Research from Kaspersky Lab shows malware on social networking sites such as Facebook and MySpace is 10 times more successful at infecting users than e-mail-based attacks. Enterprises and users need to adopt sound security practices to deal with the problem.
That hackers are using sites such as Facebook, LinkedIn and MySpace to launch attacks is no revelation. New statistics, however, show just how effective malware on social networking sites can be.

In its “Malware Evolution 2008″ report, published in February 2009, Kaspersky Lab revealed that malicious code distributed via social networking sites has a success rate of 10 percent in terms of infections, making it 10 times more potent than malware distributed via e-mail.

“In 2008 we increased the collection of malicious files relating to social networks by approximately 26,000,” said Stefan Tanase, a security researcher for the Kaspersky Lab Global Research and Analysis Team. “In 2008 alone we processed more of those samples than in the total of all years prior to 2008, making the growth rate exponential. Our collection of malicious software samples reached 43,000 at the end of last year.”

Tanase said he expects that number to hit 100,000 by the end of 2009. According to McAfee, 800 new variants of the notorious Koobface virus were discovered in March alone. Social networking sites have also been hit by malware hidden in seemingly legitimate third-party applications.

No particular site is more dangerous than others, Tanase said. Different sites are popular in different regions of the world, and attackers follow the users.

“It’s very hard for social networking sites to do better,” he said. “Their business is about having an easy-to-use Website, so that everyone can join. The problem is that usability and security don’t really go hand in hand most of the time.”

For enterprises, that means developing policies to control the use of social networks by employees. Organizations can instruct employees not to mention the company name on social networking sites, for example, and can couple that with education on configuring privacy settings and general Web safety.

“Blocking access to social networking site[s] is not going to work in the long run,” said Chenxi Wang, an analyst with Forrester Research. “As younger employees join the work force, they increasingly expect to have access to social networking sites from work, [so] having such a restrictive policy will damage the company’s [prospects of attracting] employees and ultimately may become a competitive advantage [to competitors].”

As for basic security advice, Tanase advised users to limit the code executed inside their browsers to trusted sources only and to make sure the operating system, anti-virus application and other software are fully patched and up-to-date.

“When talking about social networks, even though they are made of users wandering throughout cyber-space, we should not forget we’re actually talking about real people, actual human beings that have friends and relationships,” he said. “These relationships are usually based on trust, so the bad guys are trying to exploit this trust.” 

http://www.eweek.com/c/a/Security/Social-Networks-10-Times-as-Effective-for-Hackers-Malware-892010/?kc=rss

Twitter tormented by nettlesome computer program

Unwelcome computer program disrupts the chatter on Twitter, adding to service’s growing pains

• Monday April 13, 2009, 3:24 pm EDT

Over the weekend while listening to my Zune, an audio book of The Art of War started playing.  It had been awhile since I had actually listened to it, so I sat back grabbed a soda and let it played.  For those of you not familiar with this book let me give a brief overview.  Written sometime between 500 – 350 BCE the Ancient Art of War was written by the legendary Chinese General Sun Tzu.  Written as a military strategy guide for his officers, the Art of War has flourished for twenty five centuries.  Listing the military leaders who are considered students of Sun Tzu would sound like a history lesson. Napoleon, Lord Cornwallis, Gen Patton, Dwight Eisenhower, and Gen Colin Powell.  Recent readers include business professionals who incorporate the strategies into their “Business Conquests”.

Fighting for the King of Wu, Sun Tzu fought in a violate time when the provinces of what would become China were constantly at war with one another.  Losing a battle could mean the end of your province.  Therefore The Art of War conveys a win at all cost attitude, which I don’t believe is useful for many aspects of business.  In the realm of Cyber-Security though I believe we find an exception.  We have a real threat of forces that want to defeat us in order to obtain, sabotage, or destroy our treasures. Unlike sales, where you win one you lost one is a fact of life, in defending our company against cyber threats we must maintain a defend at all cost attitude.  We never know if the next incursion will be the blow that you or your company cannot bounce back from.

Throughout the next few post we’ll examine the strategies of Sun Tzu and delve into how we can use them in designing our Cyber strategies.

Lesson 1 – It’s not a matter of if, but when…

The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

- Sun Tzu- Sun Tzu “The Art of War” 500 BCE

Growing up my father used to say “There are two certainties in life, death and taxes”.  I want to add a third, your network will be attacked.  In this day and age your network is under attack constantly.  The average network will be attacked hundreds if not thousands of times in a given day.  Your network is your modern castle and you are definitely under siege.  Yet I still hear business owners and IT professionals say something like “We don’t have to worry about cyber security; A. we’re too small of a company B. we don’t have any sensitive data C. we’re located in the middle of nowhere D. add your own lame excuse. 

First things first, most attacks are random.  From the internet side of things, you are an IP address.  It doesn’t matter if you are a stock firm in New York or a Farm store in Nebraska you connect to the same public network where scans for vulnerabilities are consistently being performed.  At Parameter our testing network drops a scan from the internet about once a minute.  That’s nearly 1500 scans a day.  Most attackers will hack first and if successful they will then look for their spoils, financial data, employee information, or even create a platform for future attacks on other systems, it doesn’t matter your system has been breached and your reputation has been tarnished.

The art of war teaches us to understand that we will be attacked; therefore we must focus on successfully detecting, evading, and repelling any attack that comes our way.  We must understand that no network is impenetrable. We must know our network’s weaknesses and if we cannot mitigate those dangers we must ensure we can detect any attempt to exploit the vulnerabilities and respond quickly.

Identify your companies “treasures” and ensure the proper defenses are in place.  If you do not know your treasures, cannot detect attempted attacks, or don’t employ defense in depth, you have no choice but to admit defeat and assume your treasure has been stolen.