
Friday, December 23, 2011

It’s Time to Find Out Who’s Naughty and Nice

By Tara Savage, Senior Marketing Manager, BT Global Services

Now that you know a few of our favorite things over at SecureThinking, it’s time we worked out who was naughty and who was nice in the IT security world this year.  It goes without saying that all of our bloggers made the nice list, but what about everyone else?

First up, the naughty list:

  1. At the top of our list is everyone and everything connected to cybersecurity!  2011 was the worst year on record of cyber attacks against major companies, both in terms of number of attacks and amount of data compromised.  But who’s to blame?  Is the security side of the equation not making products that are effective and not innovating or is the ‘consumer’ side of the house not implementing a comprehensive security plan? Given that the security forecast looks just as bleak for 2012, the key question is what will help?
  2. Companies that don’t embrace cybersecurity proactively.  Based on the naughty list’s first place holder, this is a serious issue for most companies.  Given how much we reveal and store about ourselves online, that we entrust so much information to anonymous ‘others’, and that we want to access our socially networked lives from within the corporate network, it is something we all need to address, and quickly, too.  Time and time again our experts stress a combination of policy and user education.
  3. Risk Assessments.  Technically, the jury’s still out on this one as our experts continue to debate the merits, but clearly there’s time for some reassessment in this vital endeavor. So far the use of risk maps seems less popular than it once was and dividing up the idea of risk into normal risk vs. exceptional risk is helping to guide more people’s decision making. We’ve had some interesting feedback from our readers as well…so much so that we’ve got a second installment of the debate planned for the new year. 

And now for the nice list!

  1. Secure mobile working.  At BT we’re huge fans of mobile working, when it’s done right.  But what exactly does ‘done right’ mean?  From our perspective it certainly doesn’t mean a fear-based response where the subject is avoided and employees are chained (metaphorically, of course) to their desks.  So how do you enable workers to work securely while on the go?  Jill Knesek, BT’s CSO says it all comes down to user education.  Empower your users through education, training, and reinforcement and you’ll be rewarded with a more responsive workforce and more satisfied customers.
  2. As I said at the start, our bloggers deserve a mention on the nice list.  Not only do they produce interesting content (with great titles!) but they contribute to the security industry through service on special interest groups, in industry associations, and thought leadership.  Be sure to look out for Bruce Schneier’s new book Liars and Outliers in 2012.
  3. Next Generation Firewalls.  We’ve blogged about them before but next generation firewalls are a security innovation really worth considering.  It is a technology that addresses the stagnation in technology development.  Next-generation firewalls put application visibility and control back into the firewall, removing the need for the deployment of additional filtering technology.  This approach has brought the enforcement of security policy back to the firewall, where it belongs.  In doing so, proxy & filtering solutions can be utilized for what they were designed to do: acceleration and bandwidth management.

Tell us, who do you think should have received a lump of coal in their stocking this year, or a few extra chocolate coins?


Friday, December 23, 2011

A Few of my Favorite Things

By Tara Savage, Senior Marketing Manager, BT Global Services

Raindrops on roses and whiskers on kittens
Bright copper kettles and warm woolen mittens
Brown paper packages tied up with strings
These are a few of my favorite things…

But it doesn’t just stop there… this past year, we’ve had many favorite things on our SecureThinking list.  In fact, we thought that now would be the perfect time to recap our ten most popular posts from 2011, just in case you missed them the first time around.

  1. Healthcare Security Breaches Can Cause Millions in Fines, Jim Tiller discusses the cost of security and why compliance costs are less than a third of the cost of non-compliance.
  2. Mobile App developers make same mistake, from our Ethical Hacking group, Konstantinos Karagiannis blogs on how old development mistakes can plague even the most cutting edge applications or devices. 
  3. Does PCI apply to VoIP, the PCI Council released several guidance documents this past year and our in-house security expert, Sushila Nair provided insight on how these changes were impacted by new technologies. 
  4. Security Around the World Series, This past year, we featured the regional CSOs from EMEA, Latin America and India to discuss the challenges they each faced in their part of the world.
  5. Assessing risk in a mobile world, Jill Knesek addresses a challenge that is top of mind of most global CSOs: mobile security.
  6. Cloud Security Q&A, with many organizations considering moving to the cloud and creating strategies to secure it, this blog addresses initial cloud security challenges across three platforms.
  7. Evil Dad and the Internet, a whole new generation is rising with technology an integral part of the culture.  How do we ensure that this generation understands security from the start? Martin Brown explains in this post. 
  8. Are Risk Assessments Outdated? Several of our bloggers debate the latest in security best practices.  Have an opinion?  Join in on the debate and leave your comments. 
  9. Xtranormal Security, The age-old question of whether you should manage your own security or outsource it is addressed in this interesting video blog.
  10. Staying out of the Headlines, Jeff Schmidt, our new Global Head of Business Continuity, discusses how organizations can take steps to avoid the security breaches that have filled media headlines as of late.

