<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talk Tech To Me - GFI Blog &#187; endpoint security</title>
	<atom:link href="http://www.gfi.com/blog/tag/endpoint-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Fri, 10 Feb 2012 17:18:42 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>GFI Attends Microsoft TechEd 2011</title>
		<link>http://www.gfi.com/blog/gfi-attends-microsoft-teched-2011/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=gfi-attends-microsoft-teched-2011</link>
		<comments>http://www.gfi.com/blog/gfi-attends-microsoft-teched-2011/#comments</comments>
		<pubDate>Thu, 16 Jun 2011 09:11:37 +0000</pubDate>
		<dc:creator>Jesmond Darmanin</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[GFI World]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[GFI]]></category>
		<category><![CDATA[GFI MailEssentials Complete]]></category>
		<category><![CDATA[GFI VIPRE Antivirus Business]]></category>
		<category><![CDATA[Microsoft TechEd]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3331</guid>
		<description><![CDATA[The ever-popular Microsoft TechEd 2011 was held last month from May 16, 2011 – May 19, 2011 in Atlanta, GA, USA. The event was very well attended and GFI were also present in booth #1915 with the theme ‘Fast and &#8230;]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-3334" style="margin: 10px; border: black 0px solid;" title="2011-05-18_16-47-31_913" src="http://www.gfi.com/blog/wp-content/uploads/2011/06/2011-05-18_16-47-31_913-300x168.jpg" alt="" width="300" height="168" />The ever-popular Microsoft TechEd 2011 was held last month from May 16, 2011 – May 19, 2011 in Atlanta, GA, USA.</p>
<p>The event was very well attended and GFI were also present in booth #1915 with the theme ‘Fast and Easy Security’ with focus on Email Security and Endpoint Security featuring <a href="http://www.gfi.com/pages/mec-landing.asp">GFI MailEssentials Complete</a> and <a href="http://www.gfi.com/business-antivirus-software">GFI VIPRE Antivirus Business</a>.  </p>
<p><img class="size-medium wp-image-3332 alignright" style="margin: 10px; border: black 0px solid;" title="2011-05-18_16-47-11_503" src="http://www.gfi.com/blog/wp-content/uploads/2011/06/2011-05-18_16-47-11_503-300x168.jpg" alt="" width="300" height="168" />The GFI team included a presenter who did 10-minute presentations alternating between GFI MailEssentials Complete and GFI VIPRE Antivirus Business, and in typical altruistic GFI manner, T-shirts were given away as prizes while people were entered into our daily drawing to win an Xbox 360 with Kinect.</p>
<p>The pictures show the daily drawings which definitely drew in the crowds!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/gfi-attends-microsoft-teched-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How End Point Security Appliances can Prevent Data Theft</title>
		<link>http://www.gfi.com/blog/point-security-appliances-prevent-data-theft/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=point-security-appliances-prevent-data-theft</link>
		<comments>http://www.gfi.com/blog/point-security-appliances-prevent-data-theft/#comments</comments>
		<pubDate>Mon, 04 Apr 2011 13:29:34 +0000</pubDate>
		<dc:creator>Mohammed S Ali</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[GFI EndPoint Security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3207</guid>
		<description><![CDATA[Data thefts in corporate environments happen quite often although many of them remain unnoticed for a long time. Small and medium sized organizations are usually the most badly affected, especially when no security measures are in place within the IT &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="endpoint security" href="http://www.gfi.com/blog/wp-content/uploads/2010/10/endpoint-security.jpg"><img class="alignright size-medium wp-image-2968" style="margin: 10px; border: 0px solid black;" title="endpoint security" src="http://www.gfi.com/blog/wp-content/uploads/2010/10/endpoint-security-300x225.jpg" alt="Endpoint Security" width="300" height="225" /></a>Data thefts in corporate environments happen quite often although many of them remain unnoticed for a long time. Small and medium sized organizations are usually the most badly affected, especially when no security measures are in place within the IT infrastructure. Recent incidents such as Wikileaks are a very good example of why data theft should be taken very seriously.</p>
<p>Endpoint security appliances do not only protect and safeguard business secrets, valuable assets and economic resources, they also actively prevent severe damage to the company’s reputation which may be ruined were confidential company information (possibly provided by a former employee) to be leaked.</p>
<p><span id="more-3207"></span>There are various reasons why an employee or an insider might behave harmfully towards the management or the corporate organization. Employment contracts or confidentiality agreements are, in today’s world, not sufficient to effectively minimize the risk of malicious actions. This is one of management’s main concerns, and keeping such risks to a minimum is a real challenge.</p>
<p>But what can a system administrator do:</p>
<ol>
<li>To detect and monitor anomalies in user access activities?</li>
<li>To control and promptly block malicious acts?</li>
<li>To prevent damage to and the theft of confidential data?</li>
</ol>
<p>I strongly believe that an <strong>end point security </strong>appliance would be the right answer for all three questions.</p>
<p>An end point security appliance would assist a system administrator to effectively manage user/device access rights, to actively control the access of portable devices and to monitor and detect anomalies and occurrences in the corporate network, such as an employee attempting to copy confidential corporate information onto a USB stick.</p>
<p>Today’s portable devices are very smart; they offer large storage and are able to communicate through multiple standard interfaces. This makes it a real challenge for software manufacturers to develop sophisticated end point security solutions that are up-to-date and always capable of controlling these new portable devices.</p>
<p>An ideal end point security solution offers the ability to scan for new unknown devices and to manage them in a centralised device database, as well as the ability to control and instantly block a portable device accessed on a client machine (e.g. laptop) which is temporarily offline and is not a member of the corporate network.</p>
