Company News
In The News
- Don't Panic Over the Latest Mac Malware Story (May 19, 2011)
Don't Panic Over the Latest Mac Malware Story
Reposted from SecurityWeek
By Andrew Jaquith, CTO, Perimeter E-Security
William Safire, the late pugilistic pundit and language maven for the New York Times, had as much fun with the English language as a person could have. His On Language column anchored the weekend New York Times Magazine for 30 years, and his bi-weekly observations on the Washington political scene were legend. He wrote with great wit and style. One of my favorite musings of his was his last posting, "How to Read a Column." In it, he instructs readers how to read "between the lines" of opinion and editorial pieces. Among other advice, he exhorted savvy readers to 1) look for insights halfway down the column, rather than in the headline or lede; 2) question motives by asking yourself "who benefits from the story?" and 3) watch out for too-cute writing that tries too hard to be unpredictable or deliberately controversial.
I mention Safire because I suspect he would be amused to read about the recent wave of attacks on the Mac, or perhaps I should say, the current wave of predictions about attacks on the Mac. Longtime Microsoft columnist Ed Bott made national news on May 2nd, when he asserted categorically that "serious malware is coming soon to a Mac near you." As evidence, Ed pointed to a video made by a Danish IT security company named the CSIS eCrime Unit, a company I have never heard of. That video describes a "crimeware" program that can build Mac-compatible Trojan-horse programs for capturing keystrokes and passwords. To lure customers into installing the Trojan, customers that visit poisoned websites are shown native-looking dialogs that try to scare them into downloading fake security software. Ed has since followed up his initial column with four more posts on the same subject. The most recent one describes a large increase in customers who are complaining about malware in Apple support forums. All of these posts are meant to persuade readers that, indeed, the Mac is becoming just like Windows: malware-laden and dangerous.
As with most stories Mac-related, the malware-is-finally-coming story attracted a lot of press. It made the rounds on Techmeme, started a huge flame war on Slashdot, and set Twitter afire. As a former analyst and full-time professional pundit, whenever I see a meme like this one racing around The Interwebs, my ears perk up. And in a manner that Bill Safire would likely approve of, in my perked-up state I ask four questions:
• Who benefits from the story?
• Why should we care?
• If we do care, what do we do about it?
• What else should we be thinking about?
First, let's start with the question of who benefits. As mentioned above, Ed Bott incited the most recent round of Mac malware stories. No doubt, the increased page-views for his recent columns and attention from readers benefits him and his publisher. But speaking as a fellow writer and geek, his motives clearly flow from a desire to alert consumers and enterprises about a trend he feels is important to discuss, and not from a desire to make news for its own sake.
The second beneficiaries of Mac scareware stories are the incumbent security vendors that sell anti-virus products. These companies are predisposed to predicting things that validate their business models. As early as 2005, companies ranging from Symantec, McAfee and Trend Micro to Kaspersky and Sophos have all erroneously predicted the rise of Mac malware. Conveniently, these firms also sell subscription medicine that makes these future ailments go away. John Gruber, author of the popular Mac-centric blog Daring Fireball, assembled some of the choicest predictions in a post called "Wolf!", which I recommend you read as entertainment. The security firms may yet be proved right, but to date they have been flat wrong - wrong enough to be called scaremongers. (Which I did, in print, five years ago.)
An important - but unstated - beneficiary of this latest apocalyptic Mac prediction is a cadre of IT professionals who seem to derive a perverse pleasure from the prospect of seeing Mac customers deal with the same daily security annoyances they have been putting up with for years. The Germans have a word for this, schadenfreude, which means "taking delight in the suffering of others." Note to readers: whenever you see or hear an author voicing contempt for customers by calling them arrogant, smug, complacent, oblivious, shiny-shiny obsessed members of a cabal, "living in a false paradise," or "fanboys" (with or without the i-for-y substitution), take a whiff of the air nearby. You'll sniff the sickly sweet smell of schadenfreude wafting in from the general vicinity of the speaker. The condescension doesn't persuade customers to take security any more seriously, but it probably makes the speaker feel better, right?
Now that we've established who benefits from Mac malware predictions - security companies and a certain type of IT professional - the second question is, do we care about the prediction that "serious" malware is coming to Macs? Only a little. It is true that Macs aren't dusted with some sort of magic unicorn Unix-y pixie powder that makes them less vulnerable to security flaws than Windows. But it is equally true that the Mac remains a less risky platform than Windows because of the fewer strains of malware written for OS X. By "fewer" I mean 99% fewer: a hundred malware samples versus 50 million. The Mac also has a much less evolved malware supply chain. By "less evolved" I mean "nonexistent," this one example notwithstanding.
The business of malware, in the Windows world, is a lot like the fast food industry, with results almost as toxic. Crime syndicates sell dozens of exploit kits, readily available for purchase or rental on underground forums. It's a super-sized supply chain operation with raw materials manufacturers (who turn exploits into weapons), assemblers (who make the exploit kits), distributors (forums), franchisees (who run botnets) and customers (victims).
It has taken the Windows malware supply chain twenty years to evolve to its current level of stratification and sophistication. It stands to reason that supply chain won't be replicated overnight for the Mac. Charlie Miller, a noted security researcher with serious OS X and iOS creds, calls the Mac "safer, but less secure... Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town." Could that change? Yes, although crime syndicates have a larger "addressable market" in at least one mobile operating system, and are much more likely to seek to replicate their business models there first. (More on that in a minute.) In the meantime, the Mac was a relatively low-risk computing platform last month, and will continue to be one next month, too.
Third, let's assume we do care about this, perhaps a bit more than previous predictions of Mac malware epidemics. What do we do about it? As with malware on Windows, remedies include both technical fixes and policy recommendations. If you are a home or small business Mac customer, you should take sensible technical precautions. For example, you should reduce the likelihood that the most popular target for attackers - the browser - will be compromised, by turning off default settings that OS X foolishly ships with. Switch off the Java plugin and turn off the setting that causes Safari to open "safe" files after downloading, such as less-safe-than-they-used-to-be PDF files. Use a Flash blocker such as ClickToFlash to prevent another potential point of compromise. Turn on your Mac's application firewall. If you are highly security-conscious, you may also want to encrypt your home directory using FileVault, protect access to your computer's firmware with a password, use a password wallet such as 1Password, or consider using an outbound firewall such as Little Snitch. Whether you feel you need a Mac anti-virus program is a judgment call; personally, I feel that it is still overkill. If you work in a large enterprise that uses Apple Remote Desktop or a cross-platform desktop management tool, your admins can implement these technical precautions in an automated way.
From the policy perspective, this current round of Mac malware predictions gives employers a good excuse to reinforce existing policies about social engineering and fake-antivirus scams. Bott's recent posts describe how many Mac customers apparently fell for the fake anti-virus scam that led them to unwittingly download the Mac Defender Trojan horse. Fake AV is not a uniquely Mac problem; just the other day, for example, a family member using a Windows laptop nearly fell for a similar scam. And in 2006, a Harvard study called "Why Phishing Works" showed that the best phishing websites fooled 90% of participants. Both of these examples show that susceptibility to trickery is a platform-independent problem.
Companies should take the opportunity to train and test employees about spotting scams wherever they are encountered: on Windows, on a Mac, or on a mobile device. They should also reiterate and enforce policies about how software is officially distributed and installed for each platform IT supports, such as through an in-house software distribution service or an online app store.
Lastly, as we consider what the current debate about Mac security means, we need to ask: what else are we missing that we should be thinking about? Let's assume for sake of argument that the Mac security landscape is a little more dangerous today than it was yesterday. Let's assume also that this discussion gives consumers and corporate security teams the excuse they need to reinforce existing controls and policies. So, what's next? Here are the two things I am thinking about:
The desktop Mac OS might not be as attractive to attackers as you might think.
Security researcher (and friend) Adam O'Donnell released an influential presentation in 2008 that used game theory to predict that malware on Macs would increase dramatically once Apple's PC market share reached 5-10%. Essentially, he argued that the larger desktop OS share would provide a critical mass of targets for attackers to exploit. Ed Bott cites this study as an explanation for the malware wave he is predicting. Adam's presentation makes a good point, but it didn't consider the Mac in the context of the larger computing market. By focusing on PC operating systems only, he excludes from the analysis the largest growing segment of computing: Post-PC devices such as smartphones and tablets. According to Apple, the Mac installed base is approximately 50 million users. But according to Gartner, the number of Android handsets sold in 2010 alone exceeded 67 million units, giving it an installed base that is larger, and growing much faster, than the Mac base. If large numbers of eyeballs is indeed the lure that causes criminals to write malware for a given operating system, surely Android is a more tempting target than Mac OS. Judging from the recent stories about Android malware such as DroidDream, it appears that attackers agree.
Over time, the Mac App Store will increase customer security.
I predict that the increase in perceived risks to Mac customers will give Apple the excuse it needs to increase its control over the Mac software ecosystem, by moving ISVs to the Mac App Store. It is no accident that the theme of the upcoming Lion desktop operating system is "Back to the Mac": taking concepts that Apple employed successfully with the mobile version of OS X (iOS) and back-porting them to the desktop OS. One of those features is the introduction of the Mac App Store, an Apple-controlled storefront for selling and distributing applications. As with the iPhone/iPad App Store, Apple screens and signs all apps sold through the Mac App Store. This provides buyers some assurance that their apps are from known points of origin and that they don't contain malware, such as the Mac Defender Trojan horse. I predict that once the two 500 pound gorilla ISVs - Microsoft and Adobe - distribute apps through the Mac App Store, Apple will announce that this will be the only mainstream way to install applications on Macs. Apple will do this because the Mac App Store makes it easier to discover and buy applications, and because it makes them money. But as a side effect, cutting down the number of ways that foreign code can be installed should, over time, vastly reduce the (already low) risk Mac customers face from malware.
