In the third quarter, Trend Micro found 175,000 different malicious and suspicious packages specifically targeting the Android system. This is a five-fold increase over the previous quarter. This should cause enterprise security managers to sit up and pay attention. The threat is not as serious in the U.S. as it is in countries like Russia and China that use smart phones to pay for services. At this point, there is a massive increase in malware, but an infrequent rate of infection due partly to the problem that the attackers have in making money from the compromised smartphones and tablets. Premium SMS messages are not a popular way to pay for services in the U.S.
One survey found that the average mobile employee packs around three or more devices. At this time, the highest priority for the enterprise is still the data on the devices, contact lists, etc. So if the device is lost or stolen, so is the data. Enterprises also need to plan for the inevitable point at which malware will succeed, likely in the next year. The mobile devices are carried in and out of many networks as employees travel through their day. Juniper Networks has developed software to help companies manage and secure their employees' smartphones. Each year, it finds 2 to 3 percent of a client company's smartphones to be infected with malware, usually in the form of spyware.
Expected types of malware would be scareware attempts that convince a victim to pay a fee to clean off their phone, bot-like programs that would turn the phone into a text message spammer, and bank trojans that attempt to steal login credentials to transfer funds.
As a security manager, the future of mobile device malware should definitely be in your line of sight as you plan the future of risk management for your company.
http://www.darkreading.com/advanced-threats/167901091/security/perimeter-security/240062687/companies-need-defenses-against-mobile-malware.html?cid=nl_DR_daily_2012-11-09_html&elq=4b4d20895e5c47ee858179f82fb72f95
Info Security, It's a Bear!
Monday, November 12, 2012
Friday, November 2, 2012
Hack Back...Legally
David Willson, an attorney from Titan Info Security Group, understands the frustration of spending $50,000 to $100,000 per week to battle a persistent threat. Nothing works, law enforcement is overwhelmed with too many cases, and traditional approaches are failing. He believes the answer could be to hack back. But he cautions that this should never be the first line of defense. In the case of a persistent attack, it may be the only option. He says the key is to stay within criminal law while you take your chances with civil law.
Security is poor on the corporate side, but it is also poor on the hacker side. An organization could place code on a bot that has infected their system. This code could eventually get back to the attacker's command-and-control server to block their communications route. This code could be viewed by courts as similar to cookies or adware and these are not illegal.
Honeypots are also an option. They are a legal way to collect information on their attackers and their trail.
US companies are governed by the federal Computer Fraud and Abuse Act. This states that any unauthorized access of another company's computers can be considered a crime. Many states have computer trespass laws, and other countries have laws that can cause serious legal trouble, also.
My thoughts on this are frustration. I liken this to the homeowner's dilemma in protecting their property. If someone comes to my house, jimmies the lock, comes in with a weapon, and I shoot them, I have to defend myself. In my humble opinion, the minute someone comes into my house unexpected and uninvited, especially armed, they deserve whatever I can dish out. They have NO business being here. I feel the same about my computer. I feel if hackers are getting into your system, you have documented it, and you have tried regular methods to eradicate their presence that have failed, then I think you should be able to "have at them." If they are in your business without cause and making problems, I believe if you can get back to them and mess up their systems, you should be able to do it. They invited the trouble. If they were not there, they would not bring trouble on themselves.
I understand there are fine lines and they are there for reasons, but I get so frustrated when they seem to protect the bad guys more than the good guys.
http://www.darkreading.com/risk-management/167901115/security/security-management/240012675/companies-should-think-about-hacking-back-legally-attorney-says.html?cid=nl_DR_weekly_2012-11-01_html&elq=1a2a5e29b1f64afbb23aed6fd2323f2f
Friday, October 26, 2012
Network Monitoring As Security
Network monitoring can double as a security tool. Most organizations already have some monitoring systems incorporated into their systems for generic IT management tasks. Some of these are service-level agreement-related tasks like capacity planning, performance uptime monitoring, and quality service. Companies that are not already using monitoring tools may be able to sell management on them because they can pull double duty.
Some security areas that can be helped with monitoring tools would be looking for denial of service conditions, system and asset inventory, investigations support, behavioral anomaly detection, and new and emerging value propositions like virtualized systems. Systems may already be in place that could be leveraged to forward the goals of security even if that was not the original intent when it was purchased.
Managers may be able to do more with less, as is so often necessary, by looking at increasing the usage of their monitoring systems. Using the systems to their full potential and ability could add another great layer of protection to their security framework.
http://twimgs.com/darkreading/securitymonitoring/S5991012netmonitoring.pdf?cid=nl_DR_weekly_2012-10-25_html_wp_top&elq=e0fdd256c3f94f07b39e89ea62644e68
Monday, October 15, 2012
Turn the Tables
Thirty years of best practices and millions of dollars spent in defense and defense-in-depth really have not made much of a dent in the fight against hackers. It is a never-ending battle. We get better, they get better. Since follow-through on punishment is difficult if not impossible once hackers are identified and found, due to them being in another country, what recourse is left? Dmitri Alperovitch, co-founder and CTO of CrowdStrike, believes it is necessary to find out who is benefitting from the stolen information. If you pinpoint a state-owned oil company that is better able to compete in the marketplace because of the information that they acquire, then you can sue them. You pick a jurisdiction because many are multinational in scope.
