The Internet – A Blessing or Double-Edged Sword?

The Internet has grown to be one of the most important information and business conduits the world has ever seen. While it has brought us amazing new capabilities over the past 15 years or so, the Internet comes with a downside. Much like the days when America was stretching itself from the east to the west, the “wild west” was a ripe playground for “bad” people. The same goes for the Internet.

It is a double-edged sword. We have amazing capabilities, but also a perfect landscape for lawlessness. Hackers and cybercriminals have taken note. Today, they leverage the Internet to target specific individuals or groups of individuals at specific companies, get them to react to an email message that directs them to an attacker’s site, and silently download malware to begin the process of gaining access and stealing data or IP. What’s more, they’re automating their attacks. Sophisticated attackers are leveraging scripting tools and computing power to marshal vast numbers of computers to aid in perpetrating automated attacks.

No Matter the Regulation, It Will Fail Without Change in InfoSec Mindset

Recently, the Homeland Security Department unveiled a new system of guidance intended to help make the software behind websites, power grids and other services less susceptible to hacking. The system includes an updated list of the top 25 programming errors that enable today’s most serious hacks. The list, topped by SQL-injection vulnerabilities, is an attempt to address the root-cause issues behind cyberattacks.

However well-intentioned, this new system will likely fall flat, just like the several attempts over the years to legislate security through compliance – at last count there were at least seven bills in Congress that would attempt to do so, several of which were re-attempts at previous legislation. There have also been attempts at requiring certification and licensing of information security professionals, which have also not succeeded to date. DoD 8570 is the closest thing we have to mandatory certification.

iOS Devices: Your CEO wants one, IT wants the data on it secure

IT is constantly adapting to new realities spurred by the types of technologies that people are using and bringing into the enterprise environment. One of the most disruptive technologies of late has been iOS devices. These devices are massively popular, and for good reason. Whether you’re a vice president keeping up on the latest sales reports mid-flight via your iPad or a physician accessing medical reports while meeting with a patient, iOS devices can improve productivity.

Platforms such as iOS have been designed from the ground up to be more secure—they raise the bar by leveraging techniques such as application isolation, provenance, device encryption, and permission-based access control. However, these devices were designed for consumers and, as such, security has been traded off for usability to varying degrees. It’s this usability that makes them so popular among consumers.

Puddles

(Cross-posted from Symantec Connect)

I believe that we have reached a saturation point.  You know how, after heavy rain, the ground can’t absorb any more water and it begins to pool on the ground? We’ve reached that point with security incidents.

The bad guys just can’t pump out new malware any faster. Check out the Norton Cybercrime Index.  The trends for 2011 are pretty much flat. The explosive growth in malware we’ve seen in the previous 10 years is just not sustainable. Maybe new hacker tools will come along, new propagation methods, or more platforms, or more people to infect.  But for now, things are beginning to stagnate.

This is not to say the problem is going away. There were 286M new malware variants in 2010. 286 million! But even that mind-blowing number reflects a slowdown. It’s more than the year before, but not the 100% increase we’ve reported in previous years. It’s not like the growth we used to see.

Protecting Corporate Data Starts at Home

A news article in the New York Post provides a cautionary tale of one of the many reasons properly securing home wireless networks is more than just a good idea. While the story is interesting and makes for good press, it merely scratches the surface of why companies and individuals need to pay a lot more attention to the security of home wireless networks.

While unauthorized use of an individual’s Wi-Fi network to commit serious crimes can put innocent people in the crosshairs of criminal investigations, the implications for the protection of corporate data are significant as well. If an attacker gains access to a person’s wireless network, corporate systems (i.e., corporate-owned laptops and/or desktops) connected to that network can be easy points of compromise and data loss.

And the Dish Ran Away with the Spoon!

Internet connectivity is turning up in every product we see: phones, video game systems, video cameras, televisions, coffee machines, home lighting, vehicle alarms and soon refrigerators, ovens, and heck, maybe toilets.

What a great world it will be when my refrigerator sends me a text message or posts to my favourite social network that I need to buy milk and salami. It will be even better when I can log into my oven and tell it to turn on and cook a pot roast at 350 degrees for 4 hours so I come home to a great slow-cooked meal, or when my oven contacts the fire department when it lights my house on fire. I’m sure over time this great technology will be adopted by supermarkets to manage their nationwide chains remotely, to ensure proper temperatures are maintained in their coolers and freezers.

The Evolution of IT as It Moves to the Cloud

(Cross-posted from Symantec Connect)

Technologies such as virtualization and cloud computing offer the potential to reduce costs and improve operational efficiency – benefits organizations can’t afford to ignore. The shift to a cloud-based IT infrastructure is a goal for many, with 75 percent of enterprises at least discussing the implementation of these technologies. Whether you are just beginning to implement virtualization and private cloud computing or are already in the process, here are a few recommendations to give you the smoothest transition possible, based on the results of our 2011 Virtualization and Evolution to the Cloud Survey.

Process Orchestration – The Key to Improving Security Response

(Cross-posted from Symantec Connect)

Let’s pretend for a moment that you’re on a business trip. You hear the boarding call for your flight and reach down to grab your laptop – only your laptop isn’t there. Whether it was left at security or snagged by another traveler in the terminal, your laptop is gone and your company data is at risk.

So what do you do? Typically you’ll need to make a call to the office, notifying your IT department of the incident. This call will initiate a chain reaction of events set into place to ensure measures are taken to secure the files and equip you with a new device to keep business running as usual. This process typically involves a series of forms, approvals, signatures, etc.

Regulations Driving Data Breach Costs Higher Worldwide

It seems that no matter where you are, you’re paying more for a data breach these days. The Ponemon Institute, together with Symantec, released the results of the second annual 2010 Global Cost of a Data Breach report today. The average cost of a data breach has now reached $4 million, up 18 percent from 2009, and the average cost per compromised record jumped 10 percent to $156. Costs still vary between regions. The United States had the highest cost per compromised record at $214, followed by Germany at $191, France at $136, Australia at $123 and the United Kingdom at $114 (a whopping $100 less than the United States).

But enough with the numbers; the interesting stuff is what’s behind the rising global cost of a data breach. It’s certainly true that companies face intense pressure to improve data security. In 2010, there was no shortage of high-profile data breach incidents making headlines in the global media. High-profile data breaches really aren’t anything new—though they’re probably getting more attention than in years past. What has continued to evolve is regulation.

Is the mobile token the future of authentication?

Fact: It’s faster and cheaper to switch to mobile tokens than manage hard token replacement

It’s been a number of years since two-factor authentication spent an extended time in mainstream consciousness in the way it currently is. This type of authentication, which requires two different kinds of evidence that a person really is who they claim to be, is most often connected with the concept of a hard token. It’s usually put in place to ensure that access to an organisation’s most important information assets is secured appropriately. However, something that appears to be missing from the discussion is that a hardware-based token is just one of many ways to do this (see Wikipedia for an extensive list) and is probably the most expensive to run.

Most companies may save money and end up with a more secure system by moving away from hard tokens instead of accepting an offer for a free refresh of their existing estate!
