Apparently that bar isn’t quite low enough for most. Venafi and Echelon One recently teamed up to survey 420 businesses and government agencies to determine how well they follow security best practices and found that more than 75 percent do not perform periodic security and compliance training.
Venafi CEO Jeff Hudson elaborated on the survey results in an interview with Infosecurity. “What was surprising was the poor state of training for those humans. Since humans are the weak link, they are not getting trained very well, and turnover is high, the problem only gets worse.”
KnowBe4, an information security training provider, echoes the findings of the Venafi / Echelon One survey. KnowBe4 claims many organizations are not investing in security training programs, and the result is a workforce that is more susceptible to phishing attacks and other security threats.
A statement from KnowBe4 describes an experiment, the FAIL500 Project, conducted by the company. “KnowBe4 sent non-malicious simulated phishing emails to employees at more than 3,000 companies featured in the Inc. 5000; and at 485 of those firms, one or more employees clicked the email.”
Further study showed that companies that conduct formal information security training significantly reduce this behavior, cutting the likelihood of a successful phishing attack by as much as 75 percent. Over time, with reinforcement, that figure can be brought to virtually zero.
A research study by BullGuard found that 42 percent of respondents had posted their birth date online. It also found that 18 percent had shared their phone number and 24 percent had posted their children’s names. More concerning, more than a third of those who use Facebook or Twitter admit to announcing on those networks when they will be away for a vacation or long weekend, potentially alerting criminals that their homes are empty.
“Though this sort of information may seem harmless to share with others, much of it is commonly used as security questions when accessing an online bank or confirming identity over the phone,” says Claus Villumsen, internet security expert at BullGuard. “It’s also a bad idea to publicize the fact that you will be away for any period of time, especially if the house will then be empty, as this just gives more information to would-be thieves as to your whereabouts.”
BullGuard provides some basic precautions that you should consider to protect your personal information and use the Internet and social networks safely:
The NSS Labs press release about the study explains:
Socially engineered malware (SEM) remains the most common security threat facing Internet users today, claiming one third of internet users as victims. These attacks pose a significant risk to individuals and organizations by threatening to compromise, damage, or acquire sensitive personal and corporate information. European and American users have found themselves particular targets of malware authors over the last 12 months. North America has consistently been the primary host of malicious URLs, while users in Asia have been victims of the greatest number of malicious URLs.
Cybercriminals are taking advantage of the implied trust relationships inherent in social networking sites (Facebook®, MySpace™, Badoo, StudiVZ, Skyrock, LinkedIn®, renren, Kaixin001 (a.k.a. Happy Net), 51, Multiply, Cyworld, Orkut, Mixi, etc.) and user-contributed content (blogs, Twitter™, etc.) which allow for rapid publishing and anonymity. Furthermore, the speed at which these threats are “rotated” to new locations poses a significant challenge to security vendors.
NSS Labs found, “With a unique URL blocking score of 99.9% and over-time protection rating of 99.2%, Internet Explorer 9 was by far the best at protecting against socially-engineered malware.”
The full Web Browser Security Comparative Test Report against Socially-Engineered Malware is available for download from NSS Labs and contains all the details.
If you want to win a cyber war, just as in a physical war, several factors matter. Planning is your first priority, but flexibility is nearly as important: you must be able to adapt as quickly as your enemy, and it’s no secret that many wars have been lost through an inability to adapt. When you begin thinking about modern network security threats as a war and not as a single attack, you will find that dealing with them requires a continuous, ongoing process rather than an individual defensive action. There are three phases to working your way through a war of this nature: Discovery, Investigation, and Remediation. Your speed and efficiency in moving through this “Integrated Threat Management Cycle” will decide your fate.
When you don’t know what you don’t know, you are in the discovery phase. In a sense you should always maintain a discovery posture, because you will never know everything about the enemy’s tactics or the nature and state of the threat. In some cases there will be no specific intelligence to feed into discovery; in others you may have external indications. For example, you may be able to obtain intelligence about the tactics and techniques your enemy has used against other organizations in your industry segment from industry trade groups, peer organizations, or government agencies. And in some cases you may have specific, directly applicable intelligence, such as the command-and-control communication behavior of endpoints compromised by a threat that successfully targeted your organization in the past.
Once you feel you can accurately identify threats using that intelligence, you are ready to move into the investigation phase. Your main focus here is to capture, store, and analyze information about the threat. If you do not yet have threat-identification rules in place to monitor your networks, writing them is your first objective in this phase. Once a network session violates one of those rules, a large amount of information about that session should be captured and stored so that it can be displayed and analyzed. Advanced threats leave what I like to call trails on your network, and this is the phase in which you “follow the trails”.
Once you are confident you can identify the threat’s network behavior with high accuracy, you are ready to launch a coordinated remediation campaign. Prevention is the goal here: you must block the target behavior with the same accuracy with which you detected it. This lets you move from a monitoring posture to a prevention posture.
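As an added example (not from Bertone’s article and not Fidelis code), the following Python sketch runs one turn of the Discovery, Investigation and Remediation cycle described above over constructed connection records. The indicator list stands in for discovery intelligence; two threat-identification rules (a known-indicator match and a beaconing heuristic) do the investigation and keep every violating session as the trail; remediation then emits block rules only for behaviour identified with high confidence, leaving behavioural-only hits in a monitoring posture. The indicators, thresholds, rule syntax and sample records are all assumptions made for illustration.

```python
"""Added example, not from the article: one pass through the
Discovery -> Investigation -> Remediation cycle over constructed
connection records. Indicators, thresholds and rule syntax are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Discovery: intelligence gathered before we look at our own traffic.
# Constructed indicators; they describe no real campaign.
C2_DOMAINS = {"update-check.example-c2.net"}
C2_IPS = {"203.0.113.45"}          # TEST-NET-3 address, constructed
BEACON_MIN_SESSIONS = 4            # heuristic thresholds, assumed
BEACON_MAX_JITTER = 0.15           # pstdev/mean of gaps between sessions


@dataclass(frozen=True)
class Session:
    ts: int          # epoch seconds
    src: str         # internal host
    dst_ip: str
    dst_host: str    # empty when no hostname was observed
    dst_port: int
    bytes_out: int


@dataclass
class Finding:
    rule: str        # which threat-identification rule fired
    src: str
    dst: str
    sessions: tuple  # the full trail, kept for later analysis


def _dst(s):
    return s.dst_host or s.dst_ip


def rule_known_indicator(sessions):
    """Investigation rule 1: destination matches discovery intel."""
    hits = defaultdict(list)
    for s in sessions:
        if s.dst_host in C2_DOMAINS or s.dst_ip in C2_IPS:
            hits[(s.src, _dst(s))].append(s)
    return [Finding("known-c2-indicator", src, dst, tuple(v))
            for (src, dst), v in hits.items()]


def rule_beaconing(sessions):
    """Investigation rule 2: near-constant callback interval to one host,
    which catches command-and-control behaviour with no prior indicator."""
    by_pair = defaultdict(list)
    for s in sessions:
        by_pair[(s.src, _dst(s))].append(s)
    findings = []
    for (src, dst), group in by_pair.items():
        if len(group) < BEACON_MIN_SESSIONS:
            continue
        ts = sorted(s.ts for s in group)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= BEACON_MAX_JITTER:
            trail = tuple(sorted(group, key=lambda s: s.ts))
            findings.append(Finding("periodic-beacon", src, dst, trail))
    return findings


def investigate(sessions):
    """Run every rule and return all findings with their trails."""
    return rule_known_indicator(sessions) + rule_beaconing(sessions)


def remediate(findings):
    """Turn findings into actions. Only behaviour identified with high
    accuracy (a confirmed indicator) is blocked outright; a behavioural
    hit on its own stays in a monitoring posture until it is confirmed.
    The action syntax is hypothetical."""
    rules_by_pair = defaultdict(set)
    for f in findings:
        rules_by_pair[(f.src, f.dst)].add(f.rule)
    actions = []
    for (src, dst), rules in sorted(rules_by_pair.items()):
        verb = "block" if "known-c2-indicator" in rules else "alert"
        actions.append(f"{verb} src={src} dst={dst} reason={','.join(sorted(rules))}")
    return actions


# Constructed proxy/flow-style records, not real traffic.
SAMPLE_SESSIONS = (
    # 10.0.0.5: exactly every 300 s to a known C2 domain -> both rules fire
    *[Session(1_700_000_000 + 300 * i, "10.0.0.5", "198.51.100.20",
              "update-check.example-c2.net", 443, 512) for i in range(5)],
    # 10.0.0.7: one hit on a known C2 IP with no hostname -> indicator only
    Session(1_700_000_100, "10.0.0.7", "203.0.113.45", "", 8080, 2048),
    # 10.0.0.11: ~60 s cadence to an unknown host -> beacon only
    *[Session(1_700_000_000 + t, "10.0.0.11", "198.51.100.77",
              "cdn-stats.example.org", 443, 300) for t in (0, 61, 120, 182, 240)],
    # 10.0.0.9: irregular browsing to a benign host -> nothing
    *[Session(1_700_000_000 + t, "10.0.0.9", "198.51.100.9",
              "www.example.com", 443, 9000) for t in (0, 45, 400, 410, 1000)],
)

if __name__ == "__main__":
    found = investigate(SAMPLE_SESSIONS)
    for f in found:
        print(f"{f.rule}: {f.src} -> {f.dst} ({len(f.sessions)} sessions)")
    print("\n".join(remediate(found)))
```

The beaconing rule is the piece that does discovery work on your own traffic: host 10.0.0.11 matches no indicator, so it only raises an alert, but the trail it produces (the destination and its cadence) is exactly what you would turn into a new indicator once an analyst confirms it.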
Now that you are approaching security threats like a war, you are sure to be more prepared and ultimately, better able to deal with anything that comes your way.
By Kurt Bertone, Vice President and Security Strategist at Fidelis Security Systems
Core Security Technologies announced the first security test and measurement solution that safely replicates sophisticated real-world attacks against popular smartphones to meet the demands of enterprises to lock down their mobile infrastructures. CORE IMPACT Pro v12 penetration testing software can pinpoint security holes in Android, BlackBerry and iPhone mobile devices to help prevent the theft and compromise of sensitive enterprise data stored on or accessible through them–including phone call and SMS information, contacts and GPS location data.
“With budget cutbacks, many companies are discontinuing the supply of company-issued cell phones and allowing employees to use their personal devices to connect to the system. It is inevitable that we are, as a society, continuing to become a fully dependent mobile world with a variety of devices at our fingertips,” said William R. Whitney III, operations and technical services manager, Garland Power & Light Operations. “With Core’s new mobility testing feature, we can now feel a little sense of security with employees using their personal devices, and have the data to prove whether or not the devices are secure. Core is on the right track because they value my opinions and that helps to provide the technology I need in order to effectively protect a public utility.”
Specifically, the report highlights:
· Data from the Microsoft Exploitability Index, including a breakdown of the ratings numbers since the Index launched in October 2008 and analysis of how the Exploitability Index can help reduce the need to urgently deploy some security updates.
· Updates to the Microsoft Active Protections Program (MAPP), including testimonials from MAPP partners.
· Behind-the-scenes look into Microsoft Vulnerability Research (MSVR), including how the company investigates third-party vulnerabilities and coordinates the release of security updates.
· A summary of the announcements made about Coordinated Vulnerability Disclosure (CVD) over the past year, including customer testimonials about CVD.