March 2011
Security in the Digital Age
Security Threats Ad Infinitum in 2011, page 8
Springboard Research's Top 10 Predictions in 2011, page 22
When Google's 'Panda' goes Global …, page 38
Yahoo: Science is Insight, Not Hindsight!, page 41
Disaster Preparedness Still Not a Priority for SMBs, page 12
Out There for Media's State-of-the-art Mobile Advertising Marketplace, page 44
EDITORIAL:
Dear Reader, Asian e-Marketing is dedicated this time to the topic Security in the Digital Age, as IT security remains a hotbed of activity and growth in 2011. And who would be surprised, considering that companies have to grapple with a more menacing business environment, which is forcing them to adapt to an unprecedented level of IT upheaval in an instant? Stay informed to defend yourself against advanced threats, and start to weave security more tightly into your IT portfolio by making sure that your network service providers and cloud providers have embedded security into their services. Keep well protected against ever-rising cyber-security concerns, as 2011 will definitely be challenging.

Happy reading,

Daniela La Marca, Editor-in-Chief, Asian eMarketing

PS: If you couldn't catch the previous issue of Asian e-Marketing, here is another chance.
2
MARCH 2011
INSIDE THIS ISSUE:

SECURITY IN THE DIGITAL AGE

RESEARCH, ANALYSIS & TRENDS, page 4
Uncovering the Risks of Social Networking Applications in the Workplace, page 4
Mobile Security - An Increasing Need for Asia Pacific Enterprises, page 6
Security Threats Ad Infinitum in 2011, page 8
Ever-increasing List of Security Threats, page 10
Frost & Sullivan: Asia Pacific's Security Information and Event Management Market to reach $243 Million in 2014, page 11
Disaster Preparedness Still Not a Priority for SMBs, page 12
The Anti-Phishing Working Group (APWG) eCrime Report, page 14
Frost & Sullivan's 2011 (ISC)2® Global Information Security Workforce Study (GISWS), page 15
Cloud Computing More Secure than On-Premise Alternatives, page 17
New IE9 Survey Reveals Fresh Insights on Web Surfing Habits in Asia, page 18
Yahoo! and Nielsen launched First Asia-wide Online Advertising Effectiveness Study, page 20

BEST PRACTICES & STRATEGIES, page 22
Ensure You Are Not Labelled a Spammer, page 22
Internet Security Software Demystified, page 23
Protecting your Mobile Device from Attacks, page 25
Cleaning Data Carriers Effectively, page 27
Smartphones: Stepchildren of IT Security?, page 28
Microsoft's Five Key Tips when Using IE9, page 30

TECHNOLOGIES & PRODUCTS, page 32
Trend Micro Safeguards Kids from the Dangers of Social Networks, page 32
Network Box's Data Leakage Prevention, page 33
Internet Explorer 9 Promises a More Beautiful Web Experience, page 35

COMPANIES & CAMPAIGNS, page 38
When Google's 'Panda' goes Global …, page 38
Symantec's Acquisition of VeriSign completes its Business Strategy, page 40

LEGISLATION, page 43
Opt-in or Opt-out is Still the Question, page 43
Regulation for More Protection? - or What!, page 45

BUZZWORD, page 47
Spoofing Attacks, page 47

APPOINTMENTS, page 49

IMPRINT, page 50
RESEARCH, ANALYSIS & TRENDS
Uncovering the Risks of Social Networking Applications in the Workplace

With the revolution of Web 2.0, social networking applications now play a pivotal role in influencing and shaping the way we socialize and collaborate, for both work and personal purposes. In fact, the use of social networking applications can be broadly categorized into three enabling objectives: 'Saying, Socializing and Sharing'. Examples of Saying applications are Gmail, Yahoo! Instant Messaging and Microsoft Hotmail, which enable people to communicate. Socializing refers to applications like Facebook, Twitter and Linked-In that connect everyone on a social and professional basis, while applications that enable Sharing include BitTorrent, YouSendIt and Xunlei.

At work, social networking applications are also widely used among employees and employers to get their jobs done. For instance, a corporate professional or an employer uses Linked-In to connect with people in their network or to headhunt talent, while Facebook is widely used among marketers for sales, customer relationship management, branding and communication.

Applications that enable users to Say, Socialize and Share files are being used worldwide with remarkable consistency. No single geography, whether it is Asia Pacific, the US or Europe, is that different in terms of application usage at a category level. However, organizations today might face the possibility of data leakage, as employees who have Internet access are putting their organizations at risk by using certain applications that could involve the sharing of sensitive and confidential information.

Saying Applications: Unmonitored, Unchecked, and Very Risky

Saying applications, including webmail and instant messaging, can bring about more active collaboration, increased communications efficiency and quicker time-to-market. The dark side is that these applications are unmonitored and, as such, pose business and security risks. Business risks include internal compliance with application usage policies that may not allow the use at all, or that dictate what can or cannot be said about the company. Furthermore, saying applications are capable of transferring files, thus opening organizations up to data leakage and the delivery of malware via attachments.

Palo Alto Networks' latest Application Usage & Risk Report* (AUR) showed that the most frequently detected saying applications in enterprise networks are Gmail (93%), Hotmail (90%), Yahoo Mail (88%) and Facebook Mail (79%). In the report's coverage of South East Asia (Singapore and Thailand), which surveyed 41 organizations, Hotmail was the most common (83%) and the most heavily used, with nearly six times the traffic of the next closest web application (224GB vs 36GB) per organization.
Socializing: When at Work, Users are Voyeurs

With a base of more than 500 million users, it is no surprise that Facebook is the most popular social networking application. Social networking applications were found in 96% of participating organizations, which indicates that control efforts are not working. Statistics in the AUR show that Facebook tops the list of most commonly detected socializing applications at 96%, followed by Twitter (93%), Linked-In (85%), MySpace (79%) and other Facebook apps (76%). Facebook use among employees is often perceived as a waste of time, with users acting as 'voyeurs' while at work. Interestingly, the bulk of the traffic (69%) is actually users watching Facebook pages. The risks that voyeurism represents include a potential loss of productivity and the possibility of malware introduction by clicking on a link within someone's "wall". Blindly allowing Facebook in the workplace may result in data leakage, loss of data and damage to the corporate reputation.

Sharing: A Better Way to Move and Broadcast Data

Browser-based file-sharing applications have steadily grown in popularity to the point where they are now used more frequently than P2P or FTP. Now seen in 96% of organizations, this new class of applications simplifies file sharing but can also be broadcast-oriented (similar to P2P) in its distribution model. By using RapidShare, MegaUpload or Mediafire, a user can upload content and allow it to be indexed by many search engines. In Palo Alto Networks' latest AUR findings, an average of 500GB of data is transferred per organization during a one-week period. Interestingly, Singapore consumes the second highest amount of bandwidth on a regional basis (P2P = 4.8 TB and browser-based file sharing = 6.7 TB), behind China.

