Now incorporating 112 Review, Community Safety Review & Military Review

Women 4 times more likely to give away passwords than men for chocolate

London, UK 16th April 2008 - A survey by Infosecurity Europe (www.infosec.co.uk) of 576 office workers has found that women are far more likely to give away their passwords to total strangers than their male counterparts, with 45% of women versus 10% of men prepared to give away their password to strangers masquerading as market researchers, with the lure of a chocolate bar as an incentive for filling in the survey. The survey was actually part of a social engineering exercise to raise awareness about information security. The survey was conducted outside Liverpool Street Station in the City of London.


This year’s survey results were significantly better than previous years’. In 2007, 64% of people were prepared to give away their passwords for a chocolate bar; this year it had dropped to just 21%, so at last the message is getting through to be more infosecurity savvy. The researchers also asked the office workers for their dates of birth to validate that they had carried out the survey; here the workers were very naïve, with 61% revealing their date of birth. Another slightly worrying fact discovered by the researchers is that over half of the people questioned use the same password for everything (e.g. work, banking, web, etc.).


“Our researchers also asked for workers’ names and telephone numbers so that they could be entered into a draw to go to Paris, with this incentive 60% of men and 62% of women gave us their contact information”, said Claire Sellick, Event Director, Infosecurity Europe.


As she revealed her details to our researchers one woman said, “even though I have just been to Paris for the weekend I would love to go again.”


Sellick continued, “that promise of a trip could cost you dear, as once a criminal has your date of birth, name and phone number they are well on the way to carrying out more sophisticated social engineering attacks on you, such as pretending to be from your bank or phone company and extracting more valuable information that can be used in ID theft or fraud.”


Workers were also queried about their use of passwords at work: half said that they knew their colleagues’ passwords, and when asked if they would give their passwords to someone who phoned and said they were from the IT department, 58% said they would. Researchers also asked workers if they thought other people in their company knew their CEO’s password. 35% of them thought that someone else did, with Personal Assistants and IT staff being the most likely suspects.


“This research shows that it’s pretty simple for a perpetrator to gain access to information that is restricted by having a chat around the coffee machine, getting a temporary job as a PA or pretending to be from the IT department.” Sellick continued, “This type of social engineering technique is often used by hackers targeting a specific organisation with valuable data or assets such as a government department or a bank.”


One man said, ‘I work for a government department, I would never give my password to anyone else, it could cost me my job’.


Most people used only one (31%), two (31%) or three (16%) passwords at work, but a few poor souls had to use as many as 32! It was also found that 43% of people rarely or never change their password which is very poor security practice.


After the survey was completed, each worker was told ‘We do not really want your personal information, this is part of an exercise to raise awareness about information security as part of Information Security Awareness Week which runs from the 21-25 April 2008. We will tabulate results to find out how good people are at securing their information.’ At this one man told one of our pretty researchers, “You look so well dressed and honest, I did not think you could be a criminal,” which was a sentiment echoed by many others.


Claire Sellick continued, “This is precisely the problem, whether a criminal approaches you on the street or online, they will often not be who they appear to be, a criminal can often look very presentable. Many of the social engineering techniques used by face-to-face fraudsters have been adopted by criminals to encourage people to open spam emails or visit websites that are infected with viruses, trojans or malware, collectively known as crimeware. The crimeware silently takes control of PCs and other devices, then steals identities and cash or in many cases joins the PCs to a network of controlled PCs as part of a “BOTNET” to launch attacks on other people or organisations.”


The survey was carried out as part of the run up to Information Security Awareness Week, which starts on the 21st April. Infosecurity Europe is part of the week’s activities and is the event where those responsible for securing their organisation’s information can find all the latest technology, services and advice from over 300 of the top security companies from across the globe exhibiting.


The cutting-edge education programme at Infosecurity Europe is the highlight of the Information Security industry's international calendar reflecting the issues that visitors want to hear about. Over three days visitors will have the opportunity to gain an insight from 123 experts in the FREE to attend education programme. Two key pieces of industry research will also be released at the show this year with the launch of the 2008 Information Security Breaches Survey on behalf of the UK Government and the (ISC)² Global Information Security Workforce Study 2008.


Nearly 12,000 visitors are expected to attend this year's event with many travelling from overseas to participate in the education programme that addresses both strategic and technical issues. It draws on the skills and experience of senior end users, technical experts and real world case studies. Infosecurity Europe takes place at the Grand Hall, Olympia, London from 22nd to 24th April 2008 www.infosec.co.uk.

If you can’t trust the Compliance Officer who can you trust?

Or is the temptation these days too great for anyone to resist?

Written by Calum Macleod, European Director for Cyber-Ark

I often wonder if I’ll get to an age where I’m not disillusioned by the world around me. It started so early in life when I experienced corporal punishment, got the belt!!, from my father for bringing home a bottle of soft drink without paying for it! I discovered that you just didn’t walk into the store and pick something up and walk out. It went downhill after that; Santa Claus didn’t exist, you had to learn stuff in school and write the letters between the lines, or else you got the belt! In 2008 this would be called child abuse but back then it was called preventative medicine. Then having finally entered the world of the employed I discovered that half my salary had been allocated to pay for speed cameras and various other “useful” items. And having thought I’d seen it all I just found out that Compliance Officers cannot be trusted!!

Here I’ve been for years advising supposedly concerned Compliance Officers about the risks posed by their IT staff, or even worse their For-Ex dealers, who are all petty criminals waiting to steal company secrets and misappropriate funds, and then lo and behold I walk into a company a few weeks ago and discover they’ve just fired their Compliance Officer. It was a minor indiscretion. He had simply accessed every contract that the company had to ensure that the company was complying with all the relevant policies. And everyone was convinced that their CO was just doing his job in the diligent pursuit of internal evil doers only to discover that he was being handsomely rewarded by the competition. After all you can only lose so many deals and blame it on bad luck! He was the biggest evil doer of them all!!

It seems that it doesn’t matter where you look these days; you can’t trust anyone and herein lies the crux of the problem faced by many organizations. They assume that their employees can be trusted not to do something stupid or they can trust their employees because they’re all basically honest.

Unfortunately it’s the honest ones that are most often the victims and very often an organization’s failure to grasp the magnitude of the damage one dishonest or careless employee can cause that results in the disasters we keep hearing about. Whether it’s careless employees working for the Government or unscrupulous employees working in the financial sector the end result is the same.

Every organization today, no matter how small or large needs to ensure that privileged access to systems is controlled and that confidential data is secure. And a key factor in this is ensuring that people in positions of responsibility understand what they’re doing. The example of the CISO of a UK Fortune 100 company who stated that the M&A data about planned acquisitions was secure because the server was in the boardroom may not be typical of the level of CISOs but it only takes one idiot to give you all a bad name – or for that matter one Compliance Officer on the take to have every Compliance Officer labeled as a crook.

The lack of sufficient internal controls results in data breaches, denial of service attacks and compliance review failures, and the key areas of vulnerability are privileged user access controls both inside and outside the network, confidential data exchange via public networks, and securing highly sensitive data inside the network. The insider threat is the #1 security risk to enterprises today, primarily because it is clear that insider incidents perpetrated by using system administrator or privileged account access are responsible for 9 out of 10 breaches in data security.

Information leaks in all forms are occurring with increasing frequency today within some of the largest and most important organizations and enterprises. These breaches, whether inadvertent or as part of a coordinated attack, release highly sensitive information into the larger market where it is used to damage the originating organization’s business, competitiveness and reputation, and also significantly impacts the privacy and confidence of their customers, partners and vendors.

Common solutions such as mail (CDs in the post, for example), e-mail or FTP suffer from several disadvantages. Distributing vast numbers of documents via mail is cumbersome and hard to track. FTP solutions are not reliable or secure. E-mail solutions, including encrypted e-mails, are also not reliable because they are dependent on the recipient's e-mail infrastructure. Large files or encrypted files often tend to fail e-mail security policies and bounce back. Organisations need global accessibility and connectivity while maintaining security.

As an IT security advisor at Cyber-Ark, this is the advice I give my clients to suggest how they should go about protecting their data.

Information needs to be protected from unauthorized modification, deletion and exposure. Encryption and other security mechanisms are not helpful if someone hacks the computer and circumvents the security layers. For instance, encryption is good for confidentiality, but does not protect data from intentional deletion or accidental modification. In order to build multi-layered security, a sterile environment must exist to accommodate and protect the security infrastructure.

Ensure you have visual Auditability – Owners of information need to actually see what happens with their information at all times. Combined with auto-logging and auto-alerting, it ensures that an organisation has a prevention and detection mechanism.

Separation of Duties must be possible between the owners of the information and the administrators of the information. In other words there is no need for IT staff to be reading employee contracts, unless of course he or she is doubling as head of HR!

Dual Control ensures that highly sensitive data can only be accessed provided it has been authorised by another person.

Data should always be backed up in encrypted form, and kept encrypted even while on backup media, to prevent unauthorized disclosure.

And access should be controlled based on user location. In other words it’s not the employer’s responsibility to help an employee show off to the cute blonde in the Internet Café. Make sure that if the information is for internal use only then that’s exactly where it stays.
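The controls listed above (separation of duties, dual control, location-based access and auditability) expressed as one access-decision routine. This is an added illustration, not Cyber-Ark’s code; the role names, data classifications and requests are constructed for the example.

```python
"""Illustrative access-policy checker for the controls described above.
Added example, not Cyber-Ark's code. Roles, classifications and requests
are constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional

# Data that must never leave the internal network (location control).
INTERNAL_ONLY = {"employee-contracts", "m-and-a-plans", "payroll"}
# Highly sensitive data that needs a second person's authorisation (dual control).
DUAL_CONTROL = {"m-and-a-plans"}

# Separation of duties: owners may read; custodians (IT) may administer but not read.
ROLE_CAN_READ = {
    "hr": {"employee-contracts", "payroll"},
    "board": {"m-and-a-plans"},
    "finance": {"payroll"},
    "it-admin": set(),  # administers the store, reads nothing
}
ROLE_CAN_ADMIN = {"it-admin": {"employee-contracts", "m-and-a-plans", "payroll"}}

@dataclass
class Request:
    user: str
    role: str
    action: str                 # "read" or "admin"
    resource: str
    location: str               # "office" or "remote"
    approver: Optional[str] = None  # second person for dual-control data

@dataclass
class Decision:
    allowed: bool
    reason: str

# Visual auditability: every decision is recorded for the information owner.
AUDIT_LOG: List[str] = []

def decide(req: Request) -> Decision:
    """Evaluate the request against every control and log the outcome."""
    d = _evaluate(req)
    AUDIT_LOG.append(f"{'ALLOW' if d.allowed else 'DENY'} {req.user}({req.role}) "
                     f"{req.action} {req.resource} from {req.location}: {d.reason}")
    return d

def _evaluate(req: Request) -> Decision:
    # Location control: internal-only data stays inside the network.
    if req.resource in INTERNAL_ONLY and req.location != "office":
        return Decision(False, "internal-only data requested from outside the network")
    if req.action == "admin":
        if req.resource in ROLE_CAN_ADMIN.get(req.role, set()):
            return Decision(True, "administrative action by custodian role")
        return Decision(False, "role is not a custodian of this data")
    if req.action != "read":
        return Decision(False, f"unknown action {req.action!r}")
    # Separation of duties: IT staff cannot read the contracts they back up.
    if req.resource not in ROLE_CAN_READ.get(req.role, set()):
        return Decision(False, "role is not an owner of this information")
    # Dual control: a distinct second person must have authorised the access.
    if req.resource in DUAL_CONTROL:
        if not req.approver:
            return Decision(False, "dual control: no second-person authorisation")
        if req.approver == req.user:
            return Decision(False, "dual control: approver must be a different person")
    return Decision(True, "owner access within policy")

if __name__ == "__main__":
    decide(Request("alice", "hr", "read", "employee-contracts", "office"))
    decide(Request("dave", "it-admin", "read", "employee-contracts", "office"))
    decide(Request("carol", "board", "read", "m-and-a-plans", "office", approver="bob"))
    print("\n".join(AUDIT_LOG))
```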

No organization is immune to the risk of exposure, embezzlement or embarrassment. There is no such thing as the 100% trustworthy workforce, especially when you’re outsourcing or using contract staff. How many organizations can echo the sentiment that they have been cheated by someone and have no idea when, and make up their mind that it has to come to an end?
So let’s just say that since people have a habit of letting you down, it’s time you ensured your data is secure and locked away. As someone once famously said, “I generally avoid temptation unless I can't resist it”.

www.cyber-ark.com

A matter of personal security

Gary Clark, VP EMEA of SafeNet, discusses how the Government is fuelling the UK’s rate of ID fraud, and what needs to change

In the last year, the Government and public sector bodies have lost 37 million items of sensitive data. In most cases, this wasn’t due to a skilled computer hacking operation. But rather, it was down to basic public sector mistakes, including courier error of unencrypted discs, theft of laptops from parked cars and the accidental upload of very private personal details to public websites.

HMRC quickly established itself as a serial offender. In the space of a few months it lost details of 15,000 Standard Life customers, a laptop containing sensitive information of thousands of taxpayers and, infamously, 25 million unencrypted citizens’ benefit records went missing.

But, while HMRC is particularly prolific in the data loss stakes, it is not unique. Organisations such as the NHS, DVLA and Ministry of Defence have also admitted to losing sensitive data of employees, citizens and army personnel.

Not surprisingly, the public’s faith in the Government’s ability to secure personal data has fallen to an all time low. This is particularly worrying, as a person’s identity has never been so valuable to a criminal. Last year there were 77,500 reported cases of identity fraud in Britain. That is 68,500 more than were reported in 1999. Meanwhile, the cost of the problem exceeds £1.5 billion annually. Considering the rate of errors in the UK public sector, both these figures are likely to be higher for 2008.

While the Government’s ID card initiative is designed to combat ID fraud, I do worry it will create more problems. After all, the Government’s track record in the last year raises serious concerns about its ability to secure the National Identity Register. Can we be 100 per cent assured that personal data held will be safer than, for example, the NHS patients’ data which were held on a laptop?

Quite simply, to ensure the National Identity Register does more good than harm, the data protection culture requires an overhaul, and quickly. The public sector needs to start taking the responsibility of protecting data seriously. In my view, organisations, public and private, that deal recklessly with the personal details they are trusted to hold must be held accountable by law.

Recent recommendations from the Justice Committee, which call for criminal charges to be brought for reckless data loss, are on the right track, but do not go nearly far enough. There must be significant steps taken to prevent the loss from happening in the first place.

Organisations should be penalised not only for losing the information they hold on citizens, but for failing to have necessary safeguards in the first place. These include identifying process weaknesses, adopting robust security standards and encrypting all sensitive data. Quite simply, charges must be brought against those organisations which aren’t meeting required standards.

Perhaps the UK public sector should look to the United States for direction. The Government there has already taken steps in this direction. It has mandated encryption protection for all sensitive data for its population, held on discs, laptops and workstations. We know that Government departments already encrypt data in the effort to protect intelligence for the purposes of national security – and rightly so. However, at a time when the level of ID fraud is rising, this same level of security and caution must be applied to ensure the personal security of citizens, patients and employees.

Half-hearted pledges will not regain public confidence, and we need to see meaningful legislation, which puts data protection at the heart of the Government. Otherwise we will continue to make it easy for criminals, and leave the entire UK population vulnerable.

<><><>

Now in its 13th year and held on the 22nd – 24th April 2008, Olympia, London, Infosecurity Europe remains Europe’s number one, dedicated Information Security event. For further information visit www.infosec.co.uk

Eyes & ears best defense against home invasion

by Michael Smith (Veshengro)

Keeping an eye on unusual activity in your neighborhood can often be the best prevention against a home invasion or other crimes. This is often the best way to preempt and prevent such crimes and the best initial defense.

The problem is though that people, in the main, tend to just behave like victims. They often walk around with this, to them invisible, sign around their necks that reads “I am a soft target”, “I am a victim”.

People have to be alert. The best eyes and ears for the law enforcement are the residents. They know better than anyone if something appears out of place.

Be aware of, say, any unfamiliar vehicle(s) in the neighborhood or a stranger or strangers who seem to be paying close attention to a particular home or homes.

Then, depending on the circumstances, follow the rule of “observe, record and report” or, where you are permitted by law and are happy to do so, act, as appropriate.

Be aware of your surroundings at all times, lock your doors, and do not leave the keys in your cars in the driveway. If you see something suspicious, call your local police department, or, if this is not feasible, act in a manner permitted and with caution.

A home invasion can happen anywhere, at any time, but your own precautions can make this crime happening to you less likely. The same goes for muggings. If you keep an eye on your surroundings, watching your “six o'clock” as the military guys call it, then the likelihood is reduced. But bad things do happen to good people, so it's good to be prepared.

Things a homeowner can do to avoid such an incident include keeping bushes near the home trimmed to prevent hiding spaces for burglars, having outdoor lighting on motion sensors, and keeping an eye on your neighborhood. In addition to that I would suggest defensive landscaping.

What is defensive landscaping?

Defensive landscaping means thorn hedges, spiky shrubs and such like, including plants such as “Spanish Bayonet”, that people just will not want to walk through. In addition, have gravel pathways and gravel areas surrounding your home. The noise of someone walking across such areas should be enough to put a resident on his or her guard and also alert neighbors in case no one is home next door.

If you have a security system installed turn it on. It does no good if it is not turned on. Even if you only go to the stores, turn on the alarm.

Always be aware of your surroundings and those of your neighbors. Keep your doors locked, even and especially when you are at home. Use a door chain and have it in place at all times. It is easier to take it off to let someone in than to put it on as and when needed. Often you may forget to put it on and then it is too late. Fit a spyhole in the door and use it.

Do not answer the door if you do not know who is on the other side, even if you can see the person through the spyhole. If you don't know him or her and are not happy about the situation, then do not open the door. If you have a bad feeling about someone outside your door or in the neighborhood, call the police right away. That's what they're there for.


Home invasion prevention tips
  • Keep your doors locked.
  • Install motion-sensor lighting.
  • Keep hedges trimmed near the home.
  • Install deadlocks and sturdy window locks, as well as a peep hole in your door.
  • Don't answer the door when home alone unless the person is known to you.
  • Have a neighbor collect the mail and watch your home when you're away.
  • Never leave notes on the door, even when home.
  • Be creative and careful about where you hide spare keys.
  • Install a security system -- and turn it on.
  • Start a Neighborhood Watch program.
  • Make sure garage doors are secure.
  • Report any suspicious activity to the police.
In addition to the above, let me add that, if it is legal in your area to own a firearm and to use it for defense then I would suggest you get the best you can afford and you learn how to use it in the defense of your person, your family and your home.

© M Smith (Veshengro), April 2008

Business Continuity Market Comes of Age as 2008 Event better than ever

London, UK, April 11, 2008 - Last week’s Business Continuity Expo, the definitive event for risk, resilience and recovery, finished on a high note with a 6% increase in the number of visitors attending. The conference & exhibition attracted 2457 visitors (pre-ABC audit) from top level positions across a wide range of industries including local government, the forces, pharmaceutical, finance, telecoms and aerospace, the majority of these being directly responsible for their companies’ risk management and business continuity plans.

As a result of the high calibre and purchasing power of visitors, the exhibitors were delighted with the event, with many of them already re-booking for the 2009 event.

The on-floor seminars were especially popular this year, with standing room only in almost every session. The seminars gave visitors the opportunity to pick up the advice of other business continuity professionals and learn about the most cutting edge solutions and technologies available. One senior executive from a major retailer said “I scheduled my visit so that I could meet with the companies that I knew had the solutions I was looking for, but I also made the time to attend 4 of the sessions which turned out to be well worth the time and effort as they were incredibly informative and beneficial.”

The Conference, which runs alongside the exhibition, also attracted a wide range of high level delegates and speakers drawn not only from the UK but also from across Europe. The panel discussions were particularly well attended, and included speakers such as Bruce Mann CB, Director of Civil Contingencies Secretariat, with Gerald Corbett, Chairman, SSL International, Brett Lovegrove, Head of Counter Terrorism, City of London Police, Stephan Shakespeare, CIO and Co-founder, YouGov, and Gary Locker, Permanent Liaison, ACPO and The Cabinet Office. Of special interest were the end-user sessions, which included speakers such as Colin Clark, Head of Corporate Business Control, Somerfield Supermarkets, and Jeremy Quick, Deputy Governor, Guernsey Financial Regulator.

Anna Campagnoli – Event Director for Business Continuity Expo said, “A few years ago the Business Continuity Manager was an almost unknown entity, the title just didn’t exist. However, at this year’s event we saw almost 1500 visitors with this title, from some of the largest companies in the UK, which shows it is very much a thriving profession. Judging by the attendance levels in the 50+ seminars, there is clearly a real thirst for knowledge and we were glad that the combination of seminars and cutting edge products and solutions created an ideal event for them.”

The exhibitors’ response shows that it was one of the best shows ever:

Richard Leyland – Marketing Manager – Stratus Technologies
"It’s been brilliant as far as attendance numbers. We've been surprised by the seniority of the visitors and delegates. We've already signed up for next year."

Continuity Shop – Geoff Howard – CEO
“BC Expo brings us more revenue than any other single marketing exercise that we do. At a conservative estimation 40% of our sales comes from business generated at the show.”

Piper Shields – SunGuard
“There have been twenty five SunGuard people working on a shift basis and they've all been busy all the time. Quality and calibre of visitor has been higher than ever before – no time wasters, everyone is looking to have a sensible business discussion.”

Stephen Teare – Head of Telemarketing – MTI
“It's been absolutely cracking – in the first day we had 154 fantastic leads in the 1st day. As an event that we've never considered before we have been absolutely amazed at the people who have come to our stand that they all have had a need for BC, whether it be back-up & recovery, disaster recovery or compliance issues, they all realised they have to do something now. We’ve even met with CEO's from financial services companies and mostly high level BC managers. 12 months ago they just didn't exist in these numbers.”

Lorraine Darke – BCI
“BC Expo has been a great success for the BCI this year. We have been very pleased to receive positive reaction to recent developments and changes such as BCI certification and the introduction of the first in the series of our training DVDs. We look forward to BC Expo 2009.”

David Teed - Teed Business Continuity
“This is our third year and it’s been our best year ever.”

Terry Hewett - Easy2Solve/RU Secure:
“An amazing amount of interest, absolutely phenomenal, completely knocked out on Wednesday with such a great turn out we nearly ran out of brochures! We will be returning next year to continue receiving top grade results!”

Next year’s event will take place in March 2009 at London’s Excel.
For further information please visit www.businesscontinuityexpo.co.uk.

THREE QUARTERS OF ORGANISATIONS THINK APPLICATIONS CAN BE EXPLOITED BY CRIMINALS

London, UK 9th April 2008 - A survey by Infosecurity Europe of 757 organisations has found that 75% think their applications contain security holes that can be exploited by criminals. Further, interviews conducted by Infosecurity Europe with a panel of 20 Chief Security Officers (CSOs) of large enterprises on the topic revealed that they are very concerned about the security of application code. They were especially concerned about the work carried out by developers working on mission critical web applications outsourced to third parties. Many of them said that they would welcome an initiative to raise awareness of security amongst the developer community and change their behaviour to make secure software applications a priority.

According to Professor Howard A. Schmidt, Director, Fortify Software and former Cyber Security Adviser to the White House, "this figure of three quarters of organisations having security holes based on application vulnerabilities, while dramatic, is unfortunately not that surprising. When organisations develop applications, quality is one of the highest priorities but security vulnerabilities are seldom recognized or fixed. Priority is often given to delivering application features and business benefits without the understanding of fundamental coding errors that lead to security issues. Cybercriminals are targeting applications to steal money and information, and they know all too well how to exploit vulnerabilities not only in commercial software but are also very adept in finding security holes in applications that are developed "in house". Business leaders need to set in place business software assurance processes including development practices designed to ensure that their applications are secure to protect the data of citizens, customers and shareholders from the new wave of threats from cybercriminals."

At Infosecurity Europe 2008 the subject of cybercrime and application security will be covered in a number of keynotes and seminars. In the interactive theatre, Fortify Software will present their new documentary, “The New Face of Cybercrime”. Visitors can be among the first to watch this groundbreaking feature. Directed by Academy Award®-nominated filmmaker Frederic Golding, it highlights the impact cybercrime has on consumers and businesses, and is tipped to win awards at independent film festivals this year. The film will be followed by an interactive panel debate led by Professor Schmidt, who also sits on Fortify Software’s Board of Directors.

The main focus of the film is to emphasise that the criminal, as well as the crime, has evolved. Where hackers were once young nerds who did it for fun or experimentation, now e-crime is the domain of organised gangs, often from Eastern Europe or China, who simply want to make money. Gone is any desire to embarrass website owners or just cause mindless e-vandalism. It's no longer an ego boost or a method of earning bragging rights. It’s just about the cash. Their main targets are ecommerce web sites and the customer databases behind them: databases that hold credit card numbers, expiry dates, PINs, addresses, and everything else that’s needed to empty a victim’s bank account. In many cases, the data isn’t used directly by the hackers, but is sold to other gangs.

“Today's cybercriminals are highly sophisticated”, says Richard Kirk, VP EMEA for Fortify. “Their technical expertise is extremely good, as is their knowledge of the systems they're trying to break into. They know the thresholds at which an online ordering system will seek additional verification of a customer's identity, and take care to stay below it when placing fake orders. They also have at their disposal the resources of large organised crime gangs who are fully aware that the world's police forces are woefully under-resourced for tracking down internet fraudsters. In the panel debate we will discuss the solutions to the problem of cyber-crime and application security.”

Claire Sellick, Event Director, Infosecurity Europe said, “The internet is here to stay, as is internet crime. With the relentless move online by all sorts of business and government agencies, e-crime will continue to evolve. As more coffee shops and libraries offer free, anonymous WiFi access, tracking down cybercriminals will get harder. So as hackers evolve, so must your efforts to defeat them.”

Infosecurity Europe is the number one event dedicated to information security. With over 300 exhibitors, the event is the most comprehensive showcase for the most diverse range of new and innovative products and services from the World's top information security experts and vendors. The event enables security professionals and business managers to establish a commercial justification for information security, refine their security policies and select the most appropriate solutions to support their security strategy in order to safeguard their company's reputation and assets. Over 11,000 visitors are expected to attend this year's event with many travelling from overseas to participate in the FREE education programme that addresses both strategic and technical issues. It draws on the skills and experience of senior end users, technical experts and real world case studies. Infosecurity Europe takes place at the Grand Hall, Olympia, London from 24th to 26th April 2007.

To register to attend or for more information please visit www.infosec.co.uk

Finjan Identifies the Latest Cybercrime Business Model – Crimeware-as-a-Service

In its Q1 2008 Web Security Trends Report, Finjan signals Crimeware-as-a-Service as the latest development in the ongoing commercialization of cybercrime

Farnborough, United Kingdom, 7th April 2008

Finjan Inc., a leader in secure web gateway products, today announced important findings by its Malicious Code Research Center (MCRC) identifying and analyzing the latest trends in the ongoing commercialization of cybercrime.

Criminals have started to use online cybercrime services rather than dealing themselves with the technical challenges of running their own Crimeware server, installing Crimeware toolkits or compromising legitimate websites.

“Currently, we see the rise of the Crimeware-as-a-Service (CaaS) business model in the Crimeware-toolkit market. Cybercriminals and criminal organizations are getting better and better at protecting themselves from law enforcement by using the Crimeware services, especially since the operator does not necessarily conduct the criminal activities related to the data that is being compromised but only provides the infrastructure for it,” said Yuval Ben-Itzhak, CTO of Finjan.

As with mainstream software providers, the creators and owners of these Crimeware toolkits provide their customer base with update mechanisms while equipping them with sophisticated anti-forensic attack techniques, as well as the ability to manage and monitor malicious code affiliation networks. This enables a new level of Crimeware availability by supplying an easy-to-use Crimeware toolkit to anyone willing to purchase it.

During 2007, Finjan’s MCRC covered the trend of new Crimeware that purely focuses on financial gain, as well as the way it works to get revenue out of each infection. In this report, MCRC shows how the delivery and distribution of malware have been upgraded to deliver a different type of malware to different geographical regions.

“Cybercriminals can now generate more targeted infections and deliver specialized Crimeware for specific geographical regions,” Ben-Itzhak said. “Our report illustrates how these criminals are employing marketing and sales techniques to address the cybercrime economy and ensure that the market they are after gets the proper “product” localized for it.”

Finjan foresees the next phase in the commercialization process as a service that delivers stolen data directly, providing victim data tailored to the criminal's intent. Such a service eliminates the need for attackers to even log in to manage an attacker profile on a Crimeware-toolkit platform.

Concludes Ben-Itzhak: “The trends described in this report confirm that the security industry and law enforcement agencies should take an innovative approach in handling these Crimeware commercialization threats. Cybercriminals continue to adapt legitimate technologies and business models to support their criminal activities.”

Outsource your code & you're more likely to be hacked

More than 60% of companies overlook mandating security when outsourcing

London (UK); 7 April 2008 – In a new report released by the European information technology analysis group Quocirca, the organisations that admitted to being frequently hacked all outsource at least some of their coding, with 90 percent outsourcing more than 40 percent. With this in mind the hacker’s future looks rosy, as outsourcing of applications is on the up: 78 percent of organisations that say software development is business critical for them choose to outsource their vital applications. But security is being left out in the cold—with companies failing to build security in when they outsource the development of their critical applications, according to the report, released today by Quocirca and supported by Fortify Software.

The survey has found that over 60% of companies that outsource the coding of their critical applications do not mandate that security must be built into the applications. In fact, the study has uncovered the chilling statistic that 20 percent of UK companies do not even consider security when building their applications—thus potentially leaving a great big stable door open to the hacking community. Yet outsourcing is very much on the up.

The report, which surveyed 250 C-level executives and IT Directors, mainly from corporations with 1,000 or more employees in the UK, US and Germany, reveals that outsourcing of code development is widespread—and growing in importance. Among the organisations in this study stating that software code development is business critical or important to them, 50 percent outsource more than 40 percent of their code development needs.

Statistics already show that the software application layer is where most hackers are accessing critical data. According to NIST (National Institute of Standards and Technology), 92 percent of vulnerabilities affecting computer networks are contained in software applications. As organisations increasingly look to outsource application development, more components of software applications are being developed outside of their direct control.

An organisation that has not developed the code itself can never be absolutely certain that it is secure. However strong the relationship with a third-party developer, or however watertight the service-level agreements in place, a rogue developer can place vulnerabilities in the code that they develop—for example, by placing a backdoor in software that can be used to infiltrate a network in the future. This is something TD Ameritrade found out to its cost when it was forced to disclose in 2007 that personal details regarding 6.3 million customers had been leaked through a vulnerability caused by a backdoor created by an outsourced programmer.

Howard Schmidt, Member of Fortify Software Board of Directors and previously Cyber Security Advisor for the White House said: “These survey results help explain the recent, sudden rise in data breaches and should serve as a wake-up call to any executive whose company sits on a pile of mission-critical application code.”

In the report, financial services companies are identified as the most likely to outsource their code development needs and therefore could be putting themselves at serious risk, with 72 percent reporting that they outsource more than 40 percent. Disturbingly, 84 percent of these organisations report that code development is business critical or important.

Public sector organisations are also big outsourcers, with 55 percent outsourcing over 40 percent of their code development, while 64 percent state that code development is only of moderate importance to them.

At the other end of the scale are utility companies—the highest of all the industries to cite software development as business critical or important, at 90 percent; however, just 7 percent outsource more than 8 percent of their code development.

Fran Howarth, Principal Analyst at Quocirca and author of the report said: “The findings of this report indicate that not enough is being done by organisations to build security into the applications on which their businesses rely. Not only that, but they are entrusting large parts of their application development needs to third parties. This creates an even greater onus for organisations to thoroughly test all code generated for applications—without which they could be playing into the hands of hackers.”

The fact that software applications contain flaws that can be exploited by hackers is nothing new. That organisations are increasingly reliant on bespoke applications to maintain a competitive edge, and are outsourcing a significant proportion of the coding for these applications to third parties, is an alarming trend. That said, German organisations are better at building in security than both their UK and US counterparts. As electronic crime continues to increase, organisations are under pressure to be seen to be more proactive about IT security. This is not only something that makes common sense but also is increasingly a requirement being placed on organisations across a wide range of industries by governments and industry regulators.

Fortify, who are advocates of Business Software Assurance, a holistic approach to protecting corporate digital assets at the most fundamental level, recommend that if a company outsources the development of critical applications, it should follow these guidelines:
  • Work with the outsourced vendor to fully understand what processes and procedures are in place to assure software security.
  • Review contract language and procurement procedures so outsourcers assume liability for software vulnerabilities.
  • Make sure outsourcers are applying testing and assurance technologies on all code developed offsite.

Other key findings in this study are:
  • Exposure to Web 2.0 technologies—among the least understood, but considered to be among the most insecure technologies—is high, but many manage their use through policies alone.
  • Organisations are exposing their applications to new security threats through use of Service Oriented Architectures (SOA).
  • Data protection is the key driver behind application security for the vast majority.
  • Using automated tools for building security into the software development lifecycle translates to lower overall spend on IT security.

The information in the report is based on a survey of 250 IT directors, senior IT managers and C-level executives in Germany, the UK and the US. It was completed in December 2007 and January 2008. Those surveyed included organisations from 1,000 employees up to large multinationals within a wide range of industrial sectors.

The report can be downloaded here: www.fortify.com/quocirca

Fortify is offering security professionals the opportunity to benchmark their security practices against industry averages. This survey is available at:
http://www.nkv5.com/fortifysoftware/survey/2008_01_survey.php


Marsh survey: Firms over-optimistic about ability to manage business continuity risks

London, 1 April 2008 - A new survey by Marsh, the world’s leading insurance broker and risk adviser, has revealed many European firms are failing to overcome a ‘perception gap’ in their approach to business continuity management (BCM).

Marsh’s latest research, The Upside to Business Continuity, examines the views and perceptions of Business Continuity and Risk Managers from organisations across Europe on issues relating to BCM. These professionals were drawn from delegates attending the Business Continuity Expo, which is being held on 2 and 3 April at the ExCel centre, clients of the British Standards Institute and members of London First.

The study highlights that while over three-quarters of respondents believed that their BCM is aligned to their strategic business objectives, integrated into their risk management programme and understood and supported by senior management, only half believe BCM is used as a strategic tool within their organisations.

Martin Caddick, Leader of Marsh’s Business Continuity Management team, commented: “Our research suggests that organisations which believe their approach to BCM is mature or very mature are generally being optimistic. It seems that many businesses overrate their own level of BCM and their perceptions do not match the reality.

“However, it is encouraging to note that more organisations are aspiring to a view of BCM as part of an integrated approach to risk, even if their implementation has yet to catch up.”

Supply chain risk
The research examined whether firms are using BCM strategies to offset their supply chain risk, one of the biggest challenges facing businesses this year: 54% of respondents agreed that their BCM plan covers their supply chain risks, with 22% saying that it definitely did not; 24% of respondents were unsure.

Mr Caddick continued: “As supply chains have extended, especially into the Far East, the nature of disruption and vulnerability in the risk landscape has changed significantly. Embracing BCM to help manage supply chain risk can deliver real business benefits. That nearly half of the respondents stated that their BCM plans did not cover supply chain risks, or were unsure, only reinforces our view that firms are overrating the maturity of their BCM.”

Barriers to BCM
The research also highlighted how many firms still view BCM as an additional service, rather than intrinsic to their culture and strategy. When asked to identify the barriers to BCM within their organisations, the most common stumbling blocks cited were lack of time and resources, and lack of budget. In the study, Marsh concludes that the barriers are more related to a lack of understanding of the level of resource and commitment required to do the job properly, which again is in contrast to firms’ perception of how mature they believe their BCM programme is.

BS 25999
Marsh also questioned the respondents about the new British Standard, BS 25999, which regulates BCM programme implementation and management. Although a British Standard, it has relevance outside of the UK and is recognised as a useful tool for any firm that is trying to implement a BCM programme.

Only 39% of respondents said they intended to align their organisation with BS 25999 in the next two years, while 19% said that they did not intend to align their organisation with BS 25999 and 42% were undecided.

Looking more closely into the country of origin shows that BS 25999 alignment is a more serious issue for UK firms, with 60% agreeing with the proposition. Outside the UK, half the respondents remain undecided, but 28% of foreign businesses do intend to comply with the standard, a surprisingly high level of acceptance.

Benefits of BCM
Marsh also explored the perceived benefits of BCM among the respondents: 32% of respondents were able to point to faster recovery after real incidents as a benefit, while 96% of firms found at least one other benefit to implementing a BCM programme, with 52% of firms finding two or more. In addition, over the last 12 months 50% of respondents found that they had a better understanding of their business, and 37% found they have improved their risk-intelligent decision making.

Mr Caddick said: “This finding shows that although BCM’s primary role may be to help organisations recover from an incident, it has many other ancillary benefits. These benefits can yield huge benefits to business; the fact that 37% of respondents believe that their strategic decision-making has improved because they had a BCM programme is very encouraging.

“A more incisive understanding of your business and risk-intelligent decision making will improve the effectiveness of the overall risk management and resilience strategies, which can potentially lead to a better return from the investment in these areas. More mature firms are utilising BCM as a strategic tool to gain these extra benefits and thus improve the bottom line of their business. BCM is not just a risk mitigation and control tool, but also one that adds value and creates an upside for firms.”

About Marsh
Marsh, the world's leading insurance broker and risk advisor, has 26,000 employees and provides advice and transactional capabilities to clients in over 100 countries. Marsh is a unit of Marsh & McLennan Companies (MMC), a global professional services firm with more than 55,000 employees and annual revenue exceeding $11 billion. MMC also is the parent company of Guy Carpenter, the risk and reinsurance specialist; Kroll, the risk consulting firm; Mercer, the provider of HR and related financial advice and services; and Oliver Wyman, the management consultancy. MMC’s stock (ticker symbol: MMC) is listed on the New York, Chicago and London stock exchanges. MMC’s Web Site is www.mmc.com. Marsh’s Web site is www.marsh.com.

InMage Systems Presents DR-Scout Solution at the Business Continuity Expo

- Company Extends Proven Business Continuity Technologies to European Enterprises -


LONDON UK – BUSINESS CONTINUITY EXPO – April 2, 2008 – InMage Systems (www.inmage.net), a leading provider of business continuity and disaster recovery software, continues to gain traction in the European market with the exhibition of its flagship DR-Scout™ solution at the Business Continuity Expo, the premier event dedicated to best practices and industry trends in operational risk, resilience and recovery. InMage Systems will present DR-Scout at booth #652 in the ExCel Exhibition Centre in London.

DR-Scout is a turnkey DR/business continuity software product that enables businesses to protect their data in the event of a natural disaster or everyday application or server failure. Utilizing true continuous data protection, DR-Scout offers an integrated solution for disaster recovery and continuous local backup. Furthermore, InMage’s CDP-based software provides comprehensive protection across most leading applications with push button failover capabilities for Microsoft Exchange and SQL, Sharepoint, Oracle, Blackberry Server and SAP.

About InMage Systems, Inc.

InMage Systems provides continuous data protection and disaster recovery solutions for small to large enterprises. The company’s flagship software suite, DR-Scout, enables companies to protect, maintain and access their critical data and applications during any event that threatens information loss. DR-Scout ensures the integrity of backup and replication processes that are essential to business operations, both on a daily basis and during unforeseen disasters. Key applications include disaster recovery, operational recovery and application/data availability. DR-Scout is also noted as the pioneer of true event-based recovery that facilitates compliance with regulatory requirements. InMage was co-founded in 2001 by technology leaders, including CTO and SVP of Engineering Rajeev Atluri, previously of Gadzoox and storage visionary and Brocade co-founder Kumar Malavalli. InMage is headquartered in Santa Clara, California. For more information, visit www.inmage.net.

Crisis? What Crisis? Solcara points to the top issues for Business Continuity Managers in 2008

Enterprises and government still have a long way to go to effectively handle operational continuity during crises, says Solcara, market-leading provider of software for the control, management and searching of digital information.

Many firms still do not have anything beyond basic procedures in place for emergencies, although more and more are deploying specialist software to assist them during a crisis period. There are many issues enterprises need to get to grips with and Solcara has undertaken informal research amongst its customers and partners to identify the top issues for the BCM industry.

Speaking at the Business Continuity Expo in Docklands tomorrow, Solcara’s Managing Director, Rob Martin, will outline key areas of business continuity for enterprises. He lists these as:

  • Maintaining a smooth supply chain before, during and after a crisis;
  • Compliance with industry and regulatory requirements, including BS25999;
  • Maintaining support from the Board of Directors in the current economic climate;
  • Avoiding unnecessary legal costs after an incident by creating clear audit trails of who did what, when and why;
  • Creating effective training and simulations to perfect responses to a crisis or business emergency.

He adds: “Enterprises are much better than they used to be at preparing and training for emergencies, but I’m sure many businesses, whilst feeling they have ticked the BCM box, don’t have robust follow-through procedures or a training regime before a crisis takes place. We have all seen over the last few years how one crisis can ruin an entire company or even badly damage a whole industry. Good BCM is that important to a business. Having effective training and support mechanisms before, during and after a crisis will set you apart from competitors and give you competitive advantage, because as we have seen with the food industry, good risk management can ensure you are the last company standing if a major crisis arises.”

Solcara will be demonstrating its Crisis Control Centre at the Business Continuity Expo on Stand 237.
For more information about Solcara’s products, go to www.solcara.com