<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talk Tech To Me - GFI Blog &#187; Search Results  &#187;  phishing</title>
	<atom:link href="http://www.gfi.com/blog/search/phishing/feed/rss2/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Fri, 13 Sep 2013 16:51:58 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Layered Security: Essential for a Safe Company Network</title>
		<link>http://www.gfi.com/blog/layered-security-essential-for-a-safe-company-network/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=layered-security-essential-for-a-safe-company-network</link>
		<comments>http://www.gfi.com/blog/layered-security-essential-for-a-safe-company-network/#comments</comments>
		<pubDate>Fri, 13 Sep 2013 15:57:52 +0000</pubDate>
		<dc:creator>Jackie Wake</dc:creator>
				<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[blackhole exploit kit]]></category>
		<category><![CDATA[GFI Cloud]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[layered security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[malware as a service]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[Trojans]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10867</guid>
		<description><![CDATA[Long gone are the days when system security was about little more than choosing an effective antivirus product. Threats to IT security now come from several different angles, and companies wishing to avoid the costs and reputational damage associated with &#8230;]]></description>
				<content:encoded><![CDATA[<div id="attachment_9396" class="wp-caption alignright" style="width: 345px"><a href="http://www.gfi.com/blog/wp-content/uploads/2012/09/david-attard.jpg"><img class=" wp-image-9396     " alt="David Attard, Product Manager for GFI WebMonitor" src="http://www.gfi.com/blog/wp-content/uploads/2012/09/david-attard.jpg" width="335" height="223" /></a><p class="wp-caption-text">David Attard, Product Manager for GFI WebMonitor</p></div>
<p>Long gone are the days when system security was about little more than choosing an effective antivirus product.</p>
<p>Threats to IT security now come from several different angles, and companies wishing to avoid the costs and reputational damage associated with security breaches must take a multi-faceted approach.</p>
<p>In this article, we speak to David Attard, a GFI product manager specializing in Web security, about the threats facing modern, connected businesses.<span id="more-10867"></span></p>
<h2>How has the IT security landscape changed in recent years?</h2>
<p>The biggest change has been a move away from traditional viruses and Trojans. Of course these still exist, and there are multitudes of them, but some of the scariest threats nowadays are those posed by social engineering and phishing, which take advantage of user naivety rather than holes in an infrastructure. Moreover, malware is pushed aggressively to victims. Rather than a chance encounter with a virus on a dodgy website, even the most educated and wary of users are likely to encounter malware being pushed to them via what is perceived as “normal” web browsing such as search engines, news and social networking sites.</p>
<p>Also, there are various downloads which are likely to contain malware. Research by Microsoft suggests that 1 in 14 downloads is actually malicious.</p>
<h2>How should IT departments respond to this?</h2>
<p>It’s now essential that companies take a multi-layered view of IT security. At the top level, this means doing all you can to prevent users accessing compromised areas of the Web by using content filtering &#8211; but it shouldn’t stop there.</p>
<p>If users <i>are</i> able to inadvertently access a malware-infected site, companies need to know that their machines are sufficiently patched and protected to prevent hackers taking advantage of exploits.</p>
<p>Finally, businesses need to ensure that other routes into the network are protected; there’s no point in having perfect Web security if a user can introduce malware by plugging in an infected USB stick or connecting their personal laptop or other device to the network without any mitigating security practices in place.</p>
<h2>Do businesses have good reason to be alarmed by how malware is evolving?</h2>
<p>If they’re not protected at every level, then definitely. Phishing is a particular concern, as compromised sites can look so genuine that they fool a large proportion of people. Obviously the ideal scenario is to use software that protects users from being tricked in the first instance, but user education is clearly very important too.</p>
<p>You only have to look at how many high-profile Twitter accounts have been hacked to know how real this threat is. The Syrian Electronic Army compromised many accounts with targeted phishing emails that convinced people sufficiently to give up their credentials.</p>
<h2>Do SMEs need to worry as much as larger companies?</h2>
<p>Yes, <span style="text-decoration: line-through;">because (arguably)</span> they are easier targets, with smaller budgets for IT security and it is essentially a game of numbers. Create large scale scatter shot and many victims are bound to get caught in the crossfire. We are also seeing a trend towards Advanced Persistent Threats (APTs), where hackers persistently target a company with a range of different attacks, including social engineering, in an attempt to gain system access.</p>
<p>Once they’re in there’s plenty they can do. Hackers can even access “malware as a service” such as the Blackhole Exploit Kit, which effectively allows them to design and distribute malware to meet their own ends with very little effort and at a very cost-effective price.</p>
<h2>What’s the best advice you could give to an IT department concerned about these issues?</h2>
<p>Use a product such as <a href="https://www.gficloud.com/land/gfi-cloud-unified?adv=13558&amp;loc=53 ">GFI Cloud</a> that can integrate patch management, antivirus and, from early October, content filtering in one easy-to-use, web-based console. Only by thinking of every possible “way in” can IT professionals really sleep soundly at night!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/layered-security-essential-for-a-safe-company-network/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>September Webcast Line-Up</title>
		<link>http://www.gfi.com/blog/september-webcast-line-up-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=september-webcast-line-up-2</link>
		<comments>http://www.gfi.com/blog/september-webcast-line-up-2/#comments</comments>
		<pubDate>Wed, 04 Sep 2013 14:00:09 +0000</pubDate>
		<dc:creator>Andrea Martin</dc:creator>
				<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[IT infrastructure]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[Message management solutions]]></category>
		<category><![CDATA[Multi-layer IT security]]></category>
		<category><![CDATA[security solutions]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10795</guid>
		<description><![CDATA[Every month we organize some exciting webcasts that cover a variety of topics – have a look at this month’s line-up and sign up for what best suits your needs! Don’t be an easy target! Multi-layer your IT security Date: &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/01/GFI-webcast_evolved_JAN13.jpg"><img class="alignright  wp-image-10258" style="border: 0px solid black; margin: 10px;" alt="GFI webcasts" src="http://www.gfi.com/blog/wp-content/uploads/2013/01/GFI-webcast_evolved_JAN13.jpg" width="144" height="135" /></a>Every month we organize some exciting webcasts that cover a variety of topics – have a look at this month’s line-up and sign up for what best suits your needs!<span id="more-10795"></span></p>
<h2>Don’t be an easy target! Multi-layer your IT security</h2>
<p><b>Date: September 19, 2013 – Time: 4 p.m. BST / 5 p.m. CEST – US: 8 a.m. PDT / 11 a.m. EDT</b></p>
<p>With the growth of targeted phishing attacks, Advanced Persistent Threats and even Malware as a Service, how can small and mid-sized companies keep up? With tight budgets and IT professionals stretched to cover more with less, what level of confidence do you have in your IT security? Infiltrating a bigger company takes much more effort, but a smaller business with vulnerable defenses can make an easier target.</p>
<p>In this webcast we will review and examine the threats facing networks today, including internal threats, malware, Internet-based and cyber-attacks. We will cover the basic methodology of each threat and how to mount effective countermeasures with a multi-layered approach to security.</p>
<p><b><a href="http://bit.ly/1909iPM">Register now</a></b></p>
<h2>Securing your IT infrastructure: Managing security solutions in a complex world</h2>
<p><b>Date: September 24, 2013 – Time: 5 p.m. BST / 6 p.m. CEST – US: 9 a.m. PDT / 12 p.m. EDT</b></p>
<p>As the types and methods of security solutions become more diverse, the challenge to manage the network security infrastructure has grown exponentially. This webcast will look at the key challenges and offer solutions to some of the most pressing issues confronting network security professionals.</p>
<p>During this webcast we will cover vulnerability assessment, threat detection and network auditing. Additionally, our presenter will examine patch management, compliance, inventory assessment and effective control of BYOD (Bring Your Own Device) threats to your security, and how to use these techniques to ensure your data is as safe as possible.</p>