Saying, Socializing, and Sharing Security Risks

Whether it is saying, socializing or sharing, these applications are popular vectors for the delivery of malware and the exploitation of vulnerabilities. The reason is simple: their popularity makes it easy for malware creators to deliver their payload by simply creating a compelling reason for a user to "click" on what appears to be an update, an IM, a tweet or a post from a trusted acquaintance. The sender may in fact be who they say they are, but that is beside the point. By "clicking" first on a link sent by a highly trusted source and asking or thinking later, the user has unknowingly propagated the threat or installed the malware.

The speed of adoption by tech-savvy network users adds significantly to the risks that companies must try to manage, making the challenge doubly difficult because of the resistance to change and the inflexibility that traditional control mechanisms exhibit. Organizations need to work diligently yet quickly to determine the appropriate balance between blocking and blindly allowing these applications. What organizations should take into consideration are the issues and solution methods involved in enabling social networking in the workplace without jeopardizing the security and confidentiality of the organization's information. And this is where IT and the security team need to exert their influence and expertise.♦

By Eric Chong, Regional Marketing Director - Asia Pacific, Palo Alto Networks

* The latest edition of the Application Usage and Risk Report (issued in the last quarter of 2010) by Palo Alto Networks™ consists of real-world traffic from 723 organizations worldwide and examines user and application trends in the enterprise. The report advocates assigning an action to these saying, socializing and sharing applications, fostering discussions and creating viable policies around acceptable use.
A New Generation of Savvy Workforce

Applications that enable saying, socializing and sharing have long been used in workplace environments; however, their usage has been somewhat "quiet". Today, the intertwined nature of work, home, family and technology, combined with a generation of users that is always connected and assumes usage is "approved", has dramatically elevated the discussion around these applications.
Mobile Security - An Increasing Need for Asia Pacific Enterprises

In Springboard Research's latest Asia Pacific (AP) IT Market Predictions 2011 Report, we noted that rapid growth in the use of smart mobile devices, combined with an explosion in social computing, is already impacting the way end-users view and consume IT. Over the next 12 months, Springboard Research believes the increased usage of and reliance on mobile devices will dramatically impact how end-users access enterprise applications and data. This will drive growing complexity for IT departments to manage as they face increased pressure to allow more consumer/personal devices into corporate networks.

While CIOs continue to grapple with the demand for greater access to information on personal devices, not all organizations are embracing the mobile device revolution. Many AP organizations will continue to operate in a traditional, internally focused IT environment, leaving employees with little or no choice about how they access enterprise information from outside as well as inside the workplace. Springboard Research believes, however, that it will be a growing challenge for organizations to resist the tide of change by relying on traditional IT systems and policies. We believe that IT teams will be forced to address mobile security issues, which will gradually become a primary consideration, whether access from personal devices or mobility in general are seen as the underlying drivers or not.

Springboard Research recently examined mobile security solutions available from leading security software and network security vendors, including Symantec and Juniper Networks. Both vendors have similar visions but slightly different approaches for assisting enterprises in addressing mobile security issues. Below is a comparison and assessment of both vendors' mobile security:

Product Name
  Symantec: Symantec Mobile Security and Management Product Series
  Juniper Networks: JUNOS Pulse – Mobile Security Suite

Product Features
  Symantec: Device management; Device security (Antivirus & Anti-spam); Device encryption; Strong authentication
  Juniper Networks: Antivirus; Personal firewall; Device monitoring & control; Anti-spam; Loss/theft protection

Mobile Devices Supported
  Symantec: Windows Mobile; Symbian; iPhone (no antivirus or anti-spam); Android (no SSL-VPN); BlackBerry (no SSL-VPN, personal firewall, or anti-spam)
  Juniper Networks: Windows Mobile; Symbian; iPhone (no antivirus or anti-spam); Android (no SSL-VPN); BlackBerry (no SSL-VPN, personal firewall, or anti-spam)

Availability
  Symantec: Available in selected AP countries from October 2010 (China not included)
  Juniper Networks: All smartphones supported by December 2010 except for iPhone (by 1H 2011)

Pricing
  Symantec: Dependent on scale and scope of products and services. The mobile security suite is sold starting from US$20 per device.
  Juniper Networks: List price: 25,000 devices: US$19 per device per year; 50 devices: approx. US$70 per device per year

GTM Strategy
  Symantec: Symantec will leverage its traditional channel partner networks to approach enterprise customers. It will first cover multinational customers with a clearer mobile security strategy, extending to the Asia Pacific region, and also target large finance and government customers in the region who are moving in the direction of supporting more corporate and personal mobile device usage in the corporate environment.
  Juniper Networks: Juniper is first approaching mobile operators in Asia Pacific and trying to convince them to provide mobile security as a value-added service. It places less emphasis on the enterprise market as of now, as it thinks the enterprise market has limited opportunities in the next 12 to 24 months. However, it also leverages its channel ecosystem to approach large enterprises with an existing installed base of Juniper security products.

Bottom Line

Both vendors are targeting IT departments with a solution to manage the complexity of different models of smartphones and different types of applications used on the devices, but clear differences do exist. Symantec views mobile security as part of its overall strategy to provide information and identity protection anywhere, anytime and on any device, which encompasses protection from external threats and internal data loss. By comparison, Juniper believes mobile security is a network issue, and its solution has therefore been developed to resolve security issues from the network layer. Client software installed on mobile devices is monitored remotely by the network operations center, which is managed either by enterprises themselves or by managed services providers.

Springboard Research believes that, for many mid-size customers who mostly manage their security from a software perspective, the Symantec solution is a good entry point. It provides comprehensive features for most enterprise and mid-sized environments. For large enterprises with sophisticated network security policies that have already deployed the Juniper/NetScreen security solution, Juniper's network-based JUNOS Pulse mobile security suite will work well and is easy to manage, based on the JUNOS common operating system. Ultimately, CIOs should carefully evaluate the different approaches and select the most appropriate solution based on their existing security infrastructure and policies.♦

By Brian Wang, Analyst, Springboard Research
Security Threats Ad Infinitum in 2011

The February 2011 MessageLabs Intelligence Report indicated that last month was the most prolific period in terms of simultaneous attacks and malware family integration across Zeus (aka Zbot), Bredolab and SpyEye.

