Archive for category Malware
This week, the Federal Financial Institutions Examination Council (FFIEC) released “Social Media: Consumer Compliance Risk Management Guidance. The FFIEC is asking for comments within sixty days. You can download the 31-page document here.
Its release has created quite a stir within the banking industry. A comprehensive article appeared on TheFinancialBrand.com, “Regulatory Shocker on Social Media in Banking Coming Soon” that summarizes the guidance quite nicely.
But . . . what’s so shocking?
We’ve been having the same conversations in the securities industry for three years. And in those three years, firms have learned that there are three major areas of risk that need to be mitigated before deploying social media:
- Security: your IT department needs to prevent your firm’s proprietary and client information from being leaked out either inadvertently or maliciously from the enterprise. They also need to ramp up malware protection. That’s because social media users are susceptible to incoming threats as they view themselves as part of a tribe and tend to click on any link sent by a “friend.”
- Compliance and Governance: your legal and compliance departments already know that there are thousands of rules and regulations that govern the communications and advertising of publicly held corporations, firms in general, and bank specifically. Take the securities industry as an example – the banking regulators aren’t issuing new rules and regulations around social media. Social media is viewed as just another form of written communications. Your compliance department is therefore challenged to interpret existing rules as they apply to social media and to develop and enforce firm policies.
- Enablement: your executive team is concerned about productivity and the bottom line. Now that every employee can be the face of the business, you either have a powerful marketing tool or your worst nightmare. Employees will need to be trained on how to use social media effectively to meet the firm’s goals, such as nurturing existing clients, attracting new business, recruiting, and brand awareness.
However, during the last three years, we’ve learned that all these risks can be mitigated by strong corporate polices, backed up with technology and training.
So far, so good. Nothing new here. Or is there? In addition to what we’ve already seen from other regulators, the FFIEC specifically also calls for:
- Creation of policies to address negative feedback or customer complaints, even if a financial firm chooses not to actively engage in social media.
- Monitoring to protect the firm’s brand identity
- Due diligence and oversight for third-party vendors that firms may hire in connection with social media
And the one that I find most interesting:
- Processes and reporting to demonstrate how social media “contributes to the strategic goals of the institution.”
In other words, the FFIEC recommends that firms measure the ROI of social media.
It will be interesting to see the reaction that FFIEC gets from the industry. I just hope that the banking industry can use some of the key learnings from the securities industry to streamline the processes to reap the benefits of “getting social.”
For more details on how to deploy social media within retail banking, you can also check out Belbey Blogs: Upcoming Guidance for the Use of Social Media for Retail Banking from FFIEC.
Today’s post comes from Norv Leong, Director of Product Marketing at Actiance.
No, I’m not talking about one of America’s most beloved (or perhaps ridiculed) canned foods, but rather, the elimination of about half of the world’s electronic spam recently, thanks to a coordinated effort from several ISPs spread across the globe. Their efforts wiped out and crippled the Grum and Lethic botnets, respectively, which together accounted for about half of the world’s spam. Let that sink in for a moment.
Everybody that has ever touched a computer has likely received some kind of spam in their email inbox. It’s annoying and never seems to go away. Just goes to show that there will always be evil lurking in cyberspace. I’m talking about folks who are solely focused on wreaking havoc, stealing passwords, launching denial of service attacks, or hacking into computer networks of some of the most secretive agencies in the world. Whether they do it for fun, cuz they’re bored, or on someone’s payroll, I do not know.
The bottom line is that all individuals and companies have to be on their guard and not underestimate the importance of having the proper security measures, settings, and policies in place to combat the evildoers out there. Nowadays, the wildfire proliferation of social media and other Web 2.0 sites has proved to be prime hunting ground for spammers (check out a blog entry we did earlier on this topic).
Passing along malware is no longer the domain of email; it’s now spread to sites like Facebook, Twitter, and Skype. One thing that’s different about these sites (vis-à-vis email) is that they require a connection, friendship, or link to be established before you can receive content. That wasn’t the case with email. For instance, if Stevie were to receive a link from his buddy, Timmay, via Skype, Steve’s probably gonna click on that link since he trusts Timmay. That link might not in fact be from Timmay, but rather, from some spammer in Estonia.
