CIOs Optimistic but Cautious about the Cloud

An independent survey of nearly 350 CIOs’ and IT executives’ attitudes about cloud adoption, trends, value, and challenges reveals strong optimism about current and future benefits of cloud computing.

Survey participants believe the “adoption of cloud technologies is good for business” (92 percent), though IT executives are more enthusiastic than are IT managers. Participants believe the technologies help IT deliver better systems for less money (the familiar “value” proposition -- at 67 percent), and “SaaS applications give business stakeholders more ownership of key applications” (62 percent).

Despite that optimism, rollout of cloud technologies is still somewhat slow, Host Analytics, the survey’s sponsor, points out. “Only 31 percent described their systems as primarily cloud-based at this time,” while 69 percent say their company “still work[s] primarily with on-premise applications.” For those enterprises where cloud is deployed, the majority (88 percent) reported some IT adoption challenges; 12 percent said they faced no challenges (lucky them). I found it interesting that 96 percent of IT managers -- those managing the actual cloud work -- reported challenges.

The top complaint: integrating application data (67 percent), followed by concerns about knowing “where our data is” (39 percent) and difficulty developing workflows across applications (34 percent).

IT is the biggest user of cloud-based applications (67 percent of enterprises report having a cloud-based application in their IT department); the sales department comes next at 36 percent, followed closely by customer support at 35 percent.

One benefit of the cloud shines bright for more than half (54 percent) of respondents: SaaS business intelligence would provide “easier access to data currently in application silos;” 46 percent believe SaaS BI would increase visibility. Faster deployment was expected from 42 percent of survey participants.

In one troublesome trend, 37 percent of IT executives report being asked to assume ownership for solutions purchased without their input. Sound familiar? If you think data integration is tough without IT input and examination, imagine the headache of integrating data from applications dumped in your lap. (True, it’s similar to the problems of integrating data as a result of mergers and acquisitions -- where data resides in applications over which you had no input -- but in this case, the situation is preventable.)

The survey was conducted in May by Dimensional Research, which asked “an independent group of CIOs, IT executives, and other IT professionals to participate in a Web survey on the topic of cloud adoption and trends.” Most respondents (86 percent) were located in the U.S. and Canada, the remainder in the EMEA and APAC regions. Results can be downloaded here, though a short registration is required.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/25/2012 at 11:53 AM | 0 comments

Most American Companies Have Presence on Facebook

A new study conducted by InSites Consulting reveals that eight out of ten American companies are present on Facebook, a higher usage rate than comparable enterprises in Europe. In addition, 45 percent have a Twitter account, 48 percent are available on LinkedIn, and 31 percent are using YouTube.

Having a Facebook page means nothing if you don’t use it, of course. The survey found that 61 percent of American companies “listen to consumer conversations on social media,” and 83 percent “answer client questions and complaints via social media.”

Those are the good numbers. Unfortunately, just over half (54 percent) of the surveyed companies “also talk to and actively participate in online conversations with consumers.” Furthermore, the researchers point out, usage of social media doesn’t mean social media is integrated into the enterprise’s DNA. For example, according to a statement from InSites Consulting:

A mere 11% of the companies are integrating their social media approach into their overall corporate strategy while 17% are currently mid-integration. More than 1 out of 4 (26%) of the American companies are not even doing anything on social media!

The report also predicts a “digital divide” between those enterprises using social media and those that don’t. “This survey shows that companies which are already investing a lot in new media will do so even more in the future. Companies which are not investing much yet are not intending to do so.”

For the survey, 1,222 managers and business owners were interviewed from companies of 20 employees or more in the U.S., Great Britain, the Netherlands, Belgium, Germany, and France. A slide show of the research’s key points can be viewed here; no registration is required.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/21/2012 at 11:53 AM | 0 comments

Is Your Printer Going Crazy? It May Be Infected

According to Symantec, printers around the globe have become infected.

Over the past two weeks, an outbreak of Trojan.Milicenso has resulted in multiple reports of massive print jobs being sent to print servers, printing garbage characters until the printer runs out of paper. Our telemetry data has shown the worst hit regions were the US and India followed by regions in Europe and South America. We originally encountered Trojan.Milicenso in 2010 and our initial investigation had shown that this was basically a malware delivery vehicle for hire. The payload that is most commonly associated with this latest version is Adware.Eorezo; an adware targeting French speaking users.

The company says its analysis of this "printer bomb" threat’s ultimate goal "is ongoing." The threat "leverages [the] adware component as a decoy and a signed digital certificate."

Read the rest of Symantec's report here: Trojan.Milicenso: A Paper Salesman’s Dream Come True

-- James E. Powell
Editorial Director, ESJ

Posted on 06/21/2012 at 11:53 AM | 0 comments

Report Details Online File Sharing Risks, Trends for SMBs

SMBs need to be more vigilant about file sharing. Symantec Corp., in a new report, says that as online file sharing grows at small and midsize enterprises, so, too, do the risks.

The company’s 2011 SMB File Sharing Survey notes that

SMB employees are increasingly adopting unmanaged, personal-use online file sharing solutions without permission from IT, part of the broader trend of the consumerization of IT in which the adoption of online services for use on personal mobile devices blurs the lines between work and play. These early-adopter behaviors – like those driving the use of file sharing technology -- are making organizations vulnerable to security threats and potential data loss.

This isn’t a small problem. According to Rowan Trollope, group president of SMB and .cloud at Symantec, “A staggering 71 percent of small businesses that suffer from a cyber attack never recover -- it’s fatal. As the fastest adopters of cloud technologies, such as file sharing, SMBs need to use safe practices, especially when using a solution that might not be built for businesses. As employees increasingly adopt consumer cloud services at work, the risk to SMBs only grows.”

Among the survey’s findings: 74 percent of respondents “said they adopted online file sharing to bolster their own productivity.” [italics added] If security and IT personnel understand the benefits, is it any wonder that use of unauthorized file-sharing solutions is growing -- and exposing the enterprise to risks? Among those risks, survey respondents listed “malware (44 percent), loss of confidential or proprietary information (43 percent), breach of confidential information (41 percent), embarrassment or damage to brand/reputation (37 percent), and violating regulatory rules (34 percent).”

Policies can help mitigate risks, but 22 percent of respondents haven’t implemented policies that restrict “how employees can access and share files.”

File sizes, remote worker, and adoption trends and predictions are also in the report, which is available here. No registration is required. Once the link is opened, double-click on the slideshow SMB File Sharing Flash Poll from the list of presentations at the right of the slideshow viewer.

The survey of “decision-makers” at 1,325 SMB organizations (defined as those with between 5 and 500 employees) around the globe was conducted in November 2011 but just released.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/21/2012 at 11:53 AM | 1 comment

Are Smart TVs the Next Security Target?

Codenomicon, a security solutions provider, has issued a warning to consumers about “the poor stability of name-brand smart TVs” from six manufacturers. The report, Smart TV Hacking: Crash Testing Your Home Entertainment, doesn’t disclose the manufacturers’ names and models tested “to protect users of those devices.”

The company conducted tests recently using smart model-based fuzzing tools that send “unexpected, abnormal inputs” to systems, then monitor the results. If the software is buggy, the device will crash. The technique is especially suited to finding zero-day vulnerabilities.

All of the tested units failed in repeated tests using critical communication protocols.

Given that so many smart TVs are connected to the Internet, consumers may have cause for concern. The report discusses potential problems, including denial of service attacks, loss of sensitive data, and covert malware.

The full research results (and Codenomicon’s analysis) are available for download at no cost. No registration is required.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/21/2012 at 11:53 AM | 10 comments

What Would You Rather Lose: Your Wallet or Your Phone?

If you’re like the 500 IT professionals SecurEnvoy interviewed at the Infosecurity Europe 2012 conference, you’re more likely to be concerned about losing your mobile phone than the contents of your wallet.

The company, which specializes in tokenless two-factor authentication, said its poll results, released today, reveal that respondents would rather lose what’s in their wallet than lose their mobile phone.

When asked what people would “most fear losing from their back pocket,” more than a third (37 percent) said it was their personal phone; another 20 percent didn’t want to lose their company phone. Just one quarter said “£50,” and 18 percent said they didn’t want to lose their credit cards.

A poll the company conducted in January revealed that “two thirds of respondents feared losing their mobile phone.” In fact, “so great was this worry that 41 percent had two phones or more in an effort to stay connected.” [emphasis mine]

The concern over cell-phone separation is only likely to grow, as Andy Kemshall, co-founder and CTO of SecurEnvoy, points out.

“This study really highlights just how high a value we place on them, especially with so many preferring to lose a relatively significant amount of money to their phone. As functionality increases on devices, so too will our dependence on them -- we can already use them for so much more than talking. With that in mind, using a mobile phone as your authentication token seems a natural choice and far more convenient than carrying old-fashioned style hardware.”

Security admins’ concerns over mobile security seem justified after I read this comment from Kemshall: “The study we conducted in January found [that] 46 percent do not use any protection at all. Perhaps it’s time we showed these little devices just how much we love them and secure them.”

Well said.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/07/2012 at 11:53 AM | 1 comment

Survey Confirms: Your E-Mail Inbox Is Mostly Junk

What’s filling up your inbox? As you probably suspect, it’s mostly junk. Not necessarily junk mail -- just “non-essential” communication.

In survey results released today by Mimecast, only one in every three e-mail messages in your business inbox has any “real, immediate value.” If you’re like those surveyed, only a quarter of your inbox contains e-mail you consider “essential for work purposes,” and you consider another 14 percent of your inbox as being “of critical importance.”

Mimecast’s The Shape of E-mail report, the first the company has issued, asked IT departments about their e-mail practices and what’s in the inbox of an “average employee.”

According to the report, the study “attempts, for the first time, to describe the content of a typical corporate inbox in terms of its importance and relevance to the user, through the eyes of the professionals tasked with its management.”

Among the findings: 13 percent of a “typical” inbox is filled with personal (non-work-related) e-mail. Another 40 percent is either “functional” or of “low-level” importance. On average, 63 percent of your messages are coming from your co-workers; 7 percent is classified as “spam” or “junk.”

What Mimecast calls “high-quality inboxes” are typically smaller in size (by about 10 percent from “low-quality” inboxes), are found in large organizations (those with more than 500 employees), have a high percent of internal (employee-to-employee) e-mail, and are most likely in the IT/Telco market or are public sector employers.

The report drills down into the nature of e-mail. For example, two-thirds of messages contain more than just text. On average, one-quarter (27 percent) contain attachments, 14 percent have hyperlinks, and 22 percent embed either HTML or images.

Security is, as always, a concern: 41 percent of respondents worry about remote access; 39 percent are “concerned specifically with access to e-mail via a mobile device.”  The report identifies other security risks and, like those non-essential messages, time wasters: 73 percent of organizations allow social media use in the workplace (professional networking sites such as LinkedIn are allowed by 55 percent of organizations, social networking sites -- Facebook is the most popular -- by 47 percent). The problem: 59 percent say such social activity increases risks from information leaks, and 55 percent say it increases security risks.

The report also covers e-mail challenges by region, causes of e-mail downtime, and archive management practices. It’s available here; a short registration form must be completed for access.

The study is based on answers from 200 U.S. respondents, 200 respondents in the UK, and another 100 participants in South Africa. Mimecast is a cloud-based e-mail archiving, security, and continuity provider for Exchange and Office 365.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/06/2012 at 11:53 AM | 0 comments

Prolexic Issues Defense Strategy Against HULK Attacks

Prolexic Technologies, a distributed denial of service (DDoS) protection service, has released a threat advisory on the HTTP unbearable load king (HULK) denial of service (DoS) script that has many security administrators panicking. 

HULK, released on May 17, was intended as an educational proof-of-concept, according to Prolexic. It works by using randomized header and parameter values to generate a flood of threaded GET commands. The company said that “the randomized requests make it more difficult to distinguish attack threads from legitimate traffic, particularly for automated mitigation solutions.”

Making its job still easier is the fact that HULK exploits “out-of-the-box Web server configuration vulnerabilities and spawns 500 threads that collectively stream random GET requests at its Web site target upon launch, bypassing caching engines to exhaust server resources.”

“What makes HULK dangerous is the fact that a single malicious actor with a single computer could feasibly take down a small, unhardened Web server in minutes. We’ve tested the tool internally and it is functional,” said Neal Quinn, chief operating officer at Prolexic. [emphasis mine]

“Fortunately, this is not a very complex DoS tool,” Quinn points out. “We were quickly able to dissect its approach and stop it dead in its tracks. It is fairly simple to stop HULK attacks and neutralize this vulnerability with the proper configuration settings and rules.”

The Prolexic Security Engineering & Response Team (PLXsert) has released a set of rules to defend against and mitigate HULK attacks. The team has made its recommendations public here. The report is free but registration is required.
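As an added illustration (not Prolexic's rules and not part of the original post), the traits described above can be checked in Web server access logs: a single client whose GET requests almost never repeat a query string, which is what defeats caching, and whose header values rotate. The thresholds, the combined log format, and the sample lines are assumptions constructed for this example, and the sketch does not window by time.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip - - [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def flag_randomized_get_floods(lines, min_requests=20, min_unique_ratio=0.9, min_agents=3):
    """Return {ip: stats} for clients whose GETs almost never repeat a query
    string and that also rotate User-Agent values. Thresholds are assumptions."""
    per_ip = defaultdict(lambda: {"n": 0, "queries": set(), "agents": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # skip unparseable lines and non-GET requests
        stats = per_ip[m["ip"]]
        stats["n"] += 1
        stats["queries"].add(urlsplit(m["target"]).query)
        stats["agents"].add(m["ua"])
    flagged = {}
    for ip, s in per_ip.items():
        ratio = len(s["queries"]) / s["n"]
        if s["n"] >= min_requests and ratio >= min_unique_ratio and len(s["agents"]) >= min_agents:
            flagged[ip] = {"requests": s["n"], "unique_query_ratio": ratio,
                           "agents": len(s["agents"])}
    return flagged

def constructed_sample():
    """Constructed log lines (not captured traffic): one flood-like client, one ordinary one."""
    fmt = '{ip} - - [01/Jun/2012:11:53:{s:02d} +0000] "GET {t} HTTP/1.1" 200 512 "{r}" "{ua}"'
    agents = ["UA-A/1.0", "UA-B/2.0", "UA-C/3.0", "UA-D/4.0"]
    lines = []
    for i in range(30):
        # Flood-like: a fresh parameter on every request defeats caching; headers rotate.
        lines.append(fmt.format(ip="203.0.113.7", s=i, t=f"/?k{i}={i * 4729}",
                                r=f"http://example.test/?q={i}", ua=agents[i % 4]))
        # Ordinary: one browser revisiting a handful of cacheable URLs.
        lines.append(fmt.format(ip="198.51.100.20", s=i, t=f"/news?page={i % 3}",
                                r="-", ua="Mozilla/5.0 (constructed)"))
    return lines

if __name__ == "__main__":
    for ip, stats in flag_randomized_get_floods(constructed_sample()).items():
        print(ip, stats)
```

A shared NAT address can legitimately show several User-Agent values, which is why the check requires the near-unique query strings as well before flagging a client.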

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 06/01/2012 at 11:53 AM | 0 comments