<p><b><a href="http://bit.ly/1aPtA2o">Register now</a></b></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/september-webcast-line-up-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Avoid Becoming the Villain (Part 2)</title>
		<link>http://www.gfi.com/blog/how-to-avoid-becoming-the-villain-part-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=how-to-avoid-becoming-the-villain-part-2</link>
		<comments>http://www.gfi.com/blog/how-to-avoid-becoming-the-villain-part-2/#comments</comments>
		<pubDate>Tue, 09 Jul 2013 16:37:25 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[illicit websites]]></category>
		<category><![CDATA[Search Engine Poisoning]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10640</guid>
		<description><![CDATA[Life is full of surprises. I recently wrote an article titled How to Avoid Becoming the Villain on why it is so important to configure your servers correctly so that people cannot exploit them for illegal purposes. A few days &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/04/Becoming-the-Villain.jpg"><img class="alignright size-medium wp-image-10454" style="border: 0px solid black; margin: 10px;" alt="Becoming the Villain" src="http://www.gfi.com/blog/wp-content/uploads/2013/04/Becoming-the-Villain-300x200.jpg" width="300" height="200" /></a>Life is full of surprises. I recently wrote an article titled <i><a href="http://www.gfi.com/blog/how-to-avoid-becoming-the-villain/">How to Avoid Becoming the Villain</a></i> on why it is so important to configure your servers correctly so that people cannot exploit them for illegal purposes. A few days ago, I came across a case that adds weight to the points I made then.<span id="more-10640"></span></p>
<p>I was searching for the website of a particular restaurant that provides a delivery service in my area and Google gave me a list including the one that I was looking for. However, the search engine warned me that the website may have been compromised or infected with malware. Now, what would a hungry person working in IT security do in such a situation? Exactly! Forget about food for a little while and look into the matter.</p>
<p>Checking out the webpage source, it was easy to find out what had triggered the alert on Google – this piece of JavaScript:</p>
<p style="padding-left: 30px;">“<i>function xViewState()</i></p>
<p style="padding-left: 30px;"><i>{</i></p>
<p style="padding-left: 30px;"><i>var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896',</i></p>
<p style="padding-left: 30px;"><i>'877886888787','949990793917947998942577939317'),l=x.length;while(++a&lt;=l){m=x[l-a];</i></p>
<p style="padding-left: 30px;"><i>t=z='';</i></p>
<p style="padding-left: 30px;"><i>for(v=0;v&lt;m.length;){t+=m.charAt(v++);</i></p>
<p style="padding-left: 30px;"><i>if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);</i></p>
<p style="padding-left: 30px;"><i>t='';}}x[l-a]=z;} document.write('&lt;'+x[0]+' '+x[4]+'&gt;.'+x[2]+'{'+x[1]+'}&lt;/'+x[0]+'&gt;');}</i></p>
<p style="padding-left: 30px;"><i>xViewState();</i></p>
<p style="padding-left: 30px;"><i>&lt;/script</i>&gt;”</p>
<p>For those with a background in Java, it is clear at first glance that this function is meant to obfuscate some HTML: the author of that code didn’t want us, or whoever else was to check the code, to know exactly what that HTML is. Digging a bit deeper, I found that its purpose is to generate the following HTML: <b><i>&lt;undefined style&gt;.nemonn{position:absolute;top:-9999px}&lt;/style&gt;</i></b></p>
<p>The purpose of that HTML is to position a class called .nemonn outside of the screen, making it invisible to anyone visiting the webpage.  What did class nemonn contain? Class nemonn contained adverts and links to sites that sell stuff like medicines, low cost loans and other suspicious offers and deals.</p>
<h2>But why?</h2>
<p>The reason for this attack, which is called Search Engine Poisoning, is so that the attacker can improve the ranking of his malicious sites. Anyone visiting the website will not notice anything out of place, while search engines going through the victim’s website will find all the links that class nemonn is linking to. The search engine will then raise the ranking of those links based on the fact they seem quite popular since other sites are linking back to them.</p>
<p>In a nutshell, attackers are using the popularity of the victim’s site to increase the ranking of their own illicit websites.</p>
<p>This episode highlighted another issue. The attackers were able to gain access to and modify the HTML. The modifications were harmless to people legitimately visiting the webpage, but they could also have been used for malware drive-by downloads, to use the website as a platform to launch phishing attacks, or to include exploits that compromise the user’s machine when visiting the website.</p>
<p>If you work for an organization that hosts any kind of content, be it a website or even files for download, you need to have a process to ensure that none of the content has been modified without authorization. It’s easy to upload data to your website and then forget about it so long as it’s working fine. However, you are taking a number of risks if that data is not protected.</p>
<p>Here’s an example: You have a restaurant’s website that has been compromised by attackers who proceed to manipulate the content. Let’s say that the restaurant had an online shopping cart and facilitated the use of credit cards. All an attacker has to do to steal the credit card details is to write a script that takes the same input as the legitimate form.</p>
<p>This script will save the details including the credit card information and resubmit it to the original script the restaurant is hosting.  This might trigger a warning if the site is hosted on HTTP Secure, but unless the user is tech savvy they are very likely to dismiss the warning especially since everything else will work as expected. Even tech savvy and security conscious users might dismiss the warning as nothing more than a redirect to an unsecure site after the order has been completed, which is something that we often see happen legitimately.</p>
<p>If you don’t want others to turn you into a villain, make sure that no one can make any changes to your site or content. Also, ensure the software products you are using are patched, up-to-date and secure. I was curious to know how the website I was looking for was compromised in the first place. It turned out that they were using an old version of a popular content management system with known vulnerabilities. This is the most likely route the attackers took. The moral of the story is that you should never set up a website and forget about it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/how-to-avoid-becoming-the-villain-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Protect Your Twitter Account from Targeted Phishing Attacks</title>
		<link>http://www.gfi.com/blog/how-to-protect-your-twitter-account-from-targeted-phishing-attacks/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=how-to-protect-your-twitter-account-from-targeted-phishing-attacks</link>
		<comments>http://www.gfi.com/blog/how-to-protect-your-twitter-account-from-targeted-phishing-attacks/#comments</comments>
		<pubDate>Fri, 31 May 2013 14:00:42 +0000</pubDate>
		<dc:creator>David Attard</dc:creator>
				<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[Associated Press]]></category>
		<category><![CDATA[compromised accounts]]></category>
		<category><![CDATA[E!]]></category>
		<category><![CDATA[phishing attack]]></category>
		<category><![CDATA[Syrian Electronic Army]]></category>
		<category><![CDATA[targeted phishing]]></category>
		<category><![CDATA[the Guardian]]></category>
		<category><![CDATA[The Onion]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[Twitter hacking]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10544</guid>
		<description><![CDATA[The Syrian Electronic Army, a hacking collective which seems to be pro-Syrian government, has been on a Twitter hacking roll lately. They’ve managed to compromise the accounts of many major news outlets, notably the Twitter account of the Associated Press, &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/05/Phishing-Twitter.png"><img class="alignright  wp-image-10545" style="border: 0px solid black; margin: 10px;" alt="Phishing Twitter" src="http://www.gfi.com/blog/wp-content/uploads/2013/05/Phishing-Twitter-300x300.png" width="240" height="240" /></a>The Syrian Electronic Army, a hacking collective which seems to be pro-Syrian government, has been on a Twitter hacking roll lately. They’ve managed to compromise the accounts of many major news outlets, notably the Twitter accounts of the Associated Press, the Guardian and E!. The compromised accounts were then used to spread pro-Syrian government messages and even fake news – news which led to a temporary dip in the Dow Jones and a huge $136 billion loss in value. The latest victim of this hacking spree has been the satirical news website “<a href="http://theonion.com/">The Onion</a>”. After taking these attacks with a pinch of salt and posting several satirical articles, The Onion has posted an article <a href="http://theonion.github.io/blog/2013/05/08/how-the-syrian-electronic-army-hacked-the-onion/">detailing how this was done</a>.<span id="more-10544"></span></p>