So, it’s all well and good that the amount of spam has been cut down for now. But, like Wile E. Coyote’s lifelong pursuit of the Road Runner, I’ll bet a bomb shelter’s worth of Spam that hackers will continue to think up elaborate malware schemes that will make the Grum and Lethic botnets look like starter kits.
Any veteran of social media has at one time or another put face-to-palm when they see another one of their contacts trying to distribute yet another scam through their profile. There is no escaping it. Whether it’s a third-party application that promises free coupons or a tweet promising a free iPad, illegitimate offers wanting your PII (Personally Identifiable Information) are everywhere. If this were 10 years ago, you would hear me complaining about e-mail or IM spam. Sure these spam attempts still happen, but that is broad attacks at best. E-mail or IM spam doesn’t even know your gender most of the time, let alone what demographic you may fall under. That’s what makes Social Media spam such a lucrative trade. Never before have people been so compelled to give away so much information about themselves. The content that we end up posting on social network sites is so descriptive of our personal lives that even corporations are asking for your content during the interview process.
It’s not difficult to tell if someone close to you has been hit by a spam attack. If their profile has been hijacked, then you can expect to see the same messages to several friends – always with a shortened URL link. Your best defense is to be weary of links that you receive, even if they are from trusted sources. You should also take a moment to explore what privacy settings you already have in place. The goal should be to make sure that your information is not accessible without your explicit knowledge.
Spammers are able to find you and send targeted attacks, if you share all of your information with the open web. Any kind of application that you use to access a social network is acting as the middleman for your data. This usually means that you are allowing them access to your data in exchange for their ‘free’ service. What they do with that information after they provide their service is up to them.
Before you click that link, be more skeptical. Does this person really want to give me free money? Unfortunately, we don’t live in that kind of world. The more likely answer is that they are looking to sell your information to advertisers for other scam attempts. I could be wrong of course. A smartly-dressed woman could always show up in a diamond -crusted Bentley with $500 and a promise of a new monetary system that will work out in my favor.
Let’s use a recent scam example seen on Facebook. A common attack method on Facebook is to create a third-party application that immediately redirects the user away from Facebook. This could be as harmless as trying to build SEO tracking to a site or propagating something malicious to your PC. In this case, it’s just a scam to get more traffic to a site selling shoes. It starts as most of these scam attacks start: a buddy clicked something they should not have and now a third-party application on Facebook is posting messages as them. To make sure that their friends view the content, they tag them in a picture.
Now they’ve got you on the hook. If you happen to click that link, you are navigated first to a Facebook Application page that only redirects to a site not belonging to Facebook.
Applications like this one are a dime a dozen. Facebook has been under heat in the past for allowing this kind of activity. This is an unavoidable side effect whenever you provide an open web platform for users to create their own applications. Facebook deletes the malicious ones, but they haven’t done an outstanding job of policing these in the past. In this case, the user is immediately taken to a blogger page that looks like this:
There are a few tools that you can use in your browser to make sure your exchanges on social media are kept as private as possible. I recommend Ghostery for detecting any invisible trackers that exist on most web pages. These are usually advertisers trying to capitalize on your digital presence. Unless you intend to read a 30-page EULA describing what they are allowed to do with your data afterwards, just block it. Another useful tool is called LongURL. This allows you to see the link you are about to click. It will also help you avoid getting hit by that one friend that is always rickrolling people.
Recently, the Department of Homeland Security (DHS) released its blueprint on cybersecurity. The document essentially provides a framework for managing the myriad cyber threats that are lurking out there, while still fostering an environment of innovation, prosperity, and economic growth. It’s an ambitious plan, but it’s certainly necessary.
The range of security threats runs the gamut these days. You’ve got so many different options for hackers to ply their trade that it can be quite a challenge to police all physical and virtual borders. The explosion in social media and collaboration tools has opened up a bevy of new channels for hackers to distribute viruses and other types of malware. Thus, the sophistication of criminals nowadays makes cybersecurity one of the most important issues for DHS in the 21st century.
