Due to the increasing frequency of information security breaches, CISOs are being asked to evaluate the risk of a security breach in their environments and put appropriate measures in place to protect against them. As a result, in a recent Forrester Research survey, security and risk management professionals rated “protecting customer data” and “protecting sensitive corporate data” as their top priority for the next 12 months.
Here are some lessons learned that corporations should keep in mind when devising a plan against information security breaches.
Approximately 20,000 websites have been compromised with code that could allow a user’s system to be exploited remotely, Symantec security researchers have warned.
The attacks, which began on Tuesday, originally involved two Chinese sites hosting exploits for the flaw: wuqing17173.cn and woai117.cn. Further analysis by Symantec indicated another domain involved: dota11.cn.
Malicious code is being injected into legitimate third-party websites, probably through SQL-injection attacks against their back-end databases. The injected code then redirects visitors to sites hosting malicious Flash files, according to an advisory on Symantec’s SecurityFocus site.
The hosted files exploit a flaw in Adobe Flash Player versions 9.0.115.0 and 9.0.124.0; other versions of Flash Player may also be affected, Symantec warned. The flaw, which appears to be a buffer overflow, is triggered when Flash Player processes a malicious Shockwave Flash (SWF) file. Normally SWF files contain animations or interactive applications.
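The practical question for anyone running a database-backed site during a campaign like this is whether stored content has already been tampered with. The mass SQL-injection attacks of this kind typically append a `<script src=...>` or hidden `<iframe>` to every text column the injected query could reach, so a sweep over stored text fields is the quickest way to find it. The following scanner is an added example, not code from Symantec or from the advisory: it parses each stored value as HTML, pulls out every `script` and `iframe` that loads from a remote host, and flags loads from the domains named above or from any host not on the site's own allowlist. The sample rows and the allowed-host list are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Domains named in the Symantec advisory quoted above.
KNOWN_BAD_DOMAINS = {"wuqing17173.cn", "woai117.cn", "dota11.cn"}

# Hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.example.com", "static.example.com"}


class RemoteLoadFinder(HTMLParser):
    """Collects (tag, src) for every <script> or <iframe> with a src attribute."""

    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <SCRIPT SRC=...>
        # obfuscation by case does not evade this.
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.loads.append((tag, src))


def host_of(url):
    """Return the lowercase host of an absolute or protocol-relative URL, else None."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else None


def scan_field(value, bad_domains=KNOWN_BAD_DOMAINS, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings for one stored text value.

    A finding is a dict with tag, src, host and reason. Relative URLs are
    ignored: the injection pattern described in the advisory always points
    at an attacker-controlled host.
    """
    finder = RemoteLoadFinder()
    finder.feed(value)
    findings = []
    for tag, src in finder.loads:
        host = host_of(src)
        if host is None:
            continue
        if host in bad_domains or any(host.endswith("." + d) for d in bad_domains):
            reason = "known-bad domain"
        elif host not in allowed_hosts:
            reason = "unexpected external host"
        else:
            continue
        findings.append({"tag": tag, "src": src, "host": host, "reason": reason})
    return findings


def scan_rows(rows):
    """Run scan_field over (table, primary_key, column, value) tuples.

    In a real sweep the tuples would come from SELECTs over every text/varchar
    column; here the rows are constructed sample data.
    """
    results = []
    for table, pk, column, value in rows:
        for f in scan_field(value):
            results.append({"table": table, "pk": pk, "column": column, **f})
    return results


# Constructed sample rows imitating what an injected database might hold.
SAMPLE_ROWS = [
    ("products", 17, "description",
     'Red widget, 5cm.<script src="http://www.dota11.cn/m.js"></script>'),
    ("news", 3, "body",
     '<p>Quarterly results are in.</p><script src="/js/site.js"></script>'),
    ("news", 4, "body",
     '<p>Partner news</p><SCRIPT SRC="http://cdn.example.net/x.js"></SCRIPT>'),
    ("users", 9, "bio",
     'Hi there<iframe src="http://woai117.cn/1.htm" width=0 height=0></iframe>'),
    ("users", 10, "bio", "plain text, nothing injected"),
]

if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print(f"{hit['table']}#{hit['pk']}.{hit['column']}: "
              f"<{hit['tag']}> from {hit['host']} ({hit['reason']})")
```

Treat every hit as a sign that the injection vector itself is still open: cleaning the rows without fixing the vulnerable query (parameterised statements, not string concatenation) only buys time until the next sweep of the campaign re-injects the same tag.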
Cyberspace, initially the invention of science fiction, has become a fact of everyday life. Digitised documents, business transactions and information exchange have highlighted the need for cyberspace security.
In 2007, the United States Air Force set up Cyberspace Command (AFCYBER). In the spring of 2008, the European NATO members addressed the issue. On May 14, Estonia signed a Memorandum of Understanding with Germany, Italy, Spain, Slovakia, Lithuania and Latvia, in which the seven countries agreed to fund and staff a cyber-defence research and training centre in Tallinn.
This new expansion of the war zone was to be expected. After human beings settled dry land, they set their eyes on the seas, using them for military purposes. Several thousand years later, they moved the war to the air, with tethered aerostats, dirigibles and then airplanes designed to carry weapons long before they started transporting passengers and cargo.
Researchers have witnessed a growing trend in phishers hacking into legitimate Websites to host their phishing exploits, enabling them to keep their attacks alive longer.
In a blog post today, F-Secure’s Sean Sullivan noted a series of so-called ‘hack-and-pier’ phishing exploits that had been reported to phishing clearinghouse PhishTank.
“Instead of setting up their own sites, we’re seeing more and more evidence of phishing from hacked sites; legitimate sites that are unknowingly hosting phishing,” Sullivan blogged. “And then the site cannot simply be pulled offline without collateral damage to the legitimate business. So the Website’s administrator must be contacted to repair the damage.”
Google is now sharing details on why its search engine flags certain Websites as risky.
The search giant this month quietly added a new, free service called the Safe Browsing Diagnostic Page that tells whether a site flagged by Google as potentially dangerous is hosting malware, or helps distribute malware, for instance.
Google’s new diagnostics service provides information about any bad behavior by the site within the past 90 days. The idea is to give owners of the compromised Websites more information to assist in their remediation and cleanup of the site, and to provide users more information on why the site has been flagged.
The year of the guru
When it comes to information security, Bruce Schneier is perhaps one of the biggest names in the industry and has been referred to as a security guru. He spoke to Henry Tucker about security legislation, new threats and the latest information security concerns.
In terms of enterprise security, what would you say are the major concerns for 2008?
Crime. Crime has been the most serious threat for years now, and it continues to be so. That’s a constant; what changes are the tactics and the mechanisms. I expect to see more Trojan-based identity theft as two-factor authentication becomes more common, and IP telephony-based attacks as that becomes more common.
“Browser virtualization” sandboxes the OS and constitutes a new category of products, says firewall giant Check Point
The name “Browser Virtualization” isn’t as catchy as “firewall.” But Check Point Technologies says “Browser Virtualization” could be the next hot security technology for the consumer market.
Check Point, which helped popularize the firewall a decade ago, yesterday introduced ZoneAlarm Forcefield, a browser tool and service that creates a mirror environment, sometimes called a “sandbox”, where users can surf without fear that their systems will be permanently damaged by hackers or malware.
Google announced Thursday its Web Security for Enterprise, which is designed to protect corporate Web surfers from viruses, spyware, and malicious Web sites. It also extends the protection to remote workers if needed.
In addition to real-time malware protection and URL-filtering, the product also offers reporting and policy enforcement features. It’s basically a re-branded and more affordable version of a product from Postini, a company that Google acquired last year, a Google representative said.
With Web Security, companies have the option of adding protection for off-network employees who may be working in places such as hotels or airports, without requiring them to sign on to their secure corporate network.
Top-level managers and chief executives often do not realise the impact that IT-security incidents can have on their organisations, according to influential group the British-North American Committee.
In a report entitled Cyber Attack: A Risk Management Primer for CEOs and Directors, launched on Wednesday, Paul Twomey said that chief executives underestimate the scale of data-security problems and fail to recognise the consequences of data breaches for business. BNAC is a group of business leaders and academics from the UK, US and Canada that lobbies the governments of all three countries on management and business-related issues.
Sun Microsystems is helping fund a new startup dedicated to minimizing, rather than detecting or preventing, attacks
First there was intrusion detection, then intrusion prevention, and now, intrusion tolerance. A professor and researcher at George Mason University is readying the commercial rollout of a new, patent-pending technology that basically assumes an attack or infection on a server is inevitable, so it instead minimizes the impact of an intrusion.