Showing posts with label Security management. Show all posts

Wednesday, November 10, 2010

New Mobile Banking Flaws Demonstrate Buyers Must Be Skeptical About Security Claims

In our latest Weekend Patch and Vulnerability Report, we warned readers that significant vulnerabilities had been discovered in mobile banking applications from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade. According to The Wall Street Journal and Yahoo News, the vulnerabilities discovered by viaForensics could potentially allow a hacker to learn your username, password, and financial information. Information could be stolen just by visiting a malicious website.

The report that critical vulnerabilities had been found in mobile banking applications brought to mind my blog post last September when I discussed the wisdom of mobile online banking with my friend, Biz Coach, Terry Corbell. In my interview with Terry on his blog I had said “I recommend that consumers ignore any and all attempts to induce them to use their phones for online banking.”

Needless to say, Terry received a scathing comment to that blog post from a marketing representative in the mobile banking industry. The commenter was absolutely positively certain that mobile banking was secure, that the software had been thoroughly tested and vetted, and that I didn't know what I was talking about.

With this week's story, it turns out that I was the one who knew what he was talking about, not the mobile banking guy. But this blog isn't about who's right and who's wrong. This blog is about learning from experience, particularly that when it comes to cyber security we all need to be a lot more intellectually humble when we talk about how secure something is.

Right now, the cyber criminals are winning. They are winning in part because too many people have a false sense of their own security. They have this false sense of security because they haven't "been there, done that." I have.

For me it was a no-brainer that significant security vulnerabilities were going to be found in mobile banking applications. I had worked for several years in the aerospace industry securing critical national security software. Before that I had been a research mathematician studying the logic of computer programs. And, as Yogi Berra said, "You can observe a lot just by watching."

I can remember the day we found a critical vulnerability in Cruise missile software that might have kept us from successfully responding to a nuclear attack. I know the managerial, political and especially intellectual challenges we went through to be in a position to catch that mistake. And that's just one example of how experience has taught me that writing high quality software is incredibly challenging (and expensive).


We're taught that pride goeth before the fall. That is certainly true in the battle against cyber crime. That's why perhaps the most important thing I learned in trying to prevent, find and fix critical logic errors in complex software is intellectual humility.

Intellectual humility is the ability to suspend our own belief in something we normally believe in, like the attorney hiring another attorney to find weaknesses in his argument or the doctor seeking a second opinion to look for holes in his diagnosis.

Most of us develop a normal amount of intellectual humility in those areas of our greatest expertise. We understand and appreciate just how hard it is to do the things that we are accustomed to doing and we learn through experience how to pay detailed attention to the things we need to do to do our job.

The challenge is that, human nature being what it seems to be, our intellectual humility doesn't easily carry over to domains where we lack firsthand knowledge and experience. We tend to over-simplify in those places we know little about. This isn't usually a problem: any intellectual humility I might lack regarding how dangerous lions are is mitigated by the fact that I am under no threat from a lion. Unfortunately, when it comes to cyber security, because we're all on the Internet it's as if the lion is right next door. And he's hungry.



We can't expect a marketing representative in the mobile banking industry to have tested communications software controlling our nuclear missiles any more than we can expect the CEO of a bank to have written cyber security software requirements for an advanced military intelligence system. Nor can we expect the people who run our business IT networks to have the same sensitivity to security that we had 25 years ago when we designed a secure network for the Strategic Air Command.

You can see where the danger is in this, since these are the same people who influence (and often make) buying decisions about software that we use to manage money and sensitive information; software that has to be adequately secure to protect the money and information it touches. And, lacking the experience, these otherwise well-meaning men and women don't understand the necessity of being intellectually humble in the presence of complex software.

That's why people who have to make decisions about cyber security management must maintain their own healthy skepticism, resisting any temptation they may have to believe cyber security claims, whether from marketing people, their banks or their own internal IT staff. Ronald Reagan is famous for saying: "Trust. But verify." Do him one better: drop the trust.


