- IT security goes Prime Time
- IT security in '08 not looking too great
- Symantec's take on mobile security
- Microsoft ships security assessment tool
- Beware of the love bot!
- Don't be a phishing vigilante
- Rootkits taking hold
- Naive workers feed data risks
- IT security fear and grow-thing in Silicon Valley
- Companies still failing to enforce security rules
December 27, 2007 | Comments: (0)
If the watermark for attaining hip-ness in American culture is landing on TV or in Hollywood, in addition to the endless video annals of the Web -- such as YouTube -- then IT security, and penetration testing in particular, has finally made it.
Yes, we've been seeing some pretty sophisticated hi-tech gadgetry in films since before the Sean Connery era of "James Bond," and some truly awful attempts to flesh out the perils that exist in the electronic environment, but now things have gotten so absolutely wild in the real world that security gamesmanship has gone reality TV.
Last week, CourtTV began running a new series dubbed "Tiger Team" in which experts in IT and physical security engage in a pre-planned game of cat-and-mouse pitting them against high-priced protection systems put in place by actual businesses.
The initial results aren't pretty. That is, for those companies who think that they've invested sufficient time and energy in trying to defend their physical and informational assets.
In the show's initial episode, available for viewing here in four clips offered via the official CourtTV site (with minimal advertising interspersed, I might add), the Tiger Team experts take on San Diego's famed Symbolic Motors, a dealer of the ultimate forms of motor vehicular expression -- Lamborghinis, Lotuses and Bentleys, yum.
Without ruining all the details for you, the team makes it perilously clear that they can and will defeat expensive IT security, video monitoring, motion detection and physical defenses with a little easily pulled-off reconnaissance (including a free test drive in a new Lotus Elise, nice bonus dudes!) and virtually no resistance.
One of the most shocking aspects of the exercise is when, after doing some rudimentary dumpster diving, the team uncovers details of the dealer's IT services provider (hi there LANSolutions! "We provide comprehensive, impenetrable safeguards for your business!" Hahaha!), and merely poses as one of its employees to gain access to Symbolic's server room and all the data therein.
Having nearly fully compromised the organization's entire perimeter defenses beforehand, the team carries out its plan and breaks in during the night and has its way with another free test drive.
And oh yeah, they also find a sales contract with all the personal information of an individual who appears to be well-known Hollywood car aficionado Nicolas Cage, and the records of a lot of other celebrity customers. So if they get tired of driving their free Lambo Murcielagos, Tiger Team can carry out some uber-targeted identity theft (if Cage has any money left from all those divorces, that is) whenever they feel like it (perhaps his next role should be "All my career earnings gone in 60 seconds").
Not detailed in the CourtTV show, but fed to Zero Day blog, is the information that the Tiger Team utilized automated penetration testing tools made by vendor Core Security as part of its arsenal for finding ways to crack the dealership's IT systems.
Nice product placement, but the usage also points out, as recently described to me by Symantec security research guru Carey Nachenberg, how bad guys can and will use the same commercially-produced tools as those used for protection by the white hats to find ways to get inside company perimeters.
(However, Core officials tell me that they have controls in place to prevent their tools from falling into the wrong hands.)
The high price of such products is clearly no longer an issue, it would seem, for people backed by a billion-dollar cyber-crime industry.
I'm still waiting for someone to hire Steven Spielberg to make Richard Clarke's "Breakpoint" into a Hollywood blockbuster (and if done right I think it could be), but in the meantime we can let the Tiger Team's work speak to the real world relevance of IT security and the increasingly dire landscape of criminal activity being carried out by technologically advanced criminals.
CourtTV is promising more Tiger Team episodes in the near future.
Until then, keep it tuned here for further details.
Posted by Matt Hines on December 27, 2007 08:58 AM
December 21, 2007 | Comments: (0)
IT security in '08 not looking too great
I've been reading and writing about Web 2.0 malware attacks for some time -- the variety leveled at Web 2.0 content specifically, not so much at AJAX or other new programming techniques -- but I finally felt the crunch myself this morning.
Upon opening my in-box I found roughly 100 new e-mails asking for me to approve comments on this here Zero Day blog, and sadly, based on the fact that I only average a handful of responses from you my faithful readers each week, I knew that something strange was afoot.
Turns out that some attacker's automated malware threat finally found its way to this blog and attempted to post a bunch of links to (what I'd suspect are) malware sites. Both the names of the e-mail addresses and the links themselves were clearly generated by machine, not hand, as they consisted of strings of random letters and numbers.
If only my writing could garner as much interest on its own!
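As an added illustration (not code from the original post or from InfoWorld), here is a small Python triage heuristic for the kind of automated comment spam described above: it flags submissions whose author name, e-mail local part and link hostnames look like machine-generated strings of random letters and digits. The comment samples are constructed for this example, and the entropy and vowel thresholds are assumptions to tune against your own moderation queue.

```python
import math
import re
from collections import Counter

# Constructed sample comment submissions (names, addresses and hosts are made up
# for this example); the second and third mimic the machine-generated link spam
# the post describes.
SAMPLE_COMMENTS = [
    {"author": "Dana", "email": "dana@example.org",
     "body": "Great post, thanks for covering this."},
    {"author": "q7x2mzp9", "email": "h3k9d2q@example.net",
     "body": "check http://x8d2kq7m.example/ http://p9z3a1wq.example/"},
    {"author": "kz83qpl1v", "email": "zq91mx7@example.com",
     "body": "http://v2k9xq.example/ http://m8r3zt.example/ http://q1w2e3.example/"},
    {"author": "Tom", "email": "tom.smith@example.com",
     "body": "I saw this too, see http://example.org/blog for my notes."},
]

URL_RE = re.compile(r"https?://[^\s]+")


def shannon_entropy(s: str) -> float:
    """Bits per character of s; strings of random alphanumerics score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_machine_generated(token: str, min_entropy: float = 2.5) -> bool:
    """Heuristic (assumed thresholds): letters mixed with digits, almost no
    vowels, and high character entropy. Real names and handles rarely have
    all three properties at once."""
    t = token.lower()
    has_letters = any(ch.isalpha() for ch in t)
    has_digits = any(ch.isdigit() for ch in t)
    vowel_ratio = sum(ch in "aeiou" for ch in t) / max(len(t), 1)
    return (has_letters and has_digits and vowel_ratio < 0.2
            and shannon_entropy(t) > min_entropy)


def first_label(url: str) -> str:
    """Leftmost DNS label of the URL's host, e.g. 'x8d2kq7m' for
    http://x8d2kq7m.example/."""
    host = re.sub(r"^https?://", "", url).split("/", 1)[0]
    return host.split(".", 1)[0]


def score_comment(comment: dict) -> dict:
    """Compute the spam signals for one submission and a hold-for-review verdict."""
    local_part = comment["email"].split("@", 1)[0]
    urls = URL_RE.findall(comment["body"])
    signals = {
        "random_author": looks_machine_generated(comment["author"]),
        "random_email": looks_machine_generated(local_part),
        "random_hosts": sum(looks_machine_generated(first_label(u)) for u in urls),
        "url_count": len(urls),
    }
    # Hold when the identity looks generated AND the body is link-heavy; either
    # signal alone produces too many false positives on real readers.
    signals["hold"] = (signals["random_author"] or signals["random_email"]) and (
        signals["random_hosts"] >= 1 or signals["url_count"] >= 2)
    return signals


def triage(comments: list) -> list:
    """Return (author, hold) pairs for a batch of submissions."""
    return [(c["author"], score_comment(c)["hold"]) for c in comments]


if __name__ == "__main__":
    for author, hold in triage(SAMPLE_COMMENTS):
        print(f"{author:12} -> {'HOLD' if hold else 'publish'}")
```

The verdict deliberately requires two independent signals (a generated-looking identity plus link-heavy content) so that a reader with an unusual handle or a single link is not silently dropped; held comments still go to a human, which is the same outcome as the blog's approval queue, just with the obvious batch spam sorted to the top.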
Anyway, the personal experience just backs up what we've been telling you here throughout 2007, that the attacks are only getting more widespread and sophisticated -- really nothing new in that sense since I started covering security roughly 4 years ago -- but clearly the stakes continue to rise.
And, according to Paul Henry, a longtime industry expert who currently wears the title of "vice president of technology evangelism" at security gateway maker Secure Computing, 2008 is shaping up to be even worse than any year in the past.
(Consider that according to McAfee, 2007 was by far the worst year ever for malware exploits, as the company's Avert Labs tracked an estimated 357,000 individual pieces of malware, a 60 percent increase over 2006. FTR, McAfee is predicting that we will see over 550,000 samples during 2008.)
There are several issues feeding into this trend of rising attack professionalism, sophistication and ubiquity that Henry outlined on a recent call where we discussed the fate of '08.
Among the most striking observations he made was that many security companies aren't helping the problem, but rather adding to it.
TippingPoint, for one, and many others, he said, are intensifying the issues created by exploit bidding sites like WabiSabiLabi -- where anyone willing to pay more than the next guy can buy newly-discovered and previously unreported software vulnerabilities.
These companies are doing so by purchasing unique exploits for themselves and creating "vaccines" to protect their customers, rather than reporting the flaws to the affected application makers or detailing them in any public forums.
Now, most security vendors will tell you they do report the vulnerabilities to the apps makers, but Paul said that increasingly many are sitting on the details longer to give themselves some sort of perceived advantage.
Being the first to report and protect against a new attack isn't good enough anymore it would seem, and he claims that more companies than ever are sitting on their vulnerability information.
That includes Symantec and McAfee, he said, but those companies are being less flagrant and merely trying to compete with everyone else who is doing it.
Another alarming issue related to this trend, Henry contends, is that the vendors are not hiding the details of the new exploits very well in their vaccines. Thus, more hackers are getting their hands on these unprotected vulnerabilities by taking the information directly from these AV providers. Yipes.
"It's like the old protection schemes in the Fifties in New York where the shady insurance guy would show you a picture of your business on fire and ask you if you wanted to buy fire insurance," said Henry. "It borders on extortion, and I've been very surprised by the number of security companies doing it; people seem to be jumping on the bandwagon because they don't want to be at some sort of competitive disadvantage."
Henry contends that the open window on a lot of these threats is as long as 18 months.
Along with more automated Web 2.0 threats such as the one attacking the comments section of this here blog, the expert believes that we'll also see more advanced social engineering threats such as the CyberLover attack that I detailed here one week ago -- which poses as an available guy on singles site forums and tries to lure women into handing over their personal details or trick them into visiting malware sites.
He believes that we'll see more targeted attacks on businesses that attempt to use this level of sophisticated, human-like automation to trick people into handing over data about their companies or their network log-in credentials. Sweet.
Some of these programs, including CyberLover, appear to be emanating from our old friends the RBN, who Henry said (echoing many other experts) have moved their ops largely to China, possibly using an ISP/hosting company known as HostFresh, located in Hong Kong.
Among the other types of attacks he believes will come from this group and other professional-grade exploit providers in '08 are more cross-site request forgery (CSRF) threats, which try to capture Web session and browser cookie data and use it to break into Webmail accounts and the like.
Recent samples the expert has observed included a CSRF attack for sale that advertised the ability to get into Webmail domains controlled by all the big players, including Google, Yahoo, MSN and Lycos.
Some of the CSRF threats involve "cookie sniffers" which grab available log-in information from people's browsers and send it back to a central database controlled by attackers. "Cookie replayers" are actively sitting on people's machines waiting to grab their credentials when they log into their accounts.
FTR, Henry thinks that political pressure in Russia may have led RBN to move its operations to China. If that's the case, it's good to hear that the Russian law enforcement types are finally turning up the heat.
At the same time that the malware world is getting so much more professional -- and those finding the vulnerabilities and building the threats are getting better at productizing their stuff and further separating themselves from those actually carrying out the attacks -- Henry points to overconfidence on the part of security professionals as another disturbing trend.
As highlighted in the E-Crime report put out by InfoWorld sister pub CSO Magazine, along with CERT and other government experts in September, many IT and security professionals seem to think that the defenses they already have in place, including AV, firewalls and intrusion prevention systems (IPS), are sufficient to stop most threats.
But in fact, according to the report and Henry, real experts don't think that's the case.
Combined with these other trends, 2008 could be pretty nasty.
"As the hacking community gets more professional and we see this overconfidence in security teams, it leads me to believe that 2008 could be pretty interesting," Henry said. "We're really in a rough spot, the most common defense methodology is the negative security model today, and hackers have proven that this is of no consequence to them."
On the flip side, if more people start considering a move to positive security models, such as the whitelisting techniques described in my recent story on Symantec researcher Carey Nachenberg, Henry thinks we may see some progress in the not-too-distant future.
"If you look at what people are using today, you can literally see where they're falling short; they're using simple packet filters for the firewall, and nothing to protect against Web 2.0 attacks, where the big push by the attackers is moving," he said. "The entire negative security model where traffic flows freely and you try to use signatures to block threats has failed, and hackers are blowing right through it using obfuscation. But, I think that a positive security model can work someday, where you configure your firewall to accept only the good traffic you define."
The only big question? How many more years it will be until the industry can make such an approach practical to employ on a widespread basis.
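To make the negative-versus-positive distinction Henry draws concrete, here is an added Python example (not code from the post, from Secure Computing or from Symantec) that runs the same four constructed query strings through both models. The negative model is a signature blocklist applied to the raw request, the way a filter that never decodes its input works; the positive model declares which parameters exist and what their decoded values may look like, and rejects everything else. The signature list, parameter schema and sample queries are all assumptions made for this illustration.

```python
import re
from urllib.parse import parse_qsl

# --- Negative security model: everything passes unless a known-bad signature matches.
# The signature list is constructed for this example.
BAD_SIGNATURES = ("<script", "union select", "../")


def negative_model_allows(raw_query: str) -> bool:
    """Blocklist check on the raw query string, the way a naive signature filter
    that never decodes its input would do it."""
    lowered = raw_query.lower()
    return not any(sig in lowered for sig in BAD_SIGNATURES)


# --- Positive security model: declare what good input looks like; reject the rest.
# Assumed schema for a hypothetical search endpoint.
ALLOWED_PARAMS = {
    "q": re.compile(r"[A-Za-z0-9 ]{1,32}"),   # search terms: alphanumerics and spaces
    "page": re.compile(r"[0-9]{1,3}"),        # page number: up to three digits
}


def positive_model_allows(raw_query: str) -> bool:
    """Accept only declared parameters whose decoded values match their schema."""
    try:
        # parse_qsl percent-decodes values, so the schema is checked on what the
        # application would actually see, not on the wire encoding.
        pairs = parse_qsl(raw_query, strict_parsing=True, keep_blank_values=True)
    except ValueError:            # malformed pair such as a bare 'q' with no '='
        return False
    for name, value in pairs:
        pattern = ALLOWED_PARAMS.get(name)
        if pattern is None or not pattern.fullmatch(value):
            return False
    return True


# Constructed query strings. The percent-encoded one slips past the raw-string
# signature because nothing decodes it first: that is the obfuscation failure
# mode of the negative model that the post describes.
SAMPLE_QUERIES = {
    "benign": "q=rootkit%20scanner&page=2",
    "signature_hit": "q=<script>",
    "percent_encoded": "q=%3Cscript%3E",
    "undeclared_param": "q=hello&debug=1",
}


def compare_models(queries: dict) -> dict:
    """Map each sample name to (negative_allows, positive_allows)."""
    return {name: (negative_model_allows(q), positive_model_allows(q))
            for name, q in queries.items()}


if __name__ == "__main__":
    for name, (neg, pos) in compare_models(SAMPLE_QUERIES).items():
        print(f"{name:18} negative={'allow' if neg else 'block'}  "
              f"positive={'allow' if pos else 'block'}")
```

The point of the comparison is the asymmetry: the blocklist has to anticipate every encoding of every bad string, while the allowlist only has to describe the handful of inputs the endpoint was built for, which is why the undeclared `debug` parameter is rejected without anyone having written a signature for it.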
Posted by Matt Hines on December 21, 2007 09:09 AM
December 19, 2007 | Comments: (0)
Symantec's take on mobile security
According to analysts at Gartner, the number of smartphones shipped to end users will outnumber the volume of laptop shipments to customers as early as 2008.
Rival analyst firm IDC (a sister company of InfoWorld under parent IDG) estimates that as many as 304 million smartphones will be in users' hands by 2011.
That's a lot of devices.
And, according to many security experts, along with the proliferation of handhelds, there will also be an increasing number of attacks aimed specifically at the devices.
Now, some mobile security experts, such as the esteemed Mikko Hypponen of F-Secure -- a company that got in on the "mobisec" angle early based largely on its close proximity to device giant Nokia -- contend that the issue of mobile attacks might not turn out to be as big a deal as others think.
Because of the wide number of mobile operating systems, and the process of application signing that OS vendors and carriers have thus far adhered to for the most part to keep unwanted apps off of devices, he claims, malware authors won't be able to easily introduce attacks that have the same widespread impact as threats aimed at, say, computers running on the Microsoft Windows OS.
However, with the rise of platforms such as Google Android, and the push therein for more openness in the mobile device applications world, perhaps the issue of mobile security won't be as easily handled as we have been led to believe.
Symantec, among many others in the security space, has earmarked mobile device protection as one of its top areas of strategic focus for 2008.
What follows are excerpts from a Q&A supplied by the vendor with Khoi Nguyen, group product manager of Symantec's Mobile Security Group.
Question: Why have mobile threats recently become such a hot topic?
Nguyen: These devices are increasingly storing financial and confidential information. In Asia, smartphone users can use their phone like cash through pay-by-wave technology. London, England is also implementing this service in their Underground transportation system on a trial basis. Many consumers are also using their smartphones for e-mail, mobile banking, and file downloads.
Question: What is the motivation for hackers to focus on these devices?
Nguyen: Cyber-criminals go where the money is. With the increasing popularity of these devices and as people begin using them to store sensitive data, make purchases and surf the Internet, hackers will naturally look for ways to exploit the weaknesses in the operating systems.
Question: Can we learn anything from our historical experience with PCs to help guide us with these devices?
Nguyen: We have noticed that the mobile threat landscape is similar to what the PC threat landscape was 15 years ago. For example, for every mobile virus variant in the wild today, there are more than 450 variants for the PC. It is important for users to develop the same critical thinking when using their mobile phones that has become second nature on their PCs. As these viruses propagate, it will be increasingly important for users not to use a discerning eye when receiving strange IM, e-mail, and other requests.
Question: How do mobile threats differ from PC threats?
Nguyen: There is a current attack we have labeled "Snoopware." This kind of attack compromises a person's privacy rather than their bank account. Snoopware threats can remotely activate a device's microphone or camera, allowing the hacker to spy on or listen in on the victim's conversations, whether or not the phone is currently in use. Because these devices are rarely far from the owner, it is a definite violation of a person's privacy. Other attacks use the phone features for financial gain.
Question: What can people do to protect themselves?
Nguyen: [People] need to remember that with increasing flexibility, mobile devices shift away from the definition of a traditional cell phone and become in truth more of a PC. As a result, users need to develop [their] awareness when using a device's Internet, Bluetooth or WiFi functionality and bring the same scrutiny for their mobile devices that they have cultivated for their PCs. With awareness and a layer of trusted protection, consumers can feel comfortable making the most of their mobile experience.
Question: What else can users do to protect themselves besides software protection?
Nguyen: Aside from installing security software on their smartphone, users should be generally aware and informed about potential security risks, the same way they’ve come to be about their PCs. For example, many smartphones come Bluetooth-enabled by default. This means that whenever possible the phone will look for available Bluetooth networks to connect with. Some cyber-criminals use these networks to propagate malware, so it is important for a user to disable Bluetooth. If a person has a Bluetooth headset or some other device that requires this feature to be enabled, they should pair it with the accessory and disable the Bluetooth broadcast option in their phone.
Posted by Matt Hines on December 19, 2007 02:00 PM
December 18, 2007 | Comments: (0)
Microsoft ships security assessment tool
Microsoft delivered a new version of its Microsoft Security Assessment Tool (MSAT) on Tuesday, launching version 3.5 of the free diagnostic program that is aimed at helping customers find potential IT security risks.
Available for download at no charge here, the application is specifically aimed at helping SMB users discover the types of problems that larger companies can find via the work of their dedicated IT staffers and external consultants.
"Localized" (is that a real word?) in 15 languages, the latest iteration of MSAT promises expanded tests for assessing security threats, updated best practices, and an all new Infrastructure Optimization Security Assessment feature.
Other additions to the program include improved graphics and reporting capabilities, as well as advice for programmers seeking to improve the security of their applications development methodology (hello SDLC!).
The release marks the first update to the program since Microsoft introduced version 2.0 in 2006. The initial iteration of the application debuted in 2004 under the name Microsoft Security Risk Self-Assessment Tool (MSRSAT).
According to Redmond, "security issues have evolved since 2004 so additional questions and answers were needed to ensure you had a comprehensive toolset to become more aware of the evolving security threat landscape that could impact your organization."
The tool promises to employ "a holistic approach to measuring your security posture" by addressing issues related to people, process, and technology. Far out.
Findings, we are told, are "coupled with prescriptive guidance and recommended mitigation efforts," which include links to additional Microsoft security resources (and product spec sheets?).
There are three assessments that the company said the MSAT is particularly geared for:
-Business risk profile
-Defense-in-depth
-Mid-market security core infrastructure operations
Microsoft promises that the questions and answers included in the survey were derived from widely-accepted industry practices, and based on standards such as ISO 17799 and NIST-800.x.
After completing the questionnaire, participants are presented with their results and their perceived security standing, and then offered the chance to compare their answers to other people who have used the tool.
Microsoft is asking people who use MSAT to share their results for the purpose of giving others a comparative basis on which to judge their own performances.
The company promises total anonymity for those who choose to do so.
Some security cynics will always question Microsoft's mores -- and of course, I'm sure that the powers that be in Redmond hope that those people who decide to fill out the survey also decide to buy some of their shiny new security products -- but I say, good on ye Microsoft, regardless.
Who said that nothing in life is free?
People tend to prattle on about all the security problems Microsoft has created with the vulnerabilities in its products, but at least they're giving away something useful for nothing to help people understand where they're at -- a position that many small businesses can't afford to hire outsiders to help them determine.
Of course, they must do something else with all that data…
Posted by Matt Hines on December 18, 2007 01:38 PM
December 14, 2007 | Comments: (0)
We've seen the reports on popular news programs and talk shows for years -- (cue Geraldo voice) men who pose as chivalrous mates to vulnerable women only to end up taking off with their savings, leaving a trail of broken hearts and emptied bank accounts in their wake.
Apparently, malware posing as a man has finally caught up to the real deal.
According to a report issued by AV software maker PC Tools, a new program has appeared in online dating chat rooms in Russia that advertises itself as an attractive male romance candidate, flirts with available females, and attempts to trick those ladies (and men?) who fall for its lecherous ploys into handing over their personal data.
Dubbed by the firm as "CyberLover," PC Tools researchers claim that the program can conduct "fully automated flirtatious conversations" before trying to lure people into handing over their details, or tricking them to visit malware-infested Web sites.
Based on the company's research into the program's authors, the researchers said that CyberLover is capable of building new relationships with up to ten partners in only 30 minutes (can any real man match that?).
The malware's authors claim, of course, that victims of the threat can't begin to distinguish the program from a human being.
Beyond that, PC Tools submits that CyberLover represents a new breed of malicious program that can truly mimic human behavior during online interactions to carry out its nefarious schemes, one that the company said could become increasingly popular.
"As a tool that can be used by hackers to conduct identity fraud, CyberLover demonstrates an unprecedented level of social engineering," Sergei Shevchenko, senior malware analyst at PC Tools, said in a research note on the threat. "It employs highly intelligent and customized dialogue to target users of social networking systems."
Part of the danger of the automated lover is that it is "designed as a bot [robot] that lures victims automatically, without human intervention," the expert maintains.
The CyberLover software can also cloak itself in a number of personality types, ranging from "romantic lover" to "sexual predator," PC Tools said.
Something tells me that the romantic lover iteration just might catch a few more flies than the one advertising itself as a sexual predator… but you just never know online, do you?
The program is also pre-programmed with a range of "dialogue scenarios" that involve different types of questions and discussion topics to be aimed at potential victims. The threat was designed specifically to recognize certain likely responses from chat-room users to further tailor its subsequent interactions, the researchers said.
I wonder how it responds to expressions like "what are you wearing," "how much money do you make," or the time-honored "leave me alone you predictable jerk."
PC Tools said that the attack also compiles a report on each person it interacts with which it funnels back to a remote source for safekeeping. The report can include information such as a victim's name, contact details and photo.
As part of its attack, CyberLover invites potential victims to visit its personal Web site or blog, which -- surprise -- most often holds a nice drive-by malware infection for anyone gullible enough to end up there.
The lesson of the story is -- never trust what men tell you online.
Either that or -- if he seems too good to be true, he probably is (a malware program).
Or how about -- try interacting with real humans, it just might be safer than trying to deal with them over the Web.
Maybe.
PC Tools predicts that CyberLover will wash up on U.S. shores by early 2008.
Keep a nose out for the smell of cheap cologne.
Posted by Matt Hines on December 14, 2007 12:57 PM
December 13, 2007 | Comments: (0)
If you talk to any law enforcement official about the idea, they'll tell you time and time again that it almost never pays to take the law into your own hands.
Apparently the same rules apply in the world of cyber-crime.
While there have been some funny examples of people who have gone to great lengths to hoodwink phishers and other online fraudsters -- and some people have even turned the pursuit into a full-time hobby -- new research shows that playing games with the cyber-thieves just might not be a good idea.
According to experts with Cyveillance, a company hired by large banks, pharmaceutical companies and ISPs to keep an eye out for emerging attacks -- including phishing campaigns -- a lot of people seem to think it's fun to click through to fraudulent sites these days to taunt the sites' operators by using their online forms to curse them out.
Rather than providing their personal information, these people find joy in filling in the forms with expletives and other forms of derisive invective.
However, as you might have already guessed, merely by pointing their browsers to the phishing sites, many of these users are getting nailed by drive-by exploits that target holes in the applications, Cyveillance officials said.
"Sometimes we're able to get into the back end databases behind these phishing sites, and it's remarkable how many people click the e-mail, go to the site, and then start filling in the forms with curses and insults against the scammers," said Todd Bransford, vice president of marketing at Cyveillance.
"But, from what we can tell a good percentage of those people are being infected by malware that's being delivered by the sites themselves in the background," he said. "They probably wouldn't think it was that funny at all if they knew what was really going on."
In addition to using blended attacks such as phishing sites that are distribution points for zero day exploits, attackers are also getting savvier about the timing of their campaigns, Bransford said.
For instance, Cyveillance tracked a 300 percent increase in phishing attacks over the Thanksgiving weekend in November, compared to the average number of phishing attacks seen in the previous week.
According to the company -- which does everything from taking down phishing sites for banks to pursuing people selling counterfeit drugs for pharmaceutical companies -- the uptick in activity is specifically aimed at getting attackers as much mileage out of their threats as possible during the timeframes when the people hired to stop them aren't at work.
As phishers move away from targeting customers of larger companies and focus more of their efforts on smaller credit unions and online retailers, the "weekender" tactic may prove even more efficient, the company maintains, as those diminutive businesses are far less likely to have anyone on call to watch out for attacks.
Bransford said the firm expects to see similar threats carried out over the upcoming holiday season, especially with Christmas falling on Tuesday this year, giving attackers an extended 4-day weekend to spread their nefarious forms of cheer.
Cyveillance said it first noticed the trend this summer over the 4th of July and Labor Day weekends.
"Basically these people know that smaller service providers and banks don't have people working over the weekend, so, there's no one in the office to do anything about the attacks," Bransford said. "This is just another example of how innovative and thoughtful some of the smarter attackers are getting in finding ways to carry out their campaigns; they keep refining their techniques like any good marketers would to go undetected longer and find new ways to victimize people."
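The "weekender" pattern Bransford describes is easy to watch for if you already count phishing reports per day. The following Python is an added example (not Cyveillance's code or data): it parses constructed daily summary lines, compares a holiday window against the average of the preceding week the way the 300 percent figure above is framed, and flags the days that both fall on a weekend or holiday and exceed a multiple of that baseline. The log format, the counts and the holiday calendar are all made up for this illustration.

```python
from datetime import date, timedelta
from statistics import mean

# Constructed daily summary lines (not Cyveillance's data): one line per day with
# the number of phishing sites reported against a hypothetical client that day.
SAMPLE_LOG = """\
2007-11-15 phish_reports=12
2007-11-16 phish_reports=14
2007-11-17 phish_reports=9
2007-11-18 phish_reports=10
2007-11-19 phish_reports=13
2007-11-20 phish_reports=11
2007-11-21 phish_reports=15
2007-11-22 phish_reports=41
2007-11-23 phish_reports=52
2007-11-24 phish_reports=48
2007-11-25 phish_reports=44
2007-11-26 phish_reports=16
"""

# Days with nobody on call: weekends plus a constructed holiday calendar
# (Thanksgiving 2007 fell on Nov. 22; the Friday after is included as an assumption).
HOLIDAYS = {date(2007, 11, 22), date(2007, 11, 23)}


def _as_date(d) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def parse_daily_counts(text: str) -> dict:
    """Parse 'YYYY-MM-DD phish_reports=N' lines into {date: count}."""
    counts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        day_str, field = line.split()
        key, value = field.split("=", 1)
        if key != "phish_reports":
            raise ValueError(f"unexpected field {key!r} in line {line!r}")
        counts[date.fromisoformat(day_str)] = int(value)
    return counts


def baseline_mean(counts: dict, window_start, days: int = 7) -> float:
    """Average daily count over the `days` days immediately before window_start."""
    start = _as_date(window_start)
    prior = [start - timedelta(days=i) for i in range(1, days + 1)]
    missing = [d for d in prior if d not in counts]
    if missing:
        raise ValueError(f"no data for baseline days {sorted(missing)}")
    return mean(counts[d] for d in prior)


def window_uptick(counts: dict, start, end) -> dict:
    """Compare the mean over [start, end] with the preceding week, as a percent increase."""
    start, end = _as_date(start), _as_date(end)
    window_days = [start + timedelta(days=i) for i in range((end - start).days + 1)]
    base = baseline_mean(counts, start)
    window = mean(counts[d] for d in window_days)
    return {"baseline": base, "window_mean": window,
            "pct_increase": round((window / base - 1.0) * 100.0, 1)}


def is_off_hours(day) -> bool:
    """True on weekends and on days in the holiday calendar."""
    day = _as_date(day)
    return day.weekday() >= 5 or day in HOLIDAYS


def flag_off_hours_spikes(counts: dict, start, end, factor: float = 2.0) -> list:
    """Days in [start, end] that fall on a weekend or holiday AND exceed `factor`
    times the pre-window baseline: the pattern worth paging someone for."""
    start, end = _as_date(start), _as_date(end)
    base = baseline_mean(counts, start)
    flagged = []
    day = start
    while day <= end:
        if is_off_hours(day) and counts.get(day, 0) >= factor * base:
            flagged.append(day)
        day += timedelta(days=1)
    return flagged


if __name__ == "__main__":
    counts = parse_daily_counts(SAMPLE_LOG)
    print(window_uptick(counts, "2007-11-22", "2007-11-25"))
    for d in flag_off_hours_spikes(counts, "2007-11-22", "2007-11-26"):
        print(d, d.strftime("%A"), counts[d])
```

The baseline is fixed to the seven days before the window rather than a rolling average, because a rolling window would absorb the first spike days into the baseline and under-report the later ones; the Monday after the holiday, which is back within range of the baseline, is correctly left unflagged.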
And while many different technologies and services have been launched with the aim of filtering out more phishing-laden spam e-mails further upstream, such as pattern matching tools used by ISPs and other carriers, Cyveillance maintains that phishers are still having a field day by easily circumventing the signature-based formats utilized in most of those applications.
Overall, it would seem that until filtering technologies improve, or end users finally get the message, phishing attacks will continue to catch plenty of suckers.
"We've been dealing with this problem for almost five years now, and it's pretty amazing that with all the consumer education programs that are out there the problem only seems to be getting worse," Bransford said. "People just don't seem to be getting it, and I'm not sure what else the industry can do to harden consumers against the problem."
Posted by Matt Hines on December 13, 2007 12:22 PM
December 12, 2007 | Comments: (0)
Malware infections -- in particular insidious rootkit attacks -- continue to proliferate at a rapid pace, according to new figures released by security vendor Prevx.
Based on the latest results attained from over 725,000 endpoint systems tested using the company's Prevx CSI automated malware scanner, some 14 percent of the business-owned PCs involved had been exploited by one type of rootkit or another, the company said.
Rootkits -- which are loosely defined as sets of tools that give administrator-level access to a computer or network and often hide themselves as close to a machine's OS kernel as possible to evade detection -- are considered by many security experts as one of the most stealthy methods for infecting computers today, and are thus considered to be very dangerous.
[ For an in-depth look at rootkits in the enterprise, see "Rootkits: The next big enterprise threat?" ]
Overall, Prevx reported that the percentage of machines that it found to be loaded with some form of malware rose from 15 percent to 22 percent since late October, largely driven by the flood of new rootkit infections.
As reported by Prevx: "Rootkits are a major concern because while a user believes his or her computer is 'clean' from infection, he or she is exposing more and more information to criminals who can use this type of malware to gather personal information across the Web."
While rootkits are nothing new and have been in regular circulation for years, Prevx officials maintain that the "rise of rootkits" has begun as attackers have shifted their focus to the threats that attempt to evade detection at the hands of traditional anti-malware applications.
Even though most businesses are using commercial anti-virus tools, rootkits are still finding a way in the door, said officials at the scanning specialist.
"Many PCs may be infected even though users and businesses have up-to-date anti-virus and anti-spyware products," Mel Morris, Prevx's CEO, said in a research note.
"Users often don't realize something is amiss until they run a full anti-virus scan of their PCs with updated signatures. Even then, rootkits will often go undetected," he said. "Part of the problem is that anti-virus scans simply take too long and users just can't be bothered to wait."
Unsurprisingly, Prevx's technology promises to allow for less cumbersome malware scans.
Among the 1,678 rootkit-infected PCs scanned by Prevx since Oct. 22, the most prevalent attacks included NDT2.SYS (found on 121 machines), SROSA.SYS (90), UNPR.SYS (82), FMTR.SYS (82), and INDT2.SYS (78).
The company said that in the first 9 days of Dec., 93 individual companies used its malware scanning technology, with 68 of those organizations having one or more infected PCs, and 13 companies, or 14 percent, with one or more rootkit infections.
A free version of the company's CSI scanning application can be accessed here.
Posted by Matt Hines on December 12, 2007 01:16 PM
December 11, 2007 | Comments: (0)
IT security studies keep arriving that point out the same fact: the careless actions of everyday employees remain one of the greatest areas of overall risk to data security.
Last week, Ponemon released a report that showed how few people really understand or respect their employers' security policies.
This week, EMC division RSA announced the results of its own research into workplace habits and issues of data security, and the conclusions are eerily similar to the Ponemon survey.
The 10,000-foot view of both reports tells us this -- it is the human element of the data protection problem that companies may need to address most aggressively if they truly want to bolster their overall security standing.
It would seem that people are going to continue to look for ways to circumvent security policies whenever doing so makes their jobs easier, for as long as they are allowed to get away with it.
According to the RSA study -- based on an unreported number of interviews held with corporate and government employees in Boston and DC during November:
- Some 35 percent of respondents said that they have knowingly ignored their organizations' established security policies and procedures just to get their jobs done.
- Roughly 63 percent of respondents admitted that they frequently or sometimes send work documents to their personal e-mail accounts to get work done at home.
- Another 56 percent of respondents said that they frequently or sometimes access their work e-mail via public wireless hotspots.
- A majority, 52 percent of respondents, said that they frequently or sometimes access their work e-mail via public computers.
At the same time that people are seemingly blowing off any security best practices their companies may have asked them to follow, the likelihood that they are frequently walking around or working remotely with organizational information also continues to grow.
After all:
- Some 87 percent of respondents to the study said that they frequently or sometimes conduct business remotely over a virtual private network or using Web mail.
- Another 65 percent of respondents admitted that they frequently or sometimes leave their workplace carrying a mobile device such as a laptop, smartphone and/or USB flash drive which holds sensitive information related to their jobs.
- A total of 8 percent of respondents said that they have previously lost a laptop, smartphone and/or USB flash drive with corporate/organizational information on it.
RSA advises that organizations can mitigate this human risk by developing "information-centric policies that acknowledge and align with the needs and realities of the business."
But will that really work? What the results we're seeing here really make clear is that policies alone do not have the desired impact on employee behavior, and that companies need technologies such as DLP and e-mail encryption that can account for people's mistakes and misdeeds now more than ever before.
At the heart of the issue is the tricky balancing act that companies need to pull off in order to keep their data safe while allowing their workers to do their jobs with as little interruption as possible.
This is an opinion that many IT security leaders have advanced over the last year as the data protection issue has become such a central business problem for so many types of firms, but clearly it is not a problem that has been remedied.
As RSA puts it, simply, "when security is as convenient as possible for end users, they are less likely to work around security policy."
This seems like a no-brainer, but just like creating a foil for every flavor of human innovation being brought to the table by the bad guys these days, it's obviously a concept that is easier said than done.
"Organizations must understand the types of information their employees and other insiders need to access, determine the sensitivity of that information and then protect it with security measures commensurate with the associated risk," Sam Curry, vice president of product management at RSA, said in a report summary. "Well-protected information is an asset that gives individual workers and organizations the confidence to achieve more."
Posted by Matt Hines on December 11, 2007 08:52 AM
December 07, 2007 | Comments: (0)
IT security fear and grow-thing in Silicon Valley
Living on the East Coast and covering IT has its challenges as so much of the industry is centered in California's Silicon Valley.
There are plenty of vendors and tons of analysts on the East Coast, and major groupings of companies in Boston, DC and Atlanta, but, to really get a feel for the business it's vital to head west to tour The Valley from time to time (and not during the crush of an all-out industry event like the annual RSA Security confab).
That's what I've been up to all week -- specifically meeting with companies here that have their hands buried deep in the IT security business.
Just as we've been told back East (where it conveniently snowed all week), and by all local accounts and observations, things are currently thriving in the SV region -- and the security segment certainly seems to be no exception.
The seemingly ceaseless freeway traffic alone is enough to convince you that there's plenty going on here in general.
From the tidy (and surprisingly unassuming) headquarters of Symantec and McAfee, to the looming caverns of firms including Cisco, Google and Intel, along with smaller startups tucked into office parks like Cenzic and FireEye, there is enough expertise and innovation being generated here to keep a reporter like me busy gathering data for months.
With only 4.5 days to run around and see as much as I could while making time available to visit InfoWorld's San Fran headquarters, the companies above represent the list of firms I was able to visit. My apologies to all the friends and colleagues that I missed.
Some observations:
-The senior leaders of Symantec and McAfee appear to have dramatically differing strategies for running their companies, on issues ranging from adoption of SaaS to the continued acquisition of other businesses. It's pretty fascinating to talk to the respective CEOs; they're not as similar in thinking as you might tend to think, given the way the companies are typically lumped together by analysts and the media.
-Major platform providers like Cisco, Google and Intel are dead serious about expanding their security businesses and integrating more tools into their existing products. Symantec and McAfee and the above companies claim that they won't compete as much as foster a broader ecosystem for endpoint, online and network protection, but it seems inevitable that the push of the platform providers will shift the product plans of those traditional security vendors.
-Threats continue to get scarier and stealthier. We've been writing about this trend for years, but after you spend a few days briefing with the experts about issues like botnets and polymorphic, targeted malware attacks, you can't help but feel a little more paranoid and amazed at the innovation of the bad guys.
-Consolidation will continue at a rapid pace. Messrs. Thompson and DeWalt of Symantec and McAfee, respectively, make no secret of the fact that they will continue to use their balance sheets and deep pockets to acquire the tools they feel are necessary to provide the full spectrum of solutions to their customers. Something tells me Cisco and Google aren't done adding talent and products themselves, and they've got the money to do so as well. Most of the smaller VC-backed firms seem to want to be bought, but only if the buyers make sense (not just cents).
-Surprisingly few people admit to reading the Fake Steve Jobs blog, which I assumed was an everyday staple out here, as it has become for me. Maybe they're simply too busy or it has already become cliché to follow it that closely here. I still love it.
-The idea that innovation is stalling in the U.S. is overblown. As my brother, who is in the restaurant industry, reminded me when I was recounting to him the hordes of amazing talent and incredible ideas flexing their collective muscle out here, we're losing a lot more manufacturing and services industry jobs overseas, while Americans (and the crowds of ex-pats who are living and working here) are still launching an avalanche of new concepts and technologies.
-Did I mention the traffic? I left Google two nights in a row at roughly 5pm. Bad idea, and you realize why it's vital for companies like the search giant to create such cool places for their employees to work. You need a lot of free food and soda pop to retain people when they have to come in at 6 and leave at 8 to keep from dying a slow death sitting in gridlock. It took about 2 hours to get back to my hotel in SF each night. But, traffic also means that there are lots of people working here, and we can all agree that this is a good thing. (It also softens the blow when Avis hooks you up with a brand new fire-red Pontiac Solstice convertible to roll in, even if I only got the top down once and had to use the heater when doing so).
-West Coast sports fans are really tired of the current dominance of Boston's professional teams, and the legions of (insufferable, gloating) fans that have relocated here or come to visit. I wore my Celtics cap to sports bars and a Golden State Warriors game (thanks Neil Wu Becker!) and I quickly made new friends who were interested in telling me how lucky and annoying this trend has become. With ESPN running endless cycles of Pats highlights, Red Sox trade rumors and highlights of the rejuvenated C's all week, it's hard to blame them.
Over the coming weeks you'll see the results of my efforts to dig through all the content, news and perspectives I was able to cram into my notebooks and tape recorder during the visit. Yes, that's good old analog tape, because it has outlasted all its digital peers -- and yes, Dave DeWalt made fun of me for carrying it, because it is huge and decidedly out of place in SV. At least I finally got my hands on a cooler phone.
The biggest takeaway from the entire week is that the security sector is amazingly vibrant, fast-moving and full of some of the most unabashedly brilliant individuals you could ever care to interview.
Thanks again to all the interviewees themselves and the dedicated PR specialists who made my visit here such a whirlwind of fascinating briefings, wildly enjoyable meals and boisterous bar nights.
I love this town.
Now it's back to Planet Hoth.
Posted by Matt Hines on December 7, 2007 12:53 PM
December 04, 2007 | Comments: (0)
Companies still failing to enforce security rules
Guess what?
Creating the most comprehensive and restrictive security policies in the world won't do your company any good if you don't enlist means of enforcing them.
Should this be news?
One might think not, but apparently -- based on a new study published by Ponemon Institute and sponsored by DLP vendor RedCannon -- many companies are failing to implement their existing security rules, or express them in a manner that actually drives users to obey them.
Based on a survey of just under 900 corporate IT workers, the researchers found that many people believe that they can continue to skirt their employers' security laws, in those cases where they have even been made aware of them.
Among the results:
- Some 51 percent of respondents admitted that they have copied confidential information onto USB drives, even though 87 percent of those people conceded that their companies' policies forbid the practice.
- Another 39 percent said that they have lost or misplaced a portable device bearing company information, and 72 percent of those individuals said they didn't report the incident immediately.
- A majority 56 percent said that their employers would never be able to determine the type of data contained on any lost devices, and only 10 percent of those surveyed said their organizations have a policy to deal with the loss of a portable storage device that holds sensitive information.
- A total of 46 percent of respondents admitted that they share their computer or network passwords with others, even though 67 percent of those people admitted that their companies ban the practice.
Ouch.
Some of the other findings indicate a substantial level of uncertainty among respondents regarding their companies' policies governing certain risky behaviors.
This would seem to indicate that in addition to failing to properly enforce their security rules, a number of firms are failing to communicate the policies to their employees (or maybe even failing to create the laws in the first place).
For instance:
- Some 45 percent of those surveyed said that they access personal Web mail accounts on work systems, with 74 percent of those people submitting that their employers have no stated policy that forbids it.
- Another 45 percent of respondents said that they download personal software onto their company-issued devices, with 60 percent stating that their employer has no official policy governing the practice.
- A total of 33 percent of respondents said that they send workplace documents to their home computers as attachments, with 48 percent claiming that they are unsure whether this violates any existing policy.
And get this:
- Some 17 percent of respondents said that they have previously shut off some form of security settings or firewall on their workplace computers, with 80 percent unsure whether or not this violates policy.
Conventional wisdom would dictate that even the most lax companies probably wouldn't let this type of behavior continue if they knew it was going on.
Companies like RedCannon obviously feel that organizations concerned with these problems should enlist DLP tools or similar technologies to prevent workers' habits from violating their security laws.
Yet, it would also seem that if companies merely reframed their policies and made sure that workers had been exposed to them, they might be able to change some of the problematic habits.
"Privacy and data protection policies are meaningless if they do not address the full spectrum of threats and if they are not enforced, and our research points to an urgent need to address this pervasive vulnerability in corporate data security programs," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. "The development of comprehensive policies, along with training and stringent enforcement of those policies should be a priority in any enterprise-wide data security program."
Even with all the rising concerns (and headlines) regarding major data breach incidents, many companies still appear to have their heads in the sand when it comes to addressing the problem, said RedCannon executives.
The company would surely love to sell its DLP tools as the perfect manner to address such issues, but experts with the company recognized the impact that simply drafting better policies, and enforcing the rules, could deliver.
"Data breaches remain the leading cause of financial losses in business, with over 75 percent of Fortune 1000 companies falling victim to data leakage, and this is not going to change without improvements in the enforcement of data security policies," said Vimal Vaidya, founder and chief executive officer at RedCannon. "This study clearly indicates key data management practices that have a serious impact on data security and regulatory compliance, and highlights ways organizations can bolster policy enforcement and reduce the risks of potential data loss."
Posted by Matt Hines on December 4, 2007 03:17 PM