Tag: security

Google: Pets are most popular passwords

Google commissioned a survey of 2,000 adults – and one in ten said they could accurately guess a colleague’s password. Probably because the most popular passwords are, according to the research, easy guesses.

Wedding anniversaries, birthdays and kids’ names were all top choices for passwords, while football teams and the word ‘password’ also appeared a fair few times. Indeed – ‘password’ was tenth most popular.

Shockingly, half of web users surveyed admitted to sharing their passwords with other people. Women, the survey found, were more likely than men to share their password, and twice as likely to share it with their children.

But the most chosen password was the name of a pet. Favourite holidays or place of birth were also frequently chosen – the kind of passwords that would also be answers to security questions.

Given that it is often social engineering tricks or the simple human gaffe that leads to compromised security, this is a security nightmare.

“People often leave their information open to online security breaches without even realising it,” director of security for Google Apps, Eran Feigenbaum, told the Telegraph. “Lax attitudes to online security can lead to serious consequences if strangers access your information.”

Speaking with ChannelEye, security expert Graham Cluley said it’d sadly be no surprise if the research was accurate.

“It never ceases to amaze me how – despite all the high profile hacks and data breaches – people still haven’t learnt the most basic lesson about passwords,” Cluley said. “Or if they have, they’ve decided to ignore it because it’s ‘too difficult’ to remember tricky passwords, let alone different passwords for different websites”.

Echoing other calls from the UK’s security pundits, companies and consumer action groups, Cluley said it’s easy to imagine the positive impact of a public education campaign.

It could explain that “password management software exists, often for free, which will remember all your passwords for you, and generate new, complex passwords so you don’t end up using ‘Tiddles’ over and over again,” Cluley said.
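As an added illustration of the point Cluley makes (example code written for this page, not from the survey, Google or Cluley), the check below rejects the kinds of choices the survey found and generates a replacement from the operating system’s CSPRNG, which is what a password manager does. COMMON_PASSWORDS is a constructed stand-in for the large breached-password list a real deployment would load from a file, and personal_words is an assumed caller-supplied list of things an attacker could learn from a desk or a social profile.

```python
import re
import secrets
import string
from typing import Iterable, List

# Constructed stand-in for the breached/common-password list a real
# deployment would load from a file (one password per line); the survey's
# favourites (pet names, 'password', football teams) are all on it.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "liverpool", "arsenal",
    "tiddles", "fluffy", "rover",
}

# A single word with up to four trailing digits (pet or child name plus a
# year) and date-like strings (ddmmyyyy, ddmmyy or a bare year) cover the
# survey's other favourites: birthdays and wedding anniversaries.
_WORD_PLUS_DIGITS = re.compile(r"^[a-z]+\d{0,4}$")
_DATE_LIKE = re.compile(r"^(?:\d{8}|\d{6}|(?:19|20)\d{2})$")


def check_password(candidate: str, personal_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons a candidate is weak; an empty list means it passed.

    personal_words is an assumed caller-supplied list (pets, children, team,
    place of birth). Matching is case-insensitive.
    """
    reasons = []
    lowered = candidate.lower()
    stripped = re.sub(r"\d+$", "", lowered)   # 'tiddles2009' -> 'tiddles'
    if len(candidate) < 12:
        reasons.append("shorter than 12 characters")
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    for word in personal_words:
        if word.lower() in lowered:
            reasons.append(f"contains guessable personal word '{word}'")
    if _DATE_LIKE.match(lowered):
        reasons.append("looks like a date")
    if _WORD_PLUS_DIGITS.match(lowered):
        reasons.append("is one word with optional trailing digits")
    return reasons


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Random password drawn from the OS CSPRNG via secrets; never use
    random.random for anything security-sensitive."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for pw in ("Tiddles", "14021998", "Fluffy2012", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, personal_words=['Fluffy']) or 'ok'}")
    print("generated:", generate_password())
```

The length floor and the denylist are the two checks that matter most; the pattern rules only catch the specific habits the survey describes, and a real deployment should load a full breached-password list rather than the handful of words shown here.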

Trend Micro shuffles channel approach

Security company Trend Micro is reshuffling its channel program with a view to boosting access to its cloud and Data Centre Security offerings.

The changes cover Deep Security’s deal registration and specialisation programs, plus an on demand marketing platform that opens up assets to partners. Deep Security offers enterprise class protection to the mid market, specifically to prevent data breaches and other possible business disruptions on physical and cloud servers.

It’s an all in one that brings anti malware, web reputation and firewall together, as well as intrusion prevention, integrity monitoring and log inspection. It lets companies virtually patch their critical systems – shielding a known vulnerability at the network layer until the vendor’s fix is applied – and cut out vulnerabilities before they wreak havoc, as well as helping businesses make sure they’re up to speed with regulatory requirements such as HIPAA and NERC.

Now, partners will be able to use the deal registration program to simplify their margin structure and make registration easier. The specialisation program will open up additional revenue streams for specialising in specific areas.

The on demand marketing program makes more marketing content available to customers through a dashboard platform, giving them access to co-branded emails and web content.

Veep of US channel sales, Partha Panda, said that there is a lot of money to be made from mid market companies. They “present a tremendous business opportunity for our channel partners and we want to support them with one of the most reliable security solutions available,” Panda said.

Execs don’t get security metrics

Senior executives are struggling to take security metrics into account for their risk based security programmes, a report has said.

Most organisations rely on security metrics to improve operations, but non-technical business executives struggle to understand their value. IT professionals find it tough to communicate properly with senior execs, because metrics are difficult to explain to people with non-technical backgrounds.

A Ponemon Institute and Tripwire survey said 35 percent of IT staff find it takes too much time and resources to properly prepare and report these metrics to senior executives, and worryingly, 13 percent thought the management was simply not interested in the information. Other more pressing problems are often the priority.

Chief Information Security Officers, or CISOs, do often talk up the importance of using these metrics in line with business goals and building risk management best practice, but it is difficult to produce meaningful metrics, while those that are used rarely match business strategy, Tripwire’s Rekha Shenoy said.

A large majority of respondents with risk management background do agree that studying and using these metrics are important for a risk-based approach to security. But half of respondents said they are unsure that these metrics are used in line with business objectives.

Meanwhile, 49 percent of respondents didn’t believe or were unsure the metrics “adequately convey the effectiveness of security risk management” to senior execs.

The report concludes the onus is on IT security and risk professionals to improve the ways they communicate security metrics, if there is to be broader adoption of risk based security.

“Even though most organizations rely on metrics for operational improvement in IT,” Larry Ponemon, Ponemon’s chairman, said, “more than half of IT professionals appear to be concerned about their ability to use metrics to communicate effectively with senior executives about security”.

Logicalis scores Juniper Network Elite status

Logicalis has nabbed itself Elite Partner status for Advanced Security at Juniper Networks’ partner advantage programme, the top level for partners.

Logicalis has got itself Firewall/VPN & IDP and Policy and Access Control authorisations, which the company hopes will score it some more brownie points with companies thinking of hiring it.

MD at Logicalis UK, Mark Starkey, said the company had worked with Juniper Networks for quite some time, so getting the Elite status should help it sell itself to businesses concerned with advanced security in emerging trends like mobility and cloud.

“This accreditation provides us with access to the latest technologies and advanced training at Juniper,” Starkey said.

Darryl Brick, director of partners UK&I at Juniper, said that Logicalis is now offering advanced security from data centre through to small and medium enterprise, so customers can “take advantage of some of the most advanced security technology and services in the market”.

Phishing attempts triple

Every single day roughly 3,000 UK web users were sent a phishing attack between 2012 and 2013, triple the levels seen between 2011 and 2012.

That’s according to a new Kaspersky Lab report, “the evolution of phishing attacks”, revealing what was once a subset of spam has grown into its own category of cyber attack. The most targeted websites were Facebook, Yahoo, Google and Amazon, with Facebook and Yahoo far ahead of the rest.

Worldwide, attacks reached an average of 102,100 people each day, with the most common targets being web users in Russia, the United States, India, Vietnam and the UK. Most servers hosting the phishing pages were registered in the USA, the UK, Germany, Russia and India.

Kaspersky discovered that half of all identified attack sources came from only 10 countries, signifying there is quite a small number of preferred regions from which to launch the attacks.

Twenty percent of phishing attacks were set up to mimic banks or financial organisations.

Kaspersky’s deputy CTO for research, Nikita Shvetsov, said the enormous increase shows that phishing is no longer just a sideline for spammers. “These attacks are relatively simple to organise and are demonstrably effective, attracting an increasing number of cybercriminals,” Shvetsov said.

McAfee might miff Intel

Intel might be a little cross that his royal weirdness John McAfee has created a fairly sleazy video explaining how to remove its security software from a PC.

According to the video, a drug-taking McAfee is fed up with getting emails from people asking him how to get his software off their machines.

In the NSFW video he points out he flogged the company to Chipzilla ages ago, but gives the instructions on how to get rid of the software anyway.

In the video he is seen snorting certain substances and consorting with some very nice ladies in a state of undress. McAfee, not the ladies.

Our thought is that while Intel is probably annoyed that McAfee is shafting his old brand, they are probably missing his presents at board meetings. Er, that should be presence.

Anyway it is clear that McAfee has not let his brush with the law get him down and is up to his old tricks now that he is back in the US.

Security resellers have golden opportunity

Resellers of security products have a golden opportunity to target the finance industry.

The Bank of England has warned that it is more concerned about hacking and other cyber attacks than it is about the Eurozone.

Andrew Haldane, the BoE’s director of financial stability, met with five of Britain’s top banks six months ago and four told him that a cyber-attack was their biggest fear.

According to Reuters Haldane told the parliament’s Treasury Select Committee that the fifth bank did not have this on its top fear list until recently.

He said that the financial sector is a particularly good target for someone wanting to wreak havoc through the cyber route.

Earlier meetings with bank chiefs had pointed to the “usual suspects” of the euro zone crisis or a slump in the economy as the top risk, Haldane said.

But now more of the financial industry thinks that economic worries have distracted attention from operational, and in particular cyber, risks at banks or in infrastructure like payment systems.

IT buyers out of touch with office needs

Canon has commissioned a study which found those making buying decisions in the office are often out of touch with the needs of the actual user.

Canon Europe surveyed 1,671 end users and decision makers. It found that firms all over Europe are having a hard time bringing in technology to enable flexible working – with only a minority making sure employees had smartphones or tablet PCs. BYOD, then, matters a great deal at the moment, as those who do have these devices find them crucial to their jobs.

Most respondents said they need advice and support from their IT departments if they’re to properly reach their working potential, whether in the office or on the go. Just one quarter knew the office technology inside out, and the report highlights many workers feel they are excluded when it comes to picking technology they feel would be right for their companies.

Canon also found that, while the majority of respondents work with sensitive documents, those documents are being allowed onto insecure devices on insecure networks. Many end users believe that their organisation is managing document security – when that isn’t the case at all, with under five percent of IT buyers indicating it as a concern in printing, copying or scanning.

The company’s European and UK marketing manager, Matt Wrighton, said the gap between staff and decision makers is obvious. “It’s clear to see how the division within organisations between the two key parties, decision makers and employees, will, if not already, prove harmful to productivity in the workplace,” Wrighton said.

PCKeeper lets customers pick their own price

A software outfit called PCKeeper has come up with a novel way of flogging its product.

It’s not setting a sale price – instead letting the customer decide what they want to pay.

The company said that it is experimenting with the same pay-what-you-want model that musicians and artists have used with their fans for music or art.

It is a radical concept for software because companies usually fear not getting their development costs back.

In this case it took a team of nearly 150 people almost two years to create and support the program so they want to make their money back.

The software normally has a retail price of $39.99 but will be available to customers for as low as $1.00. The idea is being tested out between June and July and it is not clear if it is just a marketing gimmick or if the company really is serious about it as a long term option.

PCKeeper’s communications manager, Ilias Melikov, said that letting people choose their own price is an interesting way to open up the product to consumers who price shop and also build trust with those customers once they use the software and see just how useful it is.

Still, even if the idea is canned after a month it could create regular users.

Resellers need wider mobility portfolios

Resellers must start building wider mobility portfolios and get cosy with disties in a bid to exploit the latest opportunities within the market, Computerlinks has said.

The company, which earlier this week announced an agreement in the UK and Germany with MobileIron, said the recent BYOD trend had been good for starting conversations with organisations about their mobility strategies.

However, Dominic Wordsworth, product group manager at the company, pointed out that the industry was now moving beyond just securing devices to considering how they can make staff not only mobile but also productive.

“MDM was the ‘knee jerk’ reaction by many to BYOD (both vendors and end-users) – securing the device is an important start, but enabling and managing applications is the real challenge,” he told ChannelEye.

He pointed out that the companies with insight who initiated pilot mobility projects were now starting to move into company-wide rollouts.

“[This gives] the channel plenty of opportunities to get involved as businesses need to evaluate what applications are needed, who needs them and why. Vanity projects such as handing out iPads to executives are becoming more scarce, as organisations are beginning to demand real value from all of their devices,” he added.

Many channel partners are offering mobility products which allow IT departments to manage devices. However, Wordsworth claimed it was becoming clear that security was not the only factor at play here.

“To exploit the latest opportunities in the market, resellers should be building wider mobility portfolios around devices, applications and content. Focusing on one aspect of the mobility pitch won’t bring in those high-value contracts as organisations will generally be looking for the whole package rather than just a point solution.

“One way resellers can get ahead of the competition is by working with distributors that can offer extra services to help companies get mobile more easily, such as pre-sales support which can give them access to current market expertise and knowledge,” he said.

Computerlinks claims that its new partnership with MobileIron will help resellers drive their customers to deliver useful business applications to users over enhanced mobile networks to a secure endpoint, whatever the device.

It has also promised training for its channel partners around the new announcement, as well as helping them take advantage of its highly qualified pre and post sales consultants to support their own teams.

Dell attacks Cisco in mid-market

Dell is talking big about taking on network behemoth Cisco, announcing SonicWall NSA firewalls that it believes will disrupt the market.

Dell is promising protection for mid-sized organisations with its latest firewalls, promising customers that the SonicWall NSA appliances will assure “optimal network performance and total cost of ownership”, going on to say that its technology will even “render competitors’ traditional firewalls obsolete”.

Using a patented single pass, low latency Reassembly Free Deep Packet Inspection, or RFDPI, engine, this kit, Dell claims, inspects all network traffic regardless of port or protocol, and can block threats before they worm their way into the network.

Dell boasts that the RFDPI engine has the twin benefit of combining a firewall with an intrusion prevention system, and the appliances sport features like 10GbE SFP+ interfaces and high performance SSL decryption. Medium sized organisations will be able to use the kit to take advantage of security usually only afforded to enterprise grade network security, Dell claims.
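To make the “reassembly free” idea concrete, here is an added example, written for this page rather than taken from Dell or SonicWall and a toy model rather than their patented engine: a signature matcher that scans each packet exactly once and carries only an integer of automaton state per signature between packets, so it still catches a signature that is split across a packet boundary without buffering or reassembling the stream. The signature and the packets are constructed sample data, and the naive per-packet matcher alongside it shows what the split costs you.

```python
from typing import Dict, List, Tuple


def _kmp_table(pattern: bytes) -> List[int]:
    """Classic KMP failure table: table[i] is the length of the longest
    proper prefix of pattern[:i+1] that is also a suffix of it."""
    table = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = table[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        table[i] = k
    return table


class StreamMatcher:
    """Reassembly-free signature matcher for one flow. Each packet is scanned
    once; the only state kept between packets is, per signature, how many
    bytes of it have been matched so far, so nothing is ever buffered."""

    def __init__(self, signatures: Dict[str, bytes]):
        self.signatures = signatures
        self.tables = {name: _kmp_table(sig) for name, sig in signatures.items()}
        self.state = {name: 0 for name in signatures}  # bytes matched so far
        self.offset = 0                                 # stream bytes consumed

    def feed(self, packet: bytes) -> List[Tuple[str, int]]:
        """Scan one packet; return (signature name, stream offset) hits."""
        hits = []
        for name, sig in self.signatures.items():
            k = self.state[name]
            table = self.tables[name]
            for i, byte in enumerate(packet):
                while k and byte != sig[k]:
                    k = table[k - 1]
                if byte == sig[k]:
                    k += 1
                if k == len(sig):
                    hits.append((name, self.offset + i + 1 - len(sig)))
                    k = table[k - 1]   # keep going; allows overlapping hits
            self.state[name] = k       # carry the automaton state forward
        self.offset += len(packet)
        return hits


def scan_stream(signatures: Dict[str, bytes], packets: List[bytes]) -> List[Tuple[str, int]]:
    matcher = StreamMatcher(signatures)
    hits = []
    for pkt in packets:
        hits.extend(matcher.feed(pkt))
    return hits


def per_packet_match(signatures: Dict[str, bytes], packets: List[bytes]) -> List[str]:
    """Naive matcher that looks at each packet in isolation; it misses any
    signature that straddles a packet boundary."""
    return [name for pkt in packets for name, sig in signatures.items() if sig in pkt]


# Constructed sample: an HTTP request whose body carries a made-up marker,
# fragmented so that the marker straddles the second and third packets.
SIGNATURES = {"example-marker": b"EVIL-MARKER-1234"}
PACKETS = [
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"some harmless data EVIL-MA",
    b"RKER-1234 more data",
]

if __name__ == "__main__":
    print("streaming :", scan_stream(SIGNATURES, PACKETS))      # hit at offset 64
    print("per-packet:", per_packet_match(SIGNATURES, PACKETS))  # nothing
```

A production engine also keys this state by flow (the 5-tuple), has to cope with out-of-order and retransmitted TCP segments, and matches thousands of signatures in one pass with an Aho-Corasick style automaton rather than one KMP loop per signature; the point the model shows is that none of that requires holding the stream in memory.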

Dell exec director in product management, Patrick Sweeney, said the company believes these “products are game-changers as we take on Cisco in the critical mid-market”.

As web threats get more sophisticated, penny-pinching mid sized organisations swamped by economic stagnation need excellent security to make sure they are not even more vulnerable than they already are. Problems with funding staff training or specialisation are common, too, so Dell thinks its latest product can help.

McAfee, Stonesoft merger bad news for channel

Consolidation in the security market is increasing, meaning businesses and consumers could eventually end up paying higher prices to keep their PCs protected, resellers have warned.

The comments come as it was announced that Intel’s McAfee was splashing $389 million on the purchase of Stonesoft, a security company that delivers software-based, customer-driven cyber security products to secure information flow and simplify security management.

McAfee said Stonesoft’s product portfolio of next-generation firewalls would help it “extend its leadership position in network security.” It said it planned to integrate Stonesoft’s offerings with other McAfee products such as its cloud-based Global Threat Intelligence services.

However, resellers aren’t convinced the company is doing it for the good of the security world, claiming the buyout will stifle competition and keep customers “over barrels.”

“Intel and other big vendors are gobbling up smaller companies, closing the competition,” one told ChannelEye.

“This means that eventually we’ll be left offering clients only a few security software options at higher prices for the vendors but lower margins for us as we try and compensate for their greed.”

Another agreed, claiming companies were using the fact that everyone needed security to rake in the cash.

“The security world has gone mad. But then big security companies can afford to splash the cash. Not only do they charge extortionate amounts for security but have many over a barrel. It’s like car insurance,” he told ChannelEye.

“Everyone needs it to be safe but no one wants to pay the premiums for it.”

Others also pointed out that although it was a good time to be in security, resellers rarely benefited.

“It’s big money in the security software market if you’re at the top, as this proposed buyout has shown,” he said.

“However resellers like us rarely see the fruits of the profits. Our clients are often quite au fait with security and buy off the shelf, or won’t spend the money we require to see rewards.”

‘BadNews’ malware family infiltrates Google Play Store

Lookout has unearthed a new family of malware it is dubbing BadNews – which has emerged in the Google Play Store for Android devices.

According to Lookout’s research, BadNews poses as an aggressive ad network – however, it floods the user with application install prompts and brings up fake news, all with the agenda of pushing more malware and affiliated apps.

In its early days, Android in particular was dismissed by critics as being unreliable on the security front thanks to the open access nature of the OS. The Play Store, or Android Market as it was known, did occasionally sport dodgy applications that would mimic other popular apps but were anything but.

BadNews, Lookout says, is significant because it has managed to distribute itself so far and wide – using a remote server to delay its malicious behaviour. The security company has let Google know about the malware, and all developer accounts associated with BadNews have been suspended and are being investigated.

BadNews and its affiliated apps could have been downloaded as many as 9 million times. Not all of the affected apps had malicious code in them, but BadNews, Lookout says, puts a “significant number” of users at risk.

The malware also threatens to leak sensitive information such as phone numbers and IMEI codes.

It is a reminder that as smart device use becomes more widespread, so will malicious coders targeting these devices. While at one time mobile security features were panned in some quarters, it can’t hurt to have a legitimate piece of antivirus software installed on your phone and to only download trusted applications, as malicious coders will increasingly target the etailing and digital services space.

Gartner consults crystal ball about cloud

Around 10 percent of IT security enterprise products will be delivered through the cloud by 2015, Gartner has said.

Gazing into its crystal ball, the analyst house has also said that these services will drive changes in the market landscape, particularly around a number of key security technology areas, such as secure email and secure Web gateways, remote vulnerability assessment, and Identity and Access Management (IAM).

It said as a result it expected the cloud-based security services market to reach $4.2 billion by 2016.

Eric Ahlm, research director at Gartner said demand remained high from buyers looking to cloud-based security services to address a lack of staff or skills, reduce costs, or comply with security regulations quickly.

He said the shift in buying behaviour from the more traditional on-premises equipment toward cloud-based delivery models offered “good opportunities for technology and service providers with cloud delivery capabilities.”

He warned that those without such capabilities needed to act quickly to adapt to this “competitive threat.”

Gartner referenced a security survey from January which it said showed high demand from security buyers for cloud-based security service offerings. Security buyers from the US and Europe, representing a cross section of industries and company sizes, stated that they planned to increase the consumption of several common cloud services during the next 12 months.

The highest-consumed cloud-based security service is email security services, with 74 percent of respondents rating this as the top service.

Furthermore, 27 percent of the respondents indicated they were considering deploying tokenisation as a cloud service, while another area cited for growth was security information and event management (SIEM) as a service.

Gartner is now advising value-added resellers (VARs) to supplement product implementations with cloud-based alternatives that offer large customers reduced operational cost and thereby increase the likelihood of customer retention in this market segment. VARs that fail to offer cloud-based alternatives might experience a decline in implementation revenue from customers seeking cloud-based solutions in certain market segments.

Employers rely on staff not to snoop

Businesses are placing too much trust in their employees when it comes to safeguarding company data, a survey by LogRhythm has found.

However, employees are pulling the wool over their bosses’ eyes.

Questioning 1,000 employers, the cyber threat defence, detection and response company found 80 percent do not believe any of their workers would view or steal confidential information, while three quarters admitted to having no enforceable systems in place to prevent unauthorised access to company data by employees.

And some seem to have all the faith in the world when it comes to their staff with a third claiming they don’t believe they need such systems at all.

In addition, around two thirds of companies surveyed admitted to not regularly changing passwords to stop ex-employees being able to access sites or documents.

However, on the employees’ side, it seems not all is well. In a separate survey of 2,000 staff LogRhythm found that 23 percent had accessed or taken confidential data from their workplace, with one in 10 saying that they do it regularly.

The most accessed confidential data related to details of colleagues’ salaries, with 38 percent of staff admitting to snooping around to find this out, while a further 23 percent said they looked for details of colleague bonus schemes.

A huge 94 percent of those who had accessed confidential information or stolen company data had never been caught.

When asked, more than a quarter of employers could not identify the biggest threats to their confidential data, while 14 percent did not even know whether employees have stolen data – even though they believe employees would do so.

Ross Brewer, vice president and managing director for international markets at LogRhythm, came to the groundbreaking conclusion that this showed there was a “clear gap between businesses’ internal security procedures and the harsh reality of employee behaviour”.