© Copyright 2010. Citadel Information Group. All Rights Reserved.

Monday, October 4, 2010

"Go Blue" Ends D.C. Online Voting Trial

The Washington Post reports that—as part of a security test—a team of students from The University of Michigan hacked D.C.'s new Internet-based voting system. The "White Hat" hackers from Michigan compromised the system so that after a vote was cast the Web site played The University of Michigan fight song, "The Victors."

According to the Post, Jeremy Epstein, a computer scientist working with the Common Cause good-government nonprofit on online voting issues said "the fight song is a symptom of deeper vulnerabilities. ... In order to do that, they had to be able to change anything they wanted on the Web site."

Because of the hack, Paul Stenbjorn, the Board of Elections' chief technology officer said a portion of the Internet voting pilot—which was expected to be rolled out this month—is being temporarily scrapped.

The good news, of course, is that to ensure election integrity, D.C. took the opportunity to open its election web site to community testing. That the vulnerability was found and exploited by a team of students from my alma mater is icing on the cake. That they rigged the system to play The Victors is the maraschino cherry on top. Go Blue!

The bad news—and one that every organization having a web site has to pay attention to—is that web sites, like software everywhere, are buggy. That's why this story is a good reminder to all organizations of the importance of effectively managing cybersecurity risk.

Friday, October 1, 2010

October is National Cybersecurity Awareness Month

October 2010 marks the seventh annual National Cybersecurity Awareness Month. This year's theme—Our Shared Responsibility—reflects two facts about cybersecurity:

1. The cybersecurity threat has become one of the most serious economic and national security challenges we face. America’s competitiveness and economic prosperity in the 21st century will depend on effective cybersecurity. Every business, not-for-profit, school, government organization and individual is at risk.

2. Every Internet user has a role to play in securing cyberspace and ensuring the safety of ourselves, our families, and our communities online.

Cybersecurity Awareness Month is sponsored by the National Cybersecurity Alliance (NCSA)—a nonprofit dedicated to fostering a culture of cybersecurity—along with the U.S. Department of Homeland Security and the Multi-State Information Sharing and Analysis Center, a cybersecurity prevention and protection collaboration for state and local governments.

As cybersecurity management consultants, Citadel Information Group is proud to join with the Los Angeles Chapter of the Information Systems Security Association, ISACA-LA, InfraGARD-Los Angeles, the LA Chapter of the Open Web Application Security Project (OWASP), and other Los Angeles information security organizations in working together to help keep our community safe from cybercrime.

Saturday, September 4, 2010

What's More Powerful than a Strong Password?

Keyloggers are computer programs that capture every keystroke a user types. This includes user-ids and passwords to sensitive information, like a user's online bank account. When used by cybercriminals, these captured keystrokes are secretly transmitted back to the cybercriminal for their own dishonest use.

It was a keylogger that enabled cybercriminals to steal $400,000 from Village View Escrow last March. (See our blog post: e-Banking Bandits Target Title and Escrow Companies.) Most, if not all, of the online bank theft stories we've covered involve a keylogger used to steal online bank credentials.
 
There are several ways users can get their computers infected by a malicious keylogger. They are often surreptitiously installed as part of a virus or malware attack. Inadequately protected web sites can infect visitors with a keylogger. (See our blog post from April: Visitors to Web Sites Hosted by Network Solutions Again at Risk and August: Network Solutions Once Again Serves Up Malware.) There are even physical keyloggers that can be installed on a user's workstation.

There are three specific things you need to pay attention to in order to keep a malicious keylogger off your workstation:
  1. Diligently keep your workstation updated with security fixes. This includes your operating system (Windows or Apple), your application programs (like Adobe Reader), and your browser add-ons (like Flash).
  2. Keep your anti-virus and anti-malware software up to date. Consider a modern intrusion prevention system able to counter the attacks that get by your anti-malware defenses.
  3. Be very suspicious of emails, particularly those containing attachments. If the email is not from someone you know and is not something you expect, then treat it the same way you would treat a suspicious package you discover ticking in an airport bathroom.