<p>A good end point security appliance builds on a smart client &#8211; server architecture. In such architectures administration servers mainly focus on the configuration, both in the update and in the management of individual agent protection policies. In such scenarios agents are deployed, installed and run independently on different client machines that require protection.</p>
<p>A very good approach is when an agent communicates periodically with the main administration server, so that the agent can retrieve important updates or perform certain instructions immediately. Furthermore malicious activities should be reported immediately to the administrator where a breach of an existing protection policy has occurred on an agent machine.</p>
<p>Reporting is always an essential instrument to keep the administrator up-to-date. But how should the administrator be informed about a breach of a security policy? An SMS via mobile device would be smart; but classic alternatives such as email or a network message are sufficient. Furthermore, a log entry in the activity database or a note on the dashboard would be a great feature for the system administrator.</p>
<p>If you want to protect your network from portable devices such as USB drives, iPods and PDAs, check out <a href="http://www.gfi.com/endpointsecurity" target="_blank">GFI EndPoint Security</a>. <a href="http://www.gfi.com/downloads/register.aspx?pid=esec" target="_blank">Download your free 30-day trial</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/point-security-appliances-prevent-data-theft/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Have you Considered the Insider Threat of Email Security?</title>
		<link>http://www.gfi.com/blog/have-you-considered-the-insider-threat-of-email-security/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=have-you-considered-the-insider-threat-of-email-security</link>
		<comments>http://www.gfi.com/blog/have-you-considered-the-insider-threat-of-email-security/#comments</comments>
		<pubDate>Wed, 26 Jan 2011 10:00:18 +0000</pubDate>
		<dc:creator>Andrew Zammit Tabona</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[productivity loss]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3117</guid>
		<description><![CDATA[According to a recent report, business users send and receive an average of 110 emails per day. Such a figure indicates that email continues to play a predominant role in the day-to-day activities of an organization and that its use &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="email security" href="http://www.gfi.com/blog/wp-content/uploads/2009/06/computer-security-conficker-virus.jpg"><img class="alignright size-medium wp-image-192" style="margin: 10px;" title="email security" src="http://www.gfi.com/blog/wp-content/uploads/2009/06/computer-security-conficker-virus-300x200.jpg" alt="" width="300" height="200" /></a>According to a recent report, <a href="http://www.radicati.com/wp/wp-content/uploads/2010/04/Email-Statistics-Report-2010-2014-Executive-Summary2.pdf" target="_blank">business users send and receive an average of 110 emails per day</a>. Such a figure indicates that email continues to play a predominant role in the day-to-day activities of an organization and that its use will continue to grow in the years to come.</p>
<p>Because email is so critical, email security is important in ensuring that malicious content arriving via email messages stays out of the organization. Typically, threats ‘from the outside’ include viruses, trojans, custom malicious executable files and embedded scripts within the body of an email.</p>
<p><span id="more-3117"></span></p>
<p>It goes without saying that the repercussions of ignoring these threats could result in considerable damage, including data loss, productivity loss and a reduction in network resources due to consumed bandwidth – effectively all contributing to a hit on your bottom line.</p>
<p>The ‘here you have’ worm in September 2010, which spread via email and tried to trick people into visiting a link that hosted a malicious script, caused a brief yet substantial outbreak which was reported to have slowed down networks at organizations such as NASA, Disney and Procter &amp; Gamble.</p>
<p>Furthermore, Microsoft found that over 90% of the activity related to this worm came from business computers. To reduce the risk of your organization being affected by such an outbreak, you need – at minimum – a solution that offers multi-layered AV scanner protection (the reality is that one AV will react faster than the other in responding to new and emerging threats), attachment scanning (so that you can block certain files by type) and an HTML/script scanning feature that disables embedded scripts or suspiciously crafted HTML code. This, in addition to a respectable anti-spam filter that will remove email threats that are spread within SPAM, should help to keep the bad stuff out…</p>
<p>…but what’s helping to keep the good stuff in? Despite the numerous methods available to help prevent the incoming threat of malicious content via email, the insider threat is one we should take just as seriously.</p>
<p>The vast majority (if memory serves me well it is believed to be something like over 80%) of all security breaches come from the inside. How easy is it for someone in your organization to bring a USB drive into the office and execute a virus that spreads via email to people outside of the company walls? Imagine the embarrassment if your clients find that an email containing a virus that caused them downtime came from you; or the bad press the organization would get if this information was reported on in the media!</p>
<p>Do you have a mechanism in place to stop people from sending out sensitive documents, source code, trade secrets and so on via email? What reasons would people in your organization have for wanting to carry out such acts? Who is most likely to carry out such an act? What processes do you have in place to prevent or mitigate such attacks? These are all questions you need to think about when assessing insider email security threats.</p>
<p>In my opinion, there are a number of reasons why people on the inside might want to carry out such acts. Revenge would probably be at the top of the list; following a termination, redundancy or forced resignation, the employee may seek to ‘get his own back’ by leaking information, distributing a virus, or deleting emails from a shared mailbox they have access to.</p>
