InformationWeek Stories by Keith Ferrell
http://www.informationweek.com
InformationWeek
en-us
Copyright 2012, UBM LLC.

2011-03-01T20:46:37Z
Top 10 Security Spring Cleanup Tips
The change of seasons offers a good time to take a look at your security posture -- and especially any vulnerabilities that may have cropped up.
http://www.iweek-interim.com/news/229300862?cid=RSSfeed_IWK_Authors
The rapidly approaching first day of spring (no matter what it looks like outside your window at the moment) offers one of those seasonal markers that can be helpful in scheduling regular, ongoing security review. <P> A Top 10 list of items for review as the seasons change would include: <P> <ul> <P> <li>All antivirus and other security programs fully updated, with auto-updates set to keep them so.</li> <P> <li>All software fully patched, with procedures in place for ensuring that patches and updates remain current.</li> <P> <li>All antivirus and related programs fully licensed and paid-to-date; if using Security as a Service, review provider agreements. More subjectively, review your satisfaction with your SaaS provider. This is a good point to <a href="http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=229218689">review your security budget</a> as well.</li> <P> <li>Insist on password change for all employees, with strong passwords required.</li> <P> <li>Review all employee e-mail accounts and log-ins for appropriateness (which employees need access to which information?), as well as ensuring that departed employees' accounts have been closed.</li>
<P> <li>Tighten perimeter defenses, changing router passwords and ensuring that the router is also up-to-date and effective.</li> <P> <li>Review employee usage policies <em>with employees</em>, reminding them that policies are to be followed scrupulously.</li> <P> <li>Audit all mobile devices that employees use for business purposes, ensuring that business information is only stored on mobile devices that are secure, and even then, only when absolutely necessary.</li> <P> <li>Test backup and recovery plans and procedures to ensure that you're ready to recover quickly should a disaster strike.</li> <P> <li>Don't neglect physical security -- are all doors and windows equipped with strong locks and alarm systems? Does your facility include smoke and other detectors? Do business papers only hit the trash after being shredded?</li> </ul> <P> You've undoubtedly got a number of other items that would fit nicely on such a checklist, some of them specific to your business and its operations and practices. Add them and start working through the list. <P> Taking advantage of the change of seasons to also check -- and, where needed, change -- your security profile, posture and practices gives you a four-times-a-year improvement of the odds that your business not only is secure, but also that it will <em>stay</em> secure.

2011-01-21T10:18:36Z
SMB Security Means Putting Policy First
How long since you've taken a look at your business's security policy? (Assuming, of course, that your business <em>has</em> a security policy.)
http://www.iweek-interim.com/news/229219288?cid=RSSfeed_IWK_Authors
The <a href="http://www.informationweek.com/news/smb/security/showArticle.jhtml?articleID=229000910">range, variety and sheer number of threats</a> small and midsized businesses face can distract us from anything other than trying to keep our defenses up -- and up-to-date. <P> But one of the most essential elements of your defensive arsenal is a thorough security and usage policy. An effective policy requires the same sorts of regular attention and periodic updating as the rest of your security array. <P> While requiring nowhere near as frequent attention as virus definitions and patches, your company's policy should receive regular reviews. A quarterly look should be sufficient, with interim updates if circumstances or configurations change. <P> Even a minimal policy should deal with: <P> <strong>Acceptable and unacceptable use of company equipment and connections and Web access <P> Special attention and, if needed, special rules for phones and other mobile devices <P> Company e-mail account usage policy <P> Social network behavior and restrictions <P> Strong password creation and frequency of password-changes <P> Personal devices and software used for company business, or for personal purposes over company connections <P> Data access and particularly data-copying rules and restrictions</strong> <P> Penalties for violations should also be spelled out clearly. <P> The particulars of each category will depend upon you, the nature of your business and the business purposes to which your employees put your equipment. <P> But by establishing good, general security and usage policies, putting them in writing and requiring your employees to sign them, you're well-prepared to refine and focus the policies as needed, each time you review them. <P> Each of those reviews, I believe, should include review by all of your employees, with a dated signature if practical.
<P> If it's not practical to get a new signature each quarter, give some thought to making employee policy review and re-signature an annual item. You could, in fact, make it part of the policy!

2011-01-11T15:54:03Z
Don't Let Bad Weather Expose Security Vulnerabilities
Heavy weather can carry a heavy price if your digital and workplace security measures aren't thorough and up-to-date.
http://www.iweek-interim.com/news/229200309?cid=RSSfeed_IWK_Authors
The latest storm bearing down on the northeast is a seasonal and geographic reminder of something businesses in every region face at different times of the year: disruptions, or potential disruptions, caused by severe weather. <P> How prepared are you, your employees and your infrastructure to deal with the challenges that a patch of extreme weather could impose? <P> More to the point, how ready are your security and security backup procedures? <P> <strong>If your employees are going to be working from home:</strong> <P> Are their home systems and connections as secure as those in the workplace? (Pay special attention to employees' approaches to home networking: unsecured wifi could make your business data available to the neighborhood.) <P> That security level must include up-to-date virus definitions and vulnerability patches. <P> Who else in their home will be using devices that contain business information? A home PC that sports three or four or more users isn't the best place for your business information. <P> <strong>If your workplace is going to be understaffed or closed until the weather emergency passes:</strong> <P> Are all non-essential systems shut down? <P> Are door locks and other physical security items adequate? How recently have they been tested? Is the safe closed? The fireproof cabinet holding essential papers locked?
<P> If no one from the company can get by the workplace to check on its security, have you made arrangements with authorities -- or a nearer business -- to keep at least an occasional eye on things? <P> <strong>If power outages are likely as a result of weather:</strong> <P> Do you have backup power set to automatically come on? <P> In addition to servers and other business essentials that will be using backup power, make sure your alarms and other security systems will remain up and running if the main current gets cut. <P> If you're facing a winter weather event, have you made provisions for shutting off water before the pipes freeze, burst and flood your business? <P> Clearly, these and related matters should be addressed <em>before</em> the storms strike. If you haven't given much thought to the relationship between your security procedures and the weather outside your business, now's as good a time as any -- whether or not the weather outside your business is good or bad at the moment.

2011-01-03T13:14:39Z
2011: Hackers' New Year
The new year brings plenty of the same old security challenges and problems, as well as some new mash-ups of old attacks.
http://www.iweek-interim.com/news/229200319?cid=RSSfeed_IWK_Authors
With the new year -- the new decade -- just a couple of days old, it's already clear that whatever else 2011 brings, relaxation of the threat environment isn't likely. <a href="http://www.darkreading.com/"><em>Dark Reading</em>'s</a> Tim Wilson recently took a <a href="http://www.darkreading.com/security/vulnerabilities/228901590/for-hackers-2011-looks-like-a-prosperous-new-year.html">good look at the top threats you're likely to face in the months ahead</a>. Tim's top three picks: <P> 1. <strong>Social Media:</strong> No news here, but a warning well worth repeating to all of your employees.
