Buyers of expensive IT security ask why they’re still insecure

April 15, 2013

We do a lot of work for IT security clients and the numbers they share with us about attacks and monetary losses numb the brain. The money spent by corporate America to maintain some semblance of protection and to fend off cyber attacks is astronomical. If you’re reading this, you know what we mean. Still, the attacks and the cost of defending yourself grow unabated. What’s going on here?

One of these clients who does big work for big brands told us recently that a perception of low return on their security dollar has created a growing, board-level frustration and alarm within these companies.  “They question the ROI on the hundreds of millions of dollars invested in IT defenses and they have every right to be pissed,” he said. Of course, our clients have a vested interest in encouraging the upgrade of aging defenses so easily overcome by wily, super-smart and well-financed cyber-criminals today.

Computer security is a multi-billion-dollar industry employing some of the most brilliant technologists in the world. They labor relentlessly to stay a step ahead of the bad guys who, just like terrorists, only have to be successful once, while techno-sleuths and defenders must succeed 100% of the time. Yet, even in the breaches that merit the biggest headlines, most of the time the crooks used ridiculously simple methods to break in. In other words, many organizations are overlooking basic precautions even as their security systems grow more complex and expensive. Just like street crime, the bad guys prey on victims of opportunity.

Like muggers, cyber-attackers scan for companies that may not be properly utilizing the defenses they have or whose passwords fail the tough-to-guess test. To us in the business of marketing some truly amazing preventive technology, this is an eye-opener. Here’s hoping it can open more corporate-security eyes as well. The chain around the company’s digital assets is only as strong as the weakest link, and the bad guys go straight to it.


IT Concerns About Targeted Malware Rising

April 4, 2013

When it comes to servers, IT and security professionals’ concerns about targeted malware and data breaches are escalating while their confidence in their ability to identify and stop advanced threats is on the decline, according to a new survey by security firm Bit9.

“Targeted malware was the top security concern for the second year in a row,” says Ilana Goddess, product marketing manager for Bit9, noting that 52.4 percent of survey respondents (up 15 percent from a year ago), cite targeted malware as their primary concern.

“The whole thing with targeted malware is that targeted threats are aimed at you,” says Goddess. “They are the most difficult to defend against because it’s like a virus that only affects you. And the attackers are not stopping. They’ll persist until they get in whether it takes months or years. Antivirus isn’t going to work because people haven’t seen the signatures before.”

In November and December of 2012, Bit9 polled 966 IT and security professionals worldwide for its second annual Server Security Survey. Most respondents (58 percent) administered up to 50 servers; 29 percent administered 100 to 500 servers; and 13 percent administered, on average, 2,000 servers. About one-half (51 percent) said they are running Windows as their primary platform (i.e., Windows comprises more than 75 percent of total servers); 12 percent said they are running Linux as their primary platform (up 13 percent from last year); 2 percent said they run Unix as their primary platform.

One-Quarter of Firms Have Been Victims of Targeted Malware

Goddess notes that it comes as no surprise that respondents again identified targeted malware and data breaches as a top server security concern, given the proliferation of such attacks in 2012. Attacks like Flame, Gauss, mini-Flame and the Flashback Trojan garnered significant media attention last year. Twenty-five percent of Bit9’s respondents say they had been the victims of advanced malware (up 8 percent since 2012), while 18 percent said they didn’t know whether they had been attacked (according to the F.B.I., two-thirds of breaches are detected by a third party). And according to security firm Mandiant, attackers have, on average, been in place for 416 days prior to detection.

At the same time, server data has become much more vulnerable to attack. Verizon’s 2012 Data Breach Investigations report found that 94 percent of all data compromised in 2012 involved servers (an increase of 18 percent from 2011). Goddess says IT and security professionals are losing confidence in their ability to identify and thwart these advanced threats: Only 18 percent of respondents said they were very confident in their ability to stop advanced malware; 59 percent said they were somewhat confident, 20 percent said they were not confident (up from 10 percent in 2011) and 4 percent said they were unsure.