<p>Financial gain wouldn’t be far behind in the list of reasons; it involves a competitor engaging the employee to obtain information from the organization that would give the competitor an advantage over other companies (as such, they are essentially assisting the competitor in conducting industrial espionage).</p>
<p>Similarly, if the employee wanted to move to pastures new and start their own business, they would most likely have the intention of getting a head start by using the classified information they gained from their current employer.</p>
<p>In this case, reducing the insider threat requires a solution that implements a content checking module that you could use to check the outbound email for certain keywords or phrases within the email subject, body or attached document, an attachment checking module to block certain file types from leaving the organization’s email server, and a virus checking module that scans outbound emails.</p>
<p>I have spoken to a number of IT managers in the industry who said they turned outbound scanning off “because of the additional load it was adding to my email server” and because “we honestly thought it could never happen to us”, only for one of them to have fallen victim to an insider email security breach following the resignation of a member of staff who attempted to send himself some design documents related to a proprietary piece of software that was being built in-house. This person was only caught because of a routine email check of the email archives after they had left the company.</p>
<p>The bottom line is that it is essential that we do not underestimate the need for an email security solution that can block or quarantine suspicious emails being sent from the inside. Such a solution, along with an effective and well thought out IT security policy and user education, offers a good starting level for 360-degree email security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/have-you-considered-the-insider-threat-of-email-security/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>8 Steps to Securing a Public Machine</title>
		<link>http://www.gfi.com/blog/8-steps-securing-public-machine/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=8-steps-securing-public-machine</link>
		<comments>http://www.gfi.com/blog/8-steps-securing-public-machine/#comments</comments>
		<pubDate>Tue, 23 Nov 2010 11:57:25 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[internet monitoring]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[patch management]]></category>
		<category><![CDATA[public machines]]></category>
		<category><![CDATA[USB security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3020</guid>
		<description><![CDATA[Mohammed S Ali wrote an interesting article about the dangers of using public PCs, so to continue with the topic I’ll be explaining what you need to do to secure a machine for public use. 1. Physical Security The first &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="securing public computers" href="http://www.gfi.com/blog/wp-content/uploads/2010/11/public-computers.jpg"><img class="alignright size-medium wp-image-3021" style="margin: 10px;" title="public computers" src="http://www.gfi.com/blog/wp-content/uploads/2010/11/public-computers-300x200.jpg" alt="" width="300" height="200" /></a>Mohammed S Ali wrote an interesting article about <a href="http://www.gfi.com/blog/lurking-threats-free-services/" target="_blank">the dangers of using public PCs</a>, so to continue with the topic I’ll be explaining what you need to do to secure a machine for public use.</p>
<h2><strong>1. Physical Security</strong></h2>
<p>The first step in securing a public machine is a tricky one, and that is ensuring its physical security. The customer should not have direct access to the machine. If you wish to provide USB support then use a USB hub or a male to female USB cable, but do not allow customers to insert their USB device directly into the computer. The reason for this is that a malicious customer would have the possibility to install a USB or PS/2 key logger and be able to steal potentially valuable data typed by other users, such as login details and passwords. It is also good to remember to secure said USB cable so that a user with malicious intent would not be able to simply pull the USB cable out and deny all other users its use.</p>
<p><span id="more-3020"></span></p>
<h2><strong>2. USB Security</strong></h2>
<p>The first threat that comes to mind on a public PC is the USB port, and with good reason. The USB port should be controlled. If you do not intend to allow your customers to insert any USB devices then ensure that there is no physical access to the port. In the event that you need to allow customers to use USB ports then install software that can control USB usage. Customers should not be allowed to copy executables and other potentially malicious software such as DLLs and OCXs. To implement such a strategy you need software that doesn’t simply filter certain extensions but that is also able to detect the real file type of a file irrespective of its extension. It goes without saying that such a solution should be able to look into archives and not allow password-protected archives to go through either.</p>
<h2><strong>3. Patch Management</strong></h2>
<p>It is essential that your public machines contain the latest security patches. Public machines are a lot more vulnerable to exploits because, while most remote exploits require tricking the user into visiting a malicious site, a malicious user intent on infecting a public machine will simply access the malicious site himself, thus using the exploit as a vector to get his malware installed on the public machine.</p>
<h2><strong>4. Hardware Inventory</strong></h2>
<p>It is also important to ensure that no new hardware is installed or left connected to the machine after hours. Ideally you’d have inventory software which scans the machine after closing time and promptly notifies the person in charge if new hardware is detected. Malicious hardware to protect against includes rogue access points, key loggers and possibly pen drives loaded with malware which are planted to be found by people who will plug them into their home machines to see what they contain, infecting their machine in the process.</p>
<h2><strong>5. Web Access Monitoring/Control</strong></h2>
