Category Archives: Site Security

A Conundrum Called Adware! (Page 1 of 3)

We, as dedicated computer and software users, have come a long way from the bad days when our computers used to get attacked by vicious-sounding viruses, Trojans, spyware and malware. We are still under constant threat of attack by invisible viruses or spyware. As the word “spyware” became a household name, and as it started creating havoc on thousands of computer systems the world over, security experts and anti-virus software professionals started taking notice of the menace posed by these spyware modules.

Strangely, all this spyware was designed and propagated by the so-called software majors! However, with the passage of time, the word “spyware” became a dirty word among computer users, something to be avoided at any cost! As a result, everyone started to think of spyware as a piece of software that closely monitors your activities on your computer and reports them back to its maker. In fact, all software users were neatly outflanked by these smart operators, who surreptitiously planted their evil creations in computer systems. It was a peculiar situation: people simply abhorred the word “spyware”, and they got irritated when it was suggested to them that their computer systems were being spied upon by these spyware modules. As a result, it was very convenient to label these software items as something very dirty. And it was a good way to make sure that everyone listened to this fact!

But the situation is entirely different today; if you notice, there are a lot of public relations exercises that keep coming at you, non-stop, twenty-four hours a day. Many software majors claim that they are not making spyware anymore, but that they make highly innovative “adware”! Paradoxically, these firms also claim that adware is actually very good for your computer system! Just as computer users were sighing with relief, thinking that they had decisively won the moral war against “spyware”, they were in for a real surprise! Many software majors wanted to push computer users all over the world with a clever strategy that was devised with a novel idea in mind (maybe an ulterior one?).

Though these software majors stopped creating spyware altogether, they found another smart way to outflank computer users! It was very ingenious as well! And it had to be! Someone could now plant legal software right onto your computer, with your own consent, to monitor your online activities and browsing habits! And the amazing thing about these software modules was that there was absolutely no need to send those vital bits of information back to the software company! The program that was installed on your computer system did everything by itself!

These smart software items were designed to do the same thing that spyware did. However, there was no need for any spying with these software modules. The creators of these software programs were intelligent enough to call them “adware”, and their monster creation was promoted by floating a huge publicity campaign. All of this was done to separate adware from spyware!

Implementing Threats, Risk and Security Audits

People used to close business deals with a handshake.

They looked one another in the eye. Today, more and more transactions are electronic, anonymous and, in too many cases, fraudulent. Any organization that stores or moves important information on an electronic network is putting its information at risk. A criminal on the other side of the world or an apparently loyal employee may have the ability to wreak havoc, by stealing, deleting or exposing confidential information.

The Computer Crime and Security Survey, conducted by the Computer Security Institute and the Federal Bureau of Investigation, indicates almost two-thirds of the large corporations and government agencies it surveyed lost money when their computer security broke down.

The survey noted that 9 out of 10 respondents had computer security breaches during the previous 12 months. Proprietary information worth $170.8 million was stolen from 41 respondents. Fraud cost 40 respondents $115.8 million.

When only 45 per cent of executives in North America say they conduct security audits on their e-commerce systems (around the world, fewer than 35 per cent had conducted security audits), it becomes obvious that organizations must improve their defenses quickly.

The first step in protecting information assets is a Threat and Risk Assessment (TRA). Without the information it provides, organizations are in danger of fixing only what is broken and ignoring potential hazards. While the specifics of a TRA will be unique at each organization, a common methodology provides a starting point.

The first step is risk assessment, to identify the most important assets and information: threats and vulnerabilities are identified; solutions are proposed and refined; corporate policies are tightened up; roles and responsibilities are assigned; standards and training are developed.

The next step is the creation of a security plan, with its own procedures, budget and implementation timetable. Once those steps are complete, any new architecture can be rolled out and new procedures put in place. At this point, the new system should be tested from the outside for any remaining weak points.

Finally, to maintain system security, security should be audited on a regular basis to keep pace with both internal changes and evolving external threats. The TRA provides the map, but organizations must make the journey. Consulting companies have identified factors that contribute to the success or failure of an IT security project. Senior managers have to support the project and demonstrate their involvement. Otherwise, their staffs will place a higher priority on other activities.

Business and technical experts should both be involved because solutions that overburden the enterprise are not acceptable. Individual business units should be responsible for their own TRA to prevent foot-dragging during implementation and finger-pointing later. Interestingly, one consultant recommended conducting assessments on a department-by-department basis, rather than all at once. The reasoning is that valuable resources can be narrowly focused, and lessons learned can be carried over to subsequent assessments.

The Threat and Risk Assessment is an important tool. Recent reports show not enough organizations are using it.