The DHS framework has two key pillars: (1) the infrastructure protecting critical information, and (2) strengthening the cyber ecosystem in general. To achieve these twin objectives, DHS must execute on several fronts: hardening critical networks, prosecuting cybercriminals, raising public awareness, and hiring/training cybersecurity-savvy workers. As you can see, it’s a multi-faceted strategy that requires cooperation and input from several sources and individuals (including we the people).
Thankfully, the pace of technological innovation in the security space is just as brisk. Anti-malware and URL filtering technologies continue to push the envelope in terms of detection capabilities. Monitoring software now offers granular controls over social media sites. And archiving capabilities now include a slew of communications modalities, including email, instant messaging, social media, collaboration platforms, etc., making it easier to build a case should prosecution become an option.
Security dangers may lurk everywhere, but with the right systems, policies, and training in place, the DHS blueprint may well become a reality sooner rather than later.
You know that there’s been a seismic shift in the US Government’s communications strategy when guidelines are published by the government for agencies about how they can adopt social networks to deliver a better customer experience.
We can all applaud the good – when the magnitude 5.8 earthquake shook the East Coast in August, the Department of Homeland security was quick to tweet advice on getting in touch with loved ones via social networks, eschewing phone lines which were getting clogged.
But before we get carried away, we need to put this success in perspective.
Just last week, news was released that Air Force One’s flight plans were inadvertently leaked when a Japanese air traffic controller decided to post them on his blog to show off to his friends.
Who needs Wikileaks when you have to contend with the foibles of your own staff?
The threat of malware infection continues to loom large, as our own Jae found out to his chagrin.
There is no time to be complacent. This is why we’ve knuckled down and begun the process of testing our platform for federal government usage. We’ve kicked of with subjecting Vantage and Unified Security Gateway (USG) to the rigorous tests conducted by Science Applications International Corporation (SAIC) Labs.
It is with a mixture of post-exam relief, pleasure and pride that we can reveal that (drumroll please…) we have met the initial requirements for Common Criteria IA SL2 and The Federal Information Processing Standard (FIPS) 140-2.
The process is by no means over, but we’re certainly well on the way, but it’s another confirmation that Federal Agencies can rest assured that our solutions are robust, enterprise-ready and will do what they say on the ‘can’.
Regardless of media – it could be Jabber, Microsoft Lync or Facebook – we can monitor, track and archive content to protect against unsanctioned disclosures and security threats.
What is YOUR federal agency doing with regard to new communications modalities?
|I may need to wear a shirt like this in the office.|
Most readers of this blog are savvy social media users. I would include myself in that category. Well, I would have until last Sunday.
Yes, I will come out and admit it for once. I got suckered into clicking on a Twitter malware link that was forwarded to me by one of my ‘trusted’ venture friends. Now that I got that off my chest (and demonstrated that I could be just as naive as thousands of users out in the Internet), I think I can talk about this incident somewhat objectively.
It turns out that this particular malware spreads by getting a Twitter user to click on the shortened t.co URL that’s sent via private message. When an unsuspecting recipient clicks on the link, it automatically sends the same tweet to all of the recipient’s followers as a private message. Very sneaky.
It was quite an embarrassing moment when I realized what just happened (I even had to update the new Twitter app to follow the link on my iPhone). Thanks to a couple of my co-workers and good Twitter citizen @DevonAlderton, I came to my senses only after a few hours had passed. Once a few seconds of disillusionment of my malware ‘detect-o-meter’ had passed, I regained my composure to delete all of my private tweets to all my followers (thank goodness I don’t have Kim Kardashian’s follower base) and took remedial action to shore up my defenses.
Last week, it was announced that Steven VanRoekel would be replacing Vivek Kundra as the CIO at the Office of Management and Budget (OMB). It’s a high-profile position that essentially puts VanRoekel in charge of the federal government’s IT budget – currently about $80 billion a year. A tidy sum of money.
So, as VanRoekel assumes his new role, all eyes will be focused on how he handles the projects he’s inheriting from Kundra as well as new initiatives. Of the former, issues such as data center consolidation and the “cloud” are top-of-mind. Recently, much of the buzz, both in the government and in the private sector, has revolved around Web 2.0 and social media. However, they’re just two components of an overall security strategy.
