WindowSecurity.com Newsletter of February 2012 Sponsored by: Collective Software
Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com. Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
There Are Three Ways To Learn
There are three ways to learn. 1) Read it in a book and apply it to your own situation. 2) See someone else do it and do the same. 3) Pee on the electric fence. The third example is the most painful, and in IT security, unfortunately it’s very often the case.
I found a very instructive article for you that will allow you to learn using option 1) or 2) above, and hopefully not be forced into option 3. The article is called "The 15 worst data security breaches of the 21st Century." The nominations for the list came from the Chief Security Officer LinkedIn community, and here is the list. Note that it mentions how each company was hacked, if that data is available. Read and learn!
Poll: Security Resource Allocation
Here is my first WindowSecurity Poll. Please take 10 seconds to answer and next month we will publish the results! Here is the question: "When making resource allocation decisions for security programs, do you have a methodology that helps you prioritize your investments based on greatest risk to the organization’s overall business strategy?"
Quote Of The Month
"All truths are easy to understand once they are discovered; the point is to discover them." - Galileo Galilei, born this month in 1564.
Email me at email@example.com
Cool Cop Tech: 5 New Technologies Fighting Crime
Computerworld reported: CSI and its imitators have introduced TV viewers to some of the advanced technologies used by crime-scene investigators. But they aren't the only law enforcement personnel benefiting from technology; police officers across the nation have an arsenal of high-tech devices to help them investigate and solve cases. From eye-in-the-sky drones to GPS vehicle pursuit darts and even ordinary iPads, here's a look at five tech tools that are being used or tested by police to protect their communities.
Some of these technologies are relatively uncontroversial, while others have raised eyebrows among privacy and civil rights advocates. The legality of one has even been called into question by the courts, highlighting a potential pitfall of using advanced tech to conduct police work. Read the article.
How Do I Know If A Wireless Network Is Secure?
Microsoft has a very useful page on their site that you should send to your employee road warriors with laptops. It may very well prevent their machines getting infected, or worse.
Security Manager's Journal: Hackers Phone Home -- On Our Dime
"At issue: A small office in Europe discovers that someone has hacked its IP telephony router.
Action plan: Update the operating system to prevent toll fraud, and assess the IP telephony setups at offices around the world.
It's been a while since we've had a security breach worth mentioning (that we know of). Last week we had one, and it was an eye-opener. A small development office in Western Europe was informed by the local telephone company that a high number of calls were being made from the office's IP telephony setup to a Middle Eastern country. When we looked into it, we found that in just 15 days, over $30,000 in calls had been made to several Middle Eastern countries, as well as Russia, China and a couple of Central American nations." Here is the story.
ViewPoint – Your Take
Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at firstname.lastname@example.org
SecOps: What You Need To Know
Microsoft Fixes 21 Security Flaws
Paul Thurrott has the best write-up about them, and make sure you test, test, test on a testbed before you deploy. These updates tend to break things. "Microsoft on Tuesday issued nine security updates addressing 21 separate flaws in products such as Windows, Internet Explorer (IE), .NET, Silverlight, and SharePoint. Several of the fixes address critical flaws, including some that could aid in so-called drive-by attacks.
The fixes come as part of Microsoft's regularly scheduled Patch Tuesday event. And the software giant noted that it has now been providing these regular fixes, and the associated guidance, for a bit over 10 years." More here.
What Is Your Email Attack Surface?
Always been curious to find out what percentage of your employees actually are Phish-prone? Did you know that almost half of all network malware infections are caused by social engineering? Because cyber-attacks are rapidly getting more sophisticated, the frustration level and risk continue to mount.
Take the first step now to improve your organization’s defenses against cybercrime. Fill out the form, and you will be able to start your Free Simulated Phishing Attack. That allows you to find out what percentage of your users is Phish-prone. The number is usually much higher than you think.
You will get immediate access to start the simulated attack. We call it the 'Phishing Security Test' (PST). Sign Up For Your FREE Simulated Phishing Attack Now.
13 Security Myths
Ellen Messmer at Network World had a good story that you should take a look at. "They're "security myths," oft-repeated and generally accepted notions about IT security that arguably are simply not true -- in other words, it's just a myth. We asked security experts, consultants, vendors and enterprise security managers to share their favorite "security myths" with us. Here are 13 of them."
Adobe Confirms New Zero-Day Flash Bug
"Adobe on Wednesday patched seven critical vulnerabilities in Flash Player, including one reported by Google researchers that hackers are using in "active targeted attacks." The bug attackers have been exploiting is a cross-site scripting (XSS) flaw in the Flash Player plug-in used by Microsoft's Internet Explorer (IE).
"This update resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or Web mail provider, if the user visits a malicious website," read the Adobe security advisory that accompanied yesterday's Flash update.
"There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message."
Java Security Update Scrubs 14 Flaws
Oracle has shipped a critical update that fixes at least 14 security vulnerabilities in its Java JRE software. The company is urging users to deploy the fixes as quickly as possible. Read the article.
Nortel Was Hacked For 10 Years - Execs Did Nothing
Now this is a scandal from many different angles. The Chinese had penetrated their networks, it was reported up the flagpole, and nothing was done about it. Then they sold the company in parts, and the infected machines were sold as well. So this may be the first instance of a Corporate Transmitted Infection (CTI).
CSO Online has the whole story, and it's a cautionary tale that you should all have a look at. Wipe any strange machine completely clean by formatting the drive, and rebuild it from scratch!
Fave links & Cool Sites