WindowsSecurity.com Monthly Newsletter

WindowSecurity.com Newsletter of February 2012 Sponsored by: Collective Software

Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com

Affordable Two Factor Authentication with AuthLite

Static passwords are insecure, and strong policies lead to poor user compliance. AuthLite provides OTP security that's painless to use, far more secure, and affordable to any size organization. AuthLite's unique design enables existing password logon applications to support strong two-factor security, without needing drivers or client software changes. In San Francisco? Come see AuthLite live with a Free pass to the 2012 RSA Security Expo right now! (Feb. 27 to March 2) Register with code EC12CSOFT.

You can evaluate AuthLite today with no obligation from Collective Software.

Editor's Corner

There Are Three Ways To Learn

There are three ways to learn. 1) Read it in a book and apply it to your own situation. 2) See someone else do it and do the same. 3) Pee on the electric fence. The third example is the most painful, and in IT security, unfortunately it’s very often the case.

I found a very instructive article for you that will allow you to learn using option 1) or 2) above, and hopefully not be forced into option 3. The article is called the 15 worst data security breaches of the 21st Century. The nominations for the list came from the Chief Security Officer LinkedIn community and here is the list. Note that they mention how this company was hacked if that data is available. Read and learn!

Poll: Security Resource Allocation

Here is my first WindowSecurity Poll. Please take 10 seconds to answer and next month we will publish the results! Here is the question: "When making resource allocation decisions for security programs, do you have a methodology that helps you prioritize your investments based on greatest risk to the organization’s overall business strategy?"

- Yes
- No
- Somewhat, but immature

Take the poll now!

Quote Of The Month

"All truths are easy to understand once they are discovered; the point is to discover them." - Galileo Galilei, born this month in 1564.

Email me at feedback@windowsecurity.com

Warm regards,
Stu Sjouwerman
Editor, WindowSecurity.com Monthly Newsletter

Security Detail

Cool Cop Tech: 5 New Technologies Fighting Crime

Computerworld reported: CSI and its imitators have introduced TV viewers to some of the advanced technologies used by crime-scene investigators. But they aren't the only law enforcement personnel benefiting from technology; police officers across the nation have an arsenal of high-tech devices to help them investigate and solve cases. From eye-in-the-sky drones to GPS vehicle pursuit darts and even ordinary iPads, here's a look at five tech tools that are being used or tested by police to protect their communities.

Some of these technologies are relatively uncontroversial, while others have raised eyebrows among privacy and civil rights advocates. The legality of one has even been called into question by the courts, highlighting a potential pitfall of using advanced tech to conduct police work. Read the article.

How Do I Know If A Wireless Network Is Secure?

Microsoft has a very useful page on their site that you should send to your employee road warriors with laptops. It may very well prevent their machines getting infected, or worse.

Security Manager's Journal: Hackers Phone Home -- On Our Dime

"At issue: A small office in Europe discovers that someone has hacked its IP telephony router.

Action plan:: Update the operating system to prevent toll fraud, and assess the IP telephony setups at offices around the world.

It's been a while since we've had a security breach worth mentioning (that we know of). Last week we had one, and it was an eye-opener. A small development office in Western Europe was informed by the local telephone company that a high number of calls were being made from the office's IP telephony setup to a Middle Eastern country. When we looked into it, we found that in just 15 days, over $30,000 in calls had been made to several Middle Eastern countries, as well as Russia, China and a couple of Central American nations." Here is the story.

Affordable Two Factor Authentication with AuthLite

Static passwords are insecure, and strong policies lead to poor user compliance. AuthLite provides OTP security that's painless to use, far more secure, and affordable to any size organization. AuthLite's unique design enables existing password logon applications to support strong two-factor security, without needing drivers or client software changes. In San Francisco? Come see AuthLite live with a Free pass to the 2012 RSA Security Expo right now! (Feb. 27 to March 2) Register with code EC12CSOFT.

You can evaluate AuthLite today with no obligation from Collective Software.

