Spam Tops Social Networks for Phishing Threats at SMBs

SpamTitan Technologies, a spam and Web-filtering software maker, revealed that its latest survey of small and mid-size businesses found that when it comes to phishing threats, traditional spam techniques still trump attacks on social networks.

Three quarters (75 percent) of IT managers surveyed say spam is their leading security threat. Did network security measures push phishing attacks from e-mail to social networks such as Twitter and Facebook? Respondents were split; 37 percent agree and 31 percent disagree, saying the rise in threats is a result of the growth of user communities on such sites.

"Clear policies along with improvements in user education and awareness topped recommendations as the best way to beat phishing in all its forms," SpamTitan said in a release.

"Phishing attacks remain a clear and present threat to businesses," said Ronan Kavanagh, SpamTitan's CEO. "There is no evidence to suggest that network security measures are discouraging the number of phishing attacks. It is simply that the arrival of social networking in the workplace has presented phishers with a bigger pond to phish in."

The company says its survey findings are consistent with a report from earlier this year from antivirus vendor Kaspersky Lab, which found that from January through March of this year, Facebook accounted for only 5.7 percent of attacks, putting it behind HSBC, eBay, and PayPal (the trio accounted for over 52 percent of all phishing scams).

The company says the latest release of its product "uses a multi-layered approach" and includes new "malware detection mechanisms" in its scan engine along with "a large set of Phishing signatures, support for SURBLs (Spam URL Realtime Blocklists), and heuristic rule tests." Using its new phishing module, SpamTitan searches for URLs within e-mail messages "and can also detect day-zero phishing e-mails."

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 09/21/2010 at 11:53 AM

IT Out of Touch about Mobile Devices, Survey Finds

A new study from K2 Advisory, Digital Workplace Choices: Preparing for the 2020 Workplace, found that UK employers are impeding productivity by not measuring employee satisfaction with technology devices.

The study of 228 HR, marketing, and customer-engagement professionals in both the private and public sectors concludes that "most ‘millennials’ or ‘echo boomers’ in their 20s are more IT savvy than their Baby Boomer bosses, creating a generational divide of frustration around corporate devices issued to employees." Senior managers, board directors, and CIOs are "distancing themselves from workplace technology and tools," in part because when most employers think of strategic IT, they only think of large servers and enterprise IT infrastructure residing in their offices. What's missing: consideration of the small tech devices employees hold in their hands. The result: enterprises are hindering employee productivity and missing opportunities to improve the competitive advantages of their organization.

The survey revealed that of the 65 percent of enterprises that conduct employee satisfaction surveys, "only about half bother to measure employee satisfaction with their technology devices, despite the dependence on devices and their importance in improving productivity."

The report also highlights how employees working from home and the culture stemming from "always-connected" personal IT devices "are redefining traditional departmental functions and responsibilities."

In what should come as a wake-up call for IT, the survey found that in one-third of the enterprises surveyed, HR, not IT, makes key decisions on policies and training. "With the ‘Crackberry’ culture impacting the health of workers, employees are ignoring rules about using their own phones, netbooks, and laptops, and successful marketing campaigns challenging the ‘locked down’ approach to blocking social media sites at work, IT needs to increase collaboration with HR and Marketing in response to the changing workplace environment," the report said.

Dr. Katy Ring, director at K2 Advisory and the report's author, said, “It’s almost become accepted that corporate laptops and mobile phones are standard issue clunky, outdated pieces of equipment. New styles of working mean new rules. IT should be consulting HR about specific job profiles and take a much more cross-functional and collaborative approach. The one-size-fits-all approach to IT and personal IT devices is at odds with the way the digital workplace is evolving. In many cases, employees know more than their bosses about what they need. The focus needs to be on end user productivity rather than a ‘use what you are given’ approach. As a result, we will see the emergence of more ‘digital allowances’ with employers giving staff a set amount of money to purchase a digital device, in the same way a company car allowance operates. Whilst budgetary constraints will always be a key consideration, there is also a significant opportunity for CIOs to drive fundamental change across the organization through both strategy and leadership.”

