Focused on email security, many network managers are overlooking the dangers presented by IM (instant messaging) technology. After all, IMing your sister-in-law an impromptu dinner invitation from your office cubicle seems pretty harmless. But IM in the enterprise is exploding, as 85 percent of organizations in North America report IM use, according to The Radicati Group Inc.

In the past, the security threat from IM was seen as an additional gateway to the enterprise as well as a concern for securing private corporate data. But that’s not the issue anymore. Studies estimate that IM worms and viruses are growing exponentially. In fact, Akonix Systems Inc. tracked 297 malicious code attacks over IM networks in 2007 – a 20 percent increase in IM threats over the previous year. And while 60 percent of organizations monitor and secure email, studies estimate that 90 percent of organizations lack any form of IT sanction or control for IM. That equals exposure to a rash of security threats, data leakages and legal liabilities.

James Quin, a senior research analyst with Info-Tech Research Group said, “The vast majority of companies really aren’t even aware that there’s an issue associated with IM malware. … But when you look at the fact that IM is increasingly being used as a distribution platform for malware – viruses, worms, Trojan horses – and is also a very serious threat in terms of data leakage, organizations simply can’t continue to take the track that IM is not something they need to worry about.”

Flying Under the Radar

Quin said one of the greatest dangers posed by IM is data leakage. Unlike email which is typically logged, tracked and blocked by an organization, IM communications tend to exit an enterprise outside of the watchful gaze of an IT manager. “If I’m sending something through IM on a server that’s not maintained by the company and it goes out through a generic traffic port, as far as the firewall is concerned, it’s plain old Web traffic,” he said. “It’s a bit of a sneaky way to get information out of the enterprise.”

Taking Action

There are steps companies can take, however, to wrest control of enterprise IM and to minimize exposure to security and legal threats. Here are just a handful of precautionary measures:

1. Sure, IM lends itself far more easily to informal conversation than email, rendering it a faster and lighter alternative. But is it really necessary? What business value does it deliver? The first step, said Quin, is “determining if IM is something you feel is an appropriate part of your business communication strategy.”

2. By preventing IM from being sent over public networks, companies can better manage security challenges. “Organizations should look at deploying an internal IM capability rather than using one of the freely available ones outside of the enterprise,” said Quin. Microsoft Corp.’s unified-communications suite, for example, delivers messaging capabilities, which enables companies to manage IM on internal servers and restrict communications to in-house usage.

3. Many public IM networks offer patches to protect against the latest program vulnerabilities. Network administrators need to install and update these IM patches regularly.

4. Turn to a third-party provider for high-level security protection. Symantec Corp., for example, offers an IM-management tool that secures, logs and archives corporate IM traffic on both public and enterprise IM networks.

5. “No technology should ever be deployed without a policy,” said Quin. IM is certainly no exception. Companies must establish best practices for the uses of IM and any restrictions that apply. In addition, organizations should educate employees on the dangers of IM and inform them of important precautionary measures such as storing IM passwords, communicating with unauthorized sources and refusing file transfers and attachments.

I recently sent an email about this to my friends. Here’s the post:

If you receive the below email (Get 2008 Economic Stimulus Refund – $1800), delete it! This is a scam!!!! Please be perceptive enough to check into things before you blindly believe these technological lies. Apparently, a half-witted computer tech without morals is trying to capitalize on the stimulus refund from the government. He/she will be phishing for your bank account information & SSN, and will ultimately rob you of your identity.

Email is never the primary way governments, banking institutions and major businesses communicate with you. Remember, email is like a postcard, it’s not secure unless you use encryption (to answer everyone’s question, “Am I using email encryption?” I guarantee you that you would know if you’re using email encryption because you have to install it-or login to a secure webmail server, and it only works if the other person you’re communicating with uses the same type of encryption or has a private or public encryption key).

All it takes is a few tools and in five minutes I can intercept email as it travels across the internet. Again, email is simply a postcard. As it travels anyone with the right tools can intercept and read it. Never send banking information, passwords, or Personal Identifiable Information (PII) via unencrypted email.

Here are a few free email encryption solutions:

1. Hushmail (free secure webmail solution)

2. Google Gmail Encryption with FireFox: FireGPG (You have to login to https://gmail.com when using this encryption with Gmail.) Here’s the instruction on how to setup and use FireGPG encryption with Gmail: http://www.linux.com/articles/62369

3. Greasemonkey Encryption: Firefox Extension

If you have any questions, please visit my IT Security blog at: www.itsecurityadmin.wordpress.com or email me.