<p>If you’re allowing your customers to connect to the internet it might be a good idea to restrict access or at least monitor their activity. Such a machine might offer the anonymity that a malicious attacker needs to attack other sites, so any legal fallout from such attacks will fall on you. Adequate internet monitoring can help you in case of legal action.</p>
<h2><strong>6. Controlled Access to the Machine</strong></h2>
<p>Do not allow full administrative access to users. Even if you think you are blocking any possible route for users to introduce software, one of them might find a clever way to go around these limitations. Therefore you want to limit the damage he might cause.</p>
<h2><strong>7. Virus Scanning</strong></h2>
<p>Ensure that the machine is equipped with adequate virus scanning capabilities. It is advisable that other machines monitor that the antivirus software is running as expected and is up to date. This precaution is essential to ensure that if malicious users find a way to introduce software from the outside they are not able to introduce malware.</p>
<h2><strong>8. PC Connection to the Internet</strong></h2>
<p>If your public machine has Internet access, ensure that it’s either not directly connected to the internet or, if it is and has a public IP which is directly addressable from the internet, that it is protected by adequate firewalls. A malicious user can access the machine simply to investigate what software it is running, effectively scouting it for subsequent remote attacks launched later on via the internet.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/8-steps-securing-public-machine/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>The Lurking Threats in Free Services</title>
		<link>http://www.gfi.com/blog/lurking-threats-free-services/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=lurking-threats-free-services</link>
		<comments>http://www.gfi.com/blog/lurking-threats-free-services/#comments</comments>
		<pubDate>Mon, 08 Nov 2010 14:21:46 +0000</pubDate>
		<dc:creator>Mohammed S Ali</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[USB threats]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2976</guid>
		<description><![CDATA[It is a common trend that public institutions such as universities, libraries or similar offices offer free facilities to the public such as providing public computers with internet connection. Generally a USB port is recognized as a standard feature on &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="USB stick" href="http://www.gfi.com/blog/wp-content/uploads/2010/10/USB-stick.jpg"><img class="alignright size-medium wp-image-2977" style="margin: 10px;" title="USB stick" src="http://www.gfi.com/blog/wp-content/uploads/2010/10/USB-stick-201x300.jpg" alt="" width="201" height="300" /></a>It is a common trend that public institutions such as universities, libraries or similar offices offer free facilities to the public such as providing public computers with internet connection. Generally a USB port is recognized as a standard feature on any computer and public computers are no different. The difference lies in the security implemented on these USB ports.</p>
<p>I recall an incident which happened a few years ago in a photocopy shop in Germany which was well frequented by students from a nearby university.</p>
<p><span id="more-2976"></span></p>
<p>The shop offered public computers with free internet connection; however, the main reason for having these computers was to offer a cheap print out service for any common electronic file on the printer machines that were owned by the shop owner.</p>
<p>The USB port was essential on these public computers because it allowed customers to plug in the USB stick which would contain the document that they wished to print out; however, none of these public computers had any security protection in place such as Antivirus and/or Endpoint Security software.</p>
<p>Commonly students would print out legitimate documents such as their assignments or thesis. So when someone brought a Trojan on a USB stick and deployed this malware on one of the public computers by inserting his USB stick into the USB port, nobody noticed the incident.</p>
<p>The Trojan quickly spread on all the public computers that were connected via a shared network. Furthermore, it copied itself on every USB stick connected through a USB port.</p>
<p>Legitimate documents on the USB stick had been duplicated and sent to the email addresses of different recipients. This all happened because of the Trojan; however, students blamed the security leak on the photocopy shop owner.</p>
<p>Which leads to the question: who is ultimately responsible for the damage caused by the Trojan?</p>
<p>As a result of this a dispute occurred between the victims and the photocopy shop owner over the issue of security.</p>
<p>One must remember that sometimes free services can be risky, especially when no preventive security measures have been implemented. And if you want to offer free services to your customers it’s important to offer secure services &#8211; security software does not cost much and will help to prevent situations such as the one described above, which could have easily been avoided.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/lurking-threats-free-services/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>How a simple USB stick can threaten your corporate network</title>
		<link>http://www.gfi.com/blog/simple-usb-stick-threaten-corporate-network/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=simple-usb-stick-threaten-corporate-network</link>
		<comments>http://www.gfi.com/blog/simple-usb-stick-threaten-corporate-network/#comments</comments>
		<pubDate>Thu, 28 Oct 2010 12:20:33 +0000</pubDate>
		<dc:creator>Mohammed S Ali</dc:creator>
				<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[USB threats]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2967</guid>
		<description><![CDATA[Ever found a USB stick in your letter box, at your desk or on the street? What would you do with it? Yes, you’d probably check what’s in there. But wait&#8230; Have you ever thought about the potential risks you &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="endpoint security" href="http://www.gfi.com/blog/wp-content/uploads/2010/10/endpoint-security.jpg"><img class="alignright size-medium wp-image-2968" style="margin: 10px;" title="endpoint security" src="http://www.gfi.com/blog/wp-content/uploads/2010/10/endpoint-security-300x225.jpg" alt="" width="270" height="203" /></a>Ever found a USB stick in your letter box, at your desk or on the street? What would you do with it? Yes, you’d probably check what’s in there.</p>
