Posted by Mark Brousseau
As 2010 came to an end, it was no surprise that payments security was a top priority for financial institutions, credit card companies, merchants and consumers.
Progress in stopping attacks was made last year, resulting in many high-profile arrests. More than 50 individuals involved in the highly publicized Zeus gang were apprehended, and the people behind the Mariposa botnet, which stole information from approximately 12.7 million users around the world, were arrested. Most recently, five arrests were made this year for taking part in a series of denial-of-service attacks against major websites as part of the group "Anonymous."
Despite these efforts, cyber fraud is far from being eliminated. In fact, it is organizing into groups (the WikiLeaks-related attacks being one example), which is likely to produce even more malicious and dangerous attacks on consumers and organizations in 2011.
Daniel McCann, president of NetSecure Technologies, a provider of online transaction security solutions, sees the following payments security trends and issues in 2011:
... The emergence of hacker groups
... An increase in mobile fraud as mobile commerce increases
... More attacks on Apple’s i-products as they continue to dominate the industry
... A significant increase in security spending, especially in new technologies like virtualization
What do you think?
Showing posts with label IT security.
Wednesday, February 2, 2011
Monday, December 20, 2010
Holiday Travel and IT Security Risks
Posted by Mark Brousseau
'Tis the season to be jolly, and to leave sensitive corporate information behind at the airport!
According to telephone interviews with the lost property offices of 15 UK airports, including Heathrow and Luton, over 5,100 mobile phones and 3,844 laptops have been left behind so far this year, with the majority still unclaimed and many more expected to be left over the Christmas holiday peak season. This figure is likely to be just the tip of the iceberg, as ABTA expect over 4 million people to be travelling over this period, and the overall figures do not take into account all those devices that were stolen, or kept by the 'lucky' finder.
The survey, carried out by Credant Technologies, also found that in the majority of cases, those devices that aren’t reclaimed are then either sold at auction or donated to charities. However the fact is that these devices may still contain information that could be available for the new owner. With ID theft from mobile phones and other lost devices at an all time high, users should really take special care this Christmas when travelling.
According to a representative at Luton Airport, the most common place devices are forgotten is at the security check point as it’s a very pressured environment with numerous distractions. Often, once the travelers have boarded the plane and left the country it’s just too expensive to return for the device, which in most instances will be covered by insurance, resulting in the majority going unclaimed.
But the device’s value is the last thing organisations should be worrying about, explains Seán Glynn, vice president at Credant Technologies, “What is much more concerning are the copious volumes of sensitive data these devices contain – often unsecured and easily accessed. Without protecting mobile phones, laptops and even USBs with something even as basic as a password, a malicious third party can have easy access to the corporate network, email accounts and all the files stored on the device including the contact lists. Users also store such things as passwords, bank details and other personal information on the device making it child’s play to impersonate the user and steal their identity – both personal and corporate.”
Credant Technologies provides the following eight tips to secure corporate information during holiday travel:
1. As you leave - whether it’s the check-in desk, security check point, or even the train station, make sure you take everything with you, including your mobile devices. A few seconds to check could potentially save you hours of frustration and embarrassment.
2. Protect your mobile device: with at least a password (and ensure that it is a strong one, containing letters, numbers and symbols). Better still, use an encryption solution so that even if your device is left behind, the data on it is not accessible to anyone who finds it.
3. Don’t elect to automatically complete online credentials, such as corporate network log in details, so that if you and your device should become separated, it cannot operate without you.
4. Back up your device and remove any sensitive information that you do not need. If it's not there, it can't be breached.
5. As in tip 4, remove SMS and emails that you don’t need anymore - you’d be surprised how many people keep their default password emails on their mobiles and other hugely sensitive information like PINs, bank account details or passwords!
6. Don't leave your mobile device somewhere visible and unsecured while it is open to access (e.g. with Bluetooth or Wi-Fi turned on).
7. Include your name and contact details in the device so that, if it should be lost, it can easily be returned to you. Some operators have a registration service to facilitate this.
8. Finally, speak to your IT department before you leave the office this year – that’s what they’re there for. They’ll help make sure your device is better protected should it find itself languishing all alone at the airport.
What do you think?
Monday, December 6, 2010
With economy improving, IT departments hit the ground running
Posted by Mark Brousseau
High performing information technology (IT) departments at large companies have hit the ground running following the recent economic downturn, recalibrating their efforts to drive more business value from IT, and leaving their less adroit counterparts playing catch-up, according to new research from Accenture.
While many companies slipped into stagnation mode during the downturn, cutting budgets and focusing primarily on maintenance, high-performing organizations viewed IT as a growth engine for their business and the economic conditions as an opportunity to build capability.
Accenture defines high performers in IT as those that achieve excellence in IT execution, IT agility and IT innovation together, balancing the constant and sometimes opposing demands placed on today’s IT function.
High performers in IT not only manage IT like a business, but run IT for the business and with the business. CIOs at these organizations are engaged in their company’s business strategies and are able to truly map out how IT supports those strategies.
“Our survey found that chief information officers (CIOs) of high performance IT organizations are deeply involved in business outcomes and closely attuned to business needs – current and future – across the enterprise,” said Gary Curtis, Accenture’s chief technology strategist. “They are successfully retiring their legacy systems and embracing newer technologies. They are adept at managing the balance between optimizing costs and ensuring that they have the budget, skills, and resources to help fuel business growth.”
The research also found that high performers don’t just do a few things well; they excel across the board when compared to lower performing IT departments. Some examples:
... They have web-enabled 42 percent more of their customer interactions and 93 percent more of their suppliers' interactions;
... They are 44 percent more likely to recognize the strategic role IT plays in increasing customer satisfaction;
... They are eight times more likely to measure the benefits realized from IT initiatives;
... They spend 29 percent more annually on developing and implementing new applications rather than on maintaining existing ones; and
... They are twice as likely to view workforce performance as a priority by addressing challenges such as an aging workforce and collaboration, as well as developing technical and soft skills (business knowledge, relationship management).
“High performing IT departments are powerful drivers of value for their organizations – not simply keeping the lights on, but promoting technology initiatives that power innovation and enable the IT organization to function as a business,” said Curtis.
What do you think?
Monday, November 29, 2010
There’s a Bounty on your Applications
By Anthony Haywood of Idappcom
In the last year a number of organizations have offered rewards, or 'bounty' programs, for discovering and reporting bugs in applications. Mozilla currently offers up to $3,000 for critical or high-severity bugs, Google pays out $1,337 for flaws in its software, and Deutsche Post is currently sifting through applications from 'ethical' hackers to approve teams who will go head to head and compete for its Security Cup in October. The winning team can hold aloft the trophy if they find vulnerabilities in its new online secure messaging service; that's comforting to current users. So, are these incentives the best way to make sure your applications are secure?
At Idappcom, we’d argue that these sorts of schemes are nothing short of a publicity stunt and, in fact, can be potentially dangerous to an end user's security.
One concern is that inviting hackers to trawl all over a new application prior to its launch simply grants them more time to interrogate it and identify weaknesses, which they may decide are more valuable if kept to themselves. Once the first big announcement is made detailing who has purchased the application, and where and when the product is to go live, the hacker can use this insight to breach the system and steal the corporate jewels.
A further worry is that, while on the surface it may seem that these companies are being open and honest, if a serious security flaw were identified would they raise the alarm and warn people? It’s my belief that they’d fix it quietly, release a patch and hope no-one hears about it. The hacker would happily claim the reward, promise a vow of silence and then ‘sell’ the details on the black market leaving any user, while the patch is being developed or if they fail to install the update, with a great big security void in their defences just waiting to be exploited.
Sometimes it's not even a flaw in the software that causes problems. If an attack is launched against the application, causing it to fail and reboot, then this denial of service (DoS) attack can be just as costly to your organisation as if the application were breached and data stolen.
A final word of warning: even if the application isn't hacked today, it doesn't mean that tomorrow they're not going to be able to breach it. Windows Vista is one such example. Microsoft originally hailed it as the most secure operating system it had ever made, and we all know what happened next.
A proactive approach to security
IT is never infallible, and for this reason penetration testing is often heralded as the hero of the hour. That said, technology has moved on and, while still valid in certain circumstances, traditional penetration testing techniques are often limited in their effectiveness. Let me explain: a traditional test is executed from outside the network perimeter, with the tester probing for applications to attack. However, because these assaults all originate from a single IP address, intelligent security software recognizes the behaviour, since the source never changes. Within the first two or three attempts the source address is blacklisted or firewalled, and all subsequent traffic is immaterial because every activity from that address is seen and treated as malicious.
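The blacklisting behaviour described above, as an added example that is not part of the original article: a threshold-based source blocker run over a constructed web-server log. The log lines, addresses (RFC 5737 documentation ranges) and the three-failures-per-minute rule are all invented for this illustration and are not Idappcom's tooling or a real product's policy. The scanning source trips the rule on its third 404 and everything it sends afterwards, including a request that would have succeeded, is dropped unseen, which is exactly why a single-address test stops telling you anything about the application.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (Apache combined-style), not taken from the page.
# 203.0.113.5 probes several paths in quick succession; 198.51.100.x is normal traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Nov/2010:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 162
198.51.100.7 - - [29/Nov/2010:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [29/Nov/2010:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162
203.0.113.5 - - [29/Nov/2010:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 162
203.0.113.5 - - [29/Nov/2010:10:00:04 +0000] "GET /login HTTP/1.1" 200 2048
203.0.113.5 - - [29/Nov/2010:10:00:05 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [29/Nov/2010:10:00:06 +0000] "GET /about.html HTTP/1.1" 200 3100
198.51.100.9 - - [29/Nov/2010:10:05:00 +0000] "GET /missing HTTP/1.1" 404 162
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "req": m["req"], "status": int(m["status"])}


def apply_blocklist(log_text, threshold=3, window=timedelta(minutes=1)):
    """Return (allowed, dropped, blocked).

    A source is blocked once it has produced `threshold` 4xx responses inside
    `window`. From then on every record from that source is dropped before it
    is looked at, whatever its status, which models a perimeter device that
    firewalls the address rather than inspecting individual requests.
    """
    failures = defaultdict(list)   # ip -> timestamps of recent 4xx responses
    blocked = {}                   # ip -> time the block was applied
    allowed, dropped = [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip = rec["ip"]
        if ip in blocked:
            dropped.append(rec)
            continue
        allowed.append(rec)
        if 400 <= rec["status"] < 500:
            recent = [t for t in failures[ip] if rec["ts"] - t <= window]
            recent.append(rec["ts"])
            failures[ip] = recent
            if len(recent) >= threshold:
                blocked[ip] = rec["ts"]
    return allowed, dropped, blocked


if __name__ == "__main__":
    allowed, dropped, blocked = apply_blocklist(SAMPLE_LOG)
    print("blocked sources:", {ip: ts.isoformat() for ip, ts in blocked.items()})
    for rec in dropped:
        print("dropped:", rec["ip"], rec["req"], rec["status"])
```

Running it shows 203.0.113.5 blocked at 10:00:03 and its later `GET /login` (a 200) and `POST /login` (a 401) discarded, while 198.51.100.9's lone 404 five minutes later never reaches the threshold. Anything the tester sends from that address after the third probe tests the blocklist, not the application behind it.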
An intelligent proactive approach to security
There isn’t one single piece of advice that is the answer to all your prayers. Instead you need two and both need to be conducted simultaneously if your network’s to perform in perfect harmony: application testing combined with intrusion detection.
The reason I advocate application testing is, if you have an application that’s public facing, and it were compromised the financial impact to the organization could potentially be fatal. There are technologies available that can test your device or application with a barrage of millions upon millions of iterations, using different broken or mutated protocols and techniques, in an effort to crash the system. If a hacker were to do this, and caused it to fall over or reboot, this denial of service could be at best embarrassing but at worst detrimental to your organization.
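The kind of application testing described above, as an added example that is not part of the original article: a small mutation fuzzer that hammers a parser with bit-flipped, truncated, byte-overwritten and length-inflated variants of a valid message and records every input that makes the parser die with something other than a clean rejection. The wire format (a two-byte magic, a one-byte field count, then length-prefixed fields), the two parsers and the bounds are all hypothetical and constructed for this example; they are not Idappcom's product or any real protocol. The naive parser trusts its length fields and falls over; the hardened one checks every length against the bytes actually present and against fixed limits, so the same barrage produces only `ValueError` rejections.

```python
import random
import struct

MAGIC = b"ID"          # hypothetical format: 'ID' | u8 field count | fields
MAX_FIELDS = 16        # upper bounds chosen for this example
MAX_FIELD_LEN = 1024


def encode(fields):
    """Serialise a list of byte strings into the example wire format."""
    out = bytearray(MAGIC + bytes([len(fields)]))
    for f in fields:
        out += struct.pack(">H", len(f)) + f   # u16 big-endian length prefix
    return bytes(out)


def parse_naive(data):
    """Trusts every length field. A corrupted count or length makes it read
    past the end of the buffer, so it dies with IndexError or struct.error
    instead of rejecting the input."""
    if data[:2] != MAGIC:
        raise ValueError("bad magic")
    count = data[2]
    pos = 3
    fields = []
    for _ in range(count):
        length = struct.unpack_from(">H", data, pos)[0]
        pos += 2
        fields.append(data[pos:pos + length])
        pos += length
    return fields


def parse_hardened(data):
    """Checks every length against the bytes present and against fixed
    limits, so malformed input is always rejected with ValueError."""
    if len(data) < 3 or data[:2] != MAGIC:
        raise ValueError("bad header")
    count = data[2]
    if count > MAX_FIELDS:
        raise ValueError("too many fields")
    pos = 3
    fields = []
    for _ in range(count):
        if pos + 2 > len(data):
            raise ValueError("truncated length field")
        length = struct.unpack_from(">H", data, pos)[0]
        pos += 2
        if length > MAX_FIELD_LEN or pos + length > len(data):
            raise ValueError("field length exceeds buffer or limit")
        fields.append(data[pos:pos + length])
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes")
    return fields


def mutate(msg, rng):
    """Apply one random structural mutation to a copy of msg: a bit flip,
    a truncation, an extreme byte value, or a duplicated slice."""
    buf = bytearray(msg)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf)):]
    elif op == 2 and buf:
        buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
    else:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = buf[i:i + rng.randrange(1, 8)]
    return bytes(buf)


def fuzz(parser, seed, iterations=2000, rng_seed=1):
    """Feed mutated copies of seed to parser. A ValueError is the expected
    clean rejection; any other exception is a crash, recorded once per type
    together with the input that triggered it."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes


SEED = encode([b"user=alice", b"amount=100"])   # constructed valid message

if __name__ == "__main__":
    print("naive parser crash types:", sorted(fuzz(parse_naive, SEED)))
    print("hardened parser crash types:", sorted(fuzz(parse_hardened, SEED)))
```

The mutations are deliberately structural rather than random noise: truncation and length inflation are what separate a parser that validates against the buffer it was given from one that validates against the numbers inside it. In a real service each crash case would be saved as a regression input, and the same harness pointed at a network socket is the "barrage of iterations" the paragraph describes.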
Intrusion detection, capable of spotting zero day exploits, must be deployed to audit and test the recognition and response capabilities of your corporate security defences. It will substantiate that, not only is the network security deployed and configured correctly, but that it’s capable of protecting the application that you’re about to make live or have already launched irrespective of what the service it supports is – be it email, a web service, anything. The device looks for characteristics in behavior to determine if an incoming request to the product or service is likely to be good and valid or if it’s indicative of malicious behavior. This provides not only reassurance, but all important proof, that the network security is capable of identifying and mitigating the latest threats and security evasion techniques.
While we wait with bated breath to see who will lift Deutsche Post's Security Cup, we must not lose sight of our own challenges. My best advice would be that, instead of waiting for the outcome and relying on others to keep you informed of vulnerabilities in your applications, you regularly inspect your defences to make sure they're standing strong with no chinks. If you don't, the bounty may as well be on your head.
What do you think?
Monday, October 25, 2010
Hey, America: TMI!
Posted by Mark Brousseau
A new national survey reveals half of Americans who use social networking sites have seen people divulge too much personal information, yet more than a quarter of Americans (28 percent) who use these sites admit that they rarely think about what could happen if they share too much personal information online.
Additionally, more than four in ten Americans (44 percent) are concerned that the personal information they share online is being used against them, and more than one in five (21 percent) Americans who use social networking sites believe that their personal information has been accessed by people who take advantage of weak privacy settings on social networking sites.
That's according to the 2010 Lawyers.com Social Networking Survey.
“The Lawyers.com Social Networking Survey reveals a clear disconnect between the privacy concerns of users and their actual behaviors and disclosures on social networking sites,” said Carol Eversen, vice president of Marketing at LexisNexis. “Nearly every week we hear about the negative consequences resulting from inappropriate disclosures and uses of personal information on social networking sites, however the data suggests that Americans are not taking the necessary steps to protect themselves.”
More than half of Americans who use social networking sites have seen people divulge too much personal information online. In fact, the majority of Americans who use social networking sites admit that they have posted their first and last name (69 percent), photos of themselves (67 percent), or an email address (51 percent) on a social networking site. In addition, survey respondents have also shared the following details on a social networking site:
•Travel plans (16 percent)
•Cell phone numbers (7 percent)
•Home address (4 percent)
Determining how much is too much is still a struggle for many people. Nearly half of Americans (46 percent) agree that sometimes it is hard to figure out what information to share and what to keep private.
As many Americans struggle with what type of personal information to post online and keep private, they also seldom think about the consequences of sharing personal information online. More than a quarter of Americans (28 percent) admit they rarely think about what could happen if they shared too much personal information online.
A quarter of Americans (25 percent) who use social networking sites say that they have seen people “misrepresent” themselves (e.g., posted incorrect information and created fake profiles) and alarmingly, more than one in ten Americans (14 percent) who use social networking sites say that they have received communication from strangers as a result of sharing information on a social networking site.
Other backlash from using social networking sites includes:
•Someone posting unflattering pictures of them (11 percent)
•Having personal relationships with family or friends affected from revealing too much information (7 percent)
•Being scolded or yelled at for information they’ve posted (6 percent)
Surprisingly, 38 percent of Americans agree that people who share too much of their personal information online deserve to have their information used inappropriately.
Three-quarters of Americans (76 percent) worry that the privacy settings on social networking sites are not adequately protecting their personal information. In addition, more than four in ten Americans (43 percent) admit that they typically just click “agree” without reading the entire terms and conditions on social networking sites.
Meanwhile, many believe that their personal information may already be in the wrong hands. More than four in ten Americans (44 percent) are concerned that the personal information they share online is being used against them, and one in five Americans (21 percent) who use social networking sites believe that their personal information has been accessed by people who take advantage of weak privacy settings on social networking sites.
What do you think?
A new national survey reveals half of Americans who use social networking sites have seen people divulge too much personal information, yet more than a quarter of Americans (28 percent) who use these sites admit that they rarely think about what could happen if they share too much personal information online.
Additionally, more than four in ten Americans (44 percent) are concerned that the personal information they share online is being used against them, and more than one in five (21 percent) Americans who use social networking sites believe that their personal information has been accessed by people who take advantage of weak privacy settings on social networking sites.
That's according to the 2010 Lawyers.com Social Networking Survey.
“The Lawyers.com Social Networking Survey reveals a clear disconnect between the privacy concerns of users and their actual behaviors and disclosures on social networking sites,” said Carol Eversen, vice president of Marketing at LexisNexis. “Nearly every week we hear about the negative consequences resulting from inappropriate disclosures and uses of personal information on social networking sites, however the data suggests that Americans are not taking the necessary steps to protect themselves.”
More than half of Americans who use social networking sites have seen people divulge too much personal information online. In fact, the majority of Americans who use social networking sites admit that they have posted their first and last name (69 percent), photos of themselves (67 percent), or an email address (51 percent) on a social networking site. In addition, survey respondents have also shared the following details on a social networking site:
•Travel plans (16 percent)
•Cell phone numbers (7 percent)
•Home address (4 percent)
Determining how much is too much is still a struggle for many people. Nearly half of Americans (46 percent) agree that sometimes it is hard to figure out what information to share and what to keep private.
As many Americans struggle with what type of personal information to post online and keep private, they also seldom think about the consequences of sharing personal information online. More than a quarter of Americans (28 percent) admit they rarely think about what could happen if they shared too much personal information online.
A quarter of Americans (25 percent) who use social networking sites say that they have seen people “misrepresent” themselves (e.g., posted incorrect information and created fake profiles) and alarmingly, more than one in ten Americans (14 percent) who use social networking sites say that they have received communication from strangers as a result of sharing information on a social networking site.
Other backlash from using social networking sites includes:
• Someone posting unflattering pictures of them (11 percent)
• Having personal relationships with family or friends affected by revealing too much information (7 percent)
• Being scolded or yelled at for information they’ve posted (6 percent)
Surprisingly, 38 percent of Americans agree that people who share too much of their personal information online deserve to have their information used inappropriately.
Three-quarters of Americans (76 percent) worry that the privacy settings on social networking sites are not adequately protecting their personal information. In addition, more than four in ten Americans (43 percent) admit that they typically just click “agree” without reading the entire terms and conditions on social networking sites.
Meanwhile, many believe that their personal information may already be in the wrong hands. More than four in ten Americans (44 percent) are concerned that the personal information they share online is being used against them, and one in five Americans (21 percent) who use social networking sites believe that their personal information has been accessed by people who take advantage of weak privacy settings on social networking sites.
What do you think?
Friday, September 3, 2010
The buck stops here: the role of CEOs in data security
Ray Bryant, CEO of idappcom, explains why the big chair in most organizations can carry a lot more responsibility than you might think:
You would never consider purchasing an inferior accounting system that opens your organization up to financial loss through bad record keeping - potentially putting it out of business and incurring the wrath of shareholders and other stakeholders.
Yet many managers will cheerfully purchase an inferior, but lower-cost, IT security defense system for their company, and later regret that purchase when hackers successfully compromise their firm's data, ruining the firm's reputation and opening it up to financial penalties that could well put it out of business.
Welcome to the business horror that is a data breach.
As with all technology-driven issues, to make a decision on which IT security system to go with, the CEO (and his team) must first understand where the problem is - in this case, where a data breach originates.
While the popular media perception is that IT security defenses are there to protect an organization's digital assets from external attack, the reality is that a large number of incidents are the result of internal threats compromising the firm's data. Indeed, a quick scan through the constant stream of media reports about the unfortunate companies - and their equally unfortunate senior managers - who are put through the data breach wringer will frequently reveal that the data breach was due to an internal hack.
Beware: internal does NOT always mean the person is physically on your premises. It just means they are internal to your systems. More and more cases revolve around a hacker gaining entry through ‘back doors’ into your computer; they could be anywhere on the net, certainly outside your jurisdiction, even if you ‘caught’ them.
But it gets worse, as an increasingly common hacker methodology is to crack the security of one company and use that system as a launch pad to hack into other systems. Ever had an email returned “undeliverable” that you did not send? You’ve been hacked, and you have probably been sending emails with attacks/backdoors in them to your entire contact list, and to a list the attacker wanted to send to. You may now be a spammer as well.
The liability for all attacks including ‘secondary’ attacks lies with the CEO who has allowed - either directly or indirectly - his/her company systems to be misused in this manner.
The problem of inter-linked computer systems is a growing one, as the larger the company, the more reliance it places on computers and connections. These connections are the lifeblood of the cybercriminals, who tap into the fact that the privilege levels of user IDs that interconnect with third-party systems invariably tend to be higher than direct external accounts. Put simply, this means that an internal account from company A will have a much greater degree of access to company B's computer systems than an individual’s external account to company B's systems.
It's all about trust - as today's IT professionals will confirm, the interconnectivity between companies is now so pervasive it increases the risk profile of inter-system IDs to much higher levels than most people are aware of. This is the stuff that lawsuits are made of and can you guess who carries the can for these problems? That's right - the CEO and his/her senior management.
In many ‘hacked’ systems, a risk analysis/penetration test - no matter what the size of the company concerned - would normally have revealed the weaknesses in its security that the hacker(s) exploited. Questions asked by a risk assessor include what the system's entry points are, what data is accessible, and, of course, whether fraudulent transactions can be originated.
Issues addressed by the risk assessor include whether the data is classified, and what levels of protection are used in which areas of the system. Other topics up for discussion include whether the organisation has the level of expertise available, internally or externally, that understands the security requirements, and whether the security devices are configured to meet the organizational needs.
We often find that following a data breach, it becomes apparent that not only was the organisation's security lacking and poorly configured, but there is often a lack of understanding amongst senior management as to what the role of IT security is within the business. This brings us back to the popular misconception that IT security systems are there to protect the company IT resources against external attacks, ranging from fraudsters all the way to cybercriminal phishing attack vectors.
The reality, as our research team has discovered, is that fraud normally comes from the inside - either a rogue employee generates the fraud or, increasingly, a hacker who has got through a security device and installed a backdoor on the system that now allows them to freely move around, monitor and appear to be an internal person. You don’t know they are there until it’s too late.
One of the most interesting aspects of dissecting a given security breach is how often, apart from the breach itself, the hacker has been able to get inside the company's IT systems. This has the potential to be even more damaging than it may at first appear, because in the build-up to the fraud and subsequent data breach, most cybercriminals operate in ‘stealth mode’ and can therefore milk the company's finances for a lengthy period before they are rumbled by conventional IT audit methodologies. This means that, for almost all organizations, enhancing the IT security of the company - by ensuring it is kept as up to date as possible, automatically wherever possible - is an absolute necessity, and not the IT luxury that many senior managers perceive it to be.
Put simply, this means that spending hundreds of thousands of dollars, pounds or Euros on a security system, plugging it in and switching it on - then presuming your company is secure - is a totally inadequate approach, because it usually results in relatively poor levels of protection for your organisation as the threats from criminals are constantly changing. Configuration, constant evaluation and constant updating of security rules are essential to the IT security of a business. Of course, the degree to which protection is needed is a matter of balancing risk and cost, and this equation is a unique business decision as with any other senior management process.
Assuming that the ROI charts have been prepared and the risk analysis process completed, the next step on the road to deploying effective IT security is to ensure it is working properly, and stays that way. This is a stumbling block at which many companies fall, as frequent verification checks on the efficiency - and efficacy - of an IT security platform need to be made. Whatever the system - and whatever the smoke and mirrors from the 'theory' sellers - there is only one way to validate against KNOWN threats, and that is to play those threats in a controlled way through the company's actual live prevention set-up. Test, review, and test again - not in the lab, but in a real business environment, where actual threats exist and can be tested against. It's my supposition that a good CEO should also look for the IT team's ability not only to define the threat but also to have a solution that can be deployed to meet that threat in as short a timeframe as possible.
Our own tests suggest, in fact, that one of the most popular (free) security systems will spot very few threats without the necessary configuration, and that the new security rules issued by the vendor each month represent about 10% of the actual new, very relevant, threats that appear each month. This issue arises because configuration needs a method of evaluation to ensure its efficacy and, in the event that faults are discovered during the review process, to allow the configuration to be revised and new rules introduced to remediate the problem immediately, not months later.
In an ideal world, it would be possible to remediate all threats, but in the real world, this would significantly slow the IT system down, meaning that a compromise between threat checking and system performance is usually required. By using an optimum configuration validation system, you can get the best of both worlds. The amount of IT security your organisation actually needs can only be judged by an effective risk analysis process, followed by a cost/benefit exercise.
It's also worth noting that in most countries - particularly the US and member states of Europe - there is now clear legislation and/or good corporate governance requirements that make the CEO clearly responsible for any security breaches.
CEOs are not only responsible for the effect of attacks on their own IT systems, but they are also responsible for hackers who use their system to attack others. The growing trend for major corporations' systems - particularly in manufacturing and distribution - to link their computers together using electronic data interchange (EDI) systems, with very little manual intervention, opens yet another ‘backdoor’ for hackers to spread their activities. As with any pain, it comes after the attack. Your defences need to be up at all times, not just when audited, or it will be the audit that shows you where you may have been slowly bleeding to death.
What do you think?