Security Pros Mistakenly Believe Virtual Servers Are More Secure

In addition to an increase in the use of Linux as the primary server platform, companies are increasingly going virtual. One-third of survey respondents say that more than 50 percent of their servers are virtual. Also, half of the respondents said they had deployed virtual desktops, are in the process of rolling them out or have plans to do so.

Goddess says many IT and security professionals believe that their virtual servers are more secure than their physical servers, despite a 2012 Gartner study that found 60 percent of virtualized servers were less secure than the physical servers they replaced.

“People think their virtual servers are more secure than their physical servers, but that’s just not the case,” Goddess says. “They’re really the same vulnerabilities that you find elsewhere in physical servers, but somehow they think of virtual servers as not being as much on the frontline.”

For instance, she says, many professionals think the frequent re-imaging of virtual servers protects them from advanced threats. However, she notes, these threats frequently get in and do their damage within 15 minutes, moving on to other areas quickly.

In fact, when asked to rank types of servers according to the risk they represent, only 6 percent of respondents considered virtual servers to be high risk. Most respondents (66 percent) felt Web servers were the most high risk; 38 percent felt file servers were high risk; 34 percent pointed to email servers; 26 percent cited domain controllers; 14 percent labeled application servers high risk; and 11 percent ranked databases as high risk.

Goddess says that may indicate that IT and security professionals are looking in the wrong direction. After all, the most valuable enterprise information is found on file servers (e.g., intellectual property), databases (e.g., customer information) and especially domain controllers (e.g., passwords, administrative rights).

IT and security professionals are also concerned about the administrative effort required by security solutions. When asked to rank their top concerns about server security, nearly 12 percent cited “too much administrative effort on security solution” as a top concern, ranking it even higher than an actual attack.

“These results highlight the need for greater control in identifying and stopping advanced attacks on valuable server resources, before they execute, while decreasing the security-related administrative workloads of IT and security professionals,” said Brian Hazzard, vice president of product management for Bit9. “The key to securing enterprise servers, both physical and virtual, is to allow only trusted software to execute and prevent all other files from running.”

via IT Concerns About Targeted Malware Rising – Network World.


Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines

March 26, 2013

The Twenty Critical Security Controls have already begun to transform security in government agencies and other large enterprises by focusing their spending on the key controls that block known attacks and find the ones that get through. With the change in FISMA reporting implemented on June 1, the 20 Critical Controls become the centerpiece of effective security programs across government. These controls allow those responsible for compliance and those responsible for security to agree, for the first time, on what needs to be done to make systems safer. No development in security is having a more profound and far-reaching impact.

These Top 20 Controls were agreed upon by a powerful consortium brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the consortium include NSA, US-CERT, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, the Department of State and the DoD Cyber Crime Center, plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities.

The automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness. The US State Department, under CISO John Streufert, has already demonstrated more than 94% reduction in “measured” security risk through the rigorous automation and measurement of the Top 20 Controls.

A Brief History Of The 20 Critical Security Controls

20 Critical Security Controls – Version 4.1


Report Highlights Costs of Mitigating Top Cyber Threats

March 18, 2013

Organizations can spend as much as $6,500 an hour to recover from distributed denial of service (DDoS) attacks and $3,000 a day recovering from malware infections, according to a new report from Solutionary.

In its 2013 Global Threat Intelligence Report, Solutionary identified sophisticated malware, DDoS attacks, the bring-your-own-device (BYOD) trend and Web application security as the top four security issues and threats organizations are concerned about. The report didn’t stop at identifying the threats; it also attempted to quantify the costs of mitigating them.

What was clear from the report was that there were significant costs associated with not having, updating, or testing a proper incident response plan.

“Cyber criminals are targeting organizations with advanced threats and attacks designed to siphon off valuable corporate IP and regulated information, deny online services to millions of users and damage brand reputation,” Don Gray, chief security strategist for Solutionary, said in a statement.

Organizations that take the time to have a proper incident response plan are more likely to spend less money on incident response when the unthinkable happens, Rob Kraus, director of research at Solutionary, told SecurityWeek.

Solutionary’s report is based on real-world cases from its global customer base and reflects actual incidents and expenses, Kraus said. The costs of incident response include hiring third-party consultants and incident response teams, beefing up staff after an attack, and buying new mitigation technologies.

