Saturday, September 4, 2010

Archive for the ‘Security’ Category

Social Media Risks: The Basics

Posted by admin On June - 23 - 2010

by Joan Goodchild, Senior Editor, CSO

You may be a champ at Mafia Wars and Farmville, but what do you know about the security risks of social media sites?

The collaboration and sharing made possible by Web 2.0 technologies also bring along a specific set of risks. In Slapped in the Face: Social Networking Dangers Exposed, security researchers Nathan Hamiel and Shawn Moyer explain how attacks are made easy because of the very nature of these sites, where users can upload and exchange pictures, text, music and other types of information with little effort.

“Social networking sites are meant to get as many users in one place as possible on one platform, and for attackers there’s a lot of return-on-investment in going after them,” Moyer said, describing the climate as a perfect storm of social engineering and bad programming.

In this guide, we outline the many risks posed by social media sites and social networks, and how to keep yourself and others from falling victim to a scam or security hole.


How common are scams and hacks on social networks?

In 2009, Facebook officials announced they had surpassed 300 million users. Twitter claims to have 6 million unique monthly visitors and 55 million monthly visitors. With that kind of reach, it’s not surprising that criminals view these sites as a great venue for finding victims. As a result, security stories about Twitter and Facebook have dominated the headlines in the past 12 months. In one high-profile story from 2009, hackers managed to hijack the Twitter accounts of more than 30 celebrities and organizations, including President Barack Obama and Britney Spears (See: Hackers Hijack Obama’s, Britney’s Twitter Accounts). The hacked accounts were used to send malicious messages, many of them offensive. According to Twitter, the accounts were hijacked using the company’s own internal support tools.

Twitter has also had problems with worms as well as spammers who open accounts and then post links on popular topics that actually link to porn or other malicious sites. Facebook, too, is regularly chasing down new scams and threats.

Both sites have been criticized for their lack of security, but have made improvements in recent months. Facebook, for example, now has an automated process for detecting issues in Facebook users’ accounts that might indicate malware or hacker attempts. The site also recently announced a partnership with security software vendor McAfee aimed at improving security for Facebook users. See: Facebook, McAfee Team on Facebook Security Effort.

What are the most basic risks posed by social media and social networking?


Password sloth is a simple and prevalent mistake by users of social networking sites. As described in Seven Deadly Sins of Social Networking Security, password sloth refers to using the same password on all sites—if that password is discovered via a hack or accidental leak on one site, it provides hackers a way into all the other sites. In a worst case scenario, it might mean a Twitter password hack gives someone the key to your online banking account.

Plain old TMI—too much information. It’s a great idea to let your neighbors know you’re headed out on vacation so they can keep an eye on your house or apartment. It’s NOT a great idea to post those vacation plans on public Internet sites. It’s also not a great idea to freely reveal lots of personal details—your birthday, your town of birth, your family tree—as that information can be used for identity theft.


Your personal brand is another thing to consider in your online interactions.

Don’t engage in “Tweet rage”. Scott Hayes, president and CEO of Database-Brothers Inc., notes that “Posting any content when angry is about as dangerous as sending flaming emails, if not more so. Think twice about clicking ’submit’ because the world may be looking at your angry, immature rant for years.”

That includes present and potential future employers, your parents, your kids, your co-workers. Think before you post.

Another risk to consider is your company’s brand and reputation. Can you be sure your employees aren’t leaking data, either intentionally or unintentionally, on social network sites? Can you be sure they are not disparaging your brand? According to legal expert Michael Overly, new FTC guidelines that went into effect on December 1, 2009, may impose liability on businesses for statements their employees make on social networking sites, as well as personal blogs and other sites, even if the company had no actual knowledge those statements were being made. See Overly’s blog for more information on the new rules.

Then there is a big set of risks that we can put under the general heading of scams. These are active attempts by bad guys to get you to do one of two things:
- Share information you shouldn’t (passwords, sensitive data, company secrets) or
- Click on a link you shouldn’t (because it leads to a website infected with malware).

Give me examples of this type of scam.

In 5 Facebook, Twitter Scams to Avoid and 5 More Facebook, Twitter Scams to Avoid we outline many examples of the types of come-on scammers use, including:

Secret details about Michael Jackson’s death!
People love gossip and celebrity news is always a hit. These scams often claim to have secret information on a celeb and include links that actually lead to malicious sites or that install malware onto a computer.

I’m trapped in Paris! Please send money.
Known as a 419 scam, fraudsters break into Facebook accounts and then message the victim’s “friends” asking for money.

OMG! Did you see this picture of you?
Both Facebook and Twitter have been plagued by several phishing scams that involve a question that piques the user’s interest and then directs them to a fake login screen.


Test your IQ
Facebook members often add quirky applications that allow them to take quizzes and fill out polls. One recently caused members to unwittingly subscribe to a text messaging service that cost approximately $30 a month.

Join State University’s Class of 2013 Facebook group
A college guide book publisher called College Prowler was recently criticized for creating Facebook communities for students in the class of 2013 that appeared to be organized by their college or university, but were not.

Tweet for cash!
This scam takes many forms. “Make money on Twitter!” and “Tweet for profit” are two common come-ons security analysts say they’ve seen lately.

Ur Cute. Msg me on MSN
The sexual solicitation is a tactic spammers have been trying for many years via email, said Graham Cluley, senior technology consultant with U.K.-based security firm Sophos. The updated version of this ruse uses Twitter “tweets” that feature scantily-clad women and carry the message embedded in the image, rather than in the 140-character tweet itself.

Protect your family from swine flu
Bad guys will always take advantage of what is in the headlines, such as the world’s concern over swine flu, to snare unsuspecting users. These days it is even easier for a user to end up clicking on a bad link looking for news because of the prevalent use of the shortened URL (See: New Spam Trick: Shortened URLs).

Mike Smith commented on your post!
Reading friends’ comments is one of the major features of Facebook. But some malicious applications have names such as “Your Photos” and “Post” and begin with a notification that someone has “commented on your post.” Once the user clicks on that notification, they are led to a credential-harvesting site called “fucabook.com” which looks like a Facebook log-in page and asks users to enter their log-in information in order to “enjoy the full functionality” of the application. It steals that log-in information and then spams the victim’s friends.

Amber alert issued!!
This one is not so much a scam as a hoax. Amber alerts are pasted into status updates that turn out to be untrue.

If my company allows access to social media sites, should we have a social media security policy in place?

IANS, a Boston-based research company that focuses on information security, regulatory compliance and IT risk management, surveyed companies in 2008 and found most did not have a security policy in place with regard to social media. But the same survey conducted just a year later in 2009 turned up a dramatic increase. Policies might touch upon appropriate usage of social media and networking sites at work as well as the kind of conduct and language an employee is allowed to use on the sites.

“We saw about a third of the audience now has something in place and another large percentage is considering these kinds of policies,” said Jack Phillips, IANS co-founder and CEO.

Specifically, just under ten percent of respondent enterprises said their social media policy was fully implemented and communicated in 2008. That jumped to 34 percent in 2009, with another third responding that they had either created or implemented a policy for social media use. The takeaway, according to Phillips, is that social media is front and center now in organizations and the discussion is taking place not only among the security team, but within marketing, sales, human resources and even executives.

Phillips believes this is an opportunity for security folks to raise their profile and take part in an important issue from its inception. He gives security pros tips in 4 Tips for Writing a Great Social Media Security Policy. They include:

1. Don’t start from scratch
The media landscape is so dynamic that if you create policy for today’s hot technology, tomorrow it will be obscure. Instead, said Phillips, use this as an opportunity to draw attention to existing policies.

2. Use social media policies to raise security awareness
“This issue is an opportunity for info sec leaders to refocus attention on information security and risk management,” said Phillips.


3. Use social media access to raise security’s positive profile within the organization
While the initial security reaction to new media is often to block, Phillips said most organizations now need to consider that allowing access may be not only necessary, but also useful from an info sec perspective.

4. Be prepared for the next phase
As social media platforms come and go, some will ultimately become commonplace and integral to an enterprise. While creating entire new policies around social media doesn’t make sense right now, at some point, said Phillips, it will become necessary for policies to be more specific.

New scams pop up all the time. How can employees stay on top of these new threats?

The threats posed by social media and social networks are ever evolving, so it’s important to keep users up to date on what the latest and greatest “come-ons” might be as part of a solid security awareness program. In 9 Dirty Tricks: Social Engineers Favorite Pick Up Lines we lay out some of the underlying tactics seen on social networks. And, to help users identify what THEY might be doing wrong, mistakes folks make using social networks are outlined in Seven Deadly Sins of Social Networking Security.

As with many security slip-ups, the mistake, and the lesson that needs to be learned, often goes back to the individual. As Peter Soderling points out in Why a Twitter Hack is NOT a Cloud Security Wake-up Call, many of the hacks that take place on these sites are the result of weak passwords. Check out these tips for How to Write Great Passwords for great advice to give users when it comes to creating secure log-in credentials.


By Joan Goodchild, CSO
June 16, 2010 03:52 PM ET

How many minutes, or hours, did you spend on Facebook today? Even if you spent just a few minutes on the popular social networking site during office hours, you’re not alone. Data from Nucleus Research finds 77 percent of workers who have a Facebook account use it during work hours.

Sports events, online games, and entertainment sites, many of which cross the line between interesting and inappropriate, are all common distractions in today’s office. It’s not that these things are entirely new, but the Web 2.0 era–think social networks, URL shorteners, video sites and more–presents wrinkles that require rethinking acceptable use policies.

iTunes and Facebook: Productivity versus personal use

Studies reveal a great deal of employee internet use is for personal, not professional, reasons. As much as 40 percent of internet surfing done during work hours is personal, according to IDC Research.

This isn’t news to Kevin Quinlan, senior director of IT for restaurant chain Bertucci’s. Quinlan is a realist. His policy is to allow employees six 15-minute slots each day to log on to websites for personal use and fun; that includes Facebook, Twitter, or any other site they want to see (within reason).

“People should be allowed to do what they want on their breaks,” he said. “Coming into the office shouldn’t be a bad thing. I know what I like to do when I’m using my computer. I don’t want to set rules I can’t follow myself.”

Also see The 7 deadly sins of social networking security

Quinlan is one of a growing number of managers who find that new ways of communicating, and younger employees who demand access to varied online content, are redefining acceptable computer use in the workplace. Research from security firm Clearswift found 79 percent of workers in several countries around the globe value being trusted to manage their own time, and being trusted to use the Internet as they wish, over pay. Additionally, 62 percent of employees feel they should be able to access web/social networking content from their work computer for personal reasons in order to complete personal tasks.

In fact, many said they would decline to work at a company with anti-Facebook restrictions.

This creates a dilemma on several levels for organizations. There are the implications for productivity, but also the potential security risks that are posed when employees are given free rein to surf the web as they wish.

For Quinlan, the changing tide arrived a few years ago as the iPod craze took off and he found scores of employees downloading iTunes onto company computers without his consent. Not malicious activity on the part of the employees, he notes, but activity that was messing up his network.

“I had issues with remote users saying ‘Oh, I can’t connect anymore.’ I was trying to chase down the problem and finally discovered some piece of software iTunes was running was knocking out our VPN connection every 15 minutes.”

That launched a new realization for Quinlan, and he started using Bit9’s Parity Suite, a set of products that prevent unauthorized software and malware from running on endpoints, while still allowing workers to have access to a range of web content.

“When we hire folks, they have a session with the network administrator and they sit down and go over what you can do on your computer, what the policies are,” he explained.

Goal! Keeping workers on task through major sporting events

With the World Cup kick-off this month, managers around the globe are bracing for what is expected to be an inevitable drain on productivity. In the U.K., which tends to have many more soccer fans than the U.S., productivity losses tied to the World Cup could total approximately $1.45 billion, according to Chartered Management Institute.

The same story usually gets told every March in the U.S. The annual NCAA tournament rolls around and many offices form betting pools and employees monitor games and statistics from their desks. An annual report from firm Challenger, Gray and Christmas claims employees waste about 20 minutes each workday researching teams online, talking to colleagues about their picks, and watching online and TV broadcasts of the games during work hours.

But it’s not the games that concern Michael Counes, Director of Information Technology & Education for the Hanley Center, a non-profit addiction recovery center in Florida, where patient data privacy is of the utmost importance. Social networks are today’s biggest time suck, but he has so far resisted removing access to them.

“We don’t want to take that away from them. But we don’t want them to spend all day on social media sites. We want them to use it as a tool on their break. If someone is spending all day on Facebook, it’s hard to believe the rest of the job is getting done.”

Also see “Employee monitoring – good for the employee?”

Counes does not block any sites, but uses a product from SpectorSoft called Spector 360 to monitor employee computer activity, which he says can be as granular as logging keystrokes or as broad as a general report of a worker’s internet visits for the month. He has seen a 15-17 percent increase in productivity since he began using the product and employees learned they were being monitored.

“Once you talk to five people in the organization, it’s like a virus,” he said. “People learn that ‘These guys are serious, they really do look at what is going on.’”

Even so, companies find that drawing a hard line isn’t as clear-cut as it used to be. Streaming sports video might be verboten, but what about score updates? If those alerts are outlawed from company PCs, can employees check the scores on their mobile phones? Productivity-wise, is that any different than keeping the sports section in the restroom?

YouTube, URL shorteners, and “gentlemen’s” sites

It’s probably obvious to most that surfing for pornography at work isn’t OK. Despite ever-more-advanced monitoring capabilities, however, porn viewing on the job is still quite common. Research conducted in March by media-information firm Nielsen Co. found that almost 30 percent of employees have visited an adult site using a computer at work; and 20.6 million Americans visited an adult site from a work computer an average of 8.1 times in a month, according to Nielsen.

Other research also bears out the enormity of inappropriate surfing and downloading at work. According to a survey by the American Management Association and the ePolicy Institute, 60 percent of e-mail users admit to having sent e-mail with adult content at work. A survey commissioned by email management company Proofpoint found that a third of office workers claimed to have watched inappropriate content on their office computers.

A government report released earlier this year found many Securities and Exchange Commission employees were found to have viewed pornography at work–while the financial crisis was unfolding. One senior attorney at SEC headquarters in Washington spent up to eight hours a day accessing Internet porn, according to the report.

Counes said despite the monitoring he does, he has seen this kind of activity and needed to take action.

“Not everyone believes you have the ability to do what you say you can do. There have been cases where I’ve intervened in ways of a higher punitive level than a stern talking-to,” he said. “But for the most part it’s been the exception, not the rule.”

Of course, there are many web sites out there that aren’t technically pornographic, but feature material that managers may be less than pleased to see if they walk by a desk and catch a glimpse of the computer screen.

Maxim.com, for instance, bills itself as a site for men that features “hot girls, sexy photos & videos.” Nude-pictures pioneer Playboy is set to launch TheSmokingJacket.com, a site that will exclusively include content that is “safe for work,” according to the advertising.

As for his company, “most managers here feel it’s to be left at home in the gray situations and is not part of Hanley Center mission vision and values,” said Counes.

Even closer to the mainstream, plenty of music videos on YouTube tiptoe on the lines of propriety. Lady Gaga’s videos may be offensive to one employee, but no problem for others–what about slightly less controversial pieces by Beyonce or Miley Cyrus?

Even in the case of obvious pornography, today there is a more realistic chance that an employee might see questionable images unintentionally. Shortened URLs in Twitter tweets and elsewhere obscure the actual destination of the link. Etiquette on social media sites such as Digg dictates that questionable links and images should be labeled “NSFW”, but compliance is less than 100 percent.

It’s also possible to happen upon a malicious site that loads porn images, unbeknownst to the user.
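Because a shortened link hides its destination, one defensive check is to resolve the redirect chain hop by hop, without ever downloading the final page, and compare the destination host against the organization's block list before the link reaches a user. The following is an added example, not code from the article or from any product it mentions; the block-list domains, the `short.test` redirect table and the `.test` hostnames are constructed for the demonstration.

```python
"""Expand a shortened URL by following redirects one hop at a time, without
fetching or rendering the final page, then check the real destination
against a block list. Added example; not code from the article."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Hypothetical block list; a real deployment would load this from the
# organization's web-filter policy rather than hard-code it.
BLOCKED_DOMAINS = {"nsfw-example.test", "malware-example.test"}

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_blocked(host):
    # Match the domain itself and any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def expand_url(url, head, max_hops=MAX_HOPS):
    """Follow redirects from `url` using `head(url) -> (status, location)`.

    Returns (final_url, hops, outcome) where outcome is "ok", "loop" or
    "too_many_hops". Only the Location header is read at each hop, so no
    page body is ever downloaded from the destination."""
    seen = {url}
    current = url
    for hop in range(max_hops):
        status, location = head(current)
        if status not in REDIRECT_CODES or not location:
            return current, hop, "ok"
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in seen:
            return nxt, hop + 1, "loop"
        seen.add(nxt)
        current = nxt
    return current, max_hops, "too_many_hops"


def classify(url, head):
    """Verdict for a link: 'allowed', 'blocked' (destination on the block
    list) or 'suspicious' (redirect loop or too many hops to resolve)."""
    final, hops, outcome = expand_url(url, head)
    result = {"input": url, "final": final, "hops": hops}
    if outcome != "ok":
        result.update(verdict="suspicious", reason=outcome)
    elif _is_blocked(_host(final)):
        result.update(verdict="blocked", reason="destination on block list")
    else:
        result.update(verdict="allowed", reason="")
    return result


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url, timeout=5):
    """Real HEAD request returning (status, Location) for use online."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx responses surface here because _NoRedirect declines them.
        return err.code, err.headers.get("Location")


# Constructed redirect table standing in for live URL shorteners, so the
# example runs offline. The ".test" TLD is reserved and never resolves.
FAKE_REDIRECTS = {
    "http://short.test/a1": (301, "https://news.example.com/story"),
    "http://short.test/b2": (302, "http://hop.test/x"),
    "http://hop.test/x": (302, "https://cdn.nsfw-example.test/img.jpg"),
    "http://short.test/c3": (302, "http://short.test/c4"),
    "http://short.test/c4": (302, "/c3"),  # relative Location, closes a loop
}


def fake_head(url):
    """Offline stand-in for live_head, driven by FAKE_REDIRECTS."""
    return FAKE_REDIRECTS.get(url, (200, None))


if __name__ == "__main__":
    for link in ("http://short.test/a1", "http://short.test/b2",
                 "http://short.test/c3"):
        print(classify(link, fake_head))
```

Swap `fake_head` for `live_head` to run the same check against real shorteners; the hop limit and loop detection keep a malicious chain from tying the checker up.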

“We treat each case individually as an opportunity to educate,” said Counes. “There are lines in the sand like anything else, but most are left to managers’ discretion outside the obvious severe violations.”

Also see CSOonline.com’s Security Tools and Templates page for sample acceptable use policies

At the end of the day, said Counes, he believes most of what employees do is with good intent. Anything they do wrong is usually the result of a lack of knowledge, as opposed to malicious intent. He believes the monitoring he does serves more as an education tool than a “Big Brother” scare tactic, and employees get that.

“As long as you maintain strong education and advocacy, they understand that the bottom line is to serve the client.”

All contents copyright 1995-2010 Network World, Inc. http://www.networkworld.com


Mark Ruquet with National Underwriter writes that oversight of employee Internet use is important to protect an independent insurance agency from computer viruses, legal exposures and time wasting, according to an industry expert.

Chris Borchert, business development executive with iPrevision, made his comments during the 34th annual AMS Users Group meeting, now called Network of Vertafore Users Group (NetVU).

Mr. Borchert, whose firm is an Internet security solutions provider based in Yorba Linda, Calif., reviewed how susceptible today’s producer technology systems are to outside attacks.

He said studies show that employees can spend a lot of work time – as much as two hours of company time – on personal Internet browsing, which can amount to an average of close to $5,500 in lost productivity.

However, many employers may not realize that there are legal liabilities that such activity can expose them to, he said.  Also, activity on these sites can inadvertently expose the company’s network to viruses and malware that can infect a single computer or the entire agency system.


Effective Employee Internet Monitoring

Posted by admin On May - 11 - 2010

In an article from EzineArticles.com, author Frank Hughes writes that many business owners find themselves in the position to confront employees about their Internet use.  Non-work related activities including online games, Internet shopping, stock trading, Internet radio, streaming media and MP3 downloads represent the new temptations in the workplace.

When an employee connects to the Internet, your company is exposed to these four threats:

- Productivity Threats: Just 20 minutes of recreational surfing a day can cost a company with 30 employees over $1000 per week (at $25/hr per employee).

- Legal Threats: Employees can sue if you don’t provide a work environment free of gender and minority harassment.  This means taking reasonable care to block offensive Internet content.

- Network Threats: An employee can crash your network just by logging into the wrong website.  Other activity like recreational surfing and downloading MP3 files can divert valuable bandwidth from critical business needs.

- Security Threats: Viruses enter networks through a variety of sources, such as web-based email, Instant Messenger file transfer, email attachments or through other files directly downloaded from a website.


To ban or not to ban? Social networking in the workplace

Posted by admin On September - 18 - 2009

As more and more people go online to create profiles, share photos, news and gossip with friends and spend hours updating their details and friend lists, organizations are starting to reassess their approach to social networking in the workplace.

What makes social networking on the Internet so popular is the power it gives individuals to create, maintain and expand any number of networks to include family, close friends and people who share a similar interest, profession or hobby.

When used properly and with discretion, social networking can be a valuable resource for businesses looking to expand their visibility or for employees who need to communicate with colleagues. In most cases, it’s also a free service.

It is not uncommon for businesses to use social networking sites to carry out initial background checks on new recruits and as a discreet way to check on what their employees are doing and saying in the public domain.

To ban or not to ban? A recent University of Melbourne study showed that people who use the internet for personal reasons at work are about 9% more productive than those who do not. However, the study fails to factor in a very important element: security. Every action, every minute spent online (and on social networking sites) may expose an organization to numerous security threats. While the subject of productivity increase is debatable, the security issues are not — they are all too real.

Where does that leave businesses?

They have three options.

1. Ban access to social networking sites (and access to Internet as well).

2. Set limits and restrictions on their use

3. Allow unmonitored access

Banning access to social networking sites may be an optimal solution for some organizations, and one can see banks and government departments particularly keen on keeping the status quo. However, many smaller organizations may feel that taking a heavy-handed approach could be counterproductive, indicate a lack of trust in employees (probably justified to an extent) and is too restrictive.

On the other hand, you certainly do not want to give unfettered access to social networking sites; for reasons that will be explained further on. The best option may be to allow access to social networking sites while imposing limits (when these can be used and by whom). Regardless of which option an organization may choose, they must ensure that the basic safeguards are in place:

* up-to-date anti-virus software

* a firewall and the ability to monitor the use of the internet in general

* ability to monitor social networking sites in particular.

The CONCERNS

What is important to note is that social networking sites (e.g. FaceBook) as applications are not a problem per se for organizations. It is the people who use them that are a cause for concern. Social networkers, if one can call them so, are the root of five problems.

PRODUCTIVITY

One reason why organizations are keen on banning social networking in the workplace is the fact that employees spend a great deal of time updating their profiles and sites throughout the day. If every employee in a 100-strong workforce spent 30 minutes on a social networking site every day, that would work out to a loss of 13,000 hours of productivity in one year! Although this may be a generalization, organizations do look very carefully at productivity issues and it goes without saying that 50 hours of non-productive work a day does not go down well with management. When you factor in the average wage per hour you get a better (and decisive) picture.

There is also an effect on company morale. Employees will not appreciate colleagues spending hours on social networking sites (and others) while they are working hard to clear the workload. The impact is greater if no action is taken against the abusers.

RESOURCES

Although updates from sites like FaceBook or LinkedIn may not take up huge amounts of bandwidth, the availability of (bandwidth hungry) video links posted on these sites (or links taking users to sites like YouTube) creates problems for IT administrators. There is a cost to internet browsing, especially where high levels of bandwidth are required.

VIRUSES AND MALWARE

This threat is often overlooked by organizations. Hackers are attracted to social networking sites because they see the potential to commit fraud and launch spam and malware attacks. There are over 50,000 applications available for FaceBook (according to the company) and while FaceBook may make every effort to provide protection against malware, these third-party applications may not all be safe. Some have the potential to be used to infect computers with malicious code, which in turn can be used to collect data from that user’s profile. Messaging on social networking sites is also a concern, and the Koobface worm is but one example of how messages are used to spread malicious code and worms. A worm infection is the last thing an administrator wants to have to deal with!

SOCIAL ENGINEERING

This can result in data or identity theft. Social engineering is becoming a fine art and more and more people are falling victim to online scams that seem genuine. Users may be convinced to give personal details such as social security numbers, employment details and so on. By collecting such information, data theft becomes a serious risk. On the other hand, people have a habit of posting details in their social networking profiles that beggar belief. While they would never disclose certain information when meeting someone for the first time, they see nothing wrong with posting it online for all to see on their profile, personal blog or other social networking site account. This data can often be mined by cybercriminals.

REPUTATION AND LEGAL LIABILITY

Although there have been no major corporate lawsuits involving evidence from social networking sites, organizations need to be observant for employees who may be commenting publicly and talking about their employer. For example, one young employee wrote on her profile that her job was boring and soon received her marching orders from her boss. What if a disgruntled employee decided to complain about a product or the company’s inefficiencies in his or her profile? The legal implications and the damage to the organization’s reputation could both be substantial.

Striking a balance

What is worrying about social networking sites is that they encourage people to give as much information about themselves as possible. Even the most prudent and well-meaning individuals can give away information they should not. At the same time, nearly everyone today (even senior managers) has their own online profile on a social networking site and likes the idea that they can keep in touch with contacts and friends via that interface.

If you are going to allow access to social networking sites there are some basic tips suggested:

1. Restrict access. Give employees a breather and allow them to access social networking sites during their lunch break, before and after office hours. Web filtering software gives administrators the ability to implement time-based access to these and other sites.

2. Educate and train staff. This is very important. Most employees are not aware how their actions online can cause security issues for the organization. Tell them in a language they understand how a simple click on a link they receive or an application they download can result in malware infecting their machine and the network. Additionally, tell them not to click on suspicious links and to pay attention when giving out personal details online. Just because employees are clever enough to have an online profile does not mean they are technically-savvy or that they have a high level of security awareness.

3. Set security and usage policies. Have all employees sign any policies related to the use of the internet at work, access to social networking sites and what they are allowed to say or do during office hours. Monitoring of all web activity is important and employees should be aware that their actions are being recorded and that failure to adhere to company policy can result in disciplinary action and/or dismissal.

Entire Article

David Kelleher is communications and research analyst at GFI.


Big Brother bosses

Posted by admin On September - 18 - 2009

More than ever, companies want to know what their employees are up to

If the workers at Japan’s Keihin Electric Express Railway Company seem unnaturally cheerful for drizzly autumn mornings, it is because they are being watched. The firm has installed cameras with special scanners at 15 of its stations to measure employees’ smiles, ensuring that harried commuters are always greeted with a grin, however forced.

It may seem extreme to Western eyes but it is just one example of a business that is booming: employee monitoring. Companies have long kept a close eye on employees to maintain productivity and guard against theft. But the economic downturn has prompted some to redouble their efforts—and advances in technology have given them the means.

A recent report from Gartner, a consultancy, found that spending on security software rose by 18.6% to $13.5 billion in 2008. The market for security information and event management software (SIEM), which can be used to mine e-mails for keywords and security breaches, grew by 50% according to Gartner. The fastest-growing area is network forensic software, which lets firms record and playback exactly what happens on employees’ computer screens, and can even record keystrokes.

Gartner’s John Pescatore says the software is “like a giant TiVo” or “a security camera pointed at a till in a bank”. This niche doubled in value between 2007 and 2008, from $25m to $50m. Mr Pescatore predicts that the market will jump another 50% by the end of this year.

Companies use this kind of software, for example, to monitor employees who are about to leave, whether through redundancy or choice, to make sure they do not take sensitive information with them. Managers can spot the moment that an embittered salesperson copies a client database onto a flash-memory stick.

Financial-services firms are particularly vulnerable to the enemy within. The case of Sergey Aleynikov, the Goldman Sachs banker accused in July of stealing high-frequency trading software worth millions of dollars to the bank, was an illustration of the huge value of intellectual property that is at risk of going astray.

Companies also use monitoring software to protect employees from themselves. Malicious software often infects a corporate network by exploiting security holes in web browsers to infiltrate a PC when its user visits a dodgy website. Compromised machines can then be linked up to form “botnets” under external control, which are used to send spam e-mails or disable websites with a flood of bogus requests. When Procter & Gamble ran a security check of its 80,000 PCs, it found 3,000 were infected with botnet software.

Another use of employee-monitoring software is measuring productivity. Managers trying to decide who to make redundant can use forensic software to catch that slacking YouTube addict red-handed.

Even workers on the road are not safe from prying corporate eyes. Several start-up companies, such as Purewire and Zscaler, have launched software to monitor employees outside the company network. Workers accessing the internet from hotel rooms using a company laptop may be surprised to find their web browsing is being monitored by the IT department back in the office. Their page requests flow through a web monitoring service, which can block or report access to certain sites.

Monitoring software can also be used to spot “presenteeism”—employees who turn up in the office every day but then do nothing. Peter Cheese, managing director of Accenture’s talent and organisation practice, says that presenteeism has become more common as communications break down between managers and staff in firms that are under financial stress.

But although workforce-monitoring software may provide what seems like useful information, it is no help when it comes to addressing the problems it uncovers. It may also undermine morale and mutual trust. Mr Cheese warns: “If you have to check up on employees all the time, then you probably have bigger issues than just productivity.”

Entire Article

Copyright © 2009 The Economist Newspaper and The Economist Group. All rights reserved.



By Brian Krebs and Ellen Nakashima
Washington Post Staff Writers

The indiscriminate use of a popular online data-sharing technology has led to the disclosure of sensitive government and personal information — including FBI surveillance photos of a Mafia hit man, lists of people with HIV, and motorcade routes and safe-house locations for then-first lady Laura Bush, a congressional panel was told on Wednesday.

The information is often exposed inadvertently by people who download the technology to share music or other files, not realizing that the “peer-to-peer” software also makes the contents of their computers available to other users, experts said.

The issue is so pressing that the chairman of the House Oversight and Government Reform Committee, Rep. Edolphus Towns (D-N.Y.), said he would introduce a bill to ban such software from all government and contractor computers and networks.

“The administration should initiate a national campaign to educate consumers about the dangers involved with file-sharing software,” he said.

Robert Boback, chief executive of Tiversa, a company that scours music- and file-sharing networks on the Internet for sensitive data, said the use of such software is being exploited by foreign governments for espionage and other purposes. “Other countries know how to access this information and they are accessing this information,” he said.

Boback told the committee that Tiversa found FBI surveillance photos of an alleged hit man on the Internet while he was still on trial. The company also found the government’s confidential witness list for that trial, which included the names of some people in the government’s witness protection program. He said the company found the documents while scouring the networks for other data for a client.

Boback, who was asked by the committee not to publicly identify the hit man, said the defendant was recently convicted and sent to prison for life.

“This is not information you want to have out there,” he said.

A spokesman for the FBI said late Wednesday that he did not have enough information to comment on the surveillance photos. The Secret Service said that the motorcade routes and safe-house locations are not classified or top secret. Such data is “not of any value” after an event, said Secret Service spokesman Malcolm Wiley. “And if something like that were to emerge before an event, keep in mind, we’ve got other security countermeasures in place.”

In addition to the list of people with HIV, which included Social Security numbers, Tiversa discovered records with full psychological assessments of patients with conditions such as bipolar disorder.

Alan Paller, director of research at SANS Institute, a computer-security training group, said that health data are a new target of organized-crime groups. Experts say a copy of a medical record can fetch money on the Internet black market.

“This is unbelievably sensitive medical data,” said Deborah Peel, founder of Patient Privacy Rights, a health-privacy advocacy group. “It has people’s names on it from mental-health treatment programs, drug studies. All of these medical files have everything needed for identity theft, the most prominent and frightening consumer issue with electronic systems.”

Towns said he would ask the Federal Trade Commission to investigate whether inadequate safeguards on file-sharing software constitute an unfair trade practice.

Mark Gorton, chairman of the Lime Group, which makes LimeWire, one of the most popular peer-to-peer, or P2P, programs, told the committee that the latest version of his company’s software makes it extremely difficult to accidentally share sensitive documents.

He said that any effort to regulate the industry would be difficult, as LimeWire is one of hundreds of such software providers. “Most creators of P2P applications are not based in the United States, and may not even be corporations,” Gorton said.

The Department of Homeland Security warns that file-sharing technology exposes users’ computers to infection, attack or exposure of personal information. It recommends avoiding the software.

Entire Article



The rise in online video and bandwidth-intensive applications is posing a significant threat to enterprise network bandwidth. Instituting a clear Internet usage policy within your organization will help ensure that network bandwidth resources are used efficiently, improving performance, productivity and the bottom line. Knowledge Center contributor Ermis Sfakiyanudis explains how you can set up reasonable acceptable-use policies, as well as invest in tools that help support those policies.

Regardless of the effect on employee productivity, streaming video stresses a corporate network a hundred times more than does e-mail or Web surfing alone. Streaming video can cause severe problems ranging from slow access to outsourced application services and enterprise e-mail to complete network failure. Bandwidth-intensive applications such as video conferencing and Webinars can have similarly detrimental effects on an organization’s network.

To prevent these network bandwidth problems, there are four specific practices IT can adopt to better prepare and protect their organization:

Practice No. 1: Clearly delineate appropriate workplace Internet usage standards

Enterprises must have policies in place that both outline and even prohibit certain ways staff can utilize the Internet at work. These policies should be readily available for all employees to reference, and they must agree to abide by the guidelines before being allowed on the network. These guidelines should be as clear as possible and include such regulations as:

1. Information technologies are to be used solely for business purposes

2. Employees should not assume that any computer equipment or technologies such as e-mail and data are confidential or private

3. Designated representatives maintain the right to access computer systems and review any information

4. Anyone found in violation of the policy may be subject to disciplinary action—up to and including termination of employment


Practice No. 2: Establish regular communication channels with staff

Education about how corporate network usage can affect an organization is key to any successful Internet policy. Enterprise Internet resources are communal, and employees need to understand that their actions online will affect their colleagues’ access to the network—and possibly their customers’ experience as well.

To ensure that Internet policies are understood, clear communication practices are vital. Managers and IT need to have regular meeting times in which all employees gather together and the appropriate usage of workplace PCs is outlined. Management should openly discuss what employees should and should not be doing online, as well as the appropriate use of other company technologies. These meetings can also be used as a time to reinforce the Internet policy in place and discuss any changes or revisions. This is a good time to go over in detail some of the more crucial aspects of the policy and ensure that any questions are addressed.

Another critical communication channel is between IT and department directors. IT should work directly with the directors of various departments and help them to understand the online activity of their department. The benefit of this communication model is that directors get to better understand how their team is working during the day and IT learns the specific needs of a given department. Ultimately, this helps both groups estimate and allocate bandwidth by department or location, based on need.

Practice No. 3: Determine which employees need the Internet for legitimate work purposes

Being able to allocate bandwidth by person and department is a critical capability for IT staff attempting to work within the limitations of an individual enterprise network. Having an understanding of which employees require more bandwidth to do their job and which may need less is beneficial for several reasons, one of which is in accounting for network resources.

For example, if the bandwidth consumed by the billing department is negatively impacting the marketing department’s online access, there is a problem. The marketing department is much more likely to be legitimately streaming content and downloading video (both very bandwidth-intensive) than the billing department, which likely doesn’t use bandwidth-intensive systems for work purposes.

Examining Internet use by employee and department (as opposed to the company at large) allows managers to evaluate resources using context and role-based usage information. There will always be employees and departments with different bandwidth needs than other staff members and areas of the business. It is essential to both an organization’s productivity and network health to properly identify and plan for those needs.


Practice No. 4: Invest in tools for your network that manage and document Internet Web usage

Once you have outlined a clear acceptable-use policy and understand the bandwidth needs of each department, the next step is to manage usage by utilizing tools to allocate bandwidth tiers by person, department and even Web site. Those departments that have been found to require more bandwidth than others can be given priority access to the available bandwidth. Departments and employees that do not require priority bandwidth can be placed in lower bandwidth tiers so that their network activities do not impact organizational productivity.

Tools available today also enable the whitelisting and blacklisting of Web sites so that mission-critical services get priority bandwidth and Web sites that are not work-related get limited or no bandwidth. For example, Web sites such as salesforce.com or other Web-based applications are whitelisted, while Web sites such as youtube.com may get blacklisted and receive no bandwidth. Managing bandwidth by Web site ensures that available bandwidth is used for work-related Web sites above all others.

IT, human resources and department managers can leverage these capabilities to easily enforce corporate Internet use policies. Several tools even provide alerting and reporting capabilities so that infractions can be identified quickly and documentation of these instances is automated.
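The two controls described above, time-based access to social networking sites (the GFI tips earlier on this page) and allow/deny lists with bandwidth tiers by department (Practice No. 4), are easy to state and easy to get subtly wrong in practice, for instance by matching `youtube.com` as a substring so that an unrelated domain is blocked, or by forgetting that an allowlist entry should cover its subdomains. The following is an added illustration written for this page, not any vendor's filtering product or configuration; the departments, hosts, time windows and tiers are all constructed.

```python
"""Toy web-access policy evaluator (added illustration, not a vendor product).

Order of evaluation: blocklist, then allowlist, then social-site time rules,
then the requesting department's bandwidth tier. All tables are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Decision:
    allowed: bool
    tier: str      # "priority", "standard", "restricted" or "blocked"
    reason: str


# Constructed policy tables. A domain entry matches itself and any subdomain,
# so "youtube.com" covers "www.youtube.com" but NOT "notyoutube.com".
ALLOWLIST = {"salesforce.com", "intranet.example"}   # business-critical, priority tier
BLOCKLIST = {"youtube.com"}                           # no bandwidth at all
SOCIAL = {"facebook.com", "twitter.com"}              # lunch and off-hours only

LUNCH = (time(12, 0), time(13, 0))           # constructed windows
OFFICE_HOURS = (time(9, 0), time(17, 30))

# Departments with a legitimate need for streaming get the priority tier.
DEPARTMENT_TIER = {"marketing": "priority", "billing": "restricted"}
DEFAULT_TIER = "standard"


def domain_matches(host: str, entries: set[str]) -> bool:
    """True if host equals an entry or is a subdomain of one (suffix on a label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in entries)


def in_window(t: time, window: tuple[time, time]) -> bool:
    start, end = window
    return start <= t < end


def social_allowed_now(when: datetime) -> bool:
    """Social sites are reachable at lunch, before/after office hours and at weekends."""
    if when.weekday() >= 5:                  # Saturday or Sunday
        return True
    t = when.time()
    return in_window(t, LUNCH) or not in_window(t, OFFICE_HOURS)


def evaluate(department: str, host: str, when: datetime) -> Decision:
    """Apply blocklist, allowlist, time rules and department tier, in that order."""
    if domain_matches(host, BLOCKLIST):
        return Decision(False, "blocked", "host is blocklisted")
    if domain_matches(host, ALLOWLIST):
        return Decision(True, "priority", "host is allowlisted as business-critical")
    if domain_matches(host, SOCIAL):
        if social_allowed_now(when):
            return Decision(True, "restricted", "social site outside working hours")
        return Decision(False, "blocked", "social site during working hours")
    tier = DEPARTMENT_TIER.get(department.lower(), DEFAULT_TIER)
    return Decision(True, tier, f"default tier for department {department!r}")


# Constructed sample requests: 2009-09-16 is a Wednesday, 2009-09-19 a Saturday.
SAMPLE_REQUESTS = [
    ("billing", "www.facebook.com", datetime(2009, 9, 16, 12, 15)),   # lunch break
    ("billing", "www.facebook.com", datetime(2009, 9, 16, 10, 0)),    # working hours
    ("marketing", "video.example", datetime(2009, 9, 16, 10, 0)),     # priority department
    ("sales", "na1.salesforce.com", datetime(2009, 9, 16, 10, 0)),    # allowlisted subdomain
    ("billing", "notyoutube.com", datetime(2009, 9, 16, 10, 0)),      # must NOT match blocklist
    ("billing", "www.youtube.com", datetime(2009, 9, 16, 10, 0)),     # blocklisted subdomain
    ("billing", "www.facebook.com", datetime(2009, 9, 19, 10, 0)),    # weekend
]


def demo() -> list[Decision]:
    """Evaluate the constructed sample requests in order."""
    return [evaluate(dept, host, when) for dept, host, when in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (dept, host, when), d in zip(SAMPLE_REQUESTS, demo()):
        verdict = "allow" if d.allowed else "deny"
        print(f"{dept:10} {host:20} {when:%a %H:%M}  {verdict:5} {d.tier:10} {d.reason}")
```

The `notyoutube.com` case is the one worth keeping in a regression test: suffix matching must be done on a label boundary, or an allow/deny entry silently applies to unrelated domains. Real filtering products evaluate rules in their own order; the ordering here (deny first, then allow, then time, then tier) is an assumption of this example.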

Entire Article



One of the world’s leading Internet security organizations today warned businesses and governments to prepare for a surge in sabotage, thefts and other cyber-attacks by insiders as disaffected employees retaliate in the wake of the global depression.

New York, NY/ London, UK (PRWEB) May 21, 2009 — The massive web of internet systems on which commerce, finance and government now depend faces insider attacks on an unprecedented scale as alienated victims of the global depression resort to sabotage and fraud for revenge and gain, the world’s leading cyber security organization warned today.
As members of FIRST, the Forum of Incident Response and Security Teams, prepared to gather in Japan for their annual conference, its senior officers joined forces to urge organizations large and small to redouble their vigilance and step-up protection measures, saying that many were ill-prepared for an onslaught which could prove calamitous.

“One of the greatest security threats of our times is from insiders, as organizations lay off tens of thousands of workers,” said Scott A. McIntyre, FIRST steering committee member and representative of the Netherlands-based KPN Computer Emergency Response Team (CERT).
“People know the axe is coming, and the longer employers prolong the swing of that axe the more danger they expose themselves to – either from sabotage or data theft. An employee who thinks he or she is for the chop can start fouling up systems which are critical to the organization, or decide to take an unauthorized pay-off by stealing a mass of data – for example the credit card details of thousands of customers – or do both.”

Fellow steering committee member Yurie Ito, Director of JPCERT/CC, Japan cautioned:
“Don’t think you’re safer once the employee is laid off and outside the wall. A lot of these people know how the systems work – they have the keys to the castle and they know where the secret doors are. Even when companies think they have taken the necessary steps by removing ID and changing passwords these people have the knowledge and skill that means they still pose a threat. They are extremely dangerous.”

London-based Tom Mullen, Security Chief for Telco giant BT, cited a number of precautions which organizations must now take as a matter of urgency.

Exit procedures should be scrutinized and re-scrutinized, especially for employees whose severance was involuntary. “You simply must have thorough exit and monitoring plans in place, and these need to be very specific when you’re dealing with employees who had any kind of access to critical systems or data. You have to make sure that under no circumstances can a departing member of staff take any sensitive information out of the organization.”

Particularly vulnerable to alienated insiders were any organizations which relied on single security systems or electronic systems only.
Security had to be “layered” to prevent any one individual or group getting too far and too extensively inside internal and external networks – and it was crucial that electronic systems were always backed up by physical security and personnel security controls.

“The threat from insiders is simply not the same as the threat that most companies consider when preparing their security and recovery plans,” warned FIRST’s Steering Committee chair, Derrick Scholl.

“Many organizations focus on their entry points and regular recovery mechanisms. How is somebody going to get in, what might they steal, and in the worst circumstances, how to restore from backups if outsiders do break in and crash something.

“Sure, an insider is capable of stealing corporate secrets, or customer lists, or destroying computers, but their potential for harm is far worse. Imagine a software company where an insider has the ability to change code in the product without being detected. What if they can also change the backups, or if the changes aren’t detected until new backups are made?

“What if the insider altered design documents, or tampered with customer orders? Or ripped out hard drives and corrupted systems just as a big corporation was about to issue its quarterly bills to hundreds of thousands of customers?

“It’s a totally different order of threat, and it requires a different way of thinking.”

Interpol is among the latest organizations to sign up as a sponsor for the 21st Annual FIRST conference, which is being staged June 28-July 3, 2009, at the Hotel Granvia, Kyoto Station, Kyoto, Japan.

Vincent Danjean, Chief of Interpol’s Information Security Incident Response Team, will be a keynote speaker. He says Interpol predicts that levels of cyber attacks and attempted frauds will go on increasing.

Peter Allor, who is IBM Internet Security Systems’ Senior Security Strategist, Cyber Incident & Vulnerability Handling, Program Manager Office of the CTO, and FIRST’s director of conference liaison, welcomed Interpol’s decision to join the list of sponsors.

“Right now we’re heading into a dark place where law enforcers and internet security experts are going to have to forget differences of approach and collaborate hard to find a methodology which ends cyber crime fast and still brings criminals to justice,” he said.

At past conferences law enforcers and FIRST teams had admitted that collaboration was being impeded by opposing approaches: the priority for internet security practitioners was to prevent attacks or eradicate them as soon as launched; law enforcers wanted to let attacks unfold so detectives could track down the perpetrators.

“But top figures from law enforcement agencies like the US Secret Service, the FBI, Japan’s police force and Britain’s Serious Organized Crime Agency have told us they can’t mount a real fight against cyber-crime without help from emergency response and security teams, so we’re very happy – and honored – that Interpol are now confirming FIRST’s pre-eminence in the field by coming on board.”

Interpol joins, among others, Cisco Systems, Sun Microsystems, Google, BT, and Hitachi on a sponsors list for 2009 which has attracted more big names than ever before in the 21-year history of the FIRST conference.

“Never has there been such overwhelming support from sponsors at this point in the conference cycle,” said Derrick Scholl. “It shows that during these troubled and threatening times, companies recognize the need to support our vital work in preserving global information security.”

Founded in 1990, FIRST consists of internet emergency response teams from more than 200 corporations, government bodies, universities and other institutions from across the Americas, Asia, Europe and Oceania. It leads the world’s fight-back against cyber-crime, sabotage and terrorism, and also promotes co-operation between response teams and law enforcement agencies.

Entire Article


A March 30, 2009 article by Bobbie Johnson reports that a virus that has infected 10m computers has left experts baffled.

It could be the biggest April Fool’s joke ever played on the internet, or it could be one of the worst days ever for computers connected to the network. Security experts can’t work out whether the Conficker virus – which has infected more than 10m Windows PCs worldwide – will wreak havoc on Wednesday, or just let the day pass quietly.

Experts have worked out that from midnight on 1 April, the Conficker program will start scanning thousands of websites for a new set of instructions telling it what to do next. The infected machines thus comprise one of the biggest “botnets” – a network of “robot” computers – in internet history. And if they were all given a target, such as simultaneously sending search queries to Google or trying to connect to a gambling site, they could knock it offline through the sheer volume of connections – a “denial of service”. Victims usually discover that they have been locked out of their computers or have very slow-running internet connections.

Botnets have been used in the past to generate millions of pieces of spam email and to blackmail gambling sites that need to stay online during sports events with the threat that they will be deluged by “denial of service” attacks.

Careful study of infected machines has revealed that from midnight on Wednesday they will seek new instructions from a randomly generated list of thousands of websites that changes every day. Just one needs to be under the virus writers’ control to turn Conficker into a newly configured botnet – making the task of catching the exact site a search for a needle in a computing haystack.
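The two paragraphs above describe the defender's problem in outline: the list of rendezvous sites is derived from the date, so it changes daily, and only one of the thousands needs to be under the operators' control. The flip side, which is what made "careful study of infected machines" worthwhile, is that a deterministic generator computes the same list for anyone who has recovered it, so responders can precompute a day's candidates in advance and match them against DNS logs to find infected hosts. The following is an added toy illustration written for this page; it is not Conficker's real algorithm, and the seed, domains, client addresses and log lines are all constructed.

```python
"""Toy date-seeded domain list and a log check against it (added illustration).

NOT Conficker's algorithm: a hash of (constructed seed, date, counter) stands in
for whatever a real generator does. The point is determinism: the same date
yields the same list for the malware and for a responder who knows the generator.
"""
from __future__ import annotations

import hashlib
from datetime import date

TLDS = ("com", "net", "org")          # constructed


def candidate_domains(day: str, count: int = 50, seed: bytes = b"toy-seed") -> list[str]:
    """Derive `count` candidate domains for an ISO date string such as '2009-04-01'."""
    day = date.fromisoformat(day).isoformat()    # normalise and validate the date
    out = []
    for i in range(count):
        h = hashlib.sha256(seed + day.encode() + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:10])   # 10 lowercase letters
        out.append(f"{label}.{TLDS[h[10] % len(TLDS)]}")
    return out


def build_sample_log(day: str) -> str:
    """Constructed DNS query log (timestamp, client, queried name) for `day`.

    One client queries three of that day's candidates, another only ordinary names.
    """
    d = candidate_domains(day)
    return (
        f"{day}T00:00:03 10.1.4.22 www.example.com\n"
        f"{day}T00:00:05 10.1.4.22 {d[0]}\n"
        f"{day}T00:00:05 10.1.4.22 {d[1]}\n"
        f"{day}T00:01:10 10.1.7.9 mail.example.com\n"
        f"{day}T00:02:41 10.1.4.22 {d[2]}\n"
    )


def flag_clients(log: str, day: str, threshold: int = 2) -> dict[str, int]:
    """Count queries per client that hit `day`'s candidate list; return clients at or above threshold.

    A threshold above 1 keeps a single coincidental lookup from raising an alert.
    """
    todays = set(candidate_domains(day))
    hits: dict[str, int] = {}
    for line in log.splitlines():
        _ts, client, qname = line.split()
        if qname.lower().rstrip(".") in todays:
            hits[client] = hits.get(client, 0) + 1
    return {c: n for c, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    today = "2009-04-01"
    print("first candidates for", today, candidate_domains(today)[:3])
    print("flagged clients:", flag_clients(build_sample_log(today), today))
    # Yesterday's list is disjoint in practice, so the same log matched against
    # the wrong day's list finds nothing: the check must be run per day.
    print("checked against 2009-03-31:", flag_clients(build_sample_log(today), "2009-03-31"))
```

Two practical consequences follow from the example. Matching has to be done against the list for the day on which the query was made, which means keeping historical lists when reviewing old logs, and a low per-client threshold matters because an infected host that cycles through the whole list produces many misses before (or instead of) a hit, which is itself a strong signal.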

Experts admit that they have little idea of where Conficker might be headed next. “It’s a brave man who puts his neck out like that,” said Graham Cluley, an analyst with internet security company Sophos. “For what it’s worth, we have never seen earlier versions of the Conficker worm downloading a malicious payload.”

Entire Article
