System News for Sun Users

9 Tips, Tricks and Must-Haves for Security Awareness Programs

2013-06-14T16:00:00+01:00

"What are the essential ingredients for making a security awareness program successful?" asks Joan Goodchild in "Network World".

"Check out these 9 tips from CSO contributors on how to make awareness work in your organization:"

Metrics
Flexibility
Some allowance of rule breaking
A challenging new approach
C-Level support
Partnering with key departments
Creativity
An effective time frame
A multimedia approach

Read on for details.

Is Security Professional Development Too Expensive?

2013-06-14T16:00:00+01:00

"Paid trainings and certificates serve vital role, but open-source-style security education offerings could make the entire security education field more complete and affordable," comments Ericka Chickowski in "Dark Reading".

"As the security industry continues to grapple with a shortage in skilled professionals, particularly within very specific niches like application security, the state of security professional development continues to keep the industry locked up in a number of hotly contested debates. Beyond the most obvious argument over the value of security certifications, some security pundits have stepped up to argue about a more fundamental impediment to rising the tide for all boats in the industry: the cost of paid training..."

Rogue Employees, Malware Exploits and Unauthorized Software

2013-06-14T16:00:00+01:00

"While IT security professionals recognize the threat posed by unwitting employees, many still admit to allowing administrative privileges to go unmanaged, making organizations increasingly vulnerable to malware exploits and unauthorized software, according to Avecto," writes HelpNet Security.

"The study, conducted at Infosecurity Europe in London, UK, surveyed more than 500 decision-making information security professionals. It reveals the extent to which organizations allow employees full control over their desktops, without implementing adequate controls to defend against accidental or deliberate misuse of privileges..."

3 Lessons from Layered Defense's Missed Attacks

2013-06-08T16:00:00+01:00

"Layering security measures typically protects systems better: Research (PDF) by three University of Michigan graduate students in 2008, for example, found that using multiple antivirus engines result in much better protection than using a single program", reports Robert Lemos in "Dark Reading".

"Yet recent analysis by NSS Labs highlights that layering security devices rarely catches all attacks, and the attacks that manage to dodge defenses do so with regularity. The analysis -- a survey of the company's past tests of next-generation firewalls, intrusion prevention systems, and endpoint protection software -- found that the tested products tended to fail in similar ways. While two products always performed better together than individually, their combined performances varied tremendously..."

How to Secure USB Drives and Other Portable Storage Devices

2013-06-08T16:00:00+01:00

"As individuals and organizations digitize more data, they become more susceptible to major data breaches," comments Paul Mah in "IT World".

"Though convenient, inexpensive USB flash memory sticks and other portable storage devices certainly don't help the cause, beacuse workers use them transport databases and other confidential information. On top of the real danger of misused data, major data breaches also cause damaging negative publicity.

It may seem inherently complex, but securing portable storage devices is within reach for small businesses. Here's what organizations can do to secure their data..."

Security Pros Fail In Business Lingo

2013-06-08T16:00:00+01:00

Kelly Jackson Higgins writes in "Dark Reading", "Non-executive-level security professionals just aren't communicating well or coherently with senior executives, a new survey shows.

That's in contrast to their superiors on the executive side of the security house, who appear to have somewhat hacked the proper business language and perspective: While about 38 percent of non-exec security pros say they use business-oriented language when they communicate with corporate execs, nearly half of exec-level security pros say they do..."

University Fined $400,000 After Disabled Firewall Put Medical Records at Risk

2013-06-08T16:00:00+01:00

"A medical facility run by Idaho State University (ISU) has been fined $400,000 after thousands of patient records were left in an unprotected state when firewall monitoring was disabled," reports John E Dunn in "TechWorld"].

"According to the medical information commissioner, the US Department of Health Human Services (HHS), the records of 17,500 patients at the University's 29 Pocatello Family Medicine Clinics were left unsecured for 10 months..."

Why We Won't Get International Cyberwarfare Standards

2013-06-08T16:00:00+01:00

"ASA Risk Consultants added its voice this week to the slowly growing chorus of voices demanding a coordinated international response to cyberattacks. In a research note circulated by IDG, ASA asserts that 'nations will need to come to an agreement on how cyber warfare should be handled," reports Kim Davis in "Internet Evolution".

