STE WILLIAMS

93% of large organisations had a security breach last year

A new survey commissioned by the UK Government’s Department for Business, Innovation and Skills (BIS) has revealed the scale of cyber attacks on UK companies.

The 2013 Information Security Breaches Survey, which collected data from 1,402 respondents, presented results for large organisations (in excess of 250 employees) and small firms (fewer than 50 members of staff).

One of the key findings of the report was the level of attacks sustained by businesses – with breaches reaching record levels. The survey discovered that 93% of large organisations experienced a security breach last year, a figure that is broadly in line with 2012 reports. Smaller businesses, however, saw a marked increase in the number of attacks levied against them. Some 87% of smaller firms reported experiencing a data breach last year, which is up significantly from 76% the previous year.

An average of 113 security breaches

The number of security breaches within each of the affected companies also showed a sharp increase. Larger companies experienced an average of 113 breaches and smaller firms reported 17 such incidents, an increase across the board of almost 50% year on year.

It’s not only the number of breaches that has increased amongst survey respondents though – the financial impact has also risen. The survey concluded that the worst security breaches were costing large companies an average of £450,000 – £850,000 each. Smaller businesses typically experienced losses of between £35,000 – £65,000.

The survey determined that the attacks faced by businesses over the last year came from both outside and inside the organisation.

A whopping 78% of large organisations reported attacks from outsiders over the last year with 39% of those incidents being denial of service attacks. Smaller companies fared slightly better in both regards with 63% reporting outside attacks. The number of smaller firms which experienced a DoS attack was 23%.

The survey respondents did not just experience random attacks though – 14% of larger businesses reported the theft of confidential data or intellectual property by external attackers, while 9% of smaller firms experienced such losses too.

36% of the worst breaches down to human error

Insider threats also pose a risk to organisations though. The survey found that technology, people and processes were to blame in several cases. Of the worst security breaches during the year, 36% were attributed to human error. Alarmingly, an additional 10% of the reported security breaches were pinned on staff and their misuse of systems.

On a more positive note the survey discovered that attitudes towards information security are generally good and continually improving too.

The survey found that 76% of larger organisations believe that senior management place a high level of priority on information security. Interestingly, smaller firms were better, with 83% placing a strong emphasis on security.

It should be noted that while the vast majority of larger companies now have a written security policy in place, most respondents indicated that staff understanding of the policy is still relatively poor, which in turn leads to twice as many internal security breaches as in organisations where employees had a good understanding of the policy.

Another contributory factor with regards to internal breaches could be a lack of staff training. Survey respondents indicated that many large organisations only prioritised training after a breach. At the time of induction 10% of new staff were given no security training whatsoever and 42% of large firms failed to employ any kind of ongoing training in terms of security awareness.

Given the level of security incidents experienced by firms of all sizes it is not surprising to learn that many of those surveyed expected security spending to either stay the same in the coming year or to increase.

Larger organisations expect to spend more next year in customer data protection and compliance, but just how much a business spends on security seems to be highly dependent upon the outlook of senior members of the management team.

The survey ends by saying that the majority of firms believe that the number of breaches next year is likely to be higher. As per this year, attacks are expected in every industry though the public sector and financial services showed more concern than other sectors.

Dealing with security breaches

Respondents’ replies would suggest that the best course of action in dealing with security breaches, which will likely affect most companies this year, is to have a strong set of contingency plans in place. It would also be advisable to have an incident handling plan in place before a breach takes place rather than afterwards.

Likewise, training people in security best practices from day one is a sound investment. Good quality training is likely to minimise the risk of being the next company facing a PR challenge following a high profile security incident.

After all, bad publicity can have a very negative influence upon consumer trust in a business, a fact that has been borne out by another recent survey undertaken by Populus. That survey suggests that around one quarter of UK residents have had their online accounts hacked with a significant number of victims saying they would cease to do business with any entity that had been breached.

If you’d like to know more about the kind of threats we think your business will face in the coming year then download our freshly minted Security Threat Report 2014.

Image of London’s financial district courtesy of Shutterstock.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/X1RqISolywY/


UK firms to be "encouraged" to adopt upcoming security standard

The UK government minister responsible for cyber security issues, the Rt Hon Francis Maude, has released a statement and a pair of reports looking back over the first two years of the government’s Cyber Security Strategy and detailing further plans going forward.

UK Cyber Security Strategy - Report on progress

One of the key developments expected in the near future is the unveiling of a security standard for businesses, which early reports on Maude’s statement predicted would be a requirement for firms hoping to pick up government contracts.

Variously described as a “baseline”, a “kitemark” and a “badge”, the new standard is being developed in collaboration with the British Standards Institute, the Information Security Forum and other players, and is expected to be released publicly in March of 2014.

Those expecting the “Organisational Standard” to be mandatory for firms doing business with the government may be a little disappointed though, as the statement’s wording leaves plenty of wriggle-room to allow firms to avoid conforming.

While firms in general will be encouraged to adopt the standard, in government procurement compliance will be mandated only “where proportionate and relevant” – so, if anyone wants out and has enough clout, it’s likely they’ll be able to persuade the government to continue doing business with them.

A group of firms currently supplying the Ministry of Defence (MoD), including BAE Systems, Rolls Royce and HP, have shown willingness to adopt the standard when it is released, but again there seems to be no definite requirement of the sort imposed by the US Defense Department a few weeks ago.

Hopefully once the standard is finalised and released the rules regarding its use will be made stricter and less flexible.

There’s a lot more covered by the two reports, with the retrospective overview of progress highlighting the creation of the new National Crime Agency (NCA) and its cyber sub-division the National Cyber Crime Unit (NCCU), set up a few months ago, and its successes so far.

These include a number of high-profile international operations, as well as sending out an email warning people about Cryptolocker.

A number of other initiatives are mentioned, including information-sharing partnerships, the Centre for the Protection of National Infrastructure (CPNI) and its Cyber Risk Advisory Service for businesses, and the budding CERT-UK, as well as the recent banking simulation project known as “Operation Waking Shark 2”.

Looking forward, we can expect expansions and improvements in all these areas, plus new initiatives such as “kite-marking” of cyber security professionals and products. Police expertise will be increased, with half of the NCA’s 4000 staff expected to receive training in cyber investigation.

Education in general is a major theme, with new plans ranging from primary schools to universities and on into professional training and certifications.

A “major public awareness campaign” is planned for January 2014, with Sophos namechecked alongside Facebook and BT as partners in the project.

Just how successful some of these endeavors will be will of course depend on the details, with much of the information in these reports still fairly vague and non-committal.

Nevertheless, it’s good to see government making the right noises and putting some fairly considerable effort into cyber security in all sorts of areas.


Image of school kids courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VfS6cHkGe_U/


Protecting Brand and Data While Staying Social

While businesses continue to expand their use of social networking to manage their brand and increase productivity, only a minority of firms are attempting to offset the risks posed by the services.

The lack of focus on securing social networking is leaving companies vulnerable, say security experts. Only 18 percent of companies do a risk assessment of their use of social media, even though 84 percent worry about the risks, according to a recent survey.

Monitoring is an important part of detecting and responding to the business risks posed by social networks, says Bob Shaw, senior vice president for network-monitoring firm Net Optics, an Ixia company. Companies should monitor what customers are saying about the brand and what employees post under their corporate personas.

“There are no spots of the network that companies can leave as blind spots now,” says Shaw. “Businesses have to have visibility across their network and applications, including social media.”

There are three main threats posed by social networks. Because a business’s online presence and brand heavily relies on public postings, poor judgment on the part of employees or malicious postings by hacktivists or attackers can sully a company’s image. In addition, social networks are also a vector through which attackers can deliver attacks to specific employees. Finally, the networks also pose a data leakage risk, where workers can inadvertently or maliciously leak sensitive information about the company or themselves.

A good first step for most companies is to monitor social networks to gather information on the possible issues facing them and what the threats might be, says Caleb Barlow, director of security for IBM.

“If you are not monitoring both what your employees are saying and what your customers are saying, you run the risk of having your company debated and not having a seat at the table when that happens,” he says. Monitoring public posts to social networks can also help catch compromises of social networking accounts, albeit after the thief has caused problems.

While many companies are worried about the leakage of trade secrets or business data, they should also worry about the leakage of personal information about their employees, says Barlow. More than two-thirds of people share their birthday online, and almost half reveal their hometown, he says.

“You start taking all this information, and these are typically the challenge-response questions that protect many types of accounts,” Barlow says.

[Phishers favor emails that appear to be from LinkedIn friends or email systems, study says. See Study: Beware LinkedIn Invitations, Mail Delivery Messages.]

Yet the posting of proprietary data to social networking sites is perhaps the greater danger, says Adam Ghetti, founder and chief technology officer of Ionic Security, which protects data in the cloud. And, because they allow people to connect and share information, file-sharing services such as Box and Dropbox are another form of social networking that needs to be watched. When employees post information to those sites, they are adding a social aspect to the problem of data security, he says.

“They have made the data itself social, because they have uploaded it to a service where it is out of the view and control of the enterprise,” says Ghetti.

Companies need to take a multi-layer approach to defending against leaks to social networks and threats coming in from the networks, Ghetti says. Network-based monitoring is not enough, because cloud providers are increasingly using SSL to protect communications between the end user and their servers, which makes it difficult for network-only monitoring to inspect the content going to those social networks. Ghetti argues that companies have to take a data-centric approach to protect sensitive information no matter where it goes.

“Monitoring has to happen well before content gets to a social-media destination,” says Ghetti. “That monitoring has to take place in a clearly defined way so that it is not intrusive to the end user, it is not violating their privacy or personal life, but it is under the scrutiny of the enterprise when it is in a business context.”

Finally, the security measures should not add extra steps to employees’ work processes. Doing so only makes it more likely that the workers will try to work around the security, says Ionic’s Ghetti.

“Most circumvention is not maliciously intended, it’s purely just so that users can get their jobs done,” he says. “The security process in place is too high friction, so they go around it, and in doing so, they are leaking information.”

Monitoring can give companies visibility while not getting in the way of business, he says.


Article source: http://www.darkreading.com/monitoring/protecting-brand-and-data-while-staying/240164774

Ponemon Institute Reveals Results Of First Cybersecurity Salary Benchmarking Survey

Portland, OR — December 11, 2013 — SecureWorld Insight, a partnership with Ponemon Institute and SecureWorld Expo, today revealed the highlights of the “2013 Salary Benchmark Report,” kicking off a new series of quarterly cybersecurity research reports. This benchmark is the first to identify compensation for eight categories of information security staff – from CISOs to directors, managers and technicians – and key influencing factors.

The survey reveals higher average salaries than expected, with the top title of Chief Information Security Officer (CISO) earning an average annual base salary equivalent to the compensation of other C-level executives for 50% of the respondents. And this trend extends beyond the C-suite to all other levels. However, the report also finds that 43% of cybersecurity professionals rate their position as the most difficult one in the organization.

Surprise findings include the number one factor influencing salary: reporting channel. In fact those who report to the CEO make a significantly higher salary; however they are also at risk as the first to be fired. The data also confirms that the number one reason security staff leave an organization is compensation – and leads to the resulting conclusion that an organization’s biggest vulnerability may well be its own information security team, due to unfilled jobs and lack of funding.

Companies are heading into budgeting for 2014 facing an unprecedented threat landscape, extremely competitive environment and a limited pool of skilled cybersecurity talent. In response the SecureWorld Insight benchmarking report offers insights for IT, security and HR executives into how to hire and retain top cybersecurity talent and build information security teams.

Key findings from the study include:

Compensation varies widely based on the following factors, in order of highest impact:

Steps from the CEO / Reporting Channel: CISOs reporting to the CEO enjoy a 36% jump in average annual salary, followed by direct lines to the CFO, COO, CIO, CTO. Ironically, few actually report to the CEO and the majority (46%) report to the CIO.

Industry Sector: The Communications sector leads in average annual salary, followed by Financial Services, Services and 11 other categories; Health Pharma ranks lowest with Defense close by.

Organization Headcount: The biggest jumps in technicians’ average annual salary occur in organizations with more than 75,000 employees.

Geo Footprint: Organizations with a global footprint pay more than domestics.

Gender: In another surprise finding, men make only 5.5% more than women in the top security executive positions.

Certifications matter, but not as much as you think. Professionals with certifications earn only 8.7% more than those without; however, those with advanced degrees command up to 35% higher salary.

Lack of adequate funding is the biggest barrier to team success. Fifty-six percent of respondents cited lack of adequate funding as their biggest barrier to success, followed by IT complexity (42%) and lack of qualified personnel (41%). In fact only 8% report having cybersecurity teams of over 20 FTEs, with the majority operating with 6-15 FTEs.

The study also identifies trends related to the CISO position specifically, such as how many organizations have a CISO; how many have a formal reporting structure to the board; what metrics are used to determine the success or failure; and the seven critical career success factors.

The benchmark study was conducted to independently determine the annual salary of CISO-level executives in larger-sized companies (with 1,000 employees or more). A total of 133 companies and CISOs agreed to participate by providing confidential salary and benefits data collected with a survey instrument. In addition to their own data, respondents provided salary data for members of their IT security team.

The “2013 Salary Benchmark Report: Compensation and Role of Security Teams” report includes studies of eight categories of security staff: CISO, Director Level 1, Director Level 2, Manager Level 1, Manager Level 2, Technician, Supervisor, Staff/Admin.

Supporting Quotes

“In past years, organizations have commissioned us to produce salary studies for their own knowledge. We are now making this comprehensive report available to all organizations through SecureWorld Insight,” says Dr. Larry Ponemon. “As the market for top quality IT security professionals gets more competitive, this information becomes increasingly important to assure proper staff budgets and to avoid vulnerabilities that result from unfilled roles.”

“Security teams and HR professionals need salary benchmarking information to retain key staff and make offers to new team members,” added Michael O’Gara, president, SecureWorld. “We’re excited to have identified this gap and provide this benchmarking to IT professionals nationwide throughout our SecureWorld network.”

Resources and Links

Watch the Preview Video: http://secureworldinsight.com/

Purchase the Study: http://secureworldinsight.com/products/the-compensation-and-role-of-security-teams

Interviews Available Upon Request

About SecureWorld Insight

SecureWorld Insight, Powered by Ponemon, is a partnership with Ponemon Institute and SecureWorld Expo, combining SecureWorld’s nationwide reach with Ponemon Institute’s highly respected research. SecureWorld Insight provides unprecedented, highly targeted, relevant benchmarking to IT professionals across the country and beyond.

Article source: http://www.darkreading.com/management/ponemon-institute-reveals-results-of-fir/240164762

Christmas Warning: Kaspersky Lab Finds Gamers Attacked 11.7 Million Times In 2013

ABINGDON, England, December 13, 2013 /PRNewswire/ —

Just days after the launch of the PlayStation 4 and the Xbox One, Kaspersky Lab experts have discovered that PC gamers across Europe were hit by a massive number of attacks in 2013. Currently Kaspersky Lab knows 4.6 million pieces of gaming focused malware, with the total number of attacks facing gamers hitting 11.7 million globally. On average, users were hit by 34,000 attacks related to gaming malware daily. With Christmas coming up and hundreds of thousands expected to receive games as presents, Kaspersky Lab experts are recommending users take the right precautions.

Spanish gamers were the worst hit of all, as hackers made 138,786 attempts on them from 1 January to November 2013. Poland was in second with 127,509, followed by Italy on 75,080. Here’s the top-10 ranking of Europe:

1) Spain: 138,786

2) Poland: 127,509

3) Italy: 75,080

4) France: 47,065

5) Germany: 29,049

6) United Kingdom: 27,049

7) Ukraine: 22,220

8) Greece: 17,203

9) Romania: 13,778

10) Portugal: 7,458

Gamers face all kinds of different digital attempts on their systems.

Underground forums are riddled with cyber crooks selling access to people’s gaming accounts, such as the portal and marketplace Steam. The market for usernames and passwords is fuelled by attacks on the gaming companies themselves. Earlier this year, Kaspersky Lab detected a major espionage campaign on a range of massively multiplayer online games makers [http://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game ], with source code and other valuable data stolen.

Malware types target specific games, such as the hugely popular Minecraft.

Earlier this year, a fake Minecraft tool built with Java promised to give the player powers such as banning other users, but was stealing usernames and passwords in the background. When Grand Theft Auto V landed earlier this year, various sites offered fake downloads to access the record-smashing game for free. But when users tried to get the game, all they got was malware – a classic example of powerful names getting abused to lure victims into downloading malicious code.

Then there are the typical scams, like phishing. Slews of emails are sent around every time a big gaming launch happens, and at Christmas, attempting to lure users into handing over data or money with the promise of discounts or cheap gaming goods.

“We’ve just seen two of the biggest console launches ever, with the PlayStation 4 and the Xbox One. That means there will be more gamers for criminals to target, especially as the Sony and Microsoft machines increasingly use the Internet for a fuller gaming experience. And don’t forget the PC, still the most popular gaming platform and cyber crooks’ favourite target,” says David Emm, senior security researcher at Kaspersky Lab.

“As computer games continue to become an increasingly prominent and important part of our lives, and our culture, expect malicious actors to up the sophistication and the volume of their attacks on gamers. If people want to enjoy their new toys this Christmas, they have to be careful, as it’s clear they are facing a greater threat than ever.”

So gamers, especially anyone investing in a load of new games this Christmas, need to take the right precautions, investing in adequate protections and wising up to the range of threats they face. Here are Kaspersky Lab’s top five tips for gaming security:

1) Don’t click through on any offers that look too good to be true, whether from your inbox or on social networks like Facebook or Twitter. If an offer does come through that looks legitimate, ensure the sender is trusted before hitting a link or handing over any details. If in doubt, contact the official company the sender claims to be from.

2) Use strong and varied passwords across your gaming accounts. As we’ve seen this year, gaming companies get hacked and logins are leaked. If you don’t have different credentials, getting one set stolen means all your different accounts using that same password could be compromised. Consider investing in a password manager, as it will give you simple, smart protection.

3) Get a good quality anti-virus. With the rafts of gaming malware out there, and the increasing sophistication of the malicious software, you’ll need some level of protection against it. You’ll need AV that goes beyond signature-based detection to look at file reputation, if you want to stop the smartest malware getting on your system.

4) Be careful whom you befriend. It’s easy to make friends in virtual worlds today, but not all are doing so innocently. Beware anyone who asks for your personal details, as they may want to do more than just contact you.

5) Only download titles from legitimate sellers. If you’re downloading an illegal copy of a game, you aren’t just breaking the law. You’re risking getting malware on your machine, as crooks often disguise malicious software as game files.

About Kaspersky Lab

Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 15-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers.

Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at http://www.kaspersky.com.

Article source: http://www.darkreading.com/end-user/christmas-warning-kaspersky-lab-finds-ga/240164763

Easy Solutions Mobile Launched

Sunrise, FL – December 9, 2013 – Easy Solutions, the Total Fraud Protection company, today unveiled Easy Solutions Mobile, the only solution which transparently protects all of a financial institution’s mobile banking customers from a wide array of online threats, and provides analytics to assess risk levels by customer, and improve the security of the overall mobile customer base over time.

A recent Pew survey found that 32% of U.S. adults use mobile banking[1], a number that has grown steadily over the past two years, and is forecast to continue growing. This percentage is even higher in emerging-growth countries. A recent survey from Easy Solutions found that 44% of Latin American consumers now leverage mobile devices to perform banking transactions.

Easy Solutions Mobile combines native application malware protection with native integration of advanced strong authentication and mobile endpoint security, to deliver the most comprehensive, proactive security solution for mobile banking. The solution also offers the ability to qualify risk in the mobile banking customer base, providing data intelligence per device that can be leveraged for granular access control based on device risk factors.

“With the growth in mobile banking, cybercriminals are deploying increasingly complex fraud schemes targeting the mobile banking channel,” said Daniel Ingevaldson, CTO of Easy Solutions. “Banks and other financial institutions are looking for ways to gain deeper insights into this customer base, in order to establish mobile fraud and risk strategies that address the unique challenges associated with the mobile channel.”

Easy Solutions Mobile provides a multi-layered solution to help financial institutions protect their entire user base from mobile fraud, and harness analytics that help improve their mobile security posture across the customer base. Features include:

Intelligence and Analytics

Easy Solutions Mobile collects a broad range of data intelligence from the device – jailbroken/rooted device status, malicious apps, device type, OS, processor and more – to enable risk-scoring based on device profile or behavior. This risk scoring can be leveraged by the mobile banking application to reduce customer friction, require further authentication based on profile, and enable additional functionality. Easy Solutions Mobile provides the institution with the visibility needed to make decisions based on the mobile channel environment. For example, based on institutional policies, financial institutions can allow or reject certain activities performed through the mobile channel due to the secured or unsecured status of that device.

Embeddable Software for Mobile Apps

Embedding Easy Solutions Mobile in any mobile banking application protects the app itself from the expanding landscape of mobile threats, while simultaneously enabling advanced mobile capabilities such as hardware-based device ID, push authentication and notification, and collaborative protection. This eliminates the need for users to download unfamiliar third-party applications, and allows the financial institution to retain control over the complete end-user experience.

Device Identification

Easy Solutions Mobile provides hardware-based device identification that creates a persistent device ID to uniquely identify mobile devices. The device ID is recognized by the mobile banking app even after deletion and re-installation of the mobile app.

Push Authentication and Push Transaction Verification

Easy Solutions Mobile provides on-device protection and analytics as a foundation to leverage the mobile channel for a better OOB (out of band) experience. Easy Solutions Mobile includes powerful functionality to enable “push” authentication and transaction verification to tightly integrate the OOB experience into the financial institution’s own mobile app, while providing a much better user experience than SMS-based OOB.

Collaborative Protection

Easy Solutions Mobile detects, blocks, alerts and reports in real-time on infected devices and web pages that contain malware and other fraudulent content. It harnesses Easy Solutions’ Collaborative Protection, which gathers big data on any malicious process found on one device to provide fraud intelligence for the early detection and deactivation of sites hosting malware and attacks. This helps to reduce fraud and block phishing and pharming attacks across the entire customer population.

Easy Solutions Mobile is part of Easy Solutions’ Total Fraud Protection platform, which provides comprehensive fraud protection across all channels, and extended to the end-user. By combining cross-channel risk-scoring, transaction anomaly detection, multi-factor authentication, secure browsing, and detection and take-down services, Easy Solutions blocks criminals at all three phases of the fraud lifecycle – planning, launching, and cashing – while ensuring that authorized users can conduct business.

For more information on Easy Solutions Mobile, visit http://www.easysol.net/newweb/Products/easy_solutions_mobile


ABOUT EASY SOLUTIONS

Easy Solutions delivers Total Fraud Protection to over 150 clients, with over 40 million end users. The company’s products protect against phishing, pharming, malware, Man-in-the-Middle and Man-in-the-Browser attacks, and deliver multi-factor authentication and transaction anomaly detection. For more information, visit http://www.easysol.net, or follow us on Twitter @goeasysol.

Article source: http://www.darkreading.com/mobile/easy-solutions-mobile-launched/240164764

Stronger Defense Against Malware Happens Below App Level

I think most of you’d agree that among the toughest challenges in fighting malware is sorting out what ought to run from what needs to be stopped. Your increasingly sophisticated adversaries hide, run 0-days, and design advanced attacks that evade common detection tools. Sadly, the adversaries will grow only more sophisticated. Future security solutions must do more to keep pace. And to successfully keep pace, we need to build security solutions on strong foundations that ensure we can “start secure” and “run secure.”

“Starting secure” is crucial. At power-on and start-up phases, our system and infrastructure are at their most vulnerable because defensive systems have not been brought online to protect them. The industry has definitely made some progress here. For example, modern operating systems have helped ease deployment of secure boot capabilities — effectively slamming shut the door on malware trying to penetrate and corrupt boot-time operations. For the highest level of protection, industry standards-based technology, such as that from Secure Boot or the Trusted Computing Group, is available today that measures each element of code executing through the boot sequence, and permits execution of that element only if it can be verified as legit. And the same capabilities that harden boot operations can be extended into new applications to help strengthen cloud security.
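The boot-time chain described above has two distinct mechanisms that the paragraph runs together: *measured* boot records a digest of each stage into a register before it runs (so a later party can check what actually booted), and *verified* boot refuses to run a stage whose digest is not on an allow-list. The following simulation, added here as an illustration and not code from Intel, the Trusted Computing Group or the article's author, shows both on a constructed three-stage chain; the component names and image bytes are made up, and the TPM-style extend operation is modelled with SHA-256 in software rather than a real PCR.

```python
"""Measured and verified boot, simulated in software.

Added illustration; the stage names and image bytes below are constructed.
A real implementation would measure firmware images into a TPM PCR and
gate execution on signatures or digests held in protected storage.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed boot chain: each stage's image bytes, in execution order.
GOLDEN_CHAIN: List[Tuple[str, bytes]] = [
    ("firmware", b"uefi-firmware-image v1"),
    ("bootloader", b"bootloader image v2"),
    ("kernel", b"vmlinuz image v3"),
]

# Allow-list of known-good digests, as a verified-boot policy would carry.
ALLOWLIST: Dict[str, str] = {
    name: hashlib.sha256(image).hexdigest() for name, image in GOLDEN_CHAIN
}

PCR_INIT = bytes(32)  # a SHA-256 PCR starts zeroed at power-on


def measure(image: bytes) -> bytes:
    """Digest of a component image, recorded before that component runs."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || digest).

    The operation is order-sensitive, so a reordered or replayed stage
    yields a different final value, and it cannot be 'un-extended'."""
    return hashlib.sha256(pcr + digest).digest()


def simulate_boot(chain: List[Tuple[str, bytes]]) -> str:
    """Measured boot: record every stage, refuse nothing, return final PCR hex."""
    pcr = PCR_INIT
    for _name, image in chain:
        pcr = extend(pcr, measure(image))
    return pcr.hex()


def verified_boot(chain: List[Tuple[str, bytes]],
                  allowlist: Dict[str, str]) -> Tuple[bool, str]:
    """Verified boot: check each stage against the allow-list before it runs.

    Returns (ok, name_of_first_rejected_stage_or_empty)."""
    for name, image in chain:
        if hashlib.sha256(image).hexdigest() != allowlist.get(name):
            return False, name
    return True, ""


def attest(chain: List[Tuple[str, bytes]], expected_pcr: str) -> bool:
    """Attestation-style check: does this chain reproduce the expected PCR?

    Uses a constant-time compare so a verifier does not leak prefix matches."""
    return hmac.compare_digest(simulate_boot(chain), expected_pcr)


if __name__ == "__main__":
    golden_pcr = simulate_boot(GOLDEN_CHAIN)
    tampered = list(GOLDEN_CHAIN)
    tampered[2] = ("kernel", b"vmlinuz image v3 + unexpected change")
    print("golden PCR  :", golden_pcr)
    print("tampered PCR:", simulate_boot(tampered))
    print("verified    :", verified_boot(tampered, ALLOWLIST))
```

Note the asymmetry the two functions show: `verified_boot` stops the tampered kernel before it runs, while `simulate_boot` lets it run but leaves a PCR value that no longer matches the golden one, which is what a sealed secret or a remote attestation check would catch afterwards.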

To improve the odds of “running secure,” new capabilities in processors and popular operating systems can effectively increase your system’s immunity to attack. New innovations build on baseline microprocessor architecture to restrict how, when, and where code can execute. For example, Intel and AMD introduced capabilities more than 10 years ago to stop code from executing in certain regions of memory reserved for data. Today, operating systems and new PC and server processors have greatly enhanced capabilities that can defeat some classes of malware associated with buffer overflow attacks. One recent enhancement from Intel comes in a capability called Intel OS Guard, which prevents some types of privilege escalation attacks. So instead of relying solely on recognizing malware, the system itself becomes stronger and better able to resist malware.
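The no-execute protection the paragraph refers to only helps if memory that holds data is never also marked executable, so one practical check a defender can run is an audit of a process's memory map for regions that are both writable and executable. The script below is an added example, not the article's or any vendor's code; it parses the Linux `/proc/<pid>/maps` text format and flags `w`+`x` regions, using a constructed sample map so it runs offline, with an optional live check of the current process on Linux.

```python
"""Audit a process memory map for writable-and-executable (W+X) regions.

Added example. The sample map text below is constructed; the live check
reads /proc/self/maps and is a no-op on systems without procfs.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def wx(self) -> bool:
        """True when the region violates W^X (writable and executable)."""
        return "w" in self.perms and "x" in self.perms


def parse_maps(text: str) -> List[Mapping]:
    """Parse maps-format text; lines that do not match the format are skipped."""
    out: List[Mapping] = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                           m["perms"], m["path"].strip()))
    return out


def find_wx(mappings: List[Mapping]) -> List[Mapping]:
    """Return only the regions that are both writable and executable."""
    return [m for m in mappings if m.wx]


def report(mappings: List[Mapping]) -> str:
    """Human-readable summary of W+X findings for a log or ticket."""
    bad = find_wx(mappings)
    if not bad:
        return "OK: no writable+executable regions"
    lines = [f"WARNING: {len(bad)} writable+executable region(s)"]
    for m in bad:
        where = m.path or "(anonymous)"
        lines.append(f"  {m.start:012x}-{m.end:012x} {m.perms} {m.size:#x} {where}")
    return "\n".join(lines)


def audit_self() -> List[Mapping]:
    """Live check of the current process (Linux only; empty list elsewhere)."""
    p = Path("/proc/self/maps")
    if not p.exists():
        return []
    return find_wx(parse_maps(p.read_text()))


# Constructed sample: a normal binary layout plus one anonymous rwx region,
# the kind of thing a JIT or an unexpected loader would leave behind.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a01000 r--p 00000000 08:01 1234 /usr/bin/demo
55d0c0a01000-55d0c0a02000 r-xp 00001000 08:01 1234 /usr/bin/demo
55d0c0a02000-55d0c0a03000 rw-p 00002000 08:01 1234 /usr/bin/demo
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0 [heap]
7f3a20000000-7f3a20010000 rwxp 00000000 00:00 0
7ffd5c000000-7ffd5c021000 rw-p 00000000 00:00 0 [stack]
7ffd5c0ff000-7ffd5c100000 ---p 00000000 00:00 0
"""

if __name__ == "__main__":
    print(report(parse_maps(SAMPLE_MAPS)))
    print("live self-audit:", report(audit_self()))
```

Anonymous `rwxp` regions are not always malicious (JIT engines create them), so treat a hit as a prompt to identify the owner rather than as a verdict; the useful baseline is that an ordinary native binary shows none.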

To learn more about emerging systems and infrastructure that “run secure,” look for combinations of hardware and operating systems that enable deeper system behavior monitoring at low levels of the computing stack. By taking advantage of processor technologies embedded in the silicon, the software provides something like close inspection and repair of plumbing or wiring in an apartment building, detecting and preventing malicious intent at the hardware level.

If you need the strongest possible foundation and support for your anti-malware regimen, then look below the application layer to assess what new OS and hardware capabilities can do to enhance your defenses.

Article source: http://www.darkreading.com/applications/stronger-defense-against-malware-happens/240164766

UK firms to be “encouraged” to adopt upcoming security standard

The UK government minister responsible for cyber security issues, the Rt Hon Francis Maude, has released a statement and a pair of reports looking back over the first two years of the government’s Cyber Security Strategy and detailing further plans going forward.

UK Cyber Security Strategy - Report on progress

One of the key developments expected in the near future is the unveiling of a security standard for businesses, which early reports on Maude’s statement predicted would be a requirement for firms hoping to pick up government contracts.

Variously described as a “baseline”, a “kitemark” and a “badge”, the new standard is being developed in collaboration with the British Standards Institute, the Information Security Forum and other players, and is expected to be released publicly in March of 2014.

Those expecting the “Organisational Standard” to be mandatory for firms doing business with the government may be a little disappointed though, as the statement’s wording leaves plenty of wriggle-room to allow firms to avoid conforming.

While firms in general will be encouraged to adopt the standard, in government procurement compliance will be mandated only “where proportionate and relevant” – so, if anyone wants out and has enough clout, it’s likely they’ll be able to persuade the government to continue doing business with them.

A group of firms currently supplying the Ministry of Defence (MoD), including BAE Systems, Rolls Royce and HP, have shown willingness to adopt the standard when it is released, but again there seems to be no definite requirement of the sort imposed by the US Defense Department a few weeks ago.

Hopefully once the standard is finalised and released the rules regarding its use will be made stricter and less flexible.

There’s a lot more covered by the two reports, with the retrospective overview of progress highlighting the creation of the new National Crime Agency (NCA) and its cyber sub-division the National Cyber Crime Unit (NCCU), set up a few months ago, and its successes so far.

These include a number of high-profile international operations, as well as sending out an email warning people about Cryptolocker.

A number of other initiatives are mentioned, including information-sharing partnerships, the Centre for the Protection of National Infrastructure (CPNI) and its Cyber Risk Advisory Service for businesses, and the budding CERT-UK, as well as the recent banking simulation project known as “Operation Waking Shark 2”.

Looking forward, we can expect expansions and improvements in all these areas, plus new initiatives such as “kite-marking” of cyber security professionals and products. Police expertise will be increased, with half of the NCA’s 4000 staff expected to receive training in cyber investigation.

Education in general is a major theme, with new plans ranging from primary schools to universities and on into professional training and certifications.

A “major public awareness campaign” is planned for January 2014, with Sophos namechecked alongside Facebook and BT as partners in the project.

Just how successful these endeavors prove to be will, of course, depend on the details, as much of the information in these reports is still fairly vague and non-committal.

Nevertheless, it’s good to see government making the right noises and putting some fairly considerable effort into cyber security in all sorts of areas.


Image of school kids courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KoAL96wq8yA/