<p>But wait&#8230;</p>
<p>Have you ever thought about the potential risks you could incur by exploring the content on a stranger’s USB device? Especially if the USB device is connected in an environment where sensitive information and data are available and accessible?</p>
<p>If not, then let me tell you about a true story which I heard from a friend a few years ago.</p>
<p><span id="more-2967"></span></p>
<p>As you may know, business-related data theft is (unfortunately) becoming a common security risk and in most cases the illegitimate knowledge transfer is performed through a simple USB trick.</p>
<p>Most USB devices belong to legitimate users, so how and why would a user insert a USB stick containing malicious code into a machine which is connected to a corporate network?</p>
<p>Often social engineering tricks are required to reach such targets, however, any social engineering activity can only be successful if the victim trusts you and you are able to convince him to perform the steps required to activate malicious code on the target machine.</p>
<p>Going ahead with the story&#8230;</p>
<p>One day someone placed several USB devices in or near specific cars in a car park. These cars belonged to the managers of a successful business company. One of the managers who found one of these USB devices was curious enough to check what was on the device. So without taking any precautions he plugged the USB device into his laptop and this automatically enabled the Trojan that was stored on the USB. It was “Game over” for the poor victim as his laptop was infected; however, the more serious part of the story is that he may well have put his company at risk without even realising.</p>
<p>Any software that controls endpoint connections such as USB devices and manages to either grant or deny access to the corporate system would be of great help to an administrator so as to avoid the injection of malicious code into a clean corporate network.</p>
<p>By blocking access for people to connect unauthorised devices into the corporate network you would prevent unnecessary risks for any company. Furthermore implementing endpoint security software allows your administrator to be notified about any breaches of these existing company policies.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/simple-usb-stick-threaten-corporate-network/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Freeware version of GFI EndPointSecurity released</title>
		<link>http://www.gfi.com/blog/freeware-version-of-gfi-endpointsecurity-released/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=freeware-version-of-gfi-endpointsecurity-released</link>
		<comments>http://www.gfi.com/blog/freeware-version-of-gfi-endpointsecurity-released/#comments</comments>
		<pubDate>Thu, 03 Dec 2009 10:32:47 +0000</pubDate>
		<dc:creator>Jesmond Darmanin</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[GFI Fixes It]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[GFI EndPoint Security]]></category>
		<category><![CDATA[we care]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1707</guid>
		<description><![CDATA[Endpoint security threats are constantly evolving and critical data is lost due to non-existent or ineffective security practices. The proliferation of high capacity thumb drives, smart phones and other portable devices has increased the risk of data leakage and the &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="We Care initiative from GFI Software" href="http://www.gfi.com/blog/wp-content/uploads/2009/08/we-care-new-aug-09.jpg"><img class="alignright size-full wp-image-947" style="margin-left: 10px; margin-right: 10px; border: 0px initial initial;" title="We Care initiative from GFI Software" src="http://www.gfi.com/blog/wp-content/uploads/2009/08/we-care-new-aug-09.jpg" alt="" width="120" height="104" /></a>Endpoint security threats are constantly evolving and critical data is lost due to non-existent or ineffective security practices. The proliferation of high capacity thumb drives, smart phones and other portable devices has increased the risk of data leakage and the volume of data that could find its way out of an organization.</p>
<p><span id="more-1707"></span></p>
<blockquote><p>“Data leakage is a reality that most organizations only accept when a serious breach occurs. A lot of small and medium-sized businesses are unaware of what types of devices are connected to their network, what content is being copied or who is using a particular device. This constitutes a serious security threat for businesses, especially those that handle confidential information, such as financial institutions, health care organizations and so on. The latest version of GFI EndPointSecurity includes monitoring as Freeware because we believe that once organizations see for themselves the benefits of monitoring endpoints, they will want to take action,” GFI’s CEO Walter Scott explained.</p></blockquote>
<blockquote><p>“With our Freeware version, organizations will get a comprehensive picture of what devices are in use, by whom and what type of data is being transferred to these devices within the organization. This is the perfect tool to identify those who may be using unauthorized devices, uploading files that are not permitted or copying data that could be lost through negligence or without permission,” Mr. Scott said.</p></blockquote>
<p>The commercial version of GFI EndPointSecurity allows organizations not only to monitor how endpoints are being used but also to actively manage user access and log the activity of a wide range of portable storage devices. Furthermore, GFI EndPointSecurity helps to prevent data leaks and theft by comprehensively controlling access to these devices with minimal administrative effort, to prevent the introduction of malware and other unauthorized software, and to block devices by class, file extensions, physical port or device ID.</p>
<p>The latest release of GFI EndPointSecurity also includes support for Microsoft Windows 7, support for Microsoft Windows 7 BitLocker to Go encrypted devices, detection of these devices and application of different permissions, an activity log that provides a quick way to view user activity and a series of new reports in the ReportPack.</p>