Facebook, Twitter and the lesser players are prime hunting grounds for cybercrooks, and the increasing use of social nets by legit businesses will only serve to increase the energy attackers use when prowling for marks among the friends and followers. <P> <strong>Your best move</strong> -- short of banning social networking at work altogether -- is to tighten your usage policies, and remind employees never to give up personal or business information to requests arriving via a social network (or via a link followed from within a net). <P> 2. <strong>Mobile Devices:</strong> The smarter and more capable the mobile device, the likelier your people are to use it for business purposes... and the more appealing a target the device becomes. <P> <strong>Best move:</strong> Extend your device and data policies -- and defensive strategies and tools -- to every device that touches business data, and make sure employees' personal devices used for business purposes are included. <P> 3. <strong>Smarter, More Complex Attacks</strong>: While old favorites -- brute force phishing, spoofing, etc. -- won't go away, the next wave of attacks is likely to be more sophisticated, involve a variety of techniques, and target critical systems. <P> <strong>Best moves:</strong> Make sure your security teams -- or vendors -- are as engaged with constant awareness, education and updating as they are with maintaining strong defenses against last year's threats and threat vectors. <P> The old threats won't go away -- and unfortunately neither will the behaviors that made them effective. <P> But unless you and your security personnel and policies are aggressively monitoring for the new threats, your new year will be anything but happy.

2010-12-02T17:33:00Z
Ransomware Returns To Ask For More
How much is your data worth to you? That's the question behind ransomware, an aggressive bit of data extortion that's making some noise again.
http://www.iweek-interim.com/news/229200363?cid=RSSfeed_IWK_Authors
If you discovered that crucial files had been kidnapped, encrypted and held hostage by crooks who deny you access to your information unless you pay up, would you? <P> You say it depends on the price? <P> How does $120 sound? That's the question crooks hope to pose to you. <P> It's been <a href="http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=191101205">a while since ransomware was in the news</a>, but the <a href="http://www.theregister.co.uk/2010/11/30/ransomware_trojan_returns/">digital extortion scheme seems to be making a comeback</a>. <P> According to <a href="http://nakedsecurity.sophos.com/2010/11/26/drive-by-ransomware-attack-demands-120/">Sophos, a new ransomware surge is spreading via malicious PDF files</a>. <P> Once the ransomware -- identified as <a href="http://www.sophos.com/security/analyses/viruses-and-spyware/trojransomu.html">Troj/Ransom-U</a> -- is launched, and target files encrypted, the recipient receives a strongly worded "request" to read a newly delivered txt file on the desktop, then follow the instructions for getting in touch with the extortionists. <P> Do that, and you'll be "asked" for $120 in order to get the key to decrypting your information. <P> The scam targets only Windows systems, and can encrypt files with the following extensions, again according to Sophos: <P> <strong>.jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .mdb, .odt, .vob, .ifo, .mpeg, .mpg, .doc, .docx, .xls, and .xlsx.
</strong> <P> Once a file has been encrypted, the suffix ENCODED will be added to the filename. <P> $120 may not sound like a lot to pay to get your data back, especially if you're in a panic over losing it, but it's a lot more than simply instructing your people just to steer clear of PDFs, and to make sure they're running the <a href="http://get.adobe.com/reader/">latest version of Adobe Reader</a>, which offers some protection, for those PDFs they simply must have.

2010-11-30T16:15:09Z
Mobile Employees Should Be Aware Of Mobile Threats
Threats targeting mobile devices are growing as the holidays get under way. Time to make sure your employees have their mobile guards up.
http://www.iweek-interim.com/news/229200471?cid=RSSfeed_IWK_Authors
An <a href="http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=228400096">FBI warning of new mobile device attacks</a> offers a good opportunity to bring your employees up-to-speed on mobile security, mobile precautions and general mobile wariness. <P> The FBI warning deals with <a href="http://www.fbi.gov/news/stories/2010/november/cyber_112410/cyber_112410">smishing (aka vishing) -- a scam using text messages or robot calls to persuade recipients to share confidential information.</a> <P> Make sure your mobile employees -- and, indeed, any employee who might have business information stored on a personal mobile device -- understand that the proper response to this sort of malicious outreach is the same as to phishing and other e-mails: no response at all. Unsolicited messages, unfamiliar senders, any message or call that seems even the slightest bit out of the ordinary should be discarded immediately. <P> Common sense and wariness need to be raised at any holiday-themed message, too -- particularly those promising Big Sales, cute videos or seasonal merriment.
<P> But smishing, vishing and holiday scams are only one aspect of the mobile risks the holidays bring. <P> The rush and crush of brick-and-mortar shopping, holiday travel and crowded parties are prime opportunities to <a href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=227900388">lose a mobile device, or have it stolen, either of which can put business information at risk.</a> <P> In addition to insisting that any device holding company information be encrypted, it's a good idea to review basics of physical device security with mobile employees. <P> That physical security needs to include more than locking the phone, handheld device or notebook in the car or even the trunk: a bad idea all year round, it's a bit worse an idea during the shopping season, when crooks looking for unattended presents will be just as happy to grab an employee's Android phone, iPad or Netbook. <P> Finally, make sure employees are attending to their devices' security updates and patches promptly. <P> Apple's <a href="http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=228300455">iOS 4.2, for one example, deals with 40 security problems</a>. <P> Users of <a href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=228400108">Android phones should keep an eye out for Google's promised patch of a vulnerability</a> that affects all versions of the operating system. <P> Whatever variety of phone -- or notebook, handheld, tablet or other device -- employees carry, its operating system and security tools should be absolutely up to date before it leaves the office again.
<P> Mobile devices, and the employees who carry and use them, require an extra bit of awareness and caution throughout the year, and a bit more than that during the hectic holidays.

2010-11-23T15:28:51Z
Will You Know Where Your Business Is If The Lights Go Out?
A recent study pointed out that fear of downtime outranked data theft among consequences of a data breach or other intrusion. There's a reason for that ranking, and it extends far beyond breaches.
http://www.iweek-interim.com/news/229200493?cid=RSSfeed_IWK_Authors
According to a Trusted Strategies/Solera Networks survey of 200 security professionals, <a href="http://www.informationweek.com/news/smb/security/showArticle.jhtml?articleID=228201056">system or network downtime or outage was the top concern when dealing with the aftermath of a security incident</a>. <P> It's no great leap to see that the concern applies to any kind of downtime, not just that caused by a breach of security. <P> The reason that downtime topped the list, according to survey respondents, was the awareness that downtime -- and especially the often chaotic process of recovering from it -- is something too many businesses are unprepared for. <P> For the IT professionals participating in the survey, the focus on consequences of a data breach was paramount. That downtime, associated with cleaning out systems, ensuring that the systems actually <em>are</em> cleaned, then restoring the systems to full operational capability rightly tops security concerns... and you can be close to positive that it tops business concerns as well. <P> Despite those concerns, 25% of the respondents admitted that their companies were unprepared to deal with a breach and its consequences. <P> Which is at the heart of the fears, I believe.
No one wants to experience a security incident or the downtime that follows it, but the fear is magnified by the awareness of how poorly prepared so many of us are to recover from the incident. <P> And that extends far beyond security breaches. Power outages, natural disasters, fires or other infrastructure damage, any number of unexpected situations that cause your systems to go dark, and risk leaving your business in the dark with them. <P> Ask yourself: <P> How prepared are you to restore your critical business systems to operational capability in the event of an outage? <P> How long would it take you to do so? <P> More critically, how much time would you and your staff have to spend putting together a plan for system restoration -- or, slightly less critically but all too typically of some businesses, putting your hands on the plan you do have prepared? <P> And above all: <P> How long could your business stay in business if your systems are down? <P> The answers you give to these questions will tell you a lot both about the nature of your business, and also about the nature of your understanding of the most serious risks your business faces, whether you ever face a serious incident or not.