"Nations should establish lasting peace and end world poverty, too. There's always something new for the to-do list. Don't hold your breath on any of these..."

Experts Highlight Top Data Breach Vulnerabilities

2013-06-02T16:00:00+01:00

"Hidden vulnerabilities lie in everyday activities that can expose personal information and lead to data breach, including buying gas with a credit card or wearing a pacemaker," reports and article in "Help Net Security".

"Every transaction and health record is now collected, categorized, sorted, and analyzed�'and can be hacked. Microcomputers that control aspects of everyday life�'from heart rhythms and insulin levels, to the operation of manufacturing plants and data centers, to the use of electricity in homes and gasoline usage in cars�'are increasingly at risk for data breach and can threaten public safety.

Industry experts offer insights on top hidden vulnerabilities that can cause data breach:..."

Too Much Infosec Regulation Undermines Security, Warns NAB

2013-06-02T16:00:00+01:00

"More prescriptive regulation of the security posture in industry sectors like banking could have the paradoxical impact of reducing security, according to Andrew Dell, head of IT security services at the National Australia Bank," reports Richard Chirgwin in "The Register".

"'We have to become much more agile and proactive �- how we look at, how we react to cybercrime. Our posture is changing from 'observe and analyse' to 'detect and respond',' Dell told the 2013 Trend Micro Evolve Security Conference..."

10 Reasons SQL Injection Still Works

2013-05-19T16:00:00+01:00

"After all of these years, SQL injection vulnerabilities still stand as an old reliable for attackers seeking to break into corporate databases," writes Ericka Chickowski in "Dark Reading".

"Beyond the obvious "hackers do what works" explanation, there are additional dynamics at play that keep SQL injection in the limelight. Among the top 10 most impactful reasons why SQL injection persists, experts named technical missteps, business process issues, and attack environment factors. Here's how they broke things down..."

We're Maintaining Juicy Targets
At Least Go Least Privilege
SQLi: Attacker's "Easy Button"
Insecure Development Architecture
Trusting Input
Agnosticism At All Costs
Legacy Code
Code Samples Outdated
Flaws Easy To Fall Through Cracks
Budget Shortfalls

Read on for details.

6 Steps for a Successful Data Security Control Implementation

2013-05-19T16:00:00+01:00

Neil Thacker, writing for "Information Week"], reports, "It's time to move from infrastructure-only security to infrastructure and data security control, asserts Neil Thacker, Security and Strategy officer, Websense. He shares six steps for a successful data security control implementation..."

Calculate the value of your data
Make your ROI case
Monitor and log your data
Apply data security controls
Find your data
Implement proactive protection and up employee education

Read on for details.

What's The Secret to a Great Password?

2013-05-12T16:00:00+01:00

"As your neighbors leave their house one morning, you see them slip a spare house key from under their doormat, then set the key on top of the mat, where it glints in the sun. That's essentially the same as scrawling a username and password on a bright Post-it note, then sticking it on the computer monitor," opines Erin Delaney in an article for "Yahoo Small Advisor."

"If the Post-it password seems foolish, it's also revealing. With every new login a person creates, the person is forced to balance competing agendas of efficiency, security and human memory..."

Employees Still Use Online File Sharing, Even If Companies Prohibit Its Use

2013-04-22T16:00:00+01:00

"More than 75% of corporations have policies that prohibit the use of consumer online file sharing and collaboration tools, yet employee use of the services is still rampant, according to an Enterprise Strategy Group survey. reports Lucas Mearian in "ComputerWorld."

"The thing is, IT had control of the data in the past. Now, it has only been three years since this (OFS) market has taken off and now data is everywhere," said Terri McClure, who spoke at SNW here Tuesday..."

Making Security Simple

2013-04-22T16:00:00+01:00

"Conventional wisdom says that simple security is an oxymoron. Good security is complex, while uncomplicated security is weak," writes Stefan Hammond in "CSO Online"].

Whenever security is discussed, I think of Bruce Schneier. The US-based security guru describes crime and prevention forcefully. What's YOUR security profile?

Much of our everyday security practices are unconscious, notes Schneier. We do them out of habit, and don't recognize them as strategic security decisions..."

