<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>At The Breach - Your source for online security news &#187; News</title>
	<atom:link href="http://www.atthebreach.com/category/news/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.atthebreach.com</link>
	<description>Your source for online security</description>
	<lastBuildDate>Tue, 15 Jun 2010 21:38:56 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Employee Monitoring</title>
		<link>http://www.atthebreach.com/blog/employee-monitoring/</link>
		<comments>http://www.atthebreach.com/blog/employee-monitoring/#comments</comments>
		<pubDate>Mon, 24 May 2010 16:45:28 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=543</guid>
		<description><![CDATA[There is an interesting debate that is brewing regarding the ethics behind monitoring employee behavior.  I thought I would give my $.02 on the subject.  Most surveys show that employees spend 1 to 2 hours each day at work on the Internet doing &#8220;personal&#8221; things.  This can be social networking, online gaming, [...]]]></description>
			<content:encoded><![CDATA[<p>There is an interesting debate that is brewing regarding the ethics behind monitoring employee behavior.  I thought I would give my $.02 on the subject.  Most surveys show that employees spend 1 to 2 hours each day at work on the Internet doing &#8220;personal&#8221; things.  This can be social networking, online gaming, chats, instant messages, eBay, online banking, and a host of other things.  The reasons many give for using the Internet at work range from a lack of access at home, or a faster connection at work, to simple boredom.</p>
<p>In an <a href="http://www.wisegeek.com/how-do-employers-monitor-internet-usage-at-work.htm">article</a> I read recently it said this: &#8220;Whatever the reasoning and whatever the task, employers are less than pleased when their employees waste company time and money to do non-work related tasks online. Most people would feel the same way if they were a business owner, but business values aside, sometimes the temptation to surf is too great to resist. As a result, a vast number of employers have turned to surveillance technology to monitor their employees’ Internet usage at work.&#8221;</p>
<p>As it says, many employers have already turned to surveillance technology to monitor employees.  While some employees are outraged, if they were in the employer&#8217;s shoes they might not be as angry.  I am a big proponent of employee monitoring.  Certainly a company should tell employees it is doing it.  Internet use and related matters should be clearly set out in policy and procedural documents that the employees have read and understand.  But once the legalities are taken care of, employers not only have the right to know what their employees are doing, they need this technology to keep their organizations safe.</p>
<p>The 1 to 2 hours spent by employees on personal web surfing each day is the time when they are most likely to compromise their systems by falling prey to phishing, pharming, social engineering, or other attacks.  Beyond that, shouldn&#8217;t they be working?  Monitoring employees dramatically reduces wasted time.  This results in the need for fewer employees or simply an overall increase in work volume.  Either way, monitoring software more than pays for itself; its cost becomes a small fraction of the money saved.  I really can&#8217;t imagine any company that would not want this kind of software on every one of its employees&#8217; workstations&#8230;including remote workers, travelers, and telecommuters.</p>
<p>Some employers say that the management of software like this is overwhelming and that is why they don&#8217;t do it.  There are software packages available today that do a great job of centrally managing ALL workstations and giving you a complete view of your employees&#8217; productivity.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/employee-monitoring/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Facebook Plague</title>
		<link>http://www.atthebreach.com/blog/the-facebook-plague/</link>
		<comments>http://www.atthebreach.com/blog/the-facebook-plague/#comments</comments>
		<pubDate>Mon, 24 May 2010 16:10:45 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Awareness Technologies]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=540</guid>
		<description><![CDATA[I thought it was extremely amusing when I saw this Facebook screen shot in an article.  It is a shot of the Facebook page of a guy named &#8220;Charlie&#8221; who was warned by his employer that he was spending too much time on Facebook.  Read the email, and then read his response just [...]]]></description>
			<content:encoded><![CDATA[<p>I thought it was extremely amusing when I saw this Facebook screen shot in an article.  It is a shot of the Facebook page of a guy named &#8220;Charlie&#8221; who was warned by his employer that he was spending too much time on Facebook.  Read the email, and then read his response just below it.  Remember, he took the email as a token of pride and pasted it on his Facebook wall.</p>
<p><a href="http://www.atthebreach.com/wp-content/uploads/FacebookIdiot.png"><img src="http://www.atthebreach.com/wp-content/uploads/FacebookIdiot.png" alt="" title="FacebookIdiot" width="560" height="651" class="alignright size-full wp-image-541" /></a></p>
<p>Employers should be worried about how much time employees are spending on social networking sites like Facebook.  While there are lots of solutions out there that allow employers to see where employees are going on the Internet, many lack the detail and overall context needed to really understand how much productivity is being lost.  One tool that I have seen that is really good at giving employers a complete picture is one from <a href="http://www.awarenesstechnologies.com/">Awareness Technologies</a>.  It seems far superior to traditional web content filtering solutions.  Plus it looks like the agent can do a bunch more to help increase productivity and decrease the risk of an information security breach.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/the-facebook-plague/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Heartland Payment Systems Class Action Settlement</title>
		<link>http://www.atthebreach.com/blog/heartland-payment-systems-class-action-settlement/</link>
		<comments>http://www.atthebreach.com/blog/heartland-payment-systems-class-action-settlement/#comments</comments>
		<pubDate>Fri, 14 May 2010 15:50:47 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Awareness Technologies]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=537</guid>
		<description><![CDATA[Preliminary approval was granted by a federal court in Texas for Heartland Payment Systems to establish a $4 million fund to settle a consumer class action suit brought against the payment processor.  The Heartland data breach is estimated to have exposed the information of 130 million credit cards.  Heartland made the announcement about the breach [...]]]></description>
			<content:encoded><![CDATA[<p>Preliminary approval was granted by a federal court in Texas for Heartland Payment Systems to establish a $4 million fund to settle a consumer class action suit brought against the payment processor.  The Heartland data breach is estimated to have exposed the information of 130 million credit cards.  Heartland announced the breach during the inauguration of President Obama in January of 2009.</p>
<p>This is an EXTREMELY low figure to settle a class-action case.  This really goes to show that Heartland proved well that it had followed the stipulations outlined in the Payment Card Industry Data Security Standard.  So while it was still breached, it had followed protocol, even though it could have done some simple things to prevent the exploit.  Compare this to the Veterans Administration case a couple of years ago, where a laptop was stolen that had 26.5 million records on it (1/5 of the Heartland case): they got the laptop back, no fraud was ever reported, and they still had to settle a class-action lawsuit for 20 million dollars.  Endpoint security is critical today and will only become more so in the future.</p>
<p>http://www.computerworld.com/s/article/9176431/Court_gives_preliminary_OK_to_4M_consumer_settlement_in_Heartland_case?taxonomyId=84</p>
<p>http://www.bankinfosecurity.com/articles.php?art_id=2498</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/heartland-payment-systems-class-action-settlement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Verizon Business Study Results</title>
		<link>http://www.atthebreach.com/blog/verizon-business-study-results/</link>
		<comments>http://www.atthebreach.com/blog/verizon-business-study-results/#comments</comments>
		<pubDate>Fri, 07 May 2010 02:06:27 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security Data]]></category>
		<category><![CDATA[Awareness Technologies]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=530</guid>
		<description><![CDATA[An interesting research report came out from Verizon Business about IT security spending.  Here are a few of the points they made and a few comments I have on them.
Organisations are typically over-investing in some areas, while neglecting other parts that would yield significant gains, said Peter Tippett, vice-president of technology and innovation at [...]]]></description>
			<content:encoded><![CDATA[<p>An interesting research report came out from Verizon Business about IT security spending.  Here are a few of the points they made and a few comments I have on them.</p>
<p>Organisations are typically over-investing in some areas, while neglecting other parts that would yield significant gains, said Peter Tippett, vice-president of technology and innovation at Verizon Business. </p>
<p> &#8211; TRUE – This is especially true because organizations don’t stop, look at the current threat landscape, and evaluate whether their existing technologies are the best way to mitigate the current risk.  Usually they just stick with what they currently have.</p>
<p>&#8220;Up to 40% of money spent on IT security is wasted,&#8221; he told Computer Weekly. </p>
<p> &#8211; I would tend to agree with this.  That 40% could be spent on effective solutions that truly reduce the organization&#8217;s risk.</p>
<p>Many organisations are increasingly spending money on insider threats, but in reality only 11% of successfully exploited data breaches in the past five years have been internal parties alone, according to the latest Verizon Business Data Breach Investigations Report.</p>
<p> &#8211; I question this statement and here is why.  Verizon Business usually bases these reports on its caseload, which means only the companies that have called them to do forensic analysis are the ones in the study.  Well, not every company that has a breach calls Verizon.  In fact, stop and think for a minute.  If you have an insider breach, usually you know about it.  Usually it is low tech.  Usually you don’t need Verizon for that type of case.  Also, companies do not like to disclose insider breach cases.  If a hacker gets them, most people say “boy, those hackers are really smart,” but if an insider gets away with a bunch of stuff people say “what kind of company hires a person like that?” or “what lousy policies and procedures that company must have for that incident to occur.”  An insider breach is the company’s fault (at least that is the perception).</p>
<p>Most breaches involve multiple sources, but even then research shows that only 20% overall involved internal parties.</p>
<p> &#8211; I don’t agree with this either.  This is a fundamental problem with the way people look at breaches.  If a hacker exploits a vulnerability on a web server, gets access to internal systems, and downloads a database of sensitive information, everyone blames the hacker 100%.  Isn’t there some responsibility on the internal IT person who didn’t patch the system?  Couldn’t we blame the IT person for misconfiguring the web server to let the hacker in?  When looked at in this way, insiders play a much larger role in information security breaches than many might think.</p>
<p>The research shows that being able to patch systems faster will reduce enterprise security risk by about 2%.</p>
<p> &#8211; I agree with this.  Verizon, in a separate report several months ago, showed how infrequently hackers use 0-day exploits.  In nearly all cases hackers were using old, established, well-known vulnerabilities and exploits.  It isn’t about patching faster, it is about patching, and patching consistently.</p>
<p>&#8220;But by simply eliminating systems with default passwords that are easy to guess will cut risk by at least 25%, 10 times more than patching faster,&#8221; said Tippett.</p>
<p> &#8211; I agree with this as well.  Default passwords and easily guessable credentials are one of the top ways external breaches occur.</p>
<p>&#8220;An organisation can reduce its risk by 85% simply by finding out where all its servers are, where all its data is stored and what connections there are to it,&#8221; he said.</p>
<p> &#8211; I 100% agree with this.  Most organizations that go through a system and data discovery can’t believe all the places that sensitive data resides.  </p>
<p>Even though bigger companies tend to look for default passwords, they look only at critical systems and tend to ignore those that have nothing to do with the business, but this is another mistake, said Tippett.</p>
<p> &#8211; This is a big mistake because “less important systems” are often used by individuals who have access to the mission critical systems and once you compromise one system, you can have access to anything that system has access to.</p>
<p>&#8220;Hackers don&#8217;t care what is critical and what is not &#8211; they just use their tools to find the things that are easiest to get into, and once they are in, they move from there.&#8221; </p>
<p> &#8211; True, although I think this is changing a little as hackers get better at analyzing the systems they compromise for potential value.</p>
<p>&#8220;Discovery is the most important thing you can do. It is the first step in every risk-management programme. Yet it is the thing almost everyone ignores.&#8221;</p>
<p> &#8211; Certainly one of the most important things you can do.</p>
<p>lastly&#8230;. Verizon Business needs to learn how to spell OrganiZation!</p>
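<p>Tippett&#8217;s two biggest levers above, eliminating default passwords and discovering where servers, data and connections are, come together in one check: which critical systems a default-credential foothold on a &#8220;less important&#8221; system can reach.  The Python below is an added example written for this post, not code from Verizon Business or from At The Breach; the hostnames, the connection map and the default-credential list are constructed for illustration, and a real audit would feed it scan results and the vendors&#8217; published defaults instead.</p>

```python
"""
Added example (not from the At The Breach post or the Verizon report):
audit a constructed asset inventory for services still using vendor-default
credentials, then walk the recorded connections from each such foothold to
see which critical systems it can reach. Every host, credential and
connection below is constructed for illustration.
"""
from collections import deque

# Constructed default-credential list (assumption: a real audit loads the
# vendor-published defaults for each product in the inventory).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "toor"),
    ("sa", ""),
}

# Constructed inventory: (host, service, username, password, is_critical).
# The printer and lab switch are the "less important" systems Tippett
# describes; nobody thought to change their defaults.
INVENTORY = [
    ("db01", "mssql", "sa", "", True),
    ("web01", "ssh", "deploy", "K2#v9pL0qX", True),
    ("printer-3f", "http-admin", "admin", "admin", False),
    ("lab-switch", "telnet", "admin", "password", False),
    ("backup02", "ssh", "root", "Zq8!mTn4wR", True),
]

# Constructed connection map: host -> hosts it can reach (firewall rules,
# trust relationships, shared management credentials).
CONNECTIONS = {
    "printer-3f": ["web01"],
    "lab-switch": ["printer-3f", "backup02"],
    "web01": ["db01"],
    "backup02": ["db01"],
    "db01": [],
}


def default_credential_hits(inventory, defaults=DEFAULT_CREDENTIALS):
    """Return the hosts whose (username, password) pair is a known default."""
    return sorted({host for host, _svc, user, pw, _crit in inventory
                   if (user, pw) in defaults})


def reachable_from(start, connections):
    """Breadth-first walk of the connection map from one foothold.

    Returns every host reachable from `start`, excluding `start` itself.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for nxt in connections.get(host, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def exposed_critical_systems(inventory, connections, defaults=DEFAULT_CREDENTIALS):
    """Map each default-credential foothold to the critical hosts it exposes.

    A foothold that is itself critical counts as exposed, as do all critical
    hosts reachable from it over the connection map.
    """
    critical = {host for host, _svc, _u, _p, crit in inventory if crit}
    return {
        host: sorted((reachable_from(host, connections) | {host}) & critical)
        for host in default_credential_hits(inventory, defaults)
    }


if __name__ == "__main__":
    for foothold, targets in exposed_critical_systems(INVENTORY, CONNECTIONS).items():
        print(f"{foothold}: default credentials; exposes critical {targets}")
```

<p>Run as a script, it prints one line per default-credential host with the critical systems that host can reach.  Note that the two non-critical devices expose more critical systems than the database server whose own default password was never changed, which is the point of Tippett&#8217;s remark about looking only at critical systems.</p>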
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/verizon-business-study-results/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are social media platforms the Jurassic Park of computing?</title>
		<link>http://www.atthebreach.com/blog/are-social-media-platforms-the-jurassic-park-of-computing/</link>
		<comments>http://www.atthebreach.com/blog/are-social-media-platforms-the-jurassic-park-of-computing/#comments</comments>
		<pubDate>Fri, 05 Mar 2010 20:40:35 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=527</guid>
		<description><![CDATA[Link to article
Kevin Prince is chief technology officer of Perimeter E-Security.
The views expressed are his own. –
Social Networks have grown out of control. Literally. Today, neither users nor social networking companies can control the monsters they have created. Think Jurassic Park: where John Hammond wanted to build something no one else had ever done, a [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blogs.reuters.com/great-debate/2010/03/05/are-social-media-platforms-the-jurassic-park-of-computing/">Link to article</a></p>
<p>Kevin Prince is chief technology officer of Perimeter E-Security.<br />
The views expressed are his own. –<br />
Social Networks have grown out of control. Literally. Today, neither users nor social networking companies can control the monsters they have created. Think Jurassic Park: where John Hammond wanted to build something no one else had ever done, a fun theme park combined with a zoo of cloned dinosaurs.  He built what he thought would be adequate security, but in reality, didn’t understand nearly enough about the environment he was trying to control.  People naturally trusted that proper security was in place and that they would of course be safe. Quickly things spiral out of control, and nearly everyone gets eaten by the end of the movie.<br />
The creators of social networking sites — yes all of them — are just like John Hammond. Their unique ideas caught on in such a viral way that just keeping up with the bandwidth, processing power, storage, development, and everything else required to keep the system online is an amazingly complex, never-ending task. For most of these sites, security is – and has always been – an afterthought. Some of them try, but it’s a bit like closing the amusement park gates after the Tyrannosaurus has bolted.<br />
The users of social networking sites also contribute to the problem. Most are absolutely reckless when it comes to behavior on the sites. A while ago, I ran a social networking experiment on Facebook. I created a new user profile based on a free Google mail account. I chose the name Rebecca Johnson, made her 26, and used a profile picture of a three-year-old girl in a dress that I snagged from a department store website. No other information was in the profile. I wanted to see what would happen when I invited random strangers to be friends with this fictitious person.<br />
Lucky for me, Facebook presents you with people it thinks you might know. Due to a lack of information in my profile, Facebook presented me with people of all ages that live in my county (obviously they were looking at my IP address and correlating that with my city). I of course knew none of these people but went ahead and invited them and others. In all, I invited 250 totally random people to be my friends. The only criteria I used: they had to have profile pictures. My logic: if you don’t have a profile picture, you’re probably not a serious or frequent user. Here’s a timetable of what happened next.<br />
8:00am – Invite Friends<br />
8:02am – My first friend accepts the invitation<br />
9:00am – 6 Friends<br />
10:00am – 12 Friends<br />
3:00pm – 28 Friends<br />
After one week, I had 140 friends. Forty-seven people ignored my request; three questioned me via email saying, “I am kind of embarrassed, how do I know you again?”; I had 60 “pending” requests; and one friend invitation with an email saying, “Hey, I must know you because we know three of the same people.”<br />
If you remove the pending requests, nearly 75 percent of requests ended in the person accepting me as a friend. And it got worse: after one month, I had 187 friends out of that initial 250 friend requests. In other words: A staggering percentage of people will accept a friend request from someone they don’t know.<br />
So, does that really matter? What harm can come from it, right? Well, let me tell you: Rebecca Johnson now has an intimate knowledge of her 187 friends’ lives:<br />
Most have posted recent photos of themselves and their loved ones. One took pictures of every room in her house after a recent remodel and then began “a much needed vacation” to California and announced she wouldn’t be back for two weeks.<br />
Several were young kids still in high school. Facebook is a cyber-stalker’s dream come true. For many friends, you can know their every move. For others, you know the major events in their lives. Even a mildly creative person can come up with hundreds of ways this information could be exploited. Think of the information that most of us have entered into Facebook.<br />
Name, sex, birthday, relationship status and interests, political views, religious views, email address, schools, employment, location, other friends, photos, videos, not to mention whatever comes into our heads and gets posted on our walls. Rebecca Johnson knows when people are coming, when they are going, who they will be with, and much, much more.<br />
Another huge problem is passwords. All too often people use simple passwords that are either easy to guess or short, or they use the same password on many different systems. Further, the processes that protect these systems are often flawed. For example, to do a password reset you might have to answer some questions about yourself that you entered when initially registering (like your father’s middle name, or what elementary school you attended).  Today, most of these questions are not difficult to discover when combining social networking sites and other Internet resources. This is how Sarah Palin’s email was breached during her campaign.<br />
So it’s no surprise that naive, trusting, apathetic, and unsuspecting users, who don’t think about security, are often the same that become victims of identity fraud.<br />
But there’s another culprit: “cloud computing” providers. Last summer, a hacker broke into the personal Google Mail account of the spouse of an executive at Twitter. And because that account was linked to shared documents in Google Apps (a cloud computing system), hundreds of sensitive company documents were exposed. Is the user to blame or the cloud based services? In the aftermath of the breach, fingers were pointed at a lack of policies and procedures prohibiting links of personal email to corporate resources, the cloud computing service, and everything in between.<br />
And Twitter is not alone: Monster.com, Lexis-Nexis, Facebook, MySpace, and many others have all been compromised at some point. That’s because social network sites make it easy to register, login, remember your login credentials, and even reset your password. They also make it very easy to spoof other users, install malware, send SPAM, or conduct any number of other nefarious acts. Plus, these sites have a growing number of third-party applications and service providers that interact with these services – with little in the way of what most security professionals would consider adequate security.<br />
The combination of weak security procedures, third-party interactions, a user culture of “ease of use” trumping security, and the blending of corporate and personal lives is a formula for disaster. And although social networks have one of the  biggest targets on their back, they’re just one type of cloud computing service.<br />
The harsh reality: Cloud-based application providers think application first, and somewhere down on the list is security.<br />
So what can be done?<br />
First, cloud computing services need a ground-up overhaul of their security. They need to build their systems with security and privacy as the top priority rather than an afterthought. They need to stop blaming the “other guy” and shore up their own code and networks. They need to protect themselves from unauthorized access, data manipulation, data exposure, and a myriad of other threats.<br />
Meanwhile, users need to take responsibility for their own identities and information and stop flaunting it on the Internet. They need to assume that if they post something on the Internet, everyone in the world can see it. They shouldn’t connect personal accounts to corporate resources. They need to use strong (long and complex) passwords that change periodically and are different for each service they use. There are many secure applications for smart phones that can store credentials.<br />
Anything less and the risk of identity theft and fraud will only escalate.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/are-social-media-platforms-the-jurassic-park-of-computing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Host Based Intrusion Prevention</title>
		<link>http://www.atthebreach.com/blog/host-based-intrusion-prevention/</link>
		<comments>http://www.atthebreach.com/blog/host-based-intrusion-prevention/#comments</comments>
		<pubDate>Fri, 05 Mar 2010 18:38:15 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=525</guid>
		<description><![CDATA[Some people often wonder about the value of host based intrusion prevention systems.  There is a good article recently released by Perimeter E-Security on this topic.
]]></description>
			<content:encoded><![CDATA[<p>Some people often wonder about the value of host based intrusion prevention systems.  There is a good <a href="http://www.perimeterusa.com/public/files/Securing-Critical-Systems-with-Host-Based-Intrusion-Prevention.pdf">article</a> recently released by Perimeter E-Security on this topic.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/host-based-intrusion-prevention/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Varolo</title>
		<link>http://www.atthebreach.com/blog/varolo/</link>
		<comments>http://www.atthebreach.com/blog/varolo/#comments</comments>
		<pubDate>Fri, 05 Feb 2010 05:44:52 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Varolo]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=554</guid>
		<description><![CDATA[<a href="http://www.varolo.com">Varolo</a> is an amazing website that allows users to watch advertisements in exchange for cash and weekly jackpots.  There is a ton of information at <a href="http://www.varolo.com">Varolo.com</a> in addition to their official blog site at <a href="http://blog.varolo.com">blog.varolo.com</a>.  The most important thing you can do is watch the short 2 minute <a href="http://www.varolo.com/tour.php">Varolo video tour</a>.  ]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.varolo.com">Varolo</a> is an amazing website that allows users to watch advertisements in exchange for cash and weekly jackpots.  There is a ton of information at <a href="http://www.varolo.com">Varolo.com</a> in addition to their official blog site at <a href="http://blog.varolo.com">blog.varolo.com</a>.  The most important thing you can do is watch the short 2 minute <a href="http://www.varolo.com/tour.php">Varolo video tour</a>.  </p>
<p>There is also the same 2 minute <a href="http://www.youtube.com/watch?v=UFevuBV4-RA">Varolo</a> video posted to YouTube <a href="http://www.youtube.com/watch?v=UFevuBV4-RA">here</a>, as well as a <a href="http://www.youtube.com/watch?v=-IqcMruvU9A">Varolo Sneak Preview</a> video.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/varolo/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 10 Information Security Threats of 2010</title>
		<link>http://www.atthebreach.com/blog/top-10-information-security-threats-of-2010/</link>
		<comments>http://www.atthebreach.com/blog/top-10-information-security-threats-of-2010/#comments</comments>
		<pubDate>Mon, 18 Jan 2010 03:29:48 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security Data]]></category>
		<category><![CDATA[2010]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[data security breach]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[information security breach]]></category>
		<category><![CDATA[threats]]></category>
		<category><![CDATA[top threats]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=517</guid>
		<description><![CDATA[Each year Kevin Prince, CTO at Perimeter E-Security writes a paper regarding what he feels are the top threats for the coming year.  Over the past several years, his papers have not only been insightful, but spot on in nearly everything he has predicted.  Perimeter just released the 2010 version and can be [...]]]></description>
			<content:encoded><![CDATA[<p>Each year Kevin Prince, CTO at Perimeter E-Security writes a paper regarding what he feels are the top threats for the coming year.  Over the past several years, his papers have not only been insightful, but spot on in nearly everything he has predicted.  Perimeter just released the 2010 version and can be found <a href="http://www.perimeterusa.com/wp/Top-10-of-2010.pdf">HERE</a>.</p>
<p>It is a great read!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/top-10-information-security-threats-of-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Announcement on China</title>
		<link>http://www.atthebreach.com/blog/google-announcement-on-china/</link>
		<comments>http://www.atthebreach.com/blog/google-announcement-on-china/#comments</comments>
		<pubDate>Wed, 13 Jan 2010 18:48:24 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[censorship]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[human rights activists]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=515</guid>
		<description><![CDATA[Google made a significant announcement on their blog recently.  The blog post is at http://googleblog.blogspot.com/2010/01/new-approach-to-china.html.  It has to do with Google potentially pulling out of China altogether.  It states that Google is no longer willing to filter results and they appear willing to close up shop in China.  According to the [...]]]></description>
			<content:encoded><![CDATA[<p>Google made a significant announcement on their blog recently.  The blog post is at <a href="http://googleblog.blogspot.com/2010/01/new-approach-to-china.html">http://googleblog.blogspot.com/2010/01/new-approach-to-china.html</a>.  It has to do with Google potentially pulling out of China altogether.  It states that Google is no longer willing to filter results and they appear willing to close up shop in China.  According to the post, it looks like the straw that broke the camel&#8217;s back was a series of successful attacks against Google originating from China.  These attacks appear to have been directed at activists who actively promote human rights in China.  They were apparently attempting to compromise Gmail accounts.  Google also discovered through this experience that many human rights activists had already had their Gmail accounts compromised through malware, phishing, or other techniques.  </p>
<p>I must commend Google on the way they handled the information security breach.  They are forthright about it.  See, Google understands that breaches happen.  They also understand they are significant and must be addressed promptly.  They put in the resources to delve fully into them…which often uncovers additional issues.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/google-announcement-on-china/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The yin and yang of cybersecurity</title>
		<link>http://www.atthebreach.com/blog/the-yin-and-yang-of-cybersecurity/</link>
		<comments>http://www.atthebreach.com/blog/the-yin-and-yang-of-cybersecurity/#comments</comments>
		<pubDate>Tue, 22 Dec 2009 12:36:40 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Breach Source]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Identity Theft Protection]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=507</guid>
		<description><![CDATA[The yin and yang of cybersecurity
December 21, 2009 10:00 AM
Howard (right) and Prince (below) say online peace can only come when corporations achieve &#8220;cyberbalance.&#8221; Photos: Perimeter
On  the Internet, the good guys and the bad guys are inextricably connected. But what happens when one side gets the upper hand?
By Doug Howard, chief strategy officer, and [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://brainstormtech.blogs.fortune.cnn.com/2009/12/21/the-yin-and-yang-of-cybersecurity/">The yin and yang of cybersecurity</a><br />
December 21, 2009 10:00 AM</p>
<p>Howard (right) and Prince (below) say online peace can only come when corporations achieve &#8220;cyberbalance.&#8221; Photos: Perimeter</p>
<p>On  the Internet, the good guys and the bad guys are inextricably connected. But what happens when one side gets the upper hand?</p>
<p>By Doug Howard, chief strategy officer, and Kevin Prince, chief technology officer, Perimeter E-Security</p>
<p>(The following is an edited excerpt of the forthcoming book, Security 2020, scheduled to be published next year.)</p>
<p>Since the inception of computers and more specifically, our global reliance upon them, the number, severity, complexity, and source of security threats have all increased exponentially many times over.</p>
<p>Why do threats emerge? Sometimes a developer wants notoriety (that was the primary motivation in the late ’90s and the first few years of the new millennium), but today the main force behind digital threats is the hope of monetary gain.  Political and religious motivations are coming on strong, too.</p>
<p>At the same time, threat mitigation solutions and tactics are constantly being developed to deal with these threats.  These solutions evolve over time and balance out each new threat. The problem comes when threats emerge faster than solutions, and companies lose their balance.</p>
<p>The “white hats” (the good guys that help develop and implement solutions) and “black hats” (cyber criminals) have a relationship not unlike yin and yang in Chinese philosophy.   Seemingly opposing forces are interconnected, giving rise to each other in turn.</p>
<p>Yin and yang are thought to arise together from an initial quiescence or emptiness and continue to move in tandem until quiescence is reached again.  For example, dropping a stone in a calm pool of water will simultaneously raise waves and lower troughs between them.  This will radiate outward until the movement dissipates and the pool is calm once more.</p>
<p>According to Chinese philosophy, yin and yang will always have the following characteristics (and so, too, do “white hats” and “black hats”):</p>
<p>    * They are opposing.  The good guys are always trying to stop the bad guys.  The bad guys are always looking for the next way to outsmart the good guys.<br />
    * They are rooted together.  For example, the discovery of a critical vulnerability will simultaneously start a flurry of development for patches and fixes by the good guys and of malware and scripts to exploit it by the bad guys.<br />
    * They transform each other.  New technologies and tactics are developed to counteract the effects of previous technologies and tactics.<br />
    * One cannot exist without the other.  If all the cyber criminals disappeared tomorrow, you would have no need for security professionals.  (Without cybercrooks, our firm, Perimeter, and many others would be out of a job.)</p>
<p>But there is one characteristic of information security that is not always true.  Yin and Yang are always balanced, but information security is sometimes out of balance.</p>
<p>What causes these forces to become out of balance? For starters, new threats can emerge and evolve so quickly that mitigation solutions are not available quickly enough.  Sometimes companies balk at spending money on new solutions, or they simply don’t have the expertise or understanding to deploy, manage, or monitor barriers to cybercrime.</p>
<p>Any of these elements individually can cause problems in the information security space.  (When all of these elements are true at the same time, you have a perfect storm for massive, worldwide impact that causes catastrophic damages and enormous economic loss.)</p>
<p>It’s terrible to say, but sometimes it takes a cyberbreach of significant size to educate companies and consumers about the threats and to get them focused on solutions. After the first denial-of-service attacks (attacks that block legitimate users from accessing sites or applications) in 2001, a number of upstarts and existing security firms rushed to market with technologies to thwart so-called DoS attacks, and companies quickly moved to implement them.</p>
<p>Are we on the verge of a cybercatastrophe? Certainly the black hats are looking for new ways to cause chaos. With hard work, good cybersleuthing and a bit of luck, companies like ours will keep pace with the bad guys’ attacks – but companies need to do their part and get smart about the potential threats. If not, that stone dropped in a pool of water could turn into a tsunami, and it will take a lot of technology, manpower and time to achieve digital quiescence.</p>
<p>Howard is chief strategy officer of Perimeter E-Security, a Milford, Conn.-based provider of information security systems to companies of all sizes. Prince is chief technology officer.</p>
<p><a href="http://brainstormtech.blogs.fortune.cnn.com/2009/12/21/the-yin-and-yang-of-cybersecurity/">Also Posted Here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/the-yin-and-yang-of-cybersecurity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
