In the third quarter, Trend Micro found 175,000 different malicious and suspicious packages specifically targeting the Android system. This is a five-fold increase over the previous quarter. This should cause enterprise security managers to sit up and pay attention. The threat is not as serious in the U.S. as it is in countries like Russia and China that use smart phones to pay for services. At this point, there is a massive increase in malware, but an infrequent rate of infection due partly to the problem that the attackers have in making money from the compromised smartphones and tablets. Premium SMS messages are not a popular way to pay for services in the U.S.
One survey found that the average mobile employee packs around three or more devices. At this time, the highest priority for the enterprise is still the data on the devices, contact lists, etc. So if the device is lost or stolen, so is the data. They also need to prepare for the point where malware will inevitably succeed, likely in the next year. The mobile devices are carried in and out of many networks as employees travel through their day. Juniper Networks has developed software to help companies manage and secure their employees' smartphones. Each year, they find 2 to 3 percent of a client company's smartphones to be infected with malware, usually in the form of spyware.
Expected types of malware would be scareware attempts that convince a victim to pay a fee to clean off their phone, bot-like programs that would turn the phone into a text message spammer, and bank trojans that attempt to steal login credentials to transfer funds.
As a security manager, the future of mobile device malware should definitely be in your line of sight as you plan the future of risk management for your company.
http://www.darkreading.com/advanced-threats/167901091/security/perimeter-security/240062687/companies-need-defenses-against-mobile-malware.html?cid=nl_DR_daily_2012-11-09_html&elq=4b4d20895e5c47ee858179f82fb72f95
Monday, November 12, 2012
Friday, November 2, 2012
Hack Back...Legally
David Willson, an attorney from Titan Info Security Group, understands the frustration of spending $50,000 to $100,000 per week to battle a persistent threat. Nothing works, law enforcement is overwhelmed with too many cases, and traditional approaches are failing. He believes the answer could be to hack back. But he cautions that this should never be the first line of defense. In the case of a persistent attack, it may be the only option. He says the key is to stay within criminal law while you take your chances with civil law.
Security is poor on the corporate side, but it is also poor on the hacker side. An organization could place code on a bot that has infected their system. This code could eventually get back to the attacker's command-and-control server to block their communications route. This code could be viewed by courts as similar to cookies or adware and these are not illegal.
Honeypots are also an option. They are a legal way to collect information on their attackers and their trail.
US companies are governed by the federal Computer Fraud and Abuse Act. This states that any unauthorized access of another company's computers can be considered a crime. Many states have computer trespass laws, and other countries also have laws that can cause serious legal trouble.
My thoughts on this are frustration. I liken this to the homeowner's dilemma in protecting their property. If someone comes to my house, jimmies the lock, comes in with a weapon, and I shoot them, I have to defend myself. In my humble opinion, the minute someone comes into my house unexpected and uninvited, especially armed, they deserve whatever I can dish out. They have NO business being here. I feel the same about my computer. I feel if hackers are getting into your system, you have documented it, and you have tried regular methods to eradicate their presence that have failed, then I think you should be able to "have at them." If they are in your business without cause and making problems, I believe if you can get back to them and mess up their systems, you should be able to do it. They invited the trouble. If they were not there, they would not bring trouble on themselves.
I understand there are fine lines and they are there for reasons. But I get so frustrated when they seem to protect the bad guys more than the good guys.
http://www.darkreading.com/risk-management/167901115/security/security-management/240012675/companies-should-think-about-hacking-back-legally-attorney-says.html?cid=nl_DR_weekly_2012-11-01_html&elq=1a2a5e29b1f64afbb23aed6fd2323f2f
Friday, October 26, 2012
Network Monitoring As Security
Network monitoring can double as a security tool. Most organizations already have some monitoring systems incorporated into their systems for generic IT management tasks. Some of these are service-level agreement-related tasks like capacity planning, performance uptime monitoring, and quality service. Companies that are not already using monitoring tools may be able to sell management on them because they can pull double duty.