China and India leading victims of spam and viruses

According to a recent survey, around 80 percent of Singapore companies are planning overseas expansion in the next six months, with China being the most preferred destination. Companies looking to expand their operations overseas are opening themselves up to a wider variety of IT security threats. For these Singapore companies (especially SMEs), expansion to other markets like China or India can be a critical move, and one that already requires significant investment. As clearly more spam is flooding China's in-boxes, the risk to poorly defended or undefended systems is extremely high, as is the threat of losing critical, confidential information to cybercriminals.

Overall, Asia's virus rates increased from January to February 2011 and spam rates increased across all tracked countries. China became the most spammed in February with a spam rate of 86.2 percent, making it the most spammed country in Asia and the world, while the automotive sector continued to be the most spammed industry with a spam rate of 84.3 percent.

India was the most targeted country by email-borne malware, with 1 in 267.7 emails blocked as malicious in February, an increase from 1 in 647.9 in January. In Malaysia, virus levels were 1 in 396.9. The Government/Public Sector also remained the most targeted industry for malware, with 1 in 41.1 emails blocked as malicious.

SMEs, which suffer from limited IT and security resources, need to be more vigilant in the use of portable and online assets, particularly email and social networking tools, an infamous vector of infection.
Go regional - go Cloud!

Companies looking to expand into China or India know they need security even more, but traditional measures such as on-premise software and on-premise appliances require heavy investments and resource allocation to be most effective. Cloud security services, on the other hand, are simple to set up and administer and generally work with any mail client or server configuration, regardless of geographic location. Moreover, this setup process is significantly faster than for packaged software or appliances, and once completed, data is routed through secure data centres and analyzed for malware, viruses and spam before reaching its destination.
With new spam and virus techniques emerging almost daily, companies have to realise that they, in general, have neither the core competency nor the financial power to keep investing personnel, time and money in deploying new countermeasures at such a rapid rate. The situation is more acute amongst small and medium-sized businesses. All is not lost, however. Security vendors that have already embraced the cloud have the expertise and resources to devote frontline personnel and massive processing power to fighting emerging threats. Co-opting these cloud security vendors into your security strategy may prove to be the best shot yet. Cloud security potentially enables the latest security policies, processes and patches to come into effect the moment threats arise, protecting clients in real time.

Bredolab Trojan takes top spot

There were 40 variants of the Bredolab Trojan, accounting for more than 10% of email-borne malware blocked by MessageLabs Intelligence. Bredolab is one of the better known botnets and has infected at least 30 million computer systems worldwide since July 2009. Last year, the Dutch National Crime Squad High Tech Crime Team claimed it had taken down Bredolab by shutting down 143 servers. But in November 2010, MessageLabs Intelligence started to report Bredolab emails that all carried a similar subject line referring to "DHL International." The DHL and UPS invoice subject lines have been in use for a long time. These latest findings reveal that, contrary to recent beliefs, Bredolab is not dead, and similar techniques are being employed by other major malware families. There has also been an increase in the volume of collaborative attacks that make use of well-timed, carefully crafted and targeted techniques. The Bredolab malware families were used to conduct simultaneous attacks via propagation techniques, signalling the likelihood of a common origin for these infected emails.
PDFs - the new vector of attack

Over the past year, malicious executable files have increased in frequency, and PDF files are the most popular file format for malware distribution. PDFs now account for a larger proportion of the document file types used as attack vectors. In 2009, approximately 52.6 percent of targeted attacks used PDF exploits, compared with 65 percent in 2010, an increase of 12.4 percentage points. If the trend continues as it has over the past year, 76 percent of targeted malware could be used for PDF-based attacks by mid-2011.

Other report highlights from a global perspective
Spam: In February 2011, the global ratio of spam in email traffic from new and previously unknown bad sources was 81.3 percent (1 in 1.23 emails), an increase of 2.7 percentage points since January.

Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was 1 in 290.1 emails (0.345 percent) in February, an increase of 0.07 percentage points since January. In February, 63.5 percent of email-borne malware contained links to malicious websites, a decrease of 1.6 percentage points since January.

Endpoint Threats: Threats against endpoint devices such as laptops, PCs and servers may penetrate an organization in a number of ways, including drive-by attacks from compromised websites, Trojan horses, and worms that spread by copying themselves to removable drives. Analysis of the most frequently blocked malware for the last month revealed that the Sality.AE virus was the most prevalent. Sality.AE spreads by infecting executable files and attempts to download potentially malicious files from the Internet.

Phishing: In February, phishing activity was 1 in 216.7 emails (0.462 percent), an increase of 0.22 percentage points since January.

Web security: Analysis of web security activity shows that 38.9 percent of malicious domains blocked in February were new, a decrease of 2.2 percentage points since January. Additionally, 20.3 percent of all web-based malware blocked in February was new, a decrease of 2.2 percentage points since last month. MessageLabs Intelligence also identified an average of 4,098 new websites per day harbouring malware and other potentially unwanted programs such as spyware and adware, a decrease of 13.7 percent since January.♦
Source: The February 2011 MessageLabs Intelligence Report. The full report is available at http://www.messagelabs.com/resources/mlireports.aspx
Ever-increasing List of Security Threats

Businesses will struggle to keep up with the growing list of threats such as cyber espionage unless they adopt a different approach to tackling them, according to Ovum. In a new report, the independent technology analyst states that there is an ever-increasing list of security threats to businesses, and to keep up they must develop a new line of defence. Ovum identifies cyber espionage and online fraud as among the most urgent security threats in a long list that companies need to tackle. Other priorities include compliance and the protection of intellectual property.

Graham Titterington, Ovum analyst and author of the report, said: "Security needs are growing fast. Businesses are facing a large-scale, well-organised and well-resourced criminal network which is intent on defrauding them and their customers. On top of this there is the growing threat of cyber espionage and the need to meet ever more stringent compliance requirements. In addition, while cloud services and virtualisation have many advantages, they also bring their own dangers. We believe this ever-growing list of new threats needs a new approach to security and the focus should now be on protecting assets rather than defending perimeters."

According to the report, cyber espionage is now a major problem for business and is no longer just a concern for governments. Titterington said: "State sponsored cyber attacks are now a threat to the commercial world, which should be as concerned about them as governments are." Examples of state sponsored attacks on businesses include the strike against Google by China in early 2010. According to the report, there have been similar attacks on at least 34 US corporations, and Fortune 500 companies are coming under constant attack.

