Monday, February 26, 2007

Top 10 Admin Passwords to Avoid

In the end, it's all a big guessing game. You create passwords to protect your systems; hackers try to guess the password you created.

It's a game that's going on all the time. As we reported last week, researchers at the University of Maryland recently completed a study in which four live Linux servers were set out as bait to see how often they would be attacked. The study racked up 269,262 attempts in a 24-day period. (See Study: Two Hacks a Minute.)

During that time, 824 attempts were successful -- the attacker got the server's username and password. On average, that means that each of the servers was "cracked" almost 10 times a day. And these were relatively anonymous servers, sitting in a university data center and intentionally loaded with mundane, uninteresting data. We can only imagine what these attempt statistics might look like at, say, Bank of America or the U.S. Department of Defense.

Click here for the full story.

Tuesday, February 20, 2007

How to protect yourself at wireless hot spots

They can be an invitation to disaster, says Preston Gralla, who offers a surefire plan to avoid security breaches
Wi-Fi hot spots in airports, restaurants, cafes and even downtown locations have turned Internet access into an always-on, ubiquitous experience. Unfortunately, that also means always-on, ubiquitous security risks.

Connecting to a hot spot can be an open invitation to danger. Hot spots are public, open networks that practically invite hacking and snooping. They use unencrypted, insecure connections, but most people treat them as if they are secure private networks.

Click here for the full story.

Monday, February 19, 2007

What would you do first as chief information security officer?

Becoming the chief information security officer (CISO) of a corporation makes you a strategic IT advisor to business management, the chief information officer, and the rest of the information technology staff. Just as no company is the same as another, the job of CISO -- or alternately, “chief security officer,” which might include physical security as well -- isn’t either. The four security professionals who share their priorities with us make it clear there’s nothing cookie-cutter about the top IT security job.

Click here for the full story.

Friday, February 16, 2007

Massive Insider Breach At DuPont

The Delaware U.S. attorney on Thursday revealed a massive insider data breach at chemicals company DuPont where a former scientist late last year pleaded guilty to trying to steal $400 million worth of company trade secrets. He now faces up to a decade in prison, a fine of $250,000, and restitution when sentenced in March.

Click here for the full story.

Thursday, February 15, 2007

Getting Users Fixed

Dark Reading’s editorial advisory board held a meeting at last week’s RSA Conference in San Francisco, bringing together security experts from several different walks of life. During the meeting, hackers, industry analysts, and enterprise security people discussed some of the chief problems facing security managers today, and their views on the industry’s greatest obstacles. The following are excerpts from that conversation.

Botnets are the chief exploit facing IT managers today, according to Ira Winkler, security expert and author of Spies Among Us.

Click here for the full story.

Wednesday, February 14, 2007

Data Destruction, at Your Disposal

So what do you do with those old PCs and servers when you buy new equipment?

Some organizations put them in storage, delaying the inevitable, while others donate, auction, landfill, or recycle the equipment. Most companies still take responsibility today for wiping their own hard drives clean of data, although not always safely and thoroughly, which leaves data vulnerable to falling into the wrong hands. (See Second-Hand Drives Yield First-Class Data and A Garbage Can for Hard Drives.)

Click here for the full story.

Tuesday, February 13, 2007

E-mail retention policies, Part 2

Tips for defining e-mail retention policies
In the previous column, my friend and colleague Prof. Don Holden, MBA, CISSP-ISSMP, and I reviewed some of the issues arising from pre-trial discovery orders involving stored e-mail and e-mail archives.

As we looked through several articles on the subject and thought about the issues, we put together the following list of practical pointers for readers:

Click here for the full story (Part 2).

E-mail retention policies, Part 1

Why e-mail retention is not just a good idea
One of the big factors driving proper retention and destruction of e-mail is that e-mails are discoverable evidence in both civil procedures and criminal investigations. Retention of e-mail and other unstructured content such as instant messaging is also required in certain industries, particularly in the financial industries, where brokerage houses have been fined millions of dollars for failure to produce e-mails in a timely fashion.

