Archive for the 'Risk Management' Category
Friday, November 23rd, 2007
What changes can we expect to see in terms of information security threats during 2008?
http://www.continuitycentral.com/news03614.htm
McAfee, Inc. has released its top ten predictions for security threats in 2008. Researchers at McAfee Avert Labs expect an increase in Web dangers and threats targeting Microsoft’s Windows Vista operating system, among other new or increased threats. At the same time ad-serving software known as adware is expected to continue to decrease.
“Threats are moving to the Web and newer technologies such as VoIP and instant messaging,” said Jeff Green, senior vice president of McAfee Avert Labs and product development. “Professional and organised criminals continue to drive a lot of the malicious activity. As they become increasingly sophisticated, it is more important than ever to be aware and secure when traversing the Web.”
McAfee Avert Labs’ top 10 security threats for 2008:
Bull’s Eye on Web 2.0
Compromises and malware at Salesforce.com, Monster.com and MySpace, among others, represent a new trend in attacking online applications and social networking sites. Attackers are using Web 2.0 sites as a way to distribute malware and are data mining the Web, looking for information that people share to give their attacks more authenticity. McAfee Avert Labs expects a large increase in this activity in 2008.
Botnets follow the Storm
With a handful of high-profile prosecutions of bot herders in 2007, criminals will be seeking better ways to cover their tracks. The Storm Worm set a worrying precedent. Also known as Nuwar, the Storm Worm has been the most versatile malware on record. The creators released thousands of variants and changed coding techniques, infection methods and social engineering schemes far more than any other threat in history. Storm created the largest peer-to-peer botnet ever. McAfee Avert Labs expects others will ride the coattails of that questionable success, pushing up the number of PCs turned into bots. Bots are computer programs that give cyber crooks full control over PCs. Bot programs typically get installed surreptitiously on the PCs of unknowing computer users.
IM = Instant Malware
The scenario of a ‘flash’ worm via instant messaging applications has been foreshadowed for years. This threat could spawn millions of users around the globe in a matter of seconds. There has been malware that spreads via IM, but we have yet to see such a self-executing threat. However, this may be closer than ever as the number of vulnerabilities in popular instant messaging applications more than doubled in 2007 compared to 2006. More importantly, there were 10 high-severity risks in 2007, compared to none in 2006. Additionally, the top IM virus families of 2005 and 2006 were replaced with new active threats, signifying an “out with the old and in with the new” milestone. Skype saw its first batch of worms in 2007. Many more are expected to follow.
Target: online gaming
The threat to virtual economies is outpacing the growth of the threat to the real economy. As virtual objects continue to gain real value, more attackers will look to capitalise on this. The evidence is already there. The number of password-stealing Trojans that targeted online games in 2007 grew faster than the number of Trojans that target banks.
Vista joins the party
In 2008, Windows Vista is set to gain additional market share and cross the 10 percent barrier. The release of Service Pack 1 for Vista is also likely to accelerate the adoption of the Microsoft operating system. As Vista becomes more prevalent, attackers and malware authors will start in earnest to explore ways to circumvent the operating system’s defences. There have been 19 Vista vulnerabilities reported since its release earlier this year. We can expect a lot more Vista vulnerabilities to be reported in 2008.
Adware continues its decline
The US government crackdown against purveyors of ad-serving software has had a positive effect. The combination of lawsuits, better defences, and the negative connotation associated with this form of advertising helped start the decline of adware in 2006. This trend was confirmed in 2007, and with the major players out of the game, adware is expected to continue its decline in 2008.
Phishers catch a wider net
Cybercrooks will increasingly target smaller, less popular sites with data-thieving phishing scams. It has become tougher and riskier to target top-tier sites as the big-name brands are responding more quickly and providing increased security. Knowing that a large percentage of people reuse their usernames and passwords, less popular sites are likely to be targeted more frequently than before, giving criminals the same access.
Parasitic crimeware takes root
Parasitic infectors are viruses that modify existing files on a disk, injecting code into the file where it resides. While crimeware was storming ahead in recent years, parasitic malware faded to the background. In 2007 several crimeware authors turned old school to deliver threats like Grum, Virut and Almanahe: parasitic viruses with a monetary mission. The number of variants of an older parasitic threat, Philis, grew by more than 400 percent, while over 400 variants of a newcomer, Fujacks, were catalogued. We expect a continued interest in parasitics from the crimeware community, with overall parasitic malware expected to grow by 20 percent in 2008.
Virtualization transforms information security
Security vendors will embrace virtualization to create new, more resilient defences. Today’s complex threats will be easily defeated, but researchers, professional hackers, and malware authors will begin looking at ways to circumvent the new defensive technology, continuing the classic game of cat and mouse.
VoIP attacks to rise 50 percent
Already this year, more than double the number of security vulnerabilities have been reported in Voice over IP (Internet Protocol) applications, compared to all of 2006. We have also seen several high-profile ‘Vishing’ attacks and a ‘phreaking’ conviction. It is clear that VoIP threats have arrived and there’s no sign of a slow-down. The technology is still new and defence strategies are lagging. McAfee Avert Labs expects a 50 percent increase in VoIP-related threats in 2008.
http://www.avertlabs.com/research/blog/
Posted in Compliance Management, Risk Management
Friday, November 2nd, 2007
From: www.cio.com – Judi Hasson, CIO – October 30, 2007
No one wants to be sued, that’s for sure. But in today’s litigious world, it is rare that any company can escape a lawsuit in its business life. It is becoming the CIO’s job to make sure, when the time comes, that IT is ready for the onslaught of directives to turn over all electronic documents in a legal case. And that’s where the headaches start for any IT department that does not have a good e-mail retention and retrieval system.
The need for better electronic record keeping evolved nearly a year ago, when the federal government overhauled its rules of civil procedure and made electronic documents an official part of the discovery process during a lawsuit. The rules for what is called "e-discovery" that took effect Dec. 1, 2006, make production of electronic documents as important as turning over hard copies of material in any legal case. Companies typically have 30 days to answer any e-discovery request (though the court may grant extensions) and face thousands of dollars in fines—not to mention risk forfeiting the case—if they fail to respond promptly.
In this new world that marries the legal system with technology, the CIO is adding company archivist to his job description. IT departments must work with the legal department to come up with a plan that saves necessary e-mails and makes them easily retrievable. Yet there are few rules for setting up an electronic records management system, training employees to catalog their e-mail and creating a standard procedure so employees consistently follow the procedures to turn over electronic documents quickly. And so, many CIOs are still scrambling to organize their corporate e-mail and keep track of these records in a comprehensive way.
The key to compliance with e-discovery rules, say legal experts and IT leaders who have already tackled the problem, is to establish enterprisewide document management and retention practices for e-mail and other types of digital documents, then deploy the appropriate software to support them. "You can achieve a lot of protection, reduce your risk and reduce the cost of discovery by adopting reasonable, repeatable and scalable processes and tools," says John Rosenthal, a partner and co-chair of the e-discovery committee at Howrey, a Washington, D.C., law firm.
Here are ways to get ready for the inevitable:
1. Get in sync with legal and business leaders.
"The problem with e-discovery is the first time it hits your radar screen is when the general counsel calls and tells you what the court wants," says Paul Zazzera, a consultant and former CIO at Time. To mitigate such surprises, IT and legal should work to develop processes, policies and tools for saving e-mail that everyone in the company follows. "A CIO and the legal department should be fused at the hip," Zazzera says.
And don’t leave business leaders out of the discussion. "Too many CIOs think of litigation as something that belongs to the legal department," says Leslie Wharton, who heads the e-discovery team at the Arnold and Porter law firm. "Litigation is something that belongs to the company, and whether the company is a plaintiff or defendant, the company [as a whole] must be able to meet document preservation and production obligations."
Such preparation makes you "discovery ready," according to Mark Reichenbach, the former director of discovery and regulatory response with Merrill Lynch, rather than needing to react to litigation or regulatory investigations when they come up. Some companies have even begun to appoint cross-functional e-discovery teams to address the issue, adds Zazzera, run either by IT or the general counsel’s office.
2. Get rid of unneeded documents.
For example, if the statute of limitations has passed in a tax case or environmental issue, delete the associated records. Many companies keep data from legacy systems that are obsolete, so there’s no business reason—and unlikely any legal reason—to have them around, observes Julie Brickell, associate general counsel at Altria Corporate Services, which handles tobacco litigation for affiliate Philip Morris USA.
Defining what you should preserve is murky, however, and depends on what kind of business you’re in. Most important, says Zazzera, is to have a consistent policy for what is permissible to delete—and what is not. Have the same rules for e-mail as for other electronic documents.
"You really have to think through a policy about everything," Zazzera says. "What records you are keeping and how you are keeping them." Most companies will say that all electronic and paper documents generated by company employees on company property can become part of the e-discovery record. But there are gray areas. For example, if a person sends a personal e-mail using a company computer, should that be turned over in e-discovery? And if a person sends e-mail from his own computer about company business, can it be protected?
Posted in Business Continuity Management, Compliance Management, Disaster Recovery, E-Discovery, General, Risk Management
Wednesday, September 26th, 2007
ITBusinessEdge.com - Posted by Carl Weinschenk on September 21, 2007 at 11:11 am
Small businesses need to watch how they research and buy — as well as discard — computers and computer-related devices. The reason is simple: In many cases, gadgets are sold, given away, donated or trashed with valuable data intact.
This week, Dell said that it is offering a service to customers with fewer than 10 pieces of computer equipment that will allow them to more professionally manage and return the machines. While security is not the only reason this is a good idea — there are dangerous materials in computer screens and keyboards that must be disposed of properly — it is a key driver. The need to manage the data on computing gear leaving an organization is growing more important as regulations tighten and criminals get more enterprising.
The key is ensuring that data really is off the devices’ drives. This well-done overview of the data wiping issue at How Secure is My Computer says that deleting or even reformatting the hard drive doesn’t actually wipe out the information. It only removes the entries in the index or table of contents; the actual data can be recovered fairly easily.
The writer says that truly erasing the hard drive involves wiping software that overwrites the real data with nonsensical data. The author also recommends “history wiping” software that deletes Internet history, pictures viewed and just about everything else. True data wiping involves spreading a pattern of meaningless data, reversing that pattern in a second sweep and, in a third sweep, spreading a random pattern of ones and zeros.
Companies worrying about information remaining on their antiquated machines after they are outside the control of the company are not neurotic. This Chosun feature recounts an experiment by two apparently well-financed MIT students who bought 158 computers from online auctions. The students recovered 5,000 credit card numbers and a tremendous amount of other personal data.
The story also notes that putting files in a machine’s trash can or recycle bin doesn’t delete the actual data and that the U.S. Defense Department only considers data truly obscured if it is covered with garbage files seven times. It is important to pay attention to cell phones as well. An effort similar to the MIT initiative led to the recovery of 27,000 pages of personal data from 10 used phones.
One sure way to make sure the wrong people don’t retrieve data from drives involves a chain saw and safety goggles. Though it’s a funny image, experts say that actual physical destruction of drives is a sure-fire option. Of course, this approach tends to depress the resale value of the machine.
For those of us who failed shop class, here are a couple of examples of the many sites on the Internet that offer advice on how to truly cleanse drives. Simplehelp offers a tutorial on how to use Darik’s Boot and Nuke (DBAN), which promises to wipe all data off the hard drive. With only seven steps, it’s as intense as some other online tutorials. This post at FOSSwire describes a resident program in most Linux and some UNIX distributions called shred. Again, it doesn’t seem overwhelming — especially considering it is Linux-based.
Posted in Compliance Management, Risk Management
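The three-pass overwrite the post above describes (a fixed pattern, its reverse, then random ones and zeros), worked through on a single file as an added example in Python; this is not code from the original post, from DBAN or from shred, and `wipe_file`, `demo` and the card number in the sample data are names and values I made up. It also shows why deleting the directory entry is the last step rather than the first.

```python
import os
import secrets
import tempfile

PATTERN = 0x55   # pass 1 writes 0b01010101, pass 2 its complement 0xAA, pass 3 random bytes
CHUNK = 64 * 1024

def _overwrite(fd: int, size: int, make_chunk) -> None:
    """Overwrite the first `size` bytes of the open file with chunks from make_chunk(n)."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(remaining, CHUNK)
        remaining -= os.write(fd, make_chunk(n))  # handles short writes
    os.fsync(fd)  # flush this pass to the device before the next one begins

def wipe_file(path: str, remove: bool = True) -> list:
    """Three-pass overwrite of a file; returns (pass name, first 16 bytes) for each pass.
    Caveat: this reaches only the blocks the file now occupies; journaling/CoW filesystems
    and SSD wear levelling may keep older copies, hence whole-drive tools (DBAN, shred)."""
    size = os.path.getsize(path)
    passes = [
        ("pattern", lambda n: bytes([PATTERN]) * n),
        ("complement", lambda n: bytes([PATTERN ^ 0xFF]) * n),
        ("random", lambda n: secrets.token_bytes(n)),
    ]
    samples = []
    fd = os.open(path, os.O_RDWR)
    try:
        for name, make_chunk in passes:
            _overwrite(fd, size, make_chunk)
            os.lseek(fd, 0, os.SEEK_SET)
            samples.append((name, os.read(fd, min(size, 16))))
    finally:
        os.close(fd)
    if remove:
        os.remove(path)  # drop the directory entry only after the data is gone
    return samples

def demo() -> tuple:
    """Constructed sample: a file holding a fake card number, overwritten in place."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"card=4111111111111111\n" * 200)  # constructed test data, not a real card
    samples = wipe_file(path, remove=False)
    with open(path, "rb") as f:
        leftover = f.read()
    os.remove(path)
    return b"4111" not in leftover, samples
```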