Security, networking & systems

Welcome! 

My new blog has been launched today. This is intended to be a compilation of musings and thoughts with a rough focus on security and privacy. The idea is to provide analysis, commentary and geekspeak translations of news, events, and happenings in the security and technology arenas.

Feel free to comment and reply; the idea is to have a dialog.

You can read new posts on this blog via the RSS feed.

-J-

Musings - Geek speak elucidations

Scareware - Not just a fashion statement anymore

2010-04-05 16:01
Scareware is the latest type of malware (MALicious softWARE) labeled by the media, not my poor sense of style. These are nasty little messages that try to frighten you into browsing infected websites, installing infected software, and even giving up your credit card numbers. We have discussed this type of malware before, but since we are seeing an upswing in it recently, we thought we'd touch on it again. As our computers become more resilient to traditional methods of infection, we have seen an increasing number of bugs that bypass a computer's security by fooling you into allowing them in. This type of infection is spreading through social networking website apps, paid advertisements on legitimate websites, or even bogus search engine entries that take you to infected sites. This Scareware is actually comprised of elements from a few types of malware. Infection stage 1: Social...

Security Breach: the human factor

2010-02-15 13:51
A few weeks ago, it was reported that one of our local school districts was the victim of a security breach. This breach resulted in wire transfers totaling almost $3 million from their bank accounts to various foreign banks; reportedly 20% of the school's annual budget. While the school district has recovered most of the funds, and is working with the FBI and the State Police to recover the rest, this incident brings home the pressing need for Information Security in today's environment. (http://www.timesunion.com/AspStories/story.asp?storyID=885104#ixzz0bwm3keRx) How this happened has not been disclosed, although the above article speculates on two likely scenarios. One is through "phishing". This involves an email message or website that tries to fool the reader into entering protected information such as user names/passwords or account numbers. These can be very sophisticated,...

Defensive Depths

2010-02-01 13:17
With the new year, it's time to get back to basics and review some key concepts in the security field. One term we often bandy about is "defense in depth" as a means to secure your information and it has nothing to do with deep sea warfare. The term is taken from military parlance and can be traced back to ancient times as a way to increase the survival of whatever it is you're protecting. By placing your king, or gold, or big rock, or sensitive information within multiple layers of defense, you can significantly increase the difficulty of others getting to it. Think of a medieval castle: for a marauding dragon to get at your king he must go through the town walls, then swim across the moat, and then get through the castle walls. Once inside the castle, there is the main keep or central tower to get into and climb. At each layer, defensive countermeasures can be taken to repel...

Budgeting for Disaster

2009-12-01 11:49
As the year winds to a close, thoughts are turning to the coming holidays: turkey, pies, snow shoveling, and perhaps a new budget. So how exactly does one plan for the unexpected, or budget for disasters? By definition disasters are very bad: bad enough that we should be insured against them. Assuming that we are insured against most disasters, we're going to downgrade this discussion to mere emergencies. Specifically, we'll be focusing on those nasty little incidents that fall into that gray area between "AHHHH!!" and "doh!". This might be a network server going down, a critical file being corrupted, a virus getting loose in the network, a lost backup tape with patient records, or even a court ordered e-discovery request. The common threads between all of these incidents are 1) they are unexpected, 2) they involve the technologies we use to run our organizations, and 3) they have the...

Virtual security in a real world

2009-11-20 09:23
Virtualization has become a force to be reckoned with for organizations of all sizes and shapes. The flexibility and consolidation options available in virtualized environments give this technology an unusual distinction: it appeals to both the engineers and the accountants. But as with any new technology, virtualization does bring new security considerations. Virtualization allows a "host computer" to run multiple "virtual computers" as applications, with all of them sharing the same physical server hardware. Different vendors have different terms and implement this in different ways, but basically they all run computer operating systems as applications. This has many benefits: it allows better hardware to be employed (as it is shared by numerous servers) and the infrastructure to be reconfigured at will. Need more memory for your web server? Change the settings on the virtual host...

