Security Death Match : Internet Explorer vs. Firefox
Thursday, July 24, 2008
An independent study shows that, in 2006, IE users were vulnerable to online threats 78% of the time. Firefox users? Only 2%. “At risk” defined as publicly available exploits with no patch. Source: “Internet Explorer users Unsafe for 284 Days in 2006” Brian Krebs, Washington Post, 1/4/2007
White Hat Spear Phishing
Wednesday, July 23, 2008
A new do-it-yourself phishing tool lets enterprises automatically spear-phish their own users. The new PhishMe software-as-a-service offering is designed to help companies assess their vulnerability to spear phishing, as well as to give their users a real-world taste of these targeted attacks. Boutique security firm Intrepidus Group, which is made up of some black hat researchers, today rolled out the new Web-based PhishMe service for helping companies find the weakest links in their targeted phishing defense. Spear phishing attacks target specific organizations or individuals, rather than blanketing large groups of users… The concept of unleashing a fake phishing campaign inside your own organization isn’t new — some companies routinely hire penetration testers or social engineering experts to do the dirty work for them… PhishMe is also a gentler way of catching employees falling for a phish. Rather than making them feel punk’d, like some social engineering exploits do, it gives them instant feedback: they are redirected to educational messages and information, including a PhishMe educational comic strip and links to their corporate sites for more information… Security experts say the hands-on attack approach is more powerful than a security policy statement or traditional user training… Setting up an attack takes just a few minutes, and PhishMe provides user behavior metrics as well as other trend information. For security reasons, Intrepidus doesn’t collect its clients’ user passwords on its servers. “The only thing we have is the email addresses of our clients,” says Aaron Higgby, CTO of Intrepidus. PhishMe can be configured for any type of phishing exploit, even the more obviously phony ones that aren’t targeted at any particular organization or person. But spear phishing campaigns are usually the most difficult phishing attacks to detect, experts say. “They are hard to pick up because they are so close to legitimate emails out there,” Belani says. “You need to train people to focus on the targeted phishing attacks.” The next version of the service will have options for including benign infected-email attachments, Belani says.
Reference : http://www.darkreading.com/document.asp?doc_id=159436
Gartner Predicts Dramatic Rise In Cloud-Based Security Services
Saturday, July 19, 2008
Security applications delivered as cloud-based services will have a dramatic impact on the industry, as many cloud-based services will more than triple in many security segments, according to Gartner, Inc. In messaging security controls, such as malware and spam detection/exclusion for e-mail and instant messaging, cloud-based services account for 20% of revenue in 2008, and by 2013 cloud-based services in messaging security controls will account for 60% of revenue. Cloud computing will enable security controls and functions to be delivered in new ways and by new types of service providers. It will also enable enterprises to use security technologies and techniques that are not otherwise cost-effective. Gartner defines cloud computing as a style of computing where massively scalable IT-related capabilities are provided “as a service” using Internet technologies to multiple external customers. “The ability to provide massively scalable processing, storage and bandwidth inherent in cloud computing will require security controls and functions to be delivered to customers in new ways and by new service providers,” said Kelly Kavanagh, principal analyst at Gartner. “It also will allow security technologies and techniques that are cost-effective to be used only with cloud-style computing. The massively scalable resources provided through the cloud also will be available to people who develop attacks that require intense processing, pursue cloud providers, or both.”
Reference : http://www.darkreading.com/document.asp?doc_id=158994
Gartner Says Security Software Market Robust
Thursday, June 19, 2008
Worldwide security software revenue market totalled $10.4 billion in 2007, an increase of 19.8% from 2006 revenue of $8.7 billion, according to Gartner, Inc. Analysts said there is an increasing shift toward offering appliance based products, particularly within certain segments such as e-mail security and secure Web gateway markets. “Compliance, data leakage and privacy issues, along with the need to tackle the fast evolving and sophisticated threat environment, are among the major drivers fuelling the growth of spending on security,” said Ruggero Contu, principal research analyst at Gartner.
