Security Snippets: Flashback Update, Disorganized Encryption

Flashback: Lessons Learned, Free Removal Tool

Symantec says the number of Flashback-infected computers is on the decline; roughly 270,000 systems (down from the original 600,000), mostly in North America, Australia, and the UK. The company has also launched a free Flashback detection and removal tool available at www.norton.com/flashback.

The company lists three “lessons learned” from the malware incident:

• No operating system is immune to malware attack and any Internet-connected device should have security precautions in place.p

• Mac users are not out of the woods. There are still hundreds of thousands of users who have not taken the steps necessary to remove the malware. Additional infections are also still possible if the appropriate security updates are not installed.

• Cybercriminals often build on the exploits of others; additional attempts at widespread Mac malware infections are likely to follow.

More details can be found in this Symantec blog post.

IT’s Encryption Efforts Disorganized, Risky

The independent research firm Enterprise Strategy Group (ESG) says chief security officers should “aggressively address risk and costs of ad hoc encryption technologies and fragmented key management.” In its paper, Enterprise Encryption and Key Management Strategy: The Time is Now, ESG’s senior principal analyst Jon Oltsik presents new research how data encryption is being used in enterprise networks. [Editor’s note: Access to the report requires registration.]

It isn’t pretty. Oltsik warns that “encryption technologies are being implemented in a disorganized, ad hoc manner that leads to increased security risks and costs.” The analyst recommends a framework to address these shortcomings.

Oltsik explains that “when it comes to information strategy, large organizations tend to focus on firefighting rather than long-term strategy. Unfortunately, this short-sighted approach has its limits. Ad hoc encryption leads to redundant processes, complex operations, and high costs while placing sensitive data at risk of accidental compromise or malicious insider attack.”

The report points to four common shortcomings in enterprise encryption and key management:

• A lack of standards and management by disparate functional IT groups without data security expertise

• No central command and control – each tool has its own policies, provisioning and management of keys

• Disorganized key management systems that place data at risk for a security breach and unrecoverable critical files

• Organizational misalignment that doesn’t address insider threats by providing adequate access management and separation of duties

Tina Stewart, vice president of marketing for Vormetric, an enterprise encryption specialist, noted that “Encryption is being implemented on a broad scale, driven by increased threats from the outside as well as within the organization. This ESG research report explains the risk and costs associated with fragmented approaches to encryption, and advantages of developing a top/down plan to centralize its management and control.”

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 04/13/2012