Where’s the Data? Senior Management Doesn’t Know

Do you know where your company data is? If so, you’re doing better than two-thirds (67 percent) of respondents to a new survey from Varonis Systems Inc., a data governance software provider. Attendees from over 400 companies attending EMC World in May say their organization’s senior managers either “don’t know where all company data resides or are not sure.” Nearly three-quarters (74 percent) of organizations admit that they don’t have a tracking process so they know which files reside on third-party “cloud digital collaboration and storage services.”

A release from Varonis says it best: "With Bring Your Own Device (BYOD) -- particularly mobile and tablet devices -- and file synch services booming, companies are open to a wave of potential devastation. Files kept on third-party cloud services can be lost, misplaced, accessed by unauthorized people, or leave the company with the employee, causing data privacy and compliance issues.”

What’s worse:

Concerning those organizations that do use file synchronization services our survey uncovered some disturbing results: only 9 percent of those organizations using [third-party] collaboration services report that they have created authorization and review processes for the data residing in the cloud; 46 percent report that they don’t know how access is granted or reviewed; 23 percent report that they are still developing access processes; 10 percent report that while access is granted by users, reviews are ad hoc or not performed at all; and an astonishing 12 percent report that they have no plans to manage access to cloud based file sync services.

The report goes on to say that “These findings seem to confirm our worst fears: that organizational data is being spread to the public cloud, with little hope that access to it will be controlled.” Now you know why security surveys repeatedly report that security administrator’s biggest fear comes from the behavior of its users, not external threats.

Varonis points out that without such control, data is virtually "up for grabs.” 

The survey points out:

A bit of almost good news is that of those organizations that use 3rd party file sync services, a little over half (52 percent) hope to keep as much data in-house as possible, with the bare minimum being kept in the cloud. Almost a third (30 percent), however, are resigned to having to manage two separate infrastructures going forward: internal and cloud.

Notice that the report says the respondents hope. It doesn’t say they have any plans. Talk about wishful thinking.

Finally, another number that jumped out at me: when asked “Compared to internal file shares, how secure do you rate third-party cloud digital collaboration and services,” 27 percent said “I have no idea how secure these services are,” and 35 percent admitted the services were less secure than internal file shares.

The full report -- which should serve as a wake-up call to storage and security administrators alike -- is available at http://hub.varonis.com/CloudSurvey. A short registration is required.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/25/2012 at 11:53 AM0 comments

Are Smart TVs the Next Security Target?

Codenomicon, a security solutions provider, has issued a warning to consumers about “the poor stability of name-brand smart TVs” from six manufacturers. The report, Smart TV Hacking: Crash Testing Your Home Entertainment, doesn’t disclose the manufacturer’s names and models tested “to protect users of those devises.”

The company conducted tests recently using smart model-based fuzzing tools that send “unexpected, abnormal inputs” to systems, then monitor the results. If a software is buggy, the device will crash. The technique is especially suited to finding zero-day vulnerabilities.

All of the tested units failed in repeated tests using critical communication protocols.

Given that so many smart TVs are connected to the Internet, consumers may have cause for concern. The report discusses potential problems, including denial of service attacks, loss of sensitive data, and covert malware.

The full research results (and Codenomicon’s analysis) is available for download at no cost. No registration is required.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/21/2012 at 11:53 AM10 comments

Is Your Printer Going Crazy? It May Be Infected

According to Symantec, printers around the globe have become infected.

Over the past two weeks, an outbreak of Trojan.Milicenso has resulted in multiple reports of massive print jobs being sent to print servers, printing garbage characters until the printer runs out of paper. Our telemetry data has shown the worst hit regions were the US and India followed by regions in Europe and South America. We originally encountered Trojan.Milicenso in 2010 and our initial investigation had shown that this was basically a malware delivery vehicle for hire. The payload that is most commonly associated with this latest version is Adware.Eorezo; an adware targeting French speaking users.

The company says its analysis of this "printer bomb" threat’s ultimate goal "is ongoing."  The vulnerability "leverages [the] adware component as a decoy and a signed digital certificate."

Read the rest of Symantec's report here: Trojan.Milicenso: A Paper Salesman’s Dream Come True

-- James E. Powell
Editorial Director, ESJ

Posted on 06/21/2012 at 11:53 AM0 comments

Report Details Online File Sharing Risks, Trends for SMBs

SMBs need to be more vigilant about file sharing. Symantec Corp., in a new report, says that as online file sharing grows at small and midsize enterprises, so, too, are the risks.

