Cyber Risk No. 1: Loss Or Theft Of Confidential Information

Image representing Dropbox as depicted in Crun...
Image via CrunchBase
Cyber risks are a growing concern for every company, no matter the industry. The storage and transfer of data have become necessary parts of doing business, and “putting it out there,” so to speak, increases the chance of a hack-attack. 
File sharing in particular is a major concern for organizations concerned about their sensitive or proprietary data.  With services like Dropbox, Google Drive and Microsoft’s SkyDrive gaining traction daily, IT professionals need an effective way to manage and monitor the flow of their data.  It’s for this reason that both our Harbinger and Nemesis services include a dedicated file sharing category, giving you the ability to control the transfer and integrity of your data.
This month we’ll be looking at three cyber risks most often identified by companies open to disclosure. The first risk is loss or theft of confidential information, which has become even more of a concern for companies and individuals in this post-NSA PRISM world. 
Each year, security threats continue to be more costly and require greater vigilance as evidenced in a recent settlement that cost Sony more than $383,000 in UK-based fines for a 2011 breach of its PlayStation Network. Nintendo also faced similar issues in June of this year with more than 15 million hacking attempts resulting in 24,000 breaches in a single month, according to CBR Online.
The average cost of a breach lasting 3-5 days for a small company is $35,000 – $65,000.  For a large company, that number grows to a staggering $400,000 – $840,000.  If at first glance those figures seem high, consider the cost of the following: time spent responding to incident, lost business, lost assets, reputational damage, and that’s before any compliance issues or fines.
The more your business grows, the more likely it will attract the interest of cyber-attacks. So what can you do to protect yourself? 
1. Pinpoint the associated risks for the types of data that are important to your business. 
2. Define your security policy. 
3. Implement.
4. Review and revise.
Final word of warning: don’t think this is one-size-fits-all. Prevention is dependent on your company’s needs, and could involve establishing Internet use protection or safeguards against intrusion or remote access safety measures for backing up and accessing data. 

Know what you need, and make sure you get it.  For more information about our Harbinger and Nemesis services, visit us at
Enhanced by Zemanta

Browser Bingo

bingoImage by hownowdesign via FlickrWay back in 2007 the European Commission and Microsoft began a legal dispute over competition concerns regarding Microsoft’s domination in the European user space. In December of 2009 the dialogue between the EC and Microsoft ended, culminating in a resolution that would aid in easy interoperability with various software and force Microsoft to force browser choice on its current European users.

A large part of the agreements by Microsoft deals with browser choice for OEMs and end users on Windows 7, XP, and Vista operating systems. Starting the week of March 1st, users in 30 European nations with IE as their default browser may start seeing an introductory screen pop up on their machines. This introductory screen, only seen after installing the relevant Microsoft update and restarting their systems, will explain the purpose behind the subsequent choice screen.

The choice screen will display 12 of the most used browsers in random order, with the top 5 highest ranked browsers displayed randomly in the first positions. The idea behind the settlement is to prevent monopoly holdings for any one vendor and create a fair presentation of consumer options, but this top 5 configuration will obviously give the bigger guns a better aim at end user installment. Internet Explorer, as a major holder of the browsing community, will then always be listed in the first few slots.

So, what will user reaction be to all this? I’m guessing more confusion than anything else. Part of the update being sent out will allow IE to be turned off, it will “unpin” the IE icon from the taskbar and, where IE is turned off, “no icons, links or shortcuts or any other means will appear within Windows to start a download or installation of Internet Explorer.” (microsoft commitments document) Then users will be given a choice to select their browser.

I know that some people need to be presented their options in a supermarket fashion, like side by side sodas in the snacks aisle, where Coke is next to Pepsi and the generic version, but I don’t think this is an ultimate solution to the problem. For the less clueful users who “just want to get on the internet”, this may just create problems. Those same users, who are now presented with a browser lineup, may not understand or try to understand what their options actually are. In all likelihood they will recognize Internet Explorer from the list given them and click on install without reading the additional information.

For the users who already understand the choice of browser usage, they have already made their choice. They don’t need any more education and, likely not having IE as their default browser, won’t see the new choice screen. Efforts like this to change bias will likely be ineffective in producing real change or raising awareness to the right people. The bias of users comes from long term ignorance, disinterest, marketing inundation, and comfort level on the internet. None of this will be reversed by what many users will just view as more pop ups.

Matt Sully
Threat Research & Analysis

Microsoft On the Issues

Reblog this post [with Zemanta]

The Enemy Within

Two weeks ago, users of AVG’s virus scanner awoke to a nasty surprise: their supposed security software had been updated to identify the file named user32.dll as malicious. Those people most keen to protect their computer systems followed the instructions as directed and deleted the file – only to find that they were now stuck in an endless cycle of reboots.

User32.dll is a core Windows file; and not, as identified by AVG, a Trojan Horse named PSW.Banker4.APSA or Generic9TBN. This is not the first time AVG has struggled with misidentifying Malware, nor is it the first time an Anti Virus company has recommended users remove core Windows files.

In December of last year, Anti Virus company Kaspersky Labs decided that a Virus existed within Windows Explorer, the graphical user interface for Windows itself. Thankfully, Kaspersky managed to catch the error before the damage was too widespread; though, I imagine the employees at the UK enterprise that was affected would tell a different story.

Even Microsoft is guilty of such casual coding. In 2007, Microsoft’s OneCare, an Anti Virus product, when used with Internet Explorer 7, was flagging Google’s Gmail as a Virus. Even Microsoft’s own product weren’t safe, with OneCare regularly quarantining or deleting all of the email in a user’s inbox.

AV companies tout their wares as the silver bullet for personal protection. You know this isn’t true. I know this isn’t true. So, why doesn’t everybody else?

It was bad enough that the generic, non-technical computer user didn’t know that his Anti Virus software is only protecting him from a small percentage of modern threats. Now we also have to let them in on the secret that their “protection” might sometimes do more harm than good.