Other figures relating to lost productivity, downtime in the event of a DDoS attack, and lost revenue were not included in the numbers, which means organizations would likely incur even higher costs after a security incident to mitigate the threats.

In the report, Solutionary found that 54 percent of malware samples can get past antivirus and endpoint security tools, and 44 percent of all phishing emails have banking themes. Nearly 45 percent of malware attack attempts target financial customers and 35 percent go after retail customers, Solutionary said. Most of the attacks take the form of phishing emails with malicious links and attachments.

Solutionary also examined the most targeted applications, and concluded Java now surpassed Adobe PDF as the one under heaviest attack. Nearly 40 percent of all exploits analyzed by Solutionary’s team of researchers were based on Java vulnerabilities, Gray told SecurityWeek.

The report also found that United States organizations actually are at greater risk from domestic threats than they are from foreign threats. In fact, 83 percent of attacks against US organizations came from US-based IP addresses, the report found. Around 23 percent of US organizations attacked via US IP addresses were government agencies, the report said.

The shift away from the nation-state narrative runs counter to a lot of the hysteria surrounding Mandiant’s report last month detailing attack strategies employed by a group based in China, and allegedly associated with the Chinese military.

To be fair, the second largest source of attacks in Solutionary’s report was China, but the country accounts for a mere 6 percent of attacks against US businesses.

The heavy concentration of U.S. based attack IP addresses may also be tied to the high number of machines infected and unknowingly recruited into a botnet.

Another interesting finding showed that attackers from different countries tended to focus on different industry verticals. Most (90 percent) of China-based activity targeted the business services, technology and financial sectors, while 85 percent of Japan-based attacks were focused on the manufacturing industry, Solutionary found.

Attacks targeting the financial sector appear to originate “fairly evenly from attackers in many countries across the world,” the company said. Attack techniques also varied by country, with Chinese attackers taking advantage of already-compromised devices, and Japanese and Canadian attackers focused on exploiting Web applications. Attacks from Germany generally involved more botnets and command-and-control activity.

“The Solutionary GTIR provides actionable intelligence and strategic recommendations that will allow readers to make smart decisions, strengthen their organizations’ cyber defenses and maximize the value of their security programs,” Gray said.

The report also offers a Security Self-Assessment, which allows security and risk professionals to rank their cyber-security posture based on multiple criteria. They can use the rankings to determine strengths and weaknesses in the organization’s security posture.

A section on “The Future” offers in-depth insights into the global threat landscape and a predictive look at how things will change. This may cover how malware authors will continue to evade anti-virus software, and how exploit kits will evolve.

The “Getting the Most from Threat Intelligence” section arms organizations with details on how to use threat intelligence to make decisions and take actions that will reduce overall security risks.

Thanks to the threatvector


The Fallacy of the Security No-Man’s Land

March 5, 2013

Mike Rothman of Dark Reading wrote an interesting piece, which Bruce Schneier echoed last week, arguing that security vendors are focused on the top 1,000 enterprises, leaving the meager mid-sized businesses that live beneath the Security Poverty Line to fend for themselves.  Rothman:

“These folks have a couple hundred to a couple thousand employees. That’s big enough to have real data interesting to attackers, but not big enough to have a dedicated security staff and the resources they need to really protect anything.”

I feel this argument is a tad overstated.  Think about what the No-Man’s Land theory says about the business models of security vendors—that they’re collectively and deliberately ignoring an entire forest full of deer and rabbits with hopes of nabbing a few elephants?  Sounds like a surefire way to starve to death.  (My apologies, vegetarians.)

Rothman hits the nail on the head here, though:

“What folks in security no-man’s land need most of all is a security program. They need an adviser to guide them through the program. They need someone to help them prioritize what they need to do right now.”

YES!  This is the secret sauce. But what makes this exclusive to large enterprises?  Despite not having bespoke security, it’s hard to excuse mid-market companies that don’t go after the low-hanging fruit (sorry, carnivores).

Rothman continues:

“They don’t want or need someone to do everything for them. And they certainly don’t need a shiny object to stop the attack du jour.”