For example, Morgan Stanley was fined $15 million by the Securities & Exchange Commission for failing to produce e-mail messages promptly in response to court-authorized demands for evidentiary discovery.

Click here for the full story (Part 1).

Monday, February 12, 2007

Are 'Sealed' Websites Any Safer?

Hacker Safe, ControlScan, VeriSign, Cybertrust -- what's in a Website label, anyway?

As consumers become more concerned about protecting their information online, more "secure" labels have emerged, each promising to serve as a "Good Housekeeping seal of approval" for Website security. Hacker Safe and ControlScan, for example, prove that a site has been vulnerability-scanned. The new Extended Validation SSL (EV SSL) moniker, championed by digital certificate vendors such as VeriSign and Cybertrust, helps verify that a site is not a phish or a phony. (See Cybertrust Enters EV SSL Fray.)

And now ScanAlert is rolling its "Hacker Safe" seal into a service for enterprises, company executives say. Hacker Safe Enterprise is a fully managed service that includes vulnerability assessment, hands-on analysis, and support from ScanAlert's security experts.

VeriSign, whose VeriSign Secured Seal logo is displayed on over 65,000 Websites, and Cybertrust, are in the process of rolling out EV SSL. If a site is EV SSL-certified, its address shows up in green on newer browsers such as Internet Explorer 7.

But are sites with a Website seal really more secure?

Click here for the full story.

Thursday, February 08, 2007

Hackers find a wealth of victims on corporate Web sites

Secure software can help fight Web attacks, experts said at RSA Conference
Insecurely written software still looms as one of the greatest threats to Internet commerce, and user-generated Web content is becoming a vast new vulnerability hackers want to exploit, according to experts at RSA Conference.

Cross-site scripting attacks on Web sites can lead to malware taking over the browsers of machines that use the sites, said Caleb Sima, a member of the Secure Software Forum and co-founder of SPI Dynamics.

Click here for the full story.

Wednesday, February 07, 2007

Attackers Take Trojans to the Bank

Mobility, money, and malicious intent have formed a toxic brew, a researcher at Kaspersky Lab said yesterday on the eve of the security conference here. And it's a mix that threatens banks and their customers alike.

Cybercriminals are targeting financial services and consumer banking customers, which is no great surprise, acknowledged Eugene Kaspersky, head of research and development for the international antivirus vendor. But "bank Trojans," in particular, he told Dark Reading, have recently demonstrated more malevolence and effectiveness, threatening to overwhelm antivirus researchers and the methods they use to shut down such malware.

Click here for the full story.

Monday, February 05, 2007

Gates, Ellison to tout security at RSA

The annual RSA Conference, expected to draw 15,000 security professionals and more than 325 vendors from around the world to San Francisco's Moscone Center exhibit hall, kicks off this week with keynotes from industry luminaries Bill Gates and Larry Ellison.

Microsoft Chairman Bill Gates, accompanied by Craig Mundie, chief research and strategy officer, is expected to tout the security of Microsoft's new Vista operating system, plus how e-commerce can improve if Web sites make use of the industry's new Extended Validation Secure Sockets Layer (EV SSL) certificate for authentication.

Click here for the full story.

Friday, February 02, 2007

Call the cops: We're not winning against cybercriminals

Kaspersky seeks police help with fighting cybercrime
Kaspersky Lab Thursday will acknowledge that cybercriminals have the upper hand and cooperative international policing is needed to protect honest users.

"We don’t have the solutions," says Natalya Kaspersky, CEO of the company. "We thought it was possible to do antivirus and that was adequate protection. That time is gone."

Click here for the full story.

About Me

Choose Dyrand Systems as your virtual IT department and focus on growing your business—not on the technology that supports it. You deserve peace of mind when it comes to IT. When you choose Dyrand, you’re choosing more than just an IT firm—you’re choosing an extension of your own team.