According to Titterington, to deal with the ever-growing list of new security threats, businesses should adopt a risk management strategy that allows them to manage threats when they become a risk, rather than limiting their impact. He believes vendors have a key role to play and should ensure they are addressing the changing priorities of businesses in the products and services they provide. Titterington added: "Businesses are looking to vendors to provide leadership and advice to help them through the fast-moving security landscape. There are also significant new opportunities for vendors in securing new mobile devices such as tablet computers and smartphones. In addition, the range of emerging data and content services also represents a good opportunity for vendors."♦

By Ovum, a Datamonitor group
Frost & Sullivan: Asia Pacific's Security Information and Event Management Market to reach $243 Million in 2014

The Asia Pacific (APAC) security information and event management (SIEM) market witnessed healthy growth momentum in 2010 and is expected to grow at a strong compound annual growth rate (CAGR) of 27.0 percent during 2010-2014. Enterprises have recognized the importance of SIEM in ramping up their security posture. According to a new analysis from Frost & Sullivan, the Asia Pacific SIEM market earned revenues of $93.4 million in 2010, and the firm estimates that this will reach $242.7 million in 2014. With technology convergence largely characterizing the evolution of the IT security arena, it is no surprise to see growing enterprise demand for SIEM solutions. As the business landscape enters a new era of enterprise mobility and cloud computing, a comprehensive SIEM setup will be vital for protecting critical assets in an enterprise network. SIEM is poised for vigorous uptake, and the market is expected to show a robust growth rate in three to four years' time.

"Regulations surrounding security have led enterprises in the region to adopt SIEM technology," says Frost & Sullivan Industry Analyst Cathy Huang. "SIEM will emerge as a mainstream solution as enterprises strive to gain visibility across the network, endpoints, internal servers, and applications."

The capabilities of SIEM solutions make them ideal tools for convergence, ensuring security synergies are properly achieved. Although SIEM is gaining steady traction, proper understanding of the technology is lacking. Prevailing market perceptions of the complexities involved in its implementation have actually impeded the adoption rate of SIEM solutions in some APAC markets. Currently, awareness of SIEM solutions and the priority given to them are abysmally low in the APAC region, where the regulatory regime is not as strict as that of North America or Europe.

The lack of a clear market position for SIEM is also restraining market momentum. The unilateral approach vendors take in positioning the technology segment, as well as the interchangeable usage of terms such as SIEM, security information management (SIM) and security event management (SEM), indicates a highly fragmented market, with customers and vendors alike having different versions of SIEM. It is imperative for SIEM vendors to reach out to enterprise end users to enhance their technological awareness and correct any underlying misconceptions that may exist about the technology. Moreover, by actively engaging the enterprise population, SIEM vendors also establish their presence in the technology segment, fortifying their position as SIEM solution providers.

"Selling SIEM solutions goes beyond merely selling appliances, as implementing SIEM technology in an enterprise setup involves the need for services as much as it is a product setup," says Huang. "In this sense, it is critical for the vendors and their channels to be able to articulate the value proposition of SIEM and its implementation requirements properly to convince enterprises of the value of SIEM deployment."♦

Source: Frost & Sullivan
Disaster Preparedness Still Not a Priority for SMBs

Symantec recently announced the findings of its 2011 SMB Disaster Preparedness Survey, which measured the attitudes and practices of small and mid-sized businesses (SMBs) and their customers toward disaster preparedness. Conducted in October and November 2010 by Applied Research, which surveyed IT professionals responsible for computers, networks and technology resources, the report was designed to gauge the impact and stage of disaster recovery preparedness, perceptions and practices of SMBs. According to the survey, SMBs do not make disaster preparedness a priority until they experience an incident or data loss, and it reveals further that this could mean losing hundreds of thousands of dollars, a lot of customers, or even going out of business for such companies. Didn't the current earthquakes in Japan demonstrate the tremendous impact natural disasters can have on people and businesses?

Although the disasters that followed the 9.0 magnitude earthquake in Japan are paralysing, Internet users should not forget those who wait to exploit such delicate situations, such as spammers posing as charitable institutions and governmental organizations, or cybercriminals who launched Facebook pages claiming to contain Japanese tsunami videos to lure users to malicious sites such as hxxp://www. {BLOCKED}u.fr/view.php?vid=Le-plus-gros-Tsunamidu-Japon-depuis-20-ans. Therefore, do use caution when opening forwarded messages related to the Japan earthquake and tsunami, and any other tragedy or event that stirs international news coverage, legitimate and otherwise. Nefarious attackers may be sending malicious JavaScript and other threats that could compromise both your personal data and your computer.

"While natural disasters are top of mind for many businesses today, they also need to consider the more common disasters of human error and IT systems failures," said Steve Martin, director of small and medium business for the Pacific region, Symantec. "A disaster can strike at any time and SMBs cannot afford to risk losing their information." According to the research findings, SMBs still haven't recognised the impact a disaster can have on their businesses, although simple planning can protect their information and minimise downtime during a disaster.

Despite Warnings, SMBs Still Not Prepared

Many SMBs still don't understand the importance of disaster preparedness, have no plan in place, or say that disaster preparedness is not a priority for them. This lack of preparation is surprising given how many SMBs are at risk just by being located in regions susceptible to natural disasters. In the past 12 months, the typical SMB experienced six outages, with the leading causes being cyber attacks, power outages or natural disasters.

SMBs Don't Act Until After a Disaster

According to the survey findings, half of SMBs globally implemented disaster preparedness plans only after experiencing an outage and/or data loss, while only 28 percent have actually tested their recovery plans, which is a critical component of actually being prepared for a potential disaster.

Lack of Preparedness Impacts the Business

Disasters can have a significant financial impact on SMBs, as outages cause customers to leave: 54 percent of SMB customer respondents globally reported that they have switched SMB vendors due to unreliable computing systems, a 12 percent increase on last year's survey. In addition, 44 percent of SMB customers globally surveyed stated that their SMB vendors have shut down temporarily due to a disaster. SMB customers also reported considerable effects on their own businesses. When SMBs globally experience downtime, it costs their customers an average of US$10,000 per day. In addition to direct financial costs, 29 percent of SMB customers globally lost "some" or "a lot" of important data as a result of disasters impacting their SMB vendors.

Recommendations

The survey found that 36 percent of SMBs globally intend to create a disaster preparedness plan in the future. Points to consider:

Don't wait until it's too late: It is critical for SMBs not to wait until after a disaster. Not only is downtime costly from a financial perspective, but it could mean the complete demise of the business. SMBs can't wait until it is too late and need to begin mapping out a disaster preparedness plan today. A plan should include identification of the key systems and data that are intrinsic to the running of the business.

Protect information completely: To reduce the risk of losing critical business information, SMBs must implement the appropriate security and backup solutions to archive important files, such as customer records and financial information. Natural disasters, power outages and cyber attacks can all result in data and financial loss, so SMBs need to make sure important files are saved not only on an external hard drive and/or company network, but also in a safe, off-site location.

