Aug 08 2011

Advanced persistent threats force IT to rethink security priorities

Category: cyber security | DISC @ 9:45 am

By Ellen Messmer

Network World – The biggest business challenge today, in the minds of many information security officers, is the stealthy online infiltration by attackers to steal valuable proprietary information. The reality, they say, is that these so-called “advanced persistent threats” are so rampant and unrelenting they are forcing IT to rethink network security.

“Tackling advanced persistent threats means giving up the idea that it’s possible to protect everything. This is no longer realistic,” states the Security for Business Innovation Council, the group of 16 security leaders from companies that include eBay, Coca-Cola Company, SAP, FedEx Corp., Johnson & Johnson and Northrop Grumman. The council today published a report — “When Advanced Persistent Threats Go Mainstream” — outlining the problems and challenges facing large organizations.

These advanced persistent threat (APT) infiltrations can emanate from nation-states and their hired-hand attackers as well as industrial competitors, organized crime and “hacktivists” like Anonymous. The term APT is thought to have originated within the U.S. military, primarily the Air Force, which used the phrase as shorthand to describe cyberattacks that seemed to originate from somewhere in mainland China.

The overall sense, according to the report, is that an APT is a “cyberattack that is highly targeted, thoroughly researched, amply funded, and tailored to a particular organization — employing multiple vectors and using ‘low and slow’ techniques to evade detection.”

This stealthy attack infiltration to steal important data has become widespread, with several companies and government agencies disclosing they’ve been targets, including Google, EMC’s security division RSA, Epsilon, Citigroup, The Washington Post and the Department of Energy research labs Oak Ridge National Laboratory and Pacific Northwest National Lab.

Timothy McKnight, chief information security officer at Northrop Grumman, who is a member of Security for Business Innovation Council, recently discussed how the aerospace and defense firm virtually every day has to defend itself against what it believes are a dozen separate groups of attackers trying to get into its network to steal sensitive data.

In the council report the 16 information security officers advise security teams to work closely with their business managers to identify the “crown jewels” of the organization and protect these “core assets,” while “also moving away from a perimeter-centric view.”

“Focusing on fortifying the perimeter is a losing battle,” their report bluntly states. “Today’s organizations are inherently porous. Change the perspective to protecting data throughout the lifecycle across the enterprise and the entire supply chain.” And the report adds: “The definition of successful defense has to change from ‘keeping attacks out’ to ‘sometimes attackers are going to get in; detect them as early as possible and minimize the damage.’ Assume that your organization might already be compromised and go from there.”

To read the remaining article: Advanced persistent threats force IT to rethink security priorities


Aug 05 2011

Homeland Security Begins at Home

Category: cyber security, Cybercrime | DISC @ 1:26 pm


Aug 02 2011

Social Media Stalking

Category: Social network | DISC @ 9:25 pm


Jul 27 2011

Tim O’Reilly: The Future of Business Intelligence is Now

Category: Data mining | DISC @ 10:15 am

When Tim O’Reilly talks, it’s better for all to listen very, very carefully! This man is an absolute visionary! I still remember how shocked I was at first, when he answered that the next big innovation (or change) is off-line shopping! He is so damn right…


Jul 24 2011

Security as a Service and Office as a Service

Category: Cloud computing | DISC @ 10:23 pm

The Windows Intune cloud service helps you centrally manage and secure your PCs through a simple web-based console, whether your IT staff or end users are in the main office, at a branch office, or on the road.

Click the figure below to see a video of the Windows Intune benefits:

Windows Intune simplifies and helps businesses manage and secure PCs using Windows cloud services and Windows 7—so your computers and users can operate at peak performance, from virtually anywhere

Take advantage of this free one-month trial to see whether Windows Intune aligns with your business requirements, helps you comply with industry standards and regulations, and is cost effective for your business. To do that you may have to find out the total cost of your existing infrastructure and its support and maintenance fees. A gap analysis based on the standards or regulations that apply to your business will also help to find out how this security as a service can assist your compliance effort. We do need to manage and protect our PCs from malware, and it’s a cost of doing business these days. For the cost analysis, keep in mind that the cost of implementing a control (Intune) should not be greater than the cost of the impact should malware compromise your network.