<p>For more information on the freeware version of GFI EndPointSecurity please visit <a href="http://www.gfi.com/endpoint-security-freeware-software/">http://www.gfi.com/endpoint-security-freeware-software/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/freeware-version-of-gfi-endpointsecurity-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employees are prepared to steal company data!</title>
		<link>http://www.gfi.com/blog/employees-prepared-steal-company-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=employees-prepared-steal-company-data</link>
		<comments>http://www.gfi.com/blog/employees-prepared-steal-company-data/#comments</comments>
		<pubDate>Thu, 26 Nov 2009 14:07:01 +0000</pubDate>
		<dc:creator>David Kelleher</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[confidential data]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[security threats]]></category>
		<category><![CDATA[stealing data]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1616</guid>
		<description><![CDATA[In a previous post, I had talked about two employees who are charged with having allegedly gained access to their former employer’s network even though they had left the company a couple of years before. This week a former employee &#8230;]]></description>
			<content:encoded><![CDATA[
<p><a class="lightbox" title="stressed employee" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/stressed-employee.jpg"><img class="alignright size-medium wp-image-1618" style="margin: 10px;" title="stressed employee" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/stressed-employee-300x200.jpg" alt="" width="300" height="200" /></a>In a previous post, I had talked about <a href="http://www.gfi.com/blog/when-employees-bite-back-security-in-organizations/" target="_blank">two employees</a> who are charged with having allegedly gained access to their former employer’s network even though they had left the company a couple of years before.</p>
<p>This week a former employee with United Way in Miami was sentenced to 18 months in jail and fined $50,000 for accessing his former employer’s network and deleting files from the servers as well as putting a few spokes in the company’s telephone voice mail system.</p>
<p><span id="more-1616"></span></p>
<p>There seems to be a growing trend among employees – disgruntled or not, current or past – who believe that they can do what they want with their employers’ data. <a href="http://www.darkreading.com/insiderthreat/security/management/showArticle.jhtml?articleID=221900815" target="_blank">Two separate studies</a> this week revealed that although employees know that it is illegal to steal or tamper with company data, they are still prepared to do it nonetheless.</p>
<p>The two studies also found that companies are not doing much about the problem, even though they are aware that employees are a major threat to their data. Earlier this year, <a href="http://www.gfi.com/documents/SecurityReport2009.pdf" target="_blank">GFI conducted a survey</a> in the UK, US and France and the results in all three countries showed that internal threats are being given very little priority with less than 20% of respondents stating that internal threats are a concern.</p>
<p>The statistics from the latest studies complement the findings of another survey by the Ponemon Institute earlier this year. Four in 10 employees admit to having taken sensitive data with them to a new position while one third said they would share sensitive data with friends or family in order to help them get a new job. Nearly half said they would steal data if they were dismissed tomorrow from their job.</p>
<p>So a good chunk of the workforce is willing to steal data to further their goals and position; thus you would expect the data owners to be a bit concerned. But no, employers appear to have their heads buried as deep as possible in the sand. They know it is happening; they know they are at risk and still they are not doing anything about it. Great news and a real confidence booster.</p>
<p>With so many channels of opportunity for data leakage, this attitude is baffling.</p>
<p>Here are a few of the most obvious methods:</p>
<ul>
<li>Use of insecure USB memory sticks</li>
<li>Use of web-based personal email</li>
<li>Applications downloaded from the Internet</li>
<li>Sharing passwords with co-workers or friends</li>
<li>Mobile devices, such as laptops, PDAs, smart phones etc</li>
</ul>
<p>Most organizations will tell you that corporate data is extremely important and that secure data is not something to ignore or treat lightly. Securing data calls for a combination of measures using technology and security policies. There are some basic rules that all organizations must follow to secure their data and these include:</p>
<p><strong>Monitor and manage the use of portable storage devices by employees.</strong> If you don’t know what devices are connected to the network and by whom, the risk of data leakage is high.</p>
<p><strong>Limit access to those who need it</strong>. Data categorization and a thorough audit of access permissions are a must. You need to know who has access to data, why that individual has been granted access and whether that person is a single point of failure (e.g. only an administrator has the password to the customer databases).</p>
<p><strong>Use content filtering software.</strong> Scanning outbound corporate email is a must to prevent business confidential attachments – such as customer lists, financial details and marketing plans – from being sent outside of the organization. Access to web-based email accounts should be banned because these are insecure and increase the risk of data leakage and other vulnerabilities. Files can be transferred using web-based email without detection.</p>
<p><strong>Know where the data is. </strong>Organizations need to have complete control over their data and how it is transferred within and outside the building.</p>
<p>Organizations cannot continue to ignore the obvious. Yet with survey after survey showing that they don’t really care, is it surprising that employees are becoming more confident that they won’t be caught?</p>
<p>I don’t think so.</p>
<p>If businesses won’t do anything, someone else will! <a href="http://www.enterprisenews.com/news/x215403567/New-state-rules-seek-to-prevent-theft-of-customer-information" target="_blank">The state of Massachusetts</a> is a case in point. As of March 2010 businesses will have to comply with state regulations that make it harder for confidential and sensitive data to be stolen. The regulations were drafted to counter a breach similar to what happened at TJX but should also help to counter any insider attempts at stealing data.</p>
