More midsize companies are being attacked by cybercriminals at the same time they're spending less on security, says a McAfee report released Wednesday.
Across the world, more than half of the 900 midsize businesses (51 to 1,000 employees) surveyed by McAfee for its report, The Security Paradox, said they've seen an increase in security breaches over the past year. Despite the threat, the recession has caused most of these companies to freeze their IT security budgets.
McAfee found that the costs of dealing with a security attack can be high. Over the last year, one of five midsize companies surveyed lost $41,000 in sales on average as a result of a breach. In China alone, 38 percent of the businesses questioned lost an average of $85,000 due to an attack. And more than 70 percent believe a serious data breach could put them out of business, noted the report.
But as the recession has grown, IT budgets have dropped. Almost 40 percent of the companies trimming their IT security budget plan to limit the purchase of new security products. And more than a third are switching to cheaper security software to cut expenses, even though they realize that may put them at greater risk.
"An organization's level of worry and awareness about increasing threats has not overcome the downward pressure on budgets and resources," said Darrell Rodenbaugh, senior vice president of global midmarket for McAfee, in a statement. "But this creates a vicious cycle of breach and repair that costs far more than prevention."
Midsize companies also may underestimate their risk, according to McAfee. Among companies with fewer than 500 employees, more than 90 percent believe they're protected from cybercriminals and feel they don't face the same threats that larger firms do.
But McAfee discovered that businesses with 101 to 500 people had on average 24 security breaches over the past three years, compared to 15 breaches for those with 501 to 1,000 employees.
In the long run, dealing with the aftermath of a security attack eats up a company's time and expenses. The study found that 65 percent of firms spend less than four hours a week on IT security, but around the same percentage have spent more than a day recovering from security breaches.
"Our research shows that organizations that put more effort on preventing attacks can end up spending less than a third as much as those that allow themselves to be at risk," said Rodenbaugh.
The study was conducted by research firm MSI International, which surveyed 100 midsize businesses in each of the following countries: U.S., U.K., Australia, Canada, China, France, Germany, India, and Spain. The results were compared with prior studies done in North America and Europe.
ORLANDO, Fla.--OK, IT managers, it's time to loosen up.
That's how analysts advised Gartner Symposium attendees here Monday, arguing that corporate computing departments shouldn't block social networking and that security shouldn't completely lock down communications with the outside world. And even if information technology authorities want to shut down such activity, they can't.
"Banning access to social media from the corporate network is futile," said Carol Rozwell, a Gartner vice president. "The world we live in is digitally enabled and socially connected."
The advice reflects the transformation of the information technology world as the Internet steadily pervades more and more corners of everybody's life. Although the Gartner event historically has concerned itself with matters such as justifying the expense of a new enterprise resource management computing system, the broadening show reflects the growing scope of work that IT managers face.
Overall, companies must acknowledge that not everything is under control of their own top-down administration, said Peter Sondergaard, senior vice president of research at Gartner.
"We're moving from control to greater autonomy," Sondergaard said. Managers also must find an appropriate place on the spectrums of in here vs. out there and owned vs. shared.
With security and cloud-computing both hot-button topics, Verizon Communications and McAfee are joining forces to offer customers a combination of the two.
Verizon's business unit and McAfee announced Thursday a new joint venture to sell cloud-based security products and services to large businesses and government agencies. With more companies tapping into the "cloud" to lower costs and outsource administration, McAfee and Verizon will sell a new suite of cloud-based security products, expanding on Verizon's current lineup.
Managed by Verizon, the new cloud-based services will offer an array of security products, including firewalls, intrusion prevention, anti-malware, and Secure Sockets Layer (SSL) virtual private networks (VPNs).
"This strategic agreement with McAfee enables us to drive even more complete and integrated IT solutions to enterprises across the world," said Kerry Bailey, senior vice president of Verizon Business global solutions. "Our newly expanded and next-generation cloud capabilities will enable organizations to better use security as a strategic tool and business enabler."
The team-up will also allow Verizon and McAfee to tap into each other's portfolio of products and services.
Verizon will offer its customers McAfee's entire line of security software and will soon provide McAfee's PCI (Payment Card Industry) compliance services to banks and other organizations that need to secure credit card data.
The PCI services will be targeted to "Level 4" merchants--businesses that manage up to 1 million credit card transactions each year. Verizon said this business class is at the highest risk for security breaches and accounts for one-third of all credit card transactions. In April, Verizon released a report showing that more payment card records were breached in 2008 than in the previous four years combined.
McAfee's customers will now be able to contact Verizon's network of 1,200 security professionals for assistance on setting up and managing in-house security.
Finally, Verizon will help McAfee consolidate its data centers, so that McAfee can better offer 24/7 management for its own Web hosting and cloud-based services.
Verizon and McAfee will target the new products and services to small-to-medium companies, large enterprises, and government entities.
McAfee has been pushing to grow beyond the consumer market through a series of deals and acquisitions. In July, the company said it would buy MX Logic, which provides cloud-based e-mail and other services. In May, McAfee bought white-listing vendor Solidcore.
The tech world is all too familiar with Twitter's "fail whale" and has become accustomed to Gmail failures (which are inevitably chronicled on Twitter). And while sometimes it's infrastructure (such as routers and switches) rather than software that fails, it often seems as if we too readily accept that software will inevitably break down.
Mark Donsky, director of product management at Coverity, recently commented on a static analysis of open-source projects performed on the Scan site that showed a 71.9 percent correlation between the number of lines of code and the number of defects found.
This is, of course, not an open-source problem but a general issue that occurs as more code is integrated into products. I've been told that Windows is developed with two quality assurance people to every engineer as the product has grown over the years.
Coverity is focused on software integrity and advocates static analysis early in the development cycle. While testing of all kinds, including static analysis, is obviously a good idea, the tools and methods vary dramatically by engineering organization. The Software Engineering Institute (SEI) at Carnegie Mellon University and the Object Management Group (OMG) recently paired up to form a consortium to establish standards for software quality.
Mozilla on Wednesday released two new versions of its browser, Firefox 3.5.3 and 3.0.14, that patch three critical security holes and fix assorted other bugs.
The updates can be fetched through the Help menu's Check for Updates option, or can be downloaded directly.
Although Mozilla still supports the 3.0 version, it's pushing people to the 3.5 version, and support for the 3.0 series will end in a few months. Version 3.5, released in June, supports a variety of new Web page technologies and includes a faster JavaScript engine for running Web-based programs.
Interested folks can read the release notes.
Mozilla on Monday released two new versions of Firefox, 3.5.2 and 3.0.13, to patch two critical security holes. You can download the Windows and Mac versions of 3.5.2 from CNET Download.com, or go to Mozilla for the Linux build and Firefox 3.0.13.
"We strongly recommend that all Firefox users upgrade to this latest release," Mozilla said in a blog posting about the security issue.
The first vulnerability could let an attacker run arbitrary code on a person's computer by sending specially crafted authentication information, called a certificate.
The second vulnerability, disclosed last week, involves a flaw in certificate authentication technology that could potentially let an attacker gain access to encrypted information or issue a bogus update to Firefox.
IBM has purchased Ounce Labs, a privately held software security provider, the companies said Tuesday.
Software developers often face both security and compliance issues with their products. Ounce Labs uses its technology to scan the source code of an application, hunting for security holes and compliance failures. Ounce tries to track down problems early on in a product's development when they're easier and cheaper to fix.
IBM will integrate Waltham, Mass.-based Ounce Labs into its Rational software business, which offers security and compliance testing. Big Blue said it believes that the combination of Ounce Labs and Rational will provide its customers with security analysis from source code to final production.
"The complexity of today's systems and the sophistication of attacks require comprehensive technology," said Daniel Sabbah, general manager of IBM Rational Software. "The acquisition of Ounce Labs allows IBM to provide customers an end-to-end application security-testing solution for managing security and compliance across all stages of the software delivery process."
Ounce Labs, which was founded in 2002, recently sponsored a survey that showed many CEOs and their executive officers don't necessarily see eye to eye on key security issues.
Big Blue is in a buying mood. Ounce Labs is IBM's second acquisition deal of the day, with the company just announcing that it will acquire business analytics forecaster SPSS for $1.2 billion.
The terms of the Ounce Labs acquisition were not disclosed.
Microsoft has failed to remove a long-recognized Windows Explorer security risk from Windows 7, according to security company F-Secure.
The "hide extensions" feature, which was present in Windows NT, 2000, XP, and Vista, is also included in the Windows 7 release candidate, Mikko Hypponen, F-Secure's chief research officer, said Tuesday in a blog. The feature could allow virus writers to trick users into opening and running malicious files, he added.
"In Windows NT, 2000, XP and Vista, Explorer used to hide extensions for known file types," Hypponen said. "And virus writers used this 'feature' to make people mistake executables for stuff such as document files."
For example, malicious code writers could name a "virus.exe" file as "virus.txt.exe" or "virus.jpg.exe," he said. Windows Explorer would then hide the .exe part of the filename, meaning that the user would only see "virus.txt" or "virus.jpg." Additionally, virus writers could change the icon displayed with the file in Windows Explorer so it looks like the icon of a text file or an image. Users might then click on the disguised file.
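The double-extension trick above is easy to check for on a defender's side: take the name Explorer would display, compare the extension a user would infer from it against the file's real extension, and flag the mismatch. The following is an added example, not code from F-Secure or Microsoft; the extension lists are illustrative subsets (Explorer's real list is driven by registered file types), and the directory listing is constructed.

```python
import os

# Illustrative subset of extensions Explorer hides when "Hide extensions for
# known file types" is on. Explorer's real list comes from registered types.
KNOWN_EXTENSIONS = {
    ".txt", ".jpg", ".png", ".pdf", ".doc", ".docx",
    ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js",
}

# Illustrative subset of extensions that run as programs when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".pif"}


def displayed_name(filename: str, hide_known: bool = True) -> str:
    """Return the name Explorer would show: the final extension is dropped
    when it is a 'known' type and extension hiding is enabled."""
    stem, ext = os.path.splitext(filename)
    if hide_known and ext.lower() in KNOWN_EXTENSIONS:
        return stem
    return filename


def is_disguised_executable(filename: str) -> bool:
    """True when the real extension is executable but the displayed name
    ends in a different, non-executable extension (e.g. 'virus.txt.exe')."""
    real_ext = os.path.splitext(filename)[1].lower()
    shown_ext = os.path.splitext(displayed_name(filename))[1].lower()
    return (
        real_ext in EXECUTABLE_EXTENSIONS
        and shown_ext != ""
        and shown_ext not in EXECUTABLE_EXTENSIONS
    )


def scan_names(filenames):
    """Return (real name, displayed name) pairs for every disguised executable."""
    return [(f, displayed_name(f)) for f in filenames if is_disguised_executable(f)]


# Constructed sample directory listing for the demonstration.
SAMPLE_DIRECTORY = [
    "report.txt",
    "virus.txt.exe",
    "holiday.jpg.exe",
    "setup.exe",
    "notes.docx",
    "invoice.pdf.scr",
]

if __name__ == "__main__":
    for real, shown in scan_names(SAMPLE_DIRECTORY):
        print(f"Explorer shows {shown!r}, but the file is really {real!r}")
```

Note that `setup.exe` is not flagged: its displayed name `setup` carries no extension, so there is nothing to mislead the user about. The durable fix is to turn off "Hide extensions for known file types" so the real extension is always visible; this script only surfaces names that would be deceptive while the option is on.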
The blog post appeared on the same day that Microsoft had been scheduled to make the Windows 7 RC1 available for download to the public, although the OS release did in fact arrive early. Microsoft made its Windows 7 release candidate available to MSDN and TechNet subscribers Thursday. Microsoft hasn't yet given a release date for the final product.
Microsoft had not responded to a request for comment at the time of writing.
Tom Espiner of ZDNet UK reported from London.
Google released a new version of its Chrome browser Thursday to fix a high-severity security problem.
The problem affects Google's mainstream stable version of Chrome and is fixed in the new version 1.0.154.59 (download). Google has built Chrome so it updates itself automatically with no user intervention, though the software must be restarted for the new version to run.
The security problem, reported April 8 by Roi Saltzman of the IBM Rational Application Security Research Group, allowed cross-site scripting attacks. Such methods can make a Web browser process unauthorized code such as JavaScript, enabling a variety of attacks, including impersonation or phishing.
Mark Larson, Google Chrome program manager, described the problem this way in a blog posting Thursday:
An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.
If a user has Google Chrome installed, visiting an attacker-controlled Web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice. Such an attack only works if Chrome is not already running.
The Cloud Security Alliance, whose founding members include eBay, PGP, and Qualys, is seeking to promote the best ways to secure cloud computing and outline how to use cloud computing for the protection of other types of computing.
"The very nature of how businesses use information technology is being transformed by the 'on-demand' cloud-computing model," Dave Cullinane, chief information security officer for eBay, said in a statement. "It is imperative that information security leaders are engaged at this early stage to help assure that the rapid adoption of cloud computing builds in information-security best practices without impeding business."
Cloud-computing leaders Amazon, Google, and Microsoft are not listed on the group's Web site as members. The organization is expected to reveal more information about participating companies at its official launch. This is scheduled to take place at the RSA Conference in San Francisco on April 21, where the alliance will present a white paper titled "Guidance for Critical Areas of Focus in Cloud Computing."
While cloud computing has been touted as an efficient way to cut costs, organizations including Hewlett-Packard have noted business concerns around ensuring the security, performance, and availability of Internet-based services. Security experts have said cloud computing presents a challenge for businesses, as it calls for a change in the way they think about security.
"Traditionally, if you want to keep data safe you lock it away or keep it underground. Suddenly, you say I have to give it to a third party," analyst Jon Collins of Freeform Dynamics told CNET News sister site ZDNet UK recently.
Tom Espiner of ZDNet UK reported from London.