attackers

A new technique to assess network security

Judi Hasson — Sun, 27 Jul 2008 11:39:41 -0400

Researchers at the National Institute of Standards and Technology have figured out a new way to help IT administrators assess security risks using attack graphs and the National Vulnerability Database.

"We analyze all of the paths that system attackers could penetrate through a network and assign a risk to each component of the system," computer scientists Anoop Singhal said. "Decision makers can use our assigned probabilities to make wise decisions and investments to safeguard their network."

NIST notes that a hacker can take a number of routes through the network to find confidential data once inside the firewalls. The new technique evaluates each route and assigns a risk based on the level of difficulty for the hacker. Using an attack graph analysis, three potential attack paths are determined, and an attack probability is assigned for each path.

For more:
- see this eWeek.com article

More Mac attacks on the way

Tue, 19 Feb 2008 06:59:58 -0500

It's likely that Apple's Macintosh computers are headed for more malware attacks, according to some recent predictions. Sophos, a computer security firm, recently surveyed 355 Mac computer users about the potential for attacks. It found that 93 percent of them expect an increase in malware threats, a jump from 79 percent in 2006.

Since the Mac has been relatively free of attacks in the past, it's inevitable that attackers will turn their sights on such a prized target. The first area to be hit? According to Sophos, it's likely to be financial sites where hackers will infiltrate Apple's software and hardware. And what can the CIO do to protect his system? Stay alert and look into every attack. And if you start spotting more attacks on Macs, get ready to deploy some technology to fight it.

For more on this new hack threat:
- See this InformationWeek article

Gartner: Phishing on the rise

Thu, 03 Jan 2008 06:59:59 -0500

Watch out! Phishing attacks in the United States increased dramatically this past year, costing consumers more than $3 billion in 2007, and there is no end in sight, according to a recent survey by Gartner. Phishing is one of the latest weapons being used by hackers to crawl into a database, distort it and steal valuable data. The Gartner survey found that 3.6 million adults lost money in phishing attacks in the 12 months ending in August 2007, compared to 2.3 million adults the previous year.

"Phishing attacks are becoming more surreptitious and are often designed to drop malware that steals user credentials and sensitive information from consumer desktops," Avivah Litan, vice president and analyst at Gartner, told Tekrati. "Anti-phishing detection and prevention solutions are available but not utilized widely enough to stop the damage. These must be deployed and combined with solutions that also proactively detect and stop malware-based attacks."

At the top of the phishing target list are, of course, PayPal and eBay, but it's too soon for any CIO to breathe a sigh of relief. Phishing attackers are using all kinds of devious methods such as electronic greeting cards, charities and foreign businesses to lure computer users into letting the hacker in. The survey found that 47 percent of those who lost money had unauthorized charges made on their debit or check card in 2007. Thieves may be targeting debit cards and bank accounts because back-end fraud detection systems are traditionally weaker than credit card accounts, according to Litan.

"Regulators must get a better handle on the problem through consistent and timely bank reporting on their fraud incidents and losses," Litan said. Gartner expects phishing and malware attacks to grow in the year ahead because it's a lucrative business. And the consulting company sees no easy way to thwart these attacks unless e-mail providers spend the money on solutions that can keep phishing out. "Enterprises should at least protect their own brands from being used in phishing attacks by subscribing to an anti-phishing solution," Litan said. So the big question for CIOs is this: Are you there yet, and what would it take to make your company phish-proof?

For more on phishing dangers:
- See this Tekrati Article

Deal with password theft

Thu, 15 Nov 2007 06:59:58 -0500

There is nothing quite as sacred as your password. And that's why it is increasingly frustrating when hackers steal it. In a recent case, it was disclosed that attackers stole passwords and accounts from 92 nonprofits by infiltrating systems at Convio, the leading online marketing company for nonprofit organizations. What's a CIO to do? Come back with a vengeance and throw up a bullet-proof system to protect your most basic assets like passwords. Convio sent a letter to one affected company disclosing that email addresses and passwords were downloaded without authorization between Oct. 23 and Nov. 1.

But that's not all. Convio is taking a number of steps to deal with the theft. It's in the process of rewriting the functionality that it gets from the GetActive application into a native version on its own system. Convio has also created a query within its dashboard that can be used to identify which members of an organization's list might be affected. This is a headache for just about anyone, but you can ease it by having a plan in place if you are hacked, too. Tell us about your plans in a theft like this.

To deal with password breaches:
- See this eWeek article

Hack attack alert

Mon, 22 Oct 2007 06:59:59 -0400

Most CIOs realize that hack attacks are becoming more sophisticated. The days of throwing up a firewall to fix a problem are over. And it's less common now for attackers to break in through the front door. It's becoming more likely that an end-user will launch a worm or bot that causes an attack. It's not that hard; a hacker can send 100 spam e-mails to a company and get one lucky hit. So if you are working on your company's computer security strategy, pay at least as much attention to client-side protections as you do the hacker's old habits.