2010-11-19T12:06:07Z
Six Security Tips For The Holidays
Employee vacations, workplace celebrations, unexpected visitors and hours and hours of online shopping loom. Time to take a pre-holiday look at your seasonal security preparations.
http://www.iweek-interim.com/news/229200441?cid=RSSfeed_IWK_Authors
The approaching holidays, and the joy, delights and especially the distractions that accompany them, should prompt a quick review of those aspects of your security posture most likely to be affected by the holiday effect.
<P> <ul> <P> <li><strong>Absent Employees</strong>: Before the holiday travel and time-off season gets into full swing, take a look at who's going to be gone when, whether they will be accessing your systems remotely, and if not, whether their accounts and log-ons should be suspended for the duration of their vacation. Don't forget to check the employee's workspace for potential security vulnerabilities, including password and other sensitive material that's written down, USB and other easily removable devices that could contain confidential information, accounts with automated password and log-in fills (which shouldn't be permitted in the first place, frankly) left active.</li> <P> <li><strong>Absent-<em>Minded</em> Employees</strong>: As the holiday season moves into higher gear, the prospect for employee distraction grows apace. Pass the word that while seasonal cheer is a good thing, letting that cheer get in the way of standard security procedures and policies isn't. Some key reminders: don't leave computers and other devices running when away; shut all systems down, if possible, during holiday parties and gatherings; remind employees to be extra vigilant about spam and other suspect communications and Web sites, especially holiday-themed come-ons.</li> <P> <li><strong>Unexpected Visitors</strong>: Both unscheduled drop-ins and invited guests can pose security risks. If you're having an open house, for instance, make sure that monitors aren't showing sensitive information while guests are circulating; not a bad idea, in fact, to shut down all public area systems while guests are present, if practical. Be wary as well of visitors -- and for that matter employees -- bearing digital devices containing seasonal music or other digital diversions.
Strongly suggest that such devices not be plugged into your business systems.</li> <P> <li><strong>Don't Let Employees Shop If Their Guard Is Dropped</strong>: Online shopping from the workplace is a fact of holiday life, and should be addressed with a) a policy that makes clear the times, if any, that online shopping is permitted via company equipment and connections, b) a triple-check of your systems' up-to-date defenses against drive-by and other malware attacks aimed at shoppers, and c) a refresher course in online shopping security for your employees. Not a bad idea to remind them that shopping by phone requires the same security vigilance as shopping from the desktop.</li> <P> <li><strong>Physical Security For Digital Assets</strong>: Brick and mortar thieves are out in force during the holiday season, so it's important that you check your workplace's physical security, especially if the workplace is going to be completely closed during part or all of the holidays.</li> <P> <li><strong>Patches and Updates Don't Get Time Off For The Holidays</strong>: Many of the tips offered here are applicable throughout the year, not just during the holiday season. The same goes for your day-to-day security practices and policies. Patches will still need to be installed, virus definitions updated. Make sure you know who's responsible for the daily maintenance of your security posture, and have plans in place should they be away for the holidays.</li> </ul> <P> A bit of preparation and reinforcement now will make your workplace -- and your employees -- more secure when the holiday season ramps up.

2010-11-16T14:07:39Z
SMBs Blocking Facebook, Twitter, Other Social networks
Employee access to social networks is blocked by half of small and midsized businesses, security firm Webroot reports. The company's survey also found that malware and data leakage were the top social network fears.
http://www.iweek-interim.com/news/229200476?cid=RSSfeed_IWK_Authors
The threats posed by social networks -- and particularly by unfettered employee access to social networks -- are <a href="http://www.darkreading.com/smb-security/167901073/security/security-management/228200979/half-of-smbs-block-social-networks-at-work-due-to-security-concerns.html">prompting more and more SMBs to block access to the services</a>, according to findings in a new <a href="http://pr.webroot.com/web-security/ent/research-shows-half-of-smbs-block-employee-access-to-facebook-111510.html">Webroot</a> survey. <P> The company's survey of more than 1,000 U.S. and U.K. businesses with 500 or fewer employees found that more than half of the respondents (53%) tagged fear of malware as their top reason for blocking employee access to social nets such as Facebook and Twitter. <P> Nearly as many (47%) were concerned about company information leaking onto social networking sites. In fact, 12% of the respondents said they'd already had sensitive company information appear on a social network as a result of employee activity. <P> As a consequence, fully <strong>half of the respondents have blocked all employee access to any social networking site via company equipment</strong>. <P> The access blockage comes despite -- and, in some instances, because of -- widespread Internet and social network usage policies among small and midsized businesses. <P> While 81% of Webroot's respondents have an employee Internet usage policy in place, 42% put such a policy in place only after employees had used social networking inappropriately at work.
<P> A third of respondents (34%) monitor Internet use as a means of enforcing policies. <P> The combination of policies, policy violations, usage monitoring and malware fears has led to increased prohibition of social network access: <P> <ul> <P> <li><strong>39% prohibit employees from visiting Facebook</strong></li> <P> <li><strong>30% have banned employee access to Twitter</strong></li> <P> <li><strong>27% prohibit YouTube and video-sharing sites</strong></li> <P> <li><strong>21% restrict employee social network access to specific times of day (breaks, meals, after work hours)</strong></li> </ul> <P> While Webroot acknowledges that certain business departments and functions -- marketing, for instance -- are likelier to have legitimate business reasons for using social networks, the company's findings indicate that more and more employers are finding that the easiest, and safest, way to deal with social networks is to keep their employees from dealing with them at all.

2010-11-15T10:42:45Z
More Java Warnings, More Java Worries
The attractiveness of unpatched Java as an attack entry-point continues to grow, as do calls for all users to patch Java <em>immediately</em>. But in order to do that, you need to know who's running which version of Java.
http://www.iweek-interim.com/news/229200468?cid=RSSfeed_IWK_Authors
Unpatched <a href="http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=228000083">Java seems poised to become the top attack platform</a>, at least for the moment, prompting even louder <a href="http://www.informationweek.com/news/windows/opensource/showArticle.jhtml?articleID=228200857">warnings for users to get the latest Java updates, and get them now</a>.
<P> Leaving aside the universe of users who rarely if ever patch anything -- most of the recent Java exploits take advantage of vulnerabilities for which patches had long been available -- the challenge to businesses that <em>do</em> patch is the variety of Java installs that may be present throughout their business. Nor should you overlook the possibility of unpatched Java iterations on home and personal devices that employees may use occasionally for work. <P> Oracle itself posted this <a href="http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html">list of affected Java versions</a>. <P> A <a href="http://www.informationweek.com/blog/main/archives/2010/10/is_java_putting.html">thorough audit of Java versions in your business</a> is more essential than ever. <P> But, frankly, Java is only the attack-opportunity of the moment. Once a large enough number of users wake up and patch their Java, the exploiters will move on to the next big vulnerability. You can bet that they're already looking for it. <P> Which imposes even more pain -- or at least effort -- on businesses seeking to establish and <em>maintain</em> up-to-date defenses. <P> A thorough audit and inventory of all the apps, gadgets, widgets and other possible entry points in your business may not seem practical -- but it sure seems necessary. <P> The inventory and audit should include not only what's installed, but what the patch status is, including a review, vendor by vendor, of patch availability and patch scheduling. <P> Clearly a task worthy of Sisyphus, and possibly just as futile in a world where new apps, new exploitable bells, new vulnerable whistles are only a click away.
