Tag: security

Office workers threaten businesses

A survey conducted by YouGov suggests the biggest security threat to business is the enemy within.

That’s the employees.

The survey, conducted on behalf of security-as-a-service company Proofpoint, shows that while pilfering stationery may be a thing of the past, office workers are endangering security.

A quarter of the 2,076 people surveyed sent work emails using their personal email account – especially if files are too large to send. A fifth sent emails with confidential information including names, ages and home addresses.

And when working out of the office, 20 percent used a file transfer service like Dropbox to their personal email addresses.

And 45 percent of people received emails that weren’t meant to arrive in their inboxes.

Organisations can’t cope with the idiosyncratic nature of business, it appears. While 43 percent had been trained on data and privacy, a third had received no training at all.

Needless to say, Proofpoint has an axe to grind because it sells security as a service.

Microsoft shows clear signs of OS desperation

Most people were reasonably happy with Windows 7. For that matter, most people quite liked Windows XP. No one liked Vista. And it’s pretty clear that Windows 8 has gone down with the most enormous thud.

Even Microsoft seems to acknowledge that – our sister publication TechEye is reporting that it is saying Windows 7 isn’t that secure.

Actually, it’s Microsoft that isn’t that secure. And its insecurity is linked to Intel’s insecurity too. Microsoft, like Intel, was way too late to jump on the tablet bandwagon and its efforts to get into the smartphone market have been somewhat of a big fail too.

The truth is that it’s all about money and has very little to do with security. These endless patches from Microsoft for operating systems have always been a nuisance and demonstrate that on the OS front, at least, the software giant hasn’t really invented anything. It’s all been borrowed or acquired.

You can’t get a new PC from a retailer now without it being installed with Windows 8.1. Want Windows 7? You’ll have to buy it separately. And if you believe Microsoft, it’s not that secure anyway.

At the launch of Windows XP in London all those years back, Steve Ballmer told us that it was the most secure version of Windows ever. Some of us remember what happened with that one.

I have a machine here that’s running Windows XP and there’s no way I’m “upgrading” it to Windows 8.1. That will leave me insecure, according to Microsoft. Insecure I will be, then. But I do get the definite feeling that I’m not alone in sticking with an OS I like and without the tablet feel I expect on a tablet, not on a PC.

BYOD: security, it’s heard of it

A survey by Context said that despite the prevalence of BYOD (bring your own device) in the workplace, security cannot be guaranteed.

Context says there’s a clear trade-off between convenience and security. It examined three products: Airwatch, Blackberry Universal Device Service and Good for Enterprise, in conjunction with iOS and Android devices.

While these products all provide good levels of BYOD security, Context found the underlying operating systems limit what they can achieve.

Alex Chapman, senior consultant at Context, said: “There is no realistic way to guarantee the security of a workable BYOD environment, but organisations can take significant steps towards mitigation of security risks if they combine technical security controls with clearly defined acceptable use policies. MDM…can only lock down mobile devices to the extent that underlying operating systems will permit and BYOD implementations can only lock down devices to a level that users are willing to accept.”

Mobile malware still ignored by most

Security software companies must try harder to take advantage of mobile malware misgivings and convince smartphone users to start parting with their cash.

This overwhelming preference among mobile users for free stuff needn’t be a barrier to new revenue streams for the security developers, according to a report out today from Juniper Research.

The 135-page report, which is called ‘Mobile Security: BYOD, mCommerce, Consumer & Enterprise 2013-2018’, takes a look at all the usual suspects in the security space and beyond – from AVG to ZyXel.

It concluded that 80 percent of smartphones are unprotected, mostly because of a lack of threat-savvy on the part of their owners. With such a significant majority of phones left unprotected because their owners can’t even be bothered with free software, getting people to cough up looks like it might be a tall order for the anti-malware brigade.

The report also highlights the predicted growth in mobile malware attacks, citing claims from Trend Micro that there would be “more than one million malwares in the market” by the end of the year. It doesn’t make clear whether that figure is a global prediction, however.

The report found that nearly 1.3 billion mobile devices including smartphones, featurephones and tablets are expected to have mobile security software installed by 2018, up from around 325 million this year.

The UK’s National Fraud Authority has also recently warned that mobile malware can be hard to spot with the naked eye, and is generally disguised as legitimate apps.

According to one of the other big noises in the security space, McAfee, 17,000 new forms of mobile malware targeting Android-based devices were identified in the second quarter of 2013. That’s 21% up on Q1 of this year.