The changing workplace was also reflected in the survey, which found that 82 percent of marketers "intend to increase their use of social media within marketing campaigns," and about half of respondents claim their IT department "does not provide the necessary technology to enable them to fully exploit social media for marketing purposes." The survey found that less than half of UK organizations "have no official policy regarding the use of social media sites."

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 09/20/2010 at 11:53 AM

VMworld Survey Highlights Real-World Practices

Results from a survey of attendees at the VMworld Summit last week paint an interesting picture of current virtualization practices -- at least among the 200 participants.

To no one's surprise, 58 percent of conference attendees reported having virtualized at least half of their physical servers; only 39 percent had done so last year. However, virtualization of business-critical applications isn't rising as fast -- only 35 percent of respondents run at least half of such apps on virtual servers, compared to 31 percent doing so in 2009. Holding them back: performance concerns and security were the top IT-related reasons; a lack of company and senior IT leadership support topped business reasons.

The survey also found that two-thirds (66 percent) of those deploying SANs with VMware use Fibre Channel SANs for their primary storage.

One-third of survey takers (34 percent) have implemented a private-cloud architecture; nearly a quarter (23 percent) plan to do so in the next year, but 43 percent have no private cloud plans.

The results show that "companies are increasingly motivated to virtualize applications for cost savings and business agility reasons," Len Rosenthal, vice president of marketing for Virtual Instruments, said in a statement, "but even with all the benefits of virtualization, performance concerns continue to be a significant stumbling block to virtualizing business critical applications, which are inherently I/O-intensive. ... There remains an essential requirement for SAN I/O performance monitoring and optimization solutions that enable companies to virtualize business critical applications with confidence."

One thing's clear: virtualization environments are constantly changing. When asked how frequently changes such as virtual machines were added or deleted, over half (55 percent) said changes occur multiple times each day.

When deciding whether to virtualize critical workloads, 40 percent claim that time to deployment and cost were driving factors. When they do virtualize these workloads, 86 percent of companies consolidate mixed workloads (such as Web and database tasks) and notice greater security risks when they do. Security is the responsibility of the virtual-infrastructure administrators or network operations staff, not security admins, in nearly two-thirds (63 percent) of enterprises.

It's no wonder, then, that over a third (34 percent) put "unified management for physical and virtual network security" at the top of their list of security concerns.

“We’re seeing the majority of enterprises virtualizing their mission-critical workloads concurrently with efforts to find the best way to secure them,” said Johnnie Konstantas, a frequent contributor to ESJ's Enterprise Strategies newsletter and vice president of marketing for Altor, a virtualized data center and cloud security provider. “The responses are at times surprising in that they reveal workloads at great risk as a result of virtualization and organizations earnest in mitigating that risk as soon as possible.”

When it comes to virtualizing an organization's lifeline -- e-mail -- the survey asked if (and which layers of) a company's e-mail infrastructure had been virtualized. Over half (56 percent) of companies have performed the migration; 38 percent said the mail store layer (in MS Exchange and Lotus Notes, among others) was the most frequent component to be moved, followed by e-mail archiving solutions (21 percent) and the gateway filtering layer (18 percent).

What benefits were considered in the migration decision? According to 59 percent of respondents, an increase in server utilization (which improves the efficiency of message delivery) topped the list, followed by high availability/failover support (which ensures message delivery). However, 45 percent said performance/throughput was the top possible limitation they weighed before migrating; security risks came in second.

The good news is that expected benefits from e-mail infrastructure migration are being realized in most cases -- 87 percent said they met or exceeded their goals when it came to improving server utilization and realizing higher availability and failover support.

Stephanie Nevin, Sendmail's vice president of marketing and business development, said the survey was in line with "what many of our Global 2000 customers have experienced when considering moving components of their e-mail infrastructure to a virtualized environment. While many companies are turning to virtualized solutions to cut messaging infrastructure costs and improve operations, they struggle with achieving their messaging virtualization goals because often times the performance and security risks overshadow the potential benefits."

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 09/07/2010 at 11:53 AM

Security Surveys Reveal Scary Stats

In its latest quarterly Web Application Security Trends Report for the first half of 2010, Cenzic reports some frightening statistics on security trends.