Intune manages updates
Centrally manage the deployment of the Microsoft updates and service packs that you choose to all your PCs from the Windows Intune console.

Intune protects PCs from malware
Help safeguard your PCs from the latest threats with centralized endpoint protection built on the award-winning Microsoft Malware Protection Engine and using the same trusted technologies as Microsoft Forefront Endpoint Protection and Security Essentials.

Leverage location-agnostic Security as a Service to defend your information assets

** Windows Intune™ – Trial **

Try Windows Intune™ for 30 days to see how businesses can simplify PC management and security by using Windows® cloud services.

Every business has needs and yours is no different. Your people need to stay connected and you need to maintain essential security and control. So why not have both? Make productivity easier by giving everyone endless ways to work and collaborate from anywhere at any time and on any device. In the cloud you make the rules.

Leverage access to e-mail, documents, contacts and calendars on nearly any device

** Office 365™ – Trial **

Office 365 trial for professional and small businesses

Office 365 trial for Kiosk worker plan

Office 365 trial for Enterprise level plan

Microsoft Exchange Online Archiving provides an enterprise-class service to assist organizations with their archiving, compliance, regulatory and e-discovery challenges while simplifying their on-premises infrastructure, enabling cost savings and easing the burden on IT.

** Exchange Online Archiving™ – Trial **

Exchange online archiving trial

Related article:

City and County of San Francisco Adopts Microsoft Cloud Solution


Jul 23 2011

Latest In U.S. Drone Technology

Category: Information Warfare | DISC @ 7:20 pm

http://www.youtube.com/watch?v=2ediTghuXrQ


Jul 21 2011

Information Security Breaches: Avoidance and Treatment based on ISO27001

Category: ISO 27k, Security Breach | DISC @ 2:47 pm

Information Security Breaches: Avoidance and Treatment based on ISO27001
If you are running a business, you learn to expect the unexpected. Even if you have taken all the right precautions, your company might still find itself confronted with an information security breach. How would your business cope then?

There are lots of books that will tell you what to do to prevent an information security breach. This book is different. It tells you what you have to do if a security breach occurs.

Security breaches sometimes occur because computers containing sensitive information are not returned to their owners. NATO laptops have been spotted in flea markets, and US government computers were put up for sale on eBay. Security breaches may also be the result of data theft. A bad apple in your company may be tempted to sell your confidential data to a rival firm.

If something happens, your company needs to be ready to take prompt and decisive action to resolve the issue. This book tells you the plans and procedures you need to put in place to tackle an information security breach should it occur. In particular, the book gives you clear guidance on how to treat an information security breach in accordance with ISO27001.

If a breach occurs, the evidence needs to be secured professionally. You need to know the rules on evidence gathering, and you need to be capable of isolating the suspect laptops right from the start. If you want your company to respond rapidly to an information security breach, you need to make sure that the responsibilities and roles in your company are clearly defined.

Benefits to business include:

Recover faster
An information security breach can have crippling consequences. However, with the right emergency measures in place, you will be able to recover quickly from the incident and resume normal operations.
Preserve customer confidence
An information security breach can result in loss of records and disruption to service. This can do serious damage to your relationship with your customers. It is vital for you to be prepared for an information security breach, so that if it ever happens you can preserve customer confidence.
Assist the investigation
Uncovering the root causes of an information security breach requires detective work. If an information security breach occurs, the investigators will need to be able to identify the problem. You can help them to do that by keeping proper records.
Catch the criminals
In the event of data theft, you will want to be in a position to act promptly and decisively. So you should set up an incident management system. This will mean that in the event of data theft, the police will have a greater chance of getting hold of the incriminating evidence they need to secure a conviction.

As Michael Krausz warns, “It is the prudence of management that decides on a company’s fate once a serious incident occurs, not only the size.”

