Archive for the ‘Business Security’ Category
Tuesday, October 13th, 2009
According to a 3-month study of 600 botnets which have infiltrated enterprise networks, bot infections are on the rise in the corporate environment. The research, done by Damballa, indicates that it is small botnets, not large ones, that are the most prevalent in the enterprise environment:

As you can see from the graph above, 57% of the botnets infecting enterprises are considered “small”, which is defined as a botnet with 1-100 active members. However, despite being less well-known, these botnets are potentially more dangerous:
While many people focus on the biggest botnets circulating around the Internet, it appears that the smaller botnets are not only more prevalent within real-life enterprise environments, but that they’re also doing different things. And, in most cases, those “different things” are more dangerous since they’re more specific to the enterprise environment they’re operating within.
The study indicates that many of these small botnets have been created with low-cost or free DIY kits that can be downloaded from the Internet. In most cases, these small botnets are described as “highly-targeted at particular enterprises”, sometimes requiring a degree of familiarity with the breached enterprise. This could indicate an insider threat issue that we previously haven’t seen or talked about. The target data in these small botnets is often professionally managed, with financial controller authentication details (for money transfers), customer databases and source code being the top targets.
The problem with these small botnets, aside from their very targeted attacks, is that they often evade detection. Though they are small, these botnets are very dangerous! Damballa puts out a product to detect botnets, but I know very little about it. You can do some independent research on your own to determine how your enterprise will try to detect such intrusions.
Via dark reading
Tuesday, September 29th, 2009
The SANS Institute has just released the results of a comprehensive study on the topic of cyber security risks. The study is based upon prevention systems in 6,000 organizations and vulnerability data from 9 million systems. The study indicates that there are two major risks out there to organizations, both of which could be mitigated.
Cyber attacks are a growing issue for organizations of all sorts, with new and sophisticated attacks being created every day. Though organizations may have difficulty keeping up with the threat landscape, this study found that organizations are not doing what they could to mitigate the two largest risk areas. Specifically, client-side software remains unpatched and websites are not being scanned for common flaws that criminals use to exploit visitors to those sites.
Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access.
The ultimate goal of attackers is to steal information and to install “back doors” so that the attacker can return to further exploit organizational systems. The study found that major organizations take at least twice as long to patch client-side vulnerabilities as they do to patch operating system vulnerabilities. Addressing this single issue could drastically reduce your risk of being exploited. What this also means is that the question of Mac vs PC is not going to be your solution to mitigating risk, as these risks come from cross-platform applications and from the Internet.
The report, which is available here, targets major organizations that want to ensure their defenses are up to date. The report shows some interesting patterns in the data and includes a tutorial on how some of the most damaging attacks actually work. You may find it handy to print this report off to study the graphs in detail.
Sunday, September 20th, 2009
PGP has released a new business guide entitled “Five Truths About Enterprise Data Protection” which talks about how to secure all your data devices – your laptops, USB drives, remote logins, phones and more. The five “truths” are basic statements about data and business, skewed towards the security offerings at PGP, including:
- Business data is everywhere – and it’s on the move
- Exposed data carries high costs & consequences
- Only encryption can secure all your data, wherever it is
- An enterprise-wide data encryption strategy reduces the risk of data breaches
- Enterprise data protection liberates your business
As we’ve said before, encryption is only one piece of the data security puzzle and is not the only solution to all your security needs. For example, Absolute Software’s Computrace Complete can provide additional security in the form of IT Asset Management & Data & Device Security, such as tracking and remotely wiping missing devices. A comprehensive security policy will do a risk assessment and decide on which security tools are important to your corporate needs.
My favorite section in the brochure deals with the 5th Truth, and how a comprehensive security system will enable a business to protect all its data, all the time, wherever it is stored and however it travels. You can get the guide here.
Saturday, September 19th, 2009
We talk a lot about travel and laptop security here on the blog, but one thing we’ve never discussed is safe in-flight laptop practices. And by “safe” I refer to not just data security, but to keeping your laptop from being damaged in any way during flight.