<p>Hopefully.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/employees-prepared-steal-company-data/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Selling security in a contracting economy</title>
		<link>http://www.gfi.com/blog/selling-security-contracting-economy/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=selling-security-contracting-economy</link>
		<comments>http://www.gfi.com/blog/selling-security-contracting-economy/#comments</comments>
		<pubDate>Fri, 10 Jul 2009 09:22:06 +0000</pubDate>
		<dc:creator>Walter Scott (CEO)</dc:creator>
				<category><![CDATA[CEO Central]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[ceo]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security threats]]></category>
		<category><![CDATA[SME]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=483</guid>
		<description><![CDATA[Up to a few years ago, vendors were united in a single battle cry: your business is at risk… unless…! Scaremongering worked to an extent but it soon became obvious to many organizations that vendors were crying ‘wolf’ far too &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="Security is an investment for any business" href="http://www.gfi.com/blog/wp-content/uploads/2009/07/CEO-Selling-Security-July.jpg"><img class="alignright size-medium wp-image-484" style="margin: 10px;" title="Security is an investment for any business" src="http://www.gfi.com/blog/wp-content/uploads/2009/07/CEO-Selling-Security-July-300x201.jpg" alt="" width="240" height="161" /></a>Up to a few years ago, vendors were united in a single battle cry: your business is at risk… unless…! Scaremongering worked to an extent but it soon became obvious to many organizations that vendors were crying ‘wolf’ far too often. The result has been a growing level of suspicion among SMBs and a tougher challenge for vendors and the channel to convince them otherwise.</p>
<p>Cybercriminals have honed their skills using technology to defraud people. Their modus operandi evolves daily and while financial gain and access to corporate data is a primary reason for their activity, we are witnessing a new breed of hackers whose sole interest is now to cause damage to businesses and governments. The outcome is one that hits businesses’ pockets hard.</p>
<p><span id="more-483"></span>That is why I believe that our messaging and strategy for positioning security to SMBs needs to change. We need to continue creating awareness on the myriad threats that exist out there, but we also need to focus on issues that are of greater interest to businesses: how security (or lack of) hits their profits.</p>
<p>Business owners don’t want to be told how a security threat could possibly affect them but they do want to be told how an email management system &#8211; set up with minimal cost &#8211; will save thousands of dollars by cutting down the number of unproductive hours managing the unmanageable.</p>
<p>They want to be told how a small investment can prevent corporate data from being lost through portable storage devices, social engineering attacks and unmonitored endpoints.</p>
<p>The point here is that we need to correlate security to productivity cost throughout the sales cycle. Obviously there are security risks but what about the costs associated with the above?</p>
<p>Are businesses aware that they are losing hundreds of dollars in non-productive, non-work-related online activity when productivity can be drastically improved if that activity is controlled and monitored?</p>
<p>Do they realize that employees downloading or watching videos on YouTube are hogging bandwidth; bandwidth they are paying handsomely for every month? If eight employees spend an hour a day on social networking sites, the business has lost a full day of productive work. Taking the average hourly rate to be $18, this translates into a non-productive cost of $144 a day or $37,440 a year (260 working days). What if all your employees spent an hour a day browsing the internet?</p>
<p>Do businesses factor in the costs involved if they were to be caught napping and were unable to produce emails requested in a legal suit, let alone the burden on IT administrators to manage growing demands for additional storage space and the nightmare of keeping track of employees’ .PST files?</p>
<p>I have no doubt that many small- and medium-sized businesses are ignoring these facts and this is probably one reason, among many, why security issues are not given proper consideration. Combined with their lack of awareness of how security threats are evolving (and targeting SMBs), it is not surprising that businesses continue to equate security with spam and viruses.</p>
<p>And this is why we need to change our approach to positioning security. Securing business will depend on how effective we are in explaining to customers that failing to address security in today’s ever-changing environment is costing them money – far more than if they were to spend a few hundred dollars in the first place!</p>
<p>We need to change our battle cry once and for all. Security is a cost of doing business but a worthwhile cost if it will safeguard a business’s profits and existence.</p>
<p><em>Walter Scott is CEO of GFI Software</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/selling-security-contracting-economy/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Securing an IT Infrastructure</title>
		<link>http://www.gfi.com/blog/securing-infrastructure/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=securing-infrastructure</link>
		<comments>http://www.gfi.com/blog/securing-infrastructure/#comments</comments>
		<pubDate>Wed, 24 Jun 2009 07:50:56 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[IT infrastructure]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=175</guid>
		<description><![CDATA[Security is a very broad subject and unfortunately one that doesn’t deal in absolutes.  There is no magic pill, no consultant who can tell you just use this and you’ll be totally secure, and if they do, then they’re not &#8230;]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-205" style="margin: 10px;" title="Securing the IT infrastructure" src="http://www.gfi.com/blog/wp-content/uploads/2009/06/Securing-the-IT-infrastructure-300x240.jpg" alt="" width="240" height="192" />Security is a very broad subject and unfortunately one that doesn’t deal in absolutes.  There is no magic pill, no consultant who can tell you just use this and you’ll be totally secure, and if they do, then they’re not being honest. Security is all about compromise; it’s a compromise between level of security, level of acceptable risk, level of inconvenience and cost.</p>