<P> A simpler -- and I use the word advisedly -- solution might be to introduce a form of <a href="http://www.informationweek.com/news/smb/security/showArticle.jhtml?articleID=212701670">application whitelisting</a>, establishing and making clear throughout your company which programs are allowed on company equipment, and restricting users only to those programs. At the very least, such an approach, if adhered to, reduces the number of programs you're monitoring for vulnerabilities and patches. <P> As long as we're talking about "the very least," you should certainly ask yourself how many of your employees actually use or even <em>need</em> Java on their devices, and eliminate installs accordingly. <P> Either approach -- audit/review/patch or whitelist/prohibit -- requires plenty of extra effort, diligence, ongoing vigilance. But the alternative -- doing nothing or, nearly as bad, doing just enough and doing that haphazardly -- virtually guarantees that you'll be spending plenty of extra effort playing catchup, and possibly playing it too late. <P> <a href="http://www.oracle.com/technetwork/topics/security/alerts-086861.html">Oracle's Critical Patch Updates are here</a>.

2010-11-08T14:44:31Z
Are Viruses What SMBs Really Need To Be Most Worried About?
Viruses and Trojans topped small and midsized businesses' security concerns in a recent survey, with data leaks not far behind. But the <em>real</em> top concern needs to be the incomplete security policies and practices that are typical of too many SMBs.
http://www.iweek-interim.com/news/229200442?cid=RSSfeed_IWK_Authors
According to a recent Trend Micro survey of 1,600 small and midsized businesses, the dangers posed by <a href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=228200171">viruses and Trojans were the number one SMB security concern</a>. <P> <a href="http://trendmicro.mediaroom.com/index.php?s=43&news_item=842&type=current&year=0">Trend Micro's findings</a> showed viruses holding the prime fear position with 63% of respondents, and Trojans not far behind with 60%; deliberate data-theft malware close behind at 59%. <P> These are all reasonable and worthwhile fears that every business must attend to, as are data leaks, spyware and spam, all of which were well-represented on the survey's concerns list. <P> What's really scary about the survey finding isn't so much the threats, but how little some businesses are doing to protect themselves against them. <P> Less than 50% of the survey respondents, for instance, had implemented defenses against data-stealing malware, despite awareness of the size of the threat and availability of tools to protect against it. <P> More telling, and more scary, though, was the degree to which awareness of threats -- particularly data leakage -- was <em>not</em> reflected in small and midsized businesses' overall policies and the communication of those policies to employees. <P> Less than half of the businesses surveyed -- 44% -- have formal policies regarding data leakage. <P> Without those formal policies -- and the employee education that makes them effective -- all the concern in the world isn't going to do much good. <P> Tellingly, the companies that <em>do</em> have a data leakage policy in place are also the companies likeliest to back that policy up with employee education.
<P> The lesson -- and I use the word deliberately -- here is clear: Put policies in place to address threats and concerns. <P> And make sure that one core part of that policy is thorough and ongoing employee education. <P> The top security concern for small and midsized businesses that don't have policies in place should be to craft one, soon, and begin educating employees about it the instant it's ready.
2010-11-05T11:08:16Z
SMB Winter Security Advance Checklist
The approach of winter, and the holiday season in the middle of it, means it's time for SMBs to take a few security steps, and implement a few security measures and practices aimed at keeping the chill away from your data and systems.
http://www.iweek-interim.com/news/229200451?cid=RSSfeed_IWK_Authors
Changing seasons, I've written often, offer a <a href="http://www.informationweek.com/blog/main/archives/2010/09/change_of_seaso.html">calendar-convenient point for undertaking a regular review of your security practices and policies</a>. <P> While the more frequently you keep an eye on your overall security posture the better, a seasonal approach at least guarantees that you'll take time to take a comprehensive look four times a year. <P> And even though winter is officially still a few weeks away, now's a good time to begin planning your winter security checklist. 
<P> Some of what you'll be looking at will come up every season: <P> <ul> <li><strong>Endpoint protection in place, including patches</li> <li>All passwords changed</li> <li>All licenses for security products legitimate and up-to-date</li> <li>Access to data reviewed for actual business need</li> <li>Review of your written security and usage policy to see if updates/changes are needed</li> <li>Review -- with test, if practical -- of your Disaster Recovery/Business Continuity procedures and plans; at the very least, test a recent backup for viability</strong></li> </ul> <P> And others, of course -- the basics of your security infrastructure, strategy and policy examined top-to-bottom. <P> But some seasons bring additional challenges, and winter weather, in many parts of the country, is one of them. <P> Among the winter-specific and holiday-season items that should be on your advance security checklist are: <P> <ul> <li><strong>Test of backup power supplies and generators if your region is susceptible to heavy storms and outages</li> <li>If your business takes on temporary workers during the holiday season, make advance plans for handling their logins and access-levels, as well as for <a href="http://www.informationweek.com/blog/main/archives/2010/08/back_to_school_1.html">shutting off their access when their temporary gig ends</a></li> <li>Plan in advance for holiday absences -- consider shutting off accounts if the employee will be away more than a few days</li> <li>Pass the word about holiday-related spam and scams</li> <li>Check physical security, including monitors and other easily-viewed sources of confidential information; this one's important every season, but during the holidays you may have more visitors in your business than at other times of the year</li> <li>Be ready for unexpected -- or unavoidable -- telecommutes; if your employees are weathered-in at home, and choose to work from there, be sure that their equipment <em>and their connections</em> match 
the security levels you've set in the workplace</li> <li>Be ready as well for the flu season that generally follows hard on the heels of the holidays and the arrival of deep winter; same rules and reviews for telecommuters at home with a cold as for those who are out of the office because of weather</strong></li> </ul> <P> Taking a bit of time now to make sure your security and related procedures are up-to-date and in-place before winter arrives will make it far less likely that you'll be playing security catchup when the cold weather really hits.
2010-11-02T10:53:36Z
How Much Do You Trust Your Employees? How Much Should You?
Insider fraud cost businesses 5% of their revenue in 2009, a new study reports. So how much should you trust -- or distrust -- your employees?
http://www.iweek-interim.com/news/229200502?cid=RSSfeed_IWK_Authors
The 2010 <a href="http://butest.acfe.com/rttn/rttn-2010.pdf">Association of Certified Fraud Examiners (ACFE)</a> report on the state of insider fraud and theft points out that while stealing company resources (asset fraud) accounted for 90% of last year's cases, financial fraud -- 5% of incidents -- was responsible for far greater losses. <P> The average asset fraud exploit cost companies $135,000; financial fraud averaged $4 million per exploit. <P> The result is that, <a href="http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=228000516">on average, companies lost 5% of their 2009 revenue to employee fraud of one sort or another</a>. <P> It can be difficult to predict -- or even become suspicious of -- which employees are going to try to rip off an employer. According to ACFE, 85% of insider fraud is committed by employees whose records, up to that point, are clean. <P> So what do you do? Trust no one? <P> I don't think so. 
