Wednesday, January 25, 2012

WindowSecurity.com Newsletter of January 2012

-------------------------------------------------------
WindowSecurity.com Newsletter of January 2012
Sponsored by: Collective Software <http://www.collectivesoftware.com/windowsecurity.newsletter.201201.authlite>
-------------------------------------------------------

Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com. Each month we will bring you interesting and helpful information on the world of security. We want to know what *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com


1. Editor's Corner
-------------------------------------------------------

*Introduction*

My name is Stu Sjouwerman (pronounced shower-man, originally Dutch), and as I'll be taking over as editor-in-chief of the WindowSecurity.com Monthly Newsletter, I thought it would be a good idea to start by introducing myself. I have been in IT since '79 and wrote four books about Windows operating systems, and recently a book about cybercrime <http://www.cyberheist.com/>. Apart from that, I have been the editor-in-chief of WServerNews since 1997. Here are the archives if you are interested: <http://www.wservernews.com/archives.htm>

WServerNews was originally published by Sunbelt Software, and now by TechGenix. For the last 10 years it has been focused on IT security and system administration. I was part of the management team that decided to build a new antivirus product from scratch, VIPRE Antivirus, so I have been knee-deep in spam, malware and cybercrime since 2003. At the moment I'm the CEO of KnowBe4.com, again an IT security company. I'm excited to be taking over the editorial reins of this newsletter. I hope that the new layout, content, hints and tips will help you keep your domains secure, and your users trained not to fall for social engineering tricks. I always like feedback, so please feel free to email me at feedback@windowsecurity.com.

Warm regards,
Stu Sjouwerman
Editor, WindowSecurity.com Monthly Newsletter


2. Security Detail
----------------------------------------

*Small Fish In Big Pond Invulnerable? Nope.*

Douglas Bonderud wrote an article over at the InfoBoom site about small and midsize enterprises that caught my eye. Reason? He correctly stated something that most of us are guilty of:
"But it's just this attitude that makes the jobs of malware creators and hacktivists easier: Overconfidence by their targets simply paves the way for future attacks. SMB IT managers, by virtue of their position as small fish in a big pond, often take this attitude unknowingly, and it can lead to data being compromised, especially when that data is stored by a virtualized or cloud provider, off-site, and partially under the control of other hands. With one in six SMBs reporting an IT security breach in 2011 and a third of those affected having lost access to files or software, security awareness and the integration of a streamlined, effective, and constantly evolving set of security protocols is essential, whether they take a professionally managed or locally developed form." More:
<http://www.theinfoboom.com/articles/smb-security-awareness-increasing-as-breaches-continue/>


*Microsoft to launch real-time threat intelligence feed*

Redmond is looking to share its wealth of security information with the world through a new real-time threat intelligence feed, the company recently announced at the International Conference on Cyber Security in New York. The project, which is still under development, aims to stream Microsoft's security information on high-profile and dangerous threats to organizations ranging from business partners and private corporations to domestic and foreign governments. Eventually, based on the success of beta testing, Microsoft will consider opening the threat intelligence feed to the public, officials said. More at NetworkWorld:
<http://www.networkworld.com/news/2012/011212-microsoft-intelligence-254846.html?>


*BYOD: How To Minimize Risk*

When it comes to mobile devices, accommodating BYOD, or Bring Your Own Device, is a fact of life for organizations in all industry sectors worldwide. So, what can information security professionals do to minimize the risks involved in enabling staff members to use personally-owned tablets, smart phones, USB drives and other mobile devices for business purposes?