The “blocking and tackling” Rothman calls for is something every organization can start doing, large or small. For unstructured data, Varonis has an entire blog series detailing precisely how companies can implement a security action plan, and Varonis will custom-tailor every step around the resources available.

By focusing on the fundamentals, we’ve seen some mid-market businesses with a few ultra-bright security and operations folks implement more comprehensive and successful IT security programs than Fortune 100s with ostensibly limitless budget and staff.


Cybersecurity Now Top of Mind Around the World and Network Security is Taking Center Stage

February 26, 2013

It’s no surprise that in the wake of the rapid increase in cyber attacks, governments around the world are moving towards strengthening their cyber security, and even taking steps to mandate better collaboration on security issues between the private and public sectors. Here is a sample of the most recent initiatives:

  • US – Feb-2013: Obama Orders Cybersecurity Standards for Infrastructure
  • European Union – Feb-2013: EU Unveils New Cybersecurity Policy
  • Italy – Jan-2013: Italian Government Approves Cybersecurity Measures to strengthen online security and protect critical infrastructure from increasing cyber assaults
  • India – Jan-2013: India Developing National Cybersecurity Architecture. India is in the midst of developing a national cybersecurity architecture aimed at preventing sabotage and espionage of its core IT systems and networks
  • Australia – Jan-2013: Australia toughens stance on cybersecurity
  • Russia – Jan-2013: The Russian Federal Security Service gets empowered to create a state system for the detection, prevention and liquidation of the effects of computer attacks on the information resources of the Russian Federation

There are important common factors in all the above:

First, a global appeal for stronger collaboration between the public and private sectors to share intelligence on cyber attacks. Under existing EU rules, telecommunication companies are already required to report significant security incidents. Wade Williamson, one of our in-house experts on cyber threats, recently wrote in this blog about “Combating Emerging Threats Through Security Collaboration”.

Secondly, a shared understanding that the global economy is highly dependent on critical infrastructure that might not be as secure as initially thought. For example, the U.S. executive order specifically mentions power grids, pipelines and water systems.

Finally, full awareness that much of the critical infrastructure supporting a thriving, modern economy relies on a set of interconnected networks and systems that must be closely monitored and protected. The proposed European directive calls out the need for resilient, safe, and stable networks and systems.

One takeaway for our customers is that network security is being more systematically called out in cybersecurity discussions worldwide and is even taking center stage. Some analysts have commented that network security will remain the largest cybersecurity submarket for the next 10 years.

Why? Even as SaaS applications, social networking, mobile devices, or cloud-based computing become mainstream and push the limit of the traditional enterprise perimeter, the network and the firewalls remain the one place where organizations in both the public and private sectors can see all traffic and actually enforce security policy.

via Palo Alto Networks Blog.

Thanks to http://www.thethreatvector.wordpress.com


Impact of cybercrime underestimated as most crimes go unreported

May 4, 2012

For a cyber crime to count as a statistic, the crime has to be reported. Has your company ever been the target of a phishing attack and not reported it? Because cybercriminals can launch coordinated attacks from all over the world, catching them becomes more difficult as cyber crime continues to grow. Does a company have a legal obligation to come forward about cybercrime? Some consider that companies have ethical, civic and legal obligations to report cyber threats to the authorities.

Many cyber attacks go unreported

In 2010, there were over 303,000 complaints filed with the Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center (NW3C). Its purpose is to receive Internet-related criminal complaints and to research, develop and refer them to federal, international law enforcement or regulatory agencies for appropriate investigation. Since its inception, the IC3 has received complaints relating to a variety of threats and cybercrimes, including online fraud, hacking, online extortion, identity theft and every other Internet crime imaginable.

Many police departments are now training computer crime units that people can contact for information and assistance. These units come under the umbrella of law enforcement, and their main role is investigative: tracking down cyber criminals.

