Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with IT Risk Management
Showing posts in English
Survey: People Know Online Risks But Often Ignore Them
RyanWhite | 15 Jul 2011 15:20:57 GMT

Surveys are a great window into people’s minds, especially when they can illuminate contrasting, and even contradictory, behaviors in the same group. Results from the Symantec Online Internet Safety Survey have done just that. The most compelling finding—that respondents frequently proceed with online transactions they know might be insecure—inspired me to ask not just, “What are they thinking?” but “What are they thinking?!?”

The survey’s focus must be on many people’s minds, as we’ve had an extraordinary response: 301 people in just a few days! My initial impressions of the results are below. Feel free to share your comments and questions on the original edition of this post.
 

Findings

Risky behavior remains common despite respondents knowing better

...

Read more
Spear Phishing in Google’s Pond
fdesouza | 06 Jun 2011 13:47:32 GMT

Francis deSouza - Group President, Enterprise Products and Services, Symantec

Earlier this week, Google posted a blog stating that the personal Gmail accounts of numerous users, including senior US government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel, and journalists had been attacked. Google said a campaign to obtain passwords appears to have originated in Jinan, China and was aimed at monitoring the contents of these users' emails, with the perpetrators apparently using stolen passwords to change people's forwarding and delegation settings. Google confirmed that it detected and disrupted this campaign and has notified victims and secured their accounts. They have also notified the relevant government authorities.

These attacks appear to be an example of...

Read more
Too Many Hoaxes
Kevin Haley | 20 May 2011 20:25:20 GMT

At first, I was just plain annoyed. Someone forwarded a hoax email to me twice in the same week. I am often asked about hoax email: “Kevin, you work at Symantec, is this true?” That’s fine; that’s not what annoyed me. What set me off was that both emails had been forwarded to warn me. The forwarder wasn’t even questioning the content of the email. They had accepted clearly bogus warnings about the “world’s worst virus” as fact.
 
Then I started thinking about the Twitter discussion I recently had about education. Some security professionals are turned off by education because they don’t believe it works. The rest feel it’s important, but never done right. (I fall into the latter category.) And, I decided that my previous approach to educating people about these hoaxes was not working. Just giving people a link to a Web page...

Read more
Internet Security Predictions for 2011: The Shape of Things to Come
Kevin Haley | 17 Nov 2010 13:50:44 GMT

My prediction is that we are all going to become nostalgic for the days of fame-seeking mass mailers and network worms. Think of LoveLetter, SQL Slammer, and Melissa all crashing millions of systems within hours of being released into the wild. Those threats seem quite quaint these days as we enter the third significant shift in the threat landscape.

We moved from fame to fortune (which we have dubbed “crimeware”) in the last ten years. Mass mailers were replaced by malware that steals credit card information and sells phony antivirus products. Malware has become a successful criminal business model with billions of dollars in play. The goal became stealth and financial gain at the expense of unsuspecting computer users. And Trojans and toolkits, like Zeus, are the modern tools of the trade.

We have now entered a third stage—one of cyber-espionage and cyber-sabotage. Cyber-espionage did not begin with Stuxnet, and crimeware does not end with it. In...

Read more
Banking, Breaches, and Brands – Three Ways Cybercriminals Can Put You Out of Business
Kevin Haley | 15 Sep 2010 13:29:02 GMT

“It can’t happen to me”

Hunters and gatherers. Most people think of cybercrime against business to be the work of hunters such as cybercriminals who target then infiltrate a company to steal from it. Reading the newspaper, it’s easy to convince yourself that these hunters are after big game and a small business does not have to worry about these targeted attacks. Maybe; however, we’ll talk more about that later. The majority of cybercriminals can best be described as gatherers. They throw wide nets and take advantage of whatever victims land in those nets. Small businesses really must watch out for the gatherers.