You can also use deception. If you know information is being stolen, plant phony data to derail their plot. If you can get a photo of the hacker and his identity, publicize it. If they are all over the media, it should cause concern for whoever is employing them. Make it more difficult, expensive and painful for them to work. Tom Kellermann, VP of cybersecurity at Trend Micro, says most hackers have known cyber kill-chains that they are partial to, and they do not vary much. The more you can profile and understand how they move laterally within your system, what IPs and URLs they prefer, and where the command-and-control is located, the more uncomfortable and difficult you can make it for them.
Pressure can also be placed on the infrastructure suppliers to the attackers, the ones that house their servers, and the money-laundering channels that they use. By causing them damage in their own house that they need to control, they can be put on the defensive.
http://www.darkreading.com/security/news/240008322/turning-tables-id-ing-the-hacker-behind-the-keyboard.html?
Thursday, October 11, 2012
CIOs better up their game - by Teddi Moon
There seems to be a disconnect in the perceived value of the CIO in an organization. 60% of CIOs in general think they add strong value; however, 35% of their C-suite peers would back that up. CIOs appear to lack the business expertise to demonstrate their worth to the executive team even though IT is involved in almost all areas of business these days.
Maureen Osborne, Global CIO of Ernst & Young said: "In order to stay relevant in a rapidly evolving technological landscape, CIOs will need to break out of their comfort zones within the data centre. Those who don't, will run the risk of being further relegated down the corporate hierarchy, or sidelined altogether."
Lack of support from the executive level is a common complaint among IT leaders. Engaging the CEO and other business leaders can be easier said than done. To get their attention, CIOs must become experts in all major areas of the business, says an executive recruitment specialist. Actions are louder than words, and CIOs need to look for opportunities to support some form of major projects for the organization that can have an effect on the business operation.
To be seen, heard, valued, and taken seriously, CIOs are going to have to step up their game. This is part of the security puzzle. It can be difficult to sell security to management; there is no clear return on investment. A lack of track record for being useful compounds the problem of achieving approval to implement security measures.
"Once business leaders start to recognize an IT leader as someone who can transform the way they operate their business, perceptions can quickly start to shift. This will be especially clear if the resultant changes in the business operating model impacts top line revenue growth."
I thought this was relevant for us as we travel our career paths. As we move forward, it is wise to keep in mind the challenges that we will face as we help to change the face of the IT industry.
http://www.techrepublic.com/blog/cio-insights/who-thinks-the-cio-is-important-the-cio-but-hardly-anyone-else/39749498?tag=nl.e076&s_cid=e076
Monday, October 8, 2012
Well I started out with one thing in mind, but. . . by Teddi Moon
I began looking for articles for this post that gave some comparison information on different countries and where they were in their level of information security maturity. I had a difficult time finding any information describing what I was looking for. However, I did find a 'book' online that I quite enjoyed while I skimmed through it. It is actually kind of old, 2001, but the authors, I believe, were ahead of the game in getting their 'sermon' out in that year. I mean think about it, that was 11 years ago. As far as technology goes, things move fast. But this book is talking about cyber-terrorism, cyber-threats, cyber-war, and all of the topics we have been discussing in this class. I have to tell you, many people I talk to today give me a blank look and say, 'cyber - who???' So I think these authors were pretty darn insightful for that year. They pose the question, "Do we need a full-scale information security disaster for this subject to be given the attention it requires?"
I like this book because it does not read like a dry textbook. The language is professional, but engaging. I think this book would be ideal for the general public to read to become more familiar with this topic. It is easy to read and concepts and definitions are explained well and very understandable. Those of us that know people that are a little interested in the topic and want to learn more could really find the book enjoyable as well as informative, (and likely disturbing.) It could be a good book to have in the break room for employees to read a paragraph or two while eating lunch. Maybe it is just my inner geek, but I think the book draws you in and holds your interest. Even though I have studied these topics and read texts on the same topics, I still wanted to keep reading this book. I really like the name, too. Information Insecurity, A survival guide to the uncharted territories of cyber-threats and cyber-security by Eduardo Gelbstein and Ahmad Kamal. It can be found at this link: http://www.itu.int/wsis/docs/background/themes/security/information_insecurity_2ed.pdf
Monday, October 1, 2012
Chrome the most secure browser, ... or is it?
Well, to be fair, I better discuss an article I found in Dark Reading that has some information on the very topic I wrote about last week. I made the statement that my preference for browser was Chrome and that I was delighted to read about some of the security measures Chrome has in place. Then I find this article that has some pretty impressive statistics that in NSS Labs browser tests, IE is better at stopping malware than Chrome, Firefox, or Safari. Check out these statistics!
The tests were to determine how the browsers defended against malware associated with bank fraud, stealing of log in credentials, phony antivirus, and click fraud. They were conducted from 12/2/11 to 5/25/12 on identical virtual machines running Windows 7.
Blocked by percentage:
Browser            In general    For click fraud
IE 9               95            96.6
Chrome 15 - 19     33            1.6
Firefox 7 - 13     < 6           0.8
Safari 5           < 6           0.7
NSS Labs says to expect a big increase in click fraud in 2013. They also recommend that users of the increasingly popular Chrome apply pressure to Google to juice up their protection features in Chrome and its API against click fraud.
Some interesting features of click fraud: the average life span of the URL is 32 hours. More than half die off within 54 hours. Mostly, ad buyers are affected by click fraud; however, those infected also get infected with other malware.
You may read the source article at:
http://www.darkreading.com/risk-management/167901115/security/client-security/240008100/internet-explorer-blocks-more-malware-than-firefox-chrome-safari.html?cid=nl_DR_daily_2012-09-28_html&elq=4789eee338c641d4b5be29768e5692e3