Options: Conduct your own penetration test or farm it out to a third party

A penetration test can help validate whether your vulnerability management program is effective or not. It also helps determine whether the remediation steps for regular vulnerability scans are being performed properly.

And more importantly, it can also shed light on how easily or not an outside attacker can gain access to your company’s crown jewels.


Small And Midsize Businesses’ IT Security Budgets ‘Recession-Proof’

Despite overall economic difficulties, survey respondents say they still plan to invest in technology this year.

IT security budgets remain stable despite overall economic difficulties, a recent survey found. Security vendor Astaro surveyed 300 attendees at the RSA Conference in San Francisco, Calif., from April 7 to April 11. They found that 67% of the respondents said they do not see their security spending behavior affected by a recession this year.


Hack into Obama campaign site exploited a coding flaw

SAN JOSE, Calif. (AP) — A simple flaw in the coding of Sen. Barack Obama’s Web site led to a hacking switcheroo of presidential proportions just days before the important Pennsylvania primary.

Some supporters who tried to visit the community blogs section of Obama’s site started noticing late last week they were being redirected to Sen. Hillary Rodham Clinton’s official campaign site.


Microsoft Report: Physical Data Theft, Trojans Up; Bug Disclosure Down

Trojan attacks jump by 300 percent, but publicly disclosed vulnerabilities reach three-year ebb

Here’s another reason to hold onto your laptops: 57 percent of publicly disclosed security breaches came from lost or stolen equipment in the second half of last year, compared with only 13 percent from hacking and malware, according to Microsoft’s latest Security Intelligence Report, which was released today.

The new Microsoft report, which focuses on vulnerability and exploit data it gathered from July through December of 2007, found that exploits, malware, and hacks made up only 23 percent of security breach notifications between 2000 and 2007.

And the software giant recorded a whopping 300 percent jump in Trojan downloaders and droppers detected in the second half of ’07, as well as a curious 15 percent drop in the disclosure of new vulnerabilities. Overall, vulnerability disclosures decreased by 5 percent for all of 2007.

It was the decrease in vulnerability disclosures that most caught Microsoft by surprise, says Jimmy Kuo, principal architect of the Microsoft Malware Protection Center. “This is the first time since 2003 that there’s been such a decrease,” Kuo says.

The finding also surprised other security experts, including Doug Camplejohn, CEO of Mi5 Networks. But Camplejohn warns that one data point doesn’t make a trend. “It remains to be seen whether there’s a true downward trend here, or whether vulnerability discoverers are just being more tight-lipped about vulnerabilities,” Camplejohn says.


Security Pros Need to Be Unburied From the Org Chart

To succeed, IT security must raise its profile in the business, says former CIO

SAN FRANCISCO — RSA Conference 2008 — Security pros need to stop fighting fires in the data center and start getting themselves noticed in the boardroom, a former CIO and top-ranking security executive said here last week.

Many IT security people see themselves primarily as technologists and problem-solvers, said Dave Hansen, former CIO at Computer Associates and currently senior vice president and general manager of CA’s Security Management business unit. But as security becomes more critical to the business, CSOs need to delegate some of the operations functions and get more tied into the business, he said.

“Right now, 46 percent of CSOs spend up to a third of their day just analyzing security event reports,” Hansen said. “That’s not the way to maximize value to the organization — and it needs to change.”

To help make his point, Hansen showed the audience a humorous video that demonstrates how deeply the security function may be buried in some organizations.

“If you’re a CIO and you don’t know where your CSO sits, you’re probably missing a critical component in your strategic planning,” Hansen said during the keynote and in a subsequent question-and-answer session afterwards. “When I was a CIO, I wanted that CSO close by, because I was ultimately responsible and I needed to know what was going on.”


Is It Time For Security To Go On The Offense?

Security researcher Joel Eriksson recently demonstrated how security vulnerabilities within hacker attack tools can be used to turn the tide on online criminals.

According to a Wired blog post, Eriksson, a security researcher with Swedish security firm Bitsec, demonstrated how he has successfully reverse engineered attack software, such as Trojan horses, so that he can upload his own exploits on the attacking systems.

It seems Eriksson is finding vulnerabilities in a number of “remote administration” tools, including Bifrost and PCShare.

“If there is a vulnerability, it is still game over for the hacker,” Eriksson is quoted as saying.


Lack of Customer data protection


Companies and public bodies are not doing enough to protect customers’ data, the UK’s privacy watchdog and a major survey of security have said.

The Information Commissioner said that the 94 security breaches reported to him last year was an “alarming” number.

The survey of more than 1,000 firms suggested that almost 90% of them let staff leave offices with potentially confidential data stored on USB sticks.

Firms and public bodies were urged to make data protection a priority.

Information Commissioner Richard Thomas said of the 94 data breaches, two thirds were committed by government or other public sector bodies.

Data had been recovered in only three of the 94 cases, he said.

Stolen computers

The material included personal details of UK citizens, including health records.

“The evidence shows that more must be done to eradicate inexcusable security breaches,” he said.

Mr Thomas’ findings and the separate Information Security Breaches Survey will be detailed at the InfoSec show in London, the world’s largest event of its kind.


Infected Web Pages Nearly Triple

The rate at which Internet security company Sophos detected infected Web pages nearly tripled in the first quarter of 2008, the company said.
In its Q1 08 threat report released Monday, Sophos says that it discovered a new infected Web page every 5 seconds. In 2007, the company says, it saw new infected Web pages every 14 seconds.

“The Web continues to be the preferred way for malware authors to deliver their attacks,” the report says. “Our growing dependence on the Web for purchasing and gathering information makes it an ideal hunting ground for cyber criminals chasing poorly protected users.”

The rise in infected Web pages is related to a decline in infected e-mail. Sophos says that about 1 out of every 2,500 e-mail messages contained malware, compared to 1 out of every 909 messages monitored in 2007.


Worst practices: Security incidents to avoid

Infosec professionals are certainly aware of best practices, like employee awareness training, proper firewall configuration and data encryption, just to name a few. Perhaps the “worst practices” in information security are the ones that are either dropped or not followed.

Frequently, after a company has paid a security staff to identify vulnerabilities, develop appropriate policies and roll out plans to address security risks, someone comes along and decides one or more of the following:

  • They don’t apply to me.
  • They don’t apply to my department.
  • They are too burdensome to follow.

And it’s not just companies that are guilty of this. Here are a few true security stories that prove my point:


Identity Theft Smash & Grab, CEO Style

Tens of thousands of corporate executives were the target of a series of identity-theft scams this week, e-mail-borne schemes that appear to have netted close to 2,000 victims so far.

Early Monday morning, according to two security experts with firsthand knowledge of the attacks, nearly 20,000 executives received an e-mail purporting to be a subpoena ordering each recipient to appear in court for legal violations leveled against their company. The messages addressed each executive by name, and included their phone number and the name of their company.

Recipients who clicked the link were brought to a Web page that claimed they needed to install a Web browser add-on in order to view the subpoena. Those who agreed were shown an Adobe PDF document that referenced a lawsuit filed in a California district court.


Webpage Brought to you by Pradheep Manohara (MSc IT Security)