Get employees involved: SMB employees play a key role in helping to prevent downtime, and should be educated on computer security best practices and what to do if information is accidentally deleted or cannot easily be found in their files. Since SMBs have few resources, every employee should know how to retrieve the business's information in times of disaster.

Test frequently: After a disaster hits is the worst time to learn that critical files were not backed up as planned. Regular disaster recovery testing is invaluable. Test your plan any time anything changes in your environment.

Review your plan: If frequent testing is not feasible due to resources and bandwidth, SMBs should spend an hour reviewing their disaster preparedness plan every six months.♦

Source: Symantec, Inc
The Anti-Phishing Working Group (APWG) eCrime Report

The Anti-Phishing Working Group (APWG), founded in 2003, is a global industry, law enforcement, and government coalition focused on eliminating the identity theft and fraud that result from the growing problem of phishing, email spoofing, and crimeware. In its recent report, the group states that the online classified advertisement services sector has been increasingly exploited as a phishing attack vector by ecrime gangs, a trend confirmed by the growth of attacks abusing classified companies in the first half of 2010, which accounted for 6.6 percent of phishing attacks in Q2 2010 alone, according to the APWG's Q2 2010 Phishing Activity Trends Report.

While the online payment services sector remained the most targeted industry with 38 percent of detected attacks in Q2, up from 37 percent in Q1, the classified advertisement services sector exhibited the most rapid growth in phishing attacks of all sectors. Ihab Shraim, MarkMonitor's Chief Security Officer and Trends Report contributing analyst, said, "The Classifieds sector grew 142 percent from the previous quarter and over 91,000 percent from the comparable quarter [Q1] a year ago. This sudden growth may have been due to Auction sector phishing resources shifting over to the Classifieds sector."

Classified advertisement websites for person-to-person trading, job postings, personal ads and other kinds of online commerce and culture offer ecrime gangs rich contexts for casting false scenarios to trick consumers into giving up funds or financial data that can be used for fraud, or even to draft them as unwitting accomplices into criminal enterprises, for example as money mules.

Meanwhile, the number of detected samples of rogueware (malicious crimeware disguised as anti-virus or anti-spyware software) rose some 13 percent from quarter to quarter, up from 183,781 in Q1 to 207,322 in Q2 2010. Luis Corrons, PandaLabs Technical Director and APWG Trends Report contributing analyst, said that just three rogueware "families" are responsible for 72 percent of all the samples detected in this period: Adware/SecurityTool was the most frequently detected rogueware family in Q2 with 25 percent; Adware/TotalSecurity2009 was second with 24 percent; and Adware/MSAntispyware2009 was third with 21 percent of the rogueware samples detected in Q2.

Although some APWG metrics show conventional spam-based phishing attacks levelling off in the first half of 2010, field reports and statistical surveys from APWG member companies indicate that ecrime gangs are cultivating an array of alternative attack schemes: selling bogus security software to infect users' PCs (rogueware); deploying website and search engine advertisements that link to malicious code or to downloader websites designed to infect consumers' PCs (malvertising); crafting focused-target phishing against corporate treasurers and key personnel; deploying advanced crimeware and social engineering schemes crafted specifically for social networking websites and the applications running on them; and more.

APWG Secretary General Peter Cassidy said, "While the once-rapid expansion of conventional phishing is apparently slowing, there is every indication that ecrime gangs are expending much greater effort to design and deploy ever more undetectable, manipulative, focused and attractive schemes to defraud consumers and enterprise users. These organizations have become no less ambitious, we should note, just increasingly sophisticated and evermore deft in their criminal craftsmanship."♦

The full report is available here: http://www.apwg.org/reports/apwg_report_q2_2010.pdf
Frost & Sullivan's 2011 (ISC)2® Global Information Security Workforce Study (GISWS)

A study based on a survey of more than 10,000 information security professionals worldwide finds that a growing number of technologies being widely adopted by businesses are challenging information security executives and their staff, potentially endangering the security of government agencies, corporations and consumers worldwide over the next several years. Conducted by Frost & Sullivan, the 2011 (ISC)2® Global Information Security Workforce Study (GISWS) says new threats stemming from mobile devices, the cloud, social networking and insecure applications, as well as added responsibilities such as addressing the security concerns of customers, have led to "information security professionals being stretched thin, and like a series of small leaks in a dam, the current overworked workforce may be showing signs of strain."

Conducted on behalf of (ISC)2, the not-for-profit global leader in educating and certifying information security professionals throughout their careers, the study also shows a severe gap in the skills needed industry-wide. Information security professionals admitted they needed better training, yet reported in significant numbers that many of these technologies are already being deployed without security in mind.

"In the modern organization, end-users are dictating IT priorities by bringing technology to the enterprise rather than the other way around," said Robert Ayoub, Global Program Director - Network Security for Frost & Sullivan. "Pressure to secure too much and the resulting skills gap are creating risk for organizations worldwide. We can reduce the risks, however, if we invest now in attracting high-quality entrants to the field and make concurrent investments in professional development for emerging skills. As the study finds, these solutions are underway, but the question remains whether enough new professionals and training will come soon enough to keep critical global infrastructures in the private and public sectors protected."

"The good news from this study is that information security professionals finally have management support and are being relied upon and compensated for the security of the most mission-critical data and systems within an organization," added Ayoub. "The bad news is that they are being asked to do too much, with little time left to enhance their skills to meet the latest security threats and business demands."

Other key findings from the study include:
- As of 2010, Frost & Sullivan estimates that there are 2.28 million information security professionals worldwide, of whom around 750,000 are in Asia-Pacific (A-P). Demand for professionals in A-P is expected to increase to over 1.3 million by 2015, a compound annual growth rate (CAGR) of 11.9 percent, creating career opportunities for those with the right skills.
- Secure software development is a significant new area of focus for information security professionals worldwide. Application vulnerabilities were ranked as the No. 1 threat to organizations by 72 percent of respondents, while 20 percent said they are involved in secure software development.
- Nearly 70 percent of respondents reported having policies and technology in place to meet the security challenges of mobile devices, yet mobile devices were still ranked second on the list of highest concerns by respondents. The study concludes that mobile security could be the single most dangerous threat to organizations for the foreseeable future.
- Cloud computing illustrates a serious gap between technology implementation and the skills necessary to provide security. More than 50 percent of respondents reported having private clouds in place, while more than 70 percent reported the need for new skills to properly secure cloud-based technologies.
- Professionals aren't ready for social media threats. Respondents reported inconsistent policies and protection for end-users visiting social media sites, and just under 30 percent had no social media security policies whatsoever.
- Viruses and worms, hackers and internal employees all fell in significance as top threats compared with 2008, the year of the previous study.
- The main drivers for the continued growth of the profession are regulatory compliance demands, the greater potential for data loss via mobile devices and a mobile workforce, and the potential loss of control as organizations shift data to cloud-based services.
- Nearly two-thirds of respondents do not expect to see any increase in budget for information security personnel and training in 2011.
- Salaries showed healthy growth despite the global recession, with three out of five respondents reporting a salary increase in 2010. Overall, salaries for information security professionals increased, with the A-P region showing the highest growth at 18 percent since the 2007 study.