What others are saying about this book …

‘…I recommend this pocket guide to anyone implementing ISO27001, and indeed to anyone who is concerned about the risks of security breaches, and who wants to know how best to prepare their organization for the unpleasant events that are bound to happen from time to time…’

Willi Kraml, Global Information Security Officer

‘…The author thankfully narrows down some important vocabulary to a practical usage in real life situations. The book gives what it advertises: a quick pocket guide to avoidance and treatment of security breaches with references to ISO27001…’

Sascha-A Beyer, Senior Manager

‘…Michael Krausz has created a valuable tool for both professional as well as less knowledgeable persons in respect to the ISO27001 Standard… Written in plain English, this handbook is easy to follow even by a novice in the Information Technology Field. Therefore “Information Security Breaches” is a must within the ‘tool box’ of anyone who deals with IT issues on an every-day basis…’

Werner Preining, Interpool Security Ltd

‘Michael Krausz did a good job. His pocket guide is small enough to be read in only a few minutes, yet is packed full of valuable information presented in a structured way. The case studies especially help to understand the topic. As former CIO of a large company I can recommend it.’
Christian H Leeb, Holistic Business Development

About the author: Michael Krausz is an IT expert and experienced professional investigator. He has investigated over a hundred cases of information security breaches. Many of these cases have concerned forms of white-collar crime. Michael Krausz studied physics, computer science and law at the University of Technology in Vienna, and at Vienna and Webster universities. He has delivered over 5000 hours of professional and academic training and has provided services in eleven countries to date.

Don’t let your organisation fall victim to a security incident … download your copy today!
Information Security Breaches: Avoidance and Treatment based on ISO27001

Tags: information security breaches, iso 27001, Michael Krausz, NATO laptops, Security Breach


Jul 20 2011

8 tactics for mobile data privacy and security

Category: hipaa, Security Awareness | DISC @ 1:21 pm

By Mary Mosquera

With the sweeping use of mobile devices by healthcare providers, physicians and hospitals need to embrace best practices for protecting sensitive patient data, privacy experts say. For example, encrypt sensitive data whenever it is necessary to store it on wireless devices.

Sixty-four percent of physicians own a smartphone and one third of them have an iPad, with another 28 percent planning to buy one within six months, according to research cited by ID Experts, which offers data protection and response services, in a July 20 announcement.

Many of the current 10,000 mobile healthcare applications were designed to give their users access to electronic health records (EHRs). At the same time, in the past two years, the Office of Civil Rights has reported that 116 data breaches of 500 records or more were the direct result of the loss or theft of a mobile device and led to the exposure of the personal health information of 1.9 million patients, which started many consumers questioning the security of EHR systems and the data they house.

The Office of Civil Rights oversees health information privacy in the Health and Human Services Department and publishes on its website incidents involving the sensitive information of at least 500 individuals.

To more effectively protect patient data, Rick Kam, president of ID Experts, recommended the following practices:

1. Don’t store sensitive data on wireless devices. If required, encrypt data.
2. Enable password protection on wireless devices and configure the lock screen to come on after a short period of inactivity.
3. Turn on the “remote wipe” feature of wireless devices.
4. Enable Wi-Fi network security. Do not use wired equivalent privacy (WEP). Wi-Fi protected access (WPA-1) with strong passphrases offers better security. Use WPA-2 if possible.
5. Change the default service set identifier (SSID) and administrative passwords.
6. Don’t transmit your wireless router’s SSID.
7. Only allow devices to connect by specifying their hardware media access control (MAC) address.
8. Establish a wireless intrusion prevention system.

“Many Wi-Fi networks in hospitals and doctor’s offices are not secure,” Kam cautioned, “and coupled with the increased mobile device usage, patient data is at risk.”


Jul 15 2011

Court Ruling on “Due Diligence” Online Banking Security

Category: Security and privacy Law | DISC @ 2:25 pm

The ruling in the Patco Construction vs. People’s United Bank case set a precedent, because the judge basically ruled that the bank’s below-par security was sufficient for a small business — and Patco (the small business) was held liable for paying for the fraud that resulted from the bank’s average security. For more details of the case, Brian Krebs has written a great post on it.

http://krebsonsecurity.com/2011/06/court-passwords-secret-questions-reasonable-ebanking-security/

Brian Krebs also wrote about another high-profile case (EMI v. Comerica) which was decided in favor of the small business (EMI):
http://krebsonsecurity.com/2011/06/court-favors-small-business-in-ebanking-fraud-case/

Based on these two cases it is hard to know how the next online banking fraud case will be decided and on which precedent. I guess the courts are still trying to figure out how to decide these complex cases and where to set the due diligence bar for the banks.