Punishment for cyber crime is growing in severity

Different countries have different laws that cover cyber crimes, and as the level of cyber crime increases, the punishments handed down are growing in severity. Here are some examples of the punishments handed down in the U.S. (from Carnegie Cyber Academy):

  • Hacking – Hacking is covered under a Federal law. Punishments range from paying a large fine to going to jail for up to 20 years, depending on the seriousness of the crime and how much damage the hacker has done.
  • Spamming – Spamming is covered under the CAN-SPAM Act and the minimum punishment is a fine of up to $11,000. Additional fines are added if the spammer violated policies or used automated bots to collect email addresses. Spammers can be sent to jail if they used false information or a computer they weren’t allowed to use.
  • Identity Theft – The laws covering identity theft were enhanced in 2004, requiring tougher punishments to match the seriousness of the crime. Identity thieves can go to jail for up to five years. There are also increased punishments for identity theft used to commit terrorist acts and for people who abuse their position for identity theft.

Many high-profile companies have suffered serious data breaches; possibly the biggest data breach in US history was the Epsilon attack last year. Epsilon, a global provider of marketing services, had its IT system hacked, and the criminals gained access to the names and email addresses in its customer database, which included some of the world’s largest companies across a variety of sectors. This successful attack gave criminals access to large amounts of information about individuals in these companies, details that will allow them to target each company more specifically. For a company this can have far-reaching and costly consequences.

According to the FBI, worldwide cybercriminals earn over $100 billion per year through their increasingly sophisticated cyber attacks. SMBs are frequently more exposed to risk from cybercriminals than larger companies.

Security Challenges SMBs face :

  • Inadequate security awareness among employees
  • No dedicated IT security professional
  • Limited IT security budget
  • Lack of IT security policies

Big-company thinking is often about maximising the IT security budget, whereas SMEs are much more frugal and need to think about the customer. SMEs require fast, cost-effective and easy-to-manage solutions. Small businesses face many of the same risks as larger firms but without the same level of resources. In this scenario, planning for security is an imperative.


Booz Allen Reports Top Ten Cyber Security Trends for Financial Services in 2012

December 15, 2011

The following list was developed from research by Booz Allen, which has years of experience in financial services consulting for federal, nonprofit and commercial clients:

Top 10 Financial Services Cyber Security Trends for 2012:

1. The exponential growth of mobile devices drives an exponential growth in security risks. Every new smart phone, tablet or other mobile device opens another window for a cyber attack, as each creates another vulnerable access point to networks.
2. Increased C-suite targeting. Senior executives are no longer invisible online. Firms should assume that hackers already have a complete profile of their executive suite and the junior staff members who have access to them.
3. Growing use of social media will contribute to personal cyber threats. A profile or comment on a social media platform, even by the CEO’s son or sister, can help hackers build an information portfolio that could be used for a future attack.
4. Your company is already infected, and you’ll have to learn to live with it, under control. Security should remain a priority, but today’s risks and threats are so widespread that it will become impossible to have complete protection; the focus of cyber security tactics increasingly must be to analyze, detect and expunge threats inside your system.
5. Everything physical can be digital. The written notes on a piece of paper, the report binder and even the pictures on the wall can be copied in digital format and gleaned for the tools to allow a hacktivist-type of security violation, and increasingly this will be a problem.
6. More firms will use cloud computing. The significant cost savings and efficiencies of cloud computing are compelling companies to migrate to the cloud. A well-designed architecture and operational security planning will enable organizations to effectively manage the risks of cloud computing.
7. Global systemic risk will include cyber risk. As banks and investment firms continue on the path to globalization, they will become increasingly interconnected. A security breach at one firm can create negative ripple effects that greatly impact systemic risk in financial markets.
8. Zero-day malware (malicious software) and organized attacks will continue to increase. Like a vicious, insidious virus that mutates, the tools of cyber criminals adapt and change constantly, rendering the latest defenses useless. Firms need to be prepared to adapt quickly as well to zero-day malware and the tactics of organized crime and foreign adversaries that are increasingly used today.
9. Insider threats are real. The accidental insider breach will continue to be the primary source of compromise for the Advanced Persistent Threat (APT) and other attacks. Organizations need to focus on security awareness training and internal monitoring to detect intentional and accidental insider access.
10. Increased regulatory scrutiny. Recently, the Securities and Exchange Commission introduced guidelines that require companies to report incidents that result, or could possibly result, in cyber theft or a risk of compromised data considered material.

Further information at http://www.boozallen.com/media-center/press-releases/48399320/cyber-top-ten-2012
