Choose from several options for complete web, email and data security.
Evaluate Websense products by watching demos and installing evaluation software.
Learn how Websense solutions help keep our customer safe, secure and productive
Get information on product updates, support resources and more.
Get the most out of support in five simple steps.
Find tools and assets to help sell Websense solutions.
Come work for the global leader in unified information security.
I recently hosted a Websense customer round-table discussion with 20 CSOs from top U.S. companies. We swapped war stories, hashed out the security challenges they face every day and they shared how they’ve been successful. These CSOs work in a variety of industries, including federal, finance and healthcare. Recently, there have been a number of highly public targeted attacks, which led to a lengthy discussion on spear-phishing. I found their insights very valuable and I wanted to share some key points...
Every day, organizations worldwide are targeted by data-stealing attacks. While these attacks have evolved in frequency and sophistication, many security defenses have failed to adapt. Old techniques don’t address containment against data theft and cybercrime call-home communications. The growing prevalence of cloud apps, along with increases in SSL traffic, mobility and remote users are also adding more blind spots to traditional defenses.
It’s imperative that we continue to stay up-to-date on the latest tactics and tricks. Join me this Wednesday, August 8, 2012 from 10 a.m. - 11 a.m. PT for a webinar on the seven stages of data theft. We’ll be covering each of these steps:
Reconnaissance - Targeted
attackers access credentials and research online profiles, email IDs, org.
chart information, hobbies and interests from social profiles to gain insight
on their victims.
Lures - Designed to prey
on human curiosity, web lures often link to videos or breaking news, while
email lures are more business-focused on transaction and fake delivery notices.
Redirects - Users are
usually directed to a survey, rogue anti virus offer or a fake web page where
an exploit kit is waiting. Traditional redirects are injection attacks, while
newer ones focus on social networking wall postings, fake plug-ins, fake
certificates and heavily obfuscated java script.
Exploit Kits - The
exploit kit objective is like that of a sniper: take the shot with a malware
dropper file only when an open door for tested vulnerabilities is found.
Dropper Files - This stage
is what most people consider the focus of their forward-facing defenses:
analyze every file that comes into the network for malware. The problem is
dropper files use dynamic packers, so known signatures and patterns are not
Call-Home - This stage
involves calling home for malware downloads and tools, and for sending back
information, standard procedure for any successful online attack. The problem
is that most defenses are only forward-facing and do not analyze the outbound
traffic from infected systems.
Data Theft - This is
what they are after. The ability to contain an attack and stop data theft raises
many questions that we will address. Can your defenses detect password files
leaving your network or the use of custom encryption on outbound files?
In addition, we’ll be covering: why current defenses are failing; today’s new security requirements; and the newest, bleeding edge advanced threat and data theft defenses to emerge thus far.
We look forward to having you join the webinar. Bring your questions and be ready to talk threats!
Before we begin, I recommended reading Getting Ready For Data Loss Prevention (DLP). Go ahead, I’ll wait for you…
Back? OK, now let’s talk what comes after; the “How” to implement DLP part.
As a next step, and at the risk of blowing my own horn, consider watching the recording of a webcast I did on April 5 here. You’ll get recommendations on how to deal with issues that are often overlooked in DLP deployments as well as some critical “how to” advice. This I position as an antidote to the all-too-common and none-too-helpful “just do it” approach to DLP advice. Because, on the path to DLP success, there are two deadly pitfalls to watch out for:
The first is in understanding where to start your data protection strategy using DLP (and why). Where to start influences your program’s effectiveness compared to how much risk you are hoping to eliminate from the business.
The second pitfall is in understanding how to execute. The "how" may be the most important part as it ultimately determines how soon you will benefit from DLP and determines the amount of resources that are required.
Surviving one of the pitfalls is hard enough, but trying to get through both on your own is nearly impossible.
Unfortunately, much of the historical “how” started with massive data-discovery projects, which usually meant at least six-months of project consulting before any data is protected.
Not every DLP vendor has the same vision for how to make DLP work, so make sure that you understand your vendor’s approach and agree with it.
Have a listen and let me know what you think.
With the hectic travel schedule of first quarter wrapping up I had some spare time to think about advocating a fresh approach to security for the spring. I know it’s not the beginning of the year, but if your schedule is anything like mine, this may be the first time you’ve had a minute to spare since the calendar moved to 2012. With everything in the threat landscape changing so frequently, it’s important to reassess your current status and plan for the coming year, whenever we can come up for air. So, I came up with the following nine tips to help you get a fresh start this spring:
This Sunday at 2:00 a.m. many of us will be moving our clocks ahead one hour to “spring forward” for daylight savings time. We’ve all heard the suggestion that daylight savings is a good reminder to check your smoke detector or carbon monoxide detector batteries. I’d like to add to that—this is a great time of year to remind yourself to change your passwords for your email, social media, banking accounts and mobile phone.