<P> We've all worked at or known companies whose attitude and relationship to employees is essentially paranoid and confrontational, an approach that may keep fraud at bay (emphasis on the <em>may</em>) but is also unlikely to foster a work environment that's as productive and innovative as it could be. <P> At the same time, it hardly pays (other than to the crooks) to be naive. <P> The solution, I believe, is to strike that reasonable balance that has <em>always</em> marked the best employers and, not coincidentally, many of the best and most innovative companies. <P> That balance consists of a variety of elements, key among them: <P> <strong>Clear and clearly <em>written</em> policies, with careful attention paid to digital assets and employees' relationship to them. <P> A definition of those assets -- i.e., if you consider bandwidth capacity as an asset (as, increasingly, companies should), make clear what employees are and aren't allowed to use company bandwidth for. <P> A regular audit of employee access credentials -- who needs to have access to what data and resources, and who has such access but <em>doesn't</em> need it. <P> Monitoring, audit and analysis tools that can reveal policy and access violations and <em>attempted</em> policy or access violations. <P> Thorough education and communication with employees about policies and responsibilities. <P> Heightened awareness on the part of line managers and supervisors as to what to look for. </strong> <P> That heightened awareness, along with enhanced communication with employees, is an important point: ACFE reports that 40% of the cases it examined were brought to light by co-workers. (Other sources of information include customers and vendors.) 
<P> <a href="http://butest.acfe.com/rttn/rttn-2010.pdf">The complete ACFE Occupational Fraud And Abuse Report is here</a>.
2010-10-29T13:20:02Z
Flash Exploit On The Move Via PDF File
A critical zero-day Flash exploit that arrives in a PDF file is being used in attacks aimed at Adobe Reader and Acrobat 9.x. The exploited vulnerability is found across all major platforms, and a patch is not expected to be available for a couple of weeks.
http://www.iweek-interim.com/news/229200547?cid=RSSfeed_IWK_Authors
The <a href="http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=228000332">exploited Flash vulnerability</a> is found across all major platforms, <a href="http://www.adobe.com/support/security/advisories/apsa10-05.html">Adobe stated when acknowledging the problem: </a> <strong>"A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems." </strong> <P> The exploit arrives by way of a trojan-bearing PDF file attached to an e-mail promising info about a government-released Personnel Management iPad/iPhone app -- making the mail particularly tempting for people seeking jobs. 
<P> But even if all of your employees are happy and secure in their positions, they need to be warned about this exploit: <P> Once executed, the malware can, according to Adobe, "cause a crash and potentially allow an attacker to take control of the affected system." <P> The company announced a fix schedule that calls for the Flash bug repair to be released November 9, with the Reader and Acrobat repairs to be released the week of November 15. <P> Until then, Adobe recommends that users delete or remove or rename the authplay file(s) on their systems. <a href="http://www.adobe.com/support/security/advisories/apsa10-05.html">Platform specific authplay delete/remove information is here (scroll down</a>). <P> Good idea to pass that information along, to mark your calendars for the patch release dates... and to remind your people once more not to open unsolicited e-mail of any sort, and to be hyper-wary of any e-mail with a PDF attachment.
2010-10-27T12:28:43Z
Is Java Putting Your SMB At Risk?
Java exploits are on the rise, and sharply so, exceeding PDF attacks by a factor of 60 to 1, according to Microsoft. Is it time to cut off Java in your workplace?
http://www.iweek-interim.com/news/229200536?cid=RSSfeed_IWK_Authors
There's an unavoidable, I think, progression in the growth of attacks against Java. <P> That progression, as pointed out in a <a href="http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx">recent Microsoft security blog</a>, has steepened dramatically over the past couple of years, with the quarter just ended showing -- according to Microsoft -- more than 6 million attacks aimed at Java, compared to around 100,000 targeting PDF vulnerabilities. <P> The reason for the growth? 
Java -- and its vulnerabilities -- may not be as obvious even to security-savvy businesses as browsers, applications and other common attack targets. This is a dilemma with anything that runs in the background, but Java's popularity makes Java a bigger dilemma. <P> As a result -- along with other <a href="http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=228000083">factors including the number of Java versions out there</a> -- the number of unpatched Java holes remains higher than the number (still too high) of unpatched or not-upgraded higher profile programs. <P> Which begs the question, in some ways. <P> While you should take an inventory of your business's Java deployments, and take steps to ensure that every version in your system is the latest version, you should also ask yourself: <P> <strong>Just how much Java does the business really need?</strong> <P> What business purposes are served by providing employees Java-enabled platforms? <P> If you can't come up with a good answer to that one, your Java audit should also include a Java-disabled audit. <P> Of course, if you're running a <a href="http://www.informationweek.com/news/smb/services/showArticle.jhtml?articleID=227900513&pgno=2">Mac-based business, Java and its vulnerability issues are increasingly irrelevant</a>.
2010-10-25T12:41:36Z
2 Of 3 Employees Routinely Violate Usage Policies
Whatever your employees <em>need</em> to be doing on the Web via your network, a fair percentage are doing -- or trying to do -- a lot more, according to Symantec/MessageLabs findings.
http://www.iweek-interim.com/news/229200636?cid=RSSfeed_IWK_Authors
Got employee Web usage and browsing policies in place? How's that working for you? 
<P> According to some <a href="http://www.symantec.com/connect/blogs/employee-browsing-habits-good-bad-and-ugly">Symantec/MessageLabs findings about employee browsing habits</a>, probably not all that well. <P> One-third of employees, the company reported, have 10% of their browser requests blocked, while another third have far more than 10% blocked. <P> But that still leaves two-thirds who are trying to violate policy on a fairly regular -- and for some of them constant -- basis. <P> In fact, Symantec reports that <strong>14% of employees have between 90-100% of all browser requests blocked!</strong> (Gotta wonder about those 100% blocked users -- what are they doing either a) still working for the company or b) being allowed access to a computer at all?) <P> One of the scariest -- and, upon reflection, least surprising -- findings was that the employees with the highest percentage of blocked requests also had the highest percentage of blocked requests that were aimed at getting them to <strong>"sites relating to 'Proxies & Translators'. This strongly suggests activity to circumvent company policy to gain access to sites."</strong> <P> That "strongly suggests" is an admirably subtle way of saying: <strong>"Ya THINK?"</strong> <P> However leniently or aggressively you handle your usage and browsing policies and the tools that support them, a deliberate attempt to bypass those policies should be viewed as a deliberate attack on your company's security, as well as a policy violation, with appropriate consequences. <P> The good news is that a third of employees have no blocked requests on their records -- an indication that both usage policies and tools, and employee understanding of them, are working... working about a third of the time, that is. <P> Of course, these figures apply only to companies that actually <em>have</em> policies and enforcement/detection tools in place. Many SMBs have neither, and can figure that risky browsing is a fact of life... 
except for Proxies and Translators, which they don't need because their employers are already letting them go anywhere and do anything they want, with few consequences for anything other than the company's security and, ultimately, the company itself. <P> The <a href="http://www.messagelabs.com/mlireport/MLI_2010_09_September_FINAL_EN.PDF">complete Symantec/MessageLabs Intelligence Report for this past September is here</a>.
