The $100 Billion Problem No One Is Talking About

January 3rd, 2012

I thought this article by Kevin West, CEO of Klogix, a data security software company, hits the mark on data loss, the future trend and the general lack of urgency with which companies are protecting themselves.

Here are the general highlights, and you can read the full Forbes article here.

Although he references the US in this post, you can extrapolate the data to get a Canadian perspective. Either way, this is a problem north and south of the border that needs attention.

If data loss continues on its current trend, it will cost the U.S. economy $290 billion by 2018. This equates to 1.6% of GDP.

The 2010 U.S. budget allocated $290 billion to Medicaid – that’s a topic that gets plenty of attention. But the $290 billion problem of data protection is largely ignored, even by those most affected by it – U.S. corporate executives.

Here are a few current trends that nearly guarantee data protection costs will continue to spiral out of control. Kevin expands on each one in his article.

• Intellectual Property in Foreign Hands – Globalization has had a dramatic impact on our intellectual property.

• Cyber Security Training – there is little formal training offered in the subject of cyber security.

• ‘Bring Your Own Device’ Policies in the workplace – 48% of information workers bought smartphones to use for work purposes without considering the requirements and policies of their IT department.

What Can You Do to Buck the Trend?

• Make this National Problem Personal

• Make Data Security a Competitive Advantage

Wondering how to prove your data security efforts are just average (and thus at risk)? To start, ask your team these simple questions.

  1. Do you have a procedure in place for action following a cyber attack?
  2. Are you certain your employees do not send intellectual property or private data over any Internet channel, including Gmail and Facebook?
  3. Are you certain all corporate access is shut down once a consultant leaves your organization?
  4. Do you understand the security policies of your offshore providers?

If you answered “NO” to any of these questions, then you are likely exposed to significant revenue loss.

Categories: Data Security, Opinion

Security Labs predictions for 2012

November 17th, 2011

“2011 proved that in the world of enterprise security, anything and everything goes. This year, as broader adoption of mobile, social and cloud technologies explodes, we will see the bad guys move rapidly to take advantage of this shift.” – Dan Hubbard, chief technology officer, Websense

Security Labs predictions for 2012 – by Patrick Runald
With all of the crazy 2011 security breaches, exploits and notorious hacks, what can we expect for 2012? Last year’s Websense Security Labs predictions were very accurate, so these predictions should provide very useful guidance for security professionals. Here are the highlights; the full report can be downloaded here.

1. Your social media identity may prove more valuable to cybercriminals than your credit cards. Bad guys will actively buy and sell social media credentials in online forums.

Trust is the basis of social networking, so if a bad guy compromises your social media log-ins, there is a good chance they can manipulate your friends. Which leads us to prediction #2.

2. The primary blended attack method used in the most advanced attacks will be to go through your social media “friends,” mobile devices and through the cloud.

We’ve already seen one APT attack that used the chat functionality of a compromised social network account to get to the right user. Expect this to be the primary vector, along with mobile and cloud exploits, in the most persistent and advanced attacks of 2012.

3. 1,000+ different mobile device attacks coming to a smartphone or tablet near you.

People have been predicting this for years, but in 2011 it actually started to happen. And watch out: the number of people who fall victim to believable social engineering scams will go through the roof if the bad guys find a way to use mobile location-based services to design hyperspecific geolocation social engineering attempts.

4. SSL/TLS will put net traffic into a corporate IT blind spot.

Two items are increasing traffic over SSL/TLS secure tunnels for privacy and protection. First is the disruptive growth of mobile and tablet devices. And second, many of the largest, most commonly used websites, like Google, Facebook, and Twitter, are switching to https sessions by default, ostensibly a more secure transmission. But as more traffic moves through encrypted tunnels, many traditional enterprise security defenses are going to be left looking for a threat needle in a haystack, since they cannot inspect the encrypted traffic.
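The blind spot in prediction 4 is worth making concrete. The Python below is an added example, not part of the Websense report or of this post: it constructs a minimal TLS 1.2 ClientHello (the host names, random bytes and cipher suite are all constructed sample data) and shows what a gateway can recover from the first bytes of a connection. A plaintext HTTP request exposes method, path and Host header; a TLS session exposes only the server_name (SNI) extension, while the request inside the tunnel stays out of reach unless the organization terminates TLS itself. All function names and the result fields are the example's own.

```python
import struct


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying only an SNI extension (sample data)."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                # client_version: TLS 1.2
        + bytes(32)                                # random (zeros in this constructed sample)
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
        + b"\x01\x00"                              # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # TLS record header


def extract_sni(data: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None if absent or not TLS.

    Every length field is bounds-checked: a gateway sees arbitrary bytes on port 443,
    so truncated or non-TLS input must yield None rather than an exception."""
    try:
        if len(data) < 5 or data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        pos = 4 + 2 + 32                                      # handshake header, version, random
        pos += 1 + hs[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hs[pos]                                    # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(hs)):
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            ext = hs[pos:pos + ext_len]
            pos += ext_len
            if ext_type == 0x0000 and len(ext) >= 5:
                # server_name_list length (2), name_type (1), host length (2), host
                name_len = struct.unpack("!H", ext[3:5])[0]
                return ext[5:5 + name_len].decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None


def summarize_flow(first_bytes: bytes) -> dict:
    """What a gateway learns from the first bytes of a connection.

    Plaintext HTTP yields method, path and Host; TLS yields only the SNI host name,
    and the request inside the tunnel is not inspectable."""
    sni = extract_sni(first_bytes)
    if sni is not None:
        return {"protocol": "tls", "host": sni, "path": None, "payload_inspectable": False}
    try:
        text = first_bytes.decode("ascii")
    except UnicodeDecodeError:
        return {"protocol": "unknown", "host": None, "path": None, "payload_inspectable": False}
    lines = text.split("\r\n")
    request = lines[0].split(" ")
    if len(request) == 3 and request[2].startswith("HTTP/"):
        host = None
        for header in lines[1:]:
            if header.lower().startswith("host:"):
                host = header[5:].strip()
        return {"protocol": "http", "host": host, "path": request[1], "payload_inspectable": True}
    return {"protocol": "unknown", "host": None, "path": None, "payload_inspectable": False}


if __name__ == "__main__":
    # Constructed inputs: one plaintext request and one TLS handshake to the same host.
    print(summarize_flow(b"GET /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    print(summarize_flow(build_client_hello("www.example.com")))
```

Run stand-alone, the script prints the two summaries side by side: the HTTP line carries a path and is marked inspectable, the TLS line carries only the host name. That is why URL- and content-based filtering degrade as sites move to https by default, while destination-based controls keyed on SNI still have something to work with.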

5. Containment is the new prevention.

For years, security defenses have focused on keeping cybercrime and malware out. Organizations on the leading edge will implement outbound inspection and will focus on adapting prevention technologies to be more about containment, severing communications, and data loss mitigation after an initial infection.
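Outbound inspection, as prediction 5 describes it, can be illustrated with a small detector. The Python below is an added example, not the report's or Websense's own logic: it runs over a few constructed proxy log lines (host names under the reserved .test domain and an address from the TEST-NET-2 documentation range) and flags a workstation that contacts a destination outside an allowlist at a near-constant interval, the timer-driven check-in pattern an outbound control would want to sever after an initial infection. The log format, the allowlist and the thresholds are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real traffic): timestamp, source host, destination, bytes out.
# Destinations use the reserved .test domain and a TEST-NET-2 address (198.51.100.0/24).
SAMPLE_LOG = """\
2011-11-17T09:00:00 ws-041 updates.example-vendor.test 812
2011-11-17T09:00:02 ws-041 198.51.100.23 1460
2011-11-17T09:05:02 ws-041 198.51.100.23 1464
2011-11-17T09:07:44 ws-017 news.example.test 5120
2011-11-17T09:10:03 ws-041 198.51.100.23 1459
2011-11-17T09:15:02 ws-041 198.51.100.23 1461
2011-11-17T09:31:10 ws-017 mail.example.test 2048
2011-11-17T10:02:55 ws-017 news.example.test 4096
"""

# Assumed allowlist of destinations the organization has vetted.
ALLOWED_DESTINATIONS = {"updates.example-vendor.test", "news.example.test", "mail.example.test"}


def parse_log(text: str):
    """Parse the four-column sample format into (timestamp, src, dst, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def find_beacons(events, min_connections=4, max_jitter=0.10):
    """Flag (src, dst) pairs outside the allowlist whose connections recur at a regular interval.

    Regularity is the coefficient of variation of the gaps between connections:
    human browsing is bursty, a timer-driven check-in is not."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        if dst not in ALLOWED_DESTINATIONS:
            by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"src": src, "dst": dst,
                             "connections": len(times), "interval_s": round(avg)})
    return findings


def containment_actions(findings):
    """Turn findings into the containment steps the post names: sever the channel, isolate the host."""
    actions = []
    for f in findings:
        actions.append(f"block outbound to {f['dst']} at the gateway")
        actions.append(f"isolate {f['src']} pending investigation")
    return actions


if __name__ == "__main__":
    hits = find_beacons(parse_log(SAMPLE_LOG))
    for hit in hits:
        print(hit)
    for action in containment_actions(hits):
        print(action)
```

On the sample, ws-017 only talks to allowlisted sites and is ignored, while ws-041's four connections to 198.51.100.23 arrive five minutes apart with about a second of jitter and are flagged. The point of the example is the shift in posture the post describes: the decision is taken on traffic leaving the network, after the assumed infection, rather than only at the perimeter on the way in.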

6. The London Olympics, U.S. presidential elections, Mayan calendar, and apocalyptic predictions will lead to broad attacks by criminals.

Cybercriminals will continue to take advantage of today’s 24-hour, up-to-the-minute news cycle, only now they will infect users where they are less suspicious: sites designed to look like legitimate news services, Twitter feeds, Facebook posts/emails, LinkedIn updates, YouTube video comments, and forum conversations.

7. Social engineering and rogue anti-virus will continue to reign.

Scareware tactics and the use of rogue anti-virus, which decreased a bit in 2011, will stage a comeback. Except, instead of seeing “You have been infected” pages, we anticipate three areas will emerge as growing scareware subcategories in 2012: a growth in fake registry clean-up, fake speed improvement software, and fake back-up software mimicking popular personal cloud backup systems.

You can also watch a video of the Websense Security Labs discussing the predictions here.

A dangerous gap in corporate social media security in Canada

October 19th, 2011

There is a huge gap between the acknowledgement of the risk associated with the use of social media and the mitigation of that risk, especially in Canada!

The use of social media in the workplace is growing at a rapid pace. Savvy businesses are using blogs, social networks, wikis and other vehicles to quickly share information with target audiences and reap the benefits.

It is clear that social media presents a business opportunity—and not embracing it results in organizations being left behind.

Having said that, along with these benefits come risks. ISACA (Information Systems Audit and Control Association) has identified the following as the top 5 risks of social media:

1. viruses/malware

2. brand hijacking

3. lack of control over content

4. unrealistic customer expectations of “Internet-speed” service and

5. non-compliance with record management regulations

We wanted to conduct a study to determine what IT and IT security practitioners throughout the world think about the importance of social media as a business tool and the security risks associated with employees’ use of these tools.

The Survey

Websense recently partnered with the Ponemon Institute to assess the social media readiness and risk profile of more than 421 IT and IT security practitioners in Canada.

This was part of a global survey of more than 4,640 IT and IT security practitioners in 12 different countries.

We asked the following:

1. Do you think the use of social media is important in meeting today’s business goals?

2. Do you think there are security risks created by employee usage of social media tools?

3. Do you have enforceable policies governing the use of social media tools in the workplace?

4. What security technologies do you have in place to enable the use of social media while reducing or mitigating the associated risks?

The Findings

Based on the responses we got back, it seems that the rapid spread of social media usage may have caught many organizations off guard and resulted in a dangerous gap in corporate social media security. Here are some specifics to illustrate this gap:

• 70% agree that employee use of social media puts their organizations’ security at risk.

• According to 51% of respondents, viruses and malware infections are increasing as a result of social media use.

This ranks Canada as one of the countries most likely to see social media as a serious threat to their organization.

• In contrast, only 31% say that they have the necessary security controls in place to mitigate or reduce the risk posed by social media.

• Ironically, 64% of the respondents increased internet bandwidth to support social media usage.

Singapore, United Kingdom, Canada, Australia and France are the countries where the greatest percentage of organizations invested in bandwidth to enable the use of social media.

Here’s what I took from the above stats: “The majority of Canadian organizations see the benefits of social media, acknowledge that it has security risks and that these risks are growing, have spent money to increase bandwidth to allow increased usage and threat exposure from these sites, but only a third of these organizations have any sort of security controls in place to mitigate these risks and protect their organizations!”

That is where we see a huge gap in security!

I’ll expand on this topic in my next post and cover the results from our questions regarding social media policy, along with some recommendations.

Why Your Security Strategy Needs to Change – A CSO’s take

September 13th, 2011

Guest Post: Jason Clark – Chief Security and Strategy Officer

Ten years ago a great security program consisted of anti-virus, IDS, and firewalls – but now those protections have lost their effectiveness. Unfortunately, those three outdated security technologies now make up a huge portion of InfoSec spend. And the remaining small pittance is allocated to deal with the most advanced threats we have seen. Doesn’t seem like a fair fight does it?

Research from Ponemon says 90 percent of all companies have been compromised in the last year. Many were targets of advanced malware that compromised web and email channels. Traditional signature-based security measures DO NOT catch these threats. They are too complex and change too fast for those old security measures to keep up.

Compound that with the fact that IT security is now on the CEO’s radar and the board is asking questions about security strategy. I’ve spoken to hundreds of CISOs and CSOs over the last year and the recent data breach headlines are catching their attention. More than ever the IT team is being asked: What is our current risk posture? How do we reduce risk? What is our situation? Are we going to be compromised? What is our strategy? This is our chance. Using this momentum and interest we must change the way we operate and the way executives think about security programs.

The first step is acknowledgement:

You have to realize that at some point you will be compromised and the bad guys will get in. It’s not a matter of IF an APT or a targeted attack will strike; it’s a matter of WHEN. There is no silver bullet.

But, all is not lost! Once you’ve accepted this, the next step is to begin to change the way you plan. You need to be able to get the tools in place to be able to communicate to executives:

“I am going to prevent X amount of attacks. And of the guys that get in, I’m going to know in X amount of time, and I will have them contained in X amount of time. We can significantly reduce the probability that they will be able to access our most important data.” Make sure you have the technology, people, and processes to back up your claims.

This is the new strategy we have to adopt and share. In the next blog, I’ll share the successful strategies I’ve seen from some of the best organizations and CSOs who have adopted this approach. We’ll look at the most common entry and exit points of attacks and how these successful CSOs are focusing their technology investments in those areas.

In the meantime, how many of you have had conversations with your executive team about your security posture? Has this increased in frequency in the last year? Let me know in the comments below.

Categories: Best Practices, Opinion

The 5+1 biggest IT Security Mistakes

August 5th, 2011

A good article in CDN by Ellen Messmer that I was compelled to share. I’ve only listed the mistakes here, but you can read the complete article here. I would also argue that there is a 6th mistake, so I have added social media to this list; see below.

To keep IT going in the era of virtualization, smartphones, social media and cloud computing, you’ve got to avoid these mistakes

Like cleaning the windows, IT security can be a thankless task because they only notice when you don’t do it. But to get the job done in the era of virtualization, smartphones, social media and cloud computing, you’ve got to avoid technical and political mistakes. In particular, here are five security mistakes to avoid:

1. Thinking that the business mindset of the organization is the same as five years ago

2. Failing to build working relationships with IT and upper-level managers

3. Not understanding that virtualization has pulled the rug out from under everyone’s security footing

4. Not preparing for a data breach

5. Complacency with IT security vendors

6. Underestimating the prevalence and advantage of providing access to Social Media and Web 2.0 sites

Today’s generation is joining the workforce having grown up using social media. Restricting access based on a traditional binary yes-or-no policy is a mistake and could hurt your business.

Read the complete descriptions of the other 5 mistakes here.

Cyber Criminals Move Operations to Canada

July 18th, 2011

As a Canadian, I was surprised to hear that cyber criminals are moving their operations to Canada, a country known for global citizenship, hockey, and great beer! But a recent analysis of Canada’s cyber security risk profile clearly pointed to Canada as the new hot launching pad for cyber criminals.

Why? Partly because of our squeaky-clean reputation. IP addresses in China and Eastern Europe are highly scrutinized and undergo intense evaluation and filtering. So hackers are reacting by moving their networks to Canada. Given Canada’s great internet infrastructure, bandwidth and clean cyber slate – it makes for an ideal host.

Apparently, the word is out, and the ‘bad guys’ are infiltrating legitimate computers across all provinces. The PCs in our homes and businesses are being remotely controlled and making Canadians unknowing cyber crime hosts.

As a result, Canada’s ranking for hosting cyber crime has dramatically increased from #13 in 2010 to #6 in 2011.

Read the rest of my blog on IDG Connect.

Cisco Flips out Consumer Plans

April 13th, 2011

I was thinking about how to best articulate my feelings/thoughts when I heard this news.

Then I read Paolo Del Nibletto’s blog post, and he articulates my very exact sentiments on this move by Cisco.

Granted, I don’t know the specifics of the numbers, but I am, as Paolo says, very disappointed.

Here is his blog post; you can read more on this story at itworldcanada.com.

BTW Paolo – I am venturing a guess that you are not alone in your disappointment with this move – there’s got to be a company out there willing to pick up this technology at a steal!?

I have never been more disappointed in Cisco Systems as I am today.

As you are probably aware by now Cisco decided to put an end to its popular Flip digital camera and Flip share software. I am a big fan of the Flip. I have several of them including one from the original PureDigital days. Cisco acquired PureDigital a few years ago for $590 million.

I think the Flip is a perfect solution for me both professionally and personally. I really enjoy using the product. It’s super easy. But I guess I’m in the minority.

Cisco said that some aspects of its consumer business will still move forward – mainly its Linksys products – the motivation behind the move is to bring all of its technologies back to the enterprise and service provider business.

So what happened to Cisco’s consumer play and long term strategy that started with acquisitions of Scientific Atlanta and Linksys and others?

The big trend these days is the consumerization of IT. I’m pretty sure I heard John Chambers, company CEO, say that a number of times in keynotes. He has also told me during press interviews that if you had to fail, he would rather fail fast. And this looks like a fast, dare I say even hasty, decision.

I know that Apple with its iPhone can act as a camcorder, but there is something to be said for a specialty product like the Flip. The Flip was the best product in its class and users look for these types of products.

The Flip’s audio capabilities were lacking, but its latest version with its new port did address that problem through alliance partners.

The writing was on the wall when Jonathan Kaplan head of Cisco’s consumer products business left the company recently. He was the one time CEO of PureDigital.

Cisco also continues to carry the consumer version of its TelePresence videoconferencing system, called Umi.

We are deep into the YouTube generation and Cisco no longer has a product that’s perfect for YouTube. I hope Cisco does not shelve the Flip and sell it to another company. I doubt they will do that.

Cisco said it would continue to support Flip users like me, but at the end of the day the Flip is no longer a priority for Cisco and that makes me sad!

Categories: General, News, Opinion

Golf Video Scam gets 200,000 Likes on Facebook!

April 11th, 2011

The latest scam making its way across Facebook is one that links to a video titled “The Hottest & Funniest Golf Course Video – LOL” (example screen shot below).

During the 15 minutes it took to write this post over 7,000 new users liked the page, so it’s clear this is a successful campaign.

This latest scam is very similar to a lot of others we see on a regular basis on the world’s most popular social networking site. This one, however, seems to be especially popular. I’m guessing it’s the combination of the following three words: Hottest, Funniest and Golf! When clicking on the link you’re taken to a page (see below), tricking you into not only liking the page but also sharing it with your friends. It does this by using standard Facebook APIs.


The page that you are tricked into liking has been liked by over 272,000 users to date, and doesn’t really have anything to do with the scam itself but seems to be there to create the appearance of a legitimate site. The quote “<name>, are you scared? Of course I’m scared. I’m not Superman” is a quote by the actor Jackie Chan.

After liking and sharing the page, and attempting to view the video, the user is taken to a typical CPA Survey scam so in the end there’s no video at all. Note that the attackers haven’t even bothered to change the title of the last payload site. The title still says “Look What Happens When a Father Catches her Daughter on Webcam” which is another scam that went around Facebook months ago.

As always, if a video forces you to like, share, or install an app to view it, DON’T DO IT! I also suggest installing Defensio, a free security app for Facebook, that will help keep scams like this from ever appearing on your news feed in the first place.

Categories: News, Web 2.0

5 disappointments with Apple’s new iPad 2

March 3rd, 2011

I finally got to see Steve Jobs’ keynote late last night. I love the fact that the form factor is thinner and comes in white and black. I love that the battery life and pricing have remained the same. I am also impressed with the two cameras and the $49 apps that they released. The HDMI connection that mirrors what’s on your iPad on your TV is also a welcome update… Angry Birds on a 47″ LED TV… gotta love it!

Having said that, I do agree with Jared Newman who wrote the following article on CDN / ITbusiness.ca

He points out 5 ‘disappointments’ that include pricey dongles, too few OS improvements and still having to use iTunes on your PC.

Here is the article…

Apple Inc.’s (NASDAQ: AAPL) iPad 2 is the lighter, thinner and faster tablet we were all expecting, but it’s no revolution.

Even though the new iPad is enough to beat most of the competition, Apple left enough features off the table to yearn for whatever’s next.

If 2011 is the year of the iPad 2, as Apple claims, here’s what I’ll be beefing about until 2012:

1. You’re Still Tethered to iTunes

Dave Schumaker of gdgt zinged Apple with a pithy Tweet: “‘The iPad is a true post-PC device.’ First thing you have to do when you turn on an iPad? Hook it up to a PC.” Even if you never sync a single piece of media from a computer to an iPad, you still need iTunes on a PC or Mac to keep the tablet’s software up to date. This needs to change.

2. The Software is Mostly the Same

Apple added a few bells and whistles in iOS 4.3, including iTunes Share and the optional restoration of an orientation lock switch, but fundamentally the iPad OS is the same. Between Android Honeycomb’s widget support, the HP TouchPad’s neat interplay with WebOS phones and the Blackberry Playbook’s powerful multitasking, the iPad is looking more like an oversized iPod Touch than ever. Here’s hoping iOS 5 brings the necessary overhaul.

3. Not a Peep on MobileMe

With MobileMe removed from retail channels, a revamped free version seemed like a safe bet for Apple’s iPad 2 event. The rumor mill was predicting a digital locker for multimedia, and maybe even wireless syncing to iTunes, but no dice.

4. Pricey Dongles

Want to connect your iPad to a television through HDMI? That’ll be US$39 for the Apple Digital AV Adapter. Want to transfer photos directly to the iPad without going through iTunes? That’ll be US$29 for the Apple iPad Camera Connection Kit. Maybe I’m a bit spoiled to complain about these things given that the iPad 2’s main competitor, Motorola’s US$800 Xoom, doesn’t come close on pricing for the tablet itself, but US$68 for a pair of connectivity dongles seems a little unfair.

5. No Retina Display

I’m putting this gripe low on the list because the rumor of a display that doubles the last iPad’s resolution was more or less debunked going in. But you can be sure that some fence-sitters will hold out on the iPad 2, hoping for a screen resolution that makes their eyes cry with joy. Fortunately for them, the iPad 3 speculation is already well underway.

Categories: General, News, Opinion

A New Age of Threats Demands a New Era of Security

February 3rd, 2011

Triton: a unified solution to safely enable use of the social Web and cloud computing, prevent data loss, and extend coverage to the branch office and mobile worker.

A whole new type of security has emerged to combat modern threats that evade legacy solutions: The all new Websense® TRITON™ solution, now available with three new solution modules.

This marks the beginning of the era of the content-secure enterprise. Antivirus, firewalls, and network intrusion prevention solutions fail to protect against today’s targeted, blended attacks. And these point solutions are complicated and costly to manage. It’s time for a new solution.

Read more about the all new Websense TRITON solution.

Join the upcoming webcast to learn more.