Cyber criminals are after your wonga. The security software firms wouldn’t object to having some of it too.

You pays your money, you takes your choice.


SANS: Businesses get security analytics wrong

Although analytics software is a necessary trend for many businesses, companies who’ve splashed out aren’t putting the tools to use properly, according to a survey.

The SANS Institute asked 647 respondents, in collaboration with Guidance Software, HP, Hexis Cyber Solutions, LogRhythm and SolarWinds, about analytics habits within their companies.

Just 10 percent of those surveyed were confident their company could use data sets to analyse security trends, despite as many as 77 percent collecting and monitoring information logs.

Most companies are still relying on log management – at 49 percent – or SIEM platforms – at 47 percent. As few as 17 percent are making use of advanced threat intelligence, according to the report.

Senior SANS analyst and report author Dave Shackleford said there are emerging challenges that traditional SIEM or log management don’t necessarily address. “More scalable and flexible analytics platforms are gaining interest and attention from the security community, and will likely continue to do so, given the threats and attacks we face today,” Shackleford said.


One in five Brits would sell their own data for £5,000

Lack of trust has been plaguing online businesses for years. Many people simply feel uneasy about sharing their data online, although ATMs and cashiers aren’t much more reliable or safe than online services.

However, there are quite a few people who don’t mind sharing their information. According to a new survey published by Interxion and OnePoll, a whopping 17.5 percent of Britons would sell their own personal data for £5,000. Interestingly, 91 percent of women said they would never sell their data, which means men are just greedier. We don’t need a scientific survey to know that.

Most people believe their most precious bit of financial data is their PIN number, but four in ten have already shared their PIN with partners, friends and family. On the whole, 68 percent said financial services is the “most trusted” sector when it comes to personal information, while retail and charity got 15 and 9 percent respectively.

The most trusted peer to share personal information is the partner, at 51 percent. Best friends come in second with 39 percent, while parents rank third with 26 percent.

As for ethics, 11 percent of 18- to 24-year-olds say they would happily sell off their passport details for £5,000.

IT departments nervous about BYOD

Most IT departments are not certain their mobile policies are compliant with both corporate policy and government regulation, according to a report.

Bring Your Own Device means staff are increasingly taking their smartphones into work. Despite this, according to research commissioned by Accellion, an enterprise security company, just 30 percent of organisations have an approved BYOD policy.

70 percent of respondents admitted to being “concerned” and a further 20 percent “extremely concerned” about mobile file sharing.

Additionally, 63 percent of those surveyed want to clamp down on VPN use, and about two thirds have or plan to allow official enterprise content management across mobile devices. Of course, this means making sure the infrastructure is in place to secure those devices – especially those running on sensitive networks.

There was a consensus on limiting or controlling which sites or folders are accessible to staff on mobile, for example, making sales documents available on mobile but blocking access to human resources.

14 percent of respondents were in the process of developing their own corporate app store, with another 14 percent already having one.

Guidance Software picks Wick Hill as UK distie

Distie Wick Hill has got the UK contract for US-based forensics, analytics, and incident response company Guidance Software.

Guidance Software can claim over half of Fortune 100 companies as clients. The company offers EnCase Analytics, which promises to find and treat otherwise hard-to-detect threats. This technology uses data from every endpoint at a kernel level instead of trusting a compromised OS.

The EnCase Cybersecurity product peers into endpoint activity across a network after a hacking attempt, specifically when threats have been suspected but aren’t identified, or if it’s necessary to snip out sensitive data from unauthorised locations.

EnCase Enterprise, Guidance boasts, is forensic-level enterprise investigation, which can cut down on the massive costs and regulatory risks typically associated with investigations in the enterprise. Guidance says it can quickly and accurately detect policy violations, including employee fraud and intellectual property theft.

Ian Kilpatrick, chairman at Wick Hill group, said Guidance can give the channel an answer to maintaining security across network infrastructure, which increasingly has more endpoints and generates more data.

“Guidance provides exceptional visibility into endpoint activity across the network, as well as sophisticated forensic tools, which include the ability to preserve forensic evidence post-incident,” Kilpatrick said.

Guidance’s veep of sales for EMA and APAC, Sam Maccherola, said Wick Hill was the right distie because of its existing experience in IT security and the major markets Guidance operates in.

Most CIOs coming round to BYOD

Most CIOs are happy to let employees bring their own devices to work as the BYOD trend shows no sign of slowing.