Some security areas that can be helped with monitoring tools would be looking for denial of service conditions, system and asset inventory, investigations support, behavioral anomaly detection, and new and emerging value propositions like virtualized systems. Systems may already be in place that could be leveraged to forward the goals of security even if that was not the original intent when it was purchased.
Managers may be able to do more with less, as is so often necessary, by looking at increasing the usage of their monitoring systems. Using the systems to their full potential and ability could add another great layer of protection to their security framework.
http://twimgs.com/darkreading/securitymonitoring/S5991012netmonitoring.pdf?cid=nl_DR_weekly_2012-10-25_html_wp_top&elq=e0fdd256c3f94f07b39e89ea62644e68
Monday, October 15, 2012
Turn the Tables
Thirty years of best practices and millions of dollars spent in defense and defense-in-depth really have not made much of a dent in the fight against hackers. It is a never-ending battle. We get better, they get better. Since follow-through on punishment is difficult if not impossible once hackers are identified and found, due to them being in another country, what recourse is left? Dmitri Alperovitch, co-founder and CTO of CrowdStrike, believes it is necessary to find out who is benefitting from the stolen information. If you pinpoint a state-owned oil company that is better able to compete in the marketplace because of the information that they acquire, then you can sue them. You pick a jurisdiction because many are multinational in scope.
You can also use deception. If you know information is being stolen, plant phony data to derail their plot. If you can get a photo of the hacker and his identity, publicize it. If they are all over the media, it should cause concern for whoever is employing them. Make it more difficult, expensive and painful for them to work. Tom Kellermann, VP of cybersecurity at Trend Micro, says most hackers have known cyber kill-chains that they are partial to; they do not vary much. The more you can profile and understand how they move laterally within your system, what IPs and URLs they prefer, and where the command-and-control is located...you can make it very uncomfortable and more difficult for them.
Pressure can also be placed on the infrastructure suppliers to the attackers, the ones that house their servers, and the money-laundering channels that they use. By causing them damage in their own house that they need to control, they can be put on the defensive.
http://www.darkreading.com/security/news/240008322/turning-tables-id-ing-the-hacker-behind-the-keyboard.html?
Thursday, October 11, 2012
CIO's better up their game - by Teddi Moon
There seems to be a disconnect in the perceived value of the CIO in an organization. In general, 60% of CIOs think they add strong value; however, 35% of their C-suite peers would back that up. CIOs appear to lack the business expertise to demonstrate their worth to the executive team even though IT is involved in almost all areas of business these days.
Maureen Osborne, Global CIO of Ernst & Young said: "In order to stay relevant in a rapidly evolving technological landscape, CIOs will need to break out of their comfort zones within the data centre. Those who don't, will run the risk of being further relegated down the corporate hierarchy, or sidelined altogether."
Lack of support is a common complaint from the executive level among IT leaders. Engaging CEO and other business leaders can be easier said than done. To get their attention, CIOs must become experts in all major areas of the business says an executive recruitment specialist. Actions are louder than words and CIOs need to look for opportunities to support some form of major projects for the organization that can make an effect on the business operation.
To be seen, heard, valued, and taken seriously, CIOs are going to have to step up their game. This is part of the security puzzle. It can be difficult to sell security to management; there is no clear return on investment. A lack of track record for being useful compounds the problem of achieving approval to implement security measures.
"Once business leaders start to recognize an IT leader as someone who can transform the way they operate their business, perceptions can quickly start to shift. This will be especially clear if the resultant changes in the business operating model impacts top line revenue growth."
I thought this was relevant for us as we travel our career paths. As we move forward, it is wise to keep in mind the challenges that we will face as we help to change the face of the IT industry.
http://www.techrepublic.com/blog/cio-insights/who-thinks-the-cio-is-important-the-cio-but-hardly-anyone-else/39749498?tag=nl.e076&s_cid=e076
Monday, October 8, 2012
Well I started out with one thing in mind, but. . . by Teddi Moon
I began looking for articles for this post that gave some comparison information on different countries and where they were in their level of information security maturity. I had a difficult time finding any information describing what I was looking for. However, I did find a 'book' online that I quite enjoyed while I skimmed through it. It is actually kind of old, 2001, but the authors, I believe, were ahead of the game in getting their 'sermon' out in that year. I mean think about it, that was 11 years ago. As far as technology goes, things move fast. But this book is talking about cyber-terrorism, cyber-threats, cyber-war, and all of the topics we have been discussing in this class. I have to tell you, many people I talk to today give me a blank look and say, 'cyber - who???' So I think these authors were pretty darn insightful for that year. They pose the question, "Do we need a full-scale information security disaster for this subject to be given the attention it requires?"
