About

Subscribe to InfoSec

  • Enter your email address:

    Delivered by FeedBurner

Bookmark and Share

Recent Posts

Westfield Links

Westfield Blogs

Categories

Blogroll & other links

« May 2009 | Main | July 2009 »

June 2009

30 June 2009

Not a “Thriller”

Hours after the death of Michael Jackson, the first wave of spam began hitting in-boxes. Currently the email, with a subject line “Confidential – Michael Jackson”, is not pitching a product or directing you to a malicious website but it is trying to get people to reply to capture email addresses.

Graham Cluley, a Sophos senior technology consultant, said “Undoubtedly we'll see more with Jackson. Actually, spammers and hackers have done Jackson before. Several years ago they pitched a breaking news story, claiming that he had attempted suicide."

Right now, there are only guesses as to what hackers may do to use the pop singer’s death as a means to deploy bots. One thought was top-secret hospital footage to get you to download software to view it.

You should also use caution with results from searches run with the singer’s name. There has already been search engine manipulation relating to Farah Fawcett who also just recently passed. Criminals will create web pages with keywords and news stories in order to get them to the top of search lists. If you go to one of the sites, they drop malware on your box.

The best thing that you can do is be cautious, update your virus definitions and OS patches. Don’t just install any software. 

You can read the full article @ http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9134895&taxonomyId=17&intsrc=kc_top

Posted by Jeff Gibson | | Comments (0) | TrackBack (0)

| | | | |

23 June 2009

Social Networks: The Good, The Bad and The Ugly

Where were you on June 9, 2009 at 10:22am?  At that moment in history, the 1,000,000th word was adopted into the English language.  What was that word?  Web 2.0.  Now you are probably asking yourself, I’ve heard of Web 2.0 well before June…why are we only adopting it now?  Well, the Global Language Monitor has certain criteria by which they judge; but that is well beyond the scope of our discussion here.

So what is Web 2.0?  It has nothing to do with the technology or domain naming.  Mostly it is about the dynamic content and the way users interact with the Internet.  Remember how your parents read the newspaper every evening or watched a newscast on television?  The information flow was one way.  Web 2.0 is about sharing information, opinions and experiences.  You live with Web 2.0 everyday and you probably don’t even know it.  Have you read a review on Amazon?  Have you commented on a news article?  Those are just a couple examples of user provided content.  Websites such as Facebook, Twitter and MySpace, YouTube and other social networks are the big names in social networks or Web 2.0 but there are countless others.  You may think that because you don’t have a Facebook account or don’t visit social networking sites that you, your family or business are immune from anything harmful; you better think again.

The Good

Rather than jump right into the bad or ugly, let’s first discuss how social networks can be good.  Social networking or social media IS the future of communication.  Rather than wait for the newspaper to be delivered, you get news as it happens by the people who are experiencing or involved in the situation.  Remember the US Airway’s flight that landed in the Hudson River?  Well before the media had a chance to deploy reporters to the scene, passengers on the flight were posting pictures and updates through their Twitter account.  Companies are using social networks as a tool to market their brand.  Have you heard of Blendtec?  How about “Will it Blend?”  Blendtec CEO, Tom Dickson, became an instant celebrity when he began posting videos of his blender destroying things like iPhones, Guitar Hero guitars, etc on YouTube.  It also helped them sell a lot of blenders.  Even Westfield Insurance uses LinkedIn and Facebook to find talent, as well as, communicate promotions and events.  Blogs such as this one and the Westfield Loss Control Blog are another way that companies can reach out to current and potential customers.  Internally, employees can network between departments giving them a feeling of being more than just another “employee.”

The Bad

Those were just a few examples of how social networks can be beneficial to a company. What are some of the drawbacks?  First, it is difficult to balance a work culture that embraces social networking while ensuring that it does not impact productivity.  It is increasingly more difficult to monitor or limit these activities as social networks extend beyond the desktop and onto cell phones.  Additionally, companies may have a difficult time restricting or limiting the content that employees post.  A disgruntled employee may post negative information about their employer for all to see.  Companies may have human resource policies when it comes to employees posting information about their employer; but how does a company draw a hard line in the sand between moral, religious and political biases and freedom of speech?  Social networks are making it difficult for companies to separate an employee’s business relationship and their personal lives.  On the other hand, employees are learning that inappropriate use of social networking may allow a company to terminate their employment.

The Ugly

So your company is on the cutting edge of technology and you have an HR policy that addresses social networks; is that enough?  Not quite.  Aside from the fact viruses, Trojans and other malware have found a new distribution vector; there are many other security concerns.  Data Loss Prevention is among the top as employees may maliciously or accidentally distribute sensitive company information.  Depending on the leaked information, your company may be faced with regulatory fines and requirements such as privacy breach.  Even if the information isn’t overtly sensitive, information may trickle that may give a hacker or your competitors an inside advantage.  Take for example your network administrator who blogs and/or posts questions about Cisco routers and firewalls.  A hacker may use that inside knowledge to target the vulnerabilities specific to Cisco products.  I am sure there are additional threats that remain to be discovered.

Conclusion

Whether your company has adopted or is blocking social networks; it is probably time for a revisit.  While the inherent risks and productivity impact of social sites such as Twitter, Facebook, etc. are good reason to not allow them in the work environment; you may find that people are spending more time on their cell phones texting or other social activities.  It is difficult to balance a no tolerance policy for social sites while allowing shopping or other entertainment sites while on company time.  Blocking all non-work essential sites has proven time and time again to reduce employee morale; which in turn has greater impact in reducing productivity.  If you feel your company is behind in addressing this issue, don’t feel alone.  Many companies are working struggling to weigh the risk versus the reward.  We would love to hear how your company handles social networks. Please make a comment or contact us at infosec@westfieldgrp.com.

