Security Blog

Blog Entry Jan 18, 2012

What Companies can Learn from the Zappos Breach

Companies are under siege from cyberattacks more than ever, with news of data breaches, phishing attacks, and other digital security exploits nearly a daily occurrence. So when news broke that online retailer Zappos (now owned by Amazon) had been the victim of a new cyberattack, I'm sure we shrugged our shoulders and collectively said "Here we go again."

While the full details of the how and why of the Zappos attack are still to emerge, an email from Zappos CEO Tony Hsieh to employees earlier this week stated that "We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky." Zappos immediately issued a forced password reset of all 24+ million customer accounts, and also sent an email to customers telling them about the breach, advising them to reset their passwords, and pointing them to additional resources for information.

I think Zappos handled the breach better than most, and it could serve as a good example for other companies to follow. Companies that are slow to reveal an attack to their customers, hide their heads in the sand, or immediately set out with a blame-shifting strategy deserve to be criticized.

ESET Security Researcher Cameron Camp goes into more detail about what Zappos did right in a blog post over at the ESET Threat Blog, and I'd suggest that Camp's post should be required reading for the CEO, CISO, and IT/PR departments of every company that maintains a database of customer information. Here's one especially good bit of advice that Camp offers to any company that wants to maintain good relationships with its customers after a breach:

Tell users where to find more information: [Zappos] put up a special website to disseminate information as it becomes available. This does two things: 1) established a central clearinghouse for relevant information, and 2) reduced the repetitiveness of the requests their support staff may r
Blog Entry Jan 4, 2012

Check Point Teams with Amazon for Cloud Security

With polls and surveys continuing to show that IT professionals have concerns about security in the cloud, Check Point Software has unveiled a virtual appliance for Amazon Web Services (AWS) that should help alleviate some of the concerns of security-minded system administrators and security officers. According to Check Point, the company will be offering an AWS-friendly virtual appliance that can be configured to handle such security tasks as data loss prevention (DLP), application control, URL filtering, virtual private networking (VPN), and more.

In a statement announcing the new products, Stephen Schmidt, chief information security officer at Amazon Web Services, applauded Check Point's decision to support AWS. "We offer a shared-responsibility security model that enables customers to choose a security solution that best meets their application's needs, while AWS remains focused on providing a safe and secure infrastructure," Schmidt said. "We are excited that Check Point has embraced this model and is providing an innovative solution for customers."

Oded Gonda, Check Point Software's VP of Network Security Products, stressed that while IT departments are moving to the cloud, most IT organizations are adopting a hybrid approach that leverages both on-premises and off-premises IT resources. "As many businesses plan to manage their IT infrastructure in the cloud, it's important to protect both cloud and on-premise infrastructure to ensure that all corporate assets remain secure," Gonda said. "One of the best ways to achieve this is to enforce a consistent security policy across the organization."

Check Point's announcement states that the new virtual appliance is available now, and that pricing is "based on the existing software blade licensing and can be purchased through the Check Point worldwide network of value-added resellers." Find out more about the new Check Point virtual security appliances for AWS by visiting the Check Poi
Blog Entry Dec 13, 2011

Smartphone Security, Cybercrime, and Fraudulent SSL Certificates Top Symantec 2012 Security Trends

2011 will likely be remembered as one of the most infamous periods in IT history from a security standpoint. From attacks by LulzSec and Anonymous to questions about mobile device security, 2011 had plenty of ulcer-inducing security episodes. The new year will likely have its own share of security headaches, and Symantec Senior Intelligence Analyst Paul Wood recently posted his take on what IT professionals may be losing sleep over in 2012.

First on Wood's list is the continuing threat from advanced persistent threats (APTs) that target business and government infrastructure. Wood points out that many companies aren't paying attention to the critical infrastructure protection (CIP) programs developed by state and federal governments: "A recent Symantec Critical Infrastructure Protection (CIP) Survey found that companies are generally less engaged in their government's CIP programs this year when compared to last. In fact, only 37 percent of companies are completely or significantly engaged in such programs this year, versus 56 percent in 2010."

We've written a lot about mobile security issues in 2011, ranging from multiple cases of malware targeting Android devices to the controversy around Carrier IQ, a company that develops programs that track subscriber data for wireless carriers. Wood quotes a Gartner report that indicates more than 461 million smartphones will be sold by the end of 2011, surpassing PC sales for the first time in history.

The growth of cybercrime is another security trend to be wary of for 2012, with large criminal organizations developing tactics and strategies to separate businesses from their most important data. Wood sees that trend continuing in 2012: "Cybercrime's spread from the criminal underground to the business mainstream was highlighted by a surge in targeted attacks. Symantec's November Intelligence Report shows that targeted attacks are becoming more prevalent in 2011. Large enterprises, with more than 2,500 employees
Blog Entry Nov 9, 2011

McAfee Warns Consumers about Holiday Scams

With the holiday season fast approaching, security vendor McAfee has released information about the "12 Scams of Christmas," a list of what McAfee believes will be the most dangerous online scams of the holidays. Malware targeting mobile devices (particularly smartphones and tablets running Android) and social media threats topped the list, which was posted by McAfee's Gary Davis.

In his blog post, Davis points to a survey by the National Retail Federation that indicates more than 52% of American smartphone users will use their phones for holiday research and shopping. McAfee reports a 76% increase in "malware targeted at Android devices in the second quarter of 2011 over the first, making it the most targeted smartphone platform."

Read: Tips for Securing Android Phones

Phony promotions on Facebook and other social media platforms are also an ongoing risk, with items like fake giveaways for airline tickets and other gifts commonly used by cybercriminals to lure unsuspecting consumers into revealing their banking details, credit card numbers, and other personal information.

Two particularly useful tips involve keeping an eye out for scams centered around delivery services like FedEx and UPS, as well as banks and other financial institutions. Davis describes these in additional detail in his post: A common holiday phishing scam is a phony notice from UPS, saying you have a package and need to fill out an attached form to get it delivered. The form may ask for personal or financial details that will go straight into the hands of the cyberscammer...Banking phishing scams continue to be popular and the holiday season means consumers will be spending more money—and checking bank balances more often. From July to September of this year, McAfee Labs identified approximately 2,700 phishing URLs per day.

All of us know at least a few friends, family members, and co-workers who tend to click first and think later, so all of these
What's Security Blog?

Security news, views, product reviews, and solutions for Microsoft Windows IT professionals.