Because the barrier of entry is low, there are many gatherers. A gatherer doesn’t have to be a criminal genius. They don’t even need advanced computer skills. They really don’t need to know much at all—except where to buy a toolkit. Toolkits allow criminals with limited skills to get...

Read more
Security Industry Best Practices: Black Hat 2010
Gary Phillips | 13 Aug 2010 13:49:04 GMT

Following an industry conference, I find it a good practice for me to reflect back on what I learned and observed and see how I can apply it to my current work. At the conference there is so much to learn and take in, so I find it helps to let it all marinate for a bit of time and then I can start to uncover the new learning once I’m back at my desk and away from the conference buzz. It’s now been nearly two weeks since BlackHat wrapped up and these are the topics and observations from the conference that have been swilling around in my head. I hope to explore these thoughts more with my industry colleagues and find my way to contribute to improving security industry best practices.
 
Cyber security professionals need an education

Education remains an area of concern for cyber security professionals. The perception is that universities are graduating computer scientists and other degreed professionals inadequately prepared to...

Read more
Security Trends to Watch in 2010: A Mid-Year Status Check
Vincent Weafer | 27 Jul 2010 13:18:56 GMT

As 2009 came to a close, we at Symantec looked into our crystal ball and made a few predictions regarding what online security trends we expected to see in 2010. Now that we’re halfway through the year, we’re taking a look back and evaluating ourselves based on how our forecasts are panning out thus far.

Here’s a brief recap of how we think our trend predictions are fairing. We’ve rated each of them as either “on track,” “mostly on track,” “still possible,” or “more likely next year.”

To view an interactive version of this graphic that provides more detail, please click here. Once you do, you can click on each of our predictions and the corresponding mid-year statuses to read more.

...
Read more
Social Media: Can’t Live With it, Can’t Live Without It.
Kevin Haley | 01 Jul 2010 11:56:13 GMT

Despite threats, companies lack policies on social media at work

Nothing has happened to change the mind of IT management in the last several years; social networks remain a major security concern. What has changed is that social media has become more established, and the ability for IT management to block access to social media is less and less likely. According to some survey work we did, there is only a 1 in 20 chance of your company blocking access to social networking sites.

Part of this is no doubt because of the rush by businesses to adopt social networking in their marketing efforts. Companies have started Twitter accounts, created Facebook fan pages, and established a presence in online communities. What’s clear from our survey is that simply having a presence on social networks is good for business. In our survey, 52% of respondents said that a company’s presence on social media positively impacts their opinion of the company. As for keeping...

Read more
IT Governance, Risk, and Compliance – Part II
Marco Ceccon | 21 May 2010 19:30:24 GMT

IT Governance, Risk, and Compliance: A method of analysis based on the Symantec Response Assessment Module (RAM)

Part I of this blog series introduced the concepts of IT governance, risk, and compliance (GRC). To quote:


“In recent times, companies, organizations, and consulting firms from various sectors have started to address the great issues that lie at the base of IT. These issues are governance, risk management, and compliance. Every organization should be able to transform these problems into opportunities to continually improve IT. In practice, everyone realizes that these three issues are related.”

Here I will continue to expand on GRC issues by touching on phases 1.2.1: Design and 1.2.2: Build.

1.2.1    Phase 1: Design

In the Design phase, datacenter security analysis begins and a...

Read more
IT Governance, Risk, and Compliance
Marco Ceccon | 08 Apr 2010 23:24:09 GMT

IT Governance, Risk, and Compliance (GRC): A method of analysis based on the Symantec Response Assessment Module (RAM)

1.1    Introduction
1.2    GRC Analysis: a new method based on the Symantec Response Assessment Module
          1.2.1    PHASE 1: Design
          1.2.2    PHASE 2: Build
          1.2.3    PHASE 3: Assess
          1.2.4    PHASE 4: Operate
1.3    Final conclusions


1.1   Introduction

In recent times, companies, organizations, and consulting firms from various sectors have started to address the great issues that lie at the base of IT. These issues are...

Read more