<p>This was a targeted phishing attack, and the SEA sent several phishing emails to staff members of The Onion. They knew that any journalist would be interested in their email and click on a link. In fact, their email prompted the user to enter their Google credentials to access the link. This was done repeatedly using the same or similar methods until they succeeded in getting the credentials to all their social media accounts.</p>
<p>The same techniques were used to get the passwords for the Associated Press Twitter account – by luring people with targeted content that piqued their interest. What is key to their success is the fact that every time their email looked and read legitimate, hoodwinking the users.</p>
<p>The Onion have also published the following tips to ensure that other high profile Twitter accounts don’t get compromised:</p>
<ul>
<li>Make sure that your users are educated, and that they are suspicious of all links that ask them to log in, regardless of the sender.</li>
<li>The email addresses for your Twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (providing that you’re using unique, strong passwords for every account).</li>
<li>All Twitter activity should go through an app of some kind, such as HootSuite. Restricting password-based access to your accounts prevents a hacker from taking total ownership, which takes much longer to rectify.</li>
<li>If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.</li>
</ul>
<p>This story raises a number of questions that management in any organization should be asking:</p>
<p>How easily could the staff of our company fall for a targeted phishing attack? Using the Twitter, Facebook, or Google account credentials to sign into websites has become almost the norm today and users do so without thinking about the risks and security repercussions. What would happen if users received a faked password reset email that asked them for their credentials? Would they believe it? Have you tried or considered testing your staff with a control phishing exercise? Do you think education is enough or do you need specific tools to ensure employees are protected against these types of phishing attacks? Leave a comment below and let us know.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/how-to-protect-your-twitter-account-from-targeted-phishing-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Advanced Persistent Threat (APT) – A Hyped up Marketing Term or a Security Concern?</title>
		<link>http://www.gfi.com/blog/advanced-persistent-threat-apt-a-hyped-up-marketing-term-or-a-security-concern/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=advanced-persistent-threat-apt-a-hyped-up-marketing-term-or-a-security-concern</link>
		<comments>http://www.gfi.com/blog/advanced-persistent-threat-apt-a-hyped-up-marketing-term-or-a-security-concern/#comments</comments>
		<pubDate>Mon, 13 May 2013 14:00:55 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[apt]]></category>
		<category><![CDATA[APT attack]]></category>
		<category><![CDATA[APT Examples]]></category>
		<category><![CDATA[APT Risk]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[exploit vulnerability]]></category>
		<category><![CDATA[network access]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[threat]]></category>
		<category><![CDATA[vulnerability exploit]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10520</guid>
		<description><![CDATA[It is not uncommon for marketing teams or advertising agencies to take a current IT ‘buzzword’ and use it as part of their campaign to promote a new product or service. Advanced Persistent Threat (APT) is one of those buzzwords. &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/05/Advanced-Persistent-Threat.jpg"><img class="alignright  wp-image-10521" style="border: 0px solid black; margin: 10px;" title="Advanced Persistent Threat" alt="Advanced Persistent Threat" src="http://www.gfi.com/blog/wp-content/uploads/2013/05/Advanced-Persistent-Threat-300x200.jpg" width="240" height="160" /></a>It is not uncommon for marketing teams or advertising agencies to take a current IT ‘buzzword’ and use it as part of their campaign to promote a new product or service. Advanced Persistent Threat (APT) is one of those buzzwords. Should we consider this term to be another form of scaremongering or is there a real threat behind it? This blog post will briefly outline what APT is and whether or not organizations should take what we are told by the advertising gurus with a pinch of salt.<span id="more-10520"></span><!--more--></p>
<p>It is thought that the term Advanced Persistent Threat (APT) was first coined by the US Air Force in 2006 to describe complex (i.e. Advanced) cyber-attacks against specific targets over a long period of time (i.e. Persistent).</p>
<p>An APT is a highly organized, well-funded attack against a specific target usually involving a large group of people working together and each bringing their own specialized skills to the table. The word ‘specific’ is important here because the people behind an APT have an intended purpose for wanting to target a particular entity. Using different methods (either internal or external), the attacker will relentlessly attempt to gain access to the network and stay there until they have achieved their objective.</p>
<p>The main targets of an APT attack are commonly those organizations with a large amount of sensitive information (e.g. source code, trade secrets, personally identifiable information (PII), etc.) that will usually help the attacker gain a competitive advantage, identify a weakness or somehow gain an upper hand over the victim of the attack. Such organizations include the following:</p>
<p>1)    Healthcare firms</p>
<p>2)    Universities</p>
<p>3)    Financial institutions</p>
<p>4)    Government entities.</p>
<h2>The APT Lifecycle</h2>
<p>Whilst each APT attack is tailored by the attacker depending on the intended target, the lifecycle of every APT attack typically consists of at least the following phases:</p>
<p>1)    <strong>Investigate</strong> – research the organization, its employees, its policies, the applications and systems it uses, and so on</p>
<p>2)    <strong>Infiltrate</strong> – exploit a vulnerability, use an insider, etc. to gain access to the network and escalate privileges</p>
<p>3)    <strong>Explore</strong> – once inside, collect information about the infrastructure, domain hierarchy, trust relationships, security structure, etc. that will allow you to exploit the system even further</p>
<p>4)    <strong>Retrieve</strong> – move across the network to harvest data from the organization over a sustained period of time</p>
<p>5)    <strong>Clean up</strong> – cover your tracks to ensure minimal attention and maintained presence within the network.</p>
<p>The attacker will normally use a variety of attack vectors as part of the APT lifecycle. The tools and techniques they use are those commonly associated with everyday cyber-attacks, such as social engineering (spear phishing or targeted phone calls), infected media, zero-day exploits, as well as a rogue employee or contractor inside the organization.</p>
<h2>APT Examples</h2>
<p>Probably one of the most widely publicized APTs was a highly sophisticated piece of malware called Stuxnet that was first discovered in June 2010 and has been intensely scrutinized by security researchers worldwide ever since. Stuxnet exploited four zero-day vulnerabilities and spread via USB devices. Its intention was to search for industrial control systems and siphon off source code and project data over time. With the majority of Stuxnet activity coming from Iran, it is believed that one of Iran’s nuclear power plants was the main target.</p>
<p>Other examples of APTs include:</p>
<p>(1) Operation Aurora in 2010 where a zero-day vulnerability in IE 6.0 was used in an attempt to steal intellectual property and gain access to user accounts in Google, Adobe, Symantec and many other high profile organizations.</p>
<p>(2) An attack on RSA in 2011 where the APT started from a spear phishing email that was sent to a small group of employees at the well-respected security firm. The email contained an Excel file attachment that installed a backdoor via an Adobe Flash vulnerability (which Adobe has since patched).</p>
<p>In all of these cases, it is clear that the attackers had substantial financial backing, did a fair amount of reconnaissance and had specific targets in mind.</p>
<h2>Reducing the APT Risk</h2>
<p>Assuming you have a sound information security strategy in place that caters for areas like IDS/IPS, strong passwords, user awareness and training, an email and social networking usage policy, change management process, end point security solutions, gateway and host-based AV, and incident response plans, to name but a few, there are specific measures you can take to reduce the APT risk. These include:</p>
<p>1)    A Security Information and Event Management (SIEM) system for the collection, review and notification of security alerts, as well as the collection and review of audit information pertinent to sensitive data access.</p>
<p>2)    Scanning for security vulnerabilities on a regular basis.</p>
<p>3)    Maintaining a solid patch management process.</p>
<p>4)    Implementing Data Leakage Prevention (DLP) technologies to:</p>
<ul>
<li>Increase traffic monitoring for malicious outbound activity such as requests to malicious websites, dynamic DNS servers and sensitive file transfer.</li>