Neither of these two considerations will change the relative levels of risk Mac customers face in the near term. Although the Mac Defender Trojan horse gives customers more things to worry about, the Mac remains the safest mainstream desktop operating system, albeit one that is increasing in importance relative to Windows but declining in importance relative to Android and iOS. It's no time to be complacent (there's that word again), but also: no need to panic. The one thing we can predict with absolute assurance is that Mac malware stories will keep making the rounds, and that I'll have plenty to write about in the years ahead.
- Is Google’s Chromebook The Death Knell For Antivirus? (May 12, 2011)
By Andy Greenberg
Forbes
May 12, 2011
The antivirus industry likely let out a collective groan when Google first made a familiar-sounding boast Wednesday: that the just-launched laptops it’s calling Chromebooks have “security built-in so there is no anti-virus software to buy and maintain.” Similar claims from Apple (that its computers are safe “right out of the box”) or from Oracle (that its machines are “unbreakable”) have only been invitations to the security industry to prove otherwise. But this time is different: Google may have built something so simple that it renders security add-ons–and the industry that sells them–irrelevant.
Chromebooks are built to run nothing but a browser–unless they’re jailbroken, no executable files can be installed, neither antivirus software, nor the malicious software it’s meant to protect against. And if that web-only strategy catches on–still a big if, admittedly–it could spell real trouble for the antivirus companies like McAfee, Symantec, Kaspersky and Trend Micro.
Charlie Miller, a researcher for Independent Security Evaluators who has made a career out of disproving Apple’s security claims, has owned a Chromebook since February, when the machines were sent as freebies to winners of the Pwn2Own hacking competition in Vancouver. He hasn’t dug deeply into the device’s security, but he says the Web-only security model works in theory. While a hacker might exploit bugs in the Chrome browser to run code on a user’s machine, that exploit would only allow the attacker access for a single session, and would disappear the moment the browser closed. “The way you stay persistent [as a hacker] is by installing software,” says Miller. “This is designed not to allow any persistence. You turn it off and on and you’re good to go.”
That means the antivirus industry faces a new kind of PC more similar to the iPhone than a netbook, argues Perimeter E-Security chief technology officer Andrew Jaquith: a limited device with security inherent in its restrictions. When Jaquith was still an analyst for Forrester Research last August, he wrote a widely-read post arguing the folly of Intel’s McAfee acquisition. One point in that argument was that McAfee is less relevant than ever before, as the burden for security in post-PC devices like tablets and smartphones shifts to the vendor–Apple, Google or RIM–instead of the security industry.
The Chromebook contributes to that larger post-PC problem for McAfee and its ilk, Jaquith argues. He points to data from Gartner Research that predicts sales of 1.4 billion post-PC devices (a category that he construes as including the Chromebook) by 2015 compared with 540 million traditional PCs. “Very few of these will need AV. That’s terrible news for security vendors because three-quarters of the market for their traditional products is about to go away,” says Jaquith. “That’s what happens when you build security in, instead of relying on the market to bolt it on. It’s great for customers, and terrible for the security aftermarket.”
When I asked McAfee chief executive David DeWalt about the problem that the security industry faces with regard to restricted devices like smartphones last month, he pointed out that McAfee has an opportunity to help businesses integrate those post-PC devices securely and that McAfee’s mobile software can help consumers track lost phones and back up their data, as well as protect them from malware. He also pointed to a string of rogue apps that recently appeared in Google’s Android market as evidence of the need for post-PC security.
But integrating Chromebooks into an organization is easy enough–they don’t store any data locally, so they pose little data breach risk. Tracking lost phones and performing backups is hardly enough to sustain antivirus operations like McAfee and Symantec. And in that Android outbreak, Google flipped its remote kill switch, remotely wiping the offending apps without any security company’s intervention–hardly a demonstration of McAfee’s relevance in mobile.
The Chromebook is locked down even tighter than Android, and reduces antivirus’s from slim to near-zero. The ultra-simple devices may catch on, or not. But either way, they’re a reminder that the PC world is facing an incursion by post-PC devices, and that those devices will be post-antivirus, too.
- New Mobile Threats A Certainty, But Origin Of Threats Less Certain (May 9, 2011)
New Mobile Threats A Certainty, But Origin Of Threats Less Certain
By Aaron Passman
Credit Union Journal
May 9, 2011
MILFORD, Conn. - As mobile devices gradually eclipse desktops when it comes to members connecting with their financial data, experts agree that new and different kinds of security threats will arise. But they disagree on where those threats originate.
Andrew Jaquith, chief technology officer for Perimeter E-Security, notes that while PCs have a high likelihood of compromise due to malware and viruses, human error may be the biggest threat to a mobile device.
During a recent webinar on the issue of security, Jaquith and others suggested that loss and theft contribute as significant a security risk as any to mobile banking. But, he said, the development of remote wipe technology - which uses e-mail to issue a "kill command" erasing all sensitive content - will help mitigate risk when a device is lost.
Outside threats are still worthy of concern with mobile devices, continued Jaquith, but smartphones and tablets have their own built-in safety enhancements, and anyone attempting to hack into them would need to get around multiple levels of encryption, including password protections. Relatively simple tools - such as six-character alphanumeric passwords (or eight-digit numeric passwords) - are more secure than shorter, simpler PINs, and automatic lockout features can be enabled if an inaccurate code is entered too many times. Six- or eight-character passcodes, said Jaquith, give would-be hackers approximately a one-in-1,000 chance of gaining entry into the device.
Remote Wipe Is Just the Beginning
Similarly, Khoi Nguyen, group product manager for mobile management and security products at Symantec, noted that technology such as remote wipe is "just the beginning," and that security for mobile devices is changing as quickly as the devices themselves. Nguyen posited the possibility that financial institutions could issue tablets to front office staff, allowing employees to move more freely about the branch, allowing staff to provide help without teller lines.
Many interviewed for these stories noted that one of the best ways to spur member adoption of mobile banking technology is for CU staff to use it and push members to do the same. But Perimeter's Jaquith suggested that there must be a trade-off between employee access to such devices - both for personal and professional use.
"The deal is that employees can connect their own devices to the security network if the device they bring in supports your data encryption and employees accept that you have a responsibility to protect your data on those devices," he said.
As mobile banking gradually evolves into an entire mobile wallet, Symantec's Nguyen noted that security enhancements at both the application and device level will help keep consumers safe, yet he also cautioned that "there are always gaps between design and implementation. An app may be designed to be very secure, but there are always flaws in the implementation that require updates to the app and the operating system, so we also recommend to customers and users that they're always up to date on these patches."
- RSA, Epsilon Breaches Show Fraud Trends Pointing to Online and Mobile Channels (April 27, 2011)
RSA, Epsilon Breaches Show Fraud Trends Pointing to Online and Mobile Channels
Recent Attacks Include Massive Email Theft, Hacking of Widely Used Two-Factor Authentication System
By Natasha Chilingerian
Credit Union Times
April 27, 2011
Fraud is inevitable for financial institutions, even when diligent precautions are taken. As Kelly Dowell, executive director of the Credit Union Information Security Professionals Association, puts it, "Even with all prevention mechanisms, accidents still happen."
Recent accidents include an attack on security giant RSA, which involved a possible compromise of its two-factor authentication system used by millions of end users, including credit union members, and a security breach at marketing firm Epsilon, in which millions of client customer names and email addresses were stolen.
Some credit unions have even been the direct targets of fraudsters. In January, a security breach at the $15 billion Pentagon Federal Credit Union may have put its members at risk of identity theft, and in May 2010, the $889 million Los Angeles Fireman's Credit Union announced that private member information may have been compromised.
While security experts say fraudsters' techniques change as banking technology evolves, their end goal has always been the same: steal funds by getting a mass quantity of sensitive customer information such as account numbers. "As far as trends are concerned, whatever they are, the result is money leaving your account," Dowell said.
The newest trends include the use of social media websites and mobile banking channels to commit fraud, said Andrew Jaquith, chief technology officer for Connecticut-based information security vendor Perimeter E-Security. Jaquith said credit union employees can put themselves at risk by exposing private information on social networking sites, and fraudsters can potentially access sensitive data that's stored on mobile devices used for banking.
Dowell agrees that the Web is the hottest avenue used for attacks, stating that most fraud happens online, whether through a computer or mobile device. But he said he's seen few changes in attack methods in recent years, noting that the Epsilon breach is "more of the same."
"The trends are with corporate account hacking, manipulation of online banking and phishing," Dowell said. "The attack vectors are not really changing."
Online fraud trends aside, today's two most prominent breaching methods used against credit unions have been around for a long time, Jaquith said. These are tricking credit union employees into revealing sensitive information and directly obtaining the information by hacking into a credit union's website. "They're either going to infect the employee, or go to the front door and rattle the locks," he said.
Jaquith said fraudsters commonly send employees emails in an attempt to trick them into giving out financial account information. Once the employee clicks on a seemingly safe link in the email, his or her PC can become infected. In fact, Jaquith said one in 10 of Perimeter E-Security's banking clients report a monthly in-house infection. Sometimes, employees put sensitive information at risk without coercion from criminals. Dowell said he recently learned a bank employee knowingly sent out a customer's loan application user name and password in the text of an email.
Dowell said fraudsters target bank customers and credit union members more often than banks and credit unions themselves, typically by way of malware. "The common channel is exploiting the end-user from their home PC," he said.
Credit unions face many of the same security breach threats as banks do, but Jaquith noted that CUs may have more to worry about given their smaller average size.
"Credit unions have smaller staffs, so their capabilities aren't as advanced," he said. "They're disproportionately vulnerable to attacks. It comes down to being a small organization with limited resources, staff and time."