VanRoekel must also take into consideration other types of application that factor into a comprehensive cybersecurity strategy. These days, hackers are pretty sophisticated and are quite adept at exploiting encrypted traffic to pass along viruses or other types of malware. For instance, unified communications (UC) platforms, such as Jabber, Microsoft OCS and Lync, and IBM Sametime, all enable federation, which is the ability to communicate with others who are not members of your UC community. The danger here is federating with outside networks that may present unknown risks, like viruses, hackers, enemies mining for confidential information, etc.
The same analogy holds for the “cloud” initiative. Cloud computing is all the rage, but there’s no shortage of companies and government agencies that are incredibly leery of turning over key computing processes and applications to the cloud. Security is almost always the first issue mentioned when talking to skeptics of the cloud. Multi-tenancy (i.e., sharing physical appliances that have been logically partitioned), data storage off-premises, and the relatively short history of this computing paradigm send shivers down the spines of the most experienced IT practitioners.
With the Internet being a global resource, the potential scope of security breaches is immense. Sophisticated hackers might reside in the US, China, Russia, Iraq, North Korea; you just never know. It is under this backdrop that VanRoekel will have to drawn upon his experience in the private and public sectors to devise a strategy addressing all of these security concerns. A daunting challenge for sure, but absolutely attainable, given today’s technology.
Wouldn’t you agree?
We’ve all heard this saying before and it’s easy to get lost in the bewildering array of communications channels available to us. There’s the usual email, instant messaging networks (Yahoo!, Google Talk), peer-to-peer networks (Skype), enterprise IM applications (IBM Sametime, Microsoft Lync/OCS), and social networks (Facebook, Twitter). And these are just the big boys. There are literally thousands of IM, P2P, and social networks, in addition to those listed above.
To give you an idea of the bevy of tools out there, the US Department of Agriculture (USDA) uses over 21 different email systems, but they’ve recently decided to award Microsoft a contract to provide cloud-based email, Web conferencing, IM, and collaboration solutions. Similarly, the US General Services Administration (GSA) awarded an email contract to Google. What this goes to show is that messaging in large organizations (in this case, it’s the government) is starting to move to the cloud as companies look for ways to streamline their messaging systems, improve efficiency, and cut costs.
What with all these communications options available to end users, it’s all too common for folks to use Facebook, Yahoo!, or Skype while they’re at work on company-issued computers. Oftentimes, individuals use a combination of Web 2.0 (think Facebook or Skype) and enterprise (think Microsoft Communicator or Cisco Jabber) applications. The problem with doing so is that it opens up new vectors for malware to invade the corporate network. In other words, there are far more avenues for evil to infiltrate the corporate network these days than ever before.
Thankfully, platforms like Actiance Vantage make it easier to manage the proliferation of communications tools within the enterprise. From blocking virus attacks to managing file transfers to logging and archiving of all IM activities, Vantages provides end-to-end security and compliance coverage for an organization’s unified communications.
We can all learn a lesson from the government contracts cited above. Long ridiculed for being the poster child of bureaucracy and antiquated computer systems, it must be saying something to have two large agencies moving their communications applications to the cloud. Looks like the US government has taken heed of that old KISS principle after all.
application control, compliance, employee behavior, Enterprise 2.0, facebook, Facebook security, instant messaging, Internet security, IT security, malware, public IM, security, unified communications, Web 2.0, Web filtering, Web security
For you football (soccer as they say here in the US) fans, you’ve got to love the uncanny talent and skill (and maybe luck, too) of Paul the Octopus. He’s the eight-legged oracle who correctly picked all the World Cup 2010 matches, including the final one resulting in Spain being crowned el campeon at the quadrennial event.
I’m not Paul (nor an octopus for that matter, although my colleagues do call me interesting names from time to time), but I’ll take a stab at offering my predictions on what may unfold in 2011 on the technology side of the pitch. 2010 was pretty exciting (think iPad, Facebook, Foursquare – and the boss wants me to mention that England retaining the Ashes was pretty big, too), but 2011 portends to be at least as innovative and disruptive.