Were there other posts that you enjoyed?  Let us know some of your favorites.


Monday, December 19, 2011

Guest Post: 2012 Cyber Security Predictions from the Websense Security Labs

By Patrik Runald, Sr. Manager, Security Research, Websense

With all of the crazy 2011 security breaches, exploits and notorious hacks, what can we expect for 2012? Last year’s Websense Security Labs predictions were very accurate, so these predictions should provide very useful guidance for security professionals. Here are the top 5; the full report can be downloaded here.

1. Your social media identity may prove more valuable to cybercriminals than your credit cards. Bad guys will actively buy and sell social media credentials in online forums.

Trust is the basis of social networking, so if a bad guy compromises your social media log-ins, there is a good chance they can manipulate your friends. Which leads us to prediction #2.


2. The primary blended attack method used in the most advanced attacks will be to go through your social media “friends,” mobile devices and through the cloud.

We’ve already seen one APT attack that used the chat functionality of a compromised social network account to get to the right user. Expect this to be the primary vector, along with mobile and cloud exploits, in the most persistent and advanced attacks of 2012.


3. 1,000+ different mobile device attacks coming to a smartphone or tablet near you.

People have been predicting this for years, but in 2011 it actually started to happen. And watch out: the number of people who fall victim to believable social engineering scams will go through the roof if the bad guys find a way to use mobile location-based services to design hyperspecific geolocation social engineering attempts.


4. SSL/TLS will put net traffic into a corporate IT blind spot.

Two items are increasing traffic over SSL/TLS secure tunnels for privacy and protection. First is the disruptive growth of mobile and tablet devices. Second, many of the largest, most commonly used websites, like Google, Facebook, and Twitter, are switching to https sessions by default, ostensibly a more secure transmission. But as more traffic moves through encrypted tunnels, many traditional enterprise security defences are going to be left looking for a threat needle in a haystack, since they cannot inspect the encrypted traffic.


5. Containment is the new prevention.

For years, security defenses have focused on keeping cybercrime and malware out. Organizations on the leading edge will implement outbound inspection and will focus on adapting prevention technologies to be more about containment, severing communications, and data loss mitigation after an initial infection.


Friday, December 16, 2011

That’s Dr. Bruce to You

By Tara Savage, Senior Marketing Manager, BT Global Services

We were delighted to learn that our very own CSTO and in-house security guru, Bruce Schneier, has been awarded an honorary doctorate from the University of Westminster’s School of Electronics and Computer Science.

Bruce was awarded the honor for his ‘hard work and contribution to industry and public life.’  We certainly know how hard he works for BT and its customers and are proud to see his accomplishments recognized by others. 

Congratulations, Dr. Bruce!

This article appeared online in PC Advisor and on the University of Westminster’s web site.

Tuesday, November 22, 2011

Are Financial Institutions Feeling Stressed About More Than Cash Reserves?

by Chris Pickles, Head of Industry Initiatives, BT Global Banking and Financial Markets

Today there’s a “Market-Wide Exercise” taking place in the UK, organised by the UK Treasury, Bank of England and the FSA.  Over 80 organizations are taking part in it, from national institutions that are fundamental to the operation of the financial sector through major banks and market infrastructures to smaller financial institutions.

It’s a stress test, particularly involving their telecommunications and internet services, to allow the organizations to see how well their systems would be equipped to deal with a potential problem in the outside world.  Progress so far has been interesting.  One of the things that you can look at in a test like this is what dependencies your firm has on external counterparties and service providers, not only making sure that your own internal systems will be OK but also making sure that their systems will be OK.

Interestingly, of the 80+ financial organizations taking part, only three have contacted us in advance of this test.

Reading through the scenario that they’ll be facing, it seems pretty likely that the participating organisations are going to find some areas of their systems that are going to make them stumble and trip up.  Having your internal systems prepared is one thing, but organisations in the financial community depend on being able to communicate securely and rapidly with lots of other organisations.  It’s an inter-connected community, and not just a collection of separate firms.

BCP exercises are a great way to check your firm’s preparedness in a safe environment.  You can’t know that your organisation is OK unless you talk with your suppliers to make sure that you will get from them what you need to get from them if things outside your firm stop being OK.  As an old TV advert once said, “It’s good to talk”.


Friday, November 4, 2011

Guest Post: Social or Anti-Social?

By Terry Greer-King, Managing Director, UK,  Check Point

We recently conducted a survey looking at the growing issue of social engineering, taking in the opinions of over 850 IT and security professionals worldwide.  In it, we found that 42% of UK enterprises have been victims of social engineering attacks.