<li>Scan outbound email and web traffic against a dynamic set of rules to prevent data leaving the organization.</li>
</ul>
<p>5)    Using behavioural threat analytics to flag subtle yet suspicious outbound traffic that might be indicative of APT activity. Such a system would take a baseline of typical activity and then look for anomalies that are not true to everyday “normal” behaviour (e.g. FTP traffic from a department that never uses FTP or network traffic being sent to servers in a country where the organization has absolutely no affiliation).</p>
<p>According to Gartner research, going forward, we will begin to see more content and context aware security solutions to help with the fight against the Advanced Persistent Threat. Such solutions will be able to make more accurate decisions, automatically fine-tune configurations, provide recommendations on what areas of the network should be given attention, as well as perform proactive checks against suspicious content before it becomes a threat.</p>
<h2>Conclusion</h2>
<p>Going back to the original question I asked at the beginning, should we be concerned? Yes! It is better to be cautious rather than be naive and think you are unlikely to be targeted. Although victims of an APT attack typically belong to a handful of industries, even if you are not the specific target, your organization might be one piece of the attacker’s puzzle because of information you have that is deemed valuable to them.</p>
<p>As we saw above, there is no such thing as an all-in-one solution to APT attacks. Because different attack vectors are used, a multi-layered approach to preventing (or at least minimizing the impact of) an APT is required. Marketing or advertising agencies that state APT is a big problem and action is needed are right, but I would question those that claim to be a one-stop shop for APT prevention.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/advanced-persistent-threat-apt-a-hyped-up-marketing-term-or-a-security-concern/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>13 for ’13 Jumpstart: Spam Filtering</title>
		<link>http://www.gfi.com/blog/13-for-13-jumpstart-spam-filtering/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=13-for-13-jumpstart-spam-filtering</link>
		<comments>http://www.gfi.com/blog/13-for-13-jumpstart-spam-filtering/#comments</comments>
		<pubDate>Fri, 10 May 2013 14:00:01 +0000</pubDate>
		<dc:creator>Christina Goggi</dc:creator>
				<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[filtered email]]></category>
		<category><![CDATA[IT project]]></category>
		<category><![CDATA[spam filtering]]></category>
		<category><![CDATA[Spam filtering solution]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10516</guid>
		<description><![CDATA[We had published an article called ‘13 IT Projects to Include in Your Plans for 2013’ in which we suggested 13 great IT projects for you to consider; we decided to publish some follow-up articles to help do just that. &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/05/project-7.jpg"><img class="alignright  wp-image-10517" style="margin: 10px; border: 0px solid black;" alt="IT project 7" src="http://www.gfi.com/blog/wp-content/uploads/2013/05/project-7-300x300.jpg" width="216" height="216" /></a>We had published an article called ‘<a href="http://www.gfi.com/blog/13-it-projects-to-include-in-your-plans-for-2013/">13 IT Projects to Include in Your Plans for 2013</a>’ in which we suggested 13 great IT projects for you to consider; we decided to publish some follow-up articles to help do just that.</p>
<p>Our seventh project suggestion was for spam filtering – here’s what we had to say:</p>
<p><i>Spam volumes continue to rise, and Outlook’s junk mail filters just are not enough anymore. 2013 can be the year you finally get a handle on spam by implementing spam filtering. Whether you deploy something on-premise or in the cloud, blocking spam, phishing, and malware infected messages before they get to your users is something everyone will appreciate.</i></p>
<p>With that in mind, here are some tips to help you jump start this project:<span id="more-10516"></span></p>
<h2>Get senior management sponsorship</h2>
<p>Executive sponsorship is critical to the success of any project, and it should be there from the start. Your best bet is to find someone in the IT management team who hates spam as much as you do, and wants to do something about it. That person can help sway the opinions of anyone else on the leadership team who may object to spam filtering software or the efforts to replace what you already have, and can bring the needed authority to the project to help ensure success.</p>
<h2>Decide where you want to filter</h2>
<p>Spam filtering can be handled at your edge, or it can be handled within the cloud. If you want ready, instant access and 100% control (and therefore, 100% responsibility) then you may want to deploy an on-premise solution. However, in addition to the control and responsibility, you also have to allocate the bandwidth and the storage for quarantine. Outsourcing the solution, whether to a hosted or cloud-based solution, may be a preferable way to go – it can save you time and money, will require no storage from you, and can save significant bandwidth.</p>
<h2>Decide what you don’t want to filter</h2>
<p>There will be a number of business partners, customers, and others that you won’t want to filter, even if they include content that could be considered spam. Identify the important email domains and addresses that you will need to whitelist, and get that configured up front to ensure a minimum of false positives that might skew opinions of your solution.</p>
<h2>Find a solution that will integrate with your existing messaging</h2>
<p>The best solutions, whether on-premise or hosted, should be able to plug into your existing system with a minimum of changes. SMTP connectors and MX records should be all you need to adjust. Be ready in advance to make quick changes by reducing the TTL of your MX records now so you can plug in and fall back quickly if needed.</p>
<h2>Determine how you want to handle filtered email</h2>
<p>The biggest challenge you will likely face with a spam filtering solution is handling the quarantine. Do you want your Helpdesk or email admins to deal with checking the spam trap, or do you want your users to help themselves? There’s no right answer here since it’s based on your users as much as it is your technical team’s capacity, but it’s a decision you want to make up front, and not something to figure out later. Ticket counts may go up if you keep it within IT, while self-service will require end-user training and documentation. My advice is to go with a user self-service approach, but you know your users best.</p>
<h2>Test</h2>
<p>If you have more than one email domain, consider testing with the one that has fewer users before you look at the primary domain. If not, plan a weekend where you can cut over, evaluate, and then fall back if need be before Monday morning.</p>
<h2>Notify</h2>
<p>Let your users know well in advance of what is coming, especially if you are going to choose user self-service for checking and releasing quarantined mail. Plan on at least weekly communications starting a month before you go into production, and expect a lot of users who will still not read them or not know what to do. It’s the nature of the beast.</p>
<h2>Deploy</h2>
<p>Make your production cutover happen on a slow weekend; if you have a three-day ‘weekend’ coming up, even better to use that, so that you can build up gradually. Pay close attention to quarantine folders and queues, watch for any business partners or customers that didn’t get on the whitelist, and be ready to update quickly if necessary.</p>
<p>So now you have some tips to help you get started on spam filtering as a project, along with some of the key things to be sure you include to make this project a success. Management sponsorship, project management and consensus are all every bit as important as the more technical parts, even if they aren’t quite as exciting. Spam filtering solutions will impact the entire organization, so it’s in the best interest of the entire company to make sure this is a success.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/13-for-13-jumpstart-spam-filtering/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Survey: Confessions of the IT Crowd [Infographic]</title>
		<link>http://www.gfi.com/blog/confessions-of-the-it-crowd/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=confessions-of-the-it-crowd</link>
		<comments>http://www.gfi.com/blog/confessions-of-the-it-crowd/#comments</comments>
		<pubDate>Wed, 27 Mar 2013 11:07:22 +0000</pubDate>
		<dc:creator>David Kelleher</dc:creator>
				<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[admin stress]]></category>
		<category><![CDATA[GFI survey]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[IT administrator]]></category>
		<category><![CDATA[IT department]]></category>
		<category><![CDATA[stress]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10411</guid>
		<description><![CDATA[View the UK version of the infographic The stresses of the IT administrator continue to become a mainstay of office culture that people see as inevitability. Whether their time is spent dealing with issues that should never have occurred in &#8230;]]></description>