Mordor Won’t Go Away
The Lord of the Rings trilogy pitted good versus evil. This couldn’t be more apropos for technology as well. There are those who are good, and those who are bad. The latter are folks who are ever persistent in their attempts to hack computer networks in search of credit card numbers, passwords, personally identifiable information, or avenues to unleash the new virus they just created. It’s a continual game of cat-and-mouse that never seems to die. It’s like Jason of Friday the 13th fame meets Groundhog Day. Different dung, same day.
Look for these cybercriminals to continue to exploit vulnerabilities in social networks to deliver their malware. The popularity and trusted nature of users’ relationships with each other on sites like Facebook, LinkedIn, and Twitter are perfect platforms for evildoers to ply their trade. Unified communications platforms like Microsoft Lync, OCS and Lotus Sametime are also ripe targets for new forms of malware, especially since many of these platforms support federation, which opens up corporate messaging systems to the outside world through IM applications (e.g., Yahoo IM and Google Talk). Because many of these communications channels operate in real-time, the spreading of malware can happen very quickly and very globally.
You didn’t think the regulatory bodies were just gonna sit around and let their respective industries run amok with respect to social media, did you? Mwha ha ha (that’s the evil laugh I’ve been practicing). The coming year (I’m furiously rubbing the crystal ball here and looking wise) will see the introduction of more regulations specific to social media and these new communications channels. It’s not just about email any more. There’s Skype, Twitter, Facebook, Google Talk, corporate IM networks, and the list goes on and on.
The financial services industry was the first to issue social media-specific guidelines, and the FDA began to hold hearings way back in 2009 to solicit opinions and advice on what to do for social media. The energy and utilities sector has FERC and NERC regulations that can be interpreted, if not explicitly, to encompass social media. Even the government, the poster child for rigidity and glacial-paced operations (oh boy, I really am going all out to get myself some form of government monitoring on this blog, aren’t I?), is starting to step up to the plate, as evidenced by the State of Florida and the US Department of Defense each releasing guidelines on social media usage and record retention. So, the trend is impacting all levels of government – local, state, and federal.
Smartphones: My New BFF
Look around everywhere, and people are texting away, playing games on the subway, or listening to some tunes on the beach – all with their smartphones. It seems everyone has an iPhone or a Droid these days, and who can blame them. These little gizmos are so loaded with features and intelligence that it’s hard to put them down, hence, BFF. It’s like having MacGyver in the palm of your hand.
From shopping to “checking in” to online dating, mobile phones have come a long way since the days of the “brick” phones. The globalization of the Internet and the rate of mobile adoption in every part of the world reflect the ongoing opportunities within this technology space. With so many business applications moving to the “cloud”, this opens up new potential markets for vendors looking to secure or manage communications via smartphones.
Partly Cloudy Forecast
We’ve already begun to see many businesses offer a hosted version of their software. Though the “cloud” concept has been around for awhile, 2011 may see a surge in customers opting for hosted solutions. With the widespread use of real-time collaboration tools, like Microsoft Lync and Cisco Webex, it’s very easy these days to hold meetings over the Web without needing to travel to a customer or partner site. This also makes it easier to accommodate remote workers, too, who may not want to travel to or live near corporate headquarters.
Especially in times where IT budgets are strapped and qualified IT professionals are difficult to recruit and retain, the cloud computing model has a compelling value proposition. When taking into consideration ROI and security enhancements, the model has more in its favor than at any time in its past. Such a confluence of factors bodes well for 2011.
Well, I’m not sure if I’ll do as well as Paul the Octopus, but, like all the World Cup participants, it’s all about soaking up the atmosphere and enjoying the ride. What are your predictions for 2011?
You are currently browsing the archives for the Malware category.
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- August 2012
- July 2012
- June 2012
- May 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- October 2010
- September 2010
- August 2010
- June 2010
- May 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- July 2009
- June 2009
- April 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- Application Filtering
- Electronically Stored Information (ESI)
- Employee Behavior
- Enterprise 2.0
- Enterprise IM
- Financial Services
- Guest Post
- New Internet
- personal v professional
- Product Announcements
- Public IM
- Retail banking
- RSA Conference
- Securities and Exchange Commission
- Social Networking
- Unified Communications
- Web 2.0
- Web Security