Today's New York Times has an up-to-date overview of some new thinking about password security: A Strong Password Isn’t the Strongest Security.

Tuesday, June 29, 2010

New CyberSecurity Study says "Most senior execs unaware of impact from cyberattacks." ISSA-LA Committed to Doing Something About It.

According to an article in USA Today, a new Ponemon Institute poll of 591 technology managers shows that 83% indicated their organization has been a recent target of advanced threats while 81% felt that senior execs lacked awareness of the seriousness of advanced threats. Our experience confirms the validity of these statistics. The cybercrime problem is only going to get worse as more and more small and medium size businesses fall victim to online bank fraud.

The biggest challenge we see is helping the men and women who have to dedicate resources (people or money) understand (1) why they need to improve the security of their information systems, (2) the basic steps involved in improving systems security, and (3) the ancillary competitive benefits they can get from improved information systems security management.

It's to meet this challenge that we in the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) have embarked on an aggressive Community Outreach Program. Our objective is nothing less than to raise information security awareness throughout the Los Angeles community. This is the most important thing we can do to help our community protect itself from the scourge of cybercrime. Having successfully concluded our 2nd Annual Information Security Summit we know the time is right to bring the community together around this problem and we are dedicated to doing so.

Tuesday, June 22, 2010

Security Risk: Time to Move Off Windows XP SP2

Microsoft will stop supporting users of Windows XP SP2 as of July 13, 2010. This means that the company will no longer provide security patches for SP2. All Windows users should immediately upgrade to SP3 or Windows 7. According to a Computerworld article, Windows XP SP2 is still in use in more than 75% of organizations, with 36% of the PCs in every organization running SP2.

Monday, June 14, 2010

Free WiFi at Starbucks — Reminder of Cybersecurity Risk

The New York Times reports that Starbucks will begin offering free WiFi on July 1. This makes it a good time to remind everyone about the need to be cautious when using public WiFi. While the most common risk is eavesdropping, one cannot overlook the risk of computer compromise. Here are five basic rules anytime you're on a WiFi network whose security cannot be verified:
  1. No online banking or other eCommerce
  2. No email containing sensitive information except via an approved encrypted link from PC to Mail Server
  3. Keep anti-virus or (better) host intrusion prevention software up-to-date
  4. Make sure software patches are up-to-date
  5. Use a VPN for access to the office

Thursday, April 22, 2010

White House Moves to Focus Cybersecurity Strategy on Protection, Not Auditing

In a sign that the traditional information security audit was failing to control increasing cyber-risk, the Office of Management and Budget has ordered federal agencies to adopt a real-time approach to cyber threats. According to a memo issued Wednesday, agencies will be expected to constantly collect information on cyber threats and submit it to the Homeland Security Department, which will analyze the data and offer advice on best practices.

"Agencies have spent too much time, money and energy on generating paperwork that they end up filing away in these secure cabinets and they don't end up protecting systems," said Vivek Kundra, the government's chief information officer, in an interview published in Federal Times.

Kundra and Howard Schmidt, White House Cybersecurity Coordinator, said that the new policy points toward continuous monitoring and patching of federal systems, and also toward the deployment of cybersecurity systems that better position the government against constantly evolving threats.

Read the entire story and download the OMB Memo at Information Week ...

Wednesday, April 21, 2010

Social Engineering Case Study: Google Hackers Duped Their Victims

So how did Google and 30 other large companies get hacked? (See our blog post: Google Attacks Highlight Growing Problem of Cyber Security Threats.) Part of the answer is that the attackers duped everyone from system administrators with access to passwords to executives with access to intellectual property and other information, according to a report in the Washington Post. Social engineering attacks, where the cybercriminals take advantage of gullibility and other human weaknesses to gain illegitimate access to sensitive information, have become an increasingly common component of cybercriminal attacks.

Read the entire story at the Washington Post ...