Jason Milletary, the technical director for malware analysis at information security provider Dell SecureWorks, said the two most threatening programs used to target credit unions are ZeuS Trojan, which hackers employed in a theft of about $70 million from businesses' bank accounts in 2010, and SpyEye, an attack kit that aims to obtain personal information such as credit card numbers from victims' computers. Milletary said criminals use these programs to "target credit unions through their members."
While some breaches may be unavoidable, security experts say there is plenty credit unions can do to combat fraud. Jaquith said to avoid hacks due to action taken by employees, credit unions should use Web content filters on their workplace PCs to reduce exposure to dangerous websites. He added that if a breach can't be prevented, credit unions should develop a plan to detect and eliminate infections as quickly as possible.
To prevent direct website hacks, Jaquith recommends credit unions utilize an SQL injection as a tool for exploiting security vulnerabilities and ensure that their websites are protected from the Open Web Application Security Project's Top 10 web application weaknesses.
Mobile banking security breaches can be avoided by never allowing sensitive data to be stored on the mobile devices, and social media will pose less of a threat if credit unions educate their employees about exercising privacy.
Dowell preaches education and diligence when it comes to fraud prevention. "Credit unions need to educate their employees about what types of fraud incidents are occurring and how to handle them if they occur," he said.
Milletary stressed the importance of forming partnerships with other credit unions to share information about fraud incidents and help one another handle the threats of malicious activity. He also recommended being aware of breaches that occur at other companies. "It's important to understand that breaches outside your network can affect your security," he said.
Dell SecureWorks offers a list of tips to clients that comprise the firm's recommended "layered approach to security." Build firewalls around your network and Web applications, implement an intrusion prevention system (IPS) or intrusion detection system (IDS) as well as a host intrusion prevention system, utilize vulnerability scanning, implement 24/7 log monitoring and Web application and network scanning, use human intelligence to combat the latest threats and employ encrypted email.
The security services provider also suggests how to keep mobile banking devices from becoming an avenue for fraud. These tips include physically securing devices by way of disk encryption, using a VPN when connecting to the Internet via a mobile banking application, solving patching problems by having a single company maintain its software and requiring certificates to stave off fraudulent emails.
Jaquith concluded that the best way for credit unions to handle the security challenges posed by their small size is to place their security in the hands of a trusted third-party vendor. "My advice is that they work with a specialist firm that can take care of all that," he said.
The newest trends include the use of social media websites and mobile banking channels to commit fraud, said Andrew Jaquith, chief technology officer for Connecticut-based information security vendor Perimeter E-Security. Jaquith said credit union employees can put themselves at risk by exposing private information on social networking sites, and fraudsters can potentially access sensitive data that's stored on mobile devices used for banking.
Dowell agrees that the Web is the hottest avenue used for attacks, stating that most fraud happens online, whether through a computer or mobile device. But he said he's seen few changes in attack methods in recent years, noting that the Epsilon breach is "more of the same."
"The trends are with corporate account hacking, manipulation of online banking and phishing," Dowell said. "The attack vectors are not really changing."
Online fraud trends aside, today's two most prominent breaching methods used against credit unions have been around for a long time, Jaquith said. These are tricking credit union employees to reveal sensitive information and directly obtaining the information by hacking into a credit union's website. "They're either going to infect the employee, or go to the front door and rattle the locks," he said.
Jaquith said fraudsters commonly send employees emails in an attempt to trick them into giving out financial account information. Once the employee clicks on a seemingly safe link in the email, his or her PC can become infected. In fact, Jaquith said one in 10 of Perimeter E-Security's banking clients report a monthly in-house infection. Sometimes, employees put sensitive information at risk without coercion from criminals. Dowell said he recently learned a bank employee knowingly sent out a customer's loan application user name and password in the text of an email.
Dowell said fraudsters target bank customers and credit union members more often than banks and credit unions themselves, typically by way of malware. "The common channel is exploiting the end-user from their home PC," he said.
Credit unions face many of the same security breach threats as banks do, but Jaquith noted that CUs may have more to worry about given their smaller average size.
"Credit unions have smaller staffs, so their capabilities aren't as advanced," he said. "They're disproportionately vulnerable to attacks. It comes down to being a small organization with limited resources, staff and time."
Jason Milletary, the technical director for malware analysis at information security provider Dell SecureWorks, said the two most threatening programs used to target credit unions are ZeuS Trojan, which hackers employed in a theft of about $70 million from business' bank accounts in 2010, and SpyEye, an attack kit that aims to obtain personal information such as credit card numbers from victims' computers. Milletary said criminals use these programs to "target credit unions through their members."
While some breaches may be unavoidable, security experts say there is plenty credit unions can do to combat fraud. Jaquith said to avoid hacks due to action taken by employees, credit unions should use Web content filters on their workplace PCs to reduce exposure to dangerous websites. He added that if a breach can't be prevented, credit unions should develop a plan to detect and eliminate infections as quickly as possible.
To prevent direct website hacks, Jaquith recommends credit unions utilize an SQL injection as a tool for exploiting security vulnerabilities and ensure that their websites are protected from the Open Web Application Security Project's Top 10 web application weaknesses.
Mobile banking security breaches can be avoided by never allowing sensitive data to be stored on the mobile devices, and social media will pose less of a threat if credit unions educate their employees about exercising privacy.
Dowell preaches education and diligence when it comes to fraud prevention. "Credit unions need to educate their employees about what types of fraud incidents are occurring and how to handle them if they occur," he said.
Milletary stressed the importance of forming partnerships with other credit unions to share information about fraud incidents and help one another handle the threats of malicious activity. He also recommended being aware of breaches that occur at other companies. "It's important to understand that breaches outside your network can affect your security," he said.
Dell SecureWorks offers a list of tips to clients that comprise the firm's recommended "layered approach to security." Build firewalls around your network and Web applications, implement an IPS/IDS (intrusion prevention system or intrusion detection system) as well as a host IPS (intrusion prevention system), utilize vulnerability scanning, implement 24/7 log monitoring and Web application and network scanning, use human intelligence to combat the latest threats and employ encrypted email.
The security services provider also suggests how to keep mobile banking devices from becoming an avenue for fraud. These tips include physically securing devices by way of disk encryption, using a VPN when connecting to the Internet via a mobile banking application, solving patching problems by having a single company maintain its software and requiring certificates to stave off fraudulent emails.
Jaquith concluded that the best way for credit unions to handle the security challenges posed by their small size is to place their security in the hands of a trusted third-party vendor. "My advice is that they work with a specialist firm that can take care of all that," he said.
- Malicious programmers targeting smartphones and tablets (April 25, 2011)
Malicious programmers targeting smartphones and tablets
By Brandon Bailey
04/25/2011 05:11:57 AM PDT
San Jose Mercury News
Malicious programmers are always looking for new targets.
While smartphones and tablets replace PCs as the gadgets we use for messaging, Web surfing and even doing business, some shady characters are starting to target these devices with new forms of viruses, Trojans and spyware.
Researchers at several security software companies say that in recent months they've identified a handful of malicious programs hidden in seemingly innocuous apps, including games and video players, that could make Android phones send information and receive commands without the owners' knowledge.
In some cases the purpose was unclear. But one app used a phone's locating software to transmit the owners' whereabouts without permission. Another was designed to quietly send repeated text messages, while charging hefty fees to the owner's wireless account.
The number of threats is tiny compared with the vast array of malware targeting PCs. And at this stage, some experts say it's more important for smartphone users to follow common-sense precautions than to purchase one of the commercial antivirus products now offered for mobile devices. But even though the most popular smartphone operating systems may be less vulnerable than PCs, experts say the growing popularity of mobile gadgets means malicious coders will inevitably target them more often in the future.
"There hasn't been an example of malware affecting thousands or millions of devices yet, but that doesn't mean it's not possible or it won't happen," said analyst Chris Hazelton, who tracks mobile technology for the 451 Group, a tech research firm.
"We don't want to be the scaremongers," added Lyle Frink, a spokesman for security software company Avast. "But the development curve for these things is accelerating."
Researchers at another security company, McAfee, say the bulk of the smartphone malware they detected last year was written to target the Symbian operating software used by Nokia, long an international leader in the smartphone industry. But they and other experts have noted an uptick in malicious applications written for Google's (GOOG) Android, which late last year overtook Symbian as the most popular smartphone operating system, according to Canalys, a tech research firm.
"There's a growing installed base of Android users. And it's a very open platform -- you can do a lot of good things with it, but if you want, you can also be more nefarious," said Mark Kanok, a spokesman for security software maker Symantec.
Historically, smartphones have used a variety of operating systems. And since a virus written for one platform wouldn't necessarily work on another, the pool of potential targets for any particular virus was small. Also, operating systems and mobile Web browsers have technical features that make it difficult to transfer files or data onto a device without the user's permission.
"They're much more locked down," said Andrew Jaquith, a former mobile industry analyst who is now chief technology officer at Perimeter E-Security.
But as smartphones become ubiquitous, the Android platform has become a prominent target. And experts say another reason they're seeing more Android malware is because Google, seeking to encourage independent developers, makes it relatively easy for anyone to offer an app through the official Android Market.
While Apple (AAPL) is known for closely screening every program offered through its App Store, analysts say Google does virtually no pre-testing or screening of apps in the Android Market. And Android apps can be downloaded from a variety of other sites, which increases the opportunity for bad guys to create a seemingly harmless app that contains malicious code, and then distribute it to an unwitting pool of Android device users.
A Google spokesman declined to comment on the issue of pre-screening apps, but the company said in a statement that it takes security very seriously and has numerous safeguards.
Android's design includes a "sandboxing" feature that prevents individual applications from reading or changing information in other applications or the underlying operating system, without first getting permission. That's why users who download an Android app typically get a message asking permission to access other services or software on the device.
Experts say smartphone users should not agree to anything that seems suspicious, although less savvy users may not understand what they're allowing.