Posted by John Doan | | Comments (1) | TrackBack (0)

| | | | |

15 June 2009

Securing the future

Today was a day for milestones... I've reached 10 years with Westfield and my 8 month old starting saying da da. 

10 years ago information security meant keeping up with anti-virus, and making sure you sent your e-mail to the right person.  People were concerned about locking their doors, and making sure their checkbooks were still in their possession.  Schemes weren’t as complex as they are today.

 

Today information security is almost as complex as the brain teasers you can pick up at the local toy store.  You still need to keep your doors locked, but now you need to make sure you clean the circle the GPS device leaves on your windshield so your car doesn't get broken into.  You also need to shred every document which could remotely leak your identity.  If that's not enough, you need to keep your computer as secure as Fort Knox, with anti-virus software, personal firewalls, anti-spyware, anti-spam, and quite a few more anti-products that are widely available.  If people are willing to dig through trash cans, and spend countless numbers of hours creating viruses what could tomorrow hold in store?

What is information security going to be like in 10 years?  Will your home computer be joined by many other devices requiring all of the anti products above?  Will your car need them, so a hacker doesn't program it to follow their car back to a chop shop?  Will you have to use your fingerprint to access any computer information, including your email?  Will your cell phone be capable of communicating with a maintenance robot doing your laundry, as it senses an intruder breaking into your home? 

 

The message here is that we don’t know what is coming next, but it doesn’t mean that we can let our guard down.  The best we can do is to educate ourselves and others to help protect the future and prepare for the unexpected.

 

I'm interested in hearing others thoughts on this topic?  Please drop a comment, and help us keep the future secure.

Posted by Jake Harris | | Comments (0) | TrackBack (0)

| | | | |

09 June 2009

Don't Toss that Paper !

In today's post, I want to remind everyone that the proper protection and disposal of printed information is equally important as the protections we place on information stored on electronic media. 

In the past, business was conducted primarily with paper acting as the primary mechanism for information storage and processing.  Businesses had "clean desk" policies and their file cabinets were locked up at night when they were not in use.  Only the appropriate people had the file cabinet keys.  Files and documents were taken and shredded when they were no longer needed.

As we all know too well, technology has forever changed the way businesses work, introducing automation, database processing, the Internet and all the benefits that go with these advancements.  Protective controls have also evolved along with technology such as; system passwords, Role Based Access Control, file encryption, etc... 

There has been a tremendous focus on the protective controls for electronic information but we have to remember that paper has not been completely replaced yet (if it ever will be).  All the rules that made sense in the past still make sense today, but in some cases we have stopped practicing them.  Agreed, it is much more damaging to a company to have a million pieces of information  from a database be sent to a hackers website, however, you may be in a privacy breach situation if someone steals a folder of printed customer information containing SSN's, credit card numbers or account numbers.  Even a report of employees and their personal information, that is lost or improperly disposed of, might also place you in a breach situation.  The new laws are tough and they do not care if information was lost on a disk drive, backup tape or paper report.  One thousand records lost on an unencrypted USB drive is just as bad as one thousand records lost through someone "Dumpster Diving" and finding last months discarded report.

Please remember to physically protect all reports, printed e-mails. photocopies of receipts and other paper materials.  Lock them up and only access them when needed.  Shred everything before throwing them away -or- place all paper into specially designated paper disposal bins (if your company has them - we do at Westfield).  Many companies have worked out recycling arrangements so you can safely dispose of your paper and help the environment at the same time!

Protect information on paper as you protect information on electronic mediums. Don't think that it isn't important because it is on paper.

Posted by Bill Murray | | Comments (0) | TrackBack (0)

| | | | |

01 June 2009

Internet Domain Names

    Internet domain names such as www.westfieldinsurance.com are managed by the Internet Assigned Numbers Authority (IANA) on behalf of the U.S. Commerce Department. The US government therefore has the ultimate authority to review or revoke any decision as it pertains to domain names.

    This authority has European allies and Third World countries placing pressure on the current administration to surrender this control as the central manager of key aspects of the Internet. Other countries are pushing for more control. It would be a mistake to change America’s role of managing the Internet.

    There are persistent proposals to break IANA and the U.S.government in favor of an international body like the United Nations or International Telecommunication Union to direct IANA. There have been no serious complaints about American administration of the Internet. If this role was relinquished this could present difficulties.

    One serious difficulty in relinquishing control of Internet domain names could be the ability to restrict content on the Internet. Many governments already attempt to control speech on the Internet. If control is given to an international organization, we can expect attempts of censorship of Internet content.

    Most countries lack our First Amendment right, and if we wish to protect free speech, we should not let Internet domain names be subjected to foreign standards. Many other countries already have government-imposed restrictions on Internet speech.

    American supervision of Internet naming is no accident. Much of the world’s telecommunications infrastructure was developed by national post offices. Our development of private infrastructure, including railroad and telephone networks, made America fertile ground for Internet development. The extent to which the Internet is de-centralized and self-governing is because Americans expect society to work that way.

    It is only natural for other countries to resent the United States for controlling Internet administration of domain names and demand more control themselves. But if we believe in freedom of speech, we need to keep control of the Internet away from foreign countries that do not value it as we do.

Posted by Jeff Gibson | | Comments (0) | TrackBack (0)

| | | | |