Tuesday, April 20, 2010

China-Google Controversy Illustrates Cloud Security Risk

Terry Corbell, The Biz Coach, explores the security implications of the China-Google controversy. Terry was kind enough to quote me about particular Cloud security challenges. Here's what I told Terry:

“As the story makes clear, businesses considering cloud services like those offered by Google, Amazon and others must ‘look before they leap’,” warns Internet security expert Stan Stahl, Ph.D., Citadel Information Group, Inc. “While it’s probably obvious to look at the security provided by the cloud provider, less obvious is that the business needs to also look at that part of security that will still be its responsibility, the part of security that the cloud service provider isn’t providing,” says Dr. Stahl, as the go-to security authority. “Security can never be a matter of looking at ‘this’ or ‘that.’ Security must always be about looking at ‘this’ and ‘that’,” he adds.

Read Terry's blog ...

GAO Report Says IRS Blasé about Cybersecurity

There's so much anger at the government that I'm almost embarrassed to post this, but it's an important illustration of just how bloody hard it is to effectively manage information systems security ... and why leadership is so very important. And why, perhaps, some of the anger is well-deserved. The GAO reports that sixty-nine percent of 89 security weaknesses and deficiencies identified by the GAO during a 2008 fiscal year audit remain unresolved, and depicts the IRS' attitude toward security as rather blasé.

Read the story at Information Week ...

Wednesday, April 7, 2010

Cybersecurity Coordinator Howard Schmidt: Private Sector Key to Stopping Google-style Attacks

Speaking at CSO Perspectives 2010, White House Cybersecurity Coordinator Howard Schmidt says the information security community is right to be spooked by massive, coordinated attacks that recently targeted Google. But he believes the best defense remains in the hands of the private sector. "You guys have been carrying the water," Schmidt told attendees at CSO Perspectives 2010. "The government can do a lot to improve the nation's cyber defenses. But ultimately," he said, "the key to warding off attacks like the one Google experienced remains private-sector vigilance." ... "I see this as a whole range of threats we have to deal with -- everything from script kiddies to organized crime and everything in between," he said. "There are a lot of different actors we need to worry about, and we have to work harder to reduce the number of vulnerabilities out there so we can stop all of them, whoever and wherever they are."

Read more at Network World ...

Monday, April 5, 2010

Cyber Security Survey Finds Businesses' Most Valuable Data at Risk

The survey, conducted by Forrester Consulting, identified two primary types of information needing to be secured: (1) sales lists, strategies and other secrets conferring competitive advantage, and (2) custodial information, like credit card numbers, requiring protection. One of the conclusions of the survey: investments are overweighted toward compliance and away from protection.

Read more at eSecurity Planet ...

Tuesday, March 30, 2010

FBI: Business Can Help Fight Cybercrime by Reporting Breaches to Law Enforcement

One of the things helping cybercriminals is that organizations that have been hit don't often go to law enforcement. FBI director Robert Mueller acknowledged as much in a recent speech at last month's RSA Conference when he said that disclosing breaches to the FBI is the exception and not the rule today. The problem, according to acting deputy assistant director for the FBI's Cyber Division Jeffrey Troy, is that it helps the attackers if companies aren't disclosing breaches to the FBI or law enforcement. "We are most concerned with gathering that information and sharing it with everyone else [affected] so we can harden the systems," Troy says. "If you are not telling us you have been penetrated ... that [may be] another attack vector we can't protect everyone else from."

Read the story at DarkReading ...

Thanks to Michael Zweiback for this.

Wednesday, February 10, 2010

How to Protect Yourself from the Internet Crime Wave by Dr. Stan Stahl

Thanks to my friend and colleague Joey Tamer for posting this article of mine on her blog. You can read it in her information security blog post.

Joey provides strategic consulting to entrepreneurs in software, internet, technology and tech/media. Her blog contains a wealth of information, not just for the entrepreneur but for anyone interested in strategy.