The Android Market also displays user ratings and reviews, and Google encourages users to consider those before downloading any app. When the company has learned of a problem, it has yanked apps from the Android Market. And twice in the last year, Google has used its ability to remotely remove certain apps from any device that had downloaded them, under the "terms of service" that Android Market users agree to accept.
In the most recent incident, Google disclosed last month that it had remotely killed several malicious apps that were transmitting information about the host device and its location. The company also used its ability to automatically install a security update on the affected devices to prevent further unauthorized transmissions.
"We are adding a number of measures" that would prevent similar apps from being distributed in the future, the company said in a blog post.
While crediting Google with reacting quickly, Hazelton noted that Google only learned of the malware from an independent developer after it had been downloaded an estimated 250,000 times. And as more users download more kinds of apps from a variety of sources, he said there's an increasing risk of malware getting past the security safeguards.
"We're seeing these things come almost in development cycles, where people are putting out different versions, testing their capabilities and incorporating new methodologies," added Symantec's Kanok.
Symantec, McAfee and several other software companies sell products that combine mobile antivirus software with features that allow consumers to back up their data, locate a missing phone and lock or "wipe" personal data if the device gets lost or stolen. Experts say these can be useful, but several said the most important thing owners can do is lock their device with a password.
While not every smartphone user currently needs antivirus software, Hazelton said the need likely will increase as banks and financial institutions offer more apps and online services for mobile devices.
"It comes down to each user and what they do with that device," he added.
- Q&A: Andrew Jaquith of Perimeter E-Security Discusses Epsilon Breach (April 21, 2011)
Q&A: Andrew Jaquith of Perimeter E-Security Discusses Epsilon Breach
By Liam Eagle
Web Host Industry Review
April 21, 2011
A few weeks ago, the database of online marketing firm Epsilon (www.epsilon.com) suffered a breach that exposed the names and email addresses of thousands of retail customers.
The attack was considered particularly disconcerting by some because it could potentially lead to "spear phishing" attacks, focused-phishing efforts in which hackers target email addresses associated with a specific individual or organization.
When Perimeter E-Security (www.perimeterusa.com) CTO Andrew Jaquith (http://perimeterusa.com/blog) learned about the attack from an email he received from McKinsey Quarterly, he made two observations: first, that the incident was a huge embarrassment for Epsilon; and second, the attack will be of no consequence to the majority of the people affected.
In an email interview with the WHIR, Jaquith discussed the Epsilon email breach, the common nature of spear phishing, and how this attack should really serve as more of a cautionary tale for companies to increase their security measures.
WHIR: You've suggested that the Epsilon email breach might not be as serious as people are making it out to be. Can you explain that in a bit of detail?
Andrew Jaquith: There isn't any more information that's out there that these bad guys didn't have yesterday. All that were disclosed were email addresses, first and last names. If you do business on the Internet or are subscribed to newsletters, your email address is being sought and sold already. It's not a mystery. The bad guys don't have much more information than what they have had.
WHIR: The thing that people seem to be focusing on is that because there is some personal or company info connected to the email addresses, there's a threat of really targeted "spear phishing" attacks. Do you think there's an uncommon threat here?
AJ: No, it's pretty common. If you look at the people who were receiving the Nigerian 419 money scam for years, oftentimes, they're getting it because research has already been done about them before. If you look at that scam, you think this isn't really plausible and would delete the email. These targeted emails have been happening for years. If you're gullible to it before, you'll be gullible again.
WHIR: Would you say that the seriousness of this attack then has to do more with the volume of data (email addresses) exposed, rather than the sensitivity of the data?
AJ: The reason this has become a story is because of the brands involved and in this case, many were top-shelf brands. Because so many of these companies are doing business with people every day, it obviously hits close to home. Representative Mary Bono Mack, who brought us the Mickey Mouse copyright law, is threatening to convene congressional hearings about this. It suggests that this is an overreaction. Maybe she buys a lot of Hollywood movies from Best Buy and has gotten an email from them.
WHIR: Does the take-away from this event have less to do with preparing for an impending attack, and more to do with treating it as a warning that maybe you're not doing enough to secure your customers' information?
AJ: I think it's just more of a warning. The information wasn't particularly sensitive, but it's just a sign that although the information wasn't sensitive, you can still run an insecure network or have employees who are easily tricked by suspicious links or attachments.
WHIR: Do you have any insight into the nature of this Epsilon breach? What kind of security measures can service providers take to ensure they don't face the same exposure, or a similar problem?
AJ: If the report is true and these phishing emails were sent out to email operating teams - which the report implies - the take-away message here is that your IT operations team that's responsible for processing large volumes of customer information, sensitive or not, needs to be extra careful. If data thieves want large quantities of customer information, whether it's email addresses or credit card numbers, they want it in bulk. And they're looking for the weakest link. Sometimes that weak link is a website because you haven't hardened your web applications. Could be someone who trusts strangers when they shouldn't. Regardless, this is an opportunity to think carefully about your security policies and procedures.
- Epsilon Breach Probe Under Way; Credit Unions Warn Against Phishing (April 8, 2011)

Epsilon Breach Probe Under Way; Credit Unions Warn Against Phishing
Credit Union Times
By Natasha Chilingerian
April 8, 2011
Epsilon is working with federal authorities and outside forensics experts to investigate the marketing firm's recent e-mail address security breach, Epsilon parent company Alliance Data Systems Corp. said in a statement this week.
Approximately 2 percent of Epsilon's clients were affected by last week's breach, which involved an unauthorized entry into its e-mail system and the compromising of millions of clients' customer names and e-mail addresses, Alliance Data said.
Epsilon manages customer e-mail databases for more than 2,500 clients including large financial institutions and retailers.
Alliance Data confirms that based on "rigorous internal and external reviews," the compromised data is strictly limited to customer names and e-mail addresses. Since the breach, access to Epsilon's e-mail system has been restricted further and its security protocols have been under review, the statement read.
"While we can't reverse what has already happened, we are taking every measure necessary to protect our clients and their most valuable assets - their customers," Alliance Data CEO Ed Heffernan said in the statement. "Once detected, we took immediate action to implement additional safeguards and launched a full investigation. We will leave no stone unturned and are dealing with this malicious act by highly sophisticated cyber-thieves with the greatest sense of urgency."
Alliance Data also said the company's biggest concern following the breach is a potential client loss. Epsilon's e-mail marketing campaigns have resumed and e-mail volumes are not expected to be significantly impacted, the company said.
While credit unions are not amongst the reported Epsilon clients affected by the breach, several CUs are warning their members against phishing scams in response to the incident.
Credit unions including the $1.9 billion HarborOne CU of Brockton, Mass., the $551 million Y-12 Federal CU of Oak Ridge, Tenn., the $729 million TwinStar CU of Olympia, Wash., and the $434 million iQ CU in Vancouver, Wash., posted messages on their websites stating that while they have no affiliation with Epsilon, members who have opted-in to an Epsilon client e-mail marketing list could be at risk of e-mail phishing scams.
Andrew Jaquith, CTO for Connecticut-based information security vendor Perimeter E-Security, said since customer names and e-mail addresses were the only data compromised, the incident's impact on Epsilon clients and their customers will be minor.
But he says the breach is "embarrassing" for Epsilon and indicates flaws in the company's security.
"The fact that the attackers could obtain such a vast quantity of information means that they compromised Epsilon's security to get it," Jaquith said.
- Andrew Jaquith, CTO of Perimeter E-Security, will be presenting "What The Post-PC Era Means for Enterprise Security" at the 2011 SOURCE Security Conference In Boston. (April 5, 2011)

Andrew Jaquith, CTO of Perimeter E-Security, will be presenting "What The Post-PC Era Means for Enterprise Security" at the 2011 SOURCE Security Conference In Boston.
Session Abstract: By the end of 2012, the number of smartphones and tablets sold will eclipse PCs globally, dramatically shifting the center of the computing universe to the mobile sphere. These new Post-PC devices resemble PCs, but the security concerns are very different.
In this presentation, Perimeter E-Security CTO (and former Forrester and Yankee Group Analyst) Andrew Jaquith describes key enterprise mobility adoption trends and what it means. He outlines four landmines that enterprises must avoid, and recommends five mobile security services IT staffs must provide to their employees and customers today.
Session Title: What The Post-PC Era Means for Enterprise Security
Scheduled Date/Time: Wednesday, April 20, 2011 at 1:30 PM
Session Length: 50 minutes
Andrew Jaquith
Chief Technology Officer
Andrew Jaquith brings 20 years of IT and information security experience to Perimeter, most recently as a senior analyst with Forrester Research. At Forrester, Andrew led team coverage for data, endpoint and mobile security topics. In his time at Forrester, he wrote 20 popular reports on data leak prevention, encryption, endpoint security, mobile security and vendor M&A. Notable recent reports include "Security in the Post-PC Era," "Apple's iPhone and iPad: Secure Enough for Business?" and "The Forrester Wave: Data Leak Prevention Suites." Andrew consulted with and assisted 300 enterprise and vendor customers annually with vendor selection, compliance, strategy and effective practices.
Prior to joining Forrester, he was program manager in Yankee Group's enabling technologies enterprise group, with coverage of client security, digital identity, and web application security. Before joining Yankee Group, he co-founded @stake, a security consulting pioneer, which Symantec acquired in 2004. Before @stake, he held project manager and business analyst positions at Cambridge Technology Partners and FedEx.
Andrew's security research has been featured in publications such as CIO, CSO, and the IEEE Journal of Security & Privacy. In addition, he is the co-developer of the Apache JSPWiki open source wiki software package, and the author of the 2007 Addison-Wesley Professional book "Security Metrics: Replacing Fear, Uncertainty and Doubt." The book has sold more than 10,000 copies and has been praised by reviewers as "one of the best written security books ever."
- Is Epsilon Breach Really All That Bad? (April 5, 2011)
Is Epsilon Breach Really All That Bad?