For more on tech threats:
- check out this InfoWorld article

Tech storage grows up Hack attack alert Why consultants get axed Tech storage grows up

Mon, 22 Oct 2007 06:59:58 -0400

For more on tech threats:
- check out this InfoWorld article

Sometimes a CIO has to bring in a tech consultant to upgrade a system. It might happen when there are no people in the IT shop who can handle the task. But there is always a risk in doing this. The consultant may not be on time, the job may be far more complicated than expected, or the consultant and CIO may not be on the same page for efficiently achieving success. In order to protect your company, make sure you have a way out when hiring a consultant. Know who you are hiring and, if at all possible, bring in a trusted consultant that you've worked with before.

To read more on why consultants get axed:
- see this Baseline article

Data storage is becoming more sophisticated. The use of a rotating magnetized disk is receding, and taking its place are solid state drives (SSDs), sometimes referred to as flash drives. They use no moving parts. SSDs are changing the way CIOs view storage for workstations and data centers. Once packaged, these drives are no different from platter-based predecessors as far as interface controllers are concerned. The key difference is the lack of moving parts, and advancement that will deliver an immediate result: data access is near instantaneous.

For more about storage:
- see InformationWeek article

Data breach costs rising

Thu, 18 Oct 2007 06:59:59 -0400

It might be time to open your company's wallet a little wider. A new study by Gartner says that data breaches are set to cost businesses 20 percent more each year through 2009. Are you ready for increasing phishing and other hack attacks that may take your system down? It's definitely a headache for any CIO. Gartner VP John Pescatore said that more attackers are using the credentials of legitimate users to sneak into secure systems. So what's a CIO supposed to do? Gartner estimates that the average business is already spending more than 5 percent of its IT budget on security, and another 7 percent on disaster recovery. The study also said that 90 percent of targeted attacks could be avoided without an increase in firms' security budgets, and said that the investments that enterprises had made in intrusion prevention, vulnerability management and network access control had largely paid off. Gartner warned that just spending more money was not the right answer. It advised CIOs to make sure that security was a top requirement for every new application, process and product. It also recommended establishing security metrics to measure spending efficiency.

To read about data breaches:
- see Washington Post article

Software security: The next frontier

Sun, 20 May 2007 20:01:38 -0400

Software security is, for the most part, uncharted territory for the CIO. This emergent discipline is the practice of designing, developing, and testing the security of software. To have a significant impact and influence on the security of software, it is vital to participate in the process from its earliest stages, and to continue to be heavily involved until the product's end-of-life. That means the CIO's staff members must be involved in software development and must understand the underlying technologies, but that's generally not the case. And in most cases, developers don't understand the attack tools and techniques that software faces today, and are incapable of independently producing software that can withstand them. The solution is cooperation among disparate teams. Testing is one example. Software testing generally falls under the purview of the quality assurance test team, but QA testers test how the software works, not how someone can break or misuse software for illicit purposes. To adequately test the security of business software, test plans and scenarios must represent the non-functional aspects of code that attackers are so adept at finding. That's where a collaboration effort with the information security staff should start.

Learn more about software security and collaboration:
- read the article at Optimize

Improving security on the cheap

Wed, 25 Apr 2007 20:01:36 -0400

Investing in expensive, complex security tools almost always pays off, but there are some much less expensive, common-sense steps you can take to improve security throughout the enterprise. First, periodically check for rogue wireless access points in corporate buildings. These access points give hackers an open door into the network. Second, enable Windows Update on all computers, but be sure to remember to verify that the systems are actually being patched. Third, don't allow HTML email through, because the text can open the door for security problems. Fourth, train users and IT staff on security procedures. Fifth, consider using Mozilla's Thunderbird and Firefox as possible alternatives to Outlook and Internet Explorer, because attackers tend to write malware for the latter software, not the former.

Read more security tips:
- read the article at InformationWeek

The march of the botnets

Wed, 18 Apr 2007 20:01:38 -0400

Botnets, networks of hundreds or even thousands of infected machines, aren't going away anytime soon. They can be used to wreak real havoc, including spamming and theft of financial and identity-related data, but they are capable of much more. They are on the brink of a technological leap to more resilient architectures and more sophisticated encryption that includes peer-to-peer networks that will make it much harder to track, monitor and disable them. With a P2P botnet, there is no centralized point for command and control. Each node in the network acts as both client and server, eliminating the central chokepoint. Individual nodes can be knocked offline, but the gaps in the network will be closed without the loss affecting the botnet's operation or the attacker's control. One of the most efficient ways for enterprises to address the bot problem is to blacklist malicious sites and hosts and block access to them. Botnet watchers are also seeing a trend toward stronger encryption, which is used by attackers to ensure that bots added to the network are in fact legitimate, as opposed to being nodes belonging to researchers working to infiltrate a botnet and block it or take it down.

Read more about the threat of botnets:
- read the article at eWeek

ALSO: read this on how trojans bolster botnet powers