Tuesday, October 30, 2012

Symantec: Internet Security Threat Report 2012

Comprehensive report from Symantec, worth reading!

Spam, phishing and malware data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts, among others. Over 8 billion email messages and more than 1.4 billion web requests are processed each day across 15 data centres.

Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and over 50 million consumers.

Download: Symantec Internet Security Threat Report (registration may be required).

Tuesday, October 23, 2012

FBI Warns of Mobile Malware Risks

Android Devices Hit by Two New Trojans

The Federal Bureau of Investigation has issued a consumer alert warning of malware attacks against mobile devices that run the Android operating system. Trojans pose serious risks for any personal and sensitive information stored on compromised Android devices, the FBI warns.

But experts say any mobile device is potentially at risk, because the real problem is malicious applications, which an open app ecosystem cannot fully control. And wherever malicious apps circulate, so does the potential for financial fraud.

Two Trojans

The alert from the Internet Crime Complaint Center, a unit of the FBI, addresses two new Android Trojans known as Loozfon and FinFisher.

Recent attacks showed Loozfon has the ability to steal a mobile user's phone number as well as contact details. In one type of Loozfon attack, unsuspecting consumers were lured in by advertisements promoting fraudulent work-at-home opportunities.

The alert does not specify how those ads were promoted, whether through e-mail, SMS/text or both. But the FBI warns that links within the ads lead to websites designed to push Loozfon onto users' devices.

FinFisher, on the other hand, is spyware that targets Android smartphones, hijacking specific components so that attackers can remotely control and monitor a compromised device regardless of its location. The spyware is delivered to a phone when the user clicks a malicious web link or opens an SMS message sent directly to them, usually one falsely claiming to link to a system update, the FBI states.

Bad Rap for Android?

The Android operating system is not the cause of the problem; it is the openness of the app marketplace that allows malware to run rampant, not the Android OS itself. This is one of the first consumer-focused, security-oriented lists for mobile I've seen. That's a good thing, but it is also a pretty definite signal that security is becoming a problem.

Until the mobile industry can figure out a way to better control or vet readily available apps, mobile malware concerns will mount. I'm not saying there should only be one store, but there does need to be some sort of reputational measure, akin to what SSL [secure sockets layer] site certificates can help provide.

Saturday, October 20, 2012

Social Media: Addressing Risk

A Refresher on the Risks, Mitigation Strategies

The biggest social media concern for risk managers is the potential reputational impact on the organization. Reputational risk arises in two areas. One is the company's own social media activity, which tends to be less regulated and controlled at the corporate level than communications that go through traditional public relations and advertising channels.

The other is public discussion about the organization via social media, whether true or not. It could be a rumor or it could be a fact, but either way it can spread like wildfire.

To mitigate the risks, an organization first and foremost needs to develop a social media policy. [The company] has to be able to control what comes out of the company through its official social media channels. The policy should designate who may speak about the company and on what topics.

Guidelines should also remind employees that their statements can reflect on the company, and that they should be cautious in their own activities on platforms like Facebook, Twitter and LinkedIn.

Organizations also need to monitor social media to stay aware of public attitudes towards the company and of what is being said, and they need a plan in place to respond if an incident results in a negative issue being communicated via social media.

Monday, October 15, 2012

Tips for IT Security Auditing

How to conduct an effective IT security audit?

As an information security professional, it is your responsibility to protect and sustain the enterprise’s information assets from all types of threats. One way to enhance the security posture of your enterprise is to leverage the expertise of a security auditor to help find and fix the worst problems in your security infrastructure.

You may be thinking, "Why would I want to invite a security auditor to help me find my greatest weaknesses?" No one relishes an audit, which often seems to involve people poking around and looking for holes in the network or systems.

However, a thoroughly conducted audit, with appropriate risk-based scoping, can keep you from having to report to your management or board that a data breach happened on your watch.

In most enterprises, the information security and audit functions are involved with protection and sustainment of important organizational assets. The information security function has the primary responsibility for establishing and maintaining a cost-effective and robust security program.

The audit function, whether internal or external, provides an independent review and analysis of the program. Here are some considerations for participating in and preparing for an IT security audit:

  • Remember that audits are opportunities to improve the security program, not a personal indictment of security practices. Taking the initiative to request a thorough audit of your security shows management that you are willing to do what is best for the enterprise. It can also help you get additional budget to address serious areas of risk.
  • Receive from the audit team an audit plan outlining the purpose, scope and approach to the audit. If you are the requestor of the audit, you have an opportunity to provide input on what areas of focus you think are most at risk.
  • Conduct a review of the current security policies, standards and guidelines, and make sure you understand how those policies are implemented in operation. Often, there are conflicts in the way policies are implemented, especially when relying on technology alone, and an audit can pinpoint the gaps.
  • Collect, document and organize the procedures and processes that your staff follows to perform their duties. You may find that lack of consistency in performing the processes results in unacceptable variance in the way that certain security controls are implemented.

Security audits should not be limited to technology testing, penetration testing or exploiting vulnerabilities, but should provide an accurate analysis of the risk areas that pose the most danger to the enterprise. A thorough security audit is about regular and consistent validation and verification that the security program is effective in doing what it is designed to do: protect and sustain the enterprise’s critical assets.

Source: ISACA

Thursday, October 11, 2012

Key Qualities of Good Leadership During Bad Times

How to be a good crisis manager?

This is a difficult question for a business continuity practitioner to ask, because generally they will be asking it of a senior executive or even the CEO, who is unlikely to believe they are anything less than excellent.

There are some aspects to a crisis which differ from day-to-day management. Unlike managing commercial and operational challenges, in a crisis the route map to follow is often unclear and the consequences of failure much more serious.

A wrong decision can damage the reputation of a company beyond repair. Who now remembers what a strong and influential company Arthur Andersen once appeared to be? It failed not because it had a bad business model, but because in one situation it failed to take control of the crisis that eventually engulfed it. However, just because you cannot predict the exact nature of a crisis does not mean you cannot prepare for it.

Because a crisis is usually so serious, top management often plays the leading role in dealing with external stakeholders, including the media. This is good in that it shows the organization is taking the matter seriously, but bad if that leader is ill-prepared.

A crisis is too urgent for a consensus, debating style of leadership, but conversely the biggest danger can be over-confidence. Often top managers are dealing with circumstances in which they do not know what plans or capabilities are available (or at least not their details), what the latest information is on cause and effect, and what is actually happening "on the ground."

The two crucial elements needed to make decisions are situational awareness and up-to-date information. It is too late to work out how to get that information once the crisis has happened, so a way of monitoring potential problems needs to be running constantly. Even so, when the crisis erupts, managers can still fail if they are not perceived as being "on top of the situation."

Some ways in which they can show this level of leadership are:

  • Always tell the truth based on the facts that are available.
  • If you don't know answers to a question, explain why and when you might know.
  • Always follow up on what you promise.
  • Do not delay making decisions and taking action; delay almost always makes things worse and is seen as drifting.
  • Concentrate on protecting reputation, not necessarily minimizing short-term financial loss.
  • Ensure proper processes and systems are in place so that situation changes can be constantly monitored and responses modified as appropriate.
  • Communicate with all stakeholders, regularly and often.
  • Make sure technical mechanisms are in place and the correct people are involved.
  • Ensure that internal and external messages are consistent.
  • Do not tell the media one thing and staff something different.

Wednesday, October 10, 2012

China Gets Serious about Grid Security

China announced plans for a massive increase in smart grid security spending in an effort to contain the risks that may arise from its aggressive smart grid expansion.

What happened

Fears that its rapidly expanding electricity infrastructure may be vulnerable to cyber attack prompted China to announce plans for a staggering increase in smart grid security spending. Grid defense spending is forecast to grow from US$1.8b in 2011 to US$50b by 2020, a compound annual growth rate (CAGR) of almost 45%.

Background

A new report by the business analysts at GlobalData describes China's smart grid security situation as an anomaly, given the scale of expenditure compared with other regions. For example, Europe and North America combined are predicted to spend a comparatively modest US$16b on grid cyber security over the same forecast period.

But to put things in perspective, the GlobalData research also offers these observations on China's grid security policy:
  • China has a strained relationship with a number of nations in relation to cyber security.
  • The United States, in particular, has on several occasions accused Chinese hackers of attempting to breach its power systems.
  • China fears that these accusations may have fostered an environment of mistrust which could lead to retaliatory cyber attacks on its own power infrastructure.
  • China continues to experience rapid urbanization and is expanding its smart grid, which directly increases its exposure to cyber attacks.
And let us not forget the Stuxnet computer worm discovered in 2010. Stuxnet targeted industrial control systems rather than a power grid as such, but it is arguably the most dramatic demonstration so far that the kind of control systems modern grids depend on are vulnerable to deliberate cyber attack.

According to Global Data, “the worm focused on 5 Iran-based organizations and was believed by many to be a deliberate attempt to disrupt the Iranian nuclear power program.”

Serious threats to securing the grid

A Pike Research 4Q 2011 report, entitled Utility Cyber Security: Trends to Watch in 2012 and Beyond, identified the following threats to power grids everywhere:
  • One size doesn't fit all: cyber security investments will be shaped by regional deployments. As an example, consider smart meter saturation in the US versus EV adoption rates in the Middle East.
  • Industrial control systems, not smart meters, will be the primary cyber security focus. Here, they refer to control systems such as transmission upgrades, substation automation, and distribution automation.
  • Assume nothing: "security by obscurity" will no longer be acceptable. Taking the Stuxnet worm as the example, assume attacks are a probability and not merely a possibility.
  • Chaos ahead?: The lack of security standards will hinder action. Agreed industry standards are still lacking.
  • Aging infrastructure: older devices will continue to pose challenges. While modern advanced metering infrastructure (AMI) devices have built-in cyber security, many supervisory control and data acquisition (SCADA) systems are older and have no built-in security features.
  • System implementation will be more important than component security. Cyber security has to protect the system as a whole, and attackers look for holes between the components.

Monday, October 8, 2012

When will universities take SECURITY seriously?

Hackers Breach 53 Universities and Dump Thousands of Personal Records Online

Hackers published online Monday thousands of personal records from 53 universities, including Harvard, Stanford, Cornell, Princeton, Johns Hopkins, the University of Zurich and other universities around the world. The group of hackers, calling themselves Team GhostShell, claimed responsibility for the attack on Twitter and published some 36,000 e-mail addresses and thousands of names, usernames, passwords, addresses and phone numbers of students, faculty and staff, to the Web site Pastebin.com.

In most cases the data was already publicly available, but in some instances the records included additional sensitive information such as students’ dates of birth and payroll information for university employees. Typically, hackers seek such information because it can be used to steal identities, crack bank accounts or can be sold on the black market.

Universities make ripe targets because they store vast numbers of personal records, often in decentralized servers. The records can be a gold mine because students often have pristine credit reputations and do not monitor their account activity and credit scores as vigilantly as adults. Dozens of universities have been plagued by breaches recently.

Last August alone, the University of Rhode Island warned students and faculty that their information may have been exposed. And at the University of Arizona, a student discovered a breach after a Google search exposed her personal information, and that of thousands of others at the university. Smaller computer breaches at Queens College and Marquette University were also reported.

In this case, the hackers said they were not motivated by profit but to “raise awareness towards the changes made in today’s education.” In a message accompanying the stolen data, they bemoaned changing education laws in Europe and spikes in tuition fees in the United States. But they also noted that in many cases, the servers they breached had already been compromised. 

“When we got there, we found that a lot of them have malware injected,” the hackers wrote on Pastebin. To breach the servers, the hackers used a technique known as SQL injection: a web application passes user-supplied input straight into a database query, so crafted input changes the meaning of the query and can make the database return rows, or whole tables, it was never meant to expose.
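The injection pattern described above, as an added example that is not taken from the GhostShell postings or from any university system: a Python lookup against an in-memory SQLite table in which the username is spliced into the query text, beside the parameterised form. The table, its rows and the payload strings are constructed for illustration.

```python
"""SQL injection: vulnerable string-built query beside the bound-parameter fix.
Added example; the schema, rows and payloads are constructed, not real data."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build a small staff directory in memory (constructed sample rows)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE staff (username TEXT, email TEXT, password_hash TEXT)"
    )
    con.executemany(
        "INSERT INTO staff VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.edu", "hash-alice"),
            ("bob", "bob@example.edu", "hash-bob"),
            ("carol", "carol@example.edu", "hash-carol"),
        ],
    )
    return con


def find_user_vulnerable(con: sqlite3.Connection, username: str) -> List[Tuple]:
    """The flawed pattern: the caller's input becomes part of the SQL text,
    so quotes, OR clauses and UNIONs in the input are parsed as SQL."""
    sql = f"SELECT username, email FROM staff WHERE username = '{username}'"
    return con.execute(sql).fetchall()


def find_user_safe(con: sqlite3.Connection, username: str) -> List[Tuple]:
    """Parameterised query: the input is bound as a value, never parsed."""
    sql = "SELECT username, email FROM staff WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


# Constructed payloads of the two classic kinds used to dump a table.
# 1. A tautology makes the WHERE clause true for every row.
TAUTOLOGY = "x' OR '1'='1"
# 2. A UNION appends a second SELECT; "--" comments out the trailing quote,
#    so the lookup returns the password_hash column instead of emails.
UNION_DUMP = "x' UNION SELECT username, password_hash FROM staff --"


if __name__ == "__main__":
    db = make_db()
    print("normal   :", find_user_vulnerable(db, "alice"))
    print("tautology:", find_user_vulnerable(db, TAUTOLOGY))
    print("union    :", find_user_vulnerable(db, UNION_DUMP))
    print("bound    :", find_user_safe(db, UNION_DUMP))
```

With the vulnerable function the tautology payload returns every row and the UNION payload returns every password hash, which is exactly the "dump its contents" outcome the article describes; the parameterised function returns nothing for both, because the same strings are matched as literal usernames. Binding parameters is the fix; escaping by hand is not. Note also that binding does nothing to limit damage once an injection exists elsewhere: if the application's database account can read every table, one flaw exposes all of them, which is a least-privilege question for the database account rather than the query.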

In the case of some universities, the hackers breached multiple servers. At colleges across the country, some students set up sites that allowed students and faculty to search the leaked data for their information. For instance, at the University of Pennsylvania, Matt Parmett, a junior, created a Web site that made it possible for classmates to search the leaked data by name.

Saturday, October 6, 2012

It's your responsibility to protect your data on Facebook!

Marketers are Dying for Your Facebook Data

...and Facebook wants to help them get it. In fact, the social network giant -- now under pressure from stockholders to produce revenue -- has developed new functionality designed to help advertisers better find you on Facebook.

So long as you have voluntarily given your phone number or email address to a company, that company can now use it as a means for searching and locating you on Facebook.

Be sure to check and update your settings on Facebook (and other social sites), as new functionality is added frequently, undermining whatever assumption of privacy you had online. Speaking of Facebook, be aware of another change that could result in your emails being sent to Facebook.

In June, Facebook changed everyone's email address visibility settings to hide the email addresses we purposefully shared with friends, leaving just the @facebook.com addresses.

For people who did not change this back, and for people using the new iPhones running iOS 6, this can result in contacts' preferred email addresses being replaced by @facebook.com addresses, and in sensitive messages ending up stored on Facebook's systems (a far-from-secure place to keep email).


Friday, October 5, 2012

Facebook applications are not always safe!

Apps Dressing Up as Innocent Fun

Many people mistakenly believe that any application found on Facebook has been vetted by Facebook, and is therefore safe. False.

As this article on Facecrooks points out, anyone can create an app for publication on Facebook. Facebook users are also guilty of clicking through the permission screen, potentially missing key information on how the application's developers plan to use their Facebook data (for those apps that actually provide such information).

Take the time to read these screens thoroughly before clicking OK. If an app does not say how it will use your information, then don't install it; it's just not worth the potential problems, no matter how much fun the app sounds.

Wednesday, October 3, 2012

How much do you care about your privacy?

Apps Come Back to Haunt You

Can you count your apps on one hand? Two? As smartphones have found their way into more pockets and purses, the tendency to become "app happy" has struck more than one consumer.

Often people will download an app, enter their personal information, allow it to track and store their location, purchasing behavior, even account numbers, and then forget all about it. Meanwhile, the application runs in the background gathering (and potentially sharing with third parties) the private and personal details of their lives.

Have you set an app to auto-broadcast your location to a social network? Here's hoping you remember that before you arrive at the amusement park on a "sick day." Does that pizza place auto-fill your credit card number when you order a pie online? That's one lucky thief who gets hold of your smartphone. Make it a practice to review your apps often.

A good time to do this is now: delete the ones you are not using. A friend of mine was surprised to find she had accumulated over 200! Then check again whenever an app asks you to download an update.

As those notices come in, don't just ask yourself if you'd like to update (which is an important step, as many apps improve their security and privacy standards with these updates); also ask yourself if that's truly an app you need to have on your smartphone, laptop or any other type of computing device you use.

Monday, October 1, 2012

NIST Issues Access-Control Guidance

Guidelines for Access Control System Evaluation Metrics

The National Institute of Standards and Technology has released an interagency report, Guidelines for Access Control System Evaluation Metrics, which provides background information on access-control properties.

NIST says the guidance, NISTIR 7874, aims to help access control experts improve their evaluation of the highest-security access-control systems by discussing the administration, enforcement, performance and support properties of the mechanisms embedded in each access-control system. The new report extends NISTIR 7316, Assessment of Access Control Systems, which covers the fundamental concepts of policy, models and mechanisms of access-control systems.

Why is this guidance important?

NIST explains: Adequate security of information and information systems is a fundamental management responsibility. Nearly all applications include some form of access control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system.

Access control is concerned with how authorizations are structured; in some systems, complete access is granted after successful authentication of the user, but most systems require more sophisticated and complex control. Access-control system planning consists of three primary abstractions: Policies, models and mechanisms.

According to NIST, policies are high-level requirements that specify how access is managed and who may access information under what circumstances. At a high level, access-control policies are enforced through a mechanism that translates a user's access request, often in terms of a structure that the system provides.

Access-control models bridge the gap in abstraction between policy and mechanism. Rather than attempting to evaluate and analyze access-control systems exclusively at the mechanism level, access-control models are usually written to describe the security properties of an access-control system.
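To make the policy/model/mechanism split concrete, here is an added example in Python; it is not code from NISTIR 7874 or NISTIR 7316, and the roles, record kinds and users in it are constructed. The policy is plain data, the model is role-based with an ownership scope (one of many models the reports cover), and the mechanism is a default-deny check that every read and write of a small record store passes through, logging each decision for audit.

```python
"""A minimal reference monitor: policy as data, an RBAC model with an
ownership scope, and a default-deny mechanism that mediates every access.
Added example, not NIST's code; roles, record kinds and users are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# --- Policy: who may do what to which kind of record, and at what scope.
# "own" limits the rule to records the subject owns; "any" does not.
POLICY: Dict[str, FrozenSet[Tuple[str, str, str]]] = {
    "student":   frozenset({("read", "transcript", "own")}),
    "registrar": frozenset({("read", "transcript", "any"),
                            ("write", "transcript", "any")}),
    "payroll":   frozenset({("read", "payslip", "any"),
                            ("write", "payslip", "any")}),
}


# --- Model: subjects carry roles; resources carry a kind and an owner.
@dataclass(frozen=True)
class Subject:
    name: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    kind: str    # "transcript", "payslip", ...
    owner: str   # the user the record is about


# --- Mechanism: a default-deny decision consulted on every request.
def is_allowed(subject: Subject, action: str, resource: Resource) -> bool:
    """True only if one of the subject's roles grants (action, kind) and the
    scope condition holds; anything not explicitly granted is denied."""
    for role in subject.roles:
        for granted_action, kind, scope in POLICY.get(role, frozenset()):
            if granted_action != action or kind != resource.kind:
                continue
            if scope == "any" or resource.owner == subject.name:
                return True
    return False


class RecordStore:
    """Storage whose only read/write paths go through is_allowed, with an
    audit trail of every decision (allowed or not)."""

    def __init__(self) -> None:
        self._records: Dict[Resource, str] = {}
        self.audit: List[Tuple[str, str, Resource, bool]] = []

    def _mediate(self, subject: Subject, action: str, resource: Resource) -> None:
        ok = is_allowed(subject, action, resource)
        self.audit.append((subject.name, action, resource, ok))
        if not ok:
            raise PermissionError(f"{subject.name}: {action} {resource} denied")

    def write(self, subject: Subject, resource: Resource, value: str) -> None:
        self._mediate(subject, "write", resource)
        self._records[resource] = value

    def read(self, subject: Subject, resource: Resource) -> str:
        self._mediate(subject, "read", resource)
        return self._records[resource]


def run_scenario() -> List[Tuple[str, bool]]:
    """Constructed walk-through; returns (label, allowed) for each request."""
    alice = Subject("alice", frozenset({"student"}))
    bob = Subject("bob", frozenset({"student"}))
    reg = Subject("reg", frozenset({"registrar"}))
    store = RecordStore()
    requests = [
        ("registrar writes alice's transcript", reg, "write",
         Resource("transcript", "alice"), "A"),
        ("alice reads own transcript", alice, "read",
         Resource("transcript", "alice"), None),
        ("bob reads alice's transcript", bob, "read",
         Resource("transcript", "alice"), None),
        ("alice reads own payslip", alice, "read",
         Resource("payslip", "alice"), None),
        ("registrar reads a payslip", reg, "read",
         Resource("payslip", "alice"), None),
    ]
    outcomes: List[Tuple[str, bool]] = []
    for label, who, action, res, value in requests:
        try:
            if action == "write":
                store.write(who, res, value)
            else:
                store.read(who, res)
            outcomes.append((label, True))
        except PermissionError:
            outcomes.append((label, False))
    return outcomes


if __name__ == "__main__":
    for label, ok in run_scenario():
        print(f"{'ALLOW' if ok else 'DENY ':5} {label}")
```

The point of keeping the three pieces separate is that the policy can be reviewed (and changed) without touching the mechanism, the model says what the policy's terms mean, and the mechanism's properties, such as default deny, complete mediation and a decision log, are what the NIST metrics for enforcement and administration are measuring.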

These systems come with a wide variety of features and administrative capabilities, and their operational impact can be significant. In particular, NIST says, this impact can pertain to administrative and user productivity, as well as to the organization's ability to perform its mission. It's reasonable to use quality metrics to verify the mechanical properties of access-control systems.

The publication provides metrics for the evaluation of AC systems based on these features:

  • Administration, the main consideration of cost;
  • Enforcement capabilities, the requirements for access-control applications;
  • Performance, a major factor for access-control usability; and
  • Support, functions allowing an access-control system to use and connect to related technologies so as to enable more efficient integration with network and host services.

"Because of the rigorous nature of the metrics and the knowledge needed to gather them, these metrics are intended to be used by access-control experts who are evaluating the highest security access-control systems," the authors of the report write.