Posted by Lora Bentley
IT Business Edge
Apr 5, 2011 12:57:06 PM
We first heard about the data breach at Epsilon over the weekend, when the company posted a brief notice on its website, which said, in part:
On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only.
Though the company has not offered an official list of clients whose customer data was compromised, Security Week and other publications have been maintaining an updated list. It currently boasts 36 companies, including Kroger, Target, Walgreens, Citi, JPMorgan Chase and 1-800-flowers.com. The breach impacted only 2 percent of Epsilon's total clients, the company said.
In an email, Epsilon spokesperson Jessica Simon noted the company could not discuss which clients were impacted and which were not, or how many email addresses were potentially compromised. She also reiterated that only customer names and email addresses were exposed; passwords and account numbers are not at risk.
"We are conducting a full investigation and working closely with authorities," Simon told me.
Given the dearth of information provided by Epsilon, security experts are popping up left and right to speculate as to how the hackers got in, as well as what the breach might mean to those of us whose information was exposed. Not surprisingly, opinions run the gamut. Dr. Hongwen Zhang, CEO of Wedge Networks said in a statement:
With most of humanity using the Internet for communication and decision making, potential damage from this breach is enormous ... There are already many examples of large-scale phishing attacks with the messages tailored to each individual. ...
On the other end of the spectrum, however, sits Perimeter E-Security CTO, Andrew Jaquith. In a blog post, Jaquith wrote:
[S]pam happens. Just make sure that your employees and colleagues don't blindly click on attachments they shouldn't, or blindly click on links embedded in email. Take this incident as an opportunity to reinforce your security policies. But don't worry too much.
He calls the hack "very small beer." I think he's right.
- Epsilon Breach Not Too Worrisome, According to Security Experts (April 5, 2011)
Epsilon Breach Not Too Worrisome, According to Security Experts
Still, People Continue to Worry
Chris Crum
WebProNews
April 5, 2011
The messages continue to flood inboxes, as a result of the Epsilon security breach, which put consumers' email addresses into the hands of...someone.
I've seen my share of messages from the companies that used Epsilon, warning me of the breach, but I can't say that I've noticed an increase in spam so far. I'm getting more emails from these companies themselves.
The reported list of companies that use Epsilon seems to keep growing. There are reportedly over 2,500 of them. The list includes: US Bank, Capital One, JPMorgan Chase, Citigroup, Best Buy, Kroger, TiVo, Walgreen's, Target, Disney, Robert Half, Brookstone, Home Shopping Network, McKinsey & Company, etc.
Perimeter E-Security CTO, Andrew Jaquith said he received an email from McKinsey Quarterly notifying him of the attack and made a couple quick observations - first, this is embarrassing for Epsilon and second, the attack will be of no consequence to most people. He says that companies should take this incident as an opportunity to reinforce their security policies, but shouldn't worry too much.
Still, there are plenty of questions that remain about the incident. Daniel Ionescu at PCWorld brings up some good points in that companies should probably do a better job of letting consumers know when their email addresses are given to third-parties, and that the mystery remains around how the breach even occurred in the first place.
Epsilon itself sends about 40 billion emails per year for its clients, so it's likely that you've already been getting a ton of email thanks to the company. Now, you might get some more, as a result of the breach, and sure, it's possible that some may end up being malicious.
If you haven't been sent spam prior to this, however, you must be in the minority. Just treat it like the rest of the spam you get. Ignore it and filter it. That seems to be the message the security guys like Jaquith are sending out.
It does seem that people continue to fret about the breach, as Epsilon frequently appears as a hot search item in Google Trends.
Epsilon says it is investigating the breach.
- CUs Face Compliance Tidal Wave (March 15, 2011)
CUs Face Compliance Tidal Wave
Compliance solutions help CUs swim instead of sink.

By Patrick Totty, Credit Union Magazine
March 15, 2011
Compliance will cost U.S. financial institutions about $30 billion through 2012, driven by a “tidal wave” of regulatory changes, says Lisa Fraga, vice president of banking and credit union services at Wolters Kluwer Financial Services, citing TowerGroup statistics.
Riding the crest of this wave will be the Dodd-Frank Wall Street Reform and Consumer Protection Act regulations, many of which go into effect July 21, she says. Fortunately, help is available.
Wolters Kluwer Financial Services offers a wide range of compliance solutions, both off-the-shelf and customized. ComplianceOne, the company’s core compliance documentation and workflow solution, helps users meet reporting requirements imposed by today’s alphabet soup of agencies, statutes, and regulations.
…But even well-established software has undergone significant modifications. “In the past 12 to 18 months,” says Mark Cauley, Symitar’s director of product management…
Vendor Management Made Easier
Credit unions rely heavily on third-party providers. Dealing with vendors—in some cases, scores at a time—raises another compliance issue: Making sure you’re getting what you contracted for.
1. Staff’s extensive knowledge
2. Its own vendor management product
3. The relationship
And, of course, check references, Michelle Willits, associate manager of new alliances at CUNA Strategic Services (CSS), adds, "Ask your peers if they'd recommend a vendor."
Other CSS compliance relationships include:
Perimeter E-Security - Through its security-as-a-software platform, Perimeter offers comprehensive compliance, security, and messaging services, including hosted e-mail, encrypted e-mail, firewall management and monitoring, vulnerability scanning, and intrusion detection and prevention
Download the webinar 'Preparing for Your Next Audit: Five Habits of Successful Security Programs'
- Five Big Security Threats for 2011 (March 7, 2011)
Five Big Security Threats for 2011
We introduce you to this year's batch of security vulnerabilities to watch out for.
By Ian Paul, PCWorld Mar 9, 2011 9:00 pm
Online malicious activity was a major headache in 2010, and so far, 2011 is no different: We've seen scams and malware on Twitter, Facebook, and the Android Market, as well as a rise in politically motivated online attacks. But that's no surprise to security experts such as Graham Cluley, senior technology consultant for security firm Sophos. Cluley says that Sophos analyzes about 95,000 pieces of malware every day that is either brand-new or a variant of an older attack.
The bad guys are hard at work figuring out new ways to infect your system. The good news is that the latest antivirus programs do a better job than ever at detecting suspicious activity before it can damage your computer.
But security software can't always protect you; sometimes the best defense is a dose of common sense and a little bit of knowledge about what to watch out for. Whether it's fake antivirus scams, malware on social networks, or good old-fashioned e-mail attachments loaded with viruses, it pays to be on your toes so you don't end up becoming a victim to identity theft, a raided bank account, or even a home invasion.
So here's a look at 2011's five big security threats, and the steps you can take to avoid becoming a victim.
Threat 1: Mobile Apps
What it is: It isn't surprising that smartphones are a hot new malware target: 85 percent of adults in the United States own a mobile phone, according to a recent study by the Pew Internet and American Life Project, and the smartphone market is growing at a rapid pace.
As recently as March 1, more than 50 third-party applications on Google's official Android Market contained a Trojan called DroidDream. When you run a DroidDream application for the first time, the malware gains administrator access over your phone without your permission, according to mobile security firm Lookout. That means it could download more malicious programs to your phone without your knowledge and steal data saved on your device.
Google was able to stop the DroidDream outbreak by deleting the bad apps from the Market and remotely removing malicious apps from Android users' devices, but it's only a matter of time before the next outbreak occurs.
And malicious apps on the Android Market aren't the only way that malware authors can target phones: A recent Android malware outbreak in China spread through repackaged apps distributed on forums or through alternative app markets.
The threat of malware, coupled with other security threats (such as data leakage from a lost phone) may soon impact your ability to use personal devices at work, according to Andrew Jaquith, chief technology officer of Perimeter E-Security. Companies may begin to set some serious ground rules for putting company data on personal mobile devices by enforcing "policies for passwords, device locking, remote wipe, and hardware encryption," Jaquith says.
Protect yourself: You can't trust that all apps on the Android Market are malware free. Make sure you read app reviews in the Market and on reputable app review sites such as PC World's AppGuide. And avoid installing any applications you get from unknown sources. That .apk file may be titled "Fruit Ninja" but in reality is a Trojan horse waiting to be unleashed. Don't forget that a number of mobile antivirus apps are available for Android, and it may be wise to have at least one installed on your phone.
Also, read an app's permissions screen carefully--it details what kinds of data an Android application can access (Google makes it mandatory for developers to have a complete list of permissions for every feature that an app has access to on your phone). You can find this list on every app's page in the Android Market (it appears right after you tap the button to download an app). See if you can uncheck undesirable permissions. If you're downloading a wallpaper application, for example, chances are it doesn't need to know your exact location.
iOS users aren't off the hook, either: Some bad actors have slipped by Apple's censors in the past despite the company's third-party app-vetting process. Over the summer, for example, a flashlight app that had hidden functionality got approved to the App Store. The actual risk may be low, but it isn't impossible for a seemingly legit app to have some hidden, malicious capabilities.
Threat 2: Social Network-Based Scams

Social networks such as Facebook and Twitter may be a great place to connect with friends, but they are also a breeding ground for malicious activity. Cluley says some of the most rapid growth in online attacks comes from social networks. In November, antivirus maker BitDefender made a similar statement, saying 20 percent of all Facebook users are active targets of malware.
Social network scams often take the form of phishing attacks that try to lure you in with photos or videos, and harvest your personal information or Facebook login--or worse, infect your PC with malware--along the way. Often, these links will come from Facebook friends who fall victim to these scams. You could also run across rogue Facebook applications that try to access your Facebook data and that of your friends.
While it's probably no big deal if scam artists find out what your favorite movies or quotes are, your profile may contain critical data--such as your date or place of birth, cell phone number, and e-mail address--that can be used to build a profile about you and even steal your identity. Such bits of information may be the final data point a bad actor needs to impersonate you online.
