MX Logic

MX Logic » MX Logic IT Security Blog

26 September 2007

October is National Cyber Security Awareness Month

The following was taken from the National Cyber Security Alliance website:

--------------------

The National Cyber Security Alliance (NCSA), a consortium of government agencies and private industry sponsors, is proud to designate October 2007 as National Cyber Security Awareness Month (NCSAM).

National Cyber Security Awareness Month is a national campaign designed to increase the public's awareness of cyber security and cyber crime issues so that users can take precautions to avoid these threats on the Internet.

--------------------

So throughout the month of October I will focus my blog postings not only on security awareness, but also on points to consider when implementing a successful security awareness program in your organization.

Stay tuned for more to come over the next few weeks. I hope you all find the information useful!

Posted by smasiello at 1:43 PM

21 September 2007

The Power of the Web Borne Threat

We've been talking quite a bit lately about the move from "push" based malware to "pull" based. So I figured it was time to dedicate a full blog posting to it and its significance.

Again, pull based malware is generally web site hosted malware where the user "pulls" the content from the web site by virtue of visiting the site with their web browser.

This type of malware is especially dangerous for a couple of reasons:

-- It evades attachment filtering techniques (there is no email attachment; the content comes via a web site link)
-- The user generally has no idea that the site they visited is malicious
-- Hackers can employ technologies like server side polymorphism to repack binaries for every download, thus rendering traditional signature based anti virus engines useless

We are starting to see more and more instances of common web site compromises where users can get infected without any lure (for example, the 1st Congressional District GOP of Wisconsin was reported as compromised about a week ago by the same group that brought us the Storm Worm). In general, however, these types of infections are still the exception, not the norm.

Speaking of the Storm Worm gang, they have actually created a hybrid between push and pull infections for some of their variants. When launched, these variants look for a number of unpatched vulnerabilities on a victim's PC, and if they can't find any of the ones they are looking for, they direct the user to download and install the file manually. Even Vista's UAC system only provides rudimentary protection here. Since applications executed directly by the end user are considered trusted (Vista will ask you if you are sure you want to install the program, but who doesn't just click "Yes" to that prompt?), the user falls on their own sword and infects themselves. Nice, eh?

Typically when a user is being lured to a malicious web site multiple communication mediums are leveraged. Something has to let the user know that the site is available and accessible, right? That lure in many cases comes via email.

There is a distinct crossover between email and web defense solutions, such that the data collected from one can be used to make the other more effective, creating a synergistic relationship between the systems. At least for the foreseeable future, hackers are going to have to continue to use technologies like email in an attempt to get users infected. During that time, having a solution which monitors and protects not only your inbound mail flow but also your outbound web browsing activities provides an effective defense-in-depth solution against malware and fraud.
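
As an added illustration of this crossover (not MX Logic's code or a description of its product), the Python sketch below takes the URLs found in messages an email filter has already flagged and uses their hostnames to decide on outbound web requests, which does not depend on the signature of whatever binary the site serves. The sample messages, hostnames and function names are constructed for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample data: raw messages the email filter has already flagged.
FLAGGED_MAIL = [
    "From: a@sender.invalid\nSubject: You have received an ecard\n"
    "Content-Type: text/plain\n\n"
    "View your card at http://cards.lure-site.invalid/view.php?id=42 today.\n",
    "From: b@sender.invalid\nSubject: Video\n"
    "Content-Type: text/html\n\n"
    '<a href="HTTP://Media.Other-Lure.invalid:8080/codec.exe">Watch</a>\n',
]

def extract_hosts(raw_message):
    """Return the set of hostnames linked from the text parts of one message."""
    hosts = set()
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            host = urlsplit(url).hostname  # lowercased, port stripped
            if host:
                hosts.add(host.rstrip("."))
    return hosts

def build_blocklist(flagged_messages):
    """Email side: merge the lure hostnames from every flagged message."""
    blocklist = set()
    for raw in flagged_messages:
        blocklist |= extract_hosts(raw)
    return blocklist

def web_decision(url, blocklist):
    """Web side: block a request to a listed host or any subdomain of it."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        if ".".join(labels[i:]) in blocklist:
            return "block"
    return "allow"

if __name__ == "__main__":
    bl = build_blocklist(FLAGGED_MAIL)
    for u in ("http://cards.lure-site.invalid/new.html", "http://www.example.com/"):
        print(u, web_decision(u, bl))
```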

Posted by smasiello at 2:53 PM

17 September 2007

The Risk of Identity Theft

How at risk are you to be a victim of identity theft?

According to the folks over at the Privacy Rights Clearinghouse, approximately 165 million data records of U.S. residents have been exposed due to security breaches since January, 2005. In 2007 there have been 278 breaches reported, which account for over 75 million records.

Keep in mind that these numbers are for *reported* breaches by companies who are required to report such incidents. This only represents a small percentage of the number of businesses out there who might have your personally identifiable information.

Even if we take the 165M records number as being accurate, this means that we are all at roughly a 50% risk of having our identities stolen as a result of these breaches! Granted, the information obtained could vary greatly, from a hacker only obtaining your name and email address all the way to exposure of credit card numbers and your social security number. Both types are just as dangerous though. For example, if a hacker only obtains your name and email address, they could use that information to send legitimate looking phishing messages to your inbox in an effort to get the rest of what they want.

So, what to do if you believe that your identity might have been stolen? Privacy Rights Clearinghouse has a comprehensive guide posted on their website which discusses not only how to proactively stay on top of your credit (I would also recommend the Identity Theft Resource Center), but also things that you can do to prevent further damage from being done once your information does end up in the wrong hands.

One of the most important things to remember is that just because your data might have been compromised does not mean that you will be a victim of identity theft. Unfortunately, there is little that you can do to prevent this sort of thing from happening, but it is important to remain diligent in order to minimize how it will affect you.

Posted by smasiello at 1:41 PM

Hang On! It's going to be a wild ride!

It's going to be a wild last 3 months of the year for ISPs of all kinds.

Over the last 2-3 months we have seen over a 60% increase in mail traffic (mostly attributed to the Storm Worm and its many variants). Since the Christmas marketing season will soon be upon us I would not be surprised if internet email traffic at least doubled on top of where it is now before the year is out.

If you don't believe that you are equipped to handle this kind of additional load, NOW is the time to act!

Protect your mail infrastructure!

Protect your network!

Most of all, protect your business!

(We now return you to your regularly scheduled programming)

Posted by smasiello at 9:35 AM

13 September 2007

Underestimating the Insider Threat

The Computer Security Institute's annual Computer Crime and Security Survey reports that insider attacks are now surpassing computer viruses as the most common cause of security incidents within organizations. It also says, however, that the losses incurred are not significant. The fact that insider threats have surpassed viruses in prevalence makes sense to me, but the argument that damage is minimal does not. Companies have been fighting the virus wars for years now. Granted, insider espionage has been a potential issue for much longer than computer viruses, but it has generally not received the same level of attention.

It is estimated that a little less than one third of all security incidents are the result of an insider, whether the incident was a result of malicious intent or an honest mistake. What is not accounted for here, however, is the ease with which insiders can obtain potentially damaging company confidential information. Some users have access to it by default as a result of their position within an organization. Others gain access by finding security weaknesses within the company's infrastructure. Either way, I believe that the reason companies are saying that the resulting losses from the insider threat are not the biggest cost is because they don't know how to estimate the damage.

Do they know how much data was really altered/copied/deleted? Do they have a good idea as to how much that data is really worth? Are the values being underestimated because they don't want to lose face in their respective industries? Do they not want to give their competitors ammunition to use against them? Do they not want their customers to lose confidence in them as a provider of a good or a service?

I think all of those are valid points to consider, but the real question at the root of the entire issue is not "Will you have a security incident?" but rather "When will you have a security incident?", and are you equipped to respond?

We generally spend so much time trying to make sure that the bad guys can't get in from the outside, but we need to also consider the possibility that they are already "in" and have been for quite some time.

Do not underestimate the insider threat and the ease with which insiders can cause damage to your organization. Chances are that someone who may cause either inadvertent or intentional data leakage/deletion already has access to the information they need. They don't have to break in or be sneaky to get it.

Posted by smasiello at 8:49 AM

© MX Logic, Inc.
All Rights Reserved.
