Social media and intranet case studies, best practices, & evolution by Toby Ward.
Clickjacking threatens your security

It’s not a virus, Trojan, or a denial of service attack. The latest threat to your browser, computer, and network is clickjacking. Clickjacking occurs when you visit a malicious web page that lets the attacker take control of your browser; specifically, it can force your browser to click any link the attacker chooses.

 

THE THREAT

 

According to the latest Wikipedia definition:

 

“Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.”
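As an added example (not from the original post or from Wikipedia), the check below reads a site’s response headers and reports whether browsers will refuse to render the page inside another site’s frame, which is what denies a clickjacking page the chance to overlay it and “click” it for you. The header values and page names are constructed samples; X-Frame-Options and Content-Security-Policy are the real headers involved.

```python
"""Classify a page's defence against being framed by another site.

Added example, not part of the original post. The header sets in PAGES
are constructed; the header names are the real ones browsers honour."""


def csp_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None
    when the policy has no frame-ancestors directive."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_protection(headers):
    """Classify anti-framing protection from a dict of response headers.

    Returns one of:
      'csp'  - Content-Security-Policy frame-ancestors restricts framing
      'xfo'  - only the legacy X-Frame-Options header restricts framing
      'none' - any origin may frame the page (clickjacking exposure)
    Header-name lookup is case-insensitive; a CSP frame-ancestors directive
    takes precedence over X-Frame-Options, as it does in current browsers."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    ancestors = csp_frame_ancestors(csp) if csp else None
    if ancestors is not None:
        # 'none', 'self' or an explicit origin list all block arbitrary framers;
        # a wildcard or a bare scheme source lets any site frame the page.
        if any(src in ("*", "http:", "https:") for src in ancestors):
            return "none"
        return "csp"
    xfo = lower.get("x-frame-options", "").strip().upper()
    # ALLOW-FROM is ignored by current browsers, so it counts as no protection.
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"


# Constructed header sets for three hypothetical intranet pages.
PAGES = {
    "policy-portal": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy-hr-app": {"X-Frame-Options": "SAMEORIGIN"},
    "news-widget": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in PAGES.items():
        print(f"{name}: {framing_protection(hdrs)}")
```

Pages that report "none" are the ones a malicious page can load in an invisible frame; the fix is to emit frame-ancestors (or, for older clients, X-Frame-Options) from the server or CMS template.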


Read my entire blog post Clickjacking threatens your security (Content Matters)



Poor intranet policy management could lead to lawsuits

A new poll from a vendor shows that nearly 50% of UK organisations could be leaving themselves open to litigation through managing their corporate policies primarily on the intranet (see Businesses warned over use of intranet).

 

I could not find the actual poll results and the company that conducted the poll, NETconsent, does not make it readily available on its website. This sounds like another marketing exercise masquerading as scientific research... but regardless the information is worthwhile.

 

The marketing states that the “poll reveals that many organisations have a passive and potentially dangerous attitude towards managing their policies. Intranet implementations that grow organically can prove challenging to manage and might no longer meet the increasing compliance requirements for such processes.”

 

NETconsent highlights the following “dangers of managing policies over the Intranet”:

 

  • No proof – Simply making a policy available for reading on the intranet is not sufficient. In the instance of a legal challenge companies need to demonstrate that an employee has agreed to the policy in question, if not also read and understood it.
  • Out of date / inaccurate – Policies need updating on a regular basis. If policies are not kept up to date with company and legislative changes, employees may be reading and agreeing to inaccurate information, leaving the company open to risk.
  • Understanding – Without measures to ensure that policies are read and understood, organisations do not know whether their policies are viable and effective.
  • Relevance – Many policies will only be relevant to a set group of people. Managing policies through the intranet may make it confusing for employees to identify which policies are relevant to them. Ideally policies should only be targeted at the relevant employees.
  • Access – In many organisations not all employees have access to the intranet or use it on a daily basis. This may result in employees being unaware of policy changes or unable to access policy documents.

 

I believe the use of “danger” to be rather strong here, but I’ll let each reader judge for themselves vis a vis the present intranet environment and culture at their respective organization.

 

“The research indicates just how many businesses rely on the Intranet to communicate policies,” says Dominic Saunders, NETconsent’s Operations Director. “While it is encouraging that companies are using policies to educate their employees and protect themselves, managing them over the intranet might not be enough.

“Without evidence of the signed document, employers are leaving themselves open to risk. In the event of a breach of policy, organisations need to be able to demonstrate not only that they have a policy in place but that the employee concerned has seen and agreed to the document.”

 

How can you tell both lawyers and marketers are involved in this announcement? Fear and legalese can together form a very powerful marketing punch.

 

I’ve not heard of a company that was sued because each and every employee did not sign-off on an intranet policy. If it’s stated and available through a link on every single page (via CSS template) then that should suffice. I’m not saying that such a lawsuit is not possible, it obviously is possible, but I’ve not seen or heard of one as of yet.  

 

NETconsent is of course raising the possibility of potential lawsuits under some circumstances in order to sell companies their product – which by no coincidence helps “mitigate risks” by maintaining “full and accurate records of written policies.” Fair enough.

 

NETconsent Ltd. “is the world-leading vendor of effective policy management software solutions and corporate communications.”

 

NETconsent’s “Tips for better Policy Management” include:

  • Ease of use – The more policies that are managed through the intranet the more updates and changes will be required. To minimise the time spent on managing policies by staff it should be easy to create, update, distribute and monitor responses of new and revised policies.
  • Updates – Keep all policies updated and current in line with corporate culture, working practices, legal precedents and legislation changes.
  • Record agreements – Maintain records of employee agreement to relevant active policies, whilst retaining a full archive of agreements to previous policy versions.
  • Access for all – Ensure that all employees, including those that work from home or remotely, have access to the central policy repository.
  • Control – Make sure that access to ‘author rights’ for policies is tightly controlled and only nominated persons can make changes to policies and policy records.
  • Understanding – Randomly test employees’ understanding of policies to determine whether further education or policy reviews may be required.
  • Check – Carry out checks to ensure that any required policy agreements can be accessed for evidence at short notice.

 

About the poll

 

“The results were taken from a telephone poll of 100 UK HR and IT managers, working in a range of sectors including technology, government and professional services, across a variety of company sizes.”

 


 

Criminals work smarter to take your money

There’s more of your money to take; and the crooks are using more technology to take it.

 

eBay and PayPal phishing e-mails are becoming more and more prevalent. And now the dirty little crooks are no longer relying on e-mail alone to get you to cough up your dough. Some criminals have learned that we’re becoming more cautious about these e-mails – so they’re setting up fake call centers so that you phone in and give your personal information after you receive the e-mail.

Phishing schemes often start with misleading spam urging people to visit a fraudulent website designed to mimic the real business website (such as eBay or PayPal). Once unsuspecting people go to the site they’re asked to give personal information – or are loaded up with spyware, such as programs that track and log your keystrokes.

According to Symantec's latest Internet Security Threat Report, there were 7.92 million phishing attempts per day during the second half of 2005, compared with the 5.7 million attempts per day it reported for the first half of 2005. And the attacks are becoming sneakier and more sinister.

Criminals Increasingly Blend IT Threats is an interesting read from eWeek: “As businesses and home users have become increasingly savvy about traditional threats delivered via e-mail attachments, criminals are finding new ways to lure end users to consume their attacks, according to the report. Researchers specifically cited a growth in the number of threats that use spam e-mail messages or IMs to distribute links to Web sites where malware or spyware is secretly downloaded to end users' computers.”

 

One of the keys to identifying a phisher is looking at the URL requesting you to update your information. For example, rather than sending you to the real PayPal URL www.paypal.com, a phisher would have you go to a dummy site with a similar URL (e.g. paypal.palpay.com). Now, one crook even used a URL hosted on PayPal's legitimate site that had been altered by cyber-criminals using a “so-called cross-site scripting attack.” Little bastards!

 

Here are some tips from MailFrontier (Top Ten Tips for Finding a Phish) to avoid being scammed:

 

    1. Know thyself: Know the online companies you deal with. When a suspect email arrives, remember: it could be fraud, it's definitely spam, and it is definitely not for you. Delete it.
    2. Subject matters: Consider the subject line of an email carefully. Citibank will never send you an email headed “_Citiibank_account_update ACT-N0W”. These messages may get through spam filters because they appear to come from a reputable source, but that doesn’t mean it’s really from Citibank.
    3. Learn the language: Understand how the companies you deal with want to interact with you. For example, banks usually want you to access your account through their website–not an email link. “Phishing” emails stand out because they don’t follow the rules.
    4. Browsing around: Practice safe browsing. Open a new browser window each time you log on to a web site that displays personal information. When you are done at that site, log out and close that browser window.
    5. Spelling counts: Be sure to read emails that say they are from companies you know. Sometimes a real email will have a spelling or grammatical error, but anything more than one error is suspicious.
    6. Mousing around: Scroll over the links in emails you receive and check them. In some email systems, you can scroll over the different links in an email and see the actual contents of the link. If the email says PayPal, but the link content says “www.paipall.com”, be careful. And note: URLs can be disguised—so don’t take a suspect link at face value.
    7. All form, no function: Never enter your personal or credit information into a form in an email. If you feel the email is legitimate, call the company or visit their web site and log in to provide the requested information.
    8. It’s personal: Expect good customer service. Unless your name is “eBay User” or “johndoe99”, most “phishing” emails are not personalized. If you receive a “Dear Customer” email, it may be time to move on.
    9. Make a statement: Read your statements – every one, every month to ensure your charges and debits are correct. Often information obtained through phishing is not used right away. Stay vigilant and report any suspicious activity immediately.
    10. Stay current: Use and maintain your email protection software for spam blocking, fraud blocking, and anti-virus. If you have any questions, there are many fine web sites which can provide the latest information on the latest virus, “phishing” attack, or on-line scam.
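As an added example (not part of the original post or of MailFrontier’s tips), the script below applies tip 6 mechanically: it pulls every link out of an HTML e-mail and flags those whose destination domain does not belong to the brand the link claims to be, using the look-alike hosts named in the post (paypal.palpay.com, www.paipall.com) in a constructed sample message. The brand-to-domain table and the “last two DNS labels” rule for the registered domain are simplifying assumptions.

```python
"""Flag links in an HTML e-mail that name a brand but lead elsewhere.

Added example, not from the original post. KNOWN_BRANDS and SAMPLE_EMAIL
are constructed; registered domain = last two labels (assumption: no
multi-part public suffixes such as co.uk)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed table: brand name as shown to the user -> its real registered domain.
KNOWN_BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com", "citibank": "citibank.com"}


def registered_domain(host):
    """Return the last two labels of a host name, so that
    'paypal.palpay.com' -> 'palpay.com' (the PayPal label is just a subdomain)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return [(href, reason)] for links that mention a known brand (in the
    visible text or in the host) but resolve to a different registered domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        actual = registered_domain(host)
        for brand, real in KNOWN_BRANDS.items():
            if (brand in text.lower() or brand in host) and actual != real:
                findings.append((href, f"claims {brand} but goes to {actual or '?'}"))
                break
    return findings


# Constructed sample message reusing the look-alike hosts cited in the post.
SAMPLE_EMAIL = """
<p>Dear Customer, your account needs attention.</p>
<a href="http://paypal.palpay.com/login">Update your PayPal account</a>
<a href="http://www.paipall.com/verify">www.paypal.com</a>
<a href="https://www.paypal.com/help">PayPal Help</a>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPECT {href}: {reason}")
```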

RELATED READING:

Assessing your security risk

Best practices: securing your intranet

Securing your intranet from the inside

Top 10 security lapses

Email and intranet are biggest wireless threats

Email and intranet are biggest wireless threats

A new survey on mobile security by Good Technology reveals that e-mail and the corporate intranet are the top two security concerns slowing the widespread adoption of enterprise handheld computing using PDAs like the BlackBerry or Treo.


The Good Technology (a provider of industry standards-based enterprise handheld computing software and service) survey included the voluntary participation of nearly 600 U.S.-based IT professionals and executives representing companies of 150 to 16,000 employees.

 

Findings include:

 

·     79% of respondents consider e-mail to be the greatest source of vulnerability

·     26% of respondents regard the corporate intranet as the greatest vulnerability

·     48% of respondents stated that firewall vulnerability (open firewall holes to allow inbound wireless device traffic, risk of denial of service attacks, or other unauthorized intrusion) concerns them most

·     30% of respondents are not likely at all to deploy a wireless solution that requires opening firewall ports, making perimeter security a top priority when selecting a mobile email solution

·     Top wireless security concern: handheld security (protecting data on the handheld if it is lost, stolen or misplaced), cited by 29% of individuals surveyed

 

"The enterprise mobile email and handheld computing markets have grown exponentially over the past five years. But this growth has created a corresponding surge in security vulnerability over the same time period," said Rick Osterloh, vice president, Product Management and Marketing, Good Technology. "This survey reveals important concerns and underscores the requirement for comprehensive mobile security. (Good Technology) has united device and security management, and is enabling IT to establish an automated system for compliance—all in a single, integrated solution."

 

Handheld Compliance

On-device data encryption remains top of mind for IT administrators.

 

·     59% will not deploy a solution that does not encrypt data on the device.

·     65% of individuals surveyed stated that wireless enforcement of virus protection, along with the ability to update virus files over the air, are very important handheld security features

 

Remote control of password policy is considered a very important handheld security requirement by 55% of respondents; only 18% are comfortable with simple user name and password authentication, traditionally used as a primary layer of protection.

 

In addition, 57% of respondents believe that the ability to wirelessly specify applications that must be present on the device is very important, demonstrating the increasing importance of handheld compliance with broader corporate security policy.

 

Proliferation of Handhelds Drives Need for Automated Security and Device Management


While the ability to detect and control applications on handhelds remains a top concern, the study concluded that the majority of enterprises do not have a standard operating procedure to address this issue: 70% of respondents do not have an automated mechanism to determine which applications mobile users have on their devices, and only about half (53%) are currently able to enforce security and password policies consistently and effectively on devices without end-user dependency.

 

 

Protecting your goods

There’s an adage that is old by intranet standards (intranets went mainstream in the early 90s): you shouldn’t put anything on the intranet that you wouldn’t put in print. It relates to the older adage that you shouldn’t print anything that you wouldn’t want anyone outside the company to read.

Your content is valuable. You wouldn’t want to share most of it with the outside world – especially the competition or media. However, if you are making content available via the intranet then it is possible it can be leaked externally. The number one leaking culprit, of course, is the employee.

 

There are three general positions or models to adopt vis a vis content protection:

 

  • Open market – publish just about anything you can on the corporate intranet.
  • Closed market – put severe constraints on what can be published.
  • Asynchronous market – a hybrid model that entrusts employees with a certain level of responsibility to maintain confidentiality.

My own personal opinion is that if you’ve hired and trusted an individual to do a job that the organization deems crucial enough to justify the pay then most individuals are trustworthy and not likely to leak confidential information to outside sources. On the other hand, I wouldn’t publish any corporate top secrets either. As such I recommend most companies adopt an asynchronous model that assumes a certain level of responsibility and trustworthiness of employees but does not make widely available all information and data to all employees.

 

Regardless, intranet and corporate information managers do have a responsibility to inform employees of their responsibility and to limit the organization’s liability. Such action includes the development of several policies:

 

  • Editorial policy
  • Terms of use
  • Acceptable use

Editorial policy

 

Your editorial policy is less of a legal security blanket and more of a definition of roles and responsibilities of those developing and maintaining online content. The editorial policy should include details on...

 

  • content types
  • style acceptability
  • news determinants (e.g. currency, impact, etc.)
  • formatting
  • archiving
  • photo treatments and bylines
  • content management system rules and directions
  • copyright and legal
  • privacy and security
  • governance including roles and responsibilities
  • taxonomy (classification)
  • site registration and indexing

Terms of use

 

Terms of use is a standard legal disclaimer. It states who owns the content, declares the copyright, disclaims the accuracy of the content, and so on.

 

Acceptable use

 

Acceptable use spells out the rules. Thou shalt not...

 

  • Email content outside of the company.
  • Print and distribute content outside of the company.
  • Release content to any media outlet.
  • Rewrite or reproduce content for personal purposes or profit without the express written consent of the company (legal department).

 

Page footers

 

If you’re not already doing so make sure you have coded into your style sheets or CMS templates a footer that always includes the following:

 

  • A legal disclaimer
  • Terms of use
  • Copyright stamp
  • Name and email address of author
  • Date of publication

While clients have hired me to develop these policies and standards, the work is not really rocket science. It just takes a little time and thought that could save your organization some headaches in the future.

 

Securing your intranet from the inside

How secure is your intranet? The IT department has likely gone to great lengths to protect financial and customer systems and databases, but has it applied the same rigor to the intranet or portal?

 

Intranets and portals have grown exponentially since becoming mainstream in the early 1990s. Some are millions of pages large. However, the intranet has typically taken a backseat as the poor cousin to customer websites.

 

“Although media and management attention is focused on protecting external-facing sites from security threats, identity theft and other online vulnerabilities, intranets should not be overlooked,” writes Peter McKay, CEO of Watchfire, in a recent Federal Times article, When securing information, don’t overlook intranet. “These sites can easily be compromised, and government IT executives are now realizing the need to expand security and privacy practices to agency intranets.”

If you’re a communicator, HR or marketing person responsible for the intranet then you need to ask the right questions of your IT department. First and foremost is understanding what you have, what is available to a wider audience, and what is specifically being done to secure it.

“Only by understanding the intranet environment — the domains, websites, directories, content, servers, technologies in use, and the policies and standards in place — can agencies ensure that they have adequate control of this information and its delivery,” says McKay. “The first step is to conduct an agency wide (assessment) to evaluate the size and complexity of the intranet. By conducting a thorough assessment agencies can effectively evaluate risks. Managers can then make informed decisions about risk mitigation as well as server and application consolidation.”

Things to look for:

·         Identify systems and servers not up to date or otherwise not conforming to IT standards

·         Orphaned content and rogue intranet sites and servers

·         Applications that work or communicate outside the firewall

McKay recommends several key steps to “effectively manage the compliance risks and costs of managing agency intranets”:

• Conduct an inventory of internal Web properties to better understand the Web environment. Knowing how many sites and servers you have, the technologies in use, and the technology policies and standards your agency employs will create a more secure and productive intranet environment.

• Scan your intranet with an automated solution to identify vulnerable areas, including forms that may be inconsistent with internal privacy policies or may lead to information leaks.

• Understand what employee and citizen information is being collected and published on the Internet and intranet. The intranet is used to publish sensitive information, including human resources forms and employee health care information. Full knowledge of all online data-collection methods is critical to effectively managing Web privacy.

• Understand exactly who has access to this sensitive information. Proper technology and security controls will allow employees to see only the information required to do their jobs. Often, contractors are granted access without careful consideration for all the information they may have access to.

• Consider applicable security, privacy and accessibility legislation such as the 2002 Federal Information Security Management Act, the 2002 E-Government Act and the 1998 Rehabilitation Act amendments.