Here’s the email:

From: service@irs.gov [mailto:service@irs.gov]
Sent: Tuesday, May 13, 2008 3:58 AM
Subject: Get 2008 Economic Stimulus Refund ( $1800 )
Importance: High

Over 130 million Americans will receive refunds as
part of President Bush program to jumpstart the economy.

Our records indicate that you are qualified to receive the
2008 Economic Stimulus Refund.

The fastest and easiest way to receive your refund is by
direct deposit to your checking/savings account.

Please click on the link and fill out the form and submit
before May 13th, 2008 to ensure that your refund will be
processed as soon as possible.

Submitting your form on May 13th, 2008 or later means that
your refund will be delayed due to the volume of requests we
anticipate for the Economic Stimulus Refund.

To access Economic Stimulus Refund, please click here.

© Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.

Commercial businesses, colleges and universities, government offices, and medical facilities of varying sizes share the common label of being hit by identity thieves.

167 breaches revealing over 8.3 million records happened or became public in the first three months of 2008, according to the nonprofit Identity Theft Resource Center. Targets of attacks ranged from a Vermont ski resort to the University of Georgia, and plenty of points in between.

Some of the breaches happened due to internal misuse of customer data. At Bank of the West in Washington state, a loan officer used applications from customers to steal identities. Cassidy Janosky and her mother rang up $16,000 grand in purchases like plasma TVs and electronics from a local Sears store.

Other breaches happened due to laptop theft, like that of the Florida Department of Children and Families. Five laptops stoled from their Orlando office forced them to alert 1,200 staffers that their Social Security numbers, birth dates, and other information was at risk.

Then there was the old standby, the lost backup tape. In one particularly embarrassing case, secure storage business Iron Mountain lost one with credit card information on 650,000 customers. Names, addresses, and Social Security numbers were on it as well.

Oh, there were network breaches as well. One can essentially envision an attack vector, and something probably happened along those lines, since reported incidents for Q1 2008 more than doubled what ITRC picked up on for the same period last year.

Nick Cavalancia of ScriptLogic said in commenting on the report that security pros need near-real time notification of sensitive file system events, especially in environments where regulatory compliance like Sarbanes-Oxley is a reality.

“Businesses must be able to provide reports indicating permission changes, highlighting what changes were made, who made them and when they were made,” he said. Cavalancia also recommended administrators be able to lock down the myriad devices like iPods people bring into workplaces, to mitigate data theft.

Rep. Jim Langevin, D-RI, introduced a bill on Wednesday that aims to hold the U.S. Department of Homeland Security responsible for investigating every cyber attack and for shoring up its network security.

The bill would better define the roles and responsibilities of the agency’s chief information officer, require that the department reduce the number of successful attacks against its networks and mandate that the DHS investigate the state of contractors’ network security before signing a contract with them. The bill comes after more than a year of investigations by the House of Representative’s Committee for Homeland Security into cybersecurity breaches at numerous government agencies. Rep. Langevin heads up the Subcommittee on Emerging Threats, Cybersecurity and Science & Technology, which has held most of the hearings on the issues.

“The security of our federal and critical infrastructure networks is an issue of national security,” Rep. Langevin said in a statement. “Through my many cyber hearings it has become clear that an organization is only as strong as the integrity and reliability of the information that it keeps. Therefore we must make cybersecurity a national priority.”

While U.S. government agencies have shown slow improvement, they have continued to score low grades in the annual report on their compliance with the Federal Information Security Management Act (FISMA) of 2002. Most federal agencies are behind an aggressive timetable for switching over all government desktop systems to a set of standard configurations designed to be more secure. Know as the Federal Desktop Core Configuration (FDCC), the initiative is part of a broader program known as the Comprehensive National Cybersecurity Initiative (CNCI), embarked upon by the Bush Administration in January.

The bill has been designated the Homeland Security Network Defense and Accountability Act of 2008 (H.R. 5983).

Among the many sites impacted by a massive outbreak of code injection attacks, security vendor Trend Micro suffered an embarrassing breach itself.

Not real good news for Trend Micro, but the company confirmed in an InfoWorld report.

“A portion of our site – some pages were attacked,” a Trend Micro spokesman said in the report. “We took the pages down overnight Tuesday night – and took corrective action.”

News of the widespread attacks became public when security vendor McAfee blogged about them. Over 10,000 pages suffered a compromise by code injection.

The numbers soon proved higher than reported, in a followup post, McAfee said the attack has been running for over a week, affecting over 200,000 pages.

McAfee said most of the infected sites were running phpBB, a popular open source bulletin board package. As noted previously, one of the malware packages delivered by the attack looks for online gaming passwords, as criminals attempt to steal virtual possessions and sell them for real money.