The company’s 2011 SMB File Sharing Survey notes that

SMB employees are increasingly adopting unmanaged, personal-use online file sharing solutions without permission from IT, part of the broader trend of the consumerization of IT in which the adoption of online services for use on personal mobile devices blurs the lines between work and play. These early-adopter behaviors – like those driving the use of file sharing technology -- are making organizations vulnerable to security threats and potential data loss.

This isn’t a small problem. According to Rowan Trollope, group president of SMB and .cloud at Symantec, “A staggering 71 percent of small businesses that suffer from a cyber attack never recover -- it’s fatal. As the fastest adopters of cloud technologies, such as file sharing, SMBs need to use safe practices, especially when using a solution that might not be built for businesses. As employees increasingly adopt consumer cloud services at work, the risk to SMBs only grows.”

Among the survey’s findings: 74 percent of respondents “said they adopted online file sharing to bolster their own productivity.” [italics added] If security and IT personnel understand the benefits, is it no wonder that use of unauthorized file-sharing solutions is growing -- and expose the enterprise to risks? Among those risks, survey respondents listed “malware (44 percent), loss of confidential or proprietary information (43 percent), breach of confidential information (41 percent), embarrassment or damage to brand/reputation (37 percent), and violating regulatory rules (34 percent).”

Policies can help mitigate risks, but 22 percent of respondents haven’t implemented policies that restrict “how employees can access and share files.”

File sizes, remote worker, and adoption trends and preditions are also in the report, which is available here. No registration is required. Once the link is opened, double-click on the slideshow SMB File Sharing Flash Poll from the list of presentations at the right of the slideshow viewer.

The survey of “decision-makers” at 1,325 SMB organizations (defined as those with between 5 and 500 employees) around the globe was conducted in November 2011 but just released.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/21/2012 at 11:53 AM1 comments

Most American Companies Have Presence on Facebook

A new study conducted by InSites Consulting reveals that eight out of ten American companies are present on Facebook, a higher usage rate than comparable enterprises in Europe. In addition, 45 percent have a Twitter account, 48 percent are available on LinkedIn, and 31 percent are using YouTube.

Having a Facebook page means nothing if you don’t use it, of course. The survey found that 61 percent of American companies “listen to consumer conversations on social media,” and 83 percent “answer client questions and complaints via social media.”

Those are the good numbers. Unfortunately, just over half (54 percent) of the surveyed companies “also talk to and actively participate in online conversations with consumers.” Furthermore, the researchers point out, usage of social media doesn’t mean social media is integrated into the enterprise’s DNA. For example, according to a statement from InSites Consulting:

A mere 11% of the companies are integrating their social media approach into their overall corporate strategy while 17% are currently mid-integration. More than 1 out of 4 (26%) of the American companies are not even doing anything on social media!

The report also predicts a “digital divide” between those enterprises using social media and those that don’t. “This survey shows that companies which are already investing a lot in new media will do so even more in the future. Companies which are not investing much yet are not intending to do so.”

The survey of 1,222 managers and business owners were interviewed from companies of 20 employees or more in the U.S., Great Britain, The Netherlands, Belgium, Germany and France. A slide show of the research’s key points can be viewed here; no registration is required.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/21/2012 at 11:53 AM0 comments

What Would You Rather Lose: Your Wallet or Your Phone?

If you’re like the 500 IT professionals SecurEnvoy interviewed at the Infosecurity Europe 2012 conference, you’re more likely to be concerned about losing your mobile phone than the contents of your wallet.

The company, which specializes in tokenless two-factor authentication, said its poll results, released today, reveal that respondents would rather lose what’s in their wallet than lose their mobile phone.

When asked what people would “most fear losing from their back pocket,” more than a third (37 percent) said it was their personal phone; another 20 percent didn’t want to lose their company phone. Just one quarter said “£50,” and 18 percent said they didn’t want to lose their credit cards.

A poll the company conducted in January revealed that “two thirds of respondents feared losing their mobile phone.” In fact, “so great was this worry that 41 percent had two phones or more in an effort to stay connected.” [emphasis mine]

The concern over cell-phone separation is only likely to grow, as Andy Kemshall, co-founder and CTO of SecurEnvoy, points out.