				<content:encoded><![CDATA[<p><a style="color: #ff4b33; line-height: 24px; text-align: center;" href="http://www.gfi.com/blog/wp-content/uploads/2013/03/Infographic_USA_300dpiCMYK.jpg"><br />
<img class="aligncenter  wp-image-10526" alt="Infographic_USA_300dpiCMYK" src="http://www.gfi.com/blog/wp-content/uploads/2013/03/Infographic_USA_300dpiCMYK.jpg" width="576" height="1948" /></a></p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/05/Infographic_UK_300dpiCMYK.jpg" target="_blank">View the UK version of the infographic</a></p>
<p>The stresses of the IT administrator continue to be a mainstay of office culture that people see as an inevitability. Whether their time is spent dealing with issues that should never have occurred in the first place or explaining common knowledge to end users, IT admins often feel that they are working far outside the scope of their job description and that they are continually underappreciated.</p>
<p>With that in mind, GFI Software™ surveyed more than 400 IT administrators in the US and the UK to gauge their stress levels and the various workplace issues that factor into them. Among the stressors were managers, lack of budget and lack of additional IT staff, but end users are always a particular source of stress. As one respondent put it when asked about the ridiculous things that end users do, “just showing up is usually bad enough.” You can read the <a href="http://www.gfi.com/documents/research-brief-uk-us.pdf">full results here</a>, but in the meantime, here are some of the more outlandish and (surprisingly) common issues that IT admins say they face when dealing with end users and the questions they wish they could ask.<span id="more-10411"></span></p>
<h2><strong style="font-size: 16px;">Why did you feed your machine?</strong></h2>
<p>It’s hard enough to keep machines healthy and networks running smoothly in the face of cyber threats, regular maintenance and plain old aging hardware. It doesn’t help when end users consistently fail to take basic steps to care for the work-issued hardware with which they have been entrusted. A large number of admins recounted times when users inexplicably used their DVD drives as cup holders, not only endangering the computer’s life, but also that of the user. Even with proper beverage placement, spills will happen, but IT admins then face uncomfortable conversations with users who refuse to admit that the spill was theirs.</p>
<h2><strong style="font-size: 16px;">Would you treat a person that way?</strong></h2>
<p>IT admins are often baffled by the complete lack of common sense that some end users seem to have. Time that could be spent addressing legitimate IT issues or performing time-intensive maintenance is wasted when admins are called to “fix” computers that aren’t plugged in or turned on. One respondent reported having to help a user that broke the plastic connector on an Ethernet cable by trying to force it into a telephone jack, while another became angry because a non-touch screen computer was not responding when touched.</p>
<blockquote><p>One of the most puzzling responses described an encounter with an end user that would say “my screen messes up when I do this” before “violently twisting the screen on their laptop.”</p></blockquote>
<h2><strong style="font-size: 16px;">You just don’t care, do you?</strong></h2>
<p>While clueless users can be a hassle, IT admins have an even harder time dealing with careless individuals who generate avoidable problems and then complain when those problems aren’t dealt with immediately. Multiple respondents said that they had been called to clean malware off users’ systems because the users had been visiting inappropriate sites, and one of those users even left the window open and didn’t try to hide it. Another left their device in a public place and grew irate when the IT staff said that they did not have any way to track it down. Most IT administrators would say that they didn’t sign up to clean up others’ messes, but they often find themselves doing just that.</p>
<h2><strong style="font-size: 16px;">What’s the problem again?</strong></h2>
<p>Admins also express frustration over having to become de facto teachers for users who don’t have the most basic computer skills such as the ability to turn their computer on, restart their system or to find a key on the keyboard. They are also often surprised at users’ inability to answer simple questions that would speed troubleshooting processes along.</p>
<blockquote><p>One admin reported that an employee responded “Microsoft Word” when asked which operating system their PC was running on. Another recounted a time that he was called to explain “if a zero was the letter zero or the number.”</p></blockquote>
<h2><strong style="font-size: 16px;">Are you sure you should be working from home unsupervised?</strong></h2>
<p>One admin reported that during a support call with a remote user, this exchange actually occurred:</p>
<blockquote><p>“When I asked what version of windows they were running I was told they have patio doors. Good old days on the help desk for home workers.”</p></blockquote>
<h2><strong style="font-size: 16px;">Do you have any idea what I’m actually supposed to be doing?</strong></h2>
<p>Some users view IT admins as office handymen or really emphasize the “information” part of information technology, and regularly call the help desk with questions about burned out light bulbs in the office or about what time it is in a foreign country.</p>
<h2><strong style="font-size: 16px;">Did you just destroy my network?</strong></h2>
<p>Most of these issues with end users are mere annoyances and can be remedied quickly. But several respondents had to throw their hands up at one point when their entire network was crashed by a user. Although they didn’t get into details, comments like “crashed our system” and “destroyed whole IT department” sound much more serious than the average screw-up.</p>
<p>Similar to the findings in last year’s first annual GFI <a href="http://www.gfi.com/blog/survey-5-most-ridiculous-things-it-admins-have-seen-business-users-do-infographic/">IT Admin Stress Survey</a>, end users are still inadvertently deleting important files, inserting media into the wrong slots, responding to obvious phishing attempts and downloading malicious files. It is interesting to note that in general, employees seem to be aware that their actions when using company hardware have consequences and are monitored by the IT staff. In fact one survey respondent described an employee that would cover his machine’s webcam with a sticky note for fear that IT was watching him remotely. However, this does not seem to cut down on the number of end users caught sleeping on the job, browsing non-work related sites or endangering the company network with careless web browsing.</p>
<p>Maybe having an annual System Administrator Appreciation Day just isn’t enough. Ultimately, IT administrators are there to protect users’ machines and ensure that everything is running smoothly so that others can do their work without worrying about whether their PCs are going to work properly that day.</p>
<p>Have you ever been the person that caused an unnecessary problem for your IT department and later felt guilty about it? Are you an IT administrator with an IT horror story that no one believes? Let us know in the comment section below.</p>
<p><a href="http://www.gfi.com/company/news-and-events/press-releases">Find out more about the survey results.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/confessions-of-the-it-crowd/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Hear! Hear! Tips from THE IT Security Experts</title>
		<link>http://www.gfi.com/blog/hear-hear-tips-from-the-it-security-experts/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=hear-hear-tips-from-the-it-security-experts</link>
		<comments>http://www.gfi.com/blog/hear-hear-tips-from-the-it-security-experts/#comments</comments>
		<pubDate>Fri, 22 Mar 2013 14:37:19 +0000</pubDate>
		<dc:creator>Christina Goggi</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[Ben Tomhave]]></category>
		<category><![CDATA[Branden Williams]]></category>
		<category><![CDATA[Brian Honan]]></category>
		<category><![CDATA[Chris Boyd]]></category>
		<category><![CDATA[Deb Shinder]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[IT Security Experts]]></category>
		<category><![CDATA[Pierluigi Paganini]]></category>
		<category><![CDATA[security blogosphere]]></category>
		<category><![CDATA[tips]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10399</guid>
		<description><![CDATA[We all have our take on IT security, and if you’re reading this post it means you want to hear more. So do we, that’s why we have reached out to some well-known IT experts in the security blogosphere and &#8230;]]></description>
				<content:encoded><![CDATA[<p>We all have our take on IT security, and if you’re reading this post it means you want to hear more. So do we, that’s why we have reached out to some well-known IT experts in the security blogosphere and asked them to share some invaluable tips with our readers.</p>
<p>Let us know what you think and share any tips you may have – we want to hear more!<span id="more-10399"></span></p>
<h2>Brian Honan:</h2>
<p>While we all know that businesses should be talking to their clients, Brian Honan stresses the importance of communication within an organization. This communication, he says, is vital for addressing security challenges.</p>
