Security Response
Showing posts tagged with IT Risk Management
RyanWhite | 15 Jul 2011 15:20:57 GMT

Surveys are a great window into people’s minds, especially when they can illuminate contrasting, and even contradictory, behaviors in the same group. Results from the Symantec Online Internet Safety Survey have done just that. The most compelling finding—that respondents frequently proceed with online transactions they know might be insecure—inspired me to ask not just, “What are they thinking?” but “What are they thinking?!?”

The survey’s focus must be on many people’s minds, as we’ve had an extraordinary response: 301 people in just a few days! My initial impressions of the results are below. Feel free to share your comments and questions on the original edition of this post.

Findings

Risky behavior remains common despite respondents knowing better

...

khaley | 20 May 2011 20:25:20 GMT

At first, I was just plain annoyed. Someone forwarded a hoax email to me twice in the same week. I am often asked about hoax email: “Kevin, you work at Symantec, is this true?” That’s fine; that’s not what annoyed me. What set me off was that both emails had been forwarded to warn me. The forwarder wasn’t even questioning the content of the email. They had accepted clearly bogus warnings about the “world’s worst virus” as fact.
Then I started thinking about the Twitter discussion I recently had about education. Some security professionals are turned off by education because they don’t believe it works. The rest feel it’s important, but never done right. (I fall into the latter category.) And, I decided that my previous approach to educating people about these hoaxes was not working. Just giving people a link to a Web page...

khaley | 17 Nov 2010 13:50:44 GMT

My prediction is that we are all going to become nostalgic for the days of fame-seeking mass mailers and network worms. Think of LoveLetter, SQL Slammer, and Melissa all crashing millions of systems within hours of being released into the wild. Those threats seem quite quaint these days as we enter the third significant shift in the threat landscape.

We moved from fame to fortune (which we have dubbed “crimeware”) in the last ten years. Mass mailers were replaced by malware that steals credit card information and sells phony antivirus products. Malware has become a successful criminal business model with billions of dollars in play. The goal became stealth and financial gain at the expense of unsuspecting computer users. And Trojans and toolkits, like Zeus, are the modern tools of the trade.

We have now entered a third stage—one of cyber-espionage and cyber-sabotage. Cyber-espionage did not begin with Stuxnet, and crimeware does not end with it. In...

khaley | 15 Sep 2010 13:29:02 GMT

“It can’t happen to me”

Hunters and gatherers. Most people think of cybercrime against business as the work of hunters, such as cybercriminals who target and then infiltrate a company to steal from it. Reading the newspaper, it’s easy to convince yourself that these hunters are after big game and that a small business does not have to worry about these targeted attacks. Maybe; however, we’ll talk more about that later. The majority of cybercriminals can best be described as gatherers. They throw wide nets and take advantage of whatever victims land in those nets. Small businesses really must watch out for the gatherers.

Because the barrier of entry is low, there are many gatherers. A gatherer doesn’t have to be a criminal genius. They don’t even need advanced computer skills. They really don’t need to know much at all—except where to buy a toolkit. Toolkits allow criminals with limited skills to get...

Gary Phillips | 13 Aug 2010 13:49:04 GMT

Following an industry conference, I find it a good practice for me to reflect back on what I learned and observed and see how I can apply it to my current work. At the conference there is so much to learn and take in, so I find it helps to let it all marinate for a bit of time and then I can start to uncover the new learning once I’m back at my desk and away from the conference buzz. It’s now been nearly two weeks since BlackHat wrapped up and these are the topics and observations from the conference that have been swilling around in my head. I hope to explore these thoughts more with my industry colleagues and find my way to contribute to improving security industry best practices.
Cyber security professionals need an education

Education remains an area of concern for cyber security professionals. The perception is that universities are graduating computer scientists and other degreed professionals inadequately prepared to...

Vincent Weafer | 27 Jul 2010 13:18:56 GMT

As 2009 came to a close, we at Symantec looked into our crystal ball and made a few predictions regarding what online security trends we expected to see in 2010. Now that we’re halfway through the year, we’re taking a look back and evaluating ourselves based on how our forecasts are panning out thus far.

Here’s a brief recap of how we think our trend predictions are faring. We’ve rated each of them as either “on track,” “mostly on track,” “still possible,” or “more likely next year.”

To view an interactive version of this graphic that provides more detail, please click here. Once you do, you can click on each of our predictions and the corresponding mid-year statuses to read more.

...

khaley | 01 Jul 2010 11:56:13 GMT

Despite threats, companies lack policies on social media at work

Nothing has happened to change the mind of IT management in the last several years; social networks remain a major security concern. What has changed is that social media has become more established, and the ability for IT management to block access to social media is less and less likely. According to some survey work we did, there is only a 1 in 20 chance of your company blocking access to social networking sites.

Part of this is no doubt because of the rush by businesses to adopt social networking in their marketing efforts. Companies have started Twitter accounts, created Facebook fan pages, and established a presence in online communities. What’s clear from our survey is that simply having a presence on social networks is good for business. In our survey, 52% of respondents said that a company’s presence on social media positively impacts their opinion of the company. As for keeping...

Marco Ceccon | 21 May 2010 19:30:24 GMT

IT Governance, Risk, and Compliance: A method of analysis based on the Symantec Response Assessment Module (RAM)

Part I of this blog series introduced the concepts of IT governance, risk, and compliance (GRC). To quote:

“In recent times, companies, organizations, and consulting firms from various sectors have started to address the great issues that lie at the base of IT. These issues are governance, risk management, and compliance. Every organization should be able to transform these problems into opportunities to continually improve IT. In practice, everyone realizes that these three issues are related.”

Here I will continue to expand on GRC issues by touching on phases 1.2.1: Design and 1.2.2: Build.

1.2.1    Phase 1: Design

In the Design phase, datacenter security analysis begins and a...

Marco Ceccon | 08 Apr 2010 23:24:09 GMT

IT Governance, Risk, and Compliance (GRC): A method of analysis based on the Symantec Response Assessment Module (RAM)

1.1    Introduction
1.2    GRC Analysis: a new method based on the Symantec Response Assessment Module
    1.2.1    PHASE 1: Design
    1.2.2    PHASE 2: Build
    1.2.3    PHASE 3: Assess
    1.2.4    PHASE 4: Operate
1.3    Final conclusions


1.1   Introduction

In recent times, companies, organizations, and consulting firms from various sectors have started to address the great issues that lie at the base of IT. These issues are...

khaley | 26 Mar 2010 13:29:33 GMT

I am convinced that the readers of the Symantec Security Response blog are the smartest around! The results from our Password Survey prove it. Actually, the number of responses itself proves it to me. At best, I thought 20 or so of you would take the time to fill out the survey—and that would include most of my close relatives. Instead, we got more than 400 responses in a few short days (not even including my relatives). So, thank you to all who took the time to complete the survey.

I want to comment on some of the results. It may be a stretch to draw too many definitive conclusions from the data, but it will be fun nonetheless. If anyone wants to comment, correct, or vehemently disagree with any of my conclusions, I’ve set up a place to do all that here.

Let’s get started!

My answer to question 1...