"With the increasing demand for information security professionals due to security threats, we need to change our approach to global cyber security to address the skills gaps revealed by the study," said Dr. Lee Jae-woo, co-chair for the (ISC)2 Asian Advisory Board and Fellow of (ISC)2. "Especially in Asia, we see that career opportunities are growing. In order to fill the gap of professional demands, we urge industry, government, academia and the profession to collaborate to attract a new generation of highly qualified information security talent while supporting current professionals to help them address the latest threats."

In what is likely the largest study of the information security profession ever conducted, 10,413 information security professionals from companies and public sector organizations around the world were surveyed in the fall of 2010, including 61 percent in the Americas, 22.5 percent in Europe, the Middle East and Africa, and 16.5 percent in Asia Pacific. Forty-five percent were from organizations with over 10,000 employees. The average experience of respondents worldwide was more than nine years, while five percent of respondents held executive titles such as Chief Information Security Officer. Additionally, Frost & Sullivan supplemented the analysis with its other primary data sources and methods. The objective of the GISWS, the fifth study sponsored by (ISC)2 since 2004, is to provide meaningful research about the information security profession to industry stakeholders, including professionals, corporations, government agencies, academia, and hiring managers.♦

The full study can be found here: https://www.isc2.org/workforcestudy/Default.aspx
Cloud Computing More Secure than On-Premise Alternatives

As this issue of Asian e-Marketing focuses on "Security in the Digital Age", I want to highlight once again an article that Andrew Milroy, ICT Director, ANZ, at Frost & Sullivan wrote. He stated that while the IT industry may successfully generate billions of dollars each year by selling security products and services to corporations, there is still a long way to go before those corporations can feel safe.

The fact is that most security breaches are internal, caused by employees or other authorized users (such as contractors) of corporate systems. These groups are the ones most likely to compromise the integrity of an enterprise's systems, not external hackers. All it takes is to insert a thumb drive with malicious code into a USB port to undermine hugely expensive security investments. In spite of this, much more focus tends to be placed on external threats.

According to Milroy, "it is reckless to allow employees and contractors to carry highly sensitive data around with little consideration of the consequences of losing the laptops and smart phones that house the data", pointing out that this particular security threat does not receive enough attention. Many enterprises do not put enough focus on changing the behaviour of their users by making them aware of security policies and the reasons for those policies. Few ensure adequate control of basic access to their physical premises and to the end-points that form part of their network. It also seems that few enterprises track the location of sensitive data that physically moves around with their employees and contractors.

Ensuring that everybody who accesses enterprise networks is trained to follow appropriate security policies is an extremely challenging task. For this reason, it is necessary to consider other ways of mitigating the risk of an employee or contractor compromising security. One way of doing this is to source as much of the enterprise's computing resources as possible from the cloud, as managing the security of heterogeneous on-premise IT environments is a highly complex and almost impossible task. Minimizing the amount of on-premise resources that a corporation manages greatly mitigates the risks associated with security breaches. Ensuring that data is stored in a secure environment (in the cloud), rather than on portable devices such as laptops and smart phones, also enables corporations to reduce risk.

According to Frost & Sullivan's ICT Director, cloud computing offers more security than could be provided by a multi-million dollar attempt to secure on-premise resources. "Public cloud services providers such as Google, Amazon, Microsoft and Salesforce.com focus heavily on ensuring that their data centres follow best practice security policies and are using the most up-to-date security tools. So, using public cloud services can offer more security than keeping data and other computing resources on-premise", he assured, adding: "The cloud model of computing is much better positioned to address today's security challenges and concerns than alternative models."♦

By Daniela La Marca
New IE9 Survey Reveals Fresh Insights on Web Surfing Habits in Asia

When it comes to browsing the Internet, women in Asia tend to put safety first (78 percent), while their male counterparts choose speed above all else (83 percent). In contrast, European Internet users, both male and female, ranked safety as their biggest concern, with 69 percent saying online safety is a priority over speed. These were some of the findings of an IE9 poll conducted to mark the global launch of Microsoft's latest browser, Internet Explorer 9 (IE9).

The IE9 poll was conducted across Asia Pacific and Europe, with more than 20,000 respondents participating across 11 Asian and 20 European markets. It sought to understand users' preferences when it comes to surfing the Web. Speed (82 percent), security (78 percent) and ease of use (66 percent) were the top priorities among respondents in the Asia region. Respondents in Malaysia (91 percent), Singapore (92 percent) and the Philippines (94 percent) were particularly drawn to speed.

"With close to half the world's Internet users coming from the Asia Pacific region, we took into account their priorities for a great browsing experience," said Haresh Khoobchandani, Chief Marketing Officer, Consumer & Online, Asia Pacific, Microsoft. "More than 36 million users have downloaded the beta version of Internet Explorer 9 and they are excited about the faster, safer and cleaner browsing experience that we have built. IE9's technically superior platform has enabled collaboration with more than 200 partners globally, resulting in a more beautiful web experience for our users."

Speed is a key priority for Internet surfers

When it comes to speed, the most common complaint was that videos take too long to load, with music and games being other bandwidth-chokers. Not surprisingly, this is the content that appeals most to users, with 69 percent of those surveyed saying they would like to be able to watch movies in high definition online in the future.
Speed is a key proposition for IE9. Today's websites and browsers use only about 10 percent of the processing power that the PC has to offer. IE9 uses hardware acceleration through Windows to harness the full potential of the PC, making websites and the online experience much faster. In fact, IE9 is 11 times faster than its predecessor, IE8. An online martial arts game (www.masterofthewebgame.com) has been specially designed by Asian firm The Upper Storey to allow users to experience first-hand the remarkable speed and performance of IE9.

"Developing Master of the Web on Internet Explorer 9 was an absolute joy, mainly because of the newly introduced canvas element in HTML5 that allows the browser to render graphics and images on the fly. IE9's hardware acceleration feature is definitely the best thing because it pushes the canvas element to perform at an all new level which no other browser could achieve. With this, the speed increase and beautiful graphics are nothing to scoff at." Chandra Barathi, Technical Director, The Upper Storey.

