WindowSecurity.com Newsletter of January 2012 Sponsored by: Collective Software
Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com. Each month we will bring you interesting and helpful information on the world of Security. We want to know what *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
My name is Stu Sjouwerman (pronounced shower-man, originally Dutch) and, as I’ll be taking over as editor-in-chief of the WindowSecurity.com Monthly Newsletter, I thought it would be a good idea to start by introducing myself. I have been in IT since ’79 and have written four books about Windows operating systems, and recently a book about cybercrime. Apart from that, I have been the editor-in-chief of WServerNews since 1997. Here are the archives if you are interested.
WServerNews was originally published by Sunbelt Software, and is now published by TechGenix. For the last 10 years it has focused on IT security and system administration. I was part of the management team that decided to build a new antivirus product from scratch, VIPRE Antivirus, so I have been knee-deep in spam, malware and cybercrime since 2003. At the moment I’m the CEO of KnowBe4.com, again an IT security company. I’m excited to be taking over the editorial reins of this newsletter. I hope that the new layout, content, hints and tips will help you keep your domains secure, and your users trained not to fall for social engineering tricks. I always like feedback, so please feel free to email me at email@example.com
Small Fish In Big Pond Invulnerable? Nope.
Douglas Bonderud wrote an article over at the InfoBoom site about small and midsize enterprises that caught my eye. Reason? He correctly stated something that most of us are guilty of:
“But it's just this attitude that makes the jobs of malware creators and hacktivists easier: Overconfidence by their targets simply paves the way for future attacks. SMB IT managers, by virtue of their position as small fish in a big pond, often take this attitude unknowingly, and it can lead to data being compromised, especially when that data is stored by a virtualized or cloud provider, off-site, and partially under the control of other hands. With one in six SMBs reporting an IT security breach in 2011 and a third of those affected having lost access to files or software, security awareness and the integration of a streamlined, effective, and constantly evolving set of security protocols is essential, whether they take a professionally managed or locally developed form.” More here.
Microsoft to launch real-time threat intelligence feed
Redmond is looking to share its wealth of security information with the world through a new real-time threat intelligence feed, the company recently announced at the International Conference on Cyber Security in New York. The project, which is still under development, aims to stream Microsoft's security information on high-profile and dangerous threats to organizations ranging from business partners and private corporations to domestic and foreign governments. Eventually, based on the success of beta testing, Microsoft will consider opening the threat intelligence feed to the public, officials said. More at NetworkWorld.
BYOD: How To Minimize Risk
When it comes to mobile devices, accommodating BYOD, or Bring Your Own Device, is a fact of life for organizations in all industry sectors worldwide. So, what can information security professionals do to minimize the risks involved in enabling staff members to use personally-owned tablets, smart phones, USB drives and other mobile devices for business purposes?
It all boils down to this: Conduct an inventory of all the types of personally-owned devices employees want to use for work-related tasks. Take every possible step to apply as many of the same precautions to these personally-owned devices as you apply to corporate-owned devices. And be sure to enter into a clearly spelled-out legal agreement with those who use personal devices for work-related purposes, and then provide them with extensive ongoing training. More detail at Healthcare Infosecurity.
WinServer 8 New File System More Secure
The new file system in WinServer 8 is more secure. It’s called ReFS, for ‘Resilient File System’, and gets you a much higher level of data security than the existing NTFS. One of the design goals of ReFS should make you very happy: to detect and correct corruption, which not only ensures the integrity of your data, but also improves system availability: less downtime. Redmond’s ‘Building Windows 8 Blog’ gives all the details, and this is a recommended read, especially the FAQ! Have a look at it here.
ViewPoint - Your Take
Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved.
SecOps: What You Need To Know
Social Engineering - The Elephant In The Room
Familiar with Spiceworks.com? It’s a site for system admins who use the Spiceworks software to manage their networks, discuss many IT topics, and help each other keep things up & running. It’s a “Facebook for admins”, if you will. There are many communities on Spiceworks, and one of them is the security group. One topic that I think you will like is Social Engineering, and a few days ago there was a great submission that started with:
“Wikipedia’s definition of Social Engineering is: “the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.””