LINK:

Unfortunately, many businesses fail to take advantage of encryption technology, fearing that it’s too complex and difficult to use on a routine basis. In reality, encrypting vital data isn’t much more difficult than running a virus scanner or a data-backup program. Here’s how to get started.

The Basics

There are two basic ways to encrypt data. One approach is to use asymmetric PKI (public-key infrastructure) encryption. PKI cryptography is based on a pair of cryptographic keys: One is private and known only to the user, while the other is public and known to the opposite party in any exchange.

PKI technology provides privacy and confidentiality, access control, proof of document transmission, and document archiving and retrieval support. While most security vendors currently incorporate some type of PKI technology into their software, differences in design and implementation prevent interoperability between products.

The other method of encrypting data is symmetric key protection, also known as “secret-key” encryption. Generally speedier yet less secure than PKI, symmetric encryption uses the same key to both encrypt and decrypt messages. Symmetric technology works best when key distribution is restricted to a limited number of trusted individuals. Since symmetric encryption can be fairly easy to break, it’s primarily used for safeguarding relatively unimportant information or material that only has to be protected for a short period of time.

Applying Encryption

The easiest way to use encryption is to purchase a business application or a hardware product that incorporates some form of encryption technology. Microsoft’s Outlook Express email client, for example, provides built-in encryption support. Meanwhile, vendors such as Seagate Technology LLC and Hitachi Ltd. have started incorporating encryption technology into their hard drives.

Since most software applications and hardware products don’t include any type of internal encryption technology, business owners and managers need to look for stand-alone encryption products. This can be a confusing process, one that’s best approached by first determining the business’s precise security requirements, then finding an encryption product that fits each need.

Microsoft Vista Enterprise and Ultimate users can take advantage of BitLocker Drive Encryption, a full disk tool that offers powerful 1024-bit encryption. Another Windows offering is EFS (Encrypting File System), which uses symmetrical PKI technology to provide file encryption.

Beyond Microsoft, leading encryption vendors and products include PGP, open-source TrueCrypt, DESlock+, Namo FileLock and T3 Basic Security.

What to Encypt

So how do you know what to encrypt? Here are some places to start:

• Hard Drives: A business may choose to encrypt entire hard drives as a way to reduce or eliminate data theft.
• Individual Files: In cases where full disk encryption is overkill, file-by-file encryption provides added security on an “as-needed” basis. Many leading encryption products offer drag-and-drop encryption capabilities.
• Laptops: Unlike office systems, laptops are easy to lose and are prone to casual theft. By ensuring that the system’s data content is unreadable, a business can limit its loss to the cost of the laptop. A growing number of government regulators and insurance companies are demanding that businesses encrypt any data that leaves their premises.
• Removable Media: Memory sticks, thumb drives and similar portable storage technologies provide portability, convenience, and an opportunity for data loss and theft. As with laptops, encryption limits a business’s loss to the cost of the device itself. A growing number of removable-media devices come with built-in encryption support.
• File Transfers: Sending files over unsecured wired or wireless links can expose sensitive information to data thieves. Encryption provides an additional layer of security, even when a secured network is used.
• Email: Encrypted email is kept secure during the transmission process and while sitting in its recipient’s mailbox.
• IM (Instant Messaging): A growing number of businesses are using IM to swap confidential business information. Encryption helps secure these critical transmissions.

Encryption’s Limitations

Like any technology, encryption software isn’t perfect. Even the best products consume both processor speed and storage space. Users can also lose or forget passwords, thereby potentially locking systems forever.

Before purchasing any encryption tool, carefully research the product. Make sure that the offering addresses your company’s needs, is compatible with your systems and has a good track record concerning reliability and support. If possible, check with your friends and colleagues for their opinions on various encryption tools.

With the new year upon us, the bad guys continue to improve their computer attacks, refining their outdated techniques and introducing new twists. Let’s look at some of the trends that will likely dominate the information security threat landscape in 2008:Increasing effectiveness and complexity of large-scale botnet management
Right now, there are multiple active botnets that each contain more than 1 million infected machines. Medium-scale collections (100,000 to a million infected machines) and small-scale ones (less than 100,000) are even more numerous.

Attackers can use annoying but relatively benign schemes — like pop-up ads, spam and search bar installations — to harvest money via such an infrastructure. More insidious attacks include pump-and-dump stock scams, denial-of-service floods, phishing schemes and form-scrapers that gather bank account numbers and passwords from browsers.