It all boils down to this: Conduct an inventory of all the types of personally-owned devices employees want to use for work-related tasks. Take every possible step to apply as many of the same precautions to these personally-owned devices as you apply to corporate-owned devices. And be sure to enter a clearly spelled-out legal agreement with those who use personal devices for work-related purposes, and then provide them with extensive ongoing training. More detail at Healthcare Infosecurity:
<http://www.healthcareinfosecurity.com/articles.php?art_id=4372>


*WinServer 8 New File System More Secure*

The new file system in WinServer 8 is more secure. It's called ReFS, for 'Resilient File System', and gets you a much higher level of data security than the existing NTFS. One of the design goals of ReFS should make you very happy: to detect and correct corruption, which not only ensures the integrity of your data but also improves system availability: less downtime. Redmond's 'Building Windows 8 Blog' gives all the details, and this is a recommended read, especially the FAQ! Have a look at it:
<http://blogs.msdn.com/b/b8/archive/2012/01/16/building-the-next-generation-file-system-for-windows-refs.aspx>


3. SecureToolBox
-----------------------------------------------

* Free Service: Email Exposure Check. Find out which addresses of your organization are exposed on the Internet and are a phish-attack target:
http://www.knowbe4.com/eec/

* Frustrated with gullible end-users causing malware infections? Find out who the culprits are in 10 minutes. Do this Free Phishing Security Test on your users:
http://www.knowbe4.com/phishing-security-test/

* SANS has a very useful end-user security newsletter that they make available as a PDF you can send to all your employees. Here is the link:
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201201_en.pdf

4. ViewPoint – Your Take
-------------------------------------------

Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved.


5. SecOps: What You Need To Know
--------------------------

*Social Engineering – The Elephant In The Room*

Familiar with www.spiceworks.com? It's a site for system admins that use the Spiceworks software to manage their networks, discuss many IT topics, and help each other keep things up & running. It's a "Facebook for admins", if you will. There are many communities on Spiceworks, and one of them is the security group. One topic that I think you will like is social engineering, and a few days ago there was a great submission that started with:

"Wikipedia's definition of Social Engineering <http://en.wikipedia.org/wiki/Social_engineering_%28security%29> is: "the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims."

"I'm sure you all have cases you can recall where issues have occurred involving some detail, information or security that was breached using Social Engineering techniques. I've been married for more than 33 years and supporting my in-laws' IT needs for most of that time. My mother-in-law, in her 80s, was recently persuaded over the phone by a young man "claiming" to be from Microsoft to provide $285 on her credit card to resolve non-existent problems on her computer. After I explained to her that it was a scam and there was nothing at all wrong with her computer, they contacted her a second time and convinced her to pay yet more money, despite having been told they were cyber criminals and she had paid the money for nothing at all. Their ability to convince her to pay appears to have been better than my ability to show her and explain she had wasted her money. A poor example of business risk, but a very good example of how widespread and effective Social Engineering is, and how less proficient computer users and generally older people are at greater risk." Read the rest of the article here:
<http://community.spiceworks.com/topic/190621-social-engineering-the-elephant-in-the-room>

*January Patch Tuesday Summary*

Microsoft issued seven security bulletins on Tuesday, addressing eight vulnerabilities; here are the breakdowns by Symantec and Qualys:
<http://blogs.csoonline.com/1890/january_patch_tuesday_summary?>

*Who Are The Go-to Cybersecurity Help Groups?*

Mike Cooney at the Layer 8 Blog wrote: "There are a ton of groups out there that offer cybersecurity help and guidance; the trick, it seems, is finding the right one for your organization.

The Government Accountability Office this month issued a report <http://www.gao.gov/products/GAO-12-92> on just that notion saying: "Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Greater knowledge of the guidance that is available could help both federal and private sector decision makers better coordinate their efforts to protect critical cyber-reliant assets."

"Such information though is valuable in that these myriad groups offer guidelines and principles as well as technical security techniques for maintaining the confidentiality, integrity, and availability of information systems and data, the GAO stated.

