Tuesday, December 09, 2008

While 92 percent of security professionals in a new Ponemon-Lumension study say their organization suffered a cyberattack, only 55 percent of IT staffers said the same

A new report underscores a major disconnect between IT and security groups when it comes to what most threatens their organizations.

The Ponemon Institute's 2008 Security Mega Trends Survey, which was commissioned by Lumension, reveals just how far apart IT departments and security groups are when it comes to what they perceive as the biggest threats to their data today and in the next 12 to 24 months. While outsourcing risks are at the top of IT managers' worries, data breaches and cybercrime are the biggest worries for security.

More specifically, half of the IT managers said that outsourcing was a high or very high security risk to their organizations today and in the next one to two years; 44 percent also pointed to data breaches as a comparable risk today, while 40 percent expect them to be so in the next one to two years. Security professionals, meanwhile, ranked data breaches and cybercrime higher: Sixty-six percent consider data breaches high or very high risks today, while 65 percent rank them as such for the next year to two years. In addition, 65 percent say cybercrime is a high or very high risk to their organizations today, while 77 percent say it will be in the next 12 to 24 months. That's in contrast to the IT side, where 47 percent consider it a high risk today, and 49 percent expect that it will be in the next year to two years.

"We see a big disconnect between IT and security in their thoughts about data breaches and how risky that is to a business," says Pat Clawson, CEO of Lumension.

But the most disturbing disconnect was in actual breaches. While 92 percent of security professionals say their organizations had suffered a cyberattack, only 55 percent of IT staffers said the same, while 32 percent said they were uncertain. "That just floored me," Clawson says. "That shows the silos" that still exist, he says.

The two groups were far apart on Web 2.0 threats as well, with only 34 percent of IT saying the use of Web 2.0 will result in the loss of business information (including trade secrets), while 64 percent of IT security said it will. "That's a big delta -- IT is not 'getting' the risk," Clawson says.

Mobile devices are one area where both sides are on the same page, however, with nearly half of each group ranking them as a high or very high risk to the business. "We also think that mobility is dramatically contributing to data loss... mobility and mobile devices were the only area where IT and security got close" in their perceptions, Clawson says.

"The key for both IT operations and IT security is to find the common ground necessary to better wage this security battle together," says Larry Ponemon, chairman and founder of the Ponemon Institute.

Interestingly, neither the IT nor the security departments rate virtualization as a high risk. But about half of each said the biggest danger with virtualization is not being able to identify and authenticate users to multiple systems "and third parties' access to private files without authorization," according to the report.

posted @ 10:04 AM

The upcoming Obama administration should establish a new office in the White House to manage cybersecurity, a commission comprised of a wide-range of experts and two lawmakers said today.

The Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency recommended creating a new office in the Executive Office of the President, to be named the National Office for Cyberspace (NOC). NOC would work with a new cybersecurity directorate, which would be part of the National Security Council (NSC), to develop and manage a comprehensive national security strategy for cyberspace, the commission recommended.

A new assistant to the president would direct NOC, which could be established by merging the existing National Center for Cybersecurity and the Joint Interagency Cyber Task Force, the commission recommended.

“Cyberspace is now a major national security issue,” wrote the panel, whose co-chairmen include Reps. Jim Langevin (D-R.I.) and Michael McCaul (R-Texas). “The United States should treat it as such, following the precedent” of weapons of mass destruction and nonproliferation. Langevin and McCaul are chairman and ranking member, respectively, of the Homeland Security Committee's Emerging Threats, Cybersecurity, and Science and Technology Subcommittee.

The new strategy should include diplomatic, intelligence, military, economic and law enforcement efforts, the report states.

In its final report, the CSIS panel said that although the nature of cybersecurity means the ultimate authority should be bumped up to the Executive Office of the President, agencies should be responsible for their operational activities. For example, the Homeland Security Department would maintain its network and intrusion monitoring responsibilities, and the Office of Management and Budget would retain oversight of the budget functions in coordination with the new office and NSC.

In addition, the group urged President-elect Barack Obama to work with Congress to rewrite the Federal Information Security Management Act to use performance-based measurements of security. He should also propose legislation that eliminates the legal distinction between the technical standards for national security systems and civilian agency systems. The group said FISMA encourages document reviews rather than network security improvements.

The panel’s final report also recommends creating a presidential advisory committee and organizations to improve collaboration, and bolstering public/private partnerships.

“America’s power, status and security in the world depend in good measure upon its economic strength; our lack of cybersecurity is steadily eroding this advantage,” the panel wrote.

The panel said the existing multiyear, multibillion-dollar Comprehensive National Cybersecurity Initiative should not be discarded, but it was insufficient.

“The next administration should not start over; it should adopt the initial efforts of the Initiative, but it should not consider it adequate,” the report states.

The commission emphasized the need to bolster identity management and update laws. It added that security should be part of the acquisition process. The report states that “laws for cyberspace are decades old, written for the technologies of a less-connected era. Working with Congress, the next administration should update these laws.”

The commission urged the next administration to enforce the requirements for secure interoperable identification cards required by Homeland Security Presidential Directive 12. It urged the new administration to restrict bonuses or awards at agencies that do not fully comply with those requirements.

“Finding ways to take better advantage of cyberspace will help give the United States a competitive edge in a world where we are currently running behind our competitors,” the report concluded.

posted @ 10:02 AM

Criminals are taking advantage of a bug in the Asterisk Internet telephony system that lets them pump out thousands of scam phone calls in an hour, the FBI has warned.

The FBI didn't say which versions of Asterisk were vulnerable to the bug, but it advised users to upgrade to the latest version of the software. Asterisk is an open-source product that lets users turn a Linux computer into a VoIP phone exchange.

In so-called vishing attacks, scammers usually use a VoIP system to set up a phony call center and then use phishing mails to trick victims into calling the center. Once there, victims are prompted to give up private information. But in the scam described by the FBI, the attackers apparently are taking over legitimate Asterisk systems in order to dial victims directly.

"Early versions of the Asterisk software are known to have a vulnerability," the FBI said in an advisory posted on the Internet Crime Complaint Center. "The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour."

The software, developed by Digium, has been available for nearly a decade, and a number of critical flaws have been found in it over that time. In March, researchers at Mu Dynamics reported a bug that could allow an attacker to take control of an Asterisk system.

Digium wasn't certain what vulnerability the FBI was referencing in its advisory. However John Todd, the company's Asterisk open-source community director, believes that it was probably this March bug. That vulnerability "basically allowed you to take over the account of one individual," he said. "In the worst possible case, you could make thousands of calls in an hour."

However, the attack described by the FBI would be extremely hard to pull off, Todd said.

Most Asterisk systems are protected by firewalls or other security software and even if one could be accessed by a visher, administrators generally limit the number of calls any one account can make simultaneously, he explained. "Most of the time you would not be able to create thousands of calls in an hour."

The flaw affects older versions of Asterisk but not the most current version, 1.6, he said.
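The two controls Todd describes, keeping the exchange off the open network and capping how many calls a single account can place at once, can be expressed directly in Asterisk's own configuration. The following is an added example, not from the FBI advisory or from Digium; it assumes a SIP peer named `alice`, an outbound SIP trunk named `trunk`, a hypothetical `[outbound]` dialplan context, and a cap of two simultaneous calls per account.

```ini
; --- sip.conf (added example; peer names and network ranges are constructed) ---
[general]
; Answer failed and unknown-user registrations identically, so an attacker
; cannot tell valid account names from invalid ones by the error returned.
alwaysauthreject=yes

[alice]
type=friend
secret=CHANGE-ME-placeholder   ; placeholder; use a strong per-account secret
context=outbound
; Per-peer ACL: refuse everything, then allow only the internal phone subnet.
; This complements, not replaces, the perimeter firewall Todd mentions.
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
; Asterisk 1.4-style hard cap on simultaneous calls for this one account.
call-limit=2

; --- extensions.conf (added example) ---
; The same cap enforced in the dialplan with GROUP()/GROUP_COUNT(), which
; also works where call-limit is deprecated (1.6). Each outbound call is
; tagged with the originating peer name, so the count is per account,
; not per system.
[outbound]
exten => _1NXXNXXXXXX,1,Set(GROUP()=${CHANNEL(peername)})
; GROUP_COUNT() includes this channel, so a value above 2 means a third call.
exten => _1NXXNXXXXXX,n,GotoIf($[${GROUP_COUNT()} > 2]?toomany)
exten => _1NXXNXXXXXX,n,Dial(SIP/trunk/${EXTEN},60)
exten => _1NXXNXXXXXX,n,Hangup()
; Over the cap: log the account for the operator and return congestion.
exten => _1NXXNXXXXXX,n(toomany),NoOp(Rejected ${CHANNEL(peername)}: over concurrent-call cap)
exten => _1NXXNXXXXXX,n,Congestion()
```

With either control in place, a compromised single account is held to a handful of concurrent calls, and the rejected attempts leave a `NoOp` line in the Asterisk log that an operator can alert on.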

posted @ 10:01 AM