Avoiding the Storm Clouds

2009-10-06 10:58
As cloud computing becomes more commonplace and vital to our operations, it's imperative to keep in mind the security implications of running your business from "the cloud". Moving expensive and hard-to-maintain programs to the cloud can be an attractive alternative to large one-time investments in hardware and software. However, we need to be very aware of how this move affects our information's security. Specifically, we will be focusing on our information's availability in the cloud. With business critical applications and services hosted in the cloud, internet access, which smaller organizations have traditionally seen as just "useful", is suddenly elevated to "vital". With your application in the cloud, slow internet means low productivity. "Cloud computing" offers programs and applications as services that are accessible from any internet connection instead of running...

Lock up your servers!

2009-08-25 15:44
One aspect often overlooked when securing our information is physical security. The goal of physical security is to control who can walk up to the information and touch it. The idea is to prevent unwanted information disclosure, loss, or corruption, the same as when securing the information across the network or from the internet. The difference is that physical security deals with the "real world". For most of us, this doesn't mean training your Chihuahua as an attack dog or outfitting your employees with dark shades, cheap suits and sleeve microphones; it simply means using some common sense. Before we can take measures to physically secure our information, we need to know what type of information needs to be protected. There is no need to post armed guards around your product catalog after it's been published: it's meant to be seen by others. Before it's published could be a...

Untethered fun in the sun...

2009-06-10 14:49
As summer approaches, the dream of working while sitting on the beach comes to the fore. While I doubt many of us will be that lucky, the technology to enable this has been with us for some time and most of us use it every day: WiFi. WiFi (or Wireless Fidelity) is any of the widely deployed wireless networking protocols that operate in the frequencies unregulated by the FCC (Federal Communications Commission), specifically 2.4 GHz and 5.8 GHz. These protocols are technically referred to as the IEEE (Institute of Electrical and Electronics Engineers) 802.11x specification, with the "x" being the version. The versions are lettered: "b", "a", "g", and now "n" (in order of release) and specify the maximum connectivity speed, signaling rules and frequencies used. Many coffee shops, cafés, airports, and hotels offer WiFi hotspots for their patrons. Many homes and offices have these networks...

Social Insecurity

2009-04-30 10:29
Every day, our communications are becoming more interconnected. Whether it's receiving work and home email on your phone, updating your LinkedIn status at work, or accessing work files from home, the line between home life and work life is more blurred than ever. While all of this interconnection can make our lives easier, we must be aware of where sensitive data is being accessed and stored, and the information security implications. As an employer, the first step in preventing any issues with social websites, or internet communications in general, is to decide on a clear policy to let everyone know what they can and can't do. The policy can be as relaxed or stringent as is appropriate to your working environment, but should be clear, concise, and in plain English (avoid legalese). Then of course, the decided policy needs to be uniformly enforced. Contact your network security...

Boom! April fools!?

2009-03-26 11:52
As the warm weather begins to set in, something besides April showers may be approaching. A malicious program called Conficker (a.k.a. Worm_DownAD.AD, Trojan.Win32.Pakes.lxf, W32.Downadup) has been propagating throughout the internet and making headlines. This malware (malicious software) has garnered so much attention because of its level of sophistication, its install base, and its unknown nature. Conficker was first discovered in the wild (on the internet) back in October of 2008, and targets Windows based computers and servers. The latest variants of this malware are programmed to download an update on April 1st, 2009. Unfortunately, no one knows what this update is or what effect it will have on infected computers or the internet in general. Conficker is employing some of the latest encryption techniques and is being actively adapted in response to network security measures...

Rants - Tech savvy explications

IE 0 Day Exploit

2008-12-12 19:27
Microsoft reported a new "zero-day exploit" that affects most versions of the Internet Explorer browser. A zero-day exploit is a security vulnerability that is being exploited before the software vendor or public knows that the issue exists. This particular exploit attacks flaws within Internet...

Spoofed NDR issues

2008-04-14 13:05
We've seen a rash of NDR (Non-Delivery Response) floods happening to our clients. In all cases, it appears that the spam being NDRed is spoofed, but we are receiving reports from these users that they are being blacklisted on spam filters. Is anyone else seeing this problem? Thanks, -J-


© 2008 All rights reserved. Jason Appel
