Monday, March 30, 2009

What's on the Minds of Security Professionals?

There are no surprises in this Information Week survey of 400 security professionals. The biggest driver of security is regulatory compliance, followed by prevention of unauthorized access as a close second.

But security professionals don't live by regulatory compliance and access management alone. Other top issues in the survey were cutting security costs and managing risk.

Along the same theme, here are four security holes in telecommuting from CSO Online, which I'm sure also keep IT security people in enterprises on their toes:

1) Careless use of Wifi and accessing unsecured networks
2) Letting family and friends use work-issued devices
3) Altering security settings to view Web sites that have been blocked by the company
4) Leaving a work-issued device in an unsecured place

Mainstream Media on Cybersecurity: 60 Minutes and Conficker

The popular news show 60 Minutes ran a story by Lesley Stahl about the recent Conficker infection, which also struck CBS News coincidentally, and the impact of cybersecurity on consumers, in general.

Though it's textbook media hype, it does cover the basic issues: Russian cybergangs openly distributing and selling malware, the growth of hacking as a business and the spread of malware infections to well-trafficked sites like social networking sites.

But Michael Horowitz on the Defensive Computing blog puts the issue into perspective, and the essence of the story evaporates. Horowitz notes the Windows-centric nature of the story, such as the lack of balanced coverage emphasizing that Conficker attacks only Windows systems and not Mac or Linux systems.

Another weakness in the story, which, to be fair, is unavoidable for a program aimed at a mass -- and non-technical -- audience, is that we really don't know the security settings on the computer of the woman whose bank account was filched twice. She claims to have had all her anti-viral, anti-spyware and firewall settings up to snuff. But how many times have those of us in the field heard this same claim from customers, only to find otherwise when testing their systems?

The story was called "The Internet is Infected." A bit of old-fashioned FUD, isn't it?

White House Cybersecurity Drama Continues

A report currently being prepared on the state of federal cybersecurity may, or may not, call for the creation of a White House level cybersecurity director, Computer World recently reported. The report is being prepared for President Obama by Melissa Hathaway, acting senior cybersecurity director, as part of a 60-day review of cybersecurity.

The issue has been a bone of contention between advocates of a cabinet-level cybersecurity czar and those who see the issue as part of the responsibilities of the NSA.

Tuesday, March 24, 2009

Phishers and Web Attacks: It's Not Getting Better

In two separate reports, one on web attacks and another on phishing, it looks like the attackers aren't letting up. A report recently published by Cenzic, an application security outfit, said 80 percent of all web attacks were due to known vulnerabilities in web applications in the second half of 2008.

The other report, covering the same period in 2008, by the Anti-Phishing Working Group, a phishing watchdog group, cited increases of 225% in the number of phishing sites peddling fake anti-malware and an astounding 827% jump in password stealing sites. Phishers are automating code attacks, increasing their number and magnitude.

The targets? The same as always: financial institutions with well-known and well-established brands.

Tips for Safe Browsing With Internet Explorer

Here are ten tips from CSO Online for safer surfing with Internet Explorer. IE takes it on the chin a lot, often deservedly so, for not being as secure as Firefox. But, either browser can be a magnet for attackers if not configured correctly.

1) Disable XPS documents
2) Disable font download
3) Disable inclusion of local file directory path when uploading files to a server
4) Disable prompting if you are prone to just clicking "yes"
5) Always prompt for username and password
6) Disable SSL 2.0 support
7) Enable TLS support
8) Disable searching from the URL bar
9) Disable unnecessary add-ons
10) Uninstall old Java installations

These tips will help block -- but not entirely prevent -- malware and accidentally exposing your authentication credentials to unwanted outsiders. You'll also note that there are "no obvious downsides" to most of these suggestions.

Saturday, March 14, 2009

Blocking Anonymous Web Proxies in Your Office

This is a big one for enterprises trying to control malware spread by reckless web surfing in the office. Many companies set up proxies with filters to control traffic, but there are still tools out there for circumventing proxies and bypassing web firewalls.

In this tip on TechTarget's SearchSecurity web site, John Strand provides some ways to prevent these practices. I had also written a tip for SearchSecurity on blocking web anonymizers in 2006.

Amazingly, little has changed since then. The basic defenses remain the same: a combination of web use policies (admittedly easily ignored but useful for HR), filtering traffic on known ports and IP addresses of proxy services and blocking downloads from the web.
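As an added example (not from the original post, nor from the SearchSecurity tips it links to), here is the second and third of those defenses, filtering on known anonymizer hosts/addresses and ports and blocking downloads, written as detection logic over proxy access-log lines. The blocklist, the port policy, the log layout and the sample lines are all constructed for illustration; a real deployment would load the blocklist from the organization's own feed and read the real proxy log.

```python
"""Flag proxy-log entries that look like attempts to reach web anonymizers.

Added example, not code from the original post.  The blocklist entries,
port policy, log format and sample lines below are all constructed data.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed blocklist: hostnames and CIDR ranges an admin might maintain
# for known anonymizer services (placeholder names, TEST-NET-3 range).
BLOCKED_HOSTS = {"anon-proxy.example", "hide-me.example.net"}
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Only plain web ports are allowed through; CONNECT or GET to anything else
# is the signature of a proxy tool configured on a non-standard port.
ALLOWED_PORTS = {80, 443}

# Executable downloads the policy blocks outright.
BLOCKED_EXTENSIONS = (".exe", ".msi", ".scr", ".bat", ".cab")

# Constructed Squid-style access line: time client method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass
class Finding:
    client: str
    reason: str
    target: str


def _host_and_port(method: str, url: str) -> Tuple[str, int]:
    """Return (host, port) for a GET/POST URL or a CONNECT host:port target."""
    if method == "CONNECT":
        host, sep, port = url.rpartition(":")
        if not sep:
            return url, 443  # CONNECT without an explicit port
        return host, int(port) if port.isdigit() else 443
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname or "", parts.port or default


def _host_blocked(host: str) -> bool:
    """True if the host is on the name blocklist or inside a blocked range."""
    if host in BLOCKED_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an address
    return any(addr in net for net in BLOCKED_NETS)


def scan_proxy_log(lines: List[str]) -> List[Finding]:
    """Apply the three checks to each parseable line, most specific first."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        method, url, client = m["method"], m["url"], m["client"]
        host, port = _host_and_port(method, url)
        if _host_blocked(host):
            findings.append(Finding(client, "known anonymizer", host))
        elif port not in ALLOWED_PORTS:
            findings.append(Finding(client, f"non-standard port {port}", f"{host}:{port}"))
        elif method != "CONNECT" and url.lower().endswith(BLOCKED_EXTENSIONS):
            findings.append(Finding(client, "blocked download", url))
    return findings


# Constructed sample log lines.
SAMPLE_LOG = [
    "1238400000.001 10.0.0.12 GET http://intranet.example/home 200",
    "1238400001.002 10.0.0.12 CONNECT anon-proxy.example:443 200",
    "1238400002.003 10.0.0.15 CONNECT 203.0.113.7:8080 200",
    "1238400003.004 10.0.0.20 CONNECT mail.example.com:8443 200",
    "1238400004.005 10.0.0.21 GET http://downloads.example/tool.exe 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.client}: {f.reason} -> {f.target}")
```

The checks are ordered so that a known anonymizer is reported as such even when it also sits on an odd port, and the download check only applies to plain requests, since a CONNECT tunnel carries no visible path.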

Little Black Book Now Available at Left-Brain

My book, The Little Black Book of Computer Security, Second Edition, is now available at the Left-Brain Store, the new online bookstore for my publisher, Penton Media.

Of course, it's still available, as it's always been on Amazon.

Monday, March 09, 2009

New Charges Against Palin E-mail Attacker

A University of Tennessee student charged last year with breaking into then-vice presidential candidate Sarah Palin's e-mail account has been hit with additional felony charges by federal prosecutors.

Originally charged with unauthorized access to a protected computer, the new charges include fraud, unlawful electronic transmission of data outside Tennessee and attempting to conceal records to impede an FBI investigation.

The story received notoriety not just because the victim was a well-known personality, but because it also focused on the weakness of password reset systems for some e-mail accounts and the ease with which the alleged attacker was able to guess the answers to personal security questions based on publicly available information.
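To make the password-reset weakness concrete, here is an added example (not from the original post, and not a description of any e-mail provider's actual reset flow). It puts a number on how little guessing work a few biographical security questions demand, and beside it shows the mitigation: a random, single-use, expiring reset token that is delivered out of band and stored only as a hash. The question list, the answer-space estimates and the user names are constructed for illustration.

```python
"""Knowledge-based reset questions versus a random, single-use reset token.

Added example, not code from the original post.  The question list, the
answer-space estimates and the user records are constructed.
"""
import hashlib
import hmac
import math
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# --- The weakness: biographical questions have a tiny answer space -------------
# Constructed estimates of how many plausible answers remain for a public
# figure once a biography is in hand; they only make the arithmetic concrete.
QUESTION_ANSWER_SPACE = {
    "birth date (year already known)": 366,
    "postal code of hometown": 1,          # a single fact once the town is known
    "where did you meet your spouse": 50,
}


def kba_guess_bits(spaces: Dict[str, int]) -> float:
    """Guessing work in bits if every question must be answered correctly."""
    total = 1
    for n in spaces.values():
        total *= n
    return math.log2(total)


# --- The mitigation: a random token, hashed at rest, time-limited, single use --
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class PendingReset:
    token_hash: bytes    # the plaintext token is never stored
    expires_at: float
    used: bool = False


class ResetService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable so expiry can be tested
        self._pending: Dict[str, PendingReset] = {}

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, username: str) -> str:
        """Create a 256-bit token for out-of-band delivery; keep only its hash."""
        token = secrets.token_urlsafe(32)
        self._pending[username] = PendingReset(
            self._hash(token), self._clock() + TOKEN_TTL_SECONDS
        )
        return token

    def redeem(self, username: str, token: str) -> bool:
        """Accept a token once, inside its lifetime, using a constant-time compare."""
        rec = self._pending.get(username)
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return False
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return False
        rec.used = True  # a replayed token is rejected from here on
        return True


if __name__ == "__main__":
    print(f"security questions: about {kba_guess_bits(QUESTION_ANSWER_SPACE):.1f} bits of guessing")
    svc = ResetService()
    t = svc.issue("alice")
    print("first redeem:", svc.redeem("alice", t))
    print("replay:", svc.redeem("alice", t))
```

Under these constructed estimates the three questions together are worth roughly 14 bits, a few thousand guesses, whereas the token carries 256 bits of entropy and is useless after one use or fifteen minutes.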

Federal Cybersecurity Shake Up

The director of the National Cyber Security Center (NCSC), Rod Beckstrom, resigned suddenly last week in a turf battle over federal control of cybersecurity initiatives. Beckstrom had been appointed in March 2008 to the newly created NCSC post as part of the Department of Homeland Security (DHS), according to Computer World.

Beckstrom said in a letter to DHS head Janet Napolitano that he was concerned about the encroachment of the National Security Agency (NSA) into leading government cybersecurity efforts. He decried what he called the "intelligence culture" of the NSA as a poor strategy for cyberdefense, saying it was different than "a network operations or security culture."

Beckstrom had been a controversial appointment himself due to his lack of a background in security. With his departure, attention will now be focused on the 60-day review of federal cybersecurity by Melissa Hathaway, who was appointed by President Obama in February.

Thursday, March 05, 2009

Protecting Your Network During Layoffs

In tough economic times like these, it's important for companies to get a handle on restricting system access for departing employees. Laid-off employees are more likely to attempt to steal privileged company data or try to hack into IT systems later, according to Computer World.

In a 2008 study conducted by Cyber-Ark, 88 percent of IT administrators said they would consider taking valuable company data with them if they were to be laid off tomorrow.

Here are some security tips for protecting your network during layoffs:

* Clearly and completely document each worker's access to the network, applications, servers and the physical building.
* Shut down remote connections, including pcAnywhere systems and VPNs.
* Invalidate usernames and passwords.
* If the employee worked in IT, change root access and network access.
* Shut down external access to the telephone system.
* Make sure handhelds, smartphones and cell phones are turned in along with PCs and laptops.
* Collect ID cards.
* Use monitoring software to keep an eye on network traffic.

I also have more details in a chapter devoted to this topic in my book, The Little Black Book of Computer Security, Second Edition. Here's an excerpt from my first edition on termination procedures posted by TechTarget.
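The list above is a procedure, and the first step (document every kind of access) is what makes the later ones checkable. As an added example (not from the original post or the book it mentions), here is that reconciliation in code: a documented access inventory for one departing worker is compared against what each system still reports as active, and the authentication log is scanned for any activity by that worker after the termination time, which is the "monitoring software" step. The inventory, the still-active snapshot and the log lines are all constructed; a real run would pull them from the directory, the VPN concentrator, the badge system and the log collector.

```python
"""Reconcile a departing worker's documented access against what is still
active, and flag any activity by that worker after termination.

Added example, not code from the original post.  All data below is
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set


@dataclass(frozen=True)
class Access:
    system: str       # "ad", "vpn", "pcanywhere", "badge", "pbx", "root-shared"
    identifier: str   # account name, badge id, extension, host


# Step 1 of the checklist: the documented inventory for one worker (constructed).
INVENTORY: Dict[str, Set[Access]] = {
    "jdoe": {
        Access("ad", "CORP\\jdoe"),
        Access("vpn", "jdoe"),
        Access("pcanywhere", "jdoe-host"),
        Access("badge", "B-1042"),
        Access("pbx", "x2231"),
        Access("root-shared", "srv-db01"),  # shared root credential the worker knew
    }
}

# Constructed snapshot of what each system still reports as enabled after
# the offboarding steps were supposedly carried out.
STILL_ACTIVE: Set[Access] = {
    Access("ad", "CORP\\jdoe"),          # account never disabled
    Access("root-shared", "srv-db01"),   # shared root password not rotated
}

# Constructed termination time for the sample worker.
TERMINATED_AT = datetime(2009, 3, 5, 12, 0)


def lingering_access(user: str, inventory=INVENTORY, active=STILL_ACTIVE) -> List[Access]:
    """Everything documented for the worker that a system still reports active."""
    leftover = inventory.get(user, set()) & active
    return sorted(leftover, key=lambda a: (a.system, a.identifier))


def post_termination_events(user: str, terminated_at: datetime, log_lines: List[str]) -> List[str]:
    """Log lines after the termination time that carry a user=<name> field."""
    hits = []
    for line in log_lines:
        ts_text, _, rest = line.partition(" ")
        try:
            ts = datetime.fromisoformat(ts_text)
        except ValueError:
            continue  # not a timestamped line; skip rather than abort
        if ts > terminated_at and f"user={user}" in rest.split():
            hits.append(line)
    return hits


# Constructed authentication log lines (ISO timestamp, then key=value fields).
SAMPLE_AUTH_LOG = [
    "2009-03-05T08:55:00 vpn login user=jdoe src=198.51.100.4 result=ok",
    "2009-03-05T09:30:00 vpn logout user=jdoe",
    "2009-03-05T18:42:10 vpn login user=jdoe src=198.51.100.9 result=ok",
    "2009-03-06T02:11:45 ad logon user=jdoe host=srv-db01 result=ok",
    "2009-03-06T03:00:00 ad logon user=asmith host=wks-17 result=ok",
]

if __name__ == "__main__":
    for a in lingering_access("jdoe"):
        print(f"still active: {a.system} {a.identifier}")
    for line in post_termination_events("jdoe", TERMINATED_AT, SAMPLE_AUTH_LOG):
        print("post-termination activity:", line)
```

Both functions return lists rather than just printing, so the same checks can feed a ticketing system or a scheduled job that re-runs until the lingering-access list is empty.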

Tuesday, March 03, 2009

Implementing Single Sign-On on a Small Scale

This is an interesting case study from TechTarget's SearchCIO-Midmarket site of how a small community hospital in southern Indiana implemented single sign-on (SSO) on its network. The 247-bed Good Samaritan Hospital turned to a hardware solution from Imprivata, which specializes in SSO for SMBs.

While many SSO solutions require an enterprise to set up its own dedicated hardware and servers, and then configure them, Imprivata works almost right out of the box. Standing up and configuring dedicated servers is fine for larger companies and organizations which can spare the equipment and staff. But for SMBs, this may not be realistic.

Imprivata is basically a standalone SSO server, or two for redundancy, which can hold authentication credentials for registered applications and can be remotely managed with a web-based interface.

Monday, March 02, 2009

The Dangerous Back Alleys of Outsourcing

In an interesting study done recently by The Brown-Wilson Group, popular and emerging outsourcing destinations are ranked based on their security. The study, 2009: The Year of Outsourcing Dangerously, ranks cities not just on their physical security, but on other tangible issues like political instability and levels of corruption.

The study ranks Singapore, Dublin, Santiago, Krakow/Warsaw, and Toronto/Montreal as the safest among its top 25, and Kolkata, Hyderabad, Bangalore, Hanoi and Chennai as the riskiest of the bottom 25. It's interesting to note that four of the five worst are in one country, India, which has been the darling of outsourcing for the better part of the decade.

The study, which was also reported in Computer World, says businesses are now looking not just at cost, but also at security, before running offshore for development projects.

Some ways to mitigate the risks, according to the study, include doing a thorough analysis of the proposed offshore location and putting together crisis and disaster recovery contingency plans -- just in case the worst happens.