IT departments were forced to adapt when personal devices frequently had better compute power and more utility than company-issued Blackberrys. At the same time, there was a challenge in securing devices to make sure sensitive data did not fly off company networks. But when a CEO is wondering why he or she can’t use their iPad at work, and a user’s laptop is better than the company box, it saves cash for the company and keeps employees happy as long as IT can secure the tech.

A report claims over three quarters – 76 percent – of CIOs now let employee devices into the workplace. Understandably, IT managers are concerned about security.

The top BYOD devices are laptops, followed by smartphones, memory sticks, tablets, external hard drives, and iPods.

Managing director of Robert Half Technology, which conducted the survey, Phil Sheridan, said there are a number of factors leading to BYOD’s growth. “Consumer friendly technologies prompt employees to rely on a certain level of productivity at work as they have at home,” Sheridan said. “Only 24 percent of IT directors in our survey said that they do not currently allow employee owned devices into the workplace, so the tide has clearly turned in favour of BYOD”.

It is, however, still necessary for companies to consider their BYOD strategy to prevent any embarrassing data SNAFUs.

Additionally, there can be financial costs in upgrading infrastructure to properly manage employee owned devices, or to provide training. However, almost a third of those surveyed did report cost savings by adopting BYOD policy.

“Although CIOs have security concerns when considering BYOD policies, their teams are best placed to implement the correct infrastructure to support extra devices in a safe environment and to understand the impact of extra devices and apps on the network,” Sheridan said.

IBM to buy Trusteer

IBM has coughed up the readies to acquire IT security company Trusteer, which it hopes will help boost its portfolio in advanced threat management and application security.

Big Blue is putting together a cybersecurity software lab in Tel Aviv, Israel, made up of over 200 IBM and Trusteer researchers, in addition to the company’s existing R&D in Israel. Together, they will focus specifically on mobile and application security, advanced threats, counter-fraud, malware, and financial crime.

IBM Security will take advantage of Trusteer’s knowledge in security as a service through the cloud, as well as counter-fraud and advanced persistent threat protection. Additionally, Trusteer points out in a statement that half of the top 25 US financial institutions offer mobile finance management, meaning advanced security needs to be in place to protect the institutions and their customers.

IBM wants to roll Trusteer’s expertise into its own range of software and services, such as QRadar, i2, SPSS, InfoSphere, and Enterprise Content Management.

In a statement, Trusteer’s CEO Mickey Boodaei said the way organisations are protecting data is quickly evolving. “As attacks become more sophisticated, traditional approaches to securing enterprise and mobile data are no longer valid,” Boodaei said, adding that Trusteer already has large banks as customers.

Google: Pets are most popular passwords

Google commissioned a survey of 2,000 adults – and one in ten said they could accurately guess a colleague’s password. Probably because the most popular passwords are, according to the research, easy guesses.

Wedding anniversaries, birthdays and kids’ names were all top choices for passwords, while football teams and the word ‘password’ also appeared a fair few times. Indeed – ‘password’ was tenth most popular.

Shockingly, half of web users surveyed admitted to sharing their passwords with other people. Women, the survey found, were more likely than men to share their password, and twice as likely to share it with their children.

But the most chosen password was the name of a pet. Favourite holidays or place of birth were also frequently chosen – the kind of passwords that would also be answers to security questions.

Given that it is often social engineering tricks or the simple human gaffe that leads to compromised security, this is a security nightmare.

“People often leave their information open to online security breaches without even realising it,” director of security for Google Apps, Eran Feigenbaum, told the Telegraph. “Lax attitudes to online security can lead to serious consequences if strangers access your information.”

Speaking with ChannelEye, security expert Graham Cluley said it’d sadly be no surprise if the research was accurate.

“It never ceases to amaze me how – despite all the high profile hacks and data breaches – people still haven’t learnt the most basic lesson about passwords,” Cluley said. “Or if they have, they’ve decided to ignore it because it’s ‘too difficult’ to remember tricky passwords, let alone different passwords for different websites”.

Echoing earlier calls from the UK’s security pundits, companies and consumer action groups, Cluley said it’s easy to imagine the positive impact of a public education campaign.

It could explain that “password management software exists, often for free, which will remember all your passwords for you, and generate new, complex passwords so you don’t end up using ‘Tiddles’ over and over again,” Cluley said.

Trend Micro shuffles channel approach

Security company Trend Micro is reshuffling its channel program with a view to boosting access to its cloud and Data Centre Security offerings.