Also, remember to change the passwords of any application or API that plugs into your credentials, like HootSuite, Tweetdeck or Twitpic.
Here are a few guidelines to get your passwords in the most secure shape:
Do you think data breaches are up or down in 2011 compared to 2007 or 2008? The official answer may surprise you. According to DatalossDB and the 2011 Data Breach Investigations Report by Verizon, the number of records compromised per year has been decreasing since its 2008 peak. But these reports are missing something very important. It all comes down to what is reported. Last year I met with more than 450 CIOs and CSOs, and almost all of them said that incidents are way up. New breaches are constantly making headlines, so why is there a discrepancy between our perception and what these reports are finding?
Many industry reports focus on the never-ending stream of leaked or stolen personally identifiable information (PII). Most laws and industry standards, such as PCI DSS, also concentrate on PII. But there is something that could be more dangerous to lose than PII and that isn't getting enough attention in data breach reports—intellectual property (IP).
As we conduct business in an increasingly cloudy, mobile, and social world, it’s more important now than ever to take data security and privacy into consideration. Data is everywhere and its value is growing exponentially. But with data moving in and out of your organization so quickly—how can you keep it safe?
This is the perfect time of year to ask that question—today is Data Privacy Day. The National Cyber Security Alliance has coordinated various events in the United States and Canada to help facilitate discussions and raise awareness of data privacy and security issues.
In my opinion, the public and private sector must work together to combat the rising tide of data-hungry cyber criminals. Government legislation is and has been making strides toward mitigating cyber crime. In the U.S., 48 out of 50 states now enforce data breach notification laws, which require companies that collect or store personal identifiable information to notify customers if their information is compromised.
And, in Canada, mandatory data breach notification may soon become federal law. The Canadian Parliament is currently reviewing Bill C-12, a proposed update to Canada’s existing privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). At present, PIPEDA currently does not contain any breach notification provisions.
However, as we all witnessed in 2011, legislation alone cannot protect data. According to an upcoming study from the Identity Theft Resource Center (ITRC), previewed in advance by Information Week, in 2011, there were 419 breaches publicly disclosed in the U.S., affecting a staggering 22.9 million records.
This means we still have A LOT of work to do. And, consumers are losing patience. They hold businesses directly accountable for the loss of their personal data and continue to bring class action lawsuits against organizations. This consumer unrest is likely to fuel additional legislation that may punish companies financially for losing customer data. Corporations have to take responsibility.
Here are three key recommendations for protecting customer data:
When we were looking at putting out our Websense Security Labs predictions for 2012, we knew that mobile threats were going to be big this year. While we included one prediction on it, there was one piece that I had thought of, but didn’t include. It’s still a ways away, but Paul Henry has an excellent write up on “QR Codes – Leading Lambs To the Slaughter.”
He correctly points out that these “ultimate url-obfuscators” can be a serious threat down the line.
It’s a good reminder that any applications on workforce mobile devices need to be properly sandboxed from the operating system. We’ve already noted in Websense Security Labs research that there are challenges with certain platforms and there are a number of mobile malware variants, including Trojans on handhelds.
It’s interesting to think QR codes as threats continue to evolve in the mobile landscape. What’s funny is as I was writing this, our Security Labs researches discovered QR codes being used a new way – through a spam campaign.
What do you think about QR codes?
Last week, Lady Gaga became the latest celebrity to have her Twitter account hacked. In this instance the hacker used it to attract clicks to a scam offer for a free iPad. While this scam was designed to collect information rather than inject malware or data stealing code, it was incredibly effective. Hundreds of thousands of clicks happened in a very short amount of time before the post was taken down.
As a Security Researcher in the Websense Security Labs I’m often called upon to explain the dangers associated with these types of hacks, and how to avoid falling victim. It's a tough one because once an account is taken over the hacker mimics/impersonates the true owner of the account. In the Lady Gaga example the twitter hack used the nickname "monsters" in a rogue tweet which is a term her fans will be familiar with. Making it all the more believable.
Here are some tips for staying safe while following celebrities on Twitter...
Follow us on SpiceWorks
We want to hear from you!