
Monday, January 9, 2012

Banks and Credit Unions Scramble to Meet 2012 Deadline on Layered Security

By Chris Pickles, Head of Industry Initiatives, BT Global Banking & Financial Markets

It’s been 7 years since the Federal Financial Institutions Examination Council last updated its guidelines on what security controls US banks and credit unions need to have in place in order to consider themselves adequately protected from security attacks.

With the number of attacks that occurred in 2011 and an increasing number of disputes over liability, these updated recommendations are long overdue.  The key recommendation for banks and credit unions is that they must have layered security – with at least 2 methods of authentication – in place by the end of 2012.

Given that most banks and credit unions have held off on spending out of fear of ongoing economic strife, most have a lot of work to do before they will be considered in compliance with the recommendations.

Guardian Analytics recently conducted a survey revealing just how far behind most banks and credit unions really are.  To read the article and the results of the survey, click here.

Friday, January 6, 2012

California Expands Its Data Breach Notification Law

By Sushila Nair, Security specialist, BT

On January 1, 2012, California’s expanded version of its Identity Theft Law came into full effect.  SB 24, which had been signed into law by Governor Jerry Brown in 2011, established specific content for data breach notifications that must be sent to consumers.

Previously, when a breach occurred, an organization was simply required to notify the consumer that a breach had occurred.  Now, however, the notification letter must be far more specific and include information on the following:

  • A general description of the data breach
  • What type of personal information was subject to the breach
  • The date and time the breach occurred
  • Whether notification was delayed due to a law enforcement investigation
  • The toll-free telephone numbers and addresses of three credit bureaus, if the breach exposed social security numbers, driver’s licenses or California identification card numbers

In addition, entities that have been breached must also notify the state if more than 500 people are affected by the breach.

With data breach rules constantly changing, this demonstrates all too clearly how important it is for every business to have a specific privacy and data breach plan.  While this law applies to companies headquartered in and operating in California, the state has demonstrated its ability to influence other legislatures in the past.

Tuesday, January 3, 2012

The Most Influential Voices in Security

To start off the new year we’re taking a look back at some of our favorite moments from 2011.  One of these was Bruce Schneier’s nomination by SOA World Magazine as one of the most influential voices in the security field.

Below is a short excerpt from Viewpoint as to why Bruce is such an influence on this important field:

“He’s moving on from the ‘how’ of security and turning his attention to the ‘why’, and how a group can best provide security for individual members from other members of that group. Schneier calls this societal security and defines it as “where security really gets interesting”.

There will always be a dishonest minority and there will always be a need for security to protect the honest majority from the machinations of the dishonest. What Schneier is examining now is how the information age affects the security systems society puts in place and what changes will be needed in the future.”

To read the entire post click here.

Tuesday, December 27, 2011

Death by Thousand Clicks is Not Your Only Option

By Tara Savage, Senior Marketing Manager, BT Global Services

The thought of engaging in social media campaigns is enough to send many companies into a feverish fit.  You know your company needs to be online; to not participate in the social side of business is, as Jim Tiller, BT’s Global Practice Head of Security Services, puts it, “death by a thousand clicks.”

But as Jim notes in his recent post on BT’s Viewpoint blog, there are other options!  In Tiller’s opinion the first step to thriving online is to have a clearly codified plan and policies for data and brand protection.  The second step is to ensure that this plan is regularly tested, to keep pace with where vulnerabilities may arise and to be able to mitigate them preemptively.

To read more of what Jim has to say about how ethical hacking and vulnerability testing can keep your company safe online and in the good books with your customers, click here.

Friday, December 23, 2011

It’s Time to Find Out Who’s Naughty and Nice

By Tara Savage, Senior Marketing Manager, BT Global Services

Now that you know a few of our favorite things over at SecureThinking, it’s time we worked out who was naughty and who was nice in the IT security world this year.  It goes without saying that all of our bloggers made the nice list, but what about everyone else?

First up, the naughty list:

  1. At the top of our list is everyone and everything connected to cybersecurity!  2011 was the worst year on record of cyber attacks against major companies, both in terms of number of attacks and amount of data compromised.  But who’s to blame?  Is the security side of the equation not making products that are effective and not innovating or is the ‘consumer’ side of the house not implementing a comprehensive security plan? Given that the security forecast looks just as bleak for 2012, the key question is what will help?
  2. Companies that don’t embrace cybersecurity proactively.  Based on the naughty list’s first place holder, this is a serious issue for most companies.  Given how much we reveal and store about ourselves online, that we entrust so much information to anonymous ‘others’, and the fact that we want to access our socially networked lives from within the corporate network, it is something we all need to address, and quickly, too.  Time and time again our experts stress a combination of policy and user education.
  3. Risk Assessments.  Technically, the jury’s still out on this one as our experts continue to debate the merits, but clearly it’s time for some reassessment in this vital endeavor.  So far the use of risk maps seems less popular than it once was, and dividing the idea of risk into normal risk vs. exceptional risk is helping to guide more people’s decision making.  We’ve had some interesting feedback from our readers as well…so much so that we’ve got a second installment of the debate planned for the new year.