SecureToolBox

ViewPoint –-Your Take

Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at feedback@windowsecurity.com 

SecOps: What You Need To Know

Microsoft Fixes 21 Security Flaws

Paul Thurrott has the best write-up about them, and make sure you test, test, test on a testbed before you deploy. These updates tend to break things. "Microsoft on Tuesday issued nine security updates addressing 21 separate flaws in products such as Windows, Internet Explorer (IE), .NET, Silverlight, and SharePoint. Several of the fixes address critical flaws, including some that could aid in so-called drive-by attacks.

The fixes come as part of Microsoft's regularly scheduled Patch Tuesday event. And the software giant noted that it has now been providing these regular fixes, and the associated guidance, for a bit over 10 years. More here.

What Is Your Email Attack Surface?

Always been curious to find out what percentage of your employees actually are Phish-prone? Did you know that almost half of all network malware infections are caused by social engineering? Because cyber-attacks are rapidly getting more sophisticated, the frustration level and risk continues to mount.

Take the first step now to improve your organization’s defenses against cybercrime. Fill out the form, and you will be able to start your Free Simulated Phishing Attack. That allows you to find out what percentage of your users is Phish-prone. The number is usually much higher than you think.

You will get immediate access to start the simulated attack. We call it the 'Phishing Security Test' (PST). Sign Up For Your FREE Simulated Phishing Attack Now.

13 Security Myths

Ellen Messmer at Network World had a good story that you should take a look at. "They're "security myths," oft-repeated and generally accepted notions about IT security that arguably are simply not true -- in order words, it's just a myth. We asked security experts, consultants, vendors and enterprise security managers to share their favorite "security myths" with us. Here are 13 of them."

Affordable Two Factor Authentication with AuthLite

Static passwords are insecure, and strong policies lead to poor user compliance. AuthLite provides OTP security that's painless to use, far more secure, and affordable to any size organization. AuthLite's unique design enables existing password logon applications to support strong two-factor security, without needing drivers or client software changes. In San Francisco? Come see AuthLite live with a Free pass to the 2012 RSA Security Expo right now! (Feb. 27 to March 2) Register with code EC12CSOFT.

You can evaluate AuthLite today with no obligation from Collective Software.

Hackers’ Haven

Adobe Confirms New Zero-Day Flash Bug

"Adobe on Wednesday patched seven critical vulnerabilities in Flash Player, including one reported by Google researchers that hackers are using in "active targeted attacks." The bug attackers have been exploiting is a cross-site scripting (XSS) flaw in the Flash Player plug-in used by Microsoft's Internet Explorer (IE).

"This update resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or Web mail provider, if the user visits a malicious website," read the Adobe security advisory that accompanied yesterday's Flash update.

"There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message."

Java Security Update Scrubs 14 Flaws

Oracle has shipped a critical update that fixes at least 14 security vulnerabilities in its Java JRE software. The company is urging users to deploy the fixes as quickly as possible. Read the article.

Nortel Was Hacked For 10 Years - Execs Did Nothing

Now this is a scandal from many different angles. The Chinese had penetrated their networks, it was reported up the flagpole, and nothing was done about it. Then they sold the company in parts,and the infected machines were sold as well. So this may be the first instance of a Corporate Transmitted Infection (CTI).

CSO Online has the whole story, and it's a cautionary tale that you should all have a look at. Wipe any strange machine completely clean by formatting the drive, and rebuild them from scratch!

Fave links & Cool Sites

Affordable Two Factor Authentication with AuthLite

Static passwords are insecure, and strong policies lead to poor user compliance. AuthLite provides OTP security that's painless to use, far more secure, and affordable to any size organization. AuthLite's unique design enables existing password logon applications to support strong two-factor security, without needing drivers or client software changes. In San Francisco? Come see AuthLite live with a Free pass to the 2012 RSA Security Expo right now! (Feb. 27 to March 2) Register with code EC12CSOFT.

You can evaluate AuthLite today with no obligation from Collective Software.