EYE ON SECURITY

The World of Secure Development.

by Kevin Carlson

July 2007


July 22, 2007

Compliance and Risk Report Released


According to a new report from the IT Policy Compliance Group, Why Compliance Pays: Reputations and Revenues at Risk, 9 out of 10 firms are exposed to financial risk from data loss and theft.

Among larger enterprises, a publicly disclosed data loss is likely once every three years if the firm ignores security and risk management issues. In contrast, organizations with the best results have delayed the probability of data loss to once in every 42 years, says the organization.

"The vast majority of businesses and public institutions are still struggling with high rates of annual compliance deficiencies, resulting in business disruption, data loss and theft," said James Hurley, senior research manager, Symantec and managing director, IT Policy Compliance Group. "While the probability of data loss and business disruption occurring in an organization is less a matter of 'if' than 'when,' there are a number of compliance, risk and governance practices that, if implemented correctly, could significantly reduce the frequency and impact of these events."

According to the report, organizations with the fewest data losses and thefts focus on improving compliance results, especially in IT general controls and IT security controls and procedures. More notably, the benchmarks show the least data loss among firms that consistently monitor and measure controls against objectives, at least once every two weeks.

Based on what is working among organizations with the fewest data losses, practices the IT Policy Compliance Group sees that will assist businesses in reducing data loss and theft include:

  • Implementing more and appropriate IT controls
  • Reducing control objectives, making it easier to communicate, measure and report against
  • Establishing higher standards for performance objectives
  • Encouraging a culture of operational excellence in IT
  • Conducting monitoring, measurement and reporting of controls against objectives at least once every two weeks
  • Allocating more spend to controls automation

"Control advocates have always been pressed to justify allocating resources on additional controls. This report provides supporting evidence that the appropriate additional controls are not only warranted, but essential to prevent theft and loss," said Rocco Grillo, a managing director in the Technology Risk practice of Protiviti. "The report also links system resiliency with compliance. That is a novel perspective, however, as the paper indicates, there are great linkages between effective controls and resiliency."

Posted by Jon Erickson at 11:01 AM


July 15, 2007

Analyzing Malware


If you're interested in learning more about how law enforcement investigates computer-related crimes, you have a couple of choices -- watch more CSI on television (and rot your brain) or read the recently released CERT paper The Use of Malware Analysis in Support of Law Enforcement, by Nicholas Ianelli, Ross Kinder, and Christian Roylo (and improve your mind).

As the report points out, malware has become a tool of choice for intruders who want to steal information and other assets, or commandeer your systems for other illicit activities. As such, malware is defined as:

software designed and/or deployed by adversaries with malicious intentions as a part of the tradecraft involved in accomplishing a mission. Commonly, the purpose of malware is to gain access to resources or information without the consent or knowledge of the end user. In many countries, including the United States, the actions performed by malware on behalf of an attacker are criminal in nature. Online adversaries use malware as a tool in much the same way that conventional adversaries use firearms, lock picks, and crowbars.

The paper goes on to note that there are different forms of malware, including "Worms," "Trojans," and "Bots," although the authors lump them all together for the purposes of their research. Central to this research was their examination of malware source code and binaries.

All in all, this is a fascinating paper that (sort of) takes you inside the minds of malicious intruders. Well worth reading.

Posted by Jon Erickson at 12:50 PM


July 09, 2007

Spam Up -- But Not Alone


During the second quarter of 2007, spam accounted for more than 90 percent of corporate mail received, according to TrustLayer Mail, a managed security service of Panda Software.

At the same time, Trojans and adware accounted for 49.6 percent of infections detected by Panda ActiveScan in June. Trojans, which increased by 0.75 percent in June, caused 26.89 percent of infections, whereas adware was responsible for 22.72 percent. These figures prove that most new malicious code is created to fraudulently obtain financial benefit. Among the threats distributed by e-mail, the most frequently detected was the Netsky.P worm.

Other types of threats followed the same pattern as in May, with worms taking third place in the ranking (8.71 percent) followed by backdoor Trojans (3.87 percent), dialers (3.34 percent) and spyware (2.99 percent). Bots appear at the end of the list with 2.58 percent of infections.

"Things have not changed much in June," explains Luis Corrons, Technical Director of PandaLabs. "Figures obtained show once more that cyber-criminals are after financial returns. The fact that Trojans and adware were the culprits in almost half of all infections shows that cyber-crooks are mainly interested in online fraud."

In terms of the ranking of June’s 10 most virulent malicious codes, Downloader.MDW is the leader. This Trojan is designed to download other malware onto computers. In second place comes the familiar Brontok.H worm. After this comes Sdbot.ftp, the script used by this family of worms to download themselves via FTP.


Posted by Jon Erickson at 09:02 AM


