The DataGuard Data Protection Newsletter
July/August, 2005

To subscribe: Click Here
Newsletter archives: Click Here
Suggestions, comments: Click Here


Welcome!

If there are any topics you would like to see discussed in the future or if you have any comments, please contact me at JoeT@HighCaliber.com

Bullet Points

  • Puddle Phishing

    Many large banks are all too familiar with the problem of phishing: customers receive an email, as if from the bank, asking for logons and passwords and other personal information. The financial services sector typically accounts for four out of every five phishing attacks. But no matter how many times banks tell customers to take no notice of emails purporting to come from the bank, the scam continues to fool the unwary.

    Phishing scams are increasingly being directed at smaller, more targeted firms, including local banks and credit unions. Websense, a provider of employee Internet management solutions, has coined the term puddle phishing to describe this latest security development. The company warns that the customers of small financial institutions are being targeted.

    Websense monitors 50 million URLs per day, searching for Web sites infected with malicious code, such as spyware and phishing dummies. Earlier this year, it reported that more than 13,000 infected sites were discovered in the first quarter of 2005 alone. They have seen a growing number of small credit unions falling foul of this latest development: more than 30 since the beginning of the year. Dan Hubbard, senior director of security and technology research at Websense, reports that one of the community banks recently under attack operates only 11 branches. Researchers also noted that a credit union that serves employees and staff of the White House was also hit with a phishing scam.

    Customers and users still need education about e-mail scams. The concern is that puddle phishing, presumably, works. "The fact that we are seeing more and more of the smaller financial outlets being targeted by phishing attacks may indicate that this is a highly profitable scam," continues Hubbard.

  • What Is A Firewall?

    A firewall is either hardware or software that stands between your computer and its Internet connection, and provides "access control." Access control is just a fancy way of saying that your firewall determines what can and cannot pass through.

    A computer firewall is very much like the firewall in your car. Your car's firewall keeps the bad stuff from your engine [like heat and exhaust] out of your passenger cabin. But it isn't impervious. It has holes in it to let the good stuff [like the steering column and the brakes] through.

    A good computer firewall, like your car's firewall, keeps the bad stuff out and lets the good stuff through. How?

    1. Computer stealth: it hides your computer from crackers' scans; and
    2. Intrusion blocking: it makes it harder [but not impossible] for crackers to break in.
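
    The following is an added example, not part of the newsletter, that models the two jobs just listed in a few dozen lines of Python: a default-deny stateful filter that remembers connections the host itself opened, lets only policy exceptions in from outside, and silently drops everything else so a scanner never gets an answer. The addresses, the allowed port (22) and the packet sequence are constructed for the demo.

```python
"""Minimal model of a stateful host firewall: default-deny inbound, remember
outbound flows so replies can return, and DROP (never answer) unsolicited
probes. Added example, not code from the newsletter; all addresses, the
policy and the packets below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (arriving from the Internet) or "out" (leaving this host)
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int          # 0 for icmp
    dst: str
    dport: int          # 0 for icmp
    syn: bool = False   # True for a TCP packet that opens a new connection


class HostFirewall:
    def __init__(self, allowed_inbound=()):
        # Policy exceptions: (proto, port) pairs reachable from outside.
        self.allowed_inbound = set(allowed_inbound)
        # Connection table, keyed from the local side, so replies are recognised.
        self.flows = set()
        self.dropped = []   # what a log would show: silently discarded probes

    @staticmethod
    def _flow_key(local_ip, local_port, remote_ip, remote_port, proto):
        return (local_ip, local_port, remote_ip, remote_port, proto)

    def check(self, pkt):
        """Return the verdict for one packet: "ACCEPT" or "DROP"."""
        if pkt.direction == "out":
            # Outbound traffic passes and is remembered so its reply can come back.
            self.flows.add(self._flow_key(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ACCEPT"
        key = self._flow_key(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.flows:
            return "ACCEPT"                      # reply to something this host asked for
        new_tcp_or_not_tcp = pkt.proto != "tcp" or pkt.syn
        if (pkt.proto, pkt.dport) in self.allowed_inbound and new_tcp_or_not_tcp:
            self.flows.add(key)                  # accepted a new inbound connection
            return "ACCEPT"
        # Default deny. DROP (silence) rather than REJECT (an RST/ICMP answer):
        # a scanner that gets nothing back cannot even tell the host is there.
        self.dropped.append(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "DROP"


def run_scenario():
    """Constructed packet sequence; returns {label: verdict}."""
    fw = HostFirewall(allowed_inbound={("tcp", 22)})     # only SSH is exposed
    me, web, scanner, admin = "192.0.2.10", "198.51.100.80", "203.0.113.7", "203.0.113.50"
    packets = [
        ("browse out",    Packet("out", "tcp", me, 40000, web, 80, syn=True)),
        ("web reply",     Packet("in", "tcp", web, 80, me, 40000)),
        ("ping probe",    Packet("in", "icmp", scanner, 0, me, 0)),
        ("scan 445",      Packet("in", "tcp", scanner, 55555, me, 445, syn=True)),
        ("ssh in",        Packet("in", "tcp", admin, 55556, me, 22, syn=True)),
        ("spoofed reply", Packet("in", "tcp", scanner, 80, me, 40000)),
    ]
    return {label: fw.check(p) for label, p in packets}


if __name__ == "__main__":
    for label, verdict in run_scenario().items():
        print(f"{label:14s} {verdict}")
```

    The "spoofed reply" case is why state matters: the packet is addressed to a port this host really is using, but it comes from the wrong peer, so it does not match any remembered flow and falls through to the default drop.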

  • Four Security Oversights

    All computer security measures are aimed at one thing — keeping intruders away from private information. Here are the five worst security practices found in businesses both large and small:

    1. Failing to enforce policies. If your organization wants good security practices, it must establish a clearly enunciated set of policies. Among other things, these policies must define basic usage rules, such as never opening strange emails, surfing random sites on personal business, or downloading files from the Web.
    2. Ignoring new vulnerabilities. Basically, many security managers are not keeping up with available patches.
    3. Relying too much on technology. Another big mistake is relying excessively on technological fixes and paying too little attention to actually using them. For example, if you tell upper management that you've installed the latest firewall or the top antivirus software, they'll think you've done your job. But unless you've carefully configured that firewall and maintained the antivirus software, you really haven't done much of anything.
    4. Failing to thoroughly investigate job candidates. The fourth biggest mistake is failing to properly screen job candidates for criminal records or even poor financial decisions, especially for candidates outside of the IT department.

  • Don't Forget to Protect Limited Critical Systems

    Organizations often have plans in place that detail what must be done if a catastrophic event takes out their entire data center or makes it inaccessible. However, they frequently fail to prepare for the loss of one critical system. For example, there is no plan in place that describes what to do if the firm's Internet connection goes down or if a single file server fails.

    These types of outages can be protected against using some sort of "high availability" solution. In the case of the Internet connection, a redundant connection from a different provider can be obtained and automatic failover can be accomplished in the event the primary line goes down. Having a spare server available or, at a minimum, critical spare parts, might be an adequate solution for a file server outage. Of course, the solution you choose depends on your tolerance for downtime. The longer you can tolerate a critical component being out of commission, the less expensive the high availability solution will have to be, as a general rule.

    The point is, when you write your Business Continuity Plans, you should not just plan for catastrophic events like 9/11. You should give some thought to smaller "disasters" that might only affect one or two components of your IT infrastructure.

  • Protect Yourself From Phishers

    http://netsecurity.about.com/od/secureyouremail/a/aa061404_2.htm

File-Sharing Risks

Internet file-sharing technology is a popular way for users to exchange, or "share," files stored on their computers. Peer-to-peer (P2P) applications (commonly used to share music files) are the most common forms of file-sharing technology.

Unfortunately, this technology can make your systems susceptible to risks such as virus/scumware infection, attack, or exposure of personal information.

Risks introduced by file-sharing technology include:

  1. Malicious programs. It is almost impossible to verify that the source of shared files is trustworthy. File sharing applications are often used by attackers to transmit spyware, viruses, Trojan horses, or worms.
  2. Exposure of sensitive information. By using P2P applications, you may be giving other users access to personal information. Whether it's because certain directories are accessible or because you provide personal information to what you believe to be a trusted person or organization, unauthorized people may be able to access sensitive information.
  3. Susceptibility to attack. Some P2P applications may ask you to open certain ports on your firewall to transmit the files. This may give attackers access to your computer or enable them to attack your computer by taking advantage of any vulnerabilities that may exist in the P2P application.
  4. Denial of service. Downloading files causes a significant amount of traffic on your network and may tie up the PC's CPU. This may reduce the availability of certain programs or may limit your access to the Internet.
  5. Legal issues. Files shared through P2P applications may include pirated software, copyrighted material, or pornography. If you download these, even unknowingly, you may be faced with fines or other legal action. If your computer is on a company network and exposes customer information, both you and your company may be liable.
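
The second risk above (a share that quietly hands out more than the user intended) is easy to check for before a folder is ever exposed. The script below is an added example, not from the newsletter: it walks a would-be share the way a P2P client would, and flags files with telltale names, files whose first 64 KiB contain credential- or SSN-like text, and links that point outside the share root. The folder layout, file contents and name/content patterns are constructed for the demo; run it with a real folder path to audit that folder instead.

```python
"""Audit a folder before a P2P client shares it: report what an outsider could
actually pull from it. Added example, not code from the newsletter; the demo
layout, file contents and heuristics below are constructed."""
import os
import re
import sys
import tempfile

# File names that usually mean personal or credential data (constructed heuristics).
SENSITIVE_NAME = re.compile(r"password|passwd|\btax|\bssn\b|account|statement|\.pst$|\.qif$", re.I)

# Content checks, applied to the first 64 KiB of each file.
CONTENT_PATTERNS = [
    ("ssn-like number", re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")),
    ("credential", re.compile(rb"password\s*[:=]", re.I)),
]


def audit_share(root):
    """Return {path relative to root: sorted [reasons]} for risky entries."""
    findings = {}
    root_real = os.path.realpath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            # os.walk does not descend into linked directories, so at least report them.
            link = os.path.join(dirpath, name)
            if os.path.islink(link):
                findings[os.path.relpath(link, root)] = ["linked directory, contents not audited"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            # A shortcut/symlink inside the share can hand out any file on the disk.
            if not os.path.realpath(path).startswith(root_real + os.sep):
                reasons.append("link escapes share root")
            else:
                if SENSITIVE_NAME.search(name):
                    reasons.append("sensitive filename")
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(64 * 1024)
                except OSError:
                    head = b""
                for label, pattern in CONTENT_PATTERNS:
                    if pattern.search(head):
                        reasons.append(label)
            if reasons:
                findings[os.path.relpath(path, root)] = sorted(reasons)
    return findings


def build_demo_share(base):
    """Constructed layout: a music share that also leaks private material."""
    share = os.path.join(base, "Shared Music")
    docs = os.path.join(base, "My Documents")
    os.makedirs(share)
    os.makedirs(docs)
    with open(os.path.join(share, "track01.mp3"), "wb") as fh:
        fh.write(b"ID3\x03\x00" + b"\x00" * 32)              # harmless
    with open(os.path.join(share, "passwords.txt"), "w") as fh:
        fh.write("password: hunter2\n")                        # credentials left in the share
    with open(os.path.join(share, "notes.txt"), "w") as fh:
        fh.write("remind Bob, SSN 123-45-6789\n")              # bland name, sensitive content
    with open(os.path.join(docs, "taxes.xls"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0" + b"\x00" * 16)           # outside the share...
    # ...until a link to it is dropped into the shared folder.
    os.symlink(os.path.join(docs, "taxes.xls"), os.path.join(share, "archive.xls"))
    return share


def demo():
    with tempfile.TemporaryDirectory() as base:
        return audit_share(build_demo_share(base))


if __name__ == "__main__":
    result = audit_share(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, reasons in sorted(result.items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Note that archive.xls is flagged purely because it resolves outside the share; its name passes the filename check, which is why the link test comes first and stands on its own.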

I can think of no good business reason to allow people to use these applications on a corporate network.

Related Services from High Caliber Solutions:
    Data Protection Services
    Disaster Planning
    Email Archiving