Answers: Top 10 consumer threats to the enterprise

1. This Internet application allows end users to read and write personal email at work by using a Web browser. What is it?
Answer: webmail
Threats: The recent acquisition of email security firm Postini by Google further confirms the importance of securing webmail, crucial considering issues with Gmail security discovered earlier this year. Researchers demonstrated webmail flaws at Black Hat 2007 as well, making this a must-fix for IT admins everywhere.
Resources: Web Application Attacks Learning Guide SearchSecurity.com's E-mail Security School Ask the Security Expert Q&A: Digital certificates and webmail
2. This term describes the practice of copying data from a computer onto a personal storage device such as a USB drive, PDA or iPod. What is it?
Answer: podslurping
Threats: Your data may be your most precious asset. Do you really want to see next season's software, industrial design or previous intellectual property walk out the door? To protect against podslurping and other network intrusions targeting individual computers, experts recommend that administrators develop and enforce effective endpoint security policies.
Resources: Topic: Endpoint Security Learn how to build, implement and maintain secure procedures for keeping your network safe from potentially insecure laptops, desktops, PDAs and other endpoint machines. This Information Security magazine article describes how Parity works for securing workstations and laptops around the office.
3. This real-time communication technology can unwittingly become an "instant" security threat. What is it?
Answer: instant messaging
Threats: Instant messaging (IM) security risks, especially the potential for data leaks and policy breaches, are the biggest reasons businesses and organizations need to secure their IM clients. Security Expert Michael Cobb, in this Q&A, writes that: "As one of the most widely deployed applications on the Internet, instant messaging, or IM, has increasingly become a target for attackers. Threats range from IM-borne viruses, worms, SPIM (spam over IM), malware and phishing attacks. Unfortunately, controlling the use of IM within an organization is quite difficult."
Read the rest of Cobb's answer
Resources: IM security address both risks and compliance requirement.
Review how to secure instant messaging.
Then, try your hand at this short IM quiz from SearchSecurity.com to see if you've internalized what you've learned.
4. When combined with Bluetooth and an Internet connection and a quick shutter finger, this mobile imaging technology can be a potential PR or intellectual property nightmare. ET, don't phone home! What is it?
Answer: picture messaging in camera phones
Threats: Disgruntled employees taking pictures of confidential documents? Prototypes showing up in the background of Facebook photos and blogs? Scary. Perhaps more significant, however, is the possibility that in order to send and receive images, users will disable image filters on Outlook, allowing image spam and phishing attacks to slip through.
Resources: Camera phones: Snapping at workplace privacy? Gartner: A camera phone ban is shortsighted
5. Now that these portable organizational devices have large amounts of flash memory, wireless connectivity and automatic synchronization, there are many new ways for data to escape and for malware to sneak in. What are they?
Answer: PDAs & smartphones
Threats: Unless you've been holding onto your old Palm, the odds are that your current PDA is a BlackBerry or Treo. Losing them may be the primary concern, but viruses can be transferred onto the corporate server when they synchronize.
Resources: BlackBerry vulnerability, mobile viruses are real threats BlackBerry Security White Paper: CIO Guide to Mobile Security Weekly Security Planner: Your PDA/PED Policy
6. This P2P VoIP service may be free, easy to use and allows people to connect through a simple headset and interface, but hackers are finding ways to exploit potential vulnerabilities. What is it?
Answer: Skype
Threats: According to security expert Mike Chapple, "There are certainly some security concerns related to using services like Skype on an enterprise network. Specifically, Skype does not publish the details of its security controls, and some traffic may take place in an unencrypted fashion. Therefore, I would not recommend using the technology for confidential information."
Read the rest of Chapple's discussion of Skype dangers
Resources: High-risk flaws in Skype Skype Trojan: Much ado about nothing? IM, Skype, P2P open security holes: Survey Can Skype phones threaten an enterprise network? Skype: Its dangers and how to protect against them
7. Desktop _____ that display system information and other data, like weather forecasts or stock quotes, have become quite popular. Unfortunately, they can also provide a backdoor into the PCs of end users, along with allowing those latest sports scores to refresh. What are they?
Answer: desktop widgets, like OS X widgets
Threats: Attackers have already discovered how to exploit a flaw in Yahoo!'s Widgets to run malicious code on compromised Windows computers. Few users realize that downloading, installing and running these small applications may open up a vulnerability -- and administrators may not see the issue until it's too late.
Resources: Widgets: The next big security threat? Are desktop gadgets a target for hackers? Security update fixes Yahoo Widgets flaw
8. Enterprise applications delivered through this online, pay-per-service software distribution model may be hijacked or repurposed to allow a number of Web-based attacks, compromising network security. What is it?
Answer: SaaS applications
Threats: Web applications of any sort, including SaaS apps, are exposed to a wide variety of threats and potential vulnerabilities that can put an entire enterprise at risk. Whether the method used is cross-site scripting, command injection, path traversal attacks or buffer overflows, compromised SaaS applications are bad news for everyone.
Resources: Web Application Attacks Learning Guide SaaS apps being deployed by business units, not IT What You Don't Know About SaaS Burton cautions architects on SaaS
9. There's more to worry about than your choice of avatar -- according to Gartner, companies risk damage to their brand and reputation, as well as potentially serious security breaches, by engaging in activities in unmoderated virtual worlds like _____ _____. Where do you need to worry about more than what avatar you've chosen?
Answer: Second Life
Threats: The potential PR damage asserted by Gartner is considerable in the context of the popularity of illicit pursuits in Second Life. While phishing or identity theft scams are still in their infancy in the context of 3-D virtual worlds, the software and updates that the client software frequently requests aren't just a drag on network resources. Like widgets, automatic updates can be used by hackers to bring malware into the user's PC.
Resources: Second Life a security risk for businesses, Gartner cautions Web services and Second Life Second Life job fairs boost IT prospects
10. Malicious users are constantly trying to post malware to Facebook, MySpace and similar sites, where they hope to take control of insecure browsers or naive users. It turns out accepting a friend request may have unintended consequences! What kinds of sites are they?
Answer: social networking
Threats: Beyond browser exploits, an attacker can post a script on a social networking site that will run inside the browsers of those who view the content. Social networking sites so far have been hit mostly by annoying worm, adware and phishing attacks.
Read the rest of Ed Skoudis' explanation of social networking dangers
Resources: What are the risks of social networking sites? Black Hat 2007: Researchers demonstrate webmail, social networking flaws Hackers planning cyberwar on social networking sites Social-networking sites rife with wormable flaws Social networking gone bad
Last updated on: May 07, 2008