Perhaps most troubling for security administrators: 60 percent of Web vulnerabilities the company studied still have no fix available. Also of concern: nearly half (45 percent) of Web vulnerabilities have publicly available exploit code that hackers can easily use in attacks on unpatched Web sites. "Making it worse, almost 1000 Web related vulnerabilities that had no known solution had a public exploit available," the report warns.

Nine out of 10 proprietary applications (those developed in-house using internal or outsourced resources) were vulnerable "with at least Information Leaks types of vulnerabilities," and eight in 10 had Authorization and Authentication vulnerabilities. Nearly seven in 10 (68 percent) had Cross Site Scripting and/or Session Management vulnerabilities.

"Some of the interesting attacks during this period included exploitation of a SQL vulnerability to plant malware on over 100,000 pages and a session vulnerability attack leading to exposure of information of over 100,000 iPad users including the White House ..." the report notes. "Among the published Web vulnerabilities in Commercial Off The Shelf (COTS) software, Cross Site Scripting and SQL Injection again topped the list with 28 percent and 20 percent respectively."

The company says that of 4,019 vulnerabilities reported, two-thirds (66 percent) were related to Web applications (down from 82 percent of all vulnerabilities at this time last year).

In terms of browsers, Opera saw an increase in reported vulnerabilities but still has the fewest among browsers. IE and Firefox improved: Cenzic found 40 vulnerabilities in IE compared to 44 in the second half of 2009; Firefox dropped from 77 to 59 for comparable periods. Safari more than tripled, rising from 25 to 83; Chrome's count also rose, jumping from 25 to 69.

Tough Numbers from Tufin

Tufin Technologies, which bills itself as a "security lifecycle management specialist," today released the results of its yearly Hacking Habits survey that focuses on "how trends in the hacking community impact corporate security teams." It found that nearly three-quarters (73 percent) of security professionals attending July's DEF CON 18 conference "came across a misconfigured network more than three quarters of the time – which, according to 76 percent of the sample, was the easiest IT resource to exploit."

According to a Tufin release, Reuven Harrison, the company's CTO and co-founder, was surprised to find that over half (58 percent) of respondents "also viewed network misconfiguration as being caused by IT staffers not knowing what to look for when assessing the status of their network configurations." Harrison noted that over half of survey respondents work in corporate IT. “The really big question coming out of the survey,” according to Harrison, “is how to manage the risk that organizations run dealing with the complexity that is part and parcel of any medium-to-large sized company’s security operations.”

The report found that 18 percent attribute the misconfiguration to "insufficient time or money for audits;" 14 percent lay the blame in part on "compliance audits that don’t always capture security best practices;" and 11 percent say a contributing factor is threat vectors that change faster than they can handle them.

The biggest threats may come from inside. The report found that 43 percent view "planting a rogue member of staff inside a company as one of the most successful hacking methodologies." Harrison says that "This realization is made worse when you consider that 57 percent of the security professionals we surveyed classified themselves as a black or gray hat hacker, and 68 percent ... admitted hacking just for fun."

Finally, 88 percent of respondents think an organization's biggest threat can be found inside the firewall.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 08/31/2010 at 11:53 AM

Old Meets New: Monitor Mainframes from Your iPad

William Data Systems' z/OS network management suite, ZEN, has been ported to Apple's iPad. The company says the program lets users (typically IT support staff) monitor the performance of z/OS networks in real time.

"IBM continues to future-proof mainframes to maximize the reliability and scalability that millions of users rely on every day, often without realizing what enables their daily transactions. Twenty-first century technology components already contribute to z/OS mainframe capabilities so William Data Systems looked at the mobile user end of the network and decided the current mobile device of choice is an Apple iPad," the company said in a release.

WDS says that "minimal development" was needed for the port, including taking advantage of the iPad's touch screen capabilities.

More information about ZEN can be found on the company's Web site.

-- James E. Powell
Editorial Director, ESJ


Posted on 08/25/2010 at 11:53 AM

What Economic Hard Times?

The hills are alive with the sound of acquisitions.

As we reported, Intel will acquire security software specialist McAfee Inc. for $7.68 billion in cash. Intel said the acquisition will enable the company to provide processor and network-based security. Based on the previous day's closing stock price, Intel is paying a hefty 60 percent premium for McAfee.