Reference : http://www.darkreading.com/document.asp?doc_id=156690
Gartner Predicts Next-Gen Security Threats
Tuesday, June 3, 2008
Gartner calls it the “consumerization” of IT — the inevitable spillover of social networks, Google apps, iPhones, and other mainstream technology tools into the enterprise. And with it comes a whole new generation of threats. “We’re finding a lot of clients calling it a ‘Generation X/Generation Y problem,’” where young users who have grown up with social networks and smart phones expect to be able to use these tools not only at home, but at work, says John Pescatore, vice president and research fellow at Gartner. “The old IT model that tells you what you can do and use [technology-wise] is breaking.” Pescatore will reveal some new threats Gartner expects to emerge as a result of this and other trends, such as the move to software as a service (SaaS), at next week’s Gartner Security Summit in Washington, D.C. Among the main threats on Gartner’s list: attacks on SaaS providers, social network subversion, and desktop utility application attacks, he says. Meanwhile, Pescatore says the consumerization of IT came a lot faster than he expected. “We have more clients saying their clients are asking ‘why can’t we use Google apps?’” The conventional wisdom until recently would have been no dice on bringing these unmanaged and potentially risky apps into the business. But now, all that is starting to change, he says. The move to SaaS has made it more difficult for IT to protect its own. “It used to be that I bought up a CRM app, installed it on a server, patched it, and took care of it. I could protect it,” he says. Now SaaS providers are doing that for IT, which has its obvious advantages as well as some risk. Gartner expects attackers to streamline their attacks on organizations, and SaaS is one form of shared apps that could be exploited, Pescatore says. “The attacker could go after Procter & Gamble — or salesforce.com, which P&G uses, as well as hundreds of others,” he says. “They are going after shared code – software as a service, etc. – to magnify the impact of the attack.” The recent salesforce.com phishing attack was just a peek at the kind of attacks that will emerge in this space, he says.
Social network subversion, meanwhile, is basically where an attacker would exploit the trust of a social networking user by posing as a “friend,” for example, while launching a malware attack or stealing credentials. Pescatore says that although many businesses today still shun Facebook, MySpace, YouTube, and Twitter use at the office, that soon will change as the new generation of employees expects to use these tools. “And attackers exploit trust. We used to trust email addresses, so viruses and worms took advantage of that… Now people trust their ‘friends’ list,” he says. Look for more attacks on social networks like the one where hackers infected Alicia Keys’s MySpace account and served up malware to its visitors — Trojans posing as video codecs that redirected user searches to malicious sites, for instance. “Those types of attacks are going to multiply,” Pescatore says. Socially acceptable social networking at work will also open the door for what Gartner calls desktop utility app attacks, or widget/gadget attacks. These are the applets that MySpace and Facebook let users create and share with their friends, everything from a widget to a virtual cocktail, for instance, any of which could be infected or used maliciously — exploiting the trust of the social network in order to spread. The goal is to get users to unwittingly carry that malware back to their enterprises and provide an opening for the attacker there, according to Pescatore. Gartner also expects a rise in attacks on virtual server environments, as well as on wireless networks. Another ominous threat: “There will be more tools to reverse-engineer enterprise applications on Websites,” Pescatore says. “Within two to three years, these reverse-engineering tools will be so easy to use that the next round of application-level attacks will be against every type of software you can think of.” With employees jumping on and off the enterprise network on the road and at home and using various unmanaged devices, enterprises need to look at security as a service to better protect them and the company’s data, Pescatore says. “IT is going to SaaS, so they are going to need security-as-a-service to deal with the issue that their users aren’t always using IT-approved [equipment] and any time they connect to the Internet, we need to force them to apply some security policy,” such as malware filtering or a network access control service, he says…
Reference : http://www.darkreading.com/document.asp?doc_id=155126