Wednesday, October 29, 2008
Sunday, October 26, 2008
Yet with the pervasiveness of small business, these information systems can become unwitting tools for attackers and provide a stepping stone for larger attacks on enterprise networks.
By understanding the pertinent issues in creating and maintaining effective policy, small businesses can create workable rules by first understanding the psychology of their workers, the information landscape in which they operate, and the value of the information being protected.
Friday, October 24, 2008
The emergency update comes just one week after the regularly scheduled Patch Tuesday and follows the discovery of a targeted zero-day attack, Microsoft said in an advisory. The vulnerability is rated “critical” on Windows 2000, Windows XP and Windows Server 2003.
On Windows Vista and Windows Server 2008, the flaw carries an “important” rating.
For more information about this patch, visit:
The Verizon Business Risk Team reviewed more than 500 corporate data breaches between 2004 and 2007 and found that 87 percent could have been prevented -- if only the companies had the proper security measures in place at the time of the breach. After four years of forensic research involving more than 230 million records, the "2008 Data Breach Investigations Report" found that 73 percent of breaches resulted from external sources, while 18 percent were caused by insiders. Thirty-nine percent implicated business partners -- a number that increased five-fold over the time period of the study -- while 30 percent involved multiple parties.
The first-of-its-kind study looked at data breaches in a wide variety of industries, including retail, food and beverage, technology, and financial services. According to the findings:
* Most breaches resulted from a combination of events rather than from a single action. Specifically, 62 percent were attributed to a significant error; 59 percent resulted from hacking and intrusions; 31 percent incorporated malicious code; 22 percent exploited a weakness; and 15 percent were due to physical threats.
* Of those breaches caused by hacking, 39 percent were aimed at the application or software layer. Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.
* Nine of 10 breaches involved some type of "unknown" -- unknown systems, data, network connections, and/or account user privileges. Also, 75 percent of breaches were discovered by a third party rather than the affected organization.
* Seventy-five percent of all data breaches result in compromised data within a matter of days. Despite this, the study also reveals that 63 percent of companies don't learn about data breaches until months after their data has been compromised. Even after breaches are discovered, the study finds that nearly half of them take weeks to fix.
The study urges businesses to be proactive and provides key recommendations to help them protect themselves:
* Align process with policy -- In 59 percent of data breaches, organizations had established security policies and procedures, but they had not been enacted through actual processes. Create solid data protection policies and then follow through.
* Achieve "essential" then worry about "excellent" -- Identify a set of essential controls and ensure they are implemented across the organization without exception before moving on to more advanced controls.
* Create a data retention plan -- Sixty-six percent of breaches involved data that the victim did not know was on the system. Identify and quantify the types of data retained during business activities and then work to categorize it based on risk and liability.
* Control data with transaction zones -- Investigators concluded that network segmentation can help prevent, or at least partially mitigate, an attack.
* Monitor event logs -- Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Processes that ensure the timely, efficient, and effective monitoring of and response to network events are critical to protecting data.
* Create an incident response plan -- If a breach occurs, be ready to act. An effective incident response plan helps ensure an intrusion can be stopped before data is compromised.
* Increase awareness and testing -- Educate employees about the risks of data compromise, their role in preventing it, and how to respond.
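The "monitor event logs" recommendation above rests on the finding that evidence of the events leading up to most breaches was already sitting in the victim's logs. The following is an added example, not code from the report or from Verizon Business, of the kind of check that would surface that evidence: it parses a handful of constructed sshd-style authentication log lines (sample data, not real logs) and flags a source that fails a login five or more times within sixty seconds, and, the higher-signal case, a successful login from a source that has just been failing. The threshold and window are assumed values chosen for the sample, not figures from the study.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in a syslog/sshd-like format (not from the report).
# The first block is a password-guessing run that ends in a successful login;
# the second is a user mistyping a password once and logging in 15 minutes later.
SAMPLE_LOG = """\
2008-10-20T02:14:01 sshd[4102]: Failed password for admin from 203.0.113.45 port 51234
2008-10-20T02:14:03 sshd[4102]: Failed password for admin from 203.0.113.45 port 51235
2008-10-20T02:14:05 sshd[4102]: Failed password for root from 203.0.113.45 port 51236
2008-10-20T02:14:08 sshd[4102]: Failed password for backup from 203.0.113.45 port 51237
2008-10-20T02:14:10 sshd[4102]: Failed password for oracle from 203.0.113.45 port 51238
2008-10-20T02:14:12 sshd[4102]: Failed password for svc_db from 203.0.113.45 port 51239
2008-10-20T02:14:15 sshd[4102]: Accepted password for svc_db from 203.0.113.45 port 51240
2008-10-20T09:30:00 sshd[4310]: Failed password for alice from 198.51.100.7 port 40001
2008-10-20T09:45:00 sshd[4311]: Accepted password for alice from 198.51.100.7 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse(log_text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count unparsed lines so gaps are visible
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect(events, threshold=5, window_seconds=60):
    """Return a list of (kind, source_ip, detail) alerts.

    threshold / window_seconds are assumed tuning values for this sample.
    """
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    already_flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = failures[ev["src"]]
        # Slide the window: discard failures older than window_seconds.
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if not ev["ok"]:
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in already_flagged:
                already_flagged.add(ev["src"])
                alerts.append(("brute_force", ev["src"],
                               f"{len(recent)} failed logins within {window_seconds}s"))
        elif len(recent) >= threshold:
            # A success right after a burst of failures is the event worth paging on.
            alerts.append(("success_after_failures", ev["src"],
                           f"'{ev['user']}' accepted after {len(recent)} recent failures"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(parse(SAMPLE_LOG)):
        print(f"{kind:24} {src:16} {detail}")
```

In the sample, the guessing run from 203.0.113.45 trips the brute-force rule on its fifth failure and the "accepted after failures" rule three seconds later, while alice's single typo produces nothing because her success falls outside the window. The rule itself is trivial; the point of the recommendation is that someone has to be collecting the logs centrally and looking at the output in time to act on it.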
Thursday, October 23, 2008
Fifteen years ago, they were called bulletin boards. Judged by today's technologies, they were pretty clunky. You typed questions or information in a few fields and waited (and hoped) for a response. They were the Internet's first "social networks." Today, of course, when the topic of social networks comes up, Facebook, MySpace, YouTube and LinkedIn come to mind.
Social networks, however, can take on shapes different from these more consumer-oriented sites -- as intranets, for example. Intranets are fairly simple to set up and maintain, and can improve employee productivity and idea implementation.
Forrester Research estimates that social networking will be a huge priority for organizations, part of a $4.6 billion Web 2.0 industry by 2013, with social networks making up nearly $2 billion of that amount. How much of that, however, will involve consumer social networking sites versus intranet social networking?
Forrester predicts there will be a lot of intra-company networking tools (e.g., corporate directories or internal forums), as well as more interactive varieties of technical support. The biggest adopters of social networking are expected to be large companies; smaller businesses, meanwhile, are more skeptical.
While intranets seem to be a logical adaptation of social networking, allowing employees unfettered access to consumer social networking sites does not seem to be as big a concern among enterprises as one would think, given the security and productivity issues involved. According to an evaluation of businesses using Barracuda Networks' Web Filters product, only 50 percent of organizations are blocking MySpace or Facebook.
Of those organizations that do block these sites, 70 percent do so for virus or spyware prevention; 52 percent restrict Web surfing due to employee productivity drain. This year, however, 65 percent of businesses surveyed by Barracuda say they will restrict Web surfing, up 23 percent. Companies also cite bandwidth concerns (36 percent) and liability issues (28 percent) as additional reasons to cut into employee Web surfing.
Many companies, however, seem to be waiting for something bad to happen before they implement Web surfing controls, much as they did with network security and customer data protection, and much as they did before blocking pornography sites. After all, these aren't bulletin boards we're talking about.