What’s more, UK businesses said they had experienced 25 or more such attacks in the past two years, at an average cost of over £15,000 per incident.  Internationally, the figure is even worse, with 48% of businesses registering social engineering attacks.

The most common attack vectors were phishing emails (47%) and social networking sites (39%), with new employees (52%) and contractors (44%) being cited as the most susceptible to social engineering techniques.

I believe this highlights two key issues.  Firstly, attackers have switched targets.  Instead of trying to hack directly into systems, they’re now hacking people in order to gain access to corporate resources.  And inevitably, hackers are targeting the members of staff that they suspect are the weakest security links in organisations.  They’re using social networking applications to gather personal and professional information on employees to mount focused, ‘spear phishing’ attacks with the aim of getting the employee to click a plausible-looking link or download a file containing the trojan or malware that will give them access to resources.

So what’s the solution?  Organisations can’t ban email, and although some try and bar access to social networking sites like LinkedIn, certain functions such as sales, marketing or recruitment need access – which means a ban isn’t practical.

The survey data did point towards a key issue that could offer a solution, however:  34% of global respondents, and 44% of UK respondents, said they did not have any employee training or security policies in place to prevent social engineering techniques.

If organisations aren’t making employees aware of the issue, much less introducing it into their security policies, it’s no surprise that so many firms have been successfully targeted by social engineering techniques.

By involving users in the security process, and ensuring they are aware of risks such as spear-phishing attacks, they can become the first line of defence against social engineering threats.  A combination of ongoing education and reminders of corporate policies on these types of threats – especially at the point where users are about to access social networking sites – could well mitigate the social engineering risk to organisations.

Access the full survey report here:  http://www.checkpoint.com/press/downloads/social-engineering-survey.pdf

Thursday, October 20, 2011

WHEN GOOD ADS TURN BAD: THE NEW THREAT FROM MALVERTISING

By Dave Ewart, Director, Product Marketing for Blue Coat

Online advertising is a huge multi-billion dollar business, supported by large multi-layer ad network infrastructure. And it is effective not only for legitimate advertisers, but also for cyber criminals. Indeed, in our latest 2011 Web Threat Report, malvertising (as in Malicious Advertising) has come from nowhere to arrive at the number three position in its “top ten” methods for web attack in 2010.  Let’s look at how this new phenomenon works, and draw some conclusions about how best to confront it.

Ad networks operate on an Affiliate Marketing model, where advertisers place campaigns with a large number of publishers – large and small — that are paid media fees by referral on some measurable action that tracks traffic to the advertiser. With many degrees of separation and automation between the merchant placing the ad and the space where the ad ends up being placed, reputations and trust are often assumed or inherited through the layers of the affiliate network.

Cyber crime loves to leverage other people’s trust and reputation — as well as their infrastructure — to deliver malicious software to as many people as possible. Injecting a malicious ad into a legitimate ad network enables the cyber criminal to cast a very large net without necessarily making a splash that can be detected.

Like a sleeper cell in a spy novel, patience then pays. Taking time to develop clean reputations within ad networks, and passing multiple sweeps for malware, cyber crime develops valuable and trusted positions within Web advertising structures before launching attacks, leading to a very successful campaign. When the sleeper awakes, routing behind the ad is transformed to take the view or the click-through to a malware host, and the malware connections are able to do their worst in their targeted campaign. Then the next day, they’re gone.

When faced with malvertising, your security systems can’t rely on reputation to decide which ads to block. Instead, we need to look to advanced security systems that rate web properties and the ads they depend on in real-time. Cyber crime’s malvertising tactics tend to launch attacks over the weekend when IT resources are low, defense updates are waiting to be applied and an attack is less likely to be noticed. Remember, classic web defenses are geared towards updates – a new database has to be applied before the security systems can act on the new threat.

Similarly, we can’t rely on waiting for a “security update” to be applied to the user’s computer. It’s probably going to be too late. If your security system has any kind of regular “Click here to update definitions file” requirement, it will likely fail to protect your users, especially on the weekend.

Protecting users at home or on the road — or even at the office – has to be provided on-demand, and you should look to security systems that are based on some kind of cloud-based security model that offers pre-emptive awareness of modern malware techniques like malvertising, and offers on-demand protection against attacks.

Do you have the proper protection in place?

Friday, October 7, 2011

You Love His Blogs, Now See Him Live! Martin Brown at RSA Europe

by Tara Savage, Senior Marketing Manager, BT Global Services

Martin Brown is one of our newest bloggers on SecureThinking, but he’s already garnered a large and loyal following.  If you’re in London next week you’ll have the opportunity to see Evil Dad in person and wearing his workday hat as General Manager of Security Technology and Strategy at BT.