I like this book because it does not read like a dry textbook. The language is professional, but engaging. I think this book would be ideal for the general public to read to become more familiar with this topic. It is easy to read and concepts and definitions are explained well and very understandable. Those of us that know people that are a little interested in the topic and want to learn more could really find the book enjoyable as well as informative, (and likely disturbing.) It could be a good book to have in the break room for employees to read a paragraph or two while eating lunch. Maybe it is just my inner geek, but I think the book draws you in and holds your interest. Even though I have studied these topics and read texts on the same topics, I still wanted to keep reading this book. I really like the name, too. Information Insecurity, A survival guide to the uncharted territories of cyber-threats and cyber-security by Eduardo Gelbstein and Ahmad Kamal. It can be found at this link: http://www.itu.int/wsis/docs/background/themes/security/information_insecurity_2ed.pdf
Monday, October 1, 2012
Chrome the most secure browser, ... or is it?
Well, to be fair, I better discuss an article I found in Dark Reading that has some information on the very topic I wrote about last week. I made the statement that my preference for browser was Chrome and that I was delighted to read about some of the security measures Chrome has in place. Then I find this article that has some pretty impressive statistics that in NSS Labs browser tests, IE is better at stopping malware than Chrome, Firefox, or Safari. Check out these statistics!
The tests were to determine how the browsers defended against malware associated with bank fraud, stealing of login credentials, phony antivirus, and click fraud. They were conducted from 12/2/11 to 5/25/12 on identical virtual machines running Windows 7.
Percentage blocked, by browser:
Browser            In general    Click fraud
IE 9               95            96.6
Chrome 15 - 19     33            1.6
Firefox 7 - 13     < 6           0.8
Safari 5           < 6           0.7
NSS Labs says to expect a big increase in click fraud in 2013. They also recommend that users of the increasingly popular Chrome apply pressure to Google to juice up their protection features in Chrome and its API against click fraud.
Some interesting features of click fraud: the average life span of the URL is 32 hours. More than half die off within 54 hours. Mostly, ad buyers are affected by click fraud; however, those infected also get infected with other malware.
You may read the source article at:
http://www.darkreading.com/risk-management/167901115/security/client-security/240008100/internet-explorer-blocks-more-malware-than-firefox-chrome-safari.html?cid=nl_DR_daily_2012-09-28_html&elq=4789eee338c641d4b5be29768e5692e3
Thursday, September 20, 2012
Which browser??? I like Chrome! by Teddi Moon
For a while, Internet Explorer was the be all and end all. It is still pervasive and what (I believe) most businesses are still using. Then Mozilla Firefox was all the rage. I switched and I liked Firefox better. I found IE to be 'glitchy.' I have not used it regularly now for years. The only time I resort to it is when I have to for a class due to interface issues. Then I began to hear about how great Chrome was and that there were some security issues with Firefox add-ons. So I added Chrome to my tray. I have not looked back. I have not had any issues with Chrome and as I was reading various IT articles, I came across some information that made me like Chrome even more.
In 2011, Chrome was the only browser to show solid growth. Depending on where you look (StatCounter, for instance), Chrome is now the most used browser in the world. That is debatable, depending on what the numbers are based on. Net Applications places Chrome in second position behind IE. Whether you measure popularity or penetration, however, it is impressive for Chrome to be in that ballpark! Regardless of the actual numbers, the trend is this: IE experienced the greatest decline and Chrome the greatest growth since the beginning of the year. Here are some reasons why.
Chrome offers built-in security practices. Google automatically updates their browsers whenever a new version is available. This shows that users, home and enterprise, are giving up control to the greater benefit of lower cost, convenience, and better security. Google often is quicker at getting a patch out than Adobe can release one for the same vulnerability in its built-in Flash player and PDF reader.
