The federal government designated October as national Cyber Security Awareness Month. In this short video on the White House blog, President Obama explains the importance of cyber security and gives strategies for protecting yourself while online.
Since its inception 15 years ago Websense® has been on the leading edge of Internet security, helping protect businesses, their employees and their essential information from Web-based threats. The combination of our Web, email and data security technologies, along with the research conducted in the Websense Security Labs™, enables us to protect our customers from today’s most advanced online security threats which span multiple attack vectors.
Below, Websense provides some advice for staying secure while using the Web. You can also stay on top of the latest threats by reading the Websense Security Labs blog and by following the Security Labs on Twitter at www.twitter.com/websenselabs.
Keeping Your Web Site Safe From Compromise
In the first half of 2009, Websense Security Labs detected that 77 percent of Web sites with malicious code, viruses and data-stealing worms were actually legitimate sites that hackers had infected. And it’s not just the most popular Web sites that get targeted. The major attacks of the year, including Gumblar, Beladen and Nine Ball each infected tens of thousands of smaller Web sites.
Attackers target smaller sites because there is a perceived lack of security on these sites to protect them from malicious intrusion. This often leaves small business Web sites defending against a disproportionate number of attacks.
Fortunately, there are a few easy steps that small business owners can take to prevent their Web sites from being compromised by hackers:
1) Make sure computers and systems are FULLY patched. Routinely check to ensure you have all software updates in place.
2) If you use forms or a database on your site, make sure you are not vulnerable to injection attacks. This can be checked through penetration testing, security tools or security services, which are now relatively commoditized and inexpensive.
3) If you allow Web site visitors to post comments or upload content to your site, then make sure you scan what visitors are posting with real-time scanning tools that identify and block malicious links or spam. An example of a free tool that scans blog comments for spam is Defensio™.
Protect Yourself from Shortened URLs
More and more businesses are using social networking sites, blogs, Twitter and other Web 2.0 technologies to connect with their customers and partners. However, if left unprotected, they could be susceptible to a growing trend in Web-based threats.
On many Web 2.0 sites, people use URL shortening services like bit.ly or tinyURL when they want to share a link with their friends and followers. The shortened versions mask the destination of the original URL and cybercriminals have begun to exploit the popularity of shortened URLs as a way to trick unsuspecting users to click on malicious links.
If you’re using the social Web, here are three important tips to help you prevent security threats spread by masked URLs:
1) If you are using a browser with plug-ins, download a link previewer. A link previewer will let you either see the true target of a link or will show you a floating preview of the Web page. There are some examples of link previewers in this blog post.
2) If you are a blogger and don’t want your readers to be in danger, use software like Defensio to prevent malicious and spam links from being posted on your comment board.
3) Protect your Internet access with a Web security solution that prevents Web 2.0 threats by scanning Web content in real-time and blocking access to the portion of a Web page or Web site that contains a harmful link.
Spammers are Becoming More Sophisticated
Spammers and malicious email attacks are getting more and more sophisticated. It’s no longer easy to tell spam email simply by looking for an excess of spelling errors and poor grammar. Today’s spammers go to great lengths to customize targeted phishing emails to fool their intended victims. Even FBI Director Robert Mueller recently admitted that he nearly fell for a phishing scam that appeared perfectly legitimate.
Here are some things you need to know about today’s email attacks:
-- Web and email attacks are converging – In the past, email attacks included malicious attachments and tried to trick users into downloading and running executable files. Today, email and the Web have converged as attack vectors. More than 85 percent of spam emails contain links to malicious Web sites. Sometimes all a user needs to do is click on that link to visit the Web site and a keylogger or data-stealing Trojan Horse is automatically installed on their computer.
-- Always be wary of clicking on links in unsolicited emails – If you’ve received an email from a company that you think you recognize (such as your bank) it’s always a good idea to open a new Web browser window and manually type in the URL for that company’s Web site to find the information you need rather than clicking on any links in the unsolicited email – especially if that link asks you to provide account or password details.
-- Small businesses can use email security as a light-weight data loss prevention solution – Email security is not just about preventing external threats from making their way in. It’s also about preventing company confidential information from leaving. By using an email security solution that scans the content of the email, including zipped file attachments and embedded images, companies can prevent sensitive information like credit card numbers or customer data from being emailed outside the company, or force encryption on those emails before they are sent.
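As an added illustration of the last point (example code written for this page, not a Websense product), here is a minimal outbound-mail content check: it walks the text parts and zipped attachments of an email, looks for card-number-shaped digit runs, and keeps only those that pass the Luhn checksum, so that invoice numbers and similar digit runs do not trigger it. The sample message is constructed inline; matched numbers are masked so the findings can be logged safely.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text: str) -> list:
    """Return Luhn-valid card numbers found in text, masked for safe logging."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found

def scan_email(raw: bytes) -> list:
    """Scan text parts and zipped attachments; return (location, masked card) pairs."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            findings += [("body", c) for c in find_cards(part.get_content())]
        elif ctype in ("application/zip", "application/x-zip-compressed"):
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for name in zf.namelist():
                    text = zf.read(name).decode("utf-8", errors="ignore")
                    loc = f"{part.get_filename()}/{name}"
                    findings += [(loc, c) for c in find_cards(text)]
    return findings

def build_sample() -> bytes:
    """Constructed sample: an outbound mail whose zipped 'report' carries a card number."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("customers.csv", "name,card\nAlice,4111 1111 1111 1111\nBob,1234567890123\n")
    msg = EmailMessage()
    msg["Subject"] = "Q3 report"
    msg.set_content("Report attached. Invoice ref 5500000000000004.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="report.zip")
    return msg.as_bytes()
```

A gateway built on this check would hold or encrypt any message for which `scan_email` returns findings; the example stops at detection.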
Protecting Data is no Small Matter
The goal of today’s Web and email attacks is to steal data. Nothing is more essential to the lifeblood of a business than its information. Though massive data breaches make headlines, even small data breaches can cause devastating financial, legal and reputation damage to businesses and their clients.
Data security is imperative for businesses of all sizes. Here are four tips that even small and midsize organizations can take to get started with a data loss prevention (DLP) implementation:
Step 1: Determine how important data loss prevention is in comparison to other security concerns. Begin by asking these questions:
-- What regulations must we comply with that involve confidential data?
-- Do we know where all copies of confidential data are stored?
-- How is sensitive information being used and shared inside and outside our organization?
-- How do employees exchange critical data with business partners and customers, and is it secure?
-- What would happen to our business’ sales, customers and reputation if a data breach occurred?
Step 2: Define what data is deemed sensitive
Once data protection is deemed a priority, the second step is to define what exactly constitutes sensitive data for the business. It can include customer lists, company financial data, trade secrets, marketing plans, credit card numbers, employees’ personal information and more. It’s critical to review all functional areas including legal, finance, human resources, marketing and others to help identify sensitive data.
Step 3: Determine where the primary point of data control should be: at the endpoint, the network, or a combination of both.
Now comes the time to consider what type of DLP solution is right for the organization. Endpoint technologies protect intellectual property from theft or unauthorized dissemination – such as preventing someone from downloading the customer list onto a USB drive and walking out the front door. In contrast, the value of network and discovery solutions lies in monitoring how information is used within the organization so you can identify and correct faulty business processes. Many companies choose to begin with data discovery simply to understand where their sensitive data exists and determine their level of risk.
Step 4: Select the right DLP solution
The final step requires researching and evaluating competing solutions. Take advantage of the readily available research in published analyst reports to identify viable vendors and understand product capabilities. Look for a solution that provides the flexibility to take an incremental approach: if necessary, start with discovery alone, or simply with monitoring data in motion to see how it is being used in the business. Later, you can work your way toward a full data security suite that monitors and controls data at rest and in use, across the entire network and on endpoints like laptops and desktops.