IE9 survey highlights dangerous online habits that threaten security

Despite rating security highly in their list of important Internet features, it appears that many Asians do not apply the necessary precautions when browsing. Only a little more than half (57 percent) of all respondents said they would refrain from downloading online content when they are uncertain about its safety or legitimacy. More than one-third of users admitted to being willing to take the risk if the questionable content is something they really want, while nearly a tenth of users claimed not to worry at all when downloading anything from the Web. Respondents from China were the most likely to download unsafe content, with 44 percent open to taking a chance on questionable content. Once again, European users were much more cautious: 68 percent of those surveyed said they would avoid downloading any potentially unsafe content from the Internet.
Asians most guarded about online banking

When it comes to online privacy, a majority of respondents in Asia were most concerned with hiding details of their visits to banking websites (65 percent), followed by visits to adult websites (61 percent). In some markets such as New Zealand, the difference was particularly pronounced, with 88 percent more concerned about hiding their online banking history and 53 percent concerned about covering their visits to adult sites. Other online activities that Asians prefer to keep close to their chest include visits to dating/relationship sites (42 percent) and support groups or forums (32 percent).♦

Source: Microsoft
Yahoo! and Nielsen Launch First Asia-wide Online Advertising Effectiveness Study

Yahoo! Inc. and Nielsen have announced the launch of Brand Impact, a study aimed at quantifying the branding effectiveness of online advertising campaigns across Asia. The Yahoo! Nielsen Brand Impact project will consist of a series of 100 case studies that will gauge the brand effectiveness of online advertising campaigns. This study will provide better Internet insights to marketers based on a range of digital marketing evaluation benchmarks that will enable advertisers to compare the branding performance of their online ads against the online advertising sector and within their industry verticals. Brand Impact will also provide advertisers with a range of metrics including awareness, favourability, purchase consideration, recommendation and purchase intent.

According to David Webb, Nielsen's Managing Director of Advertising Solutions, APMEA Region: "The online sector in Asia and around the world has seen exponential growth in advertising spend as companies look to determine the right balance across media to best reach consumers. Up until now, however, these companies have been operating with limited metrics to evaluate the success of their online campaigns. Brand Impact is an excellent example of Nielsen and Yahoo!'s ongoing efforts to measure advertising effectiveness and will present Asia's most in-depth insights on the impact of online advertising to date. This will allow us to look beyond traditional click-through rate metrics to quantify the broader brand impact of online campaigns and provide a true gauge on ROI and performance."

Jeff Han, Vice President of Marketing, Yahoo! Asia Pacific, feels that marketers are often challenged to justify how they will stretch limited budgets across a range of advertising vehicles including online platforms, saying: "It is critical for today's marketers to be able to measure their return on a marketing investment and Yahoo! has taken the lead in the industry by working with Nielsen to produce benchmarking metrics that marketers can leverage to evaluate the success of their online advertising campaigns."

Brand Impact will be carried out over the next 24 months and will involve 100 campaigns from several markets in the region including Taiwan, Hong Kong, India, Korea, Singapore, Indonesia, Malaysia, Philippines, Thailand and Vietnam. An interim report will be released at the end of 2011 and the final study and benchmarks will be available in 2012.♦

Source: Yahoo! Singapore
BEST PRACTICES & STRATEGIES
Ensure You Are Not Labelled a Spammer

The success of email is unquestionable, but sadly no one uses it more intensely than spammers. Investigations have shown that 60% to 90% of all emails are spam, which costs individual users time and nerves, small and medium enterprises tens of thousands of dollars, and big Internet providers millions of dollars per year, considering that a single spam transmission can be directed to up to one million recipients. The damage caused by spam to the worldwide economy continues to skyrocket and, as always, threatens the reputation of the medium.

So, whenever you plan an email marketing campaign, make sure that you are not violating the spam laws of your country or your Internet Service Provider's acceptable use policy. You think this is manageable? That's great! But let's face the truth: even if you and your company follow the specified legislation, there is no guarantee that you will not be branded a spammer. Even if you are in full compliance with all the anti-spam laws around the world, you can still get into trouble and be accused of spamming. The reasons are quite obvious:
Internet Service Providers (ISPs) and global players like Google or Yahoo! provide the medium to go online and therefore have the power to stop anyone from using their systems if they believe them to be spammers. As ISPs suffer most, from an operational as well as a financial perspective, national governments tend to give them a lot of power to influence anti-spam legislation. It has generally become accepted that the law allows local ISPs to initiate civil lawsuits to seek compensation from identified spammers for the damage caused. As the use of automated spamming software is usually outlawed as well, individuals or companies found using such tools can also readily be sued by Internet Service Providers.

In addition to ISPs, other people who can block your email are corporate mail managers, not to mention each individual recipient. Nowadays, email users can easily scan and block their incoming emails with just a few keystrokes by using the "mail block" or "block sender" feature in their email program.

But let's stick to the business sector. Most companies have someone in charge of their email system who has to block all spam. If your emails get classified as spam, they not only block that particular message, but often blacklist your email address. It is all a question of perception, and thus subjective, as the methods of ISPs and corporate postmasters demonstrate. Generally, their decisions on when an email is considered spam depend on the subject line of your email message, sometimes even your company name or sender address, and the number of complaints as well as who complains. If, for instance, their CEO complains about being spammed, you can bet that the email is blocked. The situation can be even worse if busy managers are gung-ho and don't take the time to carefully examine each case of suspected spam before they take action.

I don't want to meet trouble halfway, but as ISPs and many major corporate and governmental mail managers are well-connected, you can bet that if you are blocked by one, you will quickly find yourself blocked by others as well. Then there are email discussion groups and bulletin boards that often pass the word when they spot a suspected spammer. It is extremely easy to land on the famous blocking list called the "Black Hole", where from time to time even big company names appear next to all the other "obvious" junk emailers.

If an email administrator believes that you are sending spam, you could also easily find yourself blacklisted in the Spam Prevention Early Warning System (SPEWS). This anonymous service administers a list of IP addresses that belong to Internet Service Providers that host known spammers and show little, if any, engagement in preventing abuse of other network resources. It can be used by Internet sites as a source of information about the senders of unsolicited bulk email.

