Posts Tagged ‘it security’

The ‘Dirty Dozen’ Popular Applications With Vulnerabilities

Friday, December 19th, 2008

Bit9 released its annual ranking of popular consumer applications with known security vulnerabilities. The list reveals ‘The Dirty Dozen’ – the most-used applications on Windows that are the most vulnerable to security flaws that could compromise systems and/or private data.

All of the programs in this listing are Windows-based, well-known, and not classified as malicious by IT organizations. Each of them, however, had at least one critical vulnerability identified in 2008, or a vulnerability registered with a high severity rating. They also rely on end users to upgrade the software themselves, because they cannot be patched through centralized enterprise update tools.

In addition to requiring end users to take responsibility for security updates, the list includes programs that often run outside the control or knowledge of IT, resulting in compliance issues and breaches that could lead to heavy fines and losses. However, the list is a little biased, since it is not clear whether these applications are more or less secure than the applications that can be centrally updated. For example, Internet Explorer can be centrally updated, but it is not necessarily more secure than Firefox, which tops the ‘Dirty Dozen’.

The ‘Dirty Dozen’, as ordered by number of vulnerabilities, are as follows:

  1. Mozilla Firefox: 3.x, 2.x
  2. Adobe Flash & Acrobat: Flash 10.0 through 10.0.12.36 and 9.0 through 9.0.151.0; Acrobat 8.1.2, 8.1.1
  3. EMC VMware Player, Workstation and other products: ESXi 3.5 or earlier; Workstation 5.5.x; Player 2.0.x & 1.0.x; ACE 2.0.x & 1.0.x
  4. Sun Java Runtime Environment (JRE): Version 6 Update 6
  5. Apple QuickTime, Safari & iTunes: QuickTime 7.5.5; Safari 6.0.5.20B; iTunes 3.2, 3.1.2
  6. Symantec Norton products: 2.7.0.1
  7. Trend Micro OfficeScan: 8.0 SP1 before build 2439; 8.0 SP1 Patch 1 before build 3087
  8. Citrix Deterministic Network Enhancer (DNE), Access Gateway, Presentation Server: DNE 2.21.7.233 through 3.21.7.17464; Access Gateway 4.5.7; Presentation Server 4.5
  9. Aurigma Image Uploader, Lycos FileUploader: 4.6.17.0, 4.5.70.0, 4.5.126.0
  10. Skype: 3.6.0.248
  11. Yahoo! Assistant: 3.6
  12. Microsoft Windows Live Messenger: 4.7 & 5.1

There has been considerable evidence that requiring end users to make security decisions leads to security incidents, through lack of knowledge and/or understanding, so in the enterprise setting a centralized approach to IT asset management has often been the norm. The problem with this approach is incorporating the applications that users want and need, and working out how to manage them appropriately.

Download the report here.

Via Internet News

Most Employees Ignore IT Security Policies

Friday, November 14th, 2008

Employees continue to ignore security policies, notes another survey from RSA. Over 50% of employees work around existing IT security policies in order to get their work done.

The insider threat survey, conducted by RSA among 417 industry event attendees, polled workers across a range of industries, weighted toward the financial and technology sectors. Nearly half of respondents worked in IT. The survey indicates that, despite awareness of IT policies, convenience trumps security.

Highlights from the survey:

  • 94% are familiar with their organizations’ IT security policies
  • 53% have felt the need to work around IT security policies in order to get their work done
  • 64% frequently or sometimes send work documents to their personal email address in order to access and work on them from home
  • 15% have held a door open for someone at work that they did not recognize
  • 89% frequently or sometimes conduct business remotely over a virtual private network (VPN) or webmail
  • 58% frequently or sometimes access their work email via a public computer / 65% via a public wireless hotspot
  • One in 10 has lost a laptop, smartphone and/or USB flash drive with corporate information on it
  • 79% frequently or sometimes leave their workplace carrying a data device containing sensitive information related to their jobs
  • 43% had switched jobs internally and still had access to accounts/resources which they no longer needed
  • 37% have stumbled into an area of their corporate network to which they believe they should not have had access

As you can tell, many of the results mirror the study from Cisco that came out earlier in October. Basically, the lesson to take from this is to rethink the “insider threat” as not just malicious actions taken by employees, but also the “innocent” rule breaking that they do day-to-day in order to get stuff done.

This type of rule breaking is a little complex, as it may be due to a lack of clear instructions. Although employees may be familiar with IT security policies, those policies may be vague in some areas, or employees may receive mixed messages from overlapping policies or a mismatch between policy and procedure. For example, if certain programs and websites are, by policy, not allowed, they should be, by procedure, blocked. That’s not always the case.

As in many cases with security policies, it comes down to training and enforcement. Train all new employees well, but keep on training existing employees on an ongoing basis. Everyone could use the refresher. And enforce the rules – employees should know what the potential outcomes are of crossing the line at the corporate level (risk of data breach) and the personal level (being reprimanded for going against policy, regardless of outcome).

Technology solutions like Absolute’s asset management software can help you identify if users are operating outside corporate policies.

Via CSO Online ; image: mconnors @morguefile

Most IT Employees Would Steal Data

Tuesday, September 9th, 2008

Cyber-Ark Software has released the results of a new survey indicating some disturbing facts about insider data breaches by exiting employees.

Cyber-Ark interviewed 300 IT security professionals for their annual survey. This year, 88% of respondents said that, “if laid off tomorrow, would take valuable and sensitive company information with them.” And that’s just counting the respondents who were honest enough to admit they’d act unethically!

When asked what information employees would take, the target information includes: CEO’s passwords, customer database, R&D plans, financial reports, M&A plans and a list of company passwords.

“Most company directors are blissfully unaware of the administrative or privileged passwords that their IT staff has access to which allows them to see everything that is going on within the company. These privileged identities, which lie on hundreds of servers and applications, very rarely get changed as it’s often considered too much hassle. When people leave the organization, they can often still access the network using these passwords to acquire highly sensitive data” – Udi Mokady – president and CEO of Cyber-Ark.

Most companies are unaware of the full list of admin passwords that an IT employee has access to, and this can prove dangerous. Privileged passwords that give access to sensitive information should be secured and routinely changed, and changed without fail when IT employees leave.
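As an added illustration (not from the original post or from Cyber-Ark), the offboarding check the paragraph above calls for: an audit over a shared privileged-credential inventory that flags every credential a departed or transferred person once held and that has not been rotated since they left, plus credentials that are simply too old. The inventory, HR records and audit date are all constructed.

```python
# Added example: offboarding audit of shared privileged credentials.
# Inventory and HR records below are constructed for the illustration.
from datetime import date

# Constructed inventory: credential -> (date of last rotation, people who know it).
CREDENTIALS = {
    "root@db-prod-01": (date(2007, 3, 2), {"alice", "bob"}),
    "domain\\Administrator": (date(2008, 8, 20), {"alice", "carol"}),
    "sa@erp-sql": (date(2006, 11, 15), {"bob"}),
    "enable@core-router": (date(2008, 9, 1), {"carol"}),
}

# Constructed HR record: person -> date they left the company or the IT team.
DEPARTURES = {
    "bob": date(2008, 6, 30),    # laid off
    "carol": date(2008, 8, 25),  # moved internally to a non-IT role
}

AS_OF = date(2008, 9, 9)  # constructed audit date


def stale_credentials(credentials, departures, as_of=None, max_age_days=90):
    """Return {credential: [reasons]} for every credential that needs rotation.

    A credential is flagged when a former holder left on or after its last
    rotation (so they may still know it), or when it has not been rotated for
    more than max_age_days (the "too much hassle" case in the quote above)."""
    as_of = as_of or date.today()
    findings = {}
    for name, (rotated, holders) in credentials.items():
        reasons = []
        for person in sorted(holders & set(departures)):
            if departures[person] >= rotated:
                reasons.append(f"{person} left {departures[person]}, after last rotation {rotated}")
        age = (as_of - rotated).days
        if age > max_age_days:
            reasons.append(f"not rotated for {age} days")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for cred, reasons in stale_credentials(CREDENTIALS, DEPARTURES, AS_OF).items():
        print(cred)
        for reason in reasons:
            print("  -", reason)
```

The router credential is not reported because it was rotated after carol moved, which is the behaviour the rotation policy is meant to produce.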

Other interesting survey results:

  • One third of companies believe internal espionage and data leaking has resulted in data going to competitors or criminals
  • One quarter have suffered data breaches by internal sabotage and/or IT security fraud
  • 35% send sensitive or confidential information via email (an insecure medium, most of the time)
  • One third of IT administrators admit to keeping passwords on post-it notes
  • One third admit to snooping on the network to look at confidential information like salary details, personal emails, meeting minutes, etc.

Via Network World ; Clipart via Microsoft / Presentation Pro

Can Security be Measured in ROI?

Thursday, September 4th, 2008

Bruce Schneier has written a great article on the use of ROI (return on investment) in business security decision making. Following this model, businesses would only invest in security solutions that had a positive ROI, that is, where the money gained (realized or unrealized) exceeds the cost invested. When comparing options, a company would choose the one with the greatest return for the stockholders.

So the question remains – do ROI models accurately determine if a security investment is “worth it”? Bruce Schneier notes:

“‘ROI’ as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It’s an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn’t make sense in this context.”

A data breach would have associated costs, so preventing one would produce cost savings. This does affect the bottom line, although it is an intangible figure. As Schneier notes, although many security vendors provide an ROI model to meet the business demand for this measurement, their numbers cannot accurately reflect your own business.

So, how do you measure security investment?

  • Don’t spend more on a security problem than it’s worth
  • Don’t ignore security problems that cost money if cheaper mitigation alternatives are available

One option is to use annualized loss expectancy (ALE), a model that takes the cost of a security incident (tangible and intangible) and multiplies it by the chance of that incident happening in a given year. The result tells you how much it is worth spending each year to mitigate the risk. However, the model relies on good data, and that is difficult to obtain for all areas of IT security. When it comes to cybersecurity, not enough data about crime or about the effectiveness of countermeasures exists to build an accurate model. The model also cannot anticipate rare, very expensive security incidents.
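As an added worked example (not from the original post or Schneier's article), the ALE model applied to a mitigation decision under the two rules above, with a check of how far the verdict depends on the incident-rate estimate; the scenario and all figures are constructed.

```python
# Added example: annualized loss expectancy (ALE) used to decide whether a
# control is worth its cost, and how fragile that decision is to the data.
# All figures below are constructed for the illustration.

def ale(sle: float, aro: float) -> float:
    """ALE = single loss expectancy (tangible + intangible cost of one incident)
    multiplied by the annual rate of occurrence (expected incidents per year)."""
    return sle * aro


def mitigation_benefit(sle: float, aro_before: float, aro_after: float,
                       annual_control_cost: float) -> float:
    """Net annual saving from a control: the ALE it removes minus what it costs.
    Positive means the control pays for itself (spending no more than the
    problem is worth); negative means the spend is not justified."""
    return ale(sle, aro_before) - ale(sle, aro_after) - annual_control_cost


def break_even_aro(sle: float, reduction: float, annual_control_cost: float) -> float:
    """Smallest incident rate at which a control that cuts ARO by `reduction`
    (0..1) still pays for itself. Below this rate, the cheaper option is to
    accept the risk or find a cheaper mitigation."""
    return annual_control_cost / (sle * reduction)


def sensitivity(sle: float, aro_estimates, reduction: float,
                annual_control_cost: float) -> dict:
    """Verdict for each candidate ARO estimate. If the verdict flips inside the
    range you consider plausible, the model is telling you less than it appears
    to, which is the post's caveat about thin incident data."""
    verdicts = {}
    for aro in aro_estimates:
        net = mitigation_benefit(sle, aro, aro * (1 - reduction), annual_control_cost)
        verdicts[aro] = "buy" if net > 0 else "skip"
    return verdicts


if __name__ == "__main__":
    # Constructed scenario: a customer-database breach costing 250,000 per
    # incident, believed to happen about once every five years; a control
    # costing 30,000 a year is expected to cut that rate by 75%.
    SLE, ARO, CUT, COST = 250_000, 0.20, 0.75, 30_000
    print("ALE now:", ale(SLE, ARO))
    print("net annual saving with control:", mitigation_benefit(SLE, ARO, ARO * (1 - CUT), COST))
    print("break-even ARO:", round(break_even_aro(SLE, CUT, COST), 3))
    # The same control looks like a mistake if the true rate is one in ten years.
    print(sensitivity(SLE, [0.05, 0.10, 0.20, 0.30], CUT, COST))
```

With these numbers the control pays for itself at an incident rate of one in five years but not at one in ten, and the break-even rate of 0.16 sits inside that range, so the decision hinges on an estimate the post says is rarely well supported.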

So, the end result of all this is to trust your own analysis based on your own numbers, and to use vendor results as a general guideline only. Use your numbers together with a sound risk management and compliance strategy when deciding which security solutions to buy.

Image: Stockxpert.com

Compliance Spending Found Profitable

Friday, August 29th, 2008

The IT Policy Compliance Group (IT PCG) has published its annual report on IT Governance, Risk and Compliance. The 2008 Report, which can only be downloaded by members, looks at research conducted with more than 2600 organizations.

According to the published brief, security and compliance spending can lead to higher profits, lower expenses and improved customer satisfaction. Although many companies dread spending on compliance and security, even with the risks associated with cost-cutting methodologies, the report indicates that companies that move up the IT governance, risk and compliance (IT GRC) maturity scale are seeing a high return on their efforts.

IT GRC encompasses practices to deliver greater business value from IT strategy, investment and alignment, as well as mitigating risk and conforming to compliance mandates. What the data shows us is that IT GRC mature companies enjoy higher revenues and profits while spending less on regulatory compliance. These best practices also reduce the financial impact if a data loss were to occur: 0.4% of revenue in mature organizations vs 9.6% for less mature companies.

The companies considered most mature were not necessarily large businesses, but businesses that have effectively adapted security process frameworks to their own operations. Less-mature companies tend to over-focus on operational process frameworks.

You can continue reading about this report at Network World, where there’s a great overview.