2010-10-22T12:32:59Z
Cybercrooks Targeting SMB Accounts, FBI Warns
The best source of SMB funds is SMB bank accounts, obviously, and according to the FBI, those accounts are precisely what the crooks are going after.
http://www.iweek-interim.com/news/229200600?cid=RSSfeed_IWK_Authors
An <a href="http://www.ic3.gov/media/2010/CorporateAccountTakeOver.pdf">FBI warning of criminal takeover of corporate accounts</a> makes clear that cybercrooks are getting more aggressive about gaining access to SMB accounts, draining them quickly, and moving on. <P> Their path to the accounts is information-stealing malware, but the path to get that malware into your business may well be you or your boss. While every employee with network access offers thieves a potential vector into your data, the FBI notes that many <a href="http://www.darkreading.com/smb-security/security/perimeter/showArticle.jhtml?articleID=227900529">attacks focus on "senior executives or accounting and HR personnel</a>." <P> The attackers have also been known to go after customer lists, as well as contractor, vendor and partner information, further spreading malware and wreaking further potentially catastrophic financial havoc. 
<P> Once an account is compromised, the criminals have several paths to draining your resources, including: <strong> Electronic funds transfers <P> Counterfeit checks based on records taken from electronic check archives <P> Telephone impersonation of the compromised executive <P> Wire transfers </strong> <P> In addition to strong and thorough security tools and technologies, defensive measures the Bureau recommends include re-emphasizing the need for wariness regarding e-mail and attachments (many of the scam attempts employ attachments that appear to be PDFs or Office files). <P> Because the thieves often have access to a company's e-mail lists, your wariness needs to extend to familiar e-mail, as well as names you don't recognize, or unexpected (and phony) e-mail from institutions and companies that have no reason to send you anything, much less anything with an attachment or a request for information. <P> All of this advice -- all of it good -- needs to be presented clearly and firmly to <em>all</em> employees, most definitely including the top executives, managers and supervisors at your company. <P> That last point is one of the crucial ones here. <P> Do your efforts to make sure that your employees are educated about basic security matters extend <em>all the way up </em>the organizational chart? <P> They'd better. 
Your bank accounts, and ultimately your business, may depend on it.
2010-10-18T17:07:46Z
Webroot Update Tracks Employee Usage Violators, Bandwidth Trends
The latest version of Webroot's Security Service adds bandwidth trend tracking, both overall and for employees attempting to violate company usage and security policies.
http://www.iweek-interim.com/news/229200631?cid=RSSfeed_IWK_Authors
Along with security Software as a Service (SaaS), the latest iteration of Webroot's <a href="http://www.webroot.com/En_US/business-web-security-saas.html">Web Security Service</a> includes Web activity reports designed to make bandwidth monitoring and management simpler and, as far as security goes, make clear which employees are seeking to violate company Web access and usage policies. <P> The introduction of the bandwidth and usage reports is a natural add for a <a href="http://www.webroot.com/En_US/index.html">cloud-based service company such as Webroot</a>. And as your business relies more and more on bandwidth, both for services coming in and business outreach headed in the other direction, getting a precise fix on your bandwidth patterns and problems will play an increasingly large role in both your connectivity and your security posture. <P> Whether you acquire it from Webroot or not, this sort of information about your business's usage patterns and aberrations speaks directly to certain security concerns that should be addressed by: <P> <strong>Policy that clearly defines what employees are allowed to do/explore/participate in on the Web. <P> Tools that wall off, blacklist or otherwise restrict certain types of Web sites and content. 
<P> Monitoring and reports that identify violations and attempted violations.</strong> <P> The key to all of this is that strong usage policy, which should be written, and which employees should sign and date. <P> In this environment, and particularly with the Web so much a part of people's non-work lives, there will be employees who violate the policy, or try to, in order to <a href="http://www.informationweek.com/news/infrastructure/management/showArticle.jhtml?articleID=225702723">indulge the Web activities they desire</a>. Some of these violations or bypasses, once you become aware of them, may well cause revisions and reconsideration of your policy -- not all employee Web usage is bad or even non-productive. <P> But repeat offenders seeking to access blocked or prohibited Web content, or draining your bandwidth through huge P2P downloads are security risks who are a) flagrantly violating company policy (d'oh!) and b) if they're brazen enough or dumb enough (or both, simultaneously) to openly flout the rules you've put in place, who knows what else they're up to and how sloppy or malicious they are while they're up to it? Their behavior may not be criminal -- probably isn't, at least not deliberately -- but could put your business information at risk and, if you're subject to compliance regulations, expose you to fines and penalties. <P> Webroot's positioning of the bandwidth reports as a policy enforcement tool is smart business -- be interesting to know how many of its SMB customers actually have written usage policies in place, and how many actually enforce them. 
<P> The company's <a href="http://www.prnewswire.com/news-releases/webroot-announces-latest-release-of-cloud-based-web-security-service-105161749.html">Web Security Service update</a> includes weekly and monthly vulnerability tests for several hundred of the most common weaknesses and holes in "operating system, Web browsers, browser plug-ins, Microsoft Office suite, media players, instant messaging software and various third-party solutions." <P> A <a href="http://mysite.webroot.com/forms/WWWTWR49">free trial of Webroot's Web Security Service</a> is accessible here (registration required).
2010-10-14T11:28:25Z
Load Balancer Targets SMB Needs And Budgets
KEMP Technologies' LoadMaster DR, available as a hardware appliance or software download, aims to ensure that SMB customers have reliable access to the business's servers. An introductory price on the appliance aims to ensure that SMBs can afford it.
http://www.iweek-interim.com/news/229200639?cid=RSSfeed_IWK_Authors
For non-IT small and midsized businesses, <a href="http://www.kemptechnologies.com/us/">KEMP Technologies</a> co-founder and vice president of product management Peter Melerud feels, load balancing and traffic management may be obscure technical topics, particularly as hosting services and multiple beyond-the-perimeter data centers have grown. <P> "But all it takes is for a customer request to be unable to reach the business because of a server failure, and the importance of the issue becomes clear, whatever the nature of the business is." <P> KEMP's recently released <a href="http://www.kemptechnologies.com/us/server-load-balancing-appliances/loadmaster-dr/loadmaster-dr-overview.html">LoadMaster DR</a> is designed to overcome such problems, Melerud says. 
<P> "There are a number of chains that can break between the customer and the server," he says. "The LoadMaster doesn't worry about which one is broken or why -- that's addressed by the service provider of the business's IT department -- but is dedicated to directing customer requests to other available servers and data centers. The point is to keep the business operational and maintain the customers' access while the problem is repaired." <P> High availability and traffic management is a business continuity issue, Melerud points out, as well as a technical one. <P> While KEMP has found success marketing its load balancers to cloud and hosting providers, which in turn provide the traffic management and monitoring as a service, the company is currently undertaking a more direct approach to the SMB marketplace. <P> As part of that approach, the $2,990 hardware version of the LoadMaster DR, is being offered at an introductory price of $1,590, with <a href="http://www.kemptechnologies.com/us/server-load-balancing-appliances/loadmaster-dr/feature-details.html">features</a> that include multi-site load balancing and the ability to handle up to 15,000 DNS queries per second, Web User Interface for remote administration and a console port for local administration. <P> The LoadMaster DR is also offered as a <a href="http://www.kemptechnologies.com/us/server-load-balancing-appliances/virtual-load-balancers/vlm-overview.html">virtual load balancer</a>, available for VMWare and HyperV, and priced at $1,990. <P> Pricing for both versions includes one year of service and support. 