Martin will be part of the panel of experts discussing their perspectives on advanced persistent threats (APT) at the RSA Advanced Persistent Threats Summit, on Monday, October 10th 2011 at 1:50pm.  The panel, “Critical Infrastructure: A View from APT’s Front Lines” showcases bellwether organizations and asks their experts how they’ve dealt with advance persistent threats and how we can adapt their prevention and mitigation strategies to our own business environments.

RSA Europe 2011 is being held at the Hilton London Metropole.


Thursday, August 25, 2011

Telcos at Risk Because of Cyber Skills Shortage

By Tara Savage, Senior Marketing Manager, BT Global Services

Cyberattacks are inevitable and most organizations know that one is coming.  Yet, some are still caught off-guard.  The truth is that knowing an attack is coming and protecting against that attack are not the same thing.

Our very own, Dr. Bob Nowill, Director of Cyber, Consulting and Information Assurance at BT, recently was featured in European Communications where he discussed the shortage of skilled workers in the cyber defense industry.

While the threat of cyber attacks is growing and costs governments, businesses and individuals combined billions of dollars a year to protect their personal and professional data from compromise, the SANS Institute reported in 2009 that 60 percent of UK cyber security employers were hoping to expand their security teams, but 90 percent had already experienced difficulty finding new recruits.

The telecom sector, in particular, is a prime target for attack.  Hackers know that users are more networked than ever before and can open gateways to huge volumes of commercially valuable information. The shortage of cyber security professionals hits this industry the hardest and makes them even more vulnerable.

In an effort to bolster the potential population of talented cyber security defenders, BT works with the Institute of Information Security Professionals and recently lent its support to the Cyber Security Challenge – a U.K.-government backed initiative to find new cyber talent through a series of online games and competitions.

Creating a talented pool of future cyber defenders is imperative, because of the ever-escalating “arms race” between companies and attackers:  Attackers only need to find one route in, but security must cover all of them all the time. Every advance in security and defense has been matched by those seeking to get round it; vice-versa, every new attack from the criminal world has been met by a defense against that insecurity. In addition, companies will need to create over-arching defense strategies that include technology and far-reaching defense policies that take into account the “human factor” of their customers and are aimed at educating them about the dangers they face in being too open on the network.

By supporting the Cyber Security Challenge and other initiatives, we hope to see the recruitment of future cyber defense talent grow.

Tuesday, August 23, 2011

Is Internet Filtering Effective?

By Sushila Nair, Product Manager, BT Counterpane

Ubiquitous connectivity to the Internet has fast become an expectation. In Estonia, France, Spain, Finland and Greece Internet access has been made a human right. It is estimated that there are 360,985,492 Internet users, approximately 30% of the world’s population. Never before have we had the capability to reach so much of the world’s population.

It is a very exciting time, but the Internet has exposed a myriad of issues, everything from copyright violations to work productivity. The question becomes how we control who does what and when, and how we determine the effectiveness of filtering.  Does it work?

The OpenNet Initiative (ONI) announced that 25 countries around the world, out of 41 surveyed, block or filter Internet content, indicating a global trend towards Internet censorship. 

In fact, the Australian Federal Government has announced its intention to introduce new legislation to compel Australian Internet Service Providers (ISPs) to filter all information transfer in Australia, with the intent of stopping the general public from accessing selected information.

Some of the other countries that implement filtering include China, Saudi Arabia, Burma, Iran, Pakistan and South Korea. Even the UK, as a result of the London riots, is exploring whether to turn off social networks or stop people texting during times of social unrest. David Cameron, the UK prime minister, said the intelligence services and the police were exploring whether it was “right and possible” to cut off those plotting violence. Just recently, the UK high court ruled that BT must block access to the site Newzbin, which is seen as a landmark ruling for content providers and increases the likelihood of a growth of Internet filtering through ISPs.

The questions surrounding filtering are many. Beyond the ethics of filtering is how to implement filtering without it being easily defeated or creating a bottleneck.

List-based filtering schemes, which are built on reporting by the general public and actioning by a government-nominated organization, struggle to keep up with the pace and volume at which content is added to the Internet.

Static lists can only capture a small fraction of the material that would be classified as harmful. Dynamic content generation and the use of dynamic addressing adds further complexity. The ease at which a list-based filter can be defeated by using a proxy further limits the effectiveness of any such scheme.

There is no doubt that Internet regulation is only likely to grow, given the importance and far-reaching capabilities of the medium. With this growth we’ll see new and more innovative trends in filtering, where content producers may deny access to their material from specific geographic locales (as BBC iPlayer does) and where more intelligent, automated methods will exist for detecting content and building lists.

No doubt however encrypted traffic, proxy services and other methods for defeating filters will also grow in sophistication. And so the battle continues!