<blockquote><p>&#8220;Engage with the people within your business. Talk to senior management to see what their goals and objectives are for the year, such as is the business going to expand or contract. In this way you can better prepare for any challenges ahead. Speak to line managers to understand the challenges they face and how can you provide secure solutions for them. Finally, talk to end users so they are aware of the security threats facing your organisation and are educated and prepared on how to deal with those threats.&#8221;</p></blockquote>
<p><strong>Brian Honan Bio:</strong></p>
<div id="attachment_10401" class="wp-caption alignright" style="width: 138px"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/03/Brian-Honan.jpg"><img class=" wp-image-10401  " style="border: 0px solid black; margin: 10px;" title="BH Consulting" src="http://www.gfi.com/blog/wp-content/uploads/2013/03/Brian-Honan-200x300.jpg" alt="" width="128" height="192" /></a><p class="wp-caption-text">Brian Honan</p></div>
<p>Brian is internationally recognised as an expert in the field of information security and has worked with numerous companies in the private and government sectors, in Ireland, Europe and throughout the United Kingdom. Brian has also provided information security advice to the European Commission.</p>
<p>Brian is the author of <em>ISO 27001 in a Windows Environment</em>, and co-author of <em>The Cloud Security Rules</em>.  Brian’s work has been published in many respected trade publications and he is a prolific blogger for Information Security Magazine. He is also European Editor for the bi-weekly SANS NewsBites newsletter which reaches over 500,000 information security professionals.</p>
<p>Check out his website: <a href="http://bhconsulting.ie/securitywatch/">http://bhconsulting.ie/securitywatch/</a> or find Brian on Twitter: <a href="https://twitter.com/BrianHonan">https://twitter.com/BrianHonan</a></p>
<h2>Branden Williams:</h2>
<p>Branden Williams has some advice when it comes to that ultimate security issue: the correct use and maintenance of good, strong passwords.</p>
<blockquote><p>&#8220;While passwords are still the most common authentication mechanism, they are also the weakest. Spend this year following good guidelines with a password locker, and change all of your passwords to be unique to each site. In addition, where two-factor authentication is available (such as your online bank, Google, DropBox, eBay, or Paypal), enable and use it!&#8221;</p></blockquote>
<p><strong>Branden Williams Bio:</strong></p>
<div id="attachment_10402" class="wp-caption alignright" style="width: 165px"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/03/Branden-Williams.jpg"><img class=" wp-image-10402  " style="border: 0px solid black; margin: 10px;" title="Branden Williams" src="http://www.gfi.com/blog/wp-content/uploads/2013/03/Branden-Williams-240x300.jpg" alt="" width="155" height="194" /></a><p class="wp-caption-text">Branden Williams</p></div>
<p>Branden has over 15 years of experience in technology and information security. He has extensive experience in Linux, Solaris, and Microsoft Windows (2K/2003) server platforms, and further experience in other operating systems including Mainframe (z/OS), BSDI, HP/UX, AIX, and OS X. Branden also has experience with Cisco IOS/PIX, WatchGuard, IPTables, Checkpoint and other technologies.</p>
<p>Branden was designated as a Fellow of the Information Systems Security Association (ISSA) and an Adjunct Professor at the University of Dallas’s Graduate School of Management. <a title="MEDIA" href="https://www.brandenwilliams.com/media/">He publishes regularly</a> and co-authored a book on PCI Compliance.</p>
<p>Branden is a CTO at a major security firm, a doctoral business student, and currently sits on the PCI Board of Advisors.</p>
<p>Check out his website: <a href="https://www.brandenwilliams.com/">https://www.brandenwilliams.com/</a> or find him on Twitter: <a href="https://twitter.com/BrandenWilliams" target="_blank">https://twitter.com/BrandenWilliams</a></p>
<h2>Ben Tomhave</h2>
<p>Ben Tomhave talks about compliance and litigation repercussions within the field of IT security and risk management.</p>
<blockquote><p>&#8220;Get your house in order. The clock is running out (if it hasn&#8217;t run out already) on building a commercially reasonable, legally defensible security and risk management program. The old zero-sum ways must be abandoned. Incidents will happen, but you can do much to reduce their impact, even if those incidents occur in a cloud environment or are amplified by BYOD policies. Businesses must be able to demonstrate good decision-making processes relative to risk management, or they will be subject to civil (and possibly criminal) litigation. This will affect all industries, including law firms.&#8221;</p></blockquote>
<p><strong>Ben Tomhave</strong> <strong>Bio:</strong></p>
<div id="attachment_10404" class="wp-caption alignright" style="width: 166px"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/03/Ben-Tomhave1.jpg"><img class=" wp-image-10404  " style="border: 0px solid black; margin: 10px;" title="Ben Tomhave" src="http://www.gfi.com/blog/wp-content/uploads/2013/03/Ben-Tomhave1-241x300.jpg" alt="" width="156" height="194" /></a><p class="wp-caption-text">Ben Tomhave</p></div>
<p>Ben Tomhave (MS, CISSP), helps global enterprises, SMBs and service partners unlock the real promise of integrated governance, risk management and compliance through his current role as Principal Consultant for LockPath, a market-changing GRC software company.</p>
<p>A distinguished author and experienced speaker, he currently serves on the board of the Society of Information Risk Analysts and as co-chair of the ABA InfoSec Committee within the Section of Science &amp; Technology. He is also a member of ISSA and the IEEE Computer Society, and holds a MS in Engineering Management from The George Washington University with an InfoSec Management concentration.</p>
<p>Check out his blog: <a href="http://www.secureconsulting.net/">http://www.secureconsulting.net/</a> or find him on Twitter: <a href="https://twitter.com/falconsview/" target="_blank">https://twitter.com/falconsview/</a></p>
<h2>Pierluigi Paganini</h2>
<p>Pierluigi Paganini looks forward at what 2013 might bring for those involved in IT security and offers his predictions.</p>
<blockquote><p>&#8220;The major factors contributing to the diffusion of new cyber threats in 2013 will be the increasing use of social media platforms and mobility. Those that will be most active in cyberspace are the cyber-criminal groups and hacktivists. Contrary to the opinion of some security experts, I believe that the hacktivism phenomenon can assume an important role in security.</p>
<p>In 2013 we will also observe increased state-sponsored attacks, and governments will become more active in both the defensive and offensive sectors. In addition, control and monitoring activities will increase in a significant way.</p>
<p>Fortunately, the global level of awareness of cyber threats is also rising as never before.&#8221;</p></blockquote>
<p><strong>Pierluigi Paganini Bio:</strong></p>
<div id="attachment_10405" class="wp-caption alignright" style="width: 151px"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/03/PierluigiPaganini_ridotta.png"><img class=" wp-image-10405   " style="border: 0px solid black; margin: 10px;" title="PierluigiPaganini_ridotta" src="http://www.gfi.com/blog/wp-content/uploads/2013/03/PierluigiPaganini_ridotta.png" alt="" width="141" height="196" /></a><p class="wp-caption-text">Pierluigi Paganini</p></div>
<p>Pierluigi is a company director, researcher, security evangelist, security analyst and a freelance writer.</p>
<p>He is a security expert with over 20 years’ experience in the field, and a Certified Ethical Hacker at EC Council in London. His passion for writing, and a strong belief that security is founded on sharing and awareness, led him to found the popular security blog &#8220;Security Affairs&#8221;.</p>
<p>He is also the chief information security officer for Bit4id, which is an industry leader in identity management. Pierluigi also works as a writer with several major publications in the field, such as Cyber War Zone, Infosec Island and The Hacker News.</p>
<p>Check out his blog: <a href="http://www.securityaffairs.co/">http://www.securityaffairs.co/</a> or find him on Twitter: <a href="https://twitter.com/securityaffairs">https://twitter.com/securityaffairs</a></p>
<h2>Debra Littlejohn Shinder</h2>
<p>Debra Littlejohn Shinder gives us some words of wisdom about the changing face of corporate IT and how this relates to security.</p>
<blockquote><p>&#8220;The nature of corporate IT is profoundly changing. Ten years ago it was all about protecting the network perimeter. In 2013, we’ll be dealing with the new challenges brought by cloud, mobile and BYOD. To avoid expensive (and possibly reputation-destroying) security breaches, organizations will have to shift from a reactive to a proactive mode and get serious about developing plans and policies to address the current chaos that always comes with major transitions.</p>
<p>Cyber attackers, like the old school criminals who burglarize homes or mug victims on the street, generally target the weakest links. Your security doesn’t have to be the very best money can buy; it does have to be better than average to convince the bad guys to move on to an easier target. It’s better to have a <em>good </em>security strategy in place now, than to have a <em>perfect </em>one “in the works.”</p></blockquote>