<P> An <a href="http://www.kemptechnologies.com/us/wui-demo/load-balancer-demo.html">online demo of the LoadMaster</a> is accessible here (registration required).
2010-10-12T12:59:14Z
Who's Responsible For Patching Your Business?
What's your business's patch policy, who's in charge of it -- and should Microsoft's latest Biggest Patch Tuesday Ever prompt you to review it?
http://www.iweek-interim.com/news/229200621?cid=RSSfeed_IWK_Authors
Big Patch Tuesdays are like little Patch Tuesdays, the joke goes, only more so. <P> Which means that <a href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=227700420">today's record-breaking Microsoft patch deployment</a> is even more than that. <P> Even as the massive repair rollout -- explained, at least in part, as Microsoft's attempt to reduce the number of patches released during the approaching holiday season, when <a href="http://www.informationweek.com/blog/main/archives/2010/10/record_microsof.html">many retail businesses lock their systems until after the shopping rush</a> -- rolls your way, it's time to ask how satisfied you are with your business's current patch policy and its administration. <P> And it's a <em>good</em> time to ask. Although <a href="http://www.microsoft.com/technet/security/Bulletin/MS10-oct.mspx">Microsoft identifies four of the 16 bulletins as critical, ten as important, and two as moderate</a>, a huge Patch Tuesday should cause no more haste (or panic) than a moderate one. Patching your systems should be a <a href="http://www.informationweek.com/blog/main/archives/2010/08/patch_tuesday_p_1.html">steady-handed response more than an excessively rapid one, as has been noted here before</a>. 
<P> So while big businesses and others are test-bedding the patches and making sure all is well after required reboots, and while you're waiting for reports of any patch problems to make the news, consider calling in your patch team (assuming you have one) and taking a look at how that most recent huge patch deployment went (worth looking at smaller ones too). <P> Here are some good questions to start with: <P> <strong> Who's in charge of seeing that all patches are deployed? How do they go about achieving that assurance? <P> Were all patch deployments accomplished successfully? <P> How confident are you that your company's software and devices -- not just Microsoft products -- are fully patched? <P> Where can you tighten up the procedure, both for efficiency and added assurance that all patchable holes are indeed filled? <P> Is there sufficient documentation and recording of the patch process and its results?</strong> <P> Work outward from these until you've developed a good, thorough picture of the patching procedures and policies that are in place at your business, address those areas you're dissatisfied with or feel can be improved, and your next Patch Tuesday, big or little, will benefit, as will all the other patches that continue to come at us.
2010-10-07T13:40:45Z
Panda GateDefender Update Cracks Down On Employee Behavior
Panda Security has introduced hybrid cloud-based content protection for its GateDefender Performa 4.0 perimeter security appliance. One of the things the device protects your company against is your employees' behavior.
http://www.iweek-interim.com/news/229200645?cid=RSSfeed_IWK_Authors
The <a href="http://www.prnewswire.com/news-releases/panda-adds-cloud-based-protection-to-gatedefender-performa-40-104417223.html">hybrid cloud content protection update for Panda Security's GateDefender Performa 4.0</a> aims to tamp down on malware, spam and other threats not only by securing the perimeter, but also by giving users the tools to restrict risky (and bandwidth-intensive) employee behavior <em>inside</em> the perimeter. <P> While the device may be most appropriate for high usage/heavy traffic midsized and larger businesses' demands (and <a href="http://www1.bottomdollar.com/search_attrib.php/page_id=403/form_keyword=panda+gatedefender+price/rd=1/skd=1/st=query">budgets: the small business version, GateDefender Performa SB starts at close to $2,000</a>), the GateDefender's approach is worth considering. <P> That approach includes cloud-based management that gives a single view of company-wide security, antimalware and antispam tools, content filtering, decryption/encryption for SSL scans during HTTPS sessions, load balancing and "the ability to selectively block IM/P2P/VoIP/Spotify communications that are known to critically impact bandwidth consumption." <P> Rolling monitoring of P2P, music, VoIP and other heavy-bandwidth, productivity-lowering activity into the appliance's capabilities puts teeth into employee usage policies. Restricting employees' P2P and other high bandwidth usage not only frees up your capacity (and their concentration) but also cuts way back on some of the <a href="http://www.informationweek.com/news/security/showArticle.jhtml?articleID=206903416">riskiest procedures your employees may be engaging in</a>. 
<P> Not cheap, and not for every SMB, but, as noted, worth a look if you're looking at hardening your perimeter defenses -- and tightening up your defensive posture within them.
2010-10-06T11:39:47Z
Should Employee-Owned Devices Be Considered SMB Endpoints?
Any device that contains company information is an endpoint, right? So how do you protect your data on the personal devices in your employees' pockets, cars and homes?
http://www.iweek-interim.com/news/229200642?cid=RSSfeed_IWK_Authors
Depending on your company's IT Budget -- always assuming, sigh, that you still <em>have</em> an IT budget -- your employees may have newer, smarter, more sophisticated personal devices than the equipment the company provides. <P> Result? Employees using their own devices to get their work done. And if those devices don't carry at least the same levels of security that workplace devices do, the potential for problems -- and, at worst, disaster -- is vastly increased. <P> At what point do you address this issue -- and how? <P> The point to address the issue is <em>now</em> -- this one isn't going to go away and is, indeed, only going to grow more ubiquitous. <P> As to how -- you do it, I believe, with your employees' help. <P> How recently -- if ever -- have you <a href="http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=227500306">discussed the boundaries, or lack of them, between business and personal technology</a>, including software, as well as the devices on which the software runs? <P> Have you ever polled your employees to discover what IT tools and technologies not available from your company might help them do their jobs more effectively and efficiently? 
<P> How about asking them if they've ever used such technologies -- including <a href="http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=226500216">personal e-mail accounts to get their work done</a>, whether or not you have <a href="http://www.darkreading.com/insiderthreat/security/management/showArticle.jhtml?articleID=223800307">policies in place prohibiting such behavior</a>? (If you do have such policies in place, this one might best be approached with a sort of one-time amnesty for violators, making clear that the policy is serious and will be enforced after the audit -- but making clear as well that the results of the audit may produce some changes in the policy.) <P> What level of employee input into your company's security posture have you requested? Your most tech-savvy employees may have good ideas and strategies that you've overlooked. <P> Finally, have you given some thought to more actively partnering with your employees for the protection of your data on their devices -- and the protection of their personal data as well? Perhaps you wrap their devices into your overall security/endpoint monitoring posture, agreeing to cover their security needs in return for their agreeing to the coverage and the monitoring. <P> While there are doubtless privacy and related concerns involved with that last -- these are employees, not property -- those concerns can be discussed, addressed, dealt with. <P> The real issue, ultimately, isn't the technology itself. In today's always-connected environment, the employees themselves are the endpoints, whatever the technology they're using. <P> Time to turn those endpoints, all of them, into defense points for your business.
2010-09-30T15:56:58Z
Trusted Outsiders Can Be Big Security Risks
Ever have a trusted salesperson, contractor or customer bring by a flash drive with a file for you to view on one of your company's machines?
