Friday, January 21, 2011

Two in Five Social Networkers Have Been Sent Malware

Does this alarm you? It should. Malware can take over your browser, redirect your searches, deliver frustrating pop-up ads, and slow down the performance of your PC. These effects are not only annoying, they are costly to remove. Think upwards of $50 per affected PC and even more for malware removal on a server.

Approximately half of US employees can use social networks from their work machine without any restrictions. Total bans on access to social networking sites are becoming rare as firms recognize the value such sites can bring in raising brand awareness and promoting social media marketing campaigns.


"Over the year, we saw an average of 30,000 new malicious URLs every day - that's one every two to three seconds. More than 70 percent of these are legitimate websites that have been hacked - this means that businesses and website owners could inadvertently be infecting their patrons unintentionally and without their knowledge." 
- Graham Cluley, Senior Technology Consultant, Sophos

So what’s a solution that will allow you to continue realizing the benefits of social media while protecting your organization from malware? Can your current anti-malware solution keep up with 30,000 new malicious URLs per day? A data loss prevention solution with real-time security scanning is ideal. This technology detects threats and analyzes user-generated content in real time as it is posted to blogs and Facebook pages, protecting visitors from exposure to malicious links and spam. Real-time scanning lets you continue reaping the benefits of social networks while preventing nasty malware from slowing you down.


Thursday, January 20, 2011

Risk Management Strategies Shifting Towards a Data-Centric Protection Model

In response to our Smartphone Security post from last week, Mark Mahovlich, Director at Attevo, provides the following insight:

The introduction of smartphone technologies into the corporate environment is creating a shift in how we design our risk management strategies. The most fundamental change in focus is the movement from the traditional network-based protection model to one that is data-centric. The ability to "wrap" security policies around an individual data element allows an organization to protect its assets and its clients’ Personally Identifiable Information from malicious intent, or simple misuse. If a device (smartphone) can be anywhere at any time, then the same holds true for your data. Data-centric security tools, such as DLP, make it possible to minimize risk no matter where your data resides or how it is being used. DLP is not only about breach prevention, it’s about security best practices in an ever more mobile world.


Friday, January 14, 2011

WikiLeaks - Lessons Learned

Reputation and brand are crucial to an organization’s success.  A single data breach can be crippling to an organization’s image. Brand loss alone is 49% of the cost of a data breach.  Therefore, protection of sensitive data should be a priority for all organizations.  WikiLeaks has caused anxiety for leaders of many organizations, and many are left wondering if their organization is protected.  Just the thought of someone having access to your organization’s or employees’ confidential information is troubling.


Those leaders who have implemented DLP tools are free from the WikiLeaks anxiety. DLP tools not only protect standard data types such as PCI or PII data; fingerprinting techniques also enable organizations to protect any data they deem sensitive. Fingerprinting detects and protects sensitive data despite alteration, reformatting, or other modification, and covers whole or partial documents as well as derivatives of the protected information. Examples of data organizations fingerprint are executive summaries of documents or specific customer records.

How does fingerprinting work?

“Fingerprinting technology examines the content of documents or raw data and extracts a set of mathematical descriptors or "information fingerprints." These fingerprints are compact and describe the underlying content. By assigning unique identities to each information asset, fingerprinting technology can track information in motion with great precision.”
- Websense

Start thinking about how a DLP solution might ease some of the concern in your organization. 
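As an added example (not part of the original post, and not Websense’s or any vendor’s actual implementation), here is one simple shape such a fingerprint can take: the protected document is reduced to a set of hashed word n-grams, so a verbatim excerpt or a reformatted copy still matches while an unrelated message does not. The sample executive summary, the 4-word shingle width and the 0.3 threshold are constructed for illustration.

```python
import hashlib
import re

# Illustrative DLP fingerprinting (not a vendor's algorithm): the protected
# document becomes a set of hashed k-word shingles; outbound text is reduced
# the same way and scored by the fraction of its shingles found in that set.

SHINGLE_WORDS = 4   # smaller k = more sensitive to short excerpts, more false positives
HASH_BYTES = 8      # truncated digest keeps the stored fingerprint compact


def normalize(text: str) -> list[str]:
    """Case-fold and strip punctuation/layout so reformatting does not defeat matching."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).split()


def _shingle_hash(shingle: str) -> int:
    return int.from_bytes(hashlib.sha256(shingle.encode()).digest()[:HASH_BYTES], "big")


def fingerprint(text: str, k: int = SHINGLE_WORDS) -> set[int]:
    """Set of truncated SHA-256 hashes of every k-word window in the text."""
    words = normalize(text)
    return {_shingle_hash(" ".join(words[i:i + k])) for i in range(len(words) - k + 1)}


def containment(protected: set[int], candidate_text: str, k: int = SHINGLE_WORDS) -> float:
    """Fraction of the candidate's shingles present in the protected fingerprint.

    1.0 = wholly drawn from the protected document (full copy or verbatim excerpt);
    0 < score < 1 = derivative with edits. Fewer than k words yields no shingles
    and scores 0.0, so very short fragments are a known blind spot of this scheme.
    """
    cand = fingerprint(candidate_text, k)
    if not cand:
        return 0.0
    return len(cand & protected) / len(cand)


def is_leak(protected: set[int], candidate_text: str, threshold: float = 0.3) -> bool:
    """Policy decision: alert/block when enough of the outbound text is protected content."""
    return containment(protected, candidate_text) >= threshold


# Constructed sample: an "executive summary" the organization chooses to protect.
PROTECTED_DOC = """Executive Summary: Q3 customer retention fell to 71 percent.
Acme Widgets will renegotiate the Northwind Traders contract in November.
Projected churn for the enterprise tier is 12 percent next quarter."""
PROTECTED_FP = fingerprint(PROTECTED_DOC)

if __name__ == "__main__":
    for msg in ["EXECUTIVE SUMMARY -- q3 customer retention fell to 71 percent!",  # reformatted copy
                "FYI the Northwind Traders contract in November is up",           # edited excerpt
                "Lunch is at noon on Friday in the main conference room"]:        # unrelated
        print(f"{containment(PROTECTED_FP, msg):.2f} leak={is_leak(PROTECTED_FP, msg)} {msg!r}")
```

The edited excerpt scores 0.5 because the four shingles spanning the changed words drop out while the untouched run still matches; that graceful degradation is what lets fingerprinting catch derivatives that exact-hash comparison would miss.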

Wednesday, January 12, 2011

Hot Topic: Smartphone Security

Cell phones have come a long way, from the Gordon Gekko 80's brick phone to today’s smartphones, which are essentially pocket-sized computers. Cell phones are no longer "just" a phone: they help us organize our lives, stay in touch via social networking, and waste time. As more and more people adopt smartphones, they become an enticing frontier for hackers everywhere. Smartphone security is going beyond protecting against physical loss. Many organizations whose employees use smartphones to store company data overlook simple security measures that are standard for any laptop or any other device with access to the internet.

There are many companies that see this space for what it is, a relatively underpenetrated market with room for growth. Virtualization giant VMware has partnered with smartphone manufacturer LG, and they have begun building a smartphone with two virtual machines, one for work and one for personal usage. These machines would be completely isolated from one another, allowing an organization to support, distribute, and secure one type of smartphone while employees also use the phone for personal purposes without risking exposure of company data. Internet security firm Check Point Software found in a global survey that 64% of organizations are concerned that the growth in remote users will result in exposure of sensitive data and, as a result, are looking to encrypt and protect mobile devices. Smartphone manufacturers have also begun building proprietary encryption for their phones, or partnering with encryption companies. The gold standard for secure, encrypted smartphones is BlackBerry, which has been deemed secure for use at some of the highest levels of government.

The moral of the story is: protect yourself against these developing threats by installing anti-malware software on your smartphone, and beware of the inherent risks when downloading mobile apps and clicking on mysterious links on social networking sites. Treat your cell phone like you treat your laptop; after all, the delineation between these devices is getting fuzzier and fuzzier.

Friday, January 7, 2011

Bank of America Prepares for WikiLeaks Disclosure

The Bank of America is on edge about a statement made by WikiLeaks founder, Julian Assange. The statement claims that early this year (2011), a major American bank will suddenly find itself turned inside out. In response to this statement, Bank of America has created a team of 15 to 20 internal and external experts to come up with a damage control plan in the event that WikiLeaks releases documents that would affect its reputation and brand. An internal investigation to determine what internal documents have been leaked to WikiLeaks has already begun.

Since Assange has announced that a company in the banking industry will be affected next, there has been speculation within the industry that the bank he is referencing is Bank of America. Bank of America has stated that its investigations have not led to any information regarding what documents WikiLeaks may have, but it wants to be prepared.

Thursday, January 6, 2011

FinallyFast.com to Refund Thousands for Deceptive Advertising

FinallyFast.com is a company that promised viewers of its late-night commercials that its downloadable software would “make your computer run fast – the way it’s supposed to.” The company successfully sold its software to thousands of customers, but will now pay tens of thousands of dollars in fines and refunds for its deceptive advertising.

The company will pay $78,000 in penalties and offer refunds to customers who purchased the FinallyFast.com software but did not use it. The company was selling “scareware”, software that claimed to find problems on every computer it tested, no matter what the condition of the computer actually was. Companies should be cautious of trusting just any vendor. This is true in the DLP space as well. Make sure you are working with reputable software providers and thoroughly research software tools before they are used.

Would an employee at your office be able to download software similar to the product FinallyFast.com offers? Do you have any processes or policies in place to prevent unwanted software from being downloaded? This is an important aspect of computer use that organizations should consider.

Wednesday, January 5, 2011

Geisinger Health System Breaches Protected Health Information

Physician-led Geisinger Health System (GHS) is a healthcare system based in Pennsylvania. GHS stated that approximately 2,928 patient names, medical records, procedures, indications, and physicians’ patient notes were emailed by a former physician to his home email account. The email, which was sent in early November, was unencrypted.

Although the email did not contain addresses, telephone numbers, Social Security numbers, or any financial information, GHS sent notification to affected patients to comply with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The HITECH Act broadens the scope of protection available under HIPAA. It also increases the potential legal liability for non-compliance and provides more enforcement.

Tuesday, January 4, 2011

Reported Data Breaches in 2010 - Numbers to Increase in 2011

In 2010, 662 breaches were reported exposing a total of 16,200,000 records. This equates to approximately 24,471 records per breach. Sixty-two percent of these breaches involved Social Security numbers and 26% of 2010’s breaches involved credit or debit cards.



The most common ways breaches occurred include hacking into computer systems (17%), theft or loss of laptops or flash drives (16.6%), insider actions (15.4%), and accidental exposure (10.7%).

According to an article published by Identity Theft Resource Center, an estimated 10% to 15% of breaches are actually reported. With cybercrime and data thefts on the rise, breaches will increase, but will the number of reported breaches also grow?  As state and federal government data breach regulations and PCI and FTC rules become more stringent and are enforced, we will likely see more publicized breaches.