With large-scale distribution of a botnet’s infected computers, these bad guys are encountering the same infrastructure problems that large enterprises have — distributed remote management en masse is not easy. However, the attackers are a crafty lot, and they are developing robust peer-to-peer communications and control mechanisms to avoid single points of failure in their botnets. Attackers are also using fast flux techniques to rapidly shift critical servers’ domain name-to-IP address mapping, making it hard for investigators to hunt down phishing Web sites, control servers and other parts of their infrastructure. Look for such peer-to-peer and fast flux techniques to be included in almost all of the big botnets — and quite a few of the small- and medium-sized ones — in the year ahead.

More event-driven, targeted email containing malware
In early 2007, the Storm Trojan infected hundreds of thousands of machines by simply duping email recipients into reading an attachment that contained the malware. The message’s subject line exploited concerns about a string of floods in Europe. The malware’s authors continued throughout the rest of the year, modulating their headlines with the latest news stories. As a result, more than 1 million systems became part of the Storm botnet.

Look for more of the same in 2008. Numerous email worms will be spread with bogus — and sometimes even real — news stories about the upcoming U.S. primary and general election campaigns, or perhaps other gripping headlines, such as war and unrest in the Middle East.

Information security practitioners should educate users to be extra diligent when reading email and viewing attachments, even from users that they know. When sharing email, users should include the text of news stories pasted in the message, instead of forwarding links or sending attachments. It’s also important to redouble efforts for effective email antispam and antimalware deployments.

Security pro Michael Cobb explains how future application development processes will be corrupted.

Mike Rothman, our resident security management expert, reveals the emerging compliance issues in ‘08.

Leaked high-profile stories of executives nailed by spear-phishing attacks
Civilian and military organizations have reported a significant number of targeted phishing incidents. The attacks use specially crafted email messages to trick a target organization’s users into visiting a site that looks friendly, but will actually attack any browser that surfs there. Some targeted attacks also include infectious email attachments.

In these so-called “spear-phishing” attacks, the bad guys trick humans into installing a Trojan horse backdoor in the target environment. With malware planted on a victim machine, the attacker has a software sentinel inside the target organization, which can be used to control that system, take over others and exfiltrate sensitive information.

Some of the attackers look for low-hanging fruit, just any old user who they can trick into providing access inside a particular organization. Craftier attackers have set their sites on more important targets: corporate officers and higher-up military personnel.

In 2008, we may see some leaked information about targeted, high-profile individuals who fell victim to such attacks. Incident handlers working on the case may inadvertently reveal more information than they should. Leaks could also be intentional, too, due to possible vendettas or legal requirements for breach disclosure. Make sure that your internal incident-handling team has a clear set of non-disclosure agreements, along with documented plans and policies for dealing with the press.

Increasing cyber-attack activity attributed to nation-states, not organized crime groups:
Spear-phishing has occurred against major U.S. and European enterprises, and many allegations have cited China as one of the attacks’ major sources. Chinese officials have countered by saying that similar attacks are waged against their country as well.

In the spring of 2007, a barrage of packet floods hit the highly wired, eastern European country of Estonia, taking down much of its electronic government and banking sites. Some observers claim that the flood was directed by the Russian government for political reasons, but the Russian government denies this and blames Russian nationalists.

This year, look for more suspicions of government involvement in cyberattacks. The continuing packet floods, cyber espionage, and infiltration of military and commercial networks will receive more press scrutiny than ever. We are now in the midst of a shift that will not supplant cybercrime, but augment it, as nation states increasingly use computer attacks to further their interests.

Decrease in disclosure rate of credit card compromise — not because of fewer breaches
If an enterprise suffers a breach that exposes personally identifiable information (PII) to an attacker, state notification laws may require an organization to alert citizens whose data was compromised. For a computer attack to be considered a breach, however, the data actually has to be exposed to the attacker. With an increasing number of enterprises using desktop and laptop encryption tools, there is a chance that attackers cannot actually view the data that they receive from a hacked system or stolen laptop.

But some desktop and laptop encryption tools aren’t very good. Microsoft’s Encrypting File System, for example, leaves clear-text copies of data shortly after it is encrypted. Some tools (including Microsoft’s EFS) only use an operating system password to protect file encryption keys, instead of a separate and carefully guarded password just for the cryptographic function or even an authentication token or smart card. If attackers can crack a user’s operating system password, they can then decrypt files with EFS and similar tools.

If an organization suffers a breach, management must discern whether there was a reasonable chance that data was exposed. Even if the data is encrypted with a weak encryption product, management will likely respond that the sensitive information wasn’t compromised.

In 2008, we may see less disclosure, but not fewer breaches. Such a trend will unfortunately hide the magnitude of real security problems. Enterprise security personnel should make sure that they use strong laptop crypto products. They should also verify and review the disclosure decision-making process with management and legal personnel.