Wednesday, January 20, 2010

NY Times: If Your Password Is 123456, Just Make It HackMe

Back at the dawn of the Web, the most popular account password was “12345.” ... Today, it’s one digit longer but hardly safer: “123456.” ... Despite all the reports of Internet security breaches over the years, including the recent attacks on Google’s e-mail service, many people have reacted to the break-ins with a shrug. ... According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.

Read more ...

Thursday, October 1, 2009

Protecting Your Business from Social Networking Attacks

Sally, the accounting manager of Acme Enterprises, a medium-sized business, regularly checked her Facebook account while at work. One day she received an email. The email said that a long-lost friend, Bob, had added her as a friend in Facebook. There was a link in the email for Sally to follow to confirm the friend request. Sally clicked the link. Over the next week, cyber-thieves withdrew nearly $1,000,000 from her employer's bank account.

Welcome to the newest, nastiest twist in cybercrime.

You see, the email wasn't from Bob and the link didn't go back to Facebook. Bob's on Facebook just like Sally is. That's how the cyber-thieves found them and discovered that they might know each other. That's also where they learned that Sally worked in the accounting department.

After that it was a simple matter to set the trap by sending Sally a friend request from Bob. "How great," thought Sally, "an email from Bob. Let me just follow this link and we can be friends again."

Link followed. Trojan horse installed. $1,000,000 stolen.

According to Breach Security, the number of web security incidents was up 30 percent in the first half of 2009. And social networking sites like Facebook, MySpace and Twitter were the target of 19% of all attacks, more than any other category. That's a big change from last year's report, when government networks were the most often attacked and social networks weren't even on the list.

Making matters worse, many of these attacks succeed by taking advantage of missing patches and using obscure technology like "0-day exploits" that get past traditional antivirus and antispyware defenses.

As if that's not bad enough, businesses shouldn't expect their banks to cover losses. Regulation E of the Federal Deposit Insurance Corporation (FDIC) stipulates that consumers are protected against losses from cyber crime involving their banks. The FDIC regulation does not cover businesses, however.

Here are five things you can do to inoculate your business against social network attacks:
1. Prohibit use of social network sites from the office. These sites can be blocked at the corporate firewall. This can become particularly challenging if employees work remotely, as it may not be feasible to block access to social networks from home computers. Making matters worse, Trojan horses are like communicable diseases, and Sally's work-at-home computer can be infected from her son's. That's why the next four recommendations are so important.
2. In addition to antivirus / antispyware defenses, add advanced defenses like intrusion detection and prevention designed to block internet-based attacks like the link in Sally's email and 0-day exploits.
3. Your IT staff can block known internet-based attacks by comparing links against a database of known bad links like www.stopbadware.org/home/reportsearch.
4. Keep your systems patched. This means not just Windows patching but all your applications, those you know about - like Office and Adobe Reader - and those you might not even know about - like Flash and Java. This also includes your Macintosh computers, as they are every bit as vulnerability-prone as Windows PCs.
5. Finally, don't expect to rely on technology alone. Users are often the weakest link, so it's very important to train them to detect the subtle signs of an attack so they can keep from becoming victims. They also need to be given guidance on what information is safe to put on a social networking site. Sally put a big bulls-eye on her back when she wrote that she works in Acme's accounting department.

There is no one thing you can do to keep from being victimized by a social network attack. Even doing all five of these isn't a guarantee, just like a flu shot doesn't guarantee you won't get the flu. But if you are diligent you can significantly affect the odds, and this should be your objective.

Thanks to our friends at Lighthouse Consulting who were kind enough to publish this in their newsletter.

Tuesday, September 15, 2009

Like Generals, in Battle Against Cybercrime IT Staff Are Fighting Yesterday's War

What's happening: A new study from the respected SANS Institute finds that as IT departments have become better at defending against yesterday's cyberthreats, cybercriminals have moved on to a new generation of ever-more sophisticated attacks.

What it means: Sensitive corporate information — including access to the corporate coffers — is not being adequately protected. The security-software company McAfee estimated that companies around the world lost more than $1 trillion to cybercrime in 2008.

