Symantec Blogs: Security Response

Kevin Haley | November 17th, 2009

Yes, it’s a cheap trick and not even close to original. But the lesson here is that even obvious social engineering tricks can get people to click on a link. We can’t help ourselves. We love to click. Clicking on links and attachments that are accompanied by just the slightest bit of social engineering appears to be a basic human need. I expect it to show up in a revision of Maslow’s Hierarchy of Human Needs any day now—behind love, but certainly ahead of safety.

I do have a point to all this. Two actually. As we compiled the Security Trends to Watch in 2010, what occurred to me is that the people who most needed to read this information never will. At least not without some social engineering on my part. And since social engineering plays such a prominent role in future trends, it seemed appropriate. So I’ve decided to use this little trick to get people to...

Kevin Haley | November 17th, 2009

The Security Response team has compiled the top security trends of 2009. We pulled data from the Global Intelligence Network and the experiences of the thousands of analysts and security experts at Symantec to come up with the top trends for the year. While none of these trends will be a surprise to anyone even casually following the threat landscape, when compiled and summarized, it is clear that the breadth of security problems in the past year was pretty stunning.

For example:

• Toolkits and threat recycling have made malware easier to create than ever
• Polymorphic technology is being applied to make threats harder to catch
• Botnets, large and small, are used as the foundation of attacks, making most attacks complex
• All major news events are used for social engineering
• Major brands are being appropriated by cybercriminals...

Kevin Haley | November 9th, 2009

One thing I see again and again in this job is that people usually don’t think about security until after they are hit with an incident. Companies create disaster recovery plans after the disaster. They come up with incident response teams after the incident. And consumers get antivirus software after they’ve had a virus infect their system.

People, here is a chance to turn that all around. We’ve seen several incidents of mobile phones being hacked. So far it’s been by old school hackers, those that are doing it just to prove that it can be done. But history shows us that the cyber criminals follow closely behind the old school hackers, and they will not be doing it for kicks—they’ll be doing it to rip you off.
 
Security professionals approach any situation like this with a risk assessment; in other words, they try to figure out what bad things could happen. Then they can hope for the best, but prepare for the worst. If...

Ben Nahorney | July 17th, 2009

In Security Response, our primary objective is to provide virus definitions and firewall signatures to protect our customers from threats in the wild. On the flip side of the coin is Symantec’s Support organization, where we help customers install and configure their security software and, in cases where the worst has happened, help remove threats from a computer or network.

Symantec’s Support organization often receives requests to provide threat outbreak information. In some cases the request is for content aimed at a management level, detailing what their security teams have to do in these cases, which they could use to explain the situation at say, the next board meeting. In other cases the requests come from small business folks who are not necessarily IT or Security managers, but may be the office “computer guy/girl” put in charge of cleaning up an outbreak.

It can be difficult to comprehend what’s happening when a computer is...

Alessandro Deidda | July 16th, 2009

Organizations of all types are concerned with threats that could compromise information security. Managing this aspect is usually a primary concern for information technology (IT) departments. In this context, Information Security Risk Management should be an integral part of all information security management activities and should be applied both to the implementation and the ongoing operation of an Information Security Management System (ISMS). In fact, a systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective ISMS.

The ISO/IEC 27005:2008, a new standard from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), describes the Risk Management Process and its activities for information security and provides guidelines for Information Security Risk Management and supports the...

Grant Geyer | April 16th, 2009

Editor's Note: This is the final installment of a four-part series.

In the three blog articles I have posted so far, we reported on findings from a recent survey to understand security professionals' perception of the threat environment, the loss associated with cyber attacks, and the challenges organizations are facing in handling cyber security. In this final installment, we’ll look at the use of outsourcing to help solve security challenges.

When you...

Grant Geyer | April 1st, 2009

Editor’s Note: Part three in a four-part series

In the first two blog posts in our series on the Managed Security in the Enterprise report, we established that cyber security is still a problem and respondents have experienced real loss (see It’s Tough Out There and Threats Equate to Actual Loss). Exacerbating the problems of frequent cyber attacks and mounting losses is the fact that 49 percent of American organizations reported that it is getting somewhat/significantly more difficult to provide security. Our survey respondents attributed their challenges to four...

Grant Geyer | March 31st, 2009

Editor’s Note: Part two in a four-part series

In part one of our blog series based on Symantec’s new research report, Managed Security in the Enterprise, I provided an overview of the challenges organizations are facing from cyber attacks. While we aren’t surprised that almost all U.S. respondents (88 percent) stated that their organizations have experienced cyber attacks over the past two years, the cyber loss they’ve experienced is staggering.

Incredibly, 97 percent of respondents reported real, tangible loss as a direct result of cyber attacks. When asked about the kind of cyber loss experienced, 46 percent of respondents in the United States claimed that they experienced downtime of their...

Grant Geyer | March 27th, 2009

Editor’s Note: Part one in a four-part series.