How Attackers Choose Which Vulnerabilities to Exploit

2013-04-22T16:00:00+01:00

"It's an old but true adage: To protect yourself against a criminal, you have to think like a criminal. This certainly applies to IT security professionals working to keep their organizations' systems and data safe: To protect against a cyber attacker, you have to think like a cyber attacker," writes Michael Cobb in "Dark Reading."

According to Verizon's 2012 Data Breach Investigations Report, 81% of data breaches utilized some form of hacking, and 94% of the attacks were not classified as difficult. Even those attacks that were more complex often used simple techniques to gain an initial foothold..."

Victim of $440K Wire Fraud Can't Blame Bank for Loss, Judge Rules

2013-04-22T16:00:00+01:00

"A federal court in Missouri has rejected an escrow firm's attempt to blame its bank for a $440,000 cyberheist in March 2010," reports Jaikumar Vijayan in "ComputerWorld."

"In a ruling last week, the U.S. District Court for the Western District of Missouri held that Choice Escrow and Title LLC had essentially failed to follow its bank's recommended security procedures and therefore had only itself to blame for the loss..."

15 Worst Data Breaches

2013-04-22T16:00:00+01:00

"Data security breaches happen daily in too many places at once to keep count. But what constitutes a huge breach versus a small one? For some perspective, we take a look at 15 of the biggest incidents in recent memory...", writes Taylor Armerding in "CSO."

Heartland Payment Systems
TJX
Epsilon
RSA
Stuxnet
Department of Veterans Affairs
Sony PlayStation Network
ESTsoft
Gawker Media
Google, etc.
VeriSign
CardSystems
AOL
Monster.com
Fidelity National Information Services

Read on for details.

Misconfigured, Open DNS Servers Used In Record-Breaking DDoS Attack

2013-04-22T16:00:00+01:00

"Biggest-ever distributed denial-of-service attack originally aimed at Spamhaus escalates and hits other corners of the Net", says Kelly Jackson Higgins in "Dark Reading."

"This was not your typical hacktivist DDoS attack: a massive, 300 gigabits-per-second traffic attack against volunteer spam filtering organization Spamhaus spread yesterday to multiple Internet exchanges and ultimately slowed traffic for users mainly in Europe..."

9 Classic Hacking, Phishing and Social Engineering Lies

2013-03-31T16:00:00+01:00

"In 9 dirty tricks: Social engineer's favorite pick up lines, Chris Nickerson, founder of Lares, a Colorado-based security consultancy, explains why this old social-engineering trick is often still successful. He should know, he uses it frequently as a pen tester," reports Joan Goodchild in InfoWorld

"Scammers often take advantage of a timely event, like a high-profile piece of malware that is infecting many computers. The average, non-computer savvy employee gets nervous with the technicality of what the "IT person" on the phone is telling them...

This is Bob from IT. Your computer is infected.
I�'m trapped in London! Help!
Can you hold the door for me?
Have you seen this blog about you?
Your account has been closed
Donate to the hurricane recovery efforts
I�'m late and in a hurry! Please just let me in!
Get a free Starbucks gift certificate!
#popefrancis

Read on for details.

Security Appliances Are Riddled With Serious Vulnerabilities, Researcher Says

2013-03-31T16:00:00+01:00

"The majority of email and Web gateways, firewalls, remote access servers, U (united threat management) systems and other security appliances have serious vulnerabilities, according to a security researcher who analyzed products from multiple vendors" reports Lucian Constantin in "PCWorld."]

"Most security appliances are poorly maintained Linux systems with insecure Web applications installed on them, according to Ben Williams, a penetration tester at NCC Group, who presented his findings Thursday at the Black Hat Europe 2013 security conference in Amsterdam. His talk was entitled, 'Ironic Exploitation of Security Products'..."

Shifting from Compliance-Based IT Security to a Risk-Based Model

2013-03-31T16:00:00+01:00

Joel Griffin writes in "Security InfoWatch":

"In the ever evolving threat landscape that is IT security, some security executives have become so focused on taking an approach that meets compliance requirements that their attention has become diverted away from some of the actual risks facing their respective organizations. Obviously complying with rules and regulations set forth is important, but some organizations are making it the primary guiding principle of their security program..."

