as increased performance and enhanced security.”
Additional notable results include:
- Larger organizations are leading the way:
  - They have been in the cloud longer (93 percent of those that report using cloud for four or more years have revenues of $1 billion or more), and
  - They are more likely to be using all three types of cloud services (79 percent of those using IaaS, PaaS and SaaS together in their organizations have revenues of $1 billion or more).
- Security remains a contradiction:
  - Nearly all respondents (98 percent) agree that the cloud met or exceeded their expectations for security across IaaS, PaaS and SaaS.
  - Nearly one-third indicated “security has been less of an issue than originally thought” when asked to share their primary reasons for success with cloud computing.
  - Yet security was cited by nearly half of respondents (46 percent) as the number one reason that an application is not moved into the cloud.
- Cloud spending plans increase at a faster rate for IT decision makers with more experience:
  - Companies using cloud computing for four or more years are almost six times more likely (34 percent compared to 6 percent) to report that they are increasing cloud spending by more than 30 percent in 2013.
  - US respondents plan to increase spending on cloud at a higher rate than their European counterparts, with 48 percent planning to increase spending up to 30 percent and 17 percent more than 30 percent, versus 42 percent and 4 percent for European respondents, respectively.
  - Overall cloud spending is expected to stay about the same or increase for the majority of respondents (95 percent across the US and Europe).
- Experienced cloud users recognize the need for IT management to ensure future success:
  - Respondents that have been using cloud computing for longer, or have used multiple types of cloud, identified the following IT management capabilities as critical to their success:
    - End-to-end service automation,
    - Service-level management across both cloud and non-cloud environments, and
    - The ability to switch between cloud service providers.
Friday, May 10th, 2013
Reports of high-profile cyber security breaches at major companies have become almost routine, despite studies showing that they are extremely costly to the firms involved.
In a recent survey, the majority of corporate risk managers and senior executives expressed concern about cyber risks. Yet many U.S. companies do not have a network security or privacy liability insurance program to protect themselves.
In other words, they feel vulnerable but aren’t sure what to do about it. A new report by Lockton illuminates the issue, along with the solution to managing cybersecurity in a world where business often depends on technology.
The report, co-authored by Lockton’s Michael Schmitt and Lisa Phillips, is entitled “Cybersecurity: Most Companies Know Enough to Worry, But Not Enough to Take Action.”
“How an organization responds to a data breach can either cause or prevent lost customers, regulatory fines and investigations,” Schmitt said.
Preparation and testing essential
Phillips added that preparation and testing are essential for any responsible organization. She writes that it starts with an assessment of the type of data held, including where it is stored, who has access to it and whether there are proper security measures in place to protect it.
After analyzing risk and implementing security measures, the next step is to create and test a data breach response plan with participation from IT, Legal, HR, Risk Management, Finance and Customer Service. Lockton also suggests involving data breach experts outside the company who can provide insight and guidance.
If a breach does occur, the data breach response team must be ready to move quickly to verify, investigate and communicate internally – and with customers, as appropriate.
The Lockton experts also recommend speaking with an insurance professional about what may be covered and what breach response services may be available through an insurance policy.
Thursday, May 2nd, 2013
Now here’s a paradox: while most industries saw fewer security vulnerabilities in 2012, IT web sites actually had the highest number of vulnerabilities per site. You would think that IT would be at the forefront of best practices, but that doesn’t appear to be so.
That’s according to WhiteHat Security, the Web security company, in the 2013 edition of the WhiteHat Security Website Security Statistics Report.
“Website security is an ever-moving target, and organizations need to better understand how various parts of the SDLC affect the introduction of vulnerabilities, which leave the door open to breaches,” said Jeremiah Grossman, co-founder and CTO of WhiteHat Security.
“This report – comprising survey and website vulnerability data – is the first time we can correlate various software security controls and SDLC behaviors to vulnerability outcomes and breaches. The results are both insightful and complex.”
The Current State of Website Security
In 2012, the average number of serious* vulnerabilities per website continued to decline, going from 79 in 2011 down to 56 in 2012. Despite this, 86 percent of all websites tested were found to have at least one serious vulnerability exposed to attack every single day of 2012.
Of the serious vulnerabilities found, on average 61 percent were resolved and only 18 percent of websites were vulnerable for fewer than 30 days in 2012. On average, resolving these vulnerabilities took 193 days from the first notification.
WhiteHat Security designated each tested site by industry, and a closer look revealed that:
- With the exception of sites in the IT and energy sectors, all industries found fewer vulnerabilities in 2012 than in past years.
- The IT industry experienced the highest number of vulnerabilities per website at 114.
- Government websites had the fewest serious vulnerabilities with eight detected on average per website, followed by banking websites with 11 on average per website.
- Entertainment and media websites had the highest remediation rate (the average percentage of serious vulnerabilities resolved) at 81 percent.
- In years past, the banking industry had the fewest vulnerabilities and fixed the most vulnerabilities of any industry. This year, banking came in second with 11 average serious vulnerabilities found per website and a below average remediation rate of 54 percent (average is 61 percent across all industries).
Top Ten Vulnerability Classes
The two most prevalent vulnerability classes in 2012 were Information Leakage and Cross-Site Scripting, identified in 55 percent and 53 percent of websites respectively.
The next eight most prevalent include: Content Spoofing – 33 percent; Cross-site Request Forgery – 26 percent; Brute Force – 26 percent; Fingerprinting – 23 percent; Insufficient Transport Layer Protection – 22 percent; Session Fixation – 14 percent; URL Redirector Abuse – 13 percent; Insufficient Authorization – 11 percent.
SQL Injection continued its downward slide from 11 percent in 2011 to 7 percent in 2012, no longer making the Top 10.
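Two of the classes in the list above in miniature, as an added example that is not from WhiteHat’s report: a reflected Cross-Site Scripting handler beside its output-encoded form, and a login that keeps the pre-authentication session ID (Session Fixation) beside one that rotates it. The request and session model is a toy stand-in for a web framework’s, and every function and class name here is an assumption made for the example.

```python
"""Reflected XSS and session fixation: vulnerable handler beside the fix.

Added example with a toy request/session model; not WhiteHat's code and
not any particular framework's API."""
import html
import secrets
from urllib.parse import parse_qs


def search_page_vulnerable(query_string):
    """Echo the untrusted 'q' parameter straight into HTML.
    A request like q=<script>alert(1)</script> executes in the victim's
    browser: reflected cross-site scripting."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {q}</h1>"


def search_page_hardened(query_string):
    """Same handler, but untrusted input is HTML-encoded before it is
    placed in an element body, so '<' reaches the browser as '&lt;'."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


class SessionStore:
    """In-memory session store standing in for a framework's (assumption)."""

    def __init__(self):
        self._sessions = {}

    def new(self):
        """Create an empty session under a fresh, unguessable ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def delete(self, sid):
        self._sessions.pop(sid, None)


def login_vulnerable(store, sid, user):
    """Authenticate the user into whatever session ID the request carried.
    If an attacker planted `sid` in the victim's browser beforehand, the
    attacker now holds an authenticated session: session fixation."""
    session = store.get(sid)
    if session is None:
        sid = store.new()
        session = store.get(sid)
    session["user"] = user
    return sid


def login_hardened(store, sid, user):
    """Discard the pre-authentication session and issue a new ID at the
    privilege change, so a planted ID is dead after login."""
    store.delete(sid)
    new_sid = store.new()
    store.get(new_sid)["user"] = user
    return new_sid


if __name__ == "__main__":
    payload = "q=<script>alert(1)</script>"  # constructed attack input
    print(search_page_vulnerable(payload))
    print(search_page_hardened(payload))
    store = SessionStore()
    planted = store.new()  # ID an attacker fixed in the victim's browser
    print("vulnerable keeps planted ID:", login_vulnerable(store, planted, "alice") == planted)
    store = SessionStore()
    planted = store.new()
    print("hardened rotates ID:", login_hardened(store, planted, "alice") != planted)
```

Encoding has to match the context the value lands in: `html.escape` is right for element bodies and quoted attribute values, but not for a JavaScript string, a URL or a CSS value, each of which needs its own encoder. The session fix is the same in any framework: regenerate the identifier whenever the session’s privilege level changes.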
Best Practices May Not Result in Better Security
In correlating the survey results with vulnerability data, WhiteHat Security could see how software security controls, or “best practices” impacted the actual security of organizations. Some of the findings include:
- 57 percent of organizations surveyed provide some amount of instructor-led or computer-based software security training for their programmers. These organizations experienced 40 percent fewer vulnerabilities, resolved them 59 percent faster, but exhibited a 12 percent lower remediation rate.
- 39 percent of organizations said they perform some amount of Static Code Analysis on their websites’ underlying applications. These organizations experienced 15 percent more vulnerabilities, resolved them 26 percent slower, and had a 4 percent lower remediation rate.
- 55 percent of organizations said they have a Web Application Firewall (WAF) in some state of deployment. These organizations experienced 11 percent more vulnerabilities, resolved them 8 percent slower, and had a 7 percent lower remediation rate.
Best practices may not be enough
Some of this data implies that best practices such as software security training are effective, yet some of the statistics clearly show that following best practices does not necessarily lead to better security.
The correlated data revealed that compliance is the primary driver for organizations to resolve vulnerabilities, but also the number one reason organizations do not resolve vulnerabilities. In other words, vulnerabilities are fixed if required by compliance mandates; however, if compliance does not require a fix, the vulnerability remains, despite possible implications to the overall security posture of the site.
“This collective data has shown that many organizations do not yet consider they need to proactively do something about software security. It is apparent that these organizations take the approach of ‘wait-until-something-goes-wrong’ before kicking into gear unless there is some sense of accountability,” said Grossman.
“This needs to change, and we believe there is now an opportunity for a new generation of security leaders to emerge and distinguish themselves with an understanding of real business and security challenges. Our hope is that they will address these issues we have identified and base their decisions on a foundation of data to improve the state of Web security over time.”
To view the complete report, visit https://www.whitehatsec.com/resource/stats.html.
Wednesday, May 1st, 2013
A smart phone can contain a lot of information that its owner would rather keep private. But 39 percent of the more than 100 million American adult smart phone owners fail to take even minimal security measures, such as using a screen-lock, backing up data, or installing an app to locate a missing phone or remotely wipe its data, according to Consumer Reports’ Annual State of the Net survey.
At least 7.1 million smart phones were irreparably damaged, lost, or stolen and not recovered last year, Consumer Reports projects. Yet 69 percent of smart phone users hadn’t backed up their data, including photos and contacts. Just 22 percent had installed software that could locate their lost phone.
“When you take your smart phone into your confidence, so to speak, you’re also taking in a host of parties, including app developers, your wireless carrier and phone manufacturer, mobile advertisers, and the maker of your phone’s operating system,” said Jeff Fox, Technology Editor, Consumer Reports.
Take basic precautions
“We recommend that all smart phone users take the basic precautions we outline in this report to ensure that their phones are secure from wireless threats.”
The full report can be found in the June 2013 issue of Consumer Reports and online at ConsumerReports.org.
The report revealed that though most smart phone users haven’t suffered serious losses because of their phone, there are wireless threats that merit concern.
Among them: malicious software. Last year, 5.6 million smart phone users experienced undesired behavior on their phones such as the sending of unauthorized text messages or the accessing of accounts without their permission, CR projects. Those symptoms are indicative of the presence of malicious software.
Location tracking can lead to trouble
The location tracking feature that all smart phones have can also leave users vulnerable to wireless threats. One percent of smart phone users told Consumer Reports that they or a person in their household had been harassed or harmed after someone used such location tracking to pinpoint their phone.
CR also projects that at least 5.1 million preteens use their own smart phones. In doing so, they may unwittingly disclose personal information or risk their safety.
A smart phone can be quite secure if users take a few basic precautions, Consumer Reports found. Those precautions include:
- Use a strong pass code. A four-digit one, which 23 percent of users told CR that they used, is better than nothing. But on Android phones and iPhones earlier than the iPhone 5, a thief using the right software can crack such a code in 20 minutes, according to Charlie Miller, security engineer for Twitter. A longer code that includes letters and symbols is far stronger.
- Install apps cautiously. Malicious apps may not lurk around every corner, but they’re out there and can be tricky to spot. For example, CR projects that 1.6 million users had been fooled into installing what seemed to be a well-known brand-name app but was actually a malicious imposter.
- Turn off location tracking. Disable it except when it’s needed, such as for driving directions. Only one in three smart phone owners surveyed by CR had turned it off at times during the previous year.
Tuesday, April 23rd, 2013
According to Trend Micro’s (TYO: 4704; TSE: 4704) Q1 2013 Security Roundup Report, the company’s researchers raised the alarm about zero-day vulnerabilities in addition to concerns about the recent concentrated attack in South Korea.
Collectively, these events demonstrate that zero-day vulnerabilities remain a threat while attack innovations are growing in sophistication, intensity and severity.
Trend Micro’s synopsis of prominent Q1 threats includes:
New attacks against Oracle’s Java and Adobe’s Flash Player, Acrobat and Reader reveal that vulnerabilities are emerging faster than they can be patched and are quickly being incorporated into professional attack kits such as the “Black Hole Exploit Kit.”
“Of course Java is cross-platform and that is somewhat attractive to criminals, but what is really attractive is its vulnerabilities and its ubiquity,” said Rik Ferguson, Trend Micro’s VP, Security Research.
“This definitely won’t be the last zero-day vulnerability in Java and it won’t be the end of the vast attack surface that it currently offers to criminals.”
It’s still a good idea to disable Java in your browsers, security experts say. If you don’t actually need it, you may want to uninstall it from your devices entirely.
Attacks on South Korea
The high-profile attacks executed in South Korea this March reinforce that theft is no longer the sole focus of hacking efforts, but rather these breaches are also designed to cripple critical networks via innovative techniques including:
- Multiplatform focus such as UNIX and Linux
- Specific countermeasures for installed security software
- Hijacking of patch management systems
“Given the capability of what took place in South Korea, it is likely that increasingly destructive attacks will continue to be a threat,” said Tom Kellermann, VP, Cyber Security. “With each quarter, attacks are becoming bolder and more targeted, pointing to concerns far beyond the compromise of personal data.”
For the complete report, please visit: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-zero-days-hit-users-hard-at-the-start-of-the-year.pdf.
Wednesday, April 17th, 2013
As competition for talent heats up in the US and confidence levels among American workers continue to climb, new research conducted by Randstad US will arm employers with the insights they need to cultivate and optimize their employer brand – everything from their carefully crafted value proposition to the public’s perception.
“An employer brand is a billboard for the organization, and the importance of this public sentiment goes beyond recruitment efforts,” said Jim Link, managing director of human resources for Randstad US.
“Clearly, company reputation impacts attractiveness among potential candidates. It is also clear a strong employer brand will further drive bottom-line results by creating a stable workforce, increasing productivity, and engaging key stakeholders. This affects all aspects of the organization, and when managed effectively, can elevate leadership and visibility within the company’s industry.”
In order to help employers learn how to develop and deliver on this brand promise, Randstad took a closer look at what workers expect and want from a prospective employer. Key findings include:
Show Me The Money…And, Give Me Security And A Nice Working Environment
Top Three Factors in Choosing a New Employer
- Competitive salary and benefits
- Long-term job security
- Pleasant work atmosphere
Over the last several years, many Americans have witnessed or personally experienced salary freezes, temporary furloughs, layoffs, and even long periods of unemployment.
Given these recent strains, along with continued unease around the state of the economy, it may come as no surprise that US workers seek financial security first and foremost. Even so, money isn’t everything. A pleasant work atmosphere follows closely as one of the top factors in choosing a new employer.
It’s All About R-E-S-P-E-C-T
- A majority of workers want recognition for their good work (52 percent)
- Around half of employees tout the importance of open and honest communication (51 percent)
- Forty-nine percent of America’s workforce wants the respect of their colleagues
A pleasant work atmosphere is linked closely with job recognition, open communication, respect, and even fun and friendship. A good first step in building and sustaining an employer brand is to craft a culture that values employees, recognizes their contributions, and celebrates successes. Encouraging social connections among workers will not only nurture a sense of team spirit, it will also strengthen and solidify a feeling of shared commitment and accountability.
Pique the Interest of Peak Talent
- Just over half of workers find a job interesting when it makes good use of their existing skills
- Even so, 43 percent of employees are interested in the acquisition of new skills
- For 39 percent of US workers, a job is considered “interesting” when new ideas are valued
People seek employers that offer the opportunity to acquire new skills while making use of their existing capabilities. In order to attract and retain top talent, companies must provide an avenue for continued learning, whether through traditional training channels or participation in cross-functional teams and activities.
Supporting professional development initiatives and fostering career advancement will go a long way in retaining talent and maintaining a high performing workforce.
Spread the Word
Employers should research what people are already saying about the company when drafting a blueprint for their employer brand.
In a social media age, word of mouth communication is both accelerated and amplified. Company decision makers should use these digital conversations as an informal focus group and consider what’s being said online as a benchmark for their brand value.
Employers can facilitate positive social mentions by encouraging current employees to serve as brand ambassadors. Additionally, engaging in dialogue with potential candidates will create an online talent community, which will establish a pre-employment connection with prospective employees.
A strong employer brand not only attracts high performing talent, but it also promotes retention, creates a stable workforce, and increases organizational success. Moreover, high retention rates reduce search and selection costs and help employers more effectively manage their cost structure, driving the company’s bottom-line.
With a strong employer brand that clearly defines and delivers on its promise, organizations can attract and retain great talent, enhance productivity, and elevate market leadership.
Monday, April 1st, 2013
A new study of over 1,400 consumers, from market research firm Chadwick Martin Bailey, finds that while one-half of smartphone owners are familiar with mobile wallets, many who are familiar have reservations about adopting.
The research also reveals that beyond allaying security concerns, mobile wallet providers must do more to articulate the advantages of the technology over more traditional forms of payment. Additional insights include:
Mobile wallet providers who guarantee fraud and theft protection are well positioned to drive adoption among mainstream consumers—Concerns over security remain a significant barrier to adoption, but the promise of 100% fraud protection substantially increases willingness to adopt.
Notably, these security-conscious smartphone users are the most likely to identify banks and credit card companies as their preferred mobile wallet provider.
Ways to gain an advantage
Customers find the benefits of location-based services appealing, but privacy and battery life remain concerns. Respondents indicate location-based services that facilitate information gathering, like showrooming, drive adoption, but too many alerts and offers are unappealing. Providers willing to allow users to customize the number and type of offers they receive may have an advantage.
While banks and credit card companies are the clear choice for the security conscious, opportunities exist for other providers.
Convenience, features, and usability are compelling attributes for many current and prospective mobile wallet users; while banks win on security, the feature-conscious prefer tech giants—with Amazon and Google topping the list as their preferred mobile wallet provider. For those who value convenience, credit card companies hold the advantage.
“These findings reveal that consumers are still in the early stages of understanding the uses and benefits of mobile wallets—there remain many elements (players, features, positioning, etc.) that will evolve over the next 12 to 18 months,” says Jim Garrity, SVP of Chadwick Martin Bailey’s Financial Services practice.
“With security concerns a key hurdle to adoption, banks are well-positioned as trusted providers of secure financial services, but this window of opportunity won’t remain open for very long. Consumers already have the technology at their fingertips; and as familiarity increases, other entrants are proving that they are secure, reliable, and offer clear advantages that drive adoption.”
Wednesday, March 27th, 2013
More than 80% of IT security professionals believe that corporate employees deliberately ignore security rules issued by the IT department.
The survey, which looked at the attitudes of nearly 250 IT security professionals, also discovered that more than half of those who think that workers deliberately ignore IT security directives do not believe end-users would listen more even if these mandates were issued by executive management.
These findings are despite the fact that more IT security professionals and vendors are insisting that in order to improve IT security within organizations, strategic guidance must be issued from the board level.
Commenting on the research, Philip Lieberman, CEO of Lieberman Software, said: “These figures highlight the fact that most end-users are still not taking IT security seriously and are unnecessarily putting corporate data — and potentially customer information — at risk.
“And these behaviors are continuing even after it has been proven that human error is the leading cause of data breaches. Organizations need to implement better cyber security training that properly instructs staff about the consequences of data breaches.
“IT groups must also look beyond conventional security products and invest in technology like privileged identity management (PIM),” continued Lieberman. “PIM products ensure that powerful privileged accounts found throughout the enterprise in large organizations are available only to authorized IT personnel with limited-time, audited access. This ensures that end-users are not able to accidentally or maliciously change configuration settings, access systems with sensitive data, or perform other actions that are not required of their jobs.”
The survey was conducted in February at RSA Conference 2013 in San Francisco.
For more information on the survey, see www.liebsoft.com/2013_information_security_survey.
Thursday, March 14th, 2013
In an era of frequent and seamless device upgrades, it’s easy to ditch an old handset and move on to the next. However, chances are the old device has personal information lingering on it, putting consumers at a greater risk of identity theft.
“Think about all the personal data stored on your phone: text messages, emails, even intimate photos of you or your significant other,” said Tony Anscombe, senior security evangelist at AVG.
“Consumers are now carrying more and more personal information on their devices, and AVG wants to ensure everyone is well equipped to wipe out that data when the time comes. Your identity is essentially yours to lose, so take every precaution possible to stay safe.”
While the factory reset button seems like the logical place to start, numerous industry and security experts report that even after consumers carry out this exercise, personal information often remains.
The following tips will help ensure private information is erased:
- Remove the memory and SIM cards. Both store personal data and are best kept safe in your possession or destroyed.
- Use a data removal application to ensure data really is deleted. Android users can use AVG AntiVirus Free, for example. For other platforms there is a list of apps available on the CTIA web site. Personally, we installed this on our Android tablet when we first fired it up and it seems to have been effective so far.
- Once the data is deleted, then run a factory reset. Instructions can be found on manufacturers’ or carriers’ websites.
- If you are going to simply throw away your mobile phone, older handsets can contain toxic materials. Consult your local authority or drop it off at a mobile phone retailer, where they will be able to dispose of it correctly. Additionally, there are specialist companies that will take it apart and recycle each component.
- Of course, recycling or handing it on for use is a good option; there are many charities and organizations that redistribute old phones and will even send you a pre-paid postage box to send it in. Just search on the Internet for the many options!
Thursday, March 7th, 2013
What will protect a company or other organization against state-sponsored cyber attacks? Not firewalls, intrusion detection systems, intrusion prevention systems and antivirus, according to an nCircle survey of security pros who attended the recent RSA conference in San Francisco.
Survey findings include:
- 59% of respondents say firewalls are no longer effective against state-sponsored cyber attacks
- 48% said antivirus software is no longer effective against state-sponsored cyber attacks
- 39% said intrusion detection systems (IDS) and intrusion prevention systems (IPS) are no longer effective against state-sponsored cyber attacks
“Security professionals know we live in a world where state sponsored attacks are common and they also know that many legacy security systems that are updated after exploits or malware become public knowledge are no longer effective against these attacks,” noted Lamar Bailey, director of security research and development.
“Plugging in a firewall, IPS, or IDS and setting auto update doesn’t offer enough protection against sophisticated cyber attacks. IT security professionals know they can no longer sit passively on the sidelines and assume security technology will protect them.”
For more information about nCircle please visit www.ncircle.com.
Wednesday, March 6th, 2013
Although more than half the U.S. small businesses surveyed by the Ponemon Institute experienced at least one data breach, only a third notified individuals that their personal information had been exposed, it was reported today in a study conducted for The Hartford Steam Boiler Inspection and Insurance Company (HSB), part of Munich Re.
“Smaller companies are targeted by data thieves, but they often don’t know how to respond when sensitive information they keep on customers and employees is lost or stolen,” said Eric Cernak, vice president for Hartford Steam Boiler.
“Failing to act in a timely and effective way can harm the reputation of businesses and even risk legal penalties in many states.”
The Ponemon Institute survey of small businesses throughout the United States found that 55 percent of those responding have had a data breach, almost all involving electronic records, and 53 percent had multiple breaches.
Only a third notified those affected
Only 33 percent notified the people affected, even though 46 states require that individuals be contacted when their private information is exposed.
The primary causes of the data breaches were employee or contractor mistakes; lost or stolen laptops, smart phones and storage media; and procedural mistakes.
Sensitive information is more likely to be compromised when the data has been outsourced, 70 percent of the respondents believe, but 62 percent do not have contracts that require third parties to cover all the costs associated with a data breach.
Personal ID most feared data loss
Seventy percent of small business owners said they would purchase insurance to help pay for the costs if data is breached.
At least 85 percent share customer and employee records with third parties such as those providing billing, payroll, employee benefits, web hosting and information technology services.
When asked which type of lost or stolen data was more likely to harm their business, 70 percent agreed the loss of personally identifying information was more damaging than confidential company data.
The Ponemon Institute surveyed small businesses with annual revenues of less than $10 million for Hartford Steam Boiler, which provides HSB Data Compromise insurance for small to mid-sized organizations.