Mary Jo Manzanares, a flight attendant and travel writer, has put together a list of in-flight laptop precautions that will make you think twice about when – and how – you use your laptop on the airplane. The tips include:
- Don’t store your laptop in an overhead bin if it’s in a soft case
- Don’t angle your laptop into the aisle
- Close and put away your laptop during service periods, so there’s no risk of a beverage tipping onto it (yours or anyone else’s)
- Keep your laptop within your own seat space
- If you leave your seat, close your laptop and put it away or leave it on the seat, not the tray
Friday, August 28th, 2009
Business travelers are often putting their data at risk by using public Wi-Fi access points – wireless networks freely available to connect to. When you don’t have a wired network access point, connecting to a wireless network at random may not be your best alternative. It can open you to malicious attacks and to those who track your activities – including capturing private information like passwords.
In order to avoid the risks associated with unknown Wi-Fi networks, there are two solutions you can use.

USB Internet Stick
By connecting a special USB stick to your computer, you can have access to the web in the same way you would with an internet-enabled phone – via a cellular network. Most major cellular providers have one of these options, though they go by many names – in Canada, examples are the “Rogers Rocket Stick” or the “Bell Wireless USB Modem”.
Right now, Verizon is the only company offering a USB modem that will work in 175 countries (Windows only).
The upside: it is more secure than a Wi-Fi access point
The downside: there are no added security benefits, and most USB sticks are country-specific, making them impractical for international business travelers.
Virtual Private Network (VPN)
A VPN supplies connectivity to support remote access to the business network. You connect to the internet with whatever means you have available – wired or wireless – and then connect to the VPN. VPN technologies use tunneling to create the connection to the business network and use encryption protocols to provide you with private access both to the company network and through it. This means you can access company data as well as access the Internet through this more secure connection.
A VPN uses various security mechanisms to protect these private / virtual connections. There are lots of vendors out there for VPNs, including the Cisco Easy VPN.
The upside: you connect to a secure network, so outsiders can’t monitor your web use
The downside: there are many technologies involved in choosing the right VPN solution for you. For some tips on choosing, visit here and here.
Monday, August 17th, 2009
Earlier this year, we posted about one of the largest data breaches to ever come to light: the Heartland Payment Systems breach that affected as many as 100 million and cost the company $12.6 million in legal costs and fines from MasterCard and Visa.
Heartland CEO, Robert Carr, is now opening up about the security breach, hoping other companies can learn from their experiences.
Carr explains why he believes PCI compliance auditors failed the company, why the company believes it was right to inform customers of the breach before the media, and how other companies can learn from all these issues.
Essentially, Carr says the QSA (Qualified Security Assessor) audits of their systems were of no value, since they were unable to detect the security holes that were exploited.
“To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware.”
Carr was surprised to learn that others knew of this attack vector and that the information had not been shared. Carr says he now understands the “limitations of PCI” and the assessment process. The problem with any set of standards, in any industry, is that meeting its compliance measures can lead companies to a false sense of security if those measures are not kept up to date. Heartland learned the hard way that “PCI compliance doesn’t mean secure.”
In the rest of the interview, Carr shares how Heartland has spent $32 million to upgrade their security at all levels, making sure that data is secure and encrypted wherever it resides. Heartland shares that their best advice to other companies experiencing a breach is to be up front with customers. After their breach, all Heartland employees were advised to tell customers what the breach meant for them, to be the point of contact for customers (vs the press). “Being candid has been key.”
Friday, March 27th, 2009
Normally we hear about the massive data breaches that happen due to some loss of electronic data – whether it’s a lost data storage device or laptop or from hacking. However, we can’t forget that paper, too, is at risk for breaching data. This week there were 4 reports of data breaches that were the result of incidents with paper.
- Dozens of files with Social Security Numbers for public housing residents were dumped on the street in New York. People were seen picking up the loose papers, raising concerns of identity theft. The New York Housing Authority has policies to shred documents for disposal, but that policy was overlooked.
- Medical records were found discarded in a trash bin at a convenience store in Shreveport; Social Security Numbers were included. A doctor has admitted to his mistake in improperly disposing of the files.