You could even become a specific target for criminals through social networks. In September, three young men ran a burglary ring in Nashua, New Hampshire, by looking at Facebook postings about people going out and then targeting homes they believed were likely to be empty. Police said they recovered over $100,000 in stolen property after cracking the ring, according to New Hampshire's WMUR-TV 9.
Protect yourself: Be wary of any social networking postings that offer you the chance to see a cool photo or video or making claims you know to be untrue--such as a recent Twitter scam that offered to let you see who is viewing your profile. Often, these scams can be stopped by just revoking the app in your security permissions and changing your account password. Another smart thing to do, according to Cluley, is to stop and ask yourself why a Facebook application wants to post messages on your wall or access your friends list. If you can't think of a good reason the app would need to do this, perhaps it's not worth authorizing.
Threat 3: Fake Antivirus
What it is: Although they've been around for a few years now, fake antivirus scams are on the rise, according to Cluley. In the last eight months, Sophos says, it has analyzed more than 850,000 instances of fake antivirus. Also known as "scareware," these scams start by convincing you to download a free antivirus program, sometimes appearing to be software from a reputable security company. Then the software claims your computer is under threat from a virus and you can save your system by buying a "full" version of the antivirus program for a one-time fee.
Once you do that, however, not only have you allowed more potential malware onto your computer, but you may have also handed over your credit card credentials to identity thieves. At that point, the bad guys can drain your bank account or steal your identity.
The irony of all this, says Cluley, is that these scams owe some of their success to the fact that we are becoming more aware of computer security. Since we want to protect ourselves as much as possible from malware threats, we become easily seduced by software promising enhanced security.
Protect yourself: First and foremost, make sure you are running a security program that's current--especially one that effectively blocks brand-new malware (see our reviews of the latest security suites and antivirus programs for which to buy). And never download a security program from a pop-up window you see online or from a third-party site.
Threat 4: PDFs
It may be the oldest online scam in the book, but e-mail loaded with malware attachments is still a big problem despite a high degree of awareness and robust antivirus scanning in Webmail clients such as Gmail and Yahoo Mail. Cluley puts the number of malware-related e-mails sent every day in the "millions," and says that "more and more spam is less about touting Viagra or fake degrees, but [is] turning malicious in nature."
PDF documents appear to be a prime method for these attacks, according to a recent report by MessageLabs, a division of Symantec. "PDFs are potentially one of the most dangerous file formats available and should be treated with caution...Because it is significantly easier to generate legitimate and concealed malicious content with PDFs," MessageLabs said in its February 2011 Intelligence Report (a PDF link--oh, the irony).
In 2010, 65 percent of targeted e-mail attacks used PDFs containing malware, up from 52.6 percent in 2009, according to MessageLabs, which further predicts that by mid-2011, 76 percent of targeted malware attacks could be using PDFs as their primary method of intrusion.
It's not just businesses that are targets of e-mail scams either. Sophos recently discovered an e-mail scam in the U.K. purporting to offer an $80 gift certificate to customers of a popular pet supply retailer.
Protect yourself: Make sure you are running an antivirus program and that it's up-to-date. Also, never open an e-mail attachment that you weren't expecting.
Last but not least, make sure that you keep Adobe Reader (or the PDF reader of your choice) up-to-date; Adobe regularly releases security updates that fix known flaws. The new Adobe Reader X has an updated security architecture that can better protect you against malicious PDF attacks.
Threat 5: War Games
State-sponsored malware attacks, industrial espionage, and hacktivism are on the rise, according to Perimeter E-Security's Jaquith. They may not be threats that affect everyone, but if you manage security for a business, they are the sorts of issues you should be paying attention to.
The hacktivist group Anonymous, for example, grabbed headlines this year for mounting attacks in defense of whistle-blower site WikiLeaks, and attacking government Websites in support of recent protests in Egypt, Tunisia, and Libya. The group also leaked a cache of e-mail messages from a security researcher who was trying to identify Anonymous members. "Whether it's WikiLeaks, Anonymous, or a Chinese or Russian attacker, theft of industrial secrets is shaping up to be one of the key issues of 2011," Jaquith says in a statement.
Protect yourself: If you are trying to safeguard your company's secrets or are worried about data leaks, monitor your company's network traffic for suspicious activity and conduct regular reviews of employee data access privileges.
The Internet may be filled with malware and potential threats, but that doesn't mean you need to panic. Keep your guard up, use common sense, and keep your software up-to-date, and you should be able to reduce your risk of falling victim to attack.
- HBGary Federal CEO Aaron Barr Quits Due to Anonymous Attack (March 1, 2011)
HBGary Federal CEO Aaron Barr Quits Due to Anonymous Attack
Anonymous 2, HBGary Federal 0. Aaron Barr has stepped down from his CEO post at HBGary Federal after an extremely embarrassing data breach by the hacktivist group Anonymous.
Reposted from: Fahmida Y. Rashid, eWeek.com
The embattled CEO of HBGary Federal has resigned his post three weeks after Anonymous hacked into the company’s network and stole thousands of e-mail messages. The ease with which Anonymous conducted the attack left the company, which provides security services to the federal government, red-faced.
CEO Aaron Barr told Threatpost on Feb. 28 that he’s stepping down to help the company regain its reputation and to improve his own.
"[G]iven that I’ve been the focus of much bad press, I hope that, by leaving, HBGary and HBGary Federal can get away from some of that. I’m confident they’ll be able to weather this storm," Barr told Threatpost.
HBGary Federal declined comment.
At least one member of Anonymous saw it as a victory. “Aaron Barr has quit! Join our party on IRC,” Topiary, an Anonymous “supporter,” posted on Twitter. “It seems Aaron’s fate currently lies in a trash can, reminiscing of the times he thought he took down Anon,” Topiary added, referring to a “Where will Aaron Barr be in 6 months time?” online poll. The comments left on AnonNewsSite were far more gleeful. “At least we destroyed him in anonymous style,” wrote one commenter.
Barr had bragged to the Financial Times on Feb. 4 that the company had identified some “leaders” of the hacktivist group behind several denial-of-service attacks on Visa, MasterCard and PayPal. He’d planned to unmask them at B-Sides Security Conference, a parallel event to the RSA Conference in San Francisco.
Anonymous retaliated Feb. 7 by exploiting weak passwords and unpatched servers to steal 71,000 e-mails from both HBGary Federal and its sister firm HBGary. Using both a SQL injection attack and social engineering, the hackers gained access to the Web and e-mail servers as well as the Rootkit.com domain, a site launched by HBGary founder Greg Hoglund for discussion and analysis of rootkits and related technology.
The attackers deleted gigabytes of research and support documentation, defaced Barr’s Twitter account and grabbed a decompiled copy of Stuxnet, which the researchers had been analyzing. The e-mails have been posted for public viewing, WikiLeaks-style, at anonleaks.ch, and a GitHub repository was created for the “first public Stuxnet decompile.”
HBGary offers a range of computer forensics products, malware analysis tools and security services such as implementing intrusion prevention systems, performing vulnerability assessment and penetration testing. Anonymous highlighted that even security experts can make basic mistakes when securing their environment, according to the attack details outlined by Ars Technica.
The Ars Technica article listed basic mistakes that contradicted best practices, such as unpatched servers and using easily-compromised hashes to store passwords. Even more tellingly, Barr and Ted Vera, the chief operating officer of HBGary Federal, had been re-using a simple password across multiple systems.
Senior executives should be held to the same level of security as regular employees, Andrew Jaquith, CTO of another security firm, Perimeter E-Security, recently told eWEEK. Executives actually "need to be safer than most," he said.
- Perimeter E-Security Joins Hands With Secunia (March 1, 2011)
Perimeter E-Security Joins Hands With Secunia
Reposted from: suhailajmal, HostWisely.com
March 1, 2011
Perimeter E-Security, an information security and secure messaging service provider, recently made an announcement regarding its partnership with Secunia, a dependable and efficient Vulnerability Intelligence provider.
The company says that with the threat environment evolving every day, it is extremely important that organizations and their IT experts know about upcoming vulnerability attacks.
Perimeter’s Threat Intelligence Service, powered by Secunia, is able to deliver the most updated vulnerability information to end users. The service promises to deliver only relevant information to each customer so that planning and remedial time is reduced when the right information is already sorted out. The service will begin in the first quarter of 2011 and will be available to both Vulnerability Management and MSSP customers.
Perimeter’s Executive Vice President, Product and Engineering, John Viega, said:
“We continue to evolve our services to deliver the most comprehensive protection for our customers’ networks. The Threat Intelligence Service provides the data that customers need to plan for necessary system updates to be informed against the ever-changing cyber security threats.”
This partnership with Secunia will allow Perimeter to get real-time vulnerability information directly from Secunia’s Vulnerability Intelligence. Customers who subscribe to the Threat Intelligence Service will be updated daily on vulnerabilities relevant to their IT infrastructure.
- Detecting Botnet Infections Requires Novel Tactics, Constant Monitoring (February 24, 2011)
Detecting Botnet Infections Requires Novel Tactics, Constant Monitoring
Businesses have to improve their detection skills, minimize attack vectors and enforce Web-filtering rules to quickly find and remove compromised machines communicating with a botnet.
Reposted from eWeek.com
Businesses can defend against botnets by improving their detection skills, training employees to identify infections, and minimizing attack vectors, according to security experts.
Businesses have to improve their detection skills and not rely on preventive techniques to defend against botnets, Andrew Jaquith, the CTO of Perimeter E-Security, said in a Web presentation Feb. 24. Businesses can take a number of steps to defend against botnets, such as proactively analyzing logs to find suspicious activity, but the most important is to realize the traditional defensive technologies will fail to prevent an infection, and to plan accordingly, he said.