Jul 14 2011

The TickITplus Kick Start Guide has Been Launched

Category: Security Compliance | DISC @ 12:32 pm

Following the release late last month of the Base Process Library, the Kick Start Guide – the essential guide for all organisations pursuing TickITplus certification – has been launched.

/EIN Presswire/ — Following the release late last month of the Base Process Library (http://www.itgovernance.co.uk/products/3460), the Kick Start Guide – the essential guide for all organisations pursuing TickITplus certification – has been launched. The guide can be purchased here www.itgovernance.co.uk/products/3469 in a PDF format or hard copy.

The guide will provide organisations that need to achieve compliance with the TickITplus scheme with information about identifying and selecting the scope of certification and developing in-house resources. It contains guidance on identifying processes, mapping them to TickITplus processes and establishing the assessment strategy. The TickITplus Kick Start Guide also offers advice on preparing for, participating in and following up an assessment.

TickITplus (www.tickitplus.org) is the successor of TickIT and provides improved process modelling to facilitate more efficient business and quality systems planning and improvement. TickITplus gives entry level access to capability grading for small IT organisations and offers significant cost savings for those already pursuing both ISO9001 and Capability Maturity Measurements.

As an introductory guide, the TickITplus Kick Start Guide concentrates specifically on achieving the Foundation level of the scheme, either through initial entry or transition from the existing TickIT scheme.

The Kick Start Guide can be purchased today from www.itgovernance.co.uk/products/3469

Tags: TickITplus


Jul 13 2011

Do US companies do enough for their cyber security?

Category: cyber security, ISO 27k | DISC @ 9:51 pm

IT Governance Ltd, the ISO27001 and information security experts have reported that they are making a number of free resources available for download from their US website to help US companies meet the challenges of increased cyber crime.

July 12, 2011 /24-7PressRelease/ — IT Governance Ltd, the ISO27001 and information security experts have reported that they are making a number of free resources available for download from their US website (www.itgovernanceusa.com) to help US companies meet the challenges of increased cyber crime. This week the company has published a white paper on cyber security which can be downloaded from here http://www.itgovernanceusa.com/cyber-security.aspx

Cyber security has become an issue for every nation in the world. In the US over the last 3 months there have been data breaches against high-profile organizations including Fox, Sony, Gmail, the IMF (International Monetary Fund) and major government departments. Two weeks ago, the Arizona State Police again became the victim of a cyber attack. The hack was announced on Twitter less than a week after a previous attack from Lulz Security.

US companies need to do their utmost in order to defend themselves from hackers and protect their information assets. At present, key changes in US legislation are being discussed, and sooner or later it is likely that strict data security measures will be imposed on organizations, which they will need to comply with. Organizations that do not act now may face serious fines in the future or even become the subject of a class action lawsuit if the loss of customers’ data is established. Such was the case with Sony in April, when a Canadian PlayStation Network (PSN) user claimed damages in excess of $1 billion. This followed another lawsuit filed by an American PSN user. The consequences for companies compromising customers’ data can be severe, leading to both big financial implications and reputation damage.

IT Governance, which specializes in cyber security and compliance solutions, has published a white paper on their US website that provides information on some of the key developments US companies and their directors or IT managers need to be aware of in order to protect their business from cyber attacks. The white paper can be downloaded for free here: http://www.itgovernanceusa.com/cyber-security.aspx

Alan Calder, CEO of IT Governance, comments, “There are a few essential steps that organizations should be following if they are to implement an effective security strategy. Most organizations would only take certain measures if they are given the reasons why they should be doing this and know that their investment of time and money is worth it. What is a more convincing reason than the data breaches we all witness? At IT Governance, we not only advise customers what should be done, but also provide guidance and solutions to their problems. We have the most comprehensive range of resources across a number of areas, from books and toolkits through to e-learning and software tools.”