And now for the nice list!

  1. Secure mobile working.  At BT we’re huge fans of mobile working, when it’s done right.  But what exactly does ‘done right’ mean?  From our perspective it certainly doesn’t mean a fear-based response where the subject is avoided and employees are chained (metaphorically, of course) to their desks.  So how do you enable workers to work securely while on the go?  Jill Knesek, BT’s CSO says it all comes down to user education.  Empower your users through education, training, and reinforcement and you’ll be rewarded with a more responsive workforce and more satisfied customers.
  2. As I said at the start, our bloggers deserve a mention on the nice list.  Not only do they produce interesting content (with great titles!), but they contribute to the security industry through service on special interest groups, in industry associations, and through thought leadership.  Be sure to look out for Bruce Schneier’s new book Liars and Outliers in 2012.
  3. Next Generation Firewalls.  We’ve blogged about them before, but next generation firewalls are a security innovation really worth considering.  It is a technology that addresses the stagnation in firewall development.  Next-generation firewalls put application visibility and control back into the firewall, removing the need to deploy additional filtering technology.  This approach has brought the enforcement of security policy back to the firewall, where it belongs.  In doing so, proxy and filtering solutions can be used for what they were designed to do: acceleration and bandwidth management.

Tell us, who do you think should have received a lump of coal in their stocking this year, or a few extra chocolate coins?

Friday, December 23, 2011

A Few of my Favorite Things

By Tara Savage, Senior Marketing Manager, BT Global Services

Raindrops on roses and whiskers on kittens
Bright copper kettles and warm woolen mittens
Brown paper packages tied up with strings
These are a few of my favorite things…

But it doesn’t just stop there… this past year, we’ve had many favorite things on our SecureThinking list.  In fact, we thought that now would be the perfect time to recap our ten most popular posts from 2011, just in case you missed them the first time around.

  1. Healthcare Security Breaches Can Cause Millions in Fines: Jim Tiller discusses the cost of security and why compliance costs are less than a third of the cost of non-compliance.
  2. Mobile App Developers Make the Same Mistake: from our Ethical Hacking group, Konstantinos Karagiannis blogs on how old development mistakes can plague even the most cutting-edge applications or devices.
  3. Does PCI Apply to VoIP? The PCI Council released several guidance documents this past year, and our in-house security expert, Sushila Nair, provided insight on how these changes were affected by new technologies.
  4. Security Around the World Series: this past year, we featured the regional CSOs from EMEA, Latin America and India to discuss the challenges they each faced in their part of the world.
  5. Assessing Risk in a Mobile World: Jill Knesek addresses a challenge that is top of mind for most global CSOs: mobile security.
  6. Cloud Security Q&A: with many organizations considering moving to the cloud and creating strategies to secure it, this blog addresses initial cloud security challenges across three platforms.
  7. Evil Dad and the Internet: a whole new generation is rising with technology an integral part of its culture.  How do we ensure that this generation understands security from the start?  Martin Brown explains in this post.
  8. Are Risk Assessments Outdated? Several of our bloggers debate the latest in security best practices.  Have an opinion?  Join in on the debate and leave your comments.
  9. Xtranormal Security: the age-old question of whether you should manage your own security or outsource it is addressed in this interesting video blog.
  10. Staying out of the Headlines: Jeff Schmidt, our new Global Head of Business Continuity, discusses how organizations can take steps to avoid the security breaches that have filled media headlines of late.

Were there other posts that you enjoyed?  Let us know some of your favorites.


Monday, December 19, 2011

Guest Post: 2012 Cyber Security Predictions from the Websense Security Labs

By Patrik Runald, Sr. Manager, Security Research, Websense

With all of the crazy 2011 security breaches, exploits and notorious hacks, what can we expect for 2012? Last year’s Websense Security Labs predictions were very accurate, so these predictions should provide very useful guidance for security professionals. Here are the top 5; the full report can be downloaded here.

1. Your social media identity may prove more valuable to cybercriminals than your credit cards. Bad guys will actively buy and sell social media credentials in online forums.

Trust is the basis of social networking, so if a bad guy compromises your social media log-ins, there is a good chance they can manipulate your friends. Which leads us to prediction #2.


2. The primary blended attack method used in the most advanced attacks will be to go through your social media “friends,” mobile devices and through the cloud.

We’ve already seen one APT attack that used the chat functionality of a compromised social network account to get to the right user. Expect this to be the primary vector, along with mobile and cloud exploits, in the most persistent and advanced attacks of 2012.


3. 1,000+ different mobile device attacks coming to a smartphone or tablet near you.

People have been predicting this for years, but in 2011 it actually started to happen. And watch out: the number of people who fall victim to believable social engineering scams will go through the roof if the bad guys find a way to use mobile location-based services to design hyperspecific geolocation social engineering attempts.