Ever regret letting the outsider's drive inside your perimeter?
http://www.iweek-interim.com/news/229200738?cid=RSSfeed_IWK_Authors
You may allow your most trusted employees certain leeways and latitudes when it comes to their use of your business's technology -- but what about your most trusted vendors, contractors, customers and partners? <P> I was talking recently with a friend who's an industrial products salesman, and among the matters we discussed was how easy technology had made it for him to show customers and vendors photos, schematics, other materials. <P> "Just pop a thumb drive in one of their machines, and there you go," he said. <P> No <a href="http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=227300112">USB-drive monitoring? No security alarms going off?</a> <P> He may still be laughing. <P> "Are you kidding?" he said, admitting that one company preferred that he connect a camera or phone to their system rather than a thumb drive because, according to his customer, "Cameras and phones are safer." <P> Now, odds are that the leeway they grant to my friend extends to people not as tech-savvy as he is, and probably extends to everybody. (Odds are, actually, that their systems are leaking information like sieves.) <P> But we all know of security-conscious and careful companies that do extend similar access to trusted outsiders, and do so for reasons of convenience, expediency or constancy of the vendor's presence in their business. <P> You know your vendors, you know your systems, you know your security procedures and tools, you know your comfort levels with granting access. <P> Problem is, you may not know the levels of understanding your trusted outsider possesses on these very same matters.
<P> The spread of USB-borne attacks isn't likely to abate; <a href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=227100125">a quarter of malware now arrives via USB</a>, and we're still in, alas, the fairly early days of device-borne attacks. <P> At the very least, it's a good idea to insist that your trusted outsiders adhere to the same policies, monitoring and scans that your employees must meet. <P> Insist that any device brought into your workplace be equipped with up-to-date security software. <P> Deploy tools that monitor all devices and drives on your network. <P> Too much trouble? <P> Consider doing what my salesman friend and I have discussed: <P> Set up a dedicated, <em>non-networked</em> computer for viewing materials brought in by vendors or customers. Equip the machine with security software, and use the machine <em>only</em> for outsider presentations and other materials. Scan it in depth after every such presentation. <P> Suspenders and belt? Sure -- but these sorts of safeguards can help keep your business from getting caught with its security pants down as a result of a sloppy or unaware outsider who has something you "just have to see." <P> While you're at it, you might want to review those internal leeways and latitudes you grant, as well.
2010-09-28T17:49:30Z
News Sites, Searches May Be Riskier Than Porn
Steer clear of gambling, porn and other known risky sites and related searches and you and your employees -- and your business -- are safer, right? Not according to a new Websense study which found that leading news and pop culture sites, and hot-trend search terms may be more dangerous than some of the ones you're steering clear of.
http://www.iweek-interim.com/news/229200752?cid=RSSfeed_IWK_Authors
If you and your employees stick to the <a href="http://www.informationweek.com/news/storage/security/showArticle.jhtml?articleID=227500852">most popular news, game, social network sites and message boards, you're <em>still</em> never more than two clicks away from malware</a>, the Websense study reports. <P> In other words, when it comes to protecting yourself by proscribing your company's surfing and searching habits, you're damned if you don't, but you may also be damned if you do. <P> The cause is a combination of increased automation and thus ubiquity on the part of the malware community, and the increased use of partner sites and links -- often not previewed, obviously -- by legit sites. <P> According to Websense, no more than <a href="http://investor.websense.com/releasedetail.cfm?ReleaseID=511923">two clicks away from malware</a> or other dangerous content are: <P> <ul> <li><strong>"More than 70 percent of top news and media sites</strong></li> <li><strong>More than 70 percent of the top message boards and forums</strong></li> <li><strong>More than 50 percent of social networking sites"</strong></li> </ul> <P> Here's a startling one: more than 60% of sites linking to games also contain links to toxic sites, while less than 25% of sex-related sites contain malicious links. <P> (Not that this is any reason to alter your policies related to objectionable material, of course.) <P> Search-poisoning is just as bad. Celebrity and other hot topics have always been malware-attractors, but less newsworthy searches are becoming riskier as well. Do a search for baby bedding in London, Websense found, and a full 30% of the results returned will be poisonous.
<P> It's not exactly breaking news that spammers and malware creators are following hot trends and popular topics, <a href="http://www.informationweek.com/news/storage/security/showArticle.jhtml?articleID=226800059">zapping the zeitgeist, as it were, with toxic links</a>. But the Websense study shows just how pervasively the bad guys are going after you and your employees via your supposedly safe surfing and searching habits. <P> Whatever your company's policies are regarding employee Web usage, these findings are a good occasion to remind your employees that just because a link is on a reputable site, there's no guarantee that the link isn't compromised. <P> Even when they're surfing and searching safely, they have more reason than ever to be careful. To be, in fact, wary, and take one or two very deep breaths before clicking anything. <P> And certainly before that second click.
2010-09-27T12:59:09Z
Phishing, P2P, Drive-Bys Top SMB Security Risk List
File sharing, drive-by downloads, social nets, phishing, malicious attachments -- according to a new report, these are the leading approaches for criminals targeting small and midsized businesses.
http://www.iweek-interim.com/news/229200749?cid=RSSfeed_IWK_Authors
While many small and midsized businesses are (rightly) increasingly alert to insider risks, that's no reason to relax at all when it comes to threats from beyond the firewall. <P> That's one of the <a href="http://www.darkreading.com/smb-security/security/perimeter/showArticle.jhtml?articleID=227500605">key points in a new <em>Dark Reading</em> report</a>, <em>SMBs in the Crosshairs</em>.
<P> And the crooks' crosshairs really are increasingly trained on your business. According to the report's author, Randy George, "small businesses in particular are a filet mignon for hacks and digital criminals." <P> The reasons? Too little money, time, expertise, awareness, too much over-confidence... all of which make SMBs all too easy prey for: <P> <strong>Malware-Laden File-shares:</strong> If you're letting your employees run <a href="http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=211201278">unfettered P2P programs</a>, stop. <P> <strong>Drive-by Downloads: </strong>Unpatched and <a href="http://www.informationweek.com/blog/main/archives/2010/08/ie6_still_used.html">older browsers</a> need to be replaced/updated before anything else. <P> <strong>PDFs With Payloads:</strong> <a href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=227400016">Adobe's vulnerabilities catalog</a> continues to grow, and some of that growth is taking advantage of SMBs' increasing use (like everybody else) of PDF files. <P> <strong>Phishing:</strong> The one that won't go away, and <a href="http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=225702834">continues to grow as phishers rebuild</a> and replace networks. If you haven't had the <a href="http://www.informationweek.com/blog/main/archives/2010/09/here_you_have_a.html">"immediately delete unfamiliar e-mails unopened"</a> talk with your employees lately, have it now. <P> <strong>Social Networking:</strong> The risks of social nets are growing as fast as or faster than the networks' popularity, to the point where <a href="http://www.informationweek.com/blog/main/archives/2010/09/social_net_malw.html">one-third of SMBs have already encountered social network-borne malware</a>; put a thorough (and tough) social networking policy in place, enforce it, and then reinforce it constantly.
<P> <strong>The <a href="http://www.darkreading.com/smb-security/util/download.jhtml?id=186300002&cat=whitepaper">complete <em>Dark Reading</em> report <em>SMBs in the Crosshairs: Understanding the Threats, Defending the Business</em> can be downloaded here (registration required)</a>.</strong>