US companies can be doing more than taking partial measures to fight cyber crime. Implementing best practice in information security management has become the most popular approach to tackling cyber security; demonstrating to both customers and business partners that an organization is working to the highest standard. Accredited certification to ISO27001 gives an organization internationally recognized and accepted proof that its system for managing information security – its ISMS or cyber security readiness – is of an acceptable, independently audited and verified standard. Everything US companies need to know about ISO27001 is explained on this website: http://www.27001.com

Tags: isms, iso 27001


Jul 11 2011

Privacy and Law

Category: Information Privacy, Security and privacy Law | DISC @ 1:55 pm

Your personal information is manageable and controllable most of the time as far as privacy is concerned, until you have to use it for commercial purposes (to apply for a credit card, to open a bank account or to apply for a job). Then it depends on these commercial entities how they are going to use, share, manage or secure your personal information. Most of the laws regarding privacy tell you how your privacy is being violated, but they leave it to us to make these commercial entities protect our personal information or stop them from selling it to the highest bidder.

Below are some of the privacy protection laws for consumers which you need to be aware of:

Privacy Act of 1974: this legislation prohibits the federal government from creating secret databases on individuals and limits how agencies can share information. It gives you the right to request your information and to sue the government for failing to follow the Act. This might be important to know for people who are on the no-fly list database. For more details check out http://www.epic.com/privacy/1974act/

Fair Credit Reporting Act: FCRA lets you access your credit bureau records and correct inaccuracies, and it also allows you to obtain a free credit report every year.

Telephone Consumer Protection Act: this law does not provide a whole lot of protection against telemarketing calls, but the TCPA made it illegal to send unsolicited fax advertisements.

Family Educational Rights and Privacy Act: FERPA limits the sharing of student records and lets you opt out.

Gramm-Leach-Bliley Act: GLBA allows you to tell your bank to stop sharing your information with third parties.

Health Insurance Portability and Accountability Act: HIPAA gives you access to your medical records and limits the disclosure of medical information by a health care entity or provider.

More on Privacy and Law


Jul 08 2011

How to protect ourselves from Payment Fraud

Category: Cyber Threats, Cybercrime, pci dss | DISC @ 11:26 pm

Some basic advice has been issued by Apacs, and includes:

    * Don’t let your cards or your card details out of your sight when making a transaction
    * Do not keep your passwords, login details or PINs written down
    * Do not disclose PINs, login details or passwords in response to unsolicited emails
    * Only divulge card details over the phone when you have made the call or when you are familiar with the company
    * Access internet banking or shopping sites by typing the address into your browser. Never enter your personal details on a website you have accessed via a link from an e-mail
    * Shop at secure websites by checking that the security icon is showing in your browser window (a locked padlock or an unbroken key)
    * Always log out after shopping and save the confirmation e-mail as a record of your purchase

For more advice you can visit:

Spotting and avoiding common scams, fraud and schemes online and offline

How the scam works and what you need to do about it.

and

Online payment Security and Fraud Prevention

Tags: Australia, Business, Credit card, Financial services, fraud, Internet fraud, Online banking


Jul 07 2011

Securing the Enterprise in a Changing World

Category: Information Security | DISC @ 10:31 pm

RSA Conference 2011 Keynote – Securing the Enterprise in a Changing World – Bill Veghte

An applications transformation has begun, creating both challenges and opportunities: with users (consumers) demanding everything as a service, anywhere, how can enterprises secure critical corporate infrastructure assets and information? Building security into applications, assessing risk even before coding begins, and applying quality and operational management using ITIL concepts to the practice of security are key.

Enterprise Security


Jul 05 2011

Newly released ISO/IEC 27005:2011 helps improve risk management

Category: ISO 27k, Security Risk Assessment | DISC @ 12:55 pm

/EINPresswire.com/ ISO 27005:2011, the newly released international information security risk management standard, is now available to the international community of business continuity and information security practitioners.

Information security risk management is one of the core competencies of information security. This Standard is an essential companion to ISO/IEC 27001 and ISO/IEC 27002 and replaces ISO/IEC 27005:2008.

