ARTICLE: Ten Back to School Security Tips for Administrators

With the start of school around the corner, many IT administrators have to prep their environments for the hordes of students that will insist on downloading the entirety of the Internet. Interestingly enough, our employees sometimes feel that they should do the same.

While they may not necessarily be visiting unsavory sites, they are likely to visit a variety of other sites that will distract them from their learning or job responsibilities. So what are the things that should be done in preparation for the start of the school year (many at little-to-no-cost), whether at the school or in the work environment?

1. Educate your users. This cannot be stressed enough. Even if the site is about flower arrangements, it may be enough to distract users and eat up precious resources. This means users should be reminded that the computer and the network that it uses are the property of the company or the school and should only be used explicitly for reasons related to that organization.

2. Remind users that all things may be public. Whether it’s their activities and where they surf, or the emails and IMs they send or receive, it is all fair game and there is no expectation of privacy. Additionally, public social networking sites can be used to connect with colleagues outside of work but common sense about what can be posted on those sites should be used.

3. Ensure that there are firewalls in place not only to protect the corporate environment from attack (outside in) but also firewall rules to limit what exits your network (inside out). It may be an innocuous gaming site but there could be malicious scripts on it that piggyback on connections.

4. Anti-virus and malware detection tools are still tools that should be incorporated into any standard educational or corporate environment. Just because we haven’t heard of any latest attacks doesn’t mean that they don’t exist. New attacks are occurring and new attack vectors are being used. Take, for example, Facebook applications, which often grab as much info about a user from their cookies as they can, and there is no mechanism to check whether they grab other cookies as well.

5. Take the stance of “less is more” on user environments. In addition to firewalls, anti-virus and malware detection tools, the actual desktop should be hardened. NIST/NSA still provides free hardening guides on the majority of systems. Remove what is unnecessary and only add the minimum of what is needed. If a user needs more, they will ask.

6. For those users that are mobile or heavily connected (the Blackberry crowd), invest in some simple laptop locks, Blackberry protective cases (like those from Otter) or other mechanisms. The Otter, I found, is great for klutzes like me at protecting my Blackberry when I drop it. You can use Roblock to track down lost or stolen Blackberries.

7. Take an inventory. It’s amazing how many companies let their laptops, Blackberries and other devices become property of individual employees. Asset tags and a simple asset tag database can work wonders. It’s important to keep track of those items as lost or wayward devices can add up to additional costs for a company. MyAssetTag.com may be a good site to visit to get such tags and they even have some for PDA/Smartphones.

8. Laptops and desktop LCDs should, by default, come with security screen filters. Laptops in particular should be outfitted with these. With researchers and executives on the road, it’s important to ensure that wandering eyes don’t steal proprietary intellectual property. Whenever a new laptop is issued, it should come with a decent security filter (3M makes an excellent line of these). With a bit of searching you can find some privacy screen filters for Blackberries and other such devices.

9. VPN tokens and the usage of VPN in general for all communications can help ensure that all sessions are protected. This may seem odd for a school to use but when an organization like Blizzard introduces it to improve security on its popular World of Warcraft online game, it’s definitely time to have it as a regular part of school or large organizational life. At $6.50 each, this is a cheap option to ensure that a person is a legitimate member of the community they are supposed to be a part of.

10. Weekly notifications of viruses and ideas to protect the company. The more informed an end-user is, the better it is for your organization. These don’t have to be in-depth but it may be enough that when a user uses their home computer to access work (since many companies are trying to employ telecommuting or 4-day work week options to save money) they protect those machines as well.

Oh, look. We’ve ended back at education again.

More importantly, turn these into good habits and standardized processes. When you close the door to security threats, you get more done faster.

And that means less homework for everyone.

Donations???

So on a whim I decided to swallow my pride and try a donations button. I’m hoping that perhaps this might raise a bit of money to either pay off debt or fund top surgery. I figured even if it was a little, it’d be a little more than I had before. In some ways I feel really bad about doing this. I mean, it just highlights how gullible I can be about giving others money or spending a little too much on myself (recently, cigars). I’ve been trying to cut back on both these habits. My book spending is down since I found Paperbackswap.com. It’s a nice option where I can send my books that I won’t read again elsewhere and I can find other books of interest to me, without having to pay for them.

I had also joined Cigarpass.com in hopes of trading some of my cigars with others (so I could try different ones) but haven’t been too successful. I’m limiting myself to buying small packs (known as samplers — they consist of 5 cigars) and ideally, no more than 1-2 packs in a week (1 if there is a two-for-one deal). But I have been making an even bigger effort at paying down credit cards. If I could halve those in about 2 years, I’d be happy. Ideally, I want the cards paid off in 5 years (no later) so I can put that money into a house. I really want to get rid of my cards except for one or two that would be used for items I cannot pay in cash with. And then the cards paid off immediately (as I do with my US Credit card). I may be able to get my top surgery covered under benefits but I’d rather not depend on that. Who knows? Either way, better to ask now and get turned down than not ask at all, eh?

Oh.. and only make a donation if you truly can afford to. I really don’t want others to end up where I am.

ARTICLE: Adding Voltage for Secure Databases

When I moved to the US to return to teaching, I knew that things worked a little differently here. One of the things that surprised me was how often I was asked for my Social Security Number (SSN in the US; SIN in Canada). It wasn’t that hard to get one but it seems near impossible to keep secret.

Everyone – and I mean EVERYONE – wants it for one thing or another. How is an individual to keep it secret when everyone wants it? And if it’s hard for me, what about companies that have to store it in their credit card databases?

Most companies use a variety of methods that piece things together in hopes that what needs to remain secret does. And when it came to actually protecting the data itself, often a restructuring of the database environment is necessary. This means higher costs, more downtime, more potential for error as systems are transferred over and just general headaches for administrators.

Why can’t you encrypt the data without having to change the environment? We would no longer have to force the square block into the round hole. We can, instead, transform the square block so that it’s a round peg, but still contains square data – just encrypted.

Voltage has introduced FPE, or Format Preserving Encryption. Simply, it encrypts the data in the same length and character type as the original data. This means a database doesn’t need to be recreated to account for encrypted data and that makes it easier to incorporate into existing systems, even legacy systems.
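To make the "same length and character type" property concrete, here is an added example; it is not code from the original article and it is not Voltage's SecureData algorithm. It assumes a plain Feistel network over the decimal digits with HMAC-SHA256 as the round function (chosen so it runs on the Python standard library alone), and the function names, key, tweak and sample numbers are all constructed for the illustration.

```python
"""Toy format-preserving encryption (FPE) over the decimal digits of a string."""
import hashlib
import hmac

ROUNDS = 10      # even, so both halves finish in their original positions
MIN_DIGITS = 6   # tiny domains can simply be enumerated
MAX_DIGITS = 36  # keeps each half far below the 256-bit round output
DIGITS = "0123456789"


def _round_value(key, tweak, rnd, half, width):
    """Keyed pseudo-random integer derived from one Feistel half."""
    msg = f"{rnd}|{width}|{len(tweak)}|".encode() + tweak
    msg += str(half).zfill(width).encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _feistel(digits, key, tweak, decrypt):
    """Permute an n-digit string to another n-digit string (or invert it)."""
    n = len(digits)
    if not MIN_DIGITS <= n <= MAX_DIGITS:
        raise ValueError(f"need {MIN_DIGITS}-{MAX_DIGITS} digits, got {n}")
    u = n // 2
    v = n - u
    a, b = int(digits[:u]), int(digits[u:])
    order = reversed(range(ROUNDS)) if decrypt else range(ROUNDS)
    for rnd in order:
        m = u if rnd % 2 == 0 else v  # width of the half being modified
        if decrypt:
            # Undo (a, b) -> (b, a + F(b)): a is the old b, b is the sum.
            a, b = (b - _round_value(key, tweak, rnd, a, n - m)) % 10**m, a
        else:
            a, b = b, (a + _round_value(key, tweak, rnd, b, n - m)) % 10**m
    return str(a).zfill(u) + str(b).zfill(v)


def _transform(text, key, tweak, decrypt):
    """Encrypt only the digits; dashes, spaces and other separators stay put."""
    positions = [i for i, ch in enumerate(text) if ch in DIGITS]
    digits = "".join(text[i] for i in positions)
    out = list(text)
    for i, ch in zip(positions, _feistel(digits, key, tweak, decrypt)):
        out[i] = ch
    return "".join(out)


def encrypt(text, key, tweak=b""):
    """tweak is a non-secret label (e.g. a column name) mixed into every round."""
    return _transform(text, key, tweak, decrypt=False)


def decrypt(text, key, tweak=b""):
    return _transform(text, key, tweak, decrypt=True)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-a-real-one!"  # constructed sample key
    for label, value in [(b"ssn", "123-45-6789"),            # constructed SSN
                         (b"pan", "4111 1111 1111 1111")]:   # constructed card no.
        ct = encrypt(value, demo_key, label)
        # The ciphertext still fits a CHAR(11) / CHAR(19) column unchanged.
        print(f"{value!r} -> {ct!r} -> {decrypt(ct, demo_key, label)!r}")
```

Because the output is still an 11-character `ddd-dd-dddd` string, an existing column definition and any format validation in front of it keep working, which is the schema-compatibility argument the article makes.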

Another plus is platform independence. And the ability to be called from a script or via the command line is a big plus in my book.

When you look at the alternatives, you really do realize that this is the way to go. Let’s consider our other options.

First, you could encrypt the whole database. Oh joy. Performance-wise, this ought to be fun when it comes to adding data regularly. As an administrator the last thing I want to deal with is a slow database. Because that means users get to call me when I’d rather be out playing WoW or golf or something else.

A second option is to encrypt at the column level, but this requires specific database types, removes separation of duty options and limits the amount of security in applications. This means I have to spend for a specific database type, not all my applications will be protected and I still get calls. Not a good thing. I really don’t like being limited in the database type I can have, not when I’m in a recession and trying to save money by using my legacy database as long as possible.

For a third option, I can encrypt from the application level down, but I have to plan for that first before implementing it because it means the database has to be designed for it. That’s great out of the starting gate, but what about those older applications with hundreds of gigs of data and a database schema I’m happy with? Planned downtime with a permanent coffee IV? I don’t think so.

And that is no better than doing a “look-aside” database where critical info is kept in an encrypted database that’s referenced by a key. We’d still have to re-engineer everything to account for it and take a performance hit while waiting for a search for data to return information that is encrypted into an unencrypted format.

Why would I go through any of these when I can use my existing database and encrypt the data so it’s the same length and format as the clear-text version of the data? I save myself so much time and effort that I can use doing other things.

With FPE (aka Voltage’s SecureData), we can avoid many of the above issues, plus: no need to hire experts; no lengthy install/integration into existing systems; can use existing legacy databases; can keep full separation of duties; very little overhead to existing queries (batch queries might experience a small performance hit). And, if you’re inclined, you can create your own applications that can tie into the existing toolkit (using Java or C code).

To further bolster this, FPE employs AES256, meaning that data can meet the rigorous encryption standards that are required for many applications and environments. And since we don’t have to redo our databases, FPE can scale well as a company grows over time.

“Per infrastructure” pricing starts at $35,000, according to the company.

This is all great stuff. The one downside is the inability to deal with things like audio and jpegs. But that’s OK in general. Most critical data is text based, representing the majority of what we want to protect (e.g., credit card numbers, SSNs).

I think that if I knew more organizations were using this to protect my SSN, I would not be as concerned about being asked for it so often.

ARTICLE: The Stewards of Online Reputation

Reputation.

We all base so many interactions on it, both personal and professional, but it remains an elusive concept for some. After all, what does it matter what others think about you, right?

People always make assumptions about others that are based on ignorance or rumor. Often, these can be dispelled, but when it comes to businesses, the same can’t be said.

The reputation that businesses often try to build and maintain can easily be damaged if they are associated with an attack against a third party, or worse, a competitor. So the challenge becomes, what if some other entity pretends to be me in the form of phishing or other kinds of activities rooted in malware? What if it’s used against a competitor and makes my company look like we’ve done something malicious? How can a company ensure that its reputation is sound in an environment where anyone can be anybody?

As many of you know, one of my biggest pet peeves is the sheer amount of phishing emails and spam today. We shouldn’t have to rely on perimeter security to address this. And how nice would it be to identify this stuff before it even reaches that perimeter?

Recently, Dr. Phyllis Schneck, Vice President of Research Integration for Secure Computing Corporation, walked me through the TrustedSource Portal and the entire TrustedSource concept. It was developed, in part, to help enterprises protect their reputation.

When companies earn reputations as being security risks or locations where bad emails originate, it can hurt business prospects in the long run. How can other companies and individuals be sure that emails are from the true source and can be trusted? Even more so, what about emails from unknown sources?

This is where the TrustedSource Portal comes into play.

How It Works

Imagine a credit score for an entire company, but instead of judging its financial smarts, TrustedSource offers a glimpse at its approach to online security.

In essence, the TrustedSource project gathers information from over 7,000 sensors in 68 countries (these results are from more than 110 billion messages per month and millions of URLs, tracked by the TrustedSource Portal). With this amount of data, it can help validate a company’s reputation online and prove whether they are trustworthy or not, as well as help companies keep their good reputations intact.

They can also learn whether they have potential avenues that can be used against them or others and then address those. And thanks to over 5 years of data collection, they are able to predict potential attacks and their sources. Criminals, it turns out, are often habitual types, repeating the same kinds of attacks from different locales.

One of the cornerstones of TrustedSource is its focused attention on security and reputation on the Internet as a whole. When we gain the ability to identify known, trusted sources versus malicious or criminal hotspots, then we can protect ourselves better.

Consider this: if an employee uses a Blackberry or other mobile device, they may have an avenue into the corporate environment that bypasses simple perimeter security. As a result, they end up spamming both internal and external sources. But if the network appliances are tied to the TrustedSource Portal, then they can detect the potential flood and stop it from worsening a situation that could ding a company’s reputation.

I like that companies are stepping up to the plate to finally address the concern over outside forces affecting the bottom line and the overwhelming amount of spam and other questionable content that chokes mail servers and inboxes. To have to deal with spam rates of over 90 percent (depending on whom you talk to) isn’t acceptable. With TrustedSource I can at least verify where the email has come from and the likelihood of it originating from a valid and trustworthy source.

As an experiment I decided to check out Antionline.com and EnterpriseITPlanet.com as well as my personal site, http://www.msmittens.com at http://www.trustedsource.org. All these sites came back as neutral (meaning there were no bad messages nor known good activity from these sites – they just exist). Checking http://www.microsoft.com did earn a “Trusted” rating which means that anything that comes from Microsoft in the form of messages or emails should be trusted as being from that source.

And we’re not just talking domains here. It actually lists the IP addresses associated with that domain so I can further break it down as needed. I can check that the IP address is, in fact, a match.

Looking at an address like 65.78.169.170 (a known Storm infected site as of this writing), we see it listed as malicious. Looking under Threats and Trends we can see where questionable activity is occurring and block those sites from affecting our networks—well before the perimeter if we want to.

Even if you don’t have TrustedSource appliances you can still take a look into the individual company search to see if they are trustworthy, or as an individual, use the toolbar option in Outlook to see if emails come from trusted sources. It’s very quick at identifying untrustworthy sources and that means that you can easily eliminate potential espionage or criminal activities before they even enter your environment.

The fact that TrustedSource can be and has been used as a way of limiting the effects of online organized crime means that we can reduce the viability and profitability of phishers and malware pushers.

In the end it comes down to this: Can I trust you? And how do I know I can trust you online when I’m not sure who you are? TrustedSource gives me a place to check and verify that your source is a trustworthy source.

Have you earned a reputation that I should be worried about?

ARTICLE: Smartphones: Pocketable Endpoints or Network Backdoor?

In today’s corporate environment, very few people are without some kind of cell phone. And many phones have more functions and options than the average user needs. For better or worse, they are a ubiquitous part of life, and for many, they are simply indispensable.

As a result these are becoming the backdoor into corporate networks.

Backdoors, in this context, describe non-obvious devices and technologies that can interface with a network and pry open an attack vector that most security mechanisms don’t account for. For example, unauthorized wireless access points can be considered backdoors. Software backdoors — and the paranoia surrounding them — are a topic for another site.

This whole article came about when a friend asked about what items he should put on his new smartphone to protect his small business. It occurred to me that his scenario may not be all that unique. And, on a larger scale, corporations may be overlooking a glaring backdoor in their network security.

So what are the risks?

Many of the ones that we see for wireless and Bluetooth as well as existing desktop OS risks are the same ones that can affect phones. Many phones today are being bundled with Windows Mobile, Microsoft’s PDA/cell phone OS. This OS allows for greater interoperability with standard Windows applications and allows users to feel comfortable since they are already used to Windows on their desktop.

So, unsurprisingly, there exist malware and viruses for these tiny computers. Take a look at yours. Where’s the firewall to protect against intruders? No? What about encryption to protect those passwords you use to access email or your voice-mail? No? What about anti-virus and spyware detection? No?

It is becoming evident that as part of the cell phone package, providers may need to include these items, particularly for their corporate customers. There are a few ways infection can occur. The first is the standard and most obvious one: get the user to download something, preferably something they want. Say, for instance, a free Texas Hold ‘em Poker or Sudoku game for the phone.

Or perhaps something that “promises” ways to get more messages to and from friends. Whatever the program, it’s enticing; it’s important; it’s “needed”. Once the program is downloaded and run, the malware is launched.

This, in case you haven’t already noticed, is very similar to what happens in the desktop world.

An additional factor is ever-present, never-dying spam.

It is easier to fill a cell phone mailbox with spam than it is a modern computer. And yet, we have no filters for this. I personally experienced a mini-flood done by my personal cell phone provider when their email server began sending out things in triplicate.

It can be frustrating since there is no header info, no filter options for MMS and no mouse to easily select a bunch and just delete. While reports of this are sporadic, they will undoubtedly climb since it’s not hard to generate phone lists.

The other two methods include MMS messages with attachments and the Bluetooth option.

The MMS option works very similarly to that of email: double-click on the attachment and the virus/malware launches. The one that is most interesting is the use of Bluetooth as a vector of attack. Similar to wireless, Bluetooth is often used in cell phones and PCs, and used to allow communication between phones and PCs. If the phone is in discoverable mode (that is, it’s attempting to find a Bluetooth device nearby), then an attacker can connect and inject.

Find Me

The challenge is finding devices in discoverable mode. An application like Blooover II makes finding discoverable phones easier. Blooover is one of a few tools out there; others include Super Bluetooth Hack, BlueTest, BTCrack, T-Bear, Bluesnarfer and many others.

A simple search for “Bluetooth hack” will generate enough results to keep someone busy for a little while (most of these will require installation on a phone with Java ME to work). The biggest impact made by these tools, like their predecessors in the wired world such as ettercap, is that they make it easier to get into systems with little to no knowledge.

In essence, these tools allow for an attacker to sniff a Bluetooth stream for info or to inject nastiness.

In addition, they can also find Bluetooth devices that are discoverable and, if encryption is used, crack it. Of course, for any of these attacks to prove successful, proximity is critical (10m/30ft but some devices have a range of roughly 100m/300ft). But when the financial institutions of the world are close to each other and everyone goes for lunch to the same deli or sushi place, it shouldn’t be too hard to do.

With all these threats, are there steps that can be taken at the enterprise level to address this? You could invest in existing technologies that address cell phone issues such as McAfee’s Total Protection or Sophos Endpoint Security and Control. But in addition to this, education remains the primary method of addressing cell phone security. Users should be reminded of the following:

  • Work cell phones are corporate property. No unauthorized applications should be installed.
  • Personal cell phones should be disabled at work and/or the Bluetooth discoverable feature disabled.
  • Bluetooth discoverable should only be used with encryption and only for specific devices (that is, set the discovery for manual pick up rather than automatic).
  • Set a boot password and a main phone password. This helps secure the phone even when lost.
  • Remind users that work phones are NOT to be unlocked (this avoids someone bypassing security measures that may be tied to a SIM).

Even though Cabir, the first mobile phone virus, is a toddler of sorts now that it’s 4 years old, it’s not the last virus or malware attack we’ll see for the mobile. The rest are just over the horizon.

Are you ready?

Saying goodbye to Mittens

I can’t believe I’m doing this but today I’m booking an appointment to say goodbye to my namesake, Mittens (the appointment is this Tuesday). After 15 years of life, she developed cancer of the mouth. It’s gotten so bad recently that she’s not eating, not grooming and blood is coming out of her mouth. This has been the hardest decision I’ve ever had to do because sometimes one wonders whether it’s time. I do know it is because well, she’s not happy no matter how much she tries. It always amazes me as to how much animal companions give to us without asking much in return — and give it totally without judgement or much complaining.

But as hard as this decision is, I know it is the right decision for her. So I say goodbye to the kitten who was given to me to help me deal with my mom’s murder and ask nothing more of me than to be loved. Good bye, little mittens.

IT Belt Tightening? Don’t Let Security Suffer

So as the year trudges forward and the ominous threat of recession looms, thoughts of implementing and enhancing security seem moot. As often happens, security is viewed as a cost center, even more so during times of financial belt tightening.

But is now really the time?

This is the time to implement security or add those final pieces of the puzzle that have been missing from your environment. While it may seem daunting at first, corporations are continually weaving security pieces into their environments, particularly now that security software makers have made it easier to integrate those products.

But suppose more money for anti-everything and the security appliances just isn’t in the cards. Then consider better and more consistent security practices and procedures. While it is still a cost center for a company, it is an easier one to swallow. And these practices will help save your organization from the jaws of pesky online threats no matter how little technology you have to throw at them.

What pests am I talking about? Let’s explore…

Spam = Wasted Bandwidth

Of the major security issues and annoyances that plague businesses today, one of the biggest is spam. Spam, depending on whom you ask, accounts for about 70-90 percent of all email. Regardless of the amount, it still remains an undisputed bandwidth waster. Further, this spam often includes links to questionable sites that employees may think are legitimate, and can, when clicked on or visited, inadvertently invite malware into the corporate environment.

Quite a few good tools exist to tackle spam at the end-user level, or even at the portal of a corporate network. However, there often need to be better controls at the internetwork level to prevent the wasted bandwidth.

But the sad truth is that unlike many sneakier threats to security, spam is usually easily identifiable. Seriously, how many pills does one need to enlarge various body parts?

Here is where the “it’s not my problem” mindset rears its ugly head. Since the internetworks of the Internet are shared between major ISPs, it is everyone’s problem and no one organization can convince them to work together to eliminate this. How about some cooperation then?

One thing that might help is to require consumer ISPs to freeze Internet access for accounts where it’s determined that someone is sending spam and/or viruses. This can help reduce or eliminate the source of most of the spam. Certainly, some providers ensure that all mail relayed to a user is checked for malware before it hits the inbox, but the effect of this has yet to be seen and may not be quantifiable for a few years.

Another challenge that remains today is the set of vast email lists that are circulating among spammers. To this day, one specific email account that I have used for over 10 years receives spam email regularly, enough for me to finally disable it for the time being to see if it will settle down the volume to a dull roar.

No Thanks for All the Phish

Related to spam is my long-standing pet peeve: phishing.

It’s interesting to note that the Anti-Phishing Workgroup has indicated a bit of leveling out in regards to phishing attack activity, although September 2007 did show a record high of 38,514 phishing emails.

Attackers are also getting a little savvier and realizing that they cannot continually assume the same major corporate identities. I do recall receiving such phishing emails for Canadian banks such as Royal Bank of Canada and Bank of Montreal — unusual since prior to that my inbox was assaulted by fake versions of WaMu, CitiGroup and an assortment of larger US banks.

ARTICLE: CSI Survey 2007, Part 3: Tech and Tribulations

When it comes to employing security technologies, firewalls and antivirus are the main variants that everyone seems to use. The key, of course, is to ensure that these are configured properly and updated regularly to account for new attack types.

VPNs and spyware detection software come in at a distant third and fourth (VPNs were added to the list just this year). Most of the technologies were at the same usage levels as last year with one glaring exception: server-based access control lists dropped from 70% to 56%. This may be due to a tendency to rely on single-sign-on (SSO) methodologies as well as other forms of authentication and access. This likely reflects the evolution in how we communicate and network between organizations. And since we’re using all this technology, we need to verify that it’s being used accurately.

Companies are investing in internal audits primarily as a method to determine whether there are problems or not. While the figures suggest less than 65% are performing such audits, it is at least being done. It’s important to recognize that doing audits of the systems can be helpful at reducing internal issues and uncovering weaknesses and vulnerabilities.

Remember that an audit (which is an evaluation of a system) is different than a penetration test (an actual planned and approved attack against a system) and for certain environments doing one of each can be helpful. Internal “pen testing” was the second most common method of evaluating security technologies. This kind of testing, even if done by internal staff, is an additional factor in making security more robust as well as changing the nature of attacks that occur.

But in addition to technology, the individual must be trained to understand how security works and why it’s important to them. To this end, security awareness training is paramount.

I’m a firm believer that awareness training is actually one of the best forms of security you can have for an organization because it means everyone gets involved in security and you have far more eyes looking for breaches than just your own. So it is disconcerting that awareness training still is on the lower rung of importance for many companies.

Fewer than 20% of companies don’t have any training and an additional 35% don’t verify that their training was effective. Using anecdotal experiences or written/digital testing are not necessarily effective methods of determining the effectiveness of training. Written/digital tests are just methods of determining how well one tests or understands the questions of a test, while verbal anecdotes are based on how our minds interpret particular situations.

Tracking the frequency and types of support calls and incidents, as well as doing social engineering testing, are more valid methods of testing the effectiveness of training. Very similar to the situational testing undertaken by various response agencies to simulate disasters, this kind of testing is as close to the real world as possible without causing damage to the company. This also allows us to see how we react to situations and whether additional training or changing the existing training is necessary.

Awareness training is important to some but it may be targeted at specific individual types. Respondents to this year’s survey said that network security, security management and security policies were important for training. This kind of training is often done at a higher level than the average employee and there may be a gap in security as a result of this. Certainly the IT administrators and other IT staff are getting the necessary training but the bulk of the population in organizations may be missing out on something that is critical for the sake of company security.

Knowing, as they say, is half the battle. And many organizations aren’t that interested, it seems, in necessarily knowing or learning overall.

Also, it appears that they are tight-lipped as well. 50% said that they do not belong to an information sharing organization. I find this rather disturbing, as sharing information about attack types and detected vulnerabilities is critical. I’ve long been an advocate of full disclosure and believe it’s even more important now as systems become even more complex than they were even 5 years ago.

While some may infer that exploits only occur when a patch is released, the reality is that exploits are constantly being created and explored. They become more numerous after patches, certainly, but creating patches can take time and if we know about the vulnerability beforehand we may be able to put in place stopgap measures that minimize the impact. This would help reduce any potential bad publicity that might occur should a system be compromised prior to a patch release.

In fact, negative publicity still likely remains the main reason as to why few companies go to law enforcement or get legal advice after an incident. The mainstream media doesn’t truly understand security and when a breach happens, they only publish the details that will attract eyeballs rather than facts that explain how to properly deal with the issue or that the company did all necessary due diligence possible.

The last portion of the survey covered the effects of Sarbanes-Oxley, or rather, the perceived effects. While most feel it has been effective, there is a large chunk, about 25%, that feels it hasn’t. While SOX was meant to encourage more of a corporate policy or adherence to security, it may not be as effective as planned. It may also be due to a lack of understanding as to why it would be helpful. This would tie into security training again, specifically non-technical training along the lines of awareness and understanding of the impact of security in general.

All public companies need to comply with SOX and the rules it sets forth help to encourage effective processes. In fact, these processes can streamline security and make it easier to detect flaws in systems.

One of the newer items was an open-ended question as to what is the major security issue that an organization will face over the next couple of years. Not surprisingly, most of the responses centered on data protection and legal issues and compliance. Without a doubt data protection is critical as is ensuring that we meet or exceed any new laws. Dealing with both of these requires non-technical solutions and more of a managerial bent. I wonder if most of the respondents to this open-ended question were from managerial positions.

As with previous years, the CSI survey is invaluable to the IT security industry in giving us a peek into how we tick. Robert Richardson and his crew do an excellent job of providing us the glimpse we need to better understand our own nature. While there are always more questions and more input we would want in the survey, without it we wouldn’t have an idea as to how security is truly viewed by those in the industry.

And as I’ve said repeatedly, knowing is half the battle.

More updating

Well, I have finally moved to the US. It is a challenging process, particularly given the current climate of things and in some ways understandable. But at the same time I wonder if the over-indulgence of security by the US is more detrimental than helpful. Because of the extreme strictness that the US CIS agents take when applying for a visa, many legitimate individuals are rejected depending on the mood of the agent rather than on the legitimacy of the claim. As a result, many businesses are losing money because of this stance. I am very lucky to have a company that supports me and has helped me to obtain the necessary documentation to exist and work here legitimately. I have a few plans for the future as a result.

I am contemplating taking (online through DeVry) a bachelor/master's degree in computer forensics, ideally seeing if I can tie it with virtualization (there is little to no work on how the legal process will accept or not accept incidents on a virtualized platform). Additionally, once my "stuff" is moved down here (I'm in NYC now), I should be able to get back on my bike. I will be going back to working out and such probably come January (too many trips in Dec to justify getting the membership just yet at the local gym). With life being settled and returning to a routine I expect I'll be able to focus once again on security and cycling.

There's hope for me yet, eh? ;-)

ARTICLE: CSI Survey 2007, Part 2: Meat and Potatoes

Let's start with the good news. When it comes to the percentage of companies that experienced an attack or security incident, the number continues to decline; 46 percent versus last year's 53 percent. And while you may have noticed that there are roughly 100 fewer respondents this time around, it is not likely enough to account for the decline percentage-wise.

If one theme emerges from this year's survey, it is that the face of security is changing drastically after some hard lessons learned.

Since it's now viewed as an integral part of what it means to set up an environment, administrators and other IT professionals are becoming savvier at ensuring security on a regular basis. The weak point, as is so often the case, remains the non-IT savvy individual.

That said, one of the more disturbing revelations is the fact that the number of security incidents saw an unusual jump in the "more than 10" category, rising from 9 percent for last year to a whopping 26 percent this year. This increase means that quite a few companies were seeing "repeat business" from attacks. As to why, one can only guess as to the specifics.

Fox in the Hen House?

A few theories include internal espionage, not determining the true cause of attacks and not keeping antivirus and/or other detection tools current. Given that there was a 4 percent increase in the number of companies that thought insiders didn't account for any of their breaches, this particular aspect may be OK to eliminate. That, or insiders are getting better at covering their tracks. Additionally, the actual cost of insider attacks may not be as visible as other types since they often target intellectual property and private information such as blueprints, source code, customer databases and the like.

Nonetheless, the insider threat can't be dismissed. Some attack types are on the wane (sabotage weighed in at 4 percent), while insider abuse of Net access saw a sharp increase to 59 percent. Awareness programs are the ideal method to address this. Given the lack of training, however, it's not surprising to see this statistic rank rather high.

Website defacements, virus attacks and DoS attacks, normally the things that make news, remain relatively low on the attack scale. The survey included new categories of attacks including phishing, DNS exploitation, sniffing, bots and theft of customer/employee data.

As time progresses, the inclusion of newer attacks should help narrow down the prominence of certain attacks and the likelihood of others. I believe this will help security individuals determine where the greatest risk is for an attack or policy violation.

One of the most interesting drops was in the percentage of website incidents. Last year over 59 percent experienced 10 incidents or more against their website. This year, that number plummeted down to 2 percent!

This is a major achievement. Either we're getting better at securing our websites (this would include front-end as well as back-end) or they are losing their attack appeal. While I suspect both are part of the equation, I do believe that the front-door attack is starting to go by the wayside and we're seeing more sophisticated attacks against companies via social engineering and other stealthier methods.

Additionally, these attacks were not specifically targeted or at least not believed to be so. When asked, the majority of respondents, 67 percent, simply didn't know, compared to the 28 percent that were aware. This is a figure to continue watching as attacks become more targeted.

Your Business in the Crosshairs

Malware developers are adding specificity to their efforts, increasingly opting to strike surgically rather than employ often fruitless shotgun approaches. Comparatively, mass attacks are not as effective and do not necessarily generate a specific financial gain. Attacks are no longer motivated by "because it was there" sort of ideals. Rather, today's attacker is more likely to think, "How much can I scam out of this?"

So how much did these attacks cost companies? Unfortunately, we saw a jump and an interesting one at that.

Last year, 313 respondents said that attacks cost them over $52 million. This year, 194 admitted that attacks cost them over $66 million.

This would represent a substantial increase but given that the major security infraction was due to inappropriate Web surfing, it's likely that a lot of it was tied to loss of employee productivity and phishing/bot attacks.

Yet the biggest chunk of attack costs was attributed to financial fraud. It would be interesting to see how much additional money was lost on an individual basis and study its impact on companies in terms of lost productivity due to employees dealing with personal issues.

This was also the first year that viruses or other attacks weren't at the top of the pile. In fact, last year, financial fraud only accounted for $6 million in costs. That figure ballooned to $21 million this year, earning it the top spot.

The fact that the virus was dethroned may also indicate that we're getting better at containing malware before it gets too far out of hand. Yes, we can all agree that virus infections can and will occur, but they do not have to deliver the network-debilitating effects of the I Love You virus of 2000, for example. Even so, we are nowhere near the point where we can count viruses out, and so vigilance, as always, is recommended.
Look out for Part 3 where we delve into how businesses are protecting their networks.