<p><strong>Debra Littlejohn Shinder Bio:</strong></p>
<div id="attachment_10406" class="wp-caption alignright" style="width: 152px"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/03/Deb-portrait.jpg"><img class=" wp-image-10406    " style="border: 0px solid black; margin: 10px;" title="Deb portrait" src="http://www.gfi.com/blog/wp-content/uploads/2013/03/Deb-portrait-270x300.jpg" alt="" width="142" height="158" /></a><p class="wp-caption-text">Debra Littlejohn Shinder</p></div>
<p>Debra Littlejohn Shinder is a former police officer/criminal justice instructor who now makes her living as an IT analyst, author, trainer and speaker. She has written or contributed to 26 books, published over 800 articles and has been living online, along with her husband Tom (whom she met via the Internet), since the mid-1990s.</p>
<p>On April 1, 2012, Deb Shinder received the Most Valuable Professional (MVP) award from Microsoft, with an area of expertise in Enterprise Security, for the eighth year in a row.</p>
<p>Check out her blog: <a href="http://www.debshinder.com/">www.debshinder.com</a> or find her on Twitter: <a href="https://twitter.com/debshinder">https://twitter.com/debshinder</a></p>
<h2>Chris Boyd</h2>
<p>Chris Boyd offers his thoughts on how scammers might be looking for greener pastures where users might not be wise to their tricks.</p>
<blockquote><p>&#8220;Mobile devices, gaming and less well known social networks will likely see the most interesting forms of attack. Over a portion of 2011 and most of 2012, Tumblr saw some really new and innovative scams and attacks on end-users; now, those tactics are starting to repeat themselves and slowly but surely the user base is growing wiser. The only solution for scammers is to mix things up a little, or go elsewhere. And I&#8217;d be surprised if they don&#8217;t attempt to ply their trade on a newer, smaller social network.&#8221;</p></blockquote>
<p><strong>Chris Boyd</strong> <strong>Bio:</strong></p>
<div id="attachment_10408" class="wp-caption alignright" style="width: 142px"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/03/Chris-Boyd.png"><img class=" wp-image-10408  " style="border: 0px solid black; margin: 10px;" title="Chris Boyd" src="http://www.gfi.com/blog/wp-content/uploads/2013/03/Chris-Boyd-233x300.png" alt="" width="132" height="170" /></a><p class="wp-caption-text">Chris Boyd</p></div>
<p>Chris is a six time recipient of the Microsoft MVP in Consumer Security, and a former Director of Research for FaceTime Security Labs.</p>
<p>He has been credited with finding the first rootkit in an Instant Messaging hijack, the first example of a rogue web browser installing without permission, the first worm on the Google Orkut network and the first example of a DIY Botnet creation kit for Twitter.</p>
<p>His specialties include Botnets, Spam, Phishing, P2P, Instant Messaging, Ad/Spy/Malware, Worms, Social Networking attacks/exploits and videogame console exploitation. He currently works as a senior security threat researcher for <a href="http://www.threattracksecurity.com/it-blog/">ThreatTrack Security</a>.</p>
<p>Check out his blog: <a href="http://www.paperghost.com/">http://www.paperghost.com/</a> or find him on Twitter: <a href="https://twitter.com/paperghost">https://twitter.com/paperghost</a></p>
<p>Don’t forget to share your thoughts on what these IT security professionals had to say, or share your own tips by leaving a comment below.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/hear-hear-tips-from-the-it-security-experts/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Who’s about to go crazy this March Madness?</title>
		<link>http://www.gfi.com/blog/whos-about-to-go-crazy-this-march-madness/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=whos-about-to-go-crazy-this-march-madness</link>
		<comments>http://www.gfi.com/blog/whos-about-to-go-crazy-this-march-madness/#comments</comments>
		<pubDate>Wed, 13 Mar 2013 17:48:24 +0000</pubDate>
		<dc:creator>David Attard</dc:creator>
				<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[bandwidth]]></category>
		<category><![CDATA[Bandwidth bottlenecks]]></category>
		<category><![CDATA[Internet usage]]></category>
		<category><![CDATA[IT administrator]]></category>
		<category><![CDATA[March Madness]]></category>
		<category><![CDATA[productivity]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security software]]></category>
		<category><![CDATA[web filtering]]></category>
		<category><![CDATA[web security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10393</guid>
		<description><![CDATA[Is it your IT administrator who needs to sort out all of the bandwidth issues? Is it your employees who want to access work-related resources on the web and cannot because of people streaming March Madness games? The NCAA Men’s &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/03/March-Madness.jpg"><img class=" wp-image-10394 alignright" style="margin: 10px; border: 0px solid black;" title="March Madness" alt="" src="http://www.gfi.com/blog/wp-content/uploads/2013/03/March-Madness-300x300.jpg" width="216" height="216" /></a>Is it your IT administrator who needs to sort out all of the bandwidth issues? Is it your employees who want to access work-related resources on the web and cannot because of people streaming March Madness games?<span id="more-10393"></span></p>
<p>The NCAA Men’s Division 1 Basketball Championship, AKA “March Madness”, is a major distraction in U.S. workplaces every year. The tournament kicks off March 19, with the busiest tournament days occurring on Thursday, March 21 and Friday, March 22 during standard business hours (beginning at 9am ET).</p>
<p>It’s only natural that employees’ level of interest is high when there is so much focus on the tournament in such a short span of time. Employees who are following the tournament closely are highly likely to turn to the Internet to stay up-to-date on the latest news and scores. With so many websites available to follow the tournament, it is very common for employees to watch live streams of games, listen to audio commentaries, view game highlights on ESPN and others, search for the latest results and stories, and participate in other related activities while at work – all of which are likely to cause a significant disturbance in three ways:</p>
<h3><strong>Bandwidth bottlenecks</strong></h3>
<p>With multiple users streaming content simultaneously, the available bandwidth is easily taken up. This can have a severe impact on other applications which are dependent on the Internet, such as VoIP, CRM, email and other cloud and Internet-enabled applications. Typical streaming content consumes 10Mb of data per minute. Multiply that by a significant number of employees and you can see why a bandwidth spike creating a bottleneck is inevitable.</p>
<h3><strong>Productivity loss</strong></h3>
<p>With games held during regular business hours, many users will be following results as they happen. This major distraction could severely impact productivity over the course of the tournament.</p>
<h3><strong>Security problems</strong></h3>
<p>Hackers have always used high interest stories and trending topics as lures to infect users’ machines. March Madness is no different, and it is almost certain that cybercriminals will use the tournament to trick unsuspecting users into falling for fake websites, SEO poisoning, phishing and other malicious scams.</p>
<p>To manage these problems, companies need to be prepared to enforce Internet usage and web filtering best practices, including:</p>
<ul>
<li>Informing and educating employees about the effects associated with March Madness and giving them browsing tips that will help to address these challenges – e.g. advising users to avoid streaming live games, to be cautious of which websites they visit and to avoid clicking on links that come from an unfamiliar source.</li>
<li>Implementing web security software that:
<ul>
<li>Automatically blocks malicious websites and ensures any websites visited are free of malware. A point to note is that an anti-virus engine alone is not enough to stop all threats – a dedicated web security engine is now also a must.</li>
<li>Allows you to define bandwidth quotas, such as limiting downloads from streaming media websites to 100Mb a day, and limiting visits to news, media and sports sites to 30 minutes per day.</li>
<li>Blocks websites which could pose legal liabilities, such as gambling websites.</li>
</ul>
</li>
<li>Setting up action-based alerts to anticipate problems before they develop and take the necessary action to immediately remediate issues as they arise.</li>
</ul>
<p>Allowing employees to follow March Madness activity in the workplace can boost employee productivity, motivation and morale in the long run – but their web browsing has to be controlled. Uncontrolled usage of the Internet can result in serious issues, not just during the March Madness tournament but throughout the year. Luckily, there are advanced tools available to help IT balance the negative impacts of non-work related browsing with the need for employees to take a break, de-stress and stay motivated.</p>
<p>&nbsp;</p>
<p>If you’re interested in a good web filtering solution, take a look at <a href="http://www.gfi.com/internet-monitoring-software?adv=13558&amp;loc=14">GFI WebMonitor</a>.</p>