ISO 27005:2011 supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. The Standard is applicable to organisations of all types and sizes which intend to manage risks that could compromise the organisation’s information security.

IT Governance Ltd, an international distribution partner for IEC and a global leader in ISO27001 information, products and services, is making ISO/IEC 27005:2011 available from all its main websites. ISO 27005:2011 ISRM can be downloaded today from www.itgovernance.co.uk/products/1852.

“The new ISO/IEC 27005:2011 is a much better standard than was the 2008 version”, comments Alan Calder, CEO of IT Governance. “First, it is a better written, more coherent standard. Second, it is aligned with the risk management standard ISO31000, which makes it easier to integrate Enterprise Risk Management approaches with information security risk management. Third, it provides good, practical guidance on carrying out the risk assessment required by ISO27001, together with clear guidance on risk scales. Fourth, it has good guidance on threats, vulnerabilities, likelihoods and impacts. ISO27005 should become standard additional guidance on risk assessment – the ISMS core competence – for all organisations tackling ISO27001.”

Organisations that would like to save time and money whilst implementing the new Standard should consider applying vsRisk – an ISO27001:2005 compliant information security risk assessment tool produced by Vigilant Software, the specialist software subsidiary of IT Governance.

vsRisk (www.itgovernance.co.uk/products/744) simplifies each step of an ISO27001 risk assessment, allowing compliance project managers to capture their information security policy and objectives, plus the scope of their information security management system, and undertake a rapid appraisal of all key areas, including groups, assets and owners. The tool makes ISO27001 compliance achievable for a far wider range of organisations and professionals by minimising the need for specialist knowledge and significantly undercutting the cost of generalist risk management tools.

As well as supporting ISO/IEC 27001:2005 and ISO/IEC 27002, vsRisk complies with BS7799-3:2006, ISO/IEC 27005, NIST SP 800-30 and the UK’s Risk Assessment Standard.

A copy of the ISO27005:2011 standard can be downloaded immediately from www.itgovernance.co.uk/products/1852 and the vsRisk CD-ROM can be ordered from www.itgovernance.co.uk/products/744.


Jul 03 2011

Identity Theft Prevention | Credit Reports & Fraud Alerts

Category: Identity Theft, Security Awareness | DISC @ 10:45 pm

“Identity theft is the information age’s new crime. A criminal collects enough personal data on the victim to impersonate him to banks, credit card companies and other financial institutions. Then he racks up debt in the victim’s name, collects the cash and disappears. The victim is left holding the bag.
While some of the losses are absorbed by financial institutions–credit card companies in particular–the credit-rating damage is borne by the victim. It can take years for the victim to completely clear his name.” Bruce Schneier

http://www.youtube.com/watch?v=wyLzWYRC8CA

More Info on Identity Theft Countermeasures and Safeguards


Jun 29 2011

TSA Is NOT Security It’s A JOKE!

Category: Access Control, Information Security | DISC @ 10:10 pm

“Security measures that just force the bad guys to change tactics and targets are a waste of money,” said Bruce Schneier. “It would be better to put that money into investigations and intelligence.”

The security boss of Amsterdam’s Schiphol Airport is calling for an end to endless investment in new technology to improve airline security.
Marijn Ornstein said: “If you look at all the recent terrorist incidents, the bombs were detected because of human intelligence not because of screening … If even a fraction of what is spent on screening was invested in the intelligence services we would take a real step toward making air travel safer and more pleasant.”

“TSA Is NOT Security It’s A JOKE!” Isaac Yeffet
http://www.youtube.com/watch?v=s7pICJ0i6Jc

Don’t touch my Junk


Jun 29 2011

The weakest link in computer hacking?

Category: Security Awareness | DISC @ 10:30 am

The weakest link in computer hacking? Human error
By Cliff Edwards, Olga Kharif, Michael Riley, Bloomberg News

The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out.

Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed.

“There’s no device known to mankind that will prevent people from being idiots,” said Mark Rasch, director of network security and privacy consulting for Falls Church, Va.’s Computer Sciences Corp.