What to do: Senior management must proactively manage the way IT staff manages network security. Review IT vulnerability management plans. Consider investing in a modern intrusion detection / prevention system. Since technology defenses alone are inadequate, make sure staff is trained to meet their security responsibilities and that they know cybercrime warning signals. Talk to your insurance broker about cybercrime insurance.

**********************************

Security Pros Are Focused on the Wrong Threats
By Riva Richmond
New York Times

Corporate information technology departments are prioritizing the wrong threats to their computer systems, focusing on old problems and leaving their companies open to a raft of new cyberattacks aiming at private customer and corporate information.

http://bits.blogs.nytimes.com/2009/09/15/security-pros-are-focused-on-the-wrong-threats/?hpw

Tuesday, September 1, 2009

Blog Purpose: Assist Senior Management Secure Organization Against Cybercrime Threat

“The secret of success lies in managing risk, not ignoring it.”
Merrill Rukeyser

Cyberspace has become the new Wild Wild West. Cybercriminals roam at will. They steal our money. They steal our identities. They steal our business' intellectual property. They control our computers. They threaten our children. They even threaten our national defense.

In the earlier days of the internet, threats to information systems rarely drew the attention of senior management. The mantra of the day was firewall and anti-virus. And most of the time that was enough.

That’s changed. Just glance at four of our recent bloglines:
· Cyber Thieves Steal $447,000 From Wrecking Firm
· More Business Banking Victims Speak Out
· Eastern European cyber gangs stealing millions from small to mid-size businesses through online banking fraud

These aren’t the stories of pimply-faced 14-year-olds proving their manhood by launching I Love You viruses on the still-pure internet. No. These are the stories of criminals stealing money from corporate bank accounts.

If this isn’t business at risk, we don’t know what is!

Senior management can no longer ignore the risk of cybercrime. The price of inattention has grown too high.

Senior management must take responsibility for managing the risk of cybercrime.

CitadelOnSecurity is all about how to do this.

Effectively managing cyber-risk requires understanding the cybercrime challenge. It requires knowing the information security management strategies and tactics required to meet this challenge. And it requires insightful leadership to integrate these strategies and tactics into the broader organizational culture.

It is the purpose of CitadelOnSecurity to provide you this understanding, knowledge and insight.

CitadelOnSecurity is organized into three main elements:
1. Cybercrime news stories categorized into topical elements for easy browsing. We post these stories because they say something important about the cybercrime threat and what’s required to successfully manage cyber-risk.
2. Citadel information security management guides designed to provide practical, usable information and guidance on managing cyber-risk.
3. Citadel thought-pieces—like this one—designed to provide more of a big-picture perspective about information systems security.

There’s an old saying that when life gives you lemons, make lemonade. It’s no different with cybercrime.

The lemons of cybercrime provide the ingredients for competitive advantage. As the threat of cybercrime grows, consumers and businesses alike are increasingly insisting that the organizations they do business with take effective steps to manage the security of their information. This means that organizations with strong security management will have a competitive advantage over those that do not. Thus, investments in information security management have the opportunity to translate into a positive return on that investment. Sometimes good deeds are rewarded.

Stan Stahl, Ph.D.
President
Citadel Information Group

Monday, July 13, 2009

What CEOs Don't Know About Cybersecurity: A new study hints at how often cyberthreats aren't communicated to the boss.

Forbes Magazine: Being the chief executive has its privileges. And one of them may be a blissful ignorance of your company's data breach risks.

According to a study to be released Tuesday by the privacy-focused Ponemon Institute, companies' chief executives tend to value cybersecurity just as--if not more--highly than their executive colleagues. But ... the CEOs interviewed in Ponemon's survey seemed especially unconcerned about cybercrime as a source of data breaches. While 31% named stolen PCs or thumb drives as a source of data loss, only 3% cited malicious hackers as the top threat for their company's data security--about a fifth as many as the lower level employees who cited cybercriminals as the most important threat.

http://www.forbes.com/2009/07/13/poneman-cybersecurity-breaches-technology-security-poneman.html?partner=alerts