“This study really highlights just how high a value we place on them, especially with so many preferring to lose a relatively significant amount of money to their phone. As functionality increases on devices, so too will our dependence on them -- we can already use them for so much more than talking. With that in mind, using a mobile phone as your authentication token seems a natural choice and far more convenient than carrying old-fashioned style hardware.”

Security admins’ concerns over mobile security seems justified after I read this comment from Kemshall: “The study we conducted in January found [that] 46 percent do not use any protection at all. Perhaps it’s time we showed these little devices just how much we love them and secure them.”

Well said.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/07/2012 at 11:53 AM1 comments

Survey Confirms: Your E-Mail Inbox Is Mostly Junk

What’s filling up your inbox? As you probably suspect, it’s mostly junk. Not necessarily junk mail -- just “non-essential” communication.

In survey results released today by Mimecast, only one in every three e-mail messages in your business inbox has any “real, immediate value.” If you’re like those surveyed, only a quarter of your inbox contains e-mail you consider “essential for work purposes,” and you consider another 14 percent of your inbox as being “of critical importance.”

Mimecast’s The Shape of E-mail report, the first the company has issued, asked IT departments about their e-mail practices and what’s in the inbox of an “average employee.”

According to the report, the study “attempts, for the first time, to describe the content of a typical corporate inbox in terms of its importance and relevance to the user, through the eyes of the professionals tasked with its management.”

Among the findings: 13 percent of a “typical” inbox is filled with personal (non-work-related) e-mail. Another 40 percent is either “functional” or of “low-level” importance. On average, 63 percent of your messages are coming from your co-workers; 7 percent is classified as “spam” or “junk.”

What Mimecast calls “high-quality inboxes” are typically smaller in size (by about 10 percent from “low-quality” inboxes), are found in large organizations (those with more than 500 employees), have a high percent of internal (employee-to-employee) e-mail, and are mostly likely in the IT/Telco market or are public sector employers.

The report drills down into the nature of e-mail. For example, two-thirds of messages contain more than just text. On average, one-quarter (27 percent) contain attachments, 14 percent have hyperlinks, and 22 percent embed either HTML or images.

Security is, as always, a concern: 41 percent of respondents worry about remote access; 39 percent are “concerned specifically with access to e-mail via a mobile device.”  The report identifies other security risks and, like those non-essential messages, time wasters: 73 percent of organizations allow social media use in the workplace (professional networking sites such as LinkedIn are allowed by 55 percent of organizations, social networking sites -- Facebook is the most popular -- by 47 percent). The problem: 59 percent say such social activity increases risks from information leaks, and 55 percent say it increases security risks.

The report also covers e-mail challenges by region, causes of e-mail downtime, and archive management practices. It’s available here; a short registration form must be completed for access.

The study is based on answers from 200 U.S. respondents, 200 respondents in the UK, and another 100 participants in South Africa. Mimecast is a cloud-based e-mail archiving, security, and continuity provider for Exchange and Office 365.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/06/2012 at 11:53 AM0 comments

Prolexic Issues Defense Strategy Against HULK Attacks

Prolexic Technologies, a distributed denial of service (DDoS) protection service, has released a threat advisory on the HTTP unbearable load king (HULK) denial of service (DoS) script that has many security administrators panicking. 

HULK, release on May 17, was intended as an educational proof-of-concept, according to Prolexic. It works by using randomized header and parameter values to generate a flood of threaded GET commands. The company said that “the randomized requests make it more difficult to distinguish attack threads from legitimate traffic, particularly for automated mitigation solutions. “

Making its job still easier is the fact that HULK exploits “out-of-the-box Web server configuration vulnerabilities and spawns 500 threads that collectively stream random GET requests at its Web site target upon launch, bypassing caching engines to exhaust server resources.“

“What makes HULK dangerous is the fact that a single malicious actor with a single computer could feasibly take down a small, unhardened Web server in minutes. We’ve tested the tool internally and it is functional,” said Neal Quinn, chief operating officer at Prolexic. [emphasis mine]

“Fortunately, this is not a very complex DoS tool,” Quinn points out. “We were quickly able to dissect its approach and stop it dead in its tracks. It is fairly simple to stop HULK attacks and neutralize this vulnerability with the proper configuration settings and rules.”

The Prolexic Security Engineering & Response Team (PLXsert) has released a set of rules to defend against and mitigate HULK attacks. The team has made its recommendations public here. The report is free but registration is required.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 06/01/2012 at 11:53 AM0 comments