Archive for March, 2009

Phishing attacks on the increase as the recession starts to bite

Tuesday, March 31st, 2009

As predicted, phishing attacks are on the increase as the recession starts to bite. Figures we released today show that phishing attacks now account for half of all viruses.

The US is back in the top spot among malware-producing countries – not yet at the levels we were seeing before the shutdown of the McColo spam hosting service, but still significantly up on the beginning of the year.

It really is time to review the basics of corporate security. Whenever an economy is depressed, the instances of cyber crime – just like burglaries – increase.

Time spent now on educating employees, checking your Internet use policy, and applying some common sense security measures will pay dividends through the coming months.

Why do a security review?

Friday, March 27th, 2009

Yesterday I mentioned the benefits of a security review and today an example of what a review could have prevented is illustrated graphically by the following article in SC Magazine:

Government network hit by Conficker worm as trail of poor management exposed

It is sadly not uncommon for organisations to have no policy on laptops being connected to their LAN; we see this in companies big and small. Usually it has always been done this way and nobody questions the procedure. Furthermore, the people bringing in the laptops are often senior, so nobody challenges them. Worse still is the practice of allowing laptops from a different organisation to connect, which still happens. A review would have revisited these practices and flagged them up as a major vulnerability.

Companies must develop a policy that isolates these devices and scans and cleans them of any malware; even after this, it is still advisable, where possible, to lock down their access to the main LAN. This can be done by placing visiting laptops on a DMZ segment, giving them thin client access to the LAN only, and routing their Internet traffic through a gateway that scans outgoing connections. Together these precautions mean that even if a laptop carries malware the anti-virus has not detected, it has no direct path onto the LAN, and the scanning gateway stops it spamming the world from the organisation’s IP address.

Information Security – Don’t be passive

Thursday, March 26th, 2009

We do security reviews for companies, and these are proving popular as we move into more difficult times. Companies want to ensure – with the increased threat from both internal and external sources – that they are covered, and that they are making the right moves to secure their information. In a strange way, the government has done much to increase awareness of security pitfalls by losing so much public data itself. On one hand everyone (quite rightly) complains; on the other they are thinking: “I hope that couldn’t happen to us.” Prevention is so much cheaper than cure. Most of the time the recommendations we make don’t involve expenditure on new equipment or personnel, but rather the implementation of simple measures to ensure compliance with good practice.

For instance, with increased regulation there is concern that companies might be in violation of some new law they were not aware of. A typical example is the changes made to the Companies Act in 2005 and 2006: these are old enough now, but we still see companies not making the mandatory inclusions in their emails and websites. It is quick and easy to add the right footers and information, which immediately brings the company into compliance with the Act and avoids it being seen as unprofessional.

However, there are still many examples of poor practice. For example: the annual accounts being sent on unencrypted CDs to the accountants at year end; no acceptable use policy that employees can actually understand and sign; or passwords that haven’t been changed for a year and whose simplicity is frankly appalling.

The problem for security-minded professionals, of course, is not getting in the way of companies doing business. It is easy to recommend a raft of procedures that will secure a company – and at the same time stop it from being productive! The task is to assess the risk, and to ensure that serious risks are identified and tackled by avoiding, mitigating, transferring or accepting them. This is what companies need to spend more time doing now. Risk grows as a depression deepens: a poor economy means more disgruntled employees, more desperate individuals trying to make money, and more opportunity as we become more technologically enabled.

It’s not essential to employ an outsider to do this job for you. All the information you need is on the Internet and if you have the time, you can get up to speed on it. But the advantage of an outsider is that they bring an objective viewpoint, the experience of numerous reviews across a range of companies, and the time that they will save you.

In the end, the important thing is to take action. It could save money, reputation and careers.

Securing social media use

Tuesday, March 24th, 2009

Companies often ask us how to block applications (like IM), or how to control what employees are downloading from social networks (Facebook, MySpace) or microblogs (Twitter). As a result, we’re publishing a series of ‘securing social media’ guides for IT managers to use with their employees, to help keep the use of these applications and networks secure.

The first of these was a guide to secure blogging, which proved extremely popular. We’ve just brought out the second in the series, on securing social networks.

Since we first wrote about advising companies on the security issues of Facebook and other networks, we’ve seen a significant shift in company policy. A year ago, many companies were blocking access to social networks, which were seen as for personal use only. But now, these same companies are using the likes of LinkedIn and Facebook for their own promotion, networking and even customer contact.

I hope that our guide will help IT managers within those companies to update their security and access policies so that employees get the access they need, but without a negative impact on corporate security, productivity and bandwidth; and educate users on the part they play in corporate security.

You can download the guide here.

Are your proxy connections vulnerable?

Monday, March 16th, 2009

At the end of February, the US Computer Emergency Readiness Team (US-CERT) issued an alert that proxy servers operating in interception mode (‘transparent proxies’) may be vulnerable to hacking.

Transparent proxies intercept network connections and redirect them automatically to a given destination, without the client being configured to use a proxy – for example, in order to filter content, or for web caching or security purposes. The issue is this: because these proxies often decide where to connect based on the HTTP Host header of the intercepted request rather than on the address the client actually connected to, they have been found to be vulnerable to attackers who can forge that header via active content running in the browser (such as a plug-in with raw socket access), potentially gaining access to the destination resource through the proxy server. For example, this could be an Intranet server that wouldn’t usually be accessible publicly from the Internet.

The risk is fairly small, but as ever it is better to be on the lookout and prepared. Our advice to customers has been to allow proxy servers to connect upstream only to a limited number of well-known ports, and to limit the CONNECT method to traffic with destination port 443/tcp, so that a forged tunnel request cannot reach arbitrary internal services.

If you don’t know whether your company could be vulnerable, check the list of security systems on the US-CERT website. It’s not definitive, but does list most major vendors’ systems, and whether their products are affected.

If you have any doubt at all as to whether your business could be affected by this, contact your security company for advice.

Cloud computing – a secure future?

Wednesday, March 11th, 2009

The debate about cloud computing seems to be everywhere at the moment. There are still some security concerns – as there are bound to be when you put critical data and resources outside the corporate firewall. But in general, companies are becoming more comfortable with giving data to a third party (lost USB sticks and laptops on trains aside, of course).

There are three areas of concern that seem to crop up again and again when I’m asked about cloud computing:

  1. Performance – a provider of cloud services must be able to cope with high demand: not saturating at peak times, and able to scale as demand grows. There are two issues to consider here:
    a. Momentary peaks when a service is suddenly in demand (say a web filtering service that is inundated at lunchtimes – when people surf for personal use – but is less busy during the rest of the day).
    b. As customer numbers grow, the provider has to decide when to add machines to cope with demand. At what stage do they do this, and how slow can they let the service get before they add more?
  2. Sharing virtual hardware – customers often worry about whether their virtual hardware will be shared with other customers. Often they prefer the idea of an isolated virtual server to reduce the (perceived) risk of hacking.
  3. Data privacy – as referred to in this article by SC Magazine http://www.scmagazineuk.com/Data-privacy-clarification-could-lead-to-greater-confidence-in-cloud-computing/article/128425/, there are very real concerns about whether a cloud provider adheres to data privacy laws as they are defined in the customer’s location. Privacy laws vary hugely depending on where you are, and by definition cloud services can be accessed from anywhere. Companies using cloud computing should be clear where their data is being stored, what privacy laws it is subject to, and from where it will be accessed and used (and what the privacy laws are in those countries).

A number of services operated ‘in the cloud’ before the term was widely used; IT security services are a good example. Some areas, like email security services, lend themselves well to cloud delivery. Others – like firewalls – will always need to be applied locally. Cloud computing, like so many other IT systems, is not an ‘all or nothing’ solution, but one part of a mix.

China growing in significance as source of Internet threats

Thursday, March 5th, 2009

We’ve been watching China and Korea with interest over the last few months as they both grow in significance as sources of viruses, spam and intrusions. Every month we analyse the source of Internet threats, and February’s analysis shows that China produces nearly as many viruses as the US – 15.7 per cent, just under the US which accounts for slightly over 16 per cent.

Overall, threats from the US are down significantly since the shutdown of the McColo spam hosting service in November last year, although spam levels are up slightly on last month. The threat from China, however, is growing rapidly. Korea took over late last year as the dominant source of intrusions and this shows no sign of abating: it accounts for just over a quarter of all intrusions (the US takes second place at just over 13 per cent).

Advice on domain whitelisting and application blocking

Wednesday, March 4th, 2009

We’ve noticed a couple of interesting trends at Network Box [www.network-box.co.uk] that have led us to issue advice to our customers and are worth repeating here.

The first relates to the whitelisting of domain names. The proportion of spam emails that forge the recipient’s own domain name as the sender is now as high as 20 per cent – up from just one per cent in June 2008. As a result, we put out an advisory recently that companies should stop whitelisting their own domain names – a common practice to avoid ‘false positives’. One solution is Sender Policy Framework (SPF), in which the domain owner publishes a TXT record in DNS listing the IP addresses from which legitimate email for that domain will be sent. So, if someone in Singapore sends an email to a colleague in London, the recipient’s mail server in London looks up the SPF record for the sending domain and verifies that the IP address the email arrived from is listed in it. A match indicates that the email hasn’t been spoofed, and the mail is delivered; a message claiming to be from the company’s own domain but arriving from an unlisted address fails the check instead of sailing through a whitelist. Two caveats: SPF is evaluated against the envelope sender (MAIL FROM), not the From header the user sees, and the record must list every legitimate sending path – every office, and any third party that sends on the company’s behalf – or genuine mail will fail too.
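As an added illustration of the SPF check described above (example code, not Network Box’s product or any production SPF library), the following Python implements the core of the evaluation: parsing a `v=spf1` record, matching the connecting IP against `ip4`/`ip6` mechanisms with their qualifiers, following `include:`, and falling through to `-all`. DNS is replaced by a constructed dictionary of records, and the domain names and addresses are made up; `accept_as_trusted` shows what replaces the old “whitelist our own domain” rule.

```python
"""Minimal SPF evaluation (subset of RFC 7208) for the scenario in the post.

Added example; not code from the page or from Network Box. Supports the
ip4, ip6, include and all mechanisms with +/-/~/? qualifiers. Mechanisms
that need live DNS (a, mx, ptr, exists) are treated as no-match here, and
modifiers such as redirect= are ignored. All records, domains and
addresses below are constructed.
"""
import ipaddress

# Constructed DNS TXT view: domain -> published SPF record.
SPF_RECORDS = {
    # The company's own domain: London and Singapore offices, plus a
    # third-party mail provider that sends on its behalf, then hard fail.
    "example.co.uk": ("v=spf1 ip4:203.0.113.25 ip4:198.51.100.0/28 "
                      "include:_spf.mail-provider.example -all"),
    # The provider publishes its own ranges with a softfail default.
    "_spf.mail-provider.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1::/48 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from_domain, records=SPF_RECORDS, _depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for the connecting
    IP against the envelope-sender (MAIL FROM) domain's SPF record."""
    if _depth > 10:                      # RFC limit on nested lookups
        return "permerror"
    record = records.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # domain publishes no SPF
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # An IPv6 client never matches an ip4 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed network in the record
        elif mech == "include":
            # include: matches only if the referenced record yields pass;
            # its own fail/softfail does not propagate.
            matched = check_spf(client_ip, arg, records, _depth + 1) == "pass"
        else:
            continue  # a/mx/ptr/exists need DNS; modifiers (x=y) are ignored
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched


def accept_as_trusted(client_ip, mail_from_domain, own_domains, records=SPF_RECORDS):
    """Replacement for 'whitelist our own domain': mail claiming one of our
    domains is only exempt from spam scoring when SPF passes."""
    if mail_from_domain not in own_domains:
        return False
    return check_spf(client_ip, mail_from_domain, records) == "pass"


if __name__ == "__main__":
    # Singapore office sending to London: listed IP, so pass.
    print(check_spf("203.0.113.25", "example.co.uk"))
    # Spam forging the company's own domain from an unlisted address: fail.
    print(check_spf("203.0.113.99", "example.co.uk"))
```

The second call is the case the advisory is about: with a plain domain whitelist that forged message would have been delivered untouched, whereas here it ends at `-all`.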

The second is that we have seen a significant increase in requests from companies seeking help with blocking applications such as Skype or MSN, in order to prevent a security breach. The problem with blocking an application is that it will often find a way through a firewall – either by using ‘tunnelling’ software, or by trying every available port until it finds one that is open. So our advice is that companies should apply the same controls to outbound connections as to inbound, by configuring firewalls to block all outbound connections except those to secure proxies. This forces all web access through a gateway security system and ensures that web access complies with company policy. Of course, this can be adapted to individual users’ requirements.
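Once outbound traffic is default-deny, the firewall’s deny log becomes the place where the port-hunting behaviour described above shows up: one internal host trying many different destination ports in a few seconds. The Python below is an added example, not code from the page, that parses a handful of constructed iptables-style deny lines (the `OUT-DENY` log prefix, hosts and ports are all made up) and flags source/destination pairs that hit an unusual number of distinct ports within a time window.

```python
"""Spotting port-hopping applications in outbound-deny firewall logs.

Added example, not code from the page. Once outbound traffic is
default-deny with only the proxy allowed, an application that hunts for an
open port appears in the deny log as one internal host hitting many
distinct destination ports within seconds. The log lines below are
constructed in iptables LOG style with a made-up "OUT-DENY" prefix.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one host probing seven ports in three seconds
# (port-hopping), and one host retrying a single blocked port (not).
SAMPLE_LOG = """\
Mar  4 09:15:01 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.9 PROTO=TCP SPT=51001 DPT=443
Mar  4 09:15:01 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.9 PROTO=TCP SPT=51002 DPT=80
Mar  4 09:15:02 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.9 PROTO=TCP SPT=51003 DPT=33033
Mar  4 09:15:02 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.9 PROTO=UDP SPT=51004 DPT=12345
Mar  4 09:15:03 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.9 PROTO=TCP SPT=51005 DPT=1080
Mar  4 09:15:03 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.9 PROTO=TCP SPT=51006 DPT=5222
Mar  4 09:15:04 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.9 PROTO=TCP SPT=51007 DPT=8080
Mar  4 09:15:10 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.3 PROTO=TCP SPT=40001 DPT=25
Mar  4 09:15:11 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.3 PROTO=TCP SPT=40002 DPT=25
"""

# Syslog timestamp, then the fields we need; .*? tolerates the extra
# LEN/TOS/TTL fields a real iptables line carries between them.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) .*?OUT-DENY .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)
_EPOCH = datetime(1900, 1, 1)  # syslog lines carry no year; relative time is enough


def parse_denies(text):
    """Return (seconds, src, dst, proto, dport) tuples for each deny line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        secs = (ts - _EPOCH).total_seconds()
        events.append((secs, m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def find_port_hoppers(events, min_ports=5, window_s=60):
    """Map (src, dst) -> the largest number of distinct denied destination
    ports seen within any window_s-second window, for pairs that reach
    min_ports. A host retrying one blocked port never qualifies."""
    by_pair = defaultdict(list)
    for secs, src, dst, _proto, dport in events:
        by_pair[(src, dst)].append((secs, dport))
    hoppers = {}
    for pair, hits in by_pair.items():
        hits.sort()
        best = 0
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window_s}
            best = max(best, len(ports))
        if best >= min_ports:
            hoppers[pair] = best
    return hoppers


if __name__ == "__main__":
    for (src, dst), n in find_port_hoppers(parse_denies(SAMPLE_LOG)).items():
        print(f"{src} probed {n} distinct ports on {dst}: likely port-hopping app")
```

The threshold and window are starting points to tune against your own log volume; the point is that egress filtering turns an invisible evasion technique into a visible, countable one.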

This is a good time to remind companies to update their security policies. Many companies use legacy approaches and the security landscape changes so quickly that it’s worth checking all your processes are up to date. As ever, our team is on hand to help customers with any queries.