Most security practitioners won’t be surprised to hear this: security is tough, and getting tougher. In fact, at times, I’m sure it seems like a perfect storm of problems; the threats are getting worse, losses are mounting, and—in the midst of the global downturn—there are very real concerns around staffing and budgets.

Earlier this week, we announced the findings of a new study, Managed Security in the Enterprise, based on surveys of 1,000 IT managers in U.S. and European enterprises in January 2009. We used this to complement the Symantec Internet Security Threat Report, vol. XIII in order to obtain qualitative data through feedback from security practitioners about changes in the...

Samir Kapuria | March 18th, 2008

This is an issue I explored in a blog post several months ago, IT Risk and the Millennials, which really seemed to resonate with customers and industry peers. Feedback ranged from "great article," to "how are others addressing this choice vs. control dilemma?" to skepticism about this theory and the desire to see more quantifiable research validating my previous thoughts.

So, with all of this in mind, we did just that. We went out and commissioned a study with Applied Research-West to measure IT risk issues surrounding the emerging millennial workforce within companies. The study was conducted with 600 people, including three groups of 200 respondents each: IT decision makers, millennial workers (born after 1980), and older workforce (born before 1980). Our goal was to measure millennial workers' perceptions...

Jeremy Ward | February 12th, 2008

So you think IT risk management is a science? Or maybe you’ve never thought about it—you've just assumed that some clever expert has worked out all the angles. Unfortunately that’s not the case. The latest Symantec IT Risk Management Report gives some figures about how organizations manage (or fail to manage) their IT risk. It makes for interesting reading and includes some data about real incidents, analyzed jointly by Symantec and MIT’s Center for Information Research. However, what is clear is that IT risk management, although not a science, is evolving as a business discipline.

Correlation analysis of the data in the report shows that organizations are beginning to follow a natural progression in the way that they treat the management of their IT risk. They tend to start by looking at the security risk, then move on to consider availability and delivery risk, and finally address performance and compliance risk by implementing the more strategic...

Jeremy Ward | February 6th, 2008

So, you think that there’s a magic bullet to deal with IT risk? In fact you probably wish there was, but since you don’t believe in Santa Claus, you know there isn’t! Of course that doesn’t stop people from looking for a quick technology fix. However, the latest Symantec IT Risk Management Report reveals that technology is not necessarily the issue. The report cites a study conducted jointly by Symantec and MIT’s Center for Information Research, showing that the majority (53 percent) of IT incidents have a process-based cause. Interestingly, the report also shows that organizations believe their technological effectiveness is declining. Last year’s number one effective control set was network, protocol, and host security. It’s still up there at the top, but there’s been a reduction of 16 percent in those who think they’re more than 90 percent effective (down from 47 percent to 31 percent).

Experience shows that it’s a balance of technology, process, and...

Jeremy Ward | February 4th, 2008

So you’ve got a project to manage the risk to your IT systems? Well, in actual fact you probably haven’t! (It’s more likely that you’re too busy dealing with incidents.) The latest Symantec IT Risk Management Report suggests that bad things are going to happen to your IT and information pretty often. In fact, 69 percent of people thought they would probably have some sort of IT incident about once a month or more (2 percent thought they’d have them every day). Sixty-two percent of people thought they would have a major IT incident and 26 percent expected to have a regulatory non-compliance incident at least once a year, while 25 percent expected data leakage from their IT systems and 8 percent thought they would have a major information loss at least once a year.

From this it’s pretty obvious that a single project isn’t going to address your risk management...

Jeremy Ward | February 1st, 2008

So you think that risk is all about security? Well, we deal with risks to our personal security every day – each time we cross the road! But ask someone to think about more impersonal risk, like that to IT, and it becomes difficult to define what we mean.

The latest Symantec IT Risk Management Report aims to build a common understanding about IT risk, which it views as consisting of four elements: security, performance, availability, and compliance. When most people consider the risk to their IT systems, they immediately think about security and the need to keep bad things out and good things in. However, the report shows that concerns about availability risk have now come to the fore—78 percent of participants saw it as a serious or critical risk to their business. This makes a lot of sense when you know what it can cost your business if you lose the...

Jeremy Ward | January 30th, 2008

Today Symantec launched Volume II of the IT Risk Management Report, entitled “IT Risk Management – From Myth to Reality.” It analyzes the results of interviews with more than 400 IT executives and professionals from around the world during 2007. As the title implies, the report takes a look at the truth behind four common myths around IT Risk Management.

Myth One: IT Risk = Security Risk

The report clearly demonstrates that people really don’t believe this myth any more. In fact, most (78 percent) of those participating in the survey thought that availability was the most important aspect of IT risk. While more than half of the participants rated every risk element serious or business-critical, only 15 percentage points separated the highest and lowest elements.

Myth Two: IT Risk Management is a Project

Well...