99 Percent Of Tested Applications Are Vulnerable To Attacks

2013-03-24T16:00:00+01:00

An article in dark Reading states that "Cenzic Inc., the leading provider of application security intelligence to reduce security risks, today released the Cenzic Trends Report for 2012. The report demonstrates that the overwhelming presence of web application vulnerabilities remains a constant problem, with an astounding 99% of applications tested revealing security risks, while additionally shedding light on pressing vulnerabilities within mobile application security.

Gathered during the Cenzic Managed Security team's analysis of applications in production, the report reveals the massive number of vulnerabilities prevalent in web and mobile applications today. The report highlights the type, frequency and severity of vulnerabilities found and predicts which vulnerabilities will pose the greatest risk in web and mobile applications in production throughout 2013..."

Identity fraud is up, but banks are up to the security challenge

2013-03-24T16:00:00+01:00

"In 2012, the total losses resulting from account takeover and new account fraud each rose by approximately 50% over the previous year," reports Help Net Security.

These two fraud types impact consumers most severely, and are historically more difficult for FIs to prevent and detect than any other major fraud type.

Today, Javelin Strategy & Research releases the firm's 2013 Banking Identity Safety Scorecard..."

Demand for IT Security Experts Outstrips Supply

2013-03-17T16:00:00+01:00

"Demand for information security experts in the United States is outstripping the available supply by a widening margin, according to a pair of recently released reports," reports Jaikumar Vijayan in "Computerworld."

"A report from Burning Glass Technologies, which develops technologies designed to match people with jobs, shows that demand for cybersecurity professionals over the past five years grew 3.5 times faster than demand for other IT jobs and about 12 times faster than for all other jobs..."

5 Most Dangerous New Hacking Techniques

2013-03-17T16:00:00+01:00

"The rise of Stuxnet, Flame, Gause, the Olympic Games operations and Shamoon have all shed light on the issue of nation-state driven cyberwarfare and cyberespionage activities. Now that we are in cyberspace, we have another domain for humans to occupy and dominate, according to Ed Skoudis, founder of Counter Hack Challenges," reports Robert Westervelt in "CRN".

"Skoudis told RSA Conference 2013 attendees that he worries about some of the risks of taking action over the Internet..."

The Time for Sharing Cyber-Threat Data is Now

2013-03-17T16:00:00+01:00

"While controversy has long swirled around the proposed Cyber Intelligence Sharing and Information Act that was recently re-introduced in Congress, the information security community has no doubts that the time to share information on cyber-threats is here," observes Tony Kontzer in "CIO Insight."

"During a panel discussion at the RSA Conference at San Francisco's Moscone Center last Wednesday, top security executives agreed that corporations, which have largely shied away from sharing any information about their vulnerabilities, need to open up as never before. And, they said, it�'s not going to be easy to make it happen..."

Risk Vs Innovation: 5 Steps To Finding the Right Balance

2013-03-09T17:00:00+01:00

"In today's ultra-competitive, fast-moving environment, only the most agile and innovative financial firms can thrive," comments Melanie Rodier in "Wall Street and Technology."

"But with budgets still tight and investors' appetite for risk at an all-time low, firms who want to keep staying ahead of the game need to strike the right balance between risk and innovation..."

Evaluate whether you will gain a competitive advantage
Do a PoC.
Find a business case for it.
Decide how you are going to build a competitive edge
Analyze risk at every point.

Read on for details.

Watch a Chinese Military Hacker Launch a Successful Attack

2013-03-09T17:00:00+01:00

"Thanks to cybersecurity firm Mandiant, we now have a video of a hacker believed to be linked to the Chinese military infiltrating and stealing files from unidentified English language targets," reports Colin Neagle in "Network World."

"The video comes as part of Mandiant's 60-page report, first reported by the New York Times, that claims China's military is responsible for cyberattacks on more than 140 foreign businesses, many of which are in the United States..."

5 Lessons from The FBI Insider Threat Program

2013-03-09T17:00:00+01:00

"Insider threats may not have garnered the same sexy headlines that APTs did at this year's RSA Conference, writes Ericka Chickowski in "Dark Reading."

"But two presenters with the Federal Bureau of Investigation (FBI) swung the spotlight back onto insiders during a session this week that offered enterprise security practitioners some lessons learned at the agency after more than a decade of fine-tuning its efforts to sniff out malicious insiders following the fallout from the disastrous Robert Hanssen espionage case..."