"When implementing cybersecurity technologies and processes, organizations can avoid making common implementation mistakes by consulting guidance developed by various other organizations. Public and private organizations may decide to voluntarily adopt this guidance to help them manage cyber-based risks," the GAO stated. Who are some of these key organizations?" Read the story at NetworkWorld:
<http://www.networkworld.com/community/blog/who-are-go-cybersecurity-help-groups?>

6. Hackers' Haven
--------------------------

*Why Internet Crime Goes Unpunished*

Roger Grimes, InfoWorld security pundit, tells it like it is: "Until we make the Internet secure, cybercriminals will continue to pull off high-value, low-risk offenses. For cyber criminals, the idiom "crime doesn't pay" is laughable. Internet crime is worse than ever, and the reasons are clear: It's highly lucrative and far less risky than, say, an old-fashioned bank heist. Until we take the necessary steps to increase the risk and lower the value of cybercrimes, we won't be able to stop them.
To fully appreciate the risks and rewards of cybercrimes versus traditional crimes, consider the following statistics from the FBI: In 2010, bank robbers pulled off 5,628 heists http://www.fbi.gov/stats-services/publications/bank-crime-statistics-2010/bank-crime-statistics-2010 and ran off with $43 million. The average robbery netted $7,643." Now, read the rest of the article (not long) and check out the Internet crime stats. They make old-fashioned bank heists seem like amateurs -- scary:
<http://www.infoworld.com/d/security/why-internet-crime-goes-unpunished-183605?>

*Are Passwords Better Off Dead?*

This is an interesting discussion in view of the recent spate of hacking attacks, using social engineering tricks to get passwords and break into large company domains:
"Cormac Herley, a principal researcher at Microsoft Research, says passwords aren't dead but they need fixing. I think passwords are better off dead. Hell, even Bill Gates called for the death of passwords, and that was six years ago. My Network World colleague Tim Greene wrote about Herley's thoughts recently and this is some of what he said. While many call for replacing passwords altogether with something else, they may be doing so based on little or no hard evidence, says Cormac Herley, a principal researcher at Microsoft Research. Keystroke logging, brute force attacks, phishing and session hijacking are all used to get around passwords, but it would be impossible to draw a pie chart of how much each method was used because nobody knows, he says in a paper on the subject. "We don't know the slice sizes, not even approximately," he says. In addition to finding out, he recommends other steps that could make password use more effective." Read the rest here: <http://blogs.csoonline.com/1882/passwords_are_better_off_dead?>

*2011 Was The Year Of The Cybercriminal*

Yes, I am a Roger Grimes fanboy. He's a great writer and usually spot on when it's about security. This article summarizes the last year, and why it was a great year for cyber criminals: "Cyber crooks raided networks, pillaged data, and wreaked havoc in 2011, thanks to our persistently shoddy IT security practices." It's a great little article that clearly summarizes our collective sins, and puts the finger on the sore spot. Very instructive:
<https://www.infoworld.com/d/security/2011-was-the-year-the-cyber-criminal-182588?>

7. Fave links & Cool Sites
--------------------------

Electric skateboard with 'Kinect Sensor' uses the gestures of the rider to control its 800 watt electric motor and accelerate it to speeds of up to 32 mph:
http://www.flixxy.com/tablet-controlled-electric-skateboard.htm
---
The purpose of a Rube Goldberg Machine is to make a simple task as complex as possible - turning a newspaper page for example:
http://www.flixxy.com/rube-goldberg-page-turner.htm
---
Welcome to the Future: Samsung just announced a transparent touch-screen which is completely see-through and fits any window up to 46 inches:
http://www.flixxy.com/samsung-smart-window.htm
---
Need a smile? Awesome people and amazing animals:
http://www.flixxy.com/awesome-people-and-amazing-animals.htm
---
Cranes flying over Venice (Italy), filmed from a microlight airplane flying alongside the birds:
http://www.flixxy.com/cranes-fly-over-venice.htm
---
A prototype of a digital carpet that changes patterns as someone walks over it. This is pretty cool!
http://www.flixxy.com/digital-carpet.htm
---
Cat is hat. Look at that! Sophie the cat likes the view from the top:
http://www.flixxy.com/cat-is-hat.htm

TechGenix Sites
----------------------------------------------------------------
ISAserver.org <http://www.isaserver.org/>
MSExchange.org <http://www.msexchange.org/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>

----------------------------------------------------------------
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
WindowSecurity.com is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@windowsecurity.com

Copyright © WindowSecurity.com 2012. All rights reserved.