The test showed something computer security experts have long known: Humans are the weak link in the fight to secure networks against sophisticated hackers. The intruders’ ability to exploit people’s vulnerabilities has tilted the odds in their favor and led to a spurt in cybercrimes.

In real-life intrusions, executives of EMC Corp.’s RSA Security, Intel Corp. and Google Inc. were targeted with e-mails with traps set in the links. And employees unknowingly post vital information on Facebook or Twitter.

It’s part of a $1 trillion problem, based on the estimated cost of all forms of online theft, according to McAfee Inc., the Santa Clara computer security company.

Hundreds of incidents likely go unreported, said Rasch, who previously headed the Justice Department’s computer crime unit. Corporate firewalls costing millions to erect often succeed in blocking viruses and other forms of malware that infect computers and steal data such as credit card information and passwords. Human error can quickly negate those defenses.

“Rule No. 1 is, don’t open suspicious links,” Rasch said. “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.”

A full report on the Homeland Security study will be published this year, Sean McGurk, director of the department’s National Cybersecurity and Communications Integration Center, said at a June 16 conference in Washington.

Tactics such as spear-phishing – sending a limited number of rigged e-mails to a select group of recipients – rely on human weaknesses like trust, laziness or even hubris.

That’s what happened in March, when attackers used a clever ruse to exploit their discovery that RSA – the company that provides network-access tokens using random secondary passwords – was in a hiring campaign.

Two small groups of employees received e-mails with attached Excel spreadsheets titled “2011 Recruitment Plan,” the company said in April. The e-mails were caught by the junk-mail screen. Even so, one employee went into the folder, retrieved the file and opened it.

The spreadsheet contained an embedded Adobe Systems Inc. Flash file that exploited a bug, then unknown to San Jose’s Adobe, that allowed hackers to commandeer the employee’s PC. RSA said information related to its two-factor SecurID authentication process was taken.

Banks may be forced to pay $50 million to $100 million to distribute new RSA SecurID devices, according to Avivah Litan, a Gartner Inc. research analyst.

“The team that hacked us is very organized and had a lot of practice,” Uri Rivner, head of new technologies at RSA Security, said at a June 17 conference in Spain. “I can compare them to the Navy Seals Team Six, which hit Osama bin Laden.”

      The FBI began warning in early 2009 about a rise in spear-phishing attacks. To succeed, they require the target to open a link presumably sent by someone they know or trust.

      Total phishing attacks increased by 6.7 percent from June 2010 to May 2011, according to Symantec Corp.’s State of Spam & Phishing monthly report. The number of non-English phishing sites increased 18 percent month over month.

      Spear-phishing is evolving into what Rasch calls whale phishing: targeting senior-level executives whose computers may have access to far more sensitive information than rank-and-file workers.

      Technology executives are attractive targets because their positions give them access to a trove of information, and they tend to believe they’re better protected from computer hackers than their employees, Rasch said.

      Hackers research decision makers by browsing social networks, reading up on news about the company, and creating e-mails and links that appear to be genuine and come from people that the targets know.

      “Phishing is on a different trajectory than it’s been in the past,” said Malcolm Harkins, Intel’s chief information-security officer.

      This article appeared on page D – 2 of the San Francisco Chronicle on June 28, 2011

      Hacking: The Art of Exploitation

      Tags: hackers, International Monetary Fund, McAfee, phishing, RSA SecurID, RSA Security, RSA The Security Division of EMC, SecurID


      Jun 28 2011

      InfraGard Insights: Separation of Duties and…

      Category: Information SecurityDISC @ 10:31 pm

      InfraGard is an FBI partner site – a public-private partnership devoted to sharing information about threats to US physical and Internet infrastructure.

      Discussion of two important principles of information security: Separation of Duties and the concept of least privilege, and their impact on system administration.

      Principles of Information Security


      Jun 24 2011

      How safe is your personal information on social networks?

      Category: Information PrivacyDISC @ 10:53 pm

      With corporations, criminals and governments all looking to capture your information via the internet, how safe are you once you log on?

      How to Be Invisible

      How Disappear Erase Digital Footprint