Chrome also offers group policy compatibility to allow administrators to enforce certain features on supporting products. Chrome also utilizes sandbox technology to thwart attackers. Sandboxing is not a cure all, but it sure makes it more difficult to exploit the browser.
If you are still using IE or Firefox, I recommend you try Chrome. I think you will like it!
http://mashable.com/2012/07/02/chrome-vs-firefox/
http://twimgs.com/darkreading/securityservices/VRSN_NIA_iDefense_2012Trends_WhitePaper_20120127.pdf pg 16.
Saturday, September 15, 2012
Patches by Teddi Moon
One of the biggest challenges IT faces is trying to keep up with patching applications and operating systems. The stream of patches that need to be tested and applied is overwhelming. Many times, patches may not be accurate and may have to be rolled back.
The half-life of a vulnerability is defined as the "time it takes to fix a flaw on half the instances of an application". In 2009, the half-life for many companies was 30 days to fix a vulnerability on half of its computers. In 2012, the number increased to 35 days. Java and Flash have terrible half-life times. Internet Explorer and Microsoft Office have improved to about 15 days.
One answer may be a service that provides custom patches. Building a patch internally can be quite expensive. Services that provide custom patches can slow the patch cycle, but the quality and consistency of the patches can be improved. Outsourcing this service can free up your IT people for other tasks. It is still recommended that patches be staged, testing them on less critical systems first.
Those of you with experience working from the chair of the one doing the patching, do you think this is a viable option? Would this be a good idea?
Saturday, September 8, 2012
Which password? ....Really??? by Teddi Moon
The most common first-line defense for computer security is the password. This begins at computer logon and continues to network, software, and website security. As we all know, people are our weakest security link and passwords are where we often fail. Complex passwords are difficult to remember. It is challenging to think of and remember good strong passwords. Of these next two examples, which would you believe to be the best option as a strong password? "J8$kl934" or "MySmartDogGypsy"
You may be surprised to find that the simpler, but longer option is harder to crack. It takes less than 4 hours for a modern brute-force password cracker to cycle through every combination of characters for an eight character string of random letters, numbers, and symbols. It would take 317 years to crack the plain English phrase of 12 characters. I don't know about you, but for me, this is actually good news. I have a better chance of remembering a meaningful, (but obscure to someone else) phrase than some random, complicated series of characters. I am also more likely to be better about using unique phrases for each site/software.
So pass this information on to your family and the users you provide IT services for. It may be helpful to get them started by having an exercise to think of creative passwords. Many people enjoy creating and guessing fun license plate 'codes'. If passwords can be made more 'fun', meaningful, and users can be educated as to what truly is a strong password, it may result in better compliance with strong password practice. An introduction and some training in the capabilities of another tool, a password manager such as LastPass, can be used to help with password management. By helping our users to do the right thing, we may strengthen the weakest link.
Thursday, August 30, 2012
Changing Careers
Well here I am 48 years old and trying to change careers. I sure picked a big field. So many facets of computing; programming, databases, network, security, operating systems, mobile devices. Each of these is a field unto itself. But of course I want to do cybersecurity, computer forensics and data recovery. I believe these pursuits require some solid knowledge of all aspects of computing. Did I bite off more than I can chew?
I feel as if I have been in classes for a very long time. People ask me when I will be done with school. I get the deer-in-the-headlights look because I cannot answer the question. Even when someone has been in the field for 20 years, they still must learn. Technology is ever changing, rapidly! Anyone wishing to do well in the field, or even stay in the field, must continue to study and learn. I used to joke about being a perpetual student. Seems I meant it. I will always strive to learn new pursuits all through my life. Maybe it will help to stave off Alzheimer's. So I then tell them I will never be done with school. After getting the MS degree, I will move on to acquiring certificates.
I am always looking for advice from those in the field. My immediate goal is to become useful in some facet so I can break into a position where I am actually working with IT personnel, getting my hands dirty with computers. What would be the best facet to focus on initially to become someone that would be hired in IT? . . programming, database administration?