<p>By increasing security you increase costs and inconvenience to the user, yet decrease the level of risk that the organization needs to sustain. However, if we look at the relationship between these factors, we notice that it is not linear. At some point close to the top of the graph, the cost of added security relative to its benefit increases exponentially; that is, it will cost a lot more to slightly reduce the risk to the organization. It is generally about here that one should aim for the cost to benefit ratio to be optimal.</p>
<h3>Considerations</h3>
<p>As I mentioned before, security is not an absolute. It is very important to realize that no matter what you do it is impossible to achieve 100% security, and generally striving for 100% security can be ill advised. As mentioned above, once past a certain point costs will increase dramatically and the business of security will start to seem too expensive to be practical, and that in turn will lead to the biggest risk of them all &#8211; the weak link.</p>
<p>What do I mean by the weak link? Like many things in life, security too is a collection of factors working together, and the strength of that collection is not the sum of all its parts but only as much as the strength of its weakest part.</p>
<p><span id="more-175"></span>Assume that someone has a house which he wants to secure and decides to go all the way and overdo it to get as close to the 100% security level as possible. He installs a vault door as his front door, puts bulletproof glass on all windows and puts titanium bars in front of each one of his windows. He has reinforced concrete on each wall, making his home look like a bunker, and even puts a guard at his front door on a 24-hour watch. Now let’s assume that for whatever reason he leaves a pretty flimsy back door, maybe even facing a dark alleyway. Before getting to this last statement about this house’s back door, a thief would have a pretty hard time trying to get in &#8211; the security level of this house is just too high. But then there is the back door: flimsy, easily opened with minimal force and also facing a dark alleyway – now the whole thing seems just too easy, right?</p>
<p>The story above also applies to our IT infrastructure, only we have perimeter security instead of a front door, we have firewalls instead of guards, we have databases and servers instead of windows and we have internal security instead of back doors. Each element on our network can be an attack point; we have servers, workstations, people, wireless infrastructure, network points, routers, email, storage devices and more. Like the story above each attack point needs to be secure and like the story above it is a bad idea to focus and try to achieve a very high level of security on only a couple of these because they might seem more critical than the others. This is because, like our house example, a malicious person needs only break one point to get to the prize, not all of them.</p>
<p>We take a scenario where the aim is to protect against the disclosure of our client database data. It is an internal database so the first step is to secure it against external access. We put firewalls and various safeguards to ensure that it cannot be accessed from the outside. We also apply all patches and security fixes to the database in a timely manner and spend a lot of money to ensure good physical security. We also implement email security software and put policies in place to ensure that no one can accidentally or intentionally send private data out via email. Let’s also assume that a lot of money and power was spent to ensure that these points have the best security possible.</p>
<p>Excellent, the infrastructure is very well taken care of, but one thing was overlooked in this scenario &#8211; the human element. A member of the sales team, who has legitimate access to the server, decides that he is not paid well enough and that he could do better on his own. After all, he has a nice client list to get him started. So one day he gets to work, queries the database he has legitimate access to and dumps all customer data into a file. He then connects his USB storage device, which he might be legitimately allowed to take to work (this could be his phone or music player, since lots of devices nowadays have ample storage), copies the data and goes home with the company’s client list data. He waits patiently for a month or two so as not to raise any red flags, then quietly quits the company. A weakness in one system just made all the security efforts useless.</p>
<h3>Protect as much as possible</h3>
<p>The secret to effective security is primarily to cover all bases and to cover those bases as well as is economically viable. Everyone has limited budgets, and the trick to effective security is not to use that budget on the most expensive solution possible so as to protect the critical systems, but rather to spread that budget and get the best security-to-cost ratio across all systems. Try to cover all the bases. A network consists of Hardware, Software, a Physical Element and a Human Element. It’s also essential to keep in mind that security is not just a matter of buying software to protect systems and deploying that software. Security is also about educating people; this aspect is just as important as any other and unfortunately is often overlooked.</p>
<p>Finally, as I mentioned at the beginning of this post, security is not an absolute subject, because no matter how much time, money and effort is invested, there will be times when it will fail, and for these times there is yet another aspect to security. When your security is compromised it is very important to detect it as quickly as possible, and it is equally important to have a disaster recovery plan that will allow you to deal with the event in a timely manner. Disaster recovery can help a business save money and help retain customers; ideally it will never be used, but it’s much better to have it and never use it than to need it and not have it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/securing-infrastructure/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