This new year will likely spell busy times for information security professionals, as attackers continue to ramp up their abilities. Keeping up with the bad guys won’t be easy, but it is vital that we understand their latest tactics and work diligently to thwart them. Don’t get discouraged. Instead, remind yourself about how exciting these times are, and how we are fighting the good fight.

SAN FRANCISCO — Jim Raub, director of IT security at broadband services provider Paetec Communications, had limited time to get Oracle’s Identity Manager rolled out to streamline naming conventions and user provisioning to tighten access control across the company.

Business has been growing steadily for Paetec. With a number of planned acquisition targets, Raub was under pressure to get an identity management solution in place to meet compliance demands and scalability issues.

Like many companies implementing identity management tools, the company experienced a number of problems Raub attributes to the need to get a system online quickly. The company didn’t have an adequate test environment, data cleansing was an issue, getting various data holders to agree on an ID format also was a challenge, he said. And custom connectors had to be built to connect to several Unix-based applications.

More information on identity management Implementing ID and access management (Part 2)IT Management Guide: Identity management for the SMB

“There was just too much going on and some upheaval because we had to get it in quickly,” he said. “If we weren’t trying to integrate the company so quickly, the whole process would have been easier.”

Raub shared his Oracle Identity Manager implementation experience during a panel discussion Tuesday at Oracle’s OpenWorld user conference. Despite their challenges, employees are seeing the value of identity management software. While companies have been struggling with various problems implementing an identity management software — whether it be during the data cleansing phase or instituting a common naming structure — the best way to begin an implementation is just before company growth, when the company is small and agile, the panelists said.

Oracle has done a good job buying its way into the identity market. It acquired provisioning software from Thor Technologies in 2005 and since then analysts say it has become a big player. It threatens CA, IBM and Sun for outright leadership, said Mark Diodati, an analyst with Midvale, Utah-based Burton Group.

Oracle security: Podcast: The state of Oracle security Oracle bulletins will rank patches, offer more detailOracle DBAs mixed on security progress

“Oracle has made a whole slew of acquisitions in 2005 from purchasing Web access management products and federation,” Diodati said. “You can tell by the acquisitions that they’ve done that they clearly value the identity management space. They are a full-fledged player and arguably with the most complete set of identity management products in their suite.”

And Oracle has been making progress selling their identity manager to their own customers as well as marketing the products to new customers, Diodati said. Still, point solutions exist and companies should examine their options.

Kenny Gilbert, director of technology solutions at Sunnyvale, Calif.-based semiconductor installations provider Silicon Image, said his company didn’t even consider other vendors for identity management. The company recently completed a $120,000 five-month implementation.

“Compliance absolutely was a major driver for us,” Gilbert said. “It was also critical to have a single source for employee information.”

Gilbert said if he had to do the project over, he would have tweaked the naming convention to avoid issues with multiple systems. The company could have also been more proactive to get its Unix systems all on the same patch set, he said.

Rex Thexton, chief technology officer of Bedminster, N.J.-based consulting firm Entology, said most of his firm’s customers are driven to identity management to meet Sarbanes Oxley and other regulations.

“Either they are planning acquisitions or getting ready to go public,” he said.

Raub said the company is so pleased with its implementation that the plan is to start rolling it out to other non-Sarbanes Oxley systems, such as the company’s ID badge system.

“They improved their processes and the result has been a much better company,” he said.

Global spam levels measured by Commtouch swelled through the fourth quarter of 2007, hitting a high of 96 percent of all email in October 2007.

While we can’t speak for the rest of the Internet, we do see the inbox sift out roughly six good messages out of 300 at any given time at SecurityProNews.

That puts us in the neighborhood email security vendor Commtouch observed. Global spam levels measured by the company for the year hit an astonishing peak of 96 percent.

Astonishing unless one is sitting in the lead-lined writing room at our international HQ, watching the wonderful SpamBayes plug-in go to work on an inbox freshly opened in the morning. Commtouch said on their blog they “monitor unfiltered data streams of Internet email traffic, not including internal corporate traffic. This open traffic is analyzed to find the ratio of spam to legitimate email messages.”

The cruft collecting in inboxes, unless one has a product cleaning it on a continual basis, can contain any number of unwanted pests. Minor annoyances like plaintext stock-pumping emails pale in comparison to the malware-linked spam leading to infections and possible takeover by a remote server.

Those takeovers tend to connect a victimized PC to a broad network of other corrupted machines. These devices function as a botnet, which increasingly in these times provide outlets for the distribution of the Storm worm, a ferociously prolific pest that could be on millions of computers worldwide.

Link