4. SSL/TLS will put net traffic into a corporate IT blind spot.

Two trends are increasing traffic over SSL/TLS secure tunnels for privacy and protection. First is the disruptive growth of mobile and tablet devices. Second, many of the largest, most commonly used websites, like Google, Facebook, and Twitter, are switching to https sessions by default, ostensibly a more secure form of transmission. But as more traffic moves through encrypted tunnels, many traditional enterprise security defences are going to be left looking for a threat needle in a haystack, since they cannot inspect the encrypted traffic.


5. Containment is the new prevention.

For years, security defenses have focused on keeping cybercrime and malware out. Organizations on the leading edge will implement outbound inspection and will focus on adapting prevention technologies to be more about containment, severing communications, and data loss mitigation after an initial infection.


Friday, December 16, 2011

That’s Dr. Bruce to You

By Tara Savage, Senior Marketing Manager, BT Global Services

We were delighted to learn that our very own CSTO and in-house security guru, Bruce Schneier, has been awarded an honorary doctorate from the University of Westminster’s School of Electronics and Computer Science.

Bruce was awarded the honor for his ‘hard work and contribution to industry and public life.’  We certainly know how hard he works for BT and its customers and are proud to see his accomplishments recognized by others. 

Congratulations, Dr. Bruce!

This article appeared online in PC Advisor and on the University of Westminster’s web site.

Tuesday, November 22, 2011

Are Financial Institutions Feeling Stressed About More Than Cash Reserves?

By Chris Pickles, Head of Industry Initiatives, BT Global Banking and Financial Markets

Today there’s a “Market-Wide Exercise” taking place in the UK, organised by the UK Treasury, Bank of England and the FSA.  Over 80 organizations are taking part in it, from national institutions that are fundamental to the operation of the financial sector through major banks and market infrastructures to smaller financial institutions.

It’s a stress test, particularly involving their telecommunications and internet services, to allow the organizations to see how well their systems would be equipped to deal with a potential problem in the outside world.  Progress so far has been interesting.  One of the things that you can look at in a test like this is what dependencies your firm has on external counterparties and service providers: not only making sure that your own internal systems will be OK, but also making sure that their systems will be OK.

Interestingly, of the 80+ financial organizations taking part, only three have contacted us in advance of this test.

Reading through the scenario that they’ll be facing, it seems pretty likely that the participating organisations are going to find some areas of their systems that will make them stumble and trip up.  Having your internal systems prepared is one thing, but organisations in the financial community depend on being able to communicate securely and rapidly with lots of other organisations.  It’s an inter-connected community, not just a collection of separate firms.

BCP exercises are a great way to check your firm’s preparedness in a safe environment.  You can’t know that your organisation is OK unless you talk with your suppliers to make sure that you will get from them what you need to get from them if things outside your firm stop being OK.  As an old TV advert once said, “It’s good to talk”.


Friday, November 4, 2011

Guest Post: Social or Anti-Social?

By Terry Greer-King, Managing Director, UK, Check Point

We recently conducted a survey looking at the growing issue of social engineering, taking in the opinions of over 850 IT and security professionals worldwide.  In it, we found that 42% of UK enterprises have been victims of social engineering attacks.

What’s more, UK businesses said they had experienced 25 or more such attacks in the past two years, at an average cost of over £15,000 per incident.  Internationally, the figure is even worse, with 48% of businesses registering social engineering attacks.

The most common attack vectors were phishing emails (47%) and social networking sites (39%), with new employees (52%) and contractors (44%) being cited as the most susceptible to social engineering techniques.

I believe this highlights two key issues.  Firstly, attackers have switched targets.  Instead of trying to hack directly into systems, they’re now hacking people in order to gain access to corporate resources.  And inevitably, hackers are targeting the members of staff that they suspect are the weakest security links in organisations.  They’re using social networking applications to gather personal and professional information on employees to mount focused, ‘spear phishing’ attacks with the aim of getting the employee to click a plausible-looking link or download a file containing the trojan or malware that will give them access to resources.

So what’s the solution?  Organisations can’t ban email, and although some try and bar access to social networking sites like LinkedIn, certain functions such as sales, marketing or recruitment need access – which means a ban isn’t practical.

The survey data did point towards a key issue that could offer a solution, however:  34% of global respondents, and 44% of UK respondents, said they did not have any employee training or security policies in place to prevent social engineering techniques.

If organisations aren’t making employees aware of the issue, much less introducing it into their security policies, it’s no surprise that so many firms have been successfully targeted by social engineering techniques.

By involving users in the security process, and ensuring they are aware of risks such as spear-phishing attacks, they can become the first line of defence against social engineering threats.  A combination of ongoing education and reminders of corporate policies on these types of threats – especially at the point where users are about to access social networking sites – could well mitigate the social engineering risk to organisations.

Access the full survey report here:  http://www.checkpoint.com/press/downloads/social-engineering-survey.pdf