“I’m sure you all have cases you can recall where issues have occurred involving some detail, information or security that was breached using Social Engineering techniques. I’ve been married for more than 33 years and supporting my in-laws’ IT needs for most of that time. My mother-in-law, in her 80s, was recently persuaded over the phone by a young man “claiming” to be from Microsoft to provide $285 on her credit card to resolve non-existent problems on her computer. After I explained to her that it was a scam and there was nothing at all wrong with her computer, they contacted her a second time and convinced her to pay yet more money, despite having been told they were cyber criminals and she had paid the money for nothing at all. Their ability to convince her to pay appears to have been better than my ability to show her and explain she had wasted her money. A poor example of business risk, but a very good example of how widespread and effective Social Engineering is, and how less proficient computer users and generally older people are at greater risk.” Read the rest of the article here.
January Patch Tuesday Summary
Microsoft issued seven security bulletins Tuesday, addressing eight vulnerabilities, and here are the breakdowns by Symantec and Qualys. More info here.
Who Are The Go-to Cybersecurity Help Groups?
Mike Cooney at the Layer 8 Blog wrote: “There are a ton of groups out there that offer cybersecurity help and guidance; the trick, it seems, is finding the right one for your organization.
The Government Accountability Office this month issued a report on just that notion saying: "Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Greater knowledge of the guidance that is available could help both federal and private sector decision makers better coordinate their efforts to protect critical cyber-reliant assets."
“Such information though is valuable in that these myriad groups offer guidelines and principles as well as technical security techniques for maintaining the confidentiality, integrity, and availability of information systems and data, the GAO stated.
"When implementing cybersecurity technologies and processes, organizations can avoid making common implementation mistakes by consulting guidance developed by various other organizations. Public and private organizations may decide to voluntarily adopt this guidance to help them manage cyber-based risks," the GAO stated. Who are some of these key organizations?” Read the story at NetworkWorld.
Why Internet Crime Goes Unpunished
Roger Grimes, InfoWorld Security Pundit tells it like it is: “Until we make the Internet secure, cybercriminals will continue to pull off high-value, low-risk offenses. For cyber criminals, the idiom "crime doesn't pay" is laughable. Internet crime is worse than ever, and the reasons are clear: It's highly lucrative and far less risky than, say, an old-fashioned bank heist. Until we take the necessary steps to increase the risk and lower the value of cybercrimes, we won't be able to stop them.
To fully appreciate the risks and rewards of cybercrimes versus traditional crimes, consider the following statistics from the FBI: In 2010, bank robbers pulled off 5,628 heists and ran off with $43 million. The average robbery netted $7,643.” Now, read the rest of the article (not long) and check out the Internet crime stats. They make old-fashioned bank heists seem like amateur work -- scary.
Are Passwords Better Off Dead?
This is an interesting discussion in view of the recent spate of hacking attacks, using social engineering tricks to get passwords and break into large company domains:
“Cormac Herley, a principal researcher at Microsoft Research, says passwords aren't dead but they need fixing. I think passwords are better off dead. Hell, even Bill Gates called for the death of passwords, and that was six years ago. My Network World colleague Tim Greene wrote about Herley's thoughts recently and this is some of what he said. While many call for replacing passwords altogether with something else, they may be doing so based on little or no hard evidence, says Cormac Herley, a principal researcher at Microsoft Research. Keystroke logging, brute force attacks, phishing and session hijacking are all used to get around passwords, but it would be impossible to draw a pie chart of how much each method was used because nobody knows, he says in a paper on the subject. "We don't know the slice sizes not even approximately," he says. In addition to finding out, he recommends other steps that could make password use more effective”.
2011 Was The Year Of The Cybercriminal
Yes, I am a Roger Grimes fanboy. He’s a great writer and usually spot on when it’s about security. This article summarizes the last year, and why it was a great year for cyber criminals: “Cyber crooks raided networks, pillaged data, and wreaked havoc in 2011, thanks to our persistently shoddy IT security practices.” It’s a great little article that clearly summarizes our collective sins, and puts the finger on the sore spot. Very instructive.
Fave links & Cool Sites