Security has also been on the mind of HP, which announced today that it is acquiring security software vendor Fortify Software Inc. for an undisclosed amount. Fortify markets a security remediation suite called Fortify 360.

Meanwhile, Google has acquired Instantiations, an Eclipse-based commercial software tools and services provider. Terms of the deal were not disclosed.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 08/19/2010 at 11:53 AM

Microsoft Monthly Patch Sets Record

Today's set of patches meets or exceeds previous records. The 14 security bulletins -- a record for the number of bulletins released in a month -- correct 34 vulnerabilities (tying the previous record), says Symantec Security Response. Fourteen of the fixes are rated as "Critical."

“The SMB pool overflow vulnerability should be a real concern for enterprises,” notes Joshua Talbot, security intelligence manager at Symantec Security Response, in a release. “Not only does it give an attacker system-level access to a compromised SMB server, but the vulnerability occurs before authentication is required from computers contacting the server. This means any system allowing remote access and not protected by a firewall is at risk.”

“Best practices dictate that file or print sharing services, such as SMB servers, should not be open to the Internet,” according to Talbot, “but such services are often unprotected from neighboring systems on local networks.” He notes that a multi-staged attack could be launched that would "likely start by compromising an employee’s machine via a drive-by download or socially engineered e-mail, and would end by using that compromised computer to attack neighboring machines on the same local network that have the SMB service running."

“This issue affects more than just file servers using the SMB service.” Talbot warns that “Workstations that have enabled file and print sharing are also at risk. Laptops with this configuration that connect to untrusted networks, such as public Wi-Fi, or that allow ad hoc connections could be attacked by neighboring computers. The user could then unwittingly carry their infected system back to the enterprise, opening the door to an organization’s entire network.”

According to Jason Miller, data and security team manager at Minneapolis, MN-based Shavlik Technologies, four of the bulletins should grab an administrator's attention right away.

Two bulletins (MS10-052 and MS10-055) target media files and are rated as Critical. Miller points out that "Opening a malicious media file can lead to remote code execution. Downloading and playing media files is becoming more prevalent today as social interaction is moving to video. This makes these vulnerabilities prime targets for attacks."

Bulletin MS10-056 corrects a remote execution problem in Microsoft Word. According to Miller, "Microsoft Outlook 2007 can also play a part in exploitation. In Outlook 2007, simply opening an e-mail with a malicious attachment can lead to remote code execution. This version of Outlook can be affected by viewing the document in the reading pane as Outlook 2007 uses Microsoft Word as the default email reader. RTF documents are extremely common and are typically not blocked by companies as attachments. We can expect malicious RTF documents in users' e-mail boxes in the coming weeks."

Another remote code execution vulnerability -- this time in Silverlight -- is part of the most important fixes, Miller says. "Microsoft has patched Silverlight in the past, but this patch is more critical than past patches. An attacker only needs to entice a user to visit a malicious [Web site] in order to deliver a payload. The Silverlight install is amazingly easy, so you can assume that a lot of your computers currently have this program installed. I have not heard of any Silverlight exploits, but I expect to see more with the release of this patch."

Miller advises that, due to the size and scope of the fixes, "This large patch month will affect all of your systems, workstations, or desktops. This many patches can increase network bandwidth, increase the time for the system to run each patch, and require reboots. Be sure to take the time and review the bulletin summaries and have a clear plan of a patch attack."

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 08/10/2010 at 11:53 AM

IT Contradictions Abound in Data Management Survey

When it comes to information management, IT's mantra seems to be "do as we say, not as we do." That's one clear message from Symantec's 2010 Information Management Health Check Survey, released this week.

For example, 87 percent of respondents agree that a formal information retention plan is valuable, but fewer than half (46 percent) have a formal plan in place. The plan at many organizations is "keep everything indefinitely."

What's getting in their way? It depends on whom you ask.

In companies with no information plans, 41 percent of IT employees say they don't see a need for it, and nearly a third (30 percent) say no one has been given the responsibility. Cost is a factor for 29 percent of IT respondents; 22 percent say time is the issue, and 14 percent say they lack the expertise needed to build such a plan. For the legal department, cost is a factor for 58 percent of respondents, followed by a lack of expertise (48 percent), unassigned responsibility (40 percent), time (23 percent), and lack of need (20 percent).