Updates to the Deep Security deal registration and specialisation programs are included, plus an on-demand marketing platform that opens up assets for partners. Deep Security offers enterprise-class protection to the mid market, specifically to prevent data breaches and other possible business disruptions in physical and cloud servers.

It’s an all-in-one that brings anti-malware, web reputation and firewall together, as well as intrusion prevention, integrity monitoring and log inspection. It lets companies virtually patch their critical systems and cut out vulnerabilities before they wreak havoc, as well as helping businesses make sure they’re up to speed with regulatory requirements such as HIPAA and NERC.

Now, partners will be able to use the deal registration program to simplify their margin structure and make registration easier. The specialisation program will open up additional revenue streams for specialising in specific areas.

The on-demand marketing program makes more marketing content available to partners through a dashboard platform, giving them access to co-branded emails and web content.

Veep of US channel sales, Partha Panda, said that there is a lot of money to be made from mid market companies. They “present a tremendous business opportunity for our channel partners and we want to support them with one of the most reliable security solutions available,” Panda said.

Execs don’t get security metrics

Senior executives are struggling to take security metrics into account for their risk-based security programmes, a report has said.

Most organisations rely on taking security metrics into account to improve operations, but non-technical business executives struggle to understand the value. IT professionals find it tough to communicate properly with senior execs, because metrics are difficult to properly explain to people with non-technical backgrounds.

A Ponemon Institute and Tripwire survey said 35 percent of IT staff find it takes too much time and resources to properly prepare and report these metrics to senior executives, and worryingly, 13 percent thought the management was simply not interested in the information. Other more pressing problems are often the priority.

Chief Information Security Officers, or CISOs, do often talk up the importance of using these metrics in line with business goals and building risk management best practice, but it is difficult to produce meaningful metrics, while those that are used rarely match business strategy, Tripwire’s Rekha Shenoy said.

A large majority of respondents with a risk management background do agree that studying and using these metrics is important for a risk-based approach to security. But half of respondents said they are unsure that these metrics are used in line with business objectives.

Meanwhile, 49 percent of respondents didn’t believe or were unsure the metrics “adequately convey the effectiveness of security risk management” to senior execs.

The report concludes the onus is on IT security and risk professionals to improve the ways they communicate security metrics, if there is to be broader adoption of risk based security.

“Even though most organizations rely on metrics for operational improvement in IT,” Larry Ponemon, Ponemon’s chairman, said, “more than half of IT professionals appear to be concerned about their ability to use metrics to communicate effectively with senior executives about security”.

Logicalis scores Juniper Network Elite status

Logicalis has nabbed itself Elite Partner status for Advanced Security at Juniper Networks’ partner advantage programme, the top level for partners.

Logicalis has got itself Firewall/VPN & IDP and Policy and Access Control authorisations, which the company hopes will score it some more brownie points with companies thinking of hiring it.

MD at Logicalis UK, Mark Starkey, said the company had worked with Juniper Networks for quite some time, so getting the Elite status should help it sell itself to businesses concerned with advanced security in emerging trends like mobility and cloud.

“This accreditation provides us with access to the latest technologies and advanced training at Juniper,” Starkey said.

Darryl Brick, director of partners UK&I at Juniper, said that Logicalis is now offering advanced security from data centre through to small and medium enterprise, so customers can “take advantage of some of the most advanced security technology and services in the market”.

Phishing attempts triple

Every single day roughly 3,000 UK web users were sent a phishing attack between 2012 and 2013, triple the levels seen between 2011 and 2012.

That’s according to a new Kaspersky Lab report, “The Evolution of Phishing Attacks”, revealing that what was once a subset of spam has grown into its own category of cyber attack. The most targeted websites were Facebook, Yahoo, Google and Amazon, with Facebook and Yahoo overwhelmingly ahead as targeted sites.

Worldwide, attacks reached an average of 102,100 people each day, with the most common targets being web users in Russia, the United States, India, Vietnam and the UK. Most servers hosting the phishing pages were registered in the USA, the UK, Germany, Russia and India.

Kaspersky discovered that half of all identified attack sources came from only 10 countries, signifying there is quite a small number of preferred regions from which to launch the attacks.

20 percent of phishing attacks were set up to mimic banks or financial organisations.

Kaspersky’s deputy CTO for research, Nikita Shvetsov, said the enormous increase shows that phishing is not just a sideline for spammers. “These attacks are relatively simple to organise and are demonstrably effective, attracting an increasing number of cybercriminals,” Shvetsov said.