<p>You can download a <a href="http://www.gfi.com/pages/webmon-selection-download.asp?adv=13558&amp;loc=28">free trial</a> for 30 days. It’s worth a try!</p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/whos-about-to-go-crazy-this-march-madness/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>March Webcast Line-Up</title>
		<link>http://www.gfi.com/blog/march-webcast-line-up/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=march-webcast-line-up</link>
		<comments>http://www.gfi.com/blog/march-webcast-line-up/#comments</comments>
		<pubDate>Tue, 05 Mar 2013 15:24:49 +0000</pubDate>
		<dc:creator>Christina Goggi</dc:creator>
				<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[cloud security]]></category>
		<category><![CDATA[GFI MailEssentials]]></category>
		<category><![CDATA[GFI webcast]]></category>
		<category><![CDATA[webcast]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10368</guid>
		<description><![CDATA[Every month we organize some exciting webcasts that cover a variety of topics – have a look at this month’s line-up and sign up for what best suits your needs! Spotlight on GFI MailEssentials® March 5, 2013 – Time: 9:00 &#8230;]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.gfi.com/blog/wp-content/uploads/2013/01/GFI-webcast_evolved_JAN13.jpg"><img class=" wp-image-10258 alignright" style="border: 0px solid black; margin: 10px;" title="GFI webcasts" src="http://www.gfi.com/blog/wp-content/uploads/2013/01/GFI-webcast_evolved_JAN13.jpg" alt="" width="240" height="225" /></a>Every month we organize some exciting webcasts that cover a variety of topics – have a look at this month’s line-up and sign up for what best suits your needs!<span id="more-10368"></span></p>
<h2><strong>Spotlight on GFI MailEssentials®</strong></h2>
<p><strong>March 5, 2013 – Time: 9:00 a.m. PST / 12:00 p.m. EST / 5:00 p.m. GMT / 6:00 p.m. CET</strong></p>
<p>Discover how GFI MailEssentials protects your network against email-borne viruses and other malware threats and delivers a spam capture rate of over 99%. It filters out spam email, phishing scams and viruses through various security layers, including up to five antivirus scanning engines and multiple anti-spam filtering technologies – such as two frequently updated anti-spam engines that require no tweaking, IP reputation filtering, greylisting, directory harvesting attack protection and more.</p>
<p><strong><a href="https://www1.gotomeeting.com/register/700837640">Register now</a></strong></p>
<h2><strong>Who you gonna call? How cloud security services safeguard your business</strong></h2>
<p><strong>March 6, 2013 – Time: 2:00 p.m. ET / 11:00 a.m. PT / 7:00 p.m. GMT</strong></p>
<p>The bad news just keeps coming. In the first days of February this year, The New York Times, The Washington Post, and Twitter all announced they’d been victims of expert-level cyberattacks. Although vigorously denied by Chinese authorities, both The Times and The Post insist that evidence points to a specific, targeted attack from China. In the case of the newspapers, the attacks were politically motivated and used spear-phishing to gain access to the networks of both papers.</p>
<p>This webcast is the second of our three-part Cybersecurity-as-a-Service Series. What makes these attacks truly scary is that they were (presumably) directed by a nation state against commercial firms in the U.S. The attacks blasted right through the anti-malware defenses and infected the networks with 43 different variants of malware.</p>
<p>Fighting this stuff is no longer something most of us can do alone. We need to bring in the big guns. CBS Interactive is proud to present &#8220;Who you gonna call? How cloud security services safeguard your business,&#8221; a live and interactive webcast about how cloud-based security services are able to help you secure your business and users.</p>
<ul>
<li>Learn about how attacks are increasing in severity and are no longer perpetrated just by kids and small-time criminals trying to make a buck</li>
<li>Discover how an attack can break through traditional defenses and an attacker can live inside your network over an extended period of time</li>
<li>Explore how cloud security services can help protect your network from advanced persistent threats and keep your company out of the headlines</li>
</ul>
<p>Don’t miss &#8220;Who you gonna call? How cloud security services safeguard your business,&#8221; a live and interactive webcast featuring CBS Interactive’s Distinguished Lecturer David Gewirtz, one of America’s leading cyberdefense experts, and GFI’s Phil Owens, a leading expert in malware defense.</p>
<p><strong><a href="http://www.techrepublic.com/members/login?path=http%3A%2F%2Fwww.techrepublic.com%2Fwebcasts%2Flive-webcast-who-you-gonna-call-how-cloud-security-services-safeguard-your-business%2F32839403%2Fpost&amp;regSrc=dir-webcasts">Register now</a></strong></p>
<h2><strong>VIPRE® Business Online™ product demonstration</strong></h2>
<p><strong>March 19, 2013 – Time: 2:00 p.m. EDT</strong></p>
<p>You know firsthand the challenges of keeping users and networks safe with limited time and resources. So why not simplify your day-to-day operations and decrease your IT spend with a cloud-managed antivirus?</p>
<p>Attend our 30-minute webcast to see how easy it is to secure your network in the cloud with VIPRE Business Online.</p>
<p><strong><a href="https://www1.gotomeeting.com/register/325290568">Register now</a></strong></p>
<h2><strong>Spotlight on GFI Cloud™</strong></h2>
<p><strong>March 20, 2013 – Time: 9:00 a.m. PST / 12:00 p.m. EST / 5:00 p.m. GMT / 6:00 p.m. CET</strong></p>
<p>Discover how GFI Cloud, our new web-based IT management solution, helps you start managing your IT environment in 10 minutes or less. Whether you have 5 or 500 employees, its simple-to-use dashboard enables you to easily manage essential GFI® software services on all your workstations and servers. Learn more about the first services available on this platform that offer integrated antivirus, asset tracking and network management via a single integrated solution.</p>
<p><strong><a href="https://www1.gotomeeting.com/register/150837872">Register now</a></strong></p>
<h2><strong>Five important steps for using the cloud to protect your network</strong></h2>
<p><strong>March 26, 2013 – Time: 2:00 p.m. ET / 11:00 a.m. PT / 18:00 GMT</strong></p>
<p>So you’ve heard the bad news. You know that cybercrime, cyberespionage, and cyberattacks are all increasing in frequency and ferocity. You also know that the job of protecting networks from foreign and domestic threats can often be bigger than one IT department can handle.</p>
<p>Now, it’s time for the good news. You can protect your network. You can protect it from outside threats, you can protect it from malware, and you can even protect it from those natural byproducts of life in the IT world: the occasional system crash. We have the technology. We have the capability to build a stronger network.</p>
<p>This webcast is the third in our three-part Cybersecurity-as-a-Service Series. CBS Interactive is proud to present &#8220;5 important steps for using the cloud to protect your network,&#8221; a live and interactive webcast about how you can deploy cloud security services to protect and strengthen your networks from threats both sinister and systemic.</p>
<ul>
<li>Learn about the many ways a network can fail, whether due to attacks, bugs, unapplied updates, system crashes, or any of the other typical banes of an IT manager’s existence</li>
<li>Discover how prevention and monitoring can help increase the reliability and mean-time-between-failure of your entire network infrastructure</li>
<li>Explore how cloud-based services (and the teams that provide them) can help you not only protect your network from “bad guy” threats, but also improve reliability and reduce the cost of maintaining your IT infrastructure</li>
</ul>
<p>Don’t miss “5 important steps for using the cloud to protect your network,” a live and interactive webcast featuring CBS Interactive’s Distinguished Lecturer David Gewirtz, one of America’s leading cyberdefense experts, and GFI’s Josh Daggs, an engineer specializing in keeping servers at their best.</p>
<p><strong><a href="http://www.techrepublic.com/webcasts/webcast-5-important-steps-for-using-the-cloud-to-protect-your-network/32874701">Register now</a></strong></p>
<h2><strong>The five secret roadblocks keeping you from your marketing goals</strong></h2>
<p><strong>March 28, 2013 – Time: 11:00 a.m. EST</strong></p>
<p>Are you marketing your business to the best of your ability? Do you really think so? Because, in this webinar, marketing consultant Herman Pool will share some of the 5 secret roadblocks that most marketers are facing without even knowing it.</p>
<p>Herman Pool is the President and founder of <a href="http://www.verticalaxion.com/">Vertical Axion</a>, an MSP Marketing Company based in Texas. As a former Service Provider, Herman knows the ins and outs of the business and the unique marketing challenges that MSPs face.</p>
<p><strong><a href="https://www3.gotomeeting.com/register/954875534">Register now</a></strong></p>
<p>&nbsp;</p>
<p><strong><em>Seats fill up fast, so be sure to register today!</em></strong></p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/march-webcast-line-up/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