Previously, there was a sense that if a user was infected with malware, it was the user’s fault for going to questionable sites, Jaquith said. That is no longer the case as even mainstream sites can have malicious ads served up by advertising networks. Furthermore, increasingly sophisticated phishing and social-engineering tactics make it difficult to differentiate malicious scams from legitimate messages, he said.
Infections are quick and stealthy, said Richard Westmoreland, Lead Security Analyst at Perimeter E-Security. In a recent incident with a banking customer, it took less than 8 seconds for a computer to be compromised, he said. In that incident, the Mebroot Trojan infected the computer, based on the Neosploit kit, which opened backdoors in the system that allowed it to communicate with the Torpig botnet, Westmoreland said. The user was unaware of the infection and continued to access a number of financial sites and other sensitive information, he said.
- Perimeter E-Security Ranked #4 in MSPmentor 100 (February 22, 2011)

Perimeter E-Security Ranked #4 in MSPmentor 100
The fourth-annual MSPmentor 100 survey results were revealed February 16, 2011, and Perimeter E-Security ranked #4 out of the Top 100 Managed Service Providers. MSPmentor is the ultimate guide to managed services and the leading global destination for managed service providers. MSPmentor takes an annual look at 100 companies that redefine MSP success. The MSPmentor 100 overall rankings for 2011 were published on February 16, 2011. This index is based on such metrics as:
- Annual managed services revenue (2010)
- Annual managed services revenue growth (2010 vs. 2009, in U.S. dollars)
- Annual managed services revenue growth (2010 vs. 2009, percentage growth)
- Percentage of overall revenue from managed services (2010)
- Devices/seats managed (2010)
- Devices/seats managed, annual growth (2010 vs. 2009, in raw numbers)
- Devices/seats managed, percentage growth (2010 vs. 2009)
- Recurring revenue per full-time employee (2010)
- CUNA GOVERNMENTAL AFFAIRS CONFERENCE - Join CUNA Strategic Services Partner at the largest annual credit union conference! (February 19, 2011)
CUNA GOVERNMENTAL AFFAIRS CONFERENCE - Join CUNA Strategic Services Partner at the largest annual credit union conference!
It's no secret that the past year has been challenging. Growing regulatory burdens continue to be a focus, and a new Congress brings the opportunity for credit unions to get behind a shared vision. Join Perimeter E-Security at CUNA GAC to network with peers, hear from key legislative and political leaders, and experience a variety of breakout sessions on credit unions' hot issues.
When: February 27 - March 1, 2011
Where: WALTER E. WASHINGTON CONVENTION CENTER, Washington, DC
Perimeter Booth #544
More Information: http://www.cuna.org/events/gac11/index.htm
Perimeter E-Security's partnership with CUNA Strategic Services provides credit unions access to the trusted market leader of information security services that delivers enterprise-class protection and compliance for businesses of any size. Through its cost-effective security-as-a-software platform, Perimeter offers the most comprehensive compliance, security and messaging services. Perimeter offers the industry's only Regulatory Compliance Guarantee, and credit unions save 20% off of retail pricing through the company's partnership with CUNA Strategic Services.
- iPads Storm the Enterprise (February 14, 2011)
iPads Storm the Enterprise
Apple's new application-level encryption paves the way for companies to run business apps on the iPad

Reposted from: Maria Korolov, Network World
As global accounts director at Altus, Inc., Michelle Klatt's job is to visit Fortune 500 companies and demonstrate her firm's video management software. When the iPad came out a year ago, she was all over it.
"I was one of the first salespeople to get one," she says. "I fought very hard." Her company's videos look "absolutely beautiful" on the iPad, she says. And once the sales presentation is over, she uses her iPad to update the Salesforce.com entry for the sales prospect, log the meeting, send out follow-up e-mails, manage her LinkedIn contacts, and do other job-related paperwork.
"I do everything on the iPad," she says. "It's really my laptop when I want it to be, but it's far lighter."
Klatt is at the leading edge of a growing wave of enterprise customers who are adopting the iPad for business use. "Enterprise CIOs are adding iPad to their approved device list at an amazing rate," Apple CFO Peter Oppenheimer said recently. "Today, over 80% of the Fortune 100 are already deploying or piloting iPad, up from 65% in the September quarter. Some recent examples include JPMorgan Chase, Cardinal Health, Wells Fargo, Archer Daniels Midland, Sears Holdings and DuPont."
A major reason that iPads are being accepted in the enterprise is that Apple significantly upgraded its iOS operating system last summer to include a number of enterprise-friendly security features.
"These include application-level encryption," says Andrew Jaquith, CTO at Perimeter E-Security and former lead security analyst at Forrester Research. "This encrypts the content of each application's data with a unique key, separating out each application's data on the device."
Encryption is built into the hardware, making it fast - and also making it easy for enterprises to wipe the device if it's lost or stolen. "In a tenth of a second," Jaquith says.
In addition, iOS 4 allows enterprises to impose security policies on their mobile devices. Policies can be imposed on all company-owned iPads and iPhones, or added to personal devices owned by employees.
They include setting a password lock, requiring a device to automatically erase company data after a certain number of failed logins, blocking camera access, or locking down the device to prevent users from installing unauthorized applications.
"It's not as sophisticated as the Blackberry, which has something like 500 security settings," Jaquith says. "But it has the important ones nailed."
- Andrew Jaquith, CTO of Perimeter and former Forrester Analyst, will be presenting “Security Metrics: A Beginner's Guide” at the 2011 RSA Conference. (February 1, 2011)

Andrew Jaquith, CTO of Perimeter and former Forrester Analyst, will be presenting “Security Metrics: A Beginner's Guide” at the 2011 RSA Conference.
Session Abstract: In today's economic environment, limited resources for information security programs have become even more constrained. CISOs must pick the right metrics and align with business goals to justify funding for information security priorities. This session discusses the importance and benefits of measuring security, and offers practical advice for practitioners looking to build or improve a security metrics program.
Session Learning Objectives:
- Justify budget and resources for information security priorities
- Defend the importance and benefits of measuring security
- Recommend practical techniques for starting a security metrics program
Session Code: GRC-301
Session Title: Security Metrics: A Beginner's Guide
Scheduled Date/Time: Thursday, February 17, 2011 at 8:30 AM
Location: Orange Room 300
Session Length: 70 minutes
Andrew Jaquith
Chief Technology Officer
Andrew Jaquith brings 20 years of IT and information security experience to Perimeter, most recently as a senior analyst with Forrester Research. At Forrester, Andrew led team coverage for data, endpoint and mobile security topics. In his time at Forrester, he wrote 20 popular reports on data leak prevention, encryption, endpoint security, mobile security and vendor M&A. Notable recent reports include "Security in the Post-PC Era," "Apple's iPhone and iPad: Secure Enough for Business?" and "The Forrester Wave: Data Leak Prevention Suites." Andrew consulted with and assisted 300 enterprise and vendor customers annually with vendor selection, compliance, strategy and effective practices.
Prior to joining Forrester, he was program manager in Yankee Group's enabling technologies enterprise group, with coverage of client security, digital identity, and web application security. Before joining Yankee Group, he co-founded @stake, a security consulting pioneer, which Symantec acquired in 2004. Before @stake, he held project manager and business analyst positions at Cambridge Technology Partners and FedEx.
Andrew's security research has been featured in publications such as CIO, CSO, and the IEEE Journal of Security & Privacy. In addition, he is the co-developer of the Apache JSPWiki open source wiki software package, and the author of the 2007 Addison-Wesley Professional book "Security Metrics: Replacing Fear, Uncertainty and Doubt." The book has sold more than 10,000 copies and has been praised by reviewers as "one of the best written security books ever."
- Cybercrime, the Next Generation (February 9, 2010)
Cybercrime, the Next Generation
The popular platforms of today are bound to be the targets of tomorrow
By Kevin Prince, Chief Technology Officer, and Doug Howard, Chief Strategy Officer, Perimeter E-Security
(The following is an edited excerpt of the forthcoming book, Security 2020, scheduled to be published next year.)
The social networking (think Facebook, LinkedIn, Twitter, MySpace) phenomenon is only going to grow. And anytime there is a system, program, or process used by millions of people, criminals look for ways to exploit it.
There have already been worms, scams, viruses, and malware targeting social-networking platforms and their users.
In addition, companies have shifted from paper records to electronically stored information. This is especially true within the healthcare industry, and other industries have had similar initiatives in the past few years. While these companies are getting more efficient, digitization has opened up new doors for cyber criminals to exploit. As a result, companies will see a huge upswing in the number of data breaches. We predict massive healthcare, financial and retail breaches and fraud.
We also foresee major attacks against networks that control infrastructure and utilities around the world. Some may target mobile phone towers and communications. Others may aim for emergency service communication. Still others might mark hospitals and other critical care facilities. Cyber gridlock?
- Mobility Drives Big Security Risks - And Opportunities - In 2010 (February 4, 2010)

Mobility Drives Big Security Risks - And Opportunities - In 2010
During a recent call with Kevin Prince, CTO of Perimeter E-Security, he suggested that with the new security vulnerabilities of mobility solutions come great opportunities for security VARs in 2010. Kevin has mobile devices on his list of top 10 security threats in 2010, and explained his reasons to me last week.
Kevin says the industry is seeing worms written specifically for iPhones, and apps written to secretly track phone applications in order to capture personal data. I've talked before about the risk to users with Bluetooth-enabled devices, especially those who leave that technology activated.
Laptops have always faced threats, not only from cyber space but from thieves who simply swipe the equipment. Kevin also reminded me that USB drives can easily carry viruses and worms, are simple to lose or steal, and provide an excellent opportunity for disgruntled employees to steal data.
Overall, the recommendation from Kevin is for VARs to talk with their customers about creating management and access policies for mobile devices and introducing them to technology that can protect devices and data, further advancing their position as a trusted advisor.