Symantec says a common obstacle is analysis paralysis. Enterprises are unsuccessful in determining what tools they need and what information should be retained (as well as for how long), but they fear mistakenly deleting data, so they keep everything "while they try to formulate an effective information retention plan." The trouble is that while creating these policies, "organizations often delay implementation of an archive thinking they have to get everything right before they proceed. In reality, getting control of information can help an organization make informed retention decisions. In addition, once the policies are finalized, they can be applied to the information in the archive, efficiently and simply automating the process."

Symantec says most organizations lack functional policies "for the retention and expiration of electronically stored information such as e-mail, instant messages, Microsoft SharePoint libraries, Microsoft Personal Storage Table (PST) files, Lotus Domino files, and file share data." It's no wonder, then, that e-discovery requires them to search all locations where data might be stored, adding to the cost and risk of the process. "Provisions in the Federal Rules of Civil Procedure provide a limited “safe-harbor” for organizations that can show the routine and good faith operation of an electronic information system if preservation practices are challenged. With the current volume of electronic information stored by most organizations, an automated process for the collection and eventual expiration of information is critical for both routine storage management and e-discovery," the company points out.

Among the survey findings: 75 percent of backup storage is in an "infinite retention" or "legal hold" backup set, and one out of every six files is archived forever. Enterprises admit it's not the best policy: one-quarter of the backed up data isn't needed and probably need not be retained, respondents estimate.

Part of the problem is that companies aren't properly applying legal-hold procedures, which respondents say accounts for 45 percent of their backup storage. Worse: 70 percent of enterprises "use their backup software to achieve legal holds and 25 percent preserve the entire backup set indefinitely."

The survey found that almost half of enterprises surveyed are "improperly using their backup and recovery software for archiving," and that although 51 percent don't allow employees to create their own archives (on their own systems or on shared resources), 65 percent admit that their employees do it anyway.

Symantec told Enterprise Strategies that enterprises "are also misusing their backup, recovery, and archiving practices. Our survey found 81 percent routinely perform backup restores for their end users, increasing the chances that a court may find backup sets are accessible for discovery. Using archiving for discovery and backup for recovery provides an organization immediate access to its most pertinent information while allowing it to backup less."

The result of this mismatch between "what we should do" and "what we do," says Symantec, is that enterprises "suffer from rampant storage growth, unsustainable backup windows, increased litigation risk, and expensive and inefficient discovery processes." In addition, the report concludes, "storage costs are skyrocketing as over-retention has created an environment where it is now 1,500 times more expensive to review data than it is to store it, highlighting why proper deletion policies and efficient search capabilities are critical for enterprise organizations."

“Infinite retention results in infinite waste. Enterprises see the value of a solid information management plan, but too many still follow the outdated practice of keeping everything forever,” said Brian Dye, vice president of product management at Symantec's information management group. “The sheer volume of data is growing exponentially, so trying to keep everything consumes large amounts of storage space and demands too much of IT's resources. As a result, businesses spend more time and money addressing and fixing the negative consequences of poor information management and discovery practices than they would by working to prevent them.”

To get back control over data, Symantec recommends enterprises stop using backup as an archive and legal-hold mechanism. "Backup is intended for disaster recovery, archiving is for discovery. Enterprises need to retain a few weeks of backup (30 - 60 days) and then delete or archive data in an automated way thereafter." By properly using backup for short-term and disaster recovery, "enterprises can [back up] and recover faster while deleting older backup sets within months instead of years. That’s a huge amount of storage that can be confidently deleted or archived for long-term storage."

Automatic administration is among Symantec's recommendations. "Enterprises should also develop and enforce information retention policies (what can and cannot be deleted, and when) automatically. Courts are more supportive of automated, policy-driven deletion than of ad hoc, manual deletion."

The company also recommends using a "full-featured archive system to make discovery as efficient as possible. Companies can then search for information more quickly -- and with more granularity than they would in a backup environment," thereby reducing "the time and cost it takes to evaluate litigation risk, resolve internal investigations and respond to compliance events."

The survey, conducted in June, drew responses from 1,680 senior IT and legal executives from 26 countries. It can be viewed here; registration is not required.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 08/05/2010 at 11:53 AM