There is a significant security flaw in Java and it is being exploited fast and furiously by cyber criminals. Sophos’ Naked Security blog has a fantastic post on the vulnerability and especially its effect on Oracle users. Their solution: Disable Java immediately. Check out the post here.
And why is Java so problematic you ask? Graham Cluley states the following:
“In fact, it has become increasingly common to see malware authors exploiting vulnerabilities in Java – as it is so commonly installed, and has been frequently found to be lacking when it comes to security.
Cybercriminals also love Java because it is multi-platform – capable of running on computers regardless of whether they are running Windows, Mac OS X or Linux. As a result it’s not unusual for us to see malicious hackers use Java as an integral part of their attack before serving up an OS-specific payload.”
For easy reference, here’s how to disable Java on the most popular web browsers.
Whether embracing the 80×5 rule or learning how to effectively solicit outside advice, there’s a way to make your security strategy work smarter, not harder. Perfect security is a pipe dream. So use what you have and learn from what works.
Follow the principles and strategy detailed in our very own “Lean Security 101″ comic book and you can build your own lean security model within your organization!
Follow this link to download Lean Security 101: The Comic Book.
And don’t forget … you can get a lean security review for free, just by requesting one here.
What would you do if you discovered that attackers had taken over your server and were in the process of stealing all your data?
What would you do if law enforcement came to your place of work and demanded all of your computers as part of an investigation?
What would you do if a tornado hit your building and spread all of your computers across a mile-wide radius?
If you are like most organizations, you don’t have a plan for everything. You can think of security (in an over-simplified way) as having three areas of control: Detective, Preventative and Reactive. We tend to start with Detective. When antivirus was new, it just alerted you when you had a problem. As the technology improved, it became preventative and would stop bad applications from running. Most security technology, in fact, has followed this pattern. Intrusion Detection moved to Intrusion Prevention. Patch Detection moved to Patch Management. Log Analysis moved to full-fledged SIEM systems.
However, this progression ignores a very powerful tool. As an example, here’s a video:
What would you do if you woke up one morning to find a moose in your swingset? Odds are you’d either deal with it yourself or call someone to deal with it for you. Response is key. When things happen, whether it involves an attacker taking over a system, an external agency taking your stuff or a natural disaster, reacting to the situation is important. You can either do it in an ad hoc way, or try to plan everything out.
In general, organizations that trust their people just let their people do what they need to do. Organizations that do not trust their people invest in planning and procedures. What’s interesting is that both methods work… though not always particularly well. Sometimes people hide behind policy and avoid doing the right thing. Sometimes people hide behind uncertainty and avoid doing the right thing.
The problem here is that “right” and “wrong” are not always clear cut. Consider recent occurrences involving United Airlines, Penn State and FedEx. A reasonable response to events like these would be “we can’t trust our people,” and to address the issue by creating policies.
So it would seem that this is a “damned if you do, damned if you don’t” situation, right?
It turns out to err is human… but human error can happen whether or not we are constrained by policy. Using policy to prevent bad things from happening requires not only that you have people who will always follow the policy, but also that you have policies that are 100% correct and written by people who can see the future. Perhaps a better approach would be to use policies as guides that people can refer to when they’re confused. Then, build a culture around the fact it’s okay to make mistakes so long as you’re willing to apologize, attempt to fix things and learn from your error.
Not everything can be avoided. Sometimes you just have to deal.
Accuvant Labs researcher Charlie Miller has figured out how to break into the Google/Samsung Nexus S and the Nokia 9 smartphones by using Near Field Communication (NFC).
“I can read all the files,” said Miller about how he managed to break into the Nokia 9 when his home-made NFC-based device is in very close proximity to the targeted smartphone. “I can make phone calls, too.” Vulnerabilities he identified in the Android-powered Nexus S were located in the browser surface, he said.
419 Advanced Fee Fraud (also known as the Nigerian 419 scam) is still being used quite frequently to steal money from gullible victims via fraudulent emails. But are these emails really coming from Nigeria, or are they perpetrated by attackers from other countries?
Researchers from the University of Ibadan found the following IP locations within 400 scam emails tested:
Adam Levin of Credit.com wrote an interesting story documenting Wisconsin’s complete inability to secure public information.
Last week, the Wisconsin Department of Revenue revealed that it had accidentally made public 110,795 Social Security numbers and tax ID numbers of Wisconsin residents. The numbers were mistakenly embedded in a real estate report and posted to the department’s website for almost three months before being removed.
This is the fourth time since 2006 that Wisconsin state agencies have been involved in the public release of Social Security numbers.
Unlike you, attackers are not limited by resources, budgets, laws or ethics. They can launch any number of attacks from anytime or anywhere. This means you have to maintain a strategic balance between defense and response.

Always stay a move ahead of your opponent.
If you are constantly focused on reacting, you are not taking the time to learn and adjust your security strategy based on your experiences. Your attackers are constantly evolving, so you must, too … just a little faster.

Make better use of what you already have.
Before you invest in yet another expensive security project, fine-tune the security products you have in place. Are your defense systems fully patched? Have you turned on all the necessary bells and whistles that came with your original product?

The right security strategy for right now.
The days of defining and executing a rigid multi-year security plan are over. Since attackers are incentivized for rapid change, you must also adapt to the always-evolving threat landscape. An inflexible security plan will create holes quicker than you can fill them.

Part of your team, not instead of your team.
Without a highly skilled and experienced staff of security experts, it is extremely difficult to remain unscathed from the many possible attacks waged against your organization each day. Thus, it is sometimes necessary to leverage the knowledge of others.

A smart investment for smart growth.
Once your internal operations are working well and you are effectively using what you have, it's time to grow. But before you purchase another layer of protection, first identify what really matters to your business and create goals you can measure to see if your next project will indeed be a success.
About RJS Security
RJS Software provides information management solutions that allow businesses to improve productivity, make better decisions and save money. Our software helps organizations streamline data collection, digitize and manage documents, automate work processes and optimize