- Connecticut Innovations Brings in Jobs, 10 Tech Companies (January 22, 2010)
Connecticut Innovations Brings in Jobs, 10 Tech Companies
HARTFORD — More than two decades after lawmakers created Connecticut Innovations, the state’s quasi-public technology investment arm is self-sufficient, has lured 10 companies to the state and is in talks to possibly entice another half-dozen firms.
Those are some of the findings of a study released Thursday of the performance of CI over 13 years, ending in 2008.
The study found that investments made by the Rocky Hill agency in technology companies created an average of 1,610 jobs a year during the period, and resulted in $209 million in net revenue for the state in the 13 years.
The study also found CI’s cumulative investment of $106 million over that time has attracted another $1 billion into the state from outside investors.
Among the companies that CI has invested in are two software-focused firms founded by Andy Greenawalt: Perimeter E-Security in Milford and Continuity Engine of New Haven.
Greenawalt said CI is helping the state make the transition from old-school manufacturing companies to technology-driven firms.
“Connecticut has some marvelous ideas, but we really haven’t had the venture culture to take advantage of them,” Greenawalt said.
- There's More Than One Way to Plug Enterprise Data Leaks (January 12, 2010)
There's More Than One Way to Plug Enterprise Data Leaks
By Kevin Prince, Chief Technology Officer, Perimeter E-Security
Even if leaked data is never used to commit fraud or used for identity theft, data breaches can cost companies millions of dollars and a great deal of trust among customers and partners. Within a couple of years, all financial organizations will have to take data leakage prevention very seriously.
Data leakage prevention (DLP) is a topic that has been getting a lot of attention lately. Keeping sensitive data from leaving the network has quickly risen to the top of many IT and compliance officers' lists of priorities.
DLP will likely be the first thing most organizations spend their 2010 information security budgets on.
The Problem
Any time sensitive data gets into the hands of unauthorized individuals, it can constitute a data security breach. Malicious employees may take and use sensitive customer or employee information to commit fraud or identity theft, or sell it to others for quick, easy money. Careless and untrained employees also make mistakes that lead to breaches.
All data security breaches must be publicly disclosed, which often leads to negative public perception, loss of customers, expensive damage control, class-action lawsuits, and more.
Data breaches can cost companies millions of dollars, even if the data is never used to commit fraud or used for identity theft.
- The Yin and Yang of Cybersecurity (December 21, 2009)
The Yin and Yang of Cybersecurity
On the Internet, the good guys and the bad guys are inextricably connected. But what happens when one side gets the upper hand?
By Doug Howard, Chief Strategy Officer, and Kevin Prince, Chief Technology Officer, Perimeter E-Security
(The following is an edited excerpt of the forthcoming book, Security 2020, scheduled to be published next year.)
Since the inception of computers and more specifically, our global reliance upon them, the number, severity, complexity, and source of security threats have all increased exponentially many times over.
Why do threats emerge? Sometimes a developer wants notoriety (that was the primary motivation in the late 90’s and the first few years of the new millennium) but today the main force behind digital threats is the hope of monetary gain. Political and religious motivations are coming on strong, too.
At the same time, threat mitigation solutions and tactics are constantly developing to deal with these threats. These solutions evolve over time and balance out each new threat. The problem comes when threats emerge faster than solutions, and companies lose their balance.
- Perimeter E-Security Names CEO (November 16, 2009)
Perimeter E-Security Names CEO
IT security solutions provider Perimeter E-Security announced last week it has named Tim Harvey to the position of chief executive officer.
This is the first major appointment for Perimeter since it named Lou Kerner to the position of chief financial officer in August 2008.
Harvey joins Perimeter from open source data integration software and services firm XAware, where he served as CEO and president.
In this role, he led the strategy and transitioned the company from proprietary middleware to an open source vendor, resulting in its subsequent sale.
Before XAware, Harvey served as senior vice president of sales, marketing and product management at S1 Corporation. There he delivered a significant increase in sales revenues and implemented new sales methodologies.
He also worked as chief operating officer at SynQuest, where he helped manage the company's significant growth leading to an IPO in August 2000, before it finally merged with Viewlocity and Tilion.
Harvey has also served in other senior roles at Datalogix and Management Science America.
"We are delighted to welcome Tim as our new CEO; he is an accomplished software executive, whose leadership skills align with the accelerated growth track of Perimeter," says Richard Dobrow, President and chief operating officer of Perimeter E-Security. "Tim brings a rich history of experience in the software and managed services industry and we are confident that with his track record, Perimeter will reach new heights in its growth strategy as a market leader of information security and messaging services."
- SaaS Movement Driving Content Security Spending: Report (November 12, 2009)
Infonetics Research: Content security survey: complexity drives cloud deployments; Cisco top vendor
CAMPBELL, CA -- (MARKET WIRE) -- 11/10/09 -- Market research firm Infonetics Research (http://twitter.com/infonetics) released User Plans for Content Security, a market research study on the content security buying plans of 240 North American small, medium, and large organizations from a wide variety of vertical markets.
ANALYST NOTE "When we asked companies what kind of products they are using to combat viruses, spyware and adware, most said they use a mix of host products, gateway appliances, and gateway software, including purchased standalone software products and licensed SaaS clients. This phenomenon is one of the biggest drivers for many companies to move to hosted and cloud-based solutions; appliance sprawl and large and unwieldy client deployments are time consuming and expensive, and the promise of moving that headache off to somebody else is very tempting," explains Jeff Wilson, principal analyst for network security at Infonetics Research.
- 13 in Area Among Top 40 in State Tech Field (October 7, 2009)
13 in Area Among Top 40 in State Tech Field
New Haven County is home to 13 of the state’s 40 fastest-growing technology companies, it was announced Tuesday by the Connecticut Technology Council and UHY LLP.
The list of winning companies for 2009, called the UHY LLP Tech Top 40, is based on revenue growth over the last four years.
Companies considered by the council and UHY have at least $3 million in revenue and some of the public companies exceed $1 billion.
Matthew Nemerson, president and chief executive officer of the Connecticut Technology Council, said the businesses, which will be recognized at an awards ceremony later this month, could be a harbinger of growth industries for the state’s economy in the future.
“These are not flukes,” Nemerson said. “This is a dark time for most sectors. To have an occasion where everyone is successful and everyone in the room is growing by double digits or more is a rare occasion.”
There were six award categories. The area winners and their categories are:
Amphenol Corp. and APS Technology Inc., both in Wallingford, for Advanced Manufacturing; Proton Energy Systems Inc. in Wallingford for Energy/Environmental Technologies; and Cervalis LLC in Shelton, Perimeter E-Security in Milford and SAI Systems International in Shelton, all for IT Services.
- Vendors Allied on Compliance Tool (September 30, 2009)
Vendors Allied on Compliance Tool
The compliance technology vendor Continuity Engine LLC is enlisting other companies to help it streamline and automate the tasks it handles for community banks that must satisfy regulators.
The start-up announced its ActionPack alliance on Tuesday, with the first group of outside providers writing modules for the company's compliance-automation system.
"These partners are a repository of amazing insight," said Andy Greenawalt, the founder and chief executive of Continuity Engine, of New Haven.
As an example, he cited Perimeter E-Security, a Milford, Conn., data security company where he formerly was the chief technology officer; it is one of the first alliance participants.
"If you are doing data security, there are 800 ways to do it. But if you are a community bank using Perimeter E-Security, you are using it in a particular way," Greenawalt said.
- Perimeter E-Security Firewall and Intrusion Prevention (September 9, 2009)

Review: Perimeter E-Security Firewall and Intrusion Prevention
The Firewall and Intrusion Detection and Prevention service from Perimeter E-Security provides 24/7 real-time protection and comprehensive reporting. The company monitors the network, configures and maintains the firewall device, monitors logs and analyzes trends in intrusion attempts to ensure that the network stays consistently secure against threats. The system uses Perimeter's own technology, called ThreatSmart, which uses both signature- and analysis-based detection methods.
Customers can also view network information through the Viewpoint dashboard. This provides an in-depth overview of the network security systems in place. Customers can then drill down into a specific service, such as the firewall, and easily view alert and statistical data in rich detail, as well as view and manage reports. We found all the dashboards to be easy to navigate and well-organized.
Perimeter's security analysts are immediately notified of any security or connectivity issues and take appropriate action to remediate trouble situations. Remediation can include configuration changes, network troubleshooting and customer notification. Through the use of a correlative security engine, called Viewpoint 2.0, customers get instant access to data for reporting and compliance purposes.
- Digital Medical Records: Assess Their Vulnerability July 31, 2009
Digital Medical Records: Assess Their Vulnerability
The April 23, 2009, memo put out by the Oklahoma Department of Human Services now sounds unfortunately familiar. A laptop was stolen from an employee’s vehicle containing the “names, Social Security numbers, dates of birth, and home addresses of clients” from a broad range of assistance programs. The OKDHS director stated that, “the risk of the data being accessed is low because the computer uses a password-protected system.”
Perhaps the thief was only looking for a notebook to hawk for a couple hundred bucks, and whoever fenced it on the street had the sense to wipe the hard drive, oblivious to what was on it. Or perhaps that data is still waiting to fall into the hands of the highest black market bidder. A password alone won’t stop a determined hacker.
In 2006, the Veterans Administration had a laptop theft in which the stolen PC contained 26.5 million troop and veteran records. The laptop was recovered. Forensics determined that the data had not been touched, but the VA settled a class action lawsuit over the affair for $20 million. According to Kevin Prince, chief technology officer at security service provider Perimeter (www.perimeterusa.com), “Data breaches are almost synonymous with class action lawsuits these days.” He notes that the average breach costs organizations $2.6 million, but even that pales alongside what could happen if data suddenly turns up missing and stolen right when doctors need it for critical patient care.
21st Century healthcare data must be digital and portable, but it also must be protected. However, many organizations need guidance on how to safeguard their digital assets both during use and after a problem arises.