- Files about seriously ill patients at a New York hospital were found 2 miles away on the pavement. The files contained name, age and medical history, breaching confidentiality though not risking identity theft.
- A Dallas man found a box of medical records, including Social Security Numbers, in the parking lot at a storage business. The storage unit belonging to a doctor was broken into and the records left out.
I think we can learn some important things from these breaches of trust and data. Most indicate a lack of awareness about the data and how it should be treated for storage and disposal. Policies to restrict how data moves about – whether paper or electronic – should be considered. The data retention policy should define how information is disposed of, which can include policies on shredding or purging electronic devices. In terms of data storage for physical papers, standard consumer storage facilities may not have enough security; try looking for companies that specialize in business data storage.
As we shared in a report earlier this month, data breaches at small companies often go unreported. There’s a great deal of education that needs to be done to small business owners – including those practicing in the medical fields – about how to securely handle confidential data in all stages of its life cycle.
Hat tip to databreaches.net
Friday, February 20th, 2009
Cisco recently released a whitepaper about data leakage and insider threats. Several predictions for 2009 have indicated that, particularly with the uncertain economic climate, insider data breaches would become more of an issue. With 88% of respondents admitting they’d take sensitive information if they were laid off, this is a clear and present threat to data security.
In 2008, insider theft accounted for 15.7% of data breaches, and 43% of surveyed companies had experienced fraud, theft or losses as a direct result of employees with access to sensitive data.
Bruce Schneier recently addressed the issue of insiders, which he points out are a perennial problem for organizations. Insiders have the means and opportunity to breach data – intentionally or not. The issues coming up lately refer to an increase in intentional data theft or fraud.
“With 1.5 million predicted job losses in the US alone, there’s an increased risk and exposure to these attacks. This is one of the most significant threats companies face” – Microsoft’s Doug Leland
So, given that you need to trust your employees in order to keep your company running, how do you go about addressing the problem of inside threats? Schneier recommends 5 basic techniques, many of which we’ve talked about here on the Absolute blog:
- Limit the number of trusted people
- Ensure that trusted people are also trustworthy
- Limit the amount of trust each person has
- Give people overlapping spheres of trust
- Detect breaches of trust after the fact and prosecute the guilty
You can read these recommendations in detail here. Hopefully it will give you some ideas about how to prepare for insider issues. Just like with all security planning, it’s about being prepared and about having multiple layers of security in place.
—-
In other news, there have been a high number of data breaches thus far in February (see latest incidents). One getting a lot of attention is from the Federal Aviation Administration (FAA) that affects 45,000 FAA employees.
Monday, January 26th, 2009
The Federal Trade Commission (FTC) has released a report on Social Security Numbers (SSNs) and their correlation with Identity Theft. The report, which can be downloaded here [PDF], is a follow-up to a 2007 workshop on the same topic and the continued work of the President’s Identity Theft Task Force that was established in May 2006.
In the report, the FTC makes 5 recommendations to reduce the role of SSNs in identity theft. One of the recommendations is that Congress take action to strengthen procedures that private-sector organizations use to authenticate identities; they are pushing for nationwide standards in authentication. The task force believes that stronger authentication would make it more difficult for criminals to use stolen information, SSNs included, to impersonate consumers. As the report notes:
“Identity theft continues to be a major problem in this country, with victims numbering in the millions each year and out-of-pocket losses (primarily to businesses) in the billions of dollars.”
The Commission’s five recommendations are:
- Improve consumer authentication
- Restrict the public display and the transmission of SSNs
- Establish national standards for data protection and breach notification
- Conduct outreach to businesses and consumers
- Promote coordination and information sharing on use of SSNs
The task force believes that better authentication will make it more difficult to use SSNs to open new accounts or access existing accounts or services. They hope that this will, in turn, limit the demand for SSNs by criminals. Currently financial institutions that are federally regulated by banking agencies are the only private companies subjected to nationwide authentication standards.
You can continue reading more about that here, or read the more comprehensive Task Force Report here [PDF].
Via data breach watch