Showing posts with label Hackers.

October 23, 2017

Cybersecurity Vulnerabilities Database

There is a very useful article in Bloomberg about how the U.S. is taking too long to publish cybersecurity vulnerabilities. 

And the longer we take to publish the vulnerabilities with the patch/fix, the more time the hackers have to exploit them!

Generally, the U.S. is lagging China in publishing the vulnerabilities by a whopping 20 days!

Additionally, China's database has thousands of vulnerabilities identified that don't appear in the U.S. version. 

Hence, hackers can find the vulnerabilities on the Chinese database and then have almost three weeks or more to target our unpatched systems before we can potentially catch up in not only publishing but also remediating them. 

Why the lag and disparity in reporting between their systems and ours?

China uses a "wider variety of sources and methods" for reporting, while the U.S. process focuses more on ensuring the reliability of reporting sources--hence, it's a "trade-off between speed and accuracy."

For reference: 

The Department of Commerce's National Institute of Standards and Technology publishes the vulnerabilities in the National Vulnerability Database (NVD).

And the NVD is built off of a "catalog of Common Vulnerabilities and Exposures (CVEs) maintained by the nonprofit Mitre Corp."

Unfortunately, when it comes to cybersecurity, speed is critical.

If we don't do vastly better, we can be cyber "dead right" before we even get the information that we were vulnerable and wrong in our cyber posture to begin with.  ;-)

(Source Photo: Andy Blumenthal)

October 23, 2016

Your Score Is Your Life

Absolutely fascinating article in the Washington Post

China is working on a plan to use big data to score people on their social behavior. 

Every interaction you make in life either increments or decrements your social score. 

Your social score determines how trustworthy you are. 

The social score would vacuum up data from the "courts, police, banking, tax, and employment records."

People in service professions like teachers, doctors, and businesspeople could be scored for their professionalism. 

Doing positive social actions like caring for the elderly earns you added points, and doing negative social actions like DUI or running a red light subtracts points from your score. 

As the score includes more and more data feeds over time, you could eventually be scored for doing your homework, chores in the home, how you treat your wife and children, the community service you do, how hard you perform at work, how you treat people socially and on dates, whether you are fair in your business dealings and treat others well, whether you do your religious duties, and so on. 

People can get rated for just about everything they do.

And these ratings get aggregated into your social score. 

The score is immediately available to everyone, so they know how good or bad you are on a scale of 1 to 1,000.

If you think people are stressed out now, can you imagine having to worry about everything you do and how you will be rated for it and how it can affect your score and your future? 

If you have a bad score, say goodbye to opportunities for education, employment, loans, friends, and marriage prospects. 

Imagine people held hostage by others threatening to give you a bad score because they don't like you, are racist, or for blackmail. 

What about society abusing this power to get you to not only follow positive social norms, but to enforce on you certain political leanings, religious followings, or policy endorsements. 

Social scores could end up meaning the ultimate in social control. 

Personal scores can manipulate your behavior by being rewarding or punitive and rehabilitative to whatever end the scoring authorities dictate. 

Moreover, hackers or the people who control the big data machinery could destroy your life in a matter of milliseconds. 

So this is what it comes down to: You are your score!

Play along and do what you are told to do...you are the Borg and you will follow. 

Conform or you are dead by number!

Transparency is everywhere. 

Pluses and minuses every day. 

What is my score today? 

Today, I am desirable and successful, and tomorrow, I am disregarded and a loser. 

Please don't kill my score.

Please don't destroy me. 

Please, I will be socially good. 

Please, I will not resist. ;-)

(Source Graphic: Andy Blumenthal)


August 24, 2015

My Ashley Madison

So Ashley Madison is now a well-known adulterous website, particularly after hackers stole 37 million records on the site participants, and have released that information to the public.

These tens of millions of users seek companionship for loveless or sexless marriages or perhaps are just plain liars and cheaters--who knows? 

But yikes, now everyone knows!

Huffington reports that divorce lawyers are anticipating a deluge of new clients seeking divorces.

And BBC reports that two people have already taken their lives in Canada as a result of the release. 

What is incredible as well are the 15,000 people who used their .gov or .mil accounts presumably to hide their infidelity from their spouses, but now are in potentially huge trouble with their government agencies.

I assume that Ashley Madison prided themselves on their discretion in handling their clients' accounts, but lo and behold, the discretion is for naught, compliments of some very naughty hackers. 

Privacy is becoming a very lonely and meaningless word whether you are faithful or a cheater--it's all open fodder on the net. ;-)

(Source Photo: Andy Blumenthal)

February 13, 2015

tURNING yOUR dEVICE aGAINST yOU!

So interesting article in BBC about Samsung's "Listening TV."

This TV has voice activated controls and they don't just take commands, but...


"If your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party."


So aside from hackers (and spies) being able to turn your phone and computer mics, cameras, and GPS location data on and off to surveil and eavesdrop on you, now the dumb television set can listen in as well. 


You can be heard, seen, and found...whether you know it or not. ;-)


(Source Photo: Andy Blumenthal with eyes and ears from here and here with attribution to Firas and Simon James)


November 23, 2014

Data 4 Ransom

The future of cybercrime will soon become the almost routine taking of your personal and corporate data as hostage. 

Once the hacker has control of it, with or without exfiltration, they will attach malware to it--like a ticking time bomb.


A simple threat will follow:


"I have your data. Either you pay for your data back unharmed OR your data will become vaporware! You have one hour to decide. If you call the authorities, your data is history."


So how valuable is your data to you?  


- Your personal information--financial, medical, legal, sentimental things, etc.


- Your corporate information--proprietary trade secrets, customer lists, employee data, more.


How long would it take you to reconstitute if it's destroyed?  How about if instead it's sold and used for identity theft or to copy your "secret sauce" (i.e. competitive advantage) or maybe even to surpass you in the marketplace? 


Data is not just inert...it is alive!


Data is not just valuable...often it's invaluable!


Exposed in our networks or the cloud, data is at risk of theft, distortion, or even ultimate destruction. 


When the time comes, how much will you pay to save your data?


(Source Comic: Andy Blumenthal)


October 20, 2014

Shining A Light On Your Privacy


Check out this special report...

~Half a billion downloads of the top 10 flashlight apps--the ones we all have on our smartphones--and guess what?

All/most are malware/spyware from China, India, and Russia that are spying on you!

Your contacts, banking information, even your location, are being intercepted by hackers abroad.

The cybersecurity experts Snoopwall (who conducted this study and are offering a free open-source "privacy flashlight") recommend that you don't just uninstall these flashlight apps, because they leave behind trojans that are still functioning behind the scenes and capturing your information. 

So instead, doing a backup of key information and then a factory reset of the smartphone is advised.

Pain in the you know what, but these flashlight apps are shining a light and compromising your personal information.

Snopes points out that the flashlight apps may be no more vulnerable to spyware than other apps you download and that perhaps the screening process from the app stores helps to protect us somewhat.

When the cyber hackers decide to exploit those apps that are vulnerable, whether for political, military, or financial gain, it will likely be ugly and that flashlight or other app you use may prove much more costly than the download to get them. ;-)

(Thank you Betty Monoker for sharing this.)

October 3, 2014

Data Like Clouds

So data is like clouds...

Clouds want to be free roaming the wild blue skies similar to how data wants to be searchable, accessible, useful, and so on. 

But with data, like clouds, when it rains it pours--and when data blows about with the windstorm and is compromised in terms of security or privacy, then we not only come away wet but very uncomfortable and unhappy. 

Then, as we actually end up putting our data in the great computing clouds of the likes of Amazon, iCloud, HP, and more, the data is just within arm's reach of the nearest smartphone, tablet, or desktop computer. 

But just as we aspire to reach to the clouds--and get to our data--others less scrupulous (cyber criminals, terrorists, and nation states) seek to grab some of that oh so soft, white cloud data too.

While you may want to lock your data cloud in a highly secure double vault, unfortunately, you won't be able to still get to it quickly and easily...it's a trade-off between security and accessibility. 

And leaving the doors wide open doesn't work either, because then no one even needs an (encryption) key to get in. 

So that's our dilemma--open data, but secured storage--white, soft, beautiful clouds wisping overhead, but not raining data on our organizational and personal parades. ;-)

(Source Photo: Andy Blumenthal)

March 21, 2014

Safely Detonate That Malware


I like the potential of the FireEye Malware Protection System (MPS).

Unlike traditional signature-based malware protections like antivirus, firewalls, and intrusion prevention systems (IPS), FireEye is an additional security layer that uses a dynamic Multi-Vector Virtual Execution (MVX) engine to detonate even zero-day attacks from suspicious files, web pages, and email attachments. 

According to Bloomberg Businessweek, Target's implementation of FireEye detected the malware attack on Nov 30, 2013 and alerted security officials, but allegedly "Target stood by as 40 million credit card numbers--and 70 million addresses, phone numbers, and other pieces of personal information--gushed out of its mainframes" over two weeks!

In fact, FireEye could've been set to "automatically delete [the] malware as it's detected" without human intervention, but Target's team apparently "turned that function off."

FireEye works by "creating a parallel computer network on virtual machines," and before data reaches its endpoint, it passes through FireEye's technology. Here the files are "fooled into thinking they're in real computers," so they can be scanned and attacks spotted in safe "detonation chambers."

Target may have been way off target in the way they bungled their security breach, but using FireEye properly, it is good to know that attacks like this potentially can be thwarted in the future. ;-)

[Note: this is not an endorsement of any product or vendor]

March 8, 2014

Security Is A Joke!


Fascinating video with Dan Tentler on the Shodan Search Engine...which CNN calls the "scariest search engine on the Internet."

The search engine crawls the Internet for servers, webcams, printers, routers, and every type of vulnerable device you can imagine.

It collects information on more than 500 million devices per month and that was as of last year, so it's already probably a lot more.

Tentler shows the unbelievable amount and types of things you can access with this, including our critical infrastructure for the country--from utilities to traffic lights, and power plants:

- Private webcams
- Bridges
- Freeways
- Data Centers
- Polycoms
- Fuel cells
- Wind farms
- Building controls for lighting, HVAC, door locks, and alarms
- Floor plans
- Power meters
- Heat pump controllers
- Garage doors
- Traffic control systems
- Hydroelectric plants
- Nuclear power plant controls
- Particle accelerators
- MORE!!!!

Aside from getting information on the IP address, description of the devices, locations (just plug the longitude and latitude into Google for a street location), you can often actually control these devices right from YOUR computer!

The information is online, open to the public, and requires no credentials.

- "It's a massive security failure!"

- "Why is this stuff even online?"

Where is our cyber leadership????

>>>Where is the regulation over critical infrastructure?

If there is a heaven for hackers, this is it--shame on us. :-(

February 21, 2014

Can You Trust Social Media?

Interesting article in BBC about a project underway to develop a system that will rate information on the Internet as trustworthy or not. 

Considering how quickly we get information from the Net and how easy it is to start crazy rumors, manipulate financial investors, or even cause a near panic, it would be good to know whether the source is legitimate and the information has been validated. 

Are we simply getting someone mouthing off on their opinions or what they think may happen or perhaps they are unknowingly spreading false information (misinformation) or even purposely doing it (disinformation)?

Depending how the Internet is being used--someone may be trying to get the real word out to you (e.g. from dissidents in repressive regimes) or they may be manipulating you (e.g. hackers, criminals, or even terrorists). 

To have a reliable system that tells us if information being promulgated is good or not could add some credibility and security online. 

What if that system though itself is hacked? Then lies can perhaps be "verified" as truth and truth can be discredited as falsehood. 

The Internet is dangerous terrain, and as in life in general, it is best to take a cautious approach to verify source and message. 

The next cyber or kinetic attack may start not with someone bringing down the Internet, but rather with using it to sow confusion and disarm the masses with chaos. ;-)

(Source Photo: Andy Blumenthal)

January 25, 2014

Remodulate The Shields For Cyber Security


I really like the concept for Cyber Security by Shape Security.

They have an appliance called a ShapeShifter that uses polymorphism to constantly change a website's code in order to prevent scripted botnet attacks--even as the web pages themselves maintain their look and feel.  

In essence they make the site a moving target, rather than a sitting duck. 

This is like Star Trek's modulating shield frequencies that would prevent enemies from obtaining the frequency of the shield emitters so they could then modify their weapons to bypass the shield and get in a deadly attack. 

In real life, as hackers readily change their malware, attack vectors, and social engineering tactics, we need to be agile and adapt faster than the enemy to thwart them. 

Changing defense tactics has also been used by agencies like Homeland Security to alter screening methods and throw potential terrorists off from a routine that could be more easily overcome.

I think the future of IT Security really lies in the shapeshifter strategy, where the enemy can't easily penetrate our defenses, because we're moving so fast that they can't even find our vulnerabilities and design an effective attack before we change it and up our game again.  

And hence, the evil Borg will be vanquished... ;-)
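To make the "moving target" idea above concrete, here is an added example (my own illustration, not Shape Security's code): a server that renames a login form's fields with random aliases on every request and keeps the alias-to-real mapping under a single-use token. A scripted bot that posts last week's static field names, or replays an old form, is rejected; a browser that echoes back the names it was served gets through. All names and values are hypothetical.

```python
import secrets
from typing import Dict, Iterable, Tuple


class PolymorphicForm:
    """Serve a form whose field names differ on every request.

    Real field names (e.g. 'username') are replaced with random aliases
    before the page is sent; the alias->real mapping is kept server-side
    under a single-use token embedded in the form. A script that posts
    the original static names, or replays an old form, is rejected,
    while a browser that echoes back the fields it was served succeeds.
    """

    def __init__(self) -> None:
        # token -> {alias: real_name}. A production system would keep this
        # in a session store with an expiry, not an in-memory dict.
        self._served: Dict[str, Dict[str, str]] = {}

    def render(self, real_fields: Iterable[str]) -> Tuple[str, Dict[str, str]]:
        """Return (token, {real_name: alias}) for one fresh copy of the form."""
        token = secrets.token_hex(16)
        real_to_alias = {real: "f_" + secrets.token_hex(8) for real in real_fields}
        self._served[token] = {alias: real for real, alias in real_to_alias.items()}
        return token, real_to_alias

    def submit(self, token: str, posted: Dict[str, str]) -> Dict[str, str]:
        """Translate a submission back to real names; reject stale or mismatched posts."""
        mapping = self._served.pop(token, None)  # single use: a replay finds nothing
        if mapping is None:
            raise ValueError("unknown or already-used form token")
        if set(posted) != set(mapping):
            raise ValueError("field names do not match the form that was served")
        return {mapping[alias]: value for alias, value in posted.items()}


def browser_login(form: PolymorphicForm) -> Dict[str, str]:
    """A real client: fetch the form, then fill in whatever names it was served."""
    token, real_to_alias = form.render(["username", "password"])
    # Constructed sample credentials for the demonstration only.
    posted = {real_to_alias["username"]: "alice", real_to_alias["password"]: "hunter2"}
    return form.submit(token, posted)


def scripted_bot_login(form: PolymorphicForm) -> bool:
    """A bot hard-coded against an old copy of the page posts the static names
    it memorised and ignores what it was served. Returns True only if accepted."""
    token, _ = form.render(["username", "password"])
    try:
        form.submit(token, {"username": "alice", "password": "hunter2"})
        return True
    except ValueError:
        return False


def replay_login(form: PolymorphicForm) -> bool:
    """Reuse a form token after it has already been consumed. Returns True only if accepted."""
    token, real_to_alias = form.render(["username", "password"])
    posted = {alias: "x" for alias in real_to_alias.values()}
    form.submit(token, posted)  # first use succeeds
    try:
        form.submit(token, posted)  # second use is refused
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    f = PolymorphicForm()
    print("browser:", browser_login(f))
    print("static-name bot accepted:", scripted_bot_login(f))
    print("replay accepted:", replay_login(f))
```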

March 29, 2013

Catching More Flies With Honey

There's an old saying that you can catch more flies with honey than with vinegar. 

And this is true in cyberspace as well...

Like a honey pot that attracts cyber criminals, organizations are now hiring "ethical hackers" to teach employees a lesson, before the bad guys teach them the hard way. 

The Wall Street Journal (27 March 2013) reports that ethical hackers lure employees to click on potentially dangerous email links and websites, get them to provide physical access to data centers and work site computers, or give up passwords or other compromising information through social engineering.

The point of this is not to make people feel stupid when they fall for the hack--although they probably do--but rather to show the dangers out there in cyberspace and to impress on them to be more careful in the future. 

One ethical hacker company sends an email with a Turkish Angora cat (code-named Dr. Zaius) promising more feline photos if people just click on the link. After sending this to 2 million unsuspecting recipients, 48% actually fell for the trick and ended up with a stern warning coming up on their screen from the cyber security folks. 

Another dupe is to send a faux email seemingly from the CEO or another colleague so that they feel safe, but with an unsafe web link, and see how many fall for it. 

While I think it is good to play devil's advocate and teach employees by letting them make mistakes in a safe way--I do not think that the people should be named or reported as to who fell for it--it should be a private learning experience, not a shameful one!

The best part of the article was the ending from a cyber security expert at BT Group who said that rather than "waste" money on awareness training, we should be building systems that don't let users choose weak passwords and don't care what links they click--they are protected!

I think this is a really interesting notion--not that we can ever assume that any system is ever 100% secure or that situational awareness and being careful should ever be taken for granted, but rather that we need to build a safer cyberspace--where every misstep or mistake doesn't cost you dearly in terms of compromised systems and privacy. ;-)

(Source Photo: Dannielle Blumenthal)

January 10, 2013

One-Two-Three Punch For Cyber Security

Here are three crafty ideas for improving our cyber security that can be used to protect, prevent, and recover from attacks:

1) Intrusion Deception (not detection)--Mykonos Software aims to protect websites by putting up a virtual minefield--"setting traps to confound hackers." When the software detects hackers trying to infiltrate, it can flood hackers with false information on vulnerabilities that goes nowhere, mess with the hackers' computers, such as by popping up flashing maps of their locations and local defense attorneys, and disrupt their connections and slow down their hacking attempts (Bloomberg BusinessWeek).

2) Scamming The Scammers--Notorious email spams such as from Nigeria that look to ensnare victims into wiring money overseas in order to secure some lost fortune cost $9.3 billion in losses in 2009. Psychology professors Chris Chabris and Daniel Simons suggest that we can prevent many scammers from succeeding by raising the cost of their doing business by scamming them with "baiters" that send responses to scammers and occupy them but never actually send any money. They suggest that artificial intelligence could actually be used to create "automated scam-baiters bots" simulating potential gullible victims. These bots could even be programmed to provide phony account numbers and data to scammers to really get them spun up. (Wall Street Journal)

3) Insuring Against Losses--Insurance is a common way to manage risk by purchasing coverage for potential liabilities--this is used to indemnify against losses for everything from auto accidents to home fires, personal theft, and business interruptions. However, according to Bernard Horovitz, CEO of XL Insurance's Global Professional Operations, businesses (and of course, individuals) are rarely covered by insurance for hacker attacks. Insurance companies are now offering specialty products to cover these liabilities. Additionally, the insurers will "help with preventing and mitigating cyber crime" through security audits. (Wall Street Journal)

These three cyber security strategies are great examples of how we can make it technically and financially more difficult for cyber attackers to succeed in getting in a knockout punch on their victims. ;-)

(Source Photo: Minna Blumenthal)


December 3, 2012

The Information High



A new article by Andy Blumenthal called "The Information High" at Public CIO Magazine (29 November 2012).

"In addition to being slaves to our things--including technology gadgets--we are also addicted to the data and information they serve up."

Hope you enjoy! ;-)

Andy

(Source Photo: Andy Blumenthal)


February 3, 2012

Online Presence, Your Calling Card

In the age when Facebook has surpassed 800 million users, I still often hear people say that they don't like to join social networks or put any information about themselves on the Internet. 

Whether or not their apprehensions about their privacy being compromised are justified or whether they feel that "it's simply a waste of time" or that they "just don't get it," the impetus for us all to establish and nurture our online presence is getting more important than ever. 

In the competition for the best jobs, schools, even mates, and other opportunities, our online credentials are becoming key.

We've heard previously about employers checking candidates' backgrounds on the Internet and even bypassing candidates or firing employees for their activities online.  

Numerous examples of people badmouthing their companies or bosses have been profiled in the media and even some politicians have been forced out of office--remember "Weinergate" not too long ago?

Now, not only can negative activities online get you in trouble, but positive presence and contributions can get you ahead.

The Wall Street Journal (24 January 2012) reports in an article titled No More Resumes, Say Some Firms that companies are not only checking up on people online, but they are actually asking "applicants to send links representing their web presence" in lieu of resumes altogether. 

What are they looking for:

- Twitter Accounts
- Blogs
- Short Videos
- Online Surveys/Challenges


The idea is that you can learn a lot more about someone--how they think and what they are like--from their history online than from a resume snapshot.

Of course, many companies still rely on the resume to screen applicants, but even then LinkedIn with over 135 million members is sometimes the first stop for recruiters looking for applicants.

Is everything you do and say online appropriate or "fair game" for people screening, or is this going over some sacred line that says that we all have professional lives and personal lives and what we do "when we're off the clock" (as long as you're not breaking any laws or doing something unethical) is no one's darn business?  

The problem is that when you post something online--publicly--for the world to see, can you really blame someone for looking?  

In the end, we have to be responsible for what we disclose about ourselves and demonstrate prudence, maturity, respect, and diplomacy, perhaps that itself is a valid area for others to take into account when they are making judgments about us. 

When it comes to children--parents-beware; the Internet has a long memory and Facebook now has a "timeline", so don't assume everyone will be as understanding or forgiving for "letting kids be kids."

One last thought, even if we are responsible online, what happens when others such as hackers, identity thieves, slanderers, those with grudges, and others--mess with your online identity--can you ever really be secure? 

Being online is no longer an option, but it is certainly a double-edged sword. 

(Source Photo: here; Image credit to L Hollis Photography)


October 13, 2011

Increase Security On Your Google Account

After reading the article Hacked! in The Atlantic (November 2011), I looked into Google's new security feature called 2-Step Verification (a.k.a. Two Factor Authentication).

This new extra layer of security--adding "something you have" to "something you know"--to your sign in credentials helps to better protect you and your information in Google (i.e. in the Google cloud), including your emails, documents, and applications.

While it is a little extra work to log in to Google--you have to type in a verification code that Google sends or calls to your phone (this is the something you have)--it provides an extra layer of defense against hackers, criminals, and identity thieves.

To protect your smartphone, Google provides "Application-specific passwords" that you generate from the 2-Step Verification screen and then enter into the specific iPhone, Droid, or Blackberry device.

You can sign up for 2-Step Verification from your Google Account Settings page and help protect yourself, your information, and your privacy.

In the future, I hope that Google (and other cloud vendors) will improve on this and use biometrics, to add "something you are," to the authentication process and make this even sleeker and more secure yet.

Stay safe out there! ;-)


January 22, 2011

When My Friend Got Hacked

True story.

So an old friend of mine had his account hacked on Facebook.

And the hacker is sending chat messages to my friend’s Facebook contacts—like me—pretending to be him—with his picture and name and all his online information.

He says that he is stuck in London, just got mugged—at gunpoint—losing his money and phone and needs my help.

At first, I’m thinking oh crap; my friend is in trouble and needs me. Then, I’m like wait a second, he’s pulling my leg. So I ask “are you joking?”

The hacker—pretending to be my friend—continues how it was such a terrible experience, but thank G-d they are still alive.

I’m on the other end of this chat—and questioning now if this person is really who they say they are—despite the REAL picture and profile.

I ask who are you with?

The hacker replies with the name of my friend’s wife. Her real name!

And the hacker continues with the mugging story and how they are leaving in a few hours for their return flight to the States, but need help.

Ok, I am happy to help my friends, but I want to know this is really my friend. Behind the scenes, I am contacting other mutual friends, family and so on to verify this story and resolve this.

On the chat, I ask—can you tell me something that only the two of us would know?

The hacker starts flipping out and gives me "?!?!?!...."

I repeat my question and ask if the hacker understands.

The hacker responds that they do.

And then, ignoring my questioning, the hacker proceeds with the storyline, asking me to wire money and saying that it will be okay, because they will need identification to retrieve the wire.

Now I ignore the hacker’s request and go back to my question about who this person on the other end of the chat really is.

No response.

"U there?"

Hacker is offline...for now.



April 2, 2008

Hacker Camps and Enterprise Architecture

One of the perspectives of the enterprise architecture is Security. It details how we secure the business and technology of the organization. It includes managerial, operational, and technical controls. From an information security view, we seek confidentiality, integrity, availability, and privacy of information.

Who are we protecting the enterprise from in terms of our information security? From hackers of course!

How do we protect ourselves from hackers? By teaching our security professionals the tricks of the trade—teach them how to hack!

The Wall Street Journal, 1 April 2008, reports that “Hacker Camps Train Network Defenders: Sessions Teach IT Pros to Use Tools of the Online Criminal Trade.”

“In such sessions, which cost about $3,800, IT pros typically spend a week playing firsthand with the latest underground computer tools. By the end of the week, participants are trained as ‘ethical hackers’ and can take a certification test backed by the International Council of Electronic Commerce Consultants.”

“Overall more than 11,000 people have received the ‘ethical hacker’ certificate since 2003; nearly 500 places world-wide offer the training.”

Why do we need to teach these hacking tools to IT security professionals?

They need to understand what they’re up against so they can more effectively plan how to protect against the adversary. Know thy enemy!

How large is the IT security issue?

“The average large U.S. business was attacked 150,000 times in 2007…the average business considered 1,700 of these attacks as sophisticated enough to possibly cause a data breach. In addition, the number of unique computer viruses and other pieces of malicious software that hackers tried to install on computers and IT networks doubled to 500,000 last year from 2006…[and it’s expected] to double again in 2008.”

It’s great that we are advancing the training of our information security champions and defenders, but what about those who take the course, but are really there to learn hacking for the sake of hacking? How many of the 11,000 ‘ethical hackers’ that have been trained are really ethical and how many are using their newfound knowledge for more nefarious ends?

From an enterprise architecture standpoint, we need to ensure that we are not giving away the keys of the kingdom to anyone, including our own IT security staff—through hacker training. Also, we need to be careful not to rely on any one individual to maintain the security order of things. We need to plan our security using a system of checks and balances, just like the constitution lays out for the governance of the nation, so that even the chief information security officer (CISO) is accountable and has close oversight. Finally, we need to institute multiple layers of defense to work as best we can to thwart even the determined hackers out there.

December 11, 2007

Information Security and Enterprise Architecture

Information security is generally considered a cross-cutting area of enterprise architecture. However, based on its importance to the overall architecture, I treat information security as its own perspective (similar to performance, business, information, services, and technology).

According to the Wall Street Journal (WSJ), 11 December 2007, professional hackers are getting smarter and more sophisticated in their attacks and this requires new IT tools to protect the enterprise. Here are some of the suggestions:

  1. Email scams—“hackers have responded to improved filtering software and savvier population by aiming their attacks at specific individuals, using publicly available information to craft a message designed to dupe a particular person or group of people.” In response, organizations are installing antivirus and antimalware software from multiple vendors to increase the chance that an attack that gets by one security software product will be stopped by one of the others. These products can be obtained from vendors like Sophos, Sybari, Microsoft, Symantec, and McAfee.
  2. Key loggers—“one common form of malware is a key logger, which captures the user names and passwords that an unsuspecting computer user types, and then sends these to a hacker.” However, software from Biopassword Inc. can thwart this by recording employees’ typing rhythms, so that even a hacker who knows a username and password is denied access if he types too fast or too slow.
  3. Patrolling the network—hackers who get past the firewall often have free rein to roam once inside the network. However, CoSentry Networks Inc. has a product that imposes controls on where a user can go on the network, so even someone with a valid login will be prevented from snooping around the network or accessing information from an unapproved location.
  4. Policing the police—one of the biggest threats to an enterprise is from the insiders, employees who have access to the systems and information. Software from Application Security Inc., however, monitors access, changes, repeated failed logins, and suspicious activity and notifies the designated security officer.

From a user-centric EA standpoint, information security is paramount to protect the enterprise, its mission execution, its employees, and stakeholders. As the WSJ points out, “breaches of corporate computer security have reached epidemic proportions. So far this year more than 270 organizations have lost sensitive information like customer credit-card or employee social security numbers—and those are just the ones that have disclosed such incidents publicly.” EA must help the chief information security officer to identify these enterprise security threats and select appropriate countermeasures to implement.