Well, no one ever said that life is fair, so the best thing to do is to ensure you don't get labelled a spammer!♦
Internet Security Software Demystified

You think having security software on your computer keeps you safe from Internet threats, right? Well, don't bet on it, as the appropriate software alone isn't enough to ensure that you and your information will stay safe online. The kind of software you have, and your knowledge of threats and how to avoid them, is much more important than you might think. In fact, you will probably be surprised to learn that many of the ideas people have about Internet safety are just myths. Check out the Top 5 Internet Safety Myths listed below to separate truth from fiction, and ensure that you know how to stay safe online:

Myth #1: Security software guarantees full protection when surfing online

In reality, security software protects your computer from threats and helps you surf the Internet safely, but it can't physically stop you from clicking on dangerous links that download spyware or adware, or take you to phishing sites that try to trick you into revealing personal and financial information. To avoid these dangers, it helps to know about common threats and their telltale signs.

Myth #2: Anti-virus is all you need for protection

In reality, anti-virus software alone cannot protect you from the wide range of threats that exist on the Internet today, such as spam, identity theft, and malicious websites designed to steal your money and information. That is why it is important that you have comprehensive, updated and active security software that offers protection beyond anti-virus and includes at least a two-way firewall, anti-spyware, phishing and spam protection, along with safe search functionality. In addition to security software, you have to use common sense if you want to truly avoid Internet threats, since cybercriminals use popular topics and recent news events to trick you into clicking on links and downloading malware. Software alone cannot keep you from making risky decisions on the web.

Myth #3: Dangerous websites can be identified just by looking at them

In reality, cybercriminals have become extremely sophisticated in their ability to replicate authentic websites, such as banking sites. In fact, there are programs available on the Internet that allow cybercriminals with no programming knowledge to quickly replicate a site, down to the tiniest of details. While some dangerous websites still look sloppy, with fuzzy resolution or incorrect grammar, others can look very convincing. On the other hand, a legitimate website that has been poorly designed can look dubious, even if it's not. Your best bet is to stop the guesswork and use a safe search plug-in that warns you of potentially dangerous sites right in your search results.
Myth #4: What my friend sends me is safe to download

In reality, an online message may appear to be from a friend of yours, but their email or social networking account could have been hijacked. The hacker could send out spam emails and dangerous downloads that appear to be coming directly from your friend. If you receive suspicious messages asking you to download a file or click on a link, even if it's from a friend, use common sense and don't click. You should also notify your friend if you think their account may have been compromised.

Myth #5: Free security software is just as good as the one you pay for

In reality, barely anything is really free, although it's tempting to believe so. Most free software providers are trying to hook you with a free product, only to try to get you to buy a paid version with more functionality. In addition, cybercriminals often hide viruses and malware in supposed "free security software," hoping to trick users into downloading them.

When it comes to Internet and computer security, it doesn't pay to skimp. In fact, you may end up paying more in the long run when your computer becomes infected or you lose valuable personal information. It's better to go with a reputable security software provider that offers comprehensive protection at a fair price.♦
Protecting your Mobile Device from Attack Twitter is a popular micro-blogging tool that enables users to communicate to an audience of “followers” using a combination of characters, images and URLs (tiny URLS) – all of which must fit into a 140 character limit. Like email or IM from years ago, and more recently Social Networking, end-users are rapidly making Twitter an integral part of the corporate application infrastructure. The benefit of using Twitter is that it enables users to interact bi-directionally with a wide audience. Marketing can “tweet” about the latest press release or success story; engineers can solicit answers to a perplexing question; and corporate bloggers can tweet about the latest blog post. There are, however, several challenges that the rapid adoption of Twitter has introduced. Many Malaysian organizations for instance are unaware of who is using Twitter and for what purpose - and as is the case with social networking applications, policies governing specific usage are non-existent. Many users tend to be too trusting and blindly download images or access shortened, and effectively obfuscated, URLs which can introduce malware into their network. IT is therefore tasked with keeping the network secure while enabling the use of Twitter. Blindly blocking tweets is an inappropriate response because it may be detrimental to organizational productivity and may force users tMobile phones with built-in office and Internet functions, so-called smart phones, are starting to become omnipresent and consequently will inspire more and more hackers and virus writers to
come up with ideas, especially since these end devices, like PCs, have many security gaps. The dangers are manifold: attackers can, for instance, read personal data such as contact and call lists, steal documents stored on the phone, or reprogram the device so that it works like a bug that monitors the owner's entire usage, including telephone calls and sent as well as received text messages. Fortunately, no one is defenceless if the following simple advice is taken to heart. These points are written for users of Windows Mobile smartphones, but most of them apply to devices running other operating systems too:

Don't be frivolous
Act with the same caution while surfing the mobile Internet as when you use your regular PC, so do not download software indiscriminately from the Web. Install only programs that carry a digital signature confirming them as legitimate software from a commercial vendor that has gone through a specific certification procedure.

Don't try to outsmart any security mechanism
Out of the factory, the programming interface (API) of the Windows Mobile operating system allows only certified software with a digital signature to run. This works well as long as the user does not try to install an unsigned program. The default can be bypassed, for example, with Novosec's auxiliary program SDA_ApplicationUnlock, which disables the certificate checks on the device. That creates a security risk, because from then on any other software can also be installed without control. You are therefore strongly advised to avoid such "workarounds" if you want to keep your smartphone free of malicious programs.

Use a process manager
Process management software lets you look for suspicious processes on your phone and stop them if necessary. Windows Mobile allows only a limited number of processes to run at the same time, so make a note of the running processes while you are sure that the phone is not infected. If a hitherto unknown process shows up later, it could indicate a virus, and you can stop it. A caveat: a process list only catches malware that runs as a process of its own; code injected into a legitimate process will not show up this way.

Use WLAN and Bluetooth sparingly
Disable WLAN and Bluetooth when you are out and about, as these short-range wireless transmission techniques can easily be abused to deliver viruses or other pests. In addition, so-called "sniffers" can intercept your confidential data on such links.

Watch out for spontaneous data connections
If you discover that your phone connects to the mobile network (via GPRS, UMTS, etc.) without manual intervention, it could be a sign that it is infected with a virus that is transmitting data to a third party. If so, cut the connection immediately and remove the malicious program with anti-virus software.

Make regular backups
Whether your smartphone is used for business or privately, probably the most important resource on it is your contact list. Imagine the consequences if it were lost or stolen, so back up the data stored on your device regularly. Should the device be infected, it can then be reset to the factory defaults without significant loss of data while getting rid of the pests.

Save sensitive data outside of your smartphone
Don't save confidential files in your mobile device's built-in memory; keep them on removable memory cards instead, and be aware that smartphones are in general not very safe. Note that a card is only safer than built-in memory if you remove it when the phone leaves your hands or encrypt its contents; an unencrypted card in a lost phone is read just as easily.

Install anti-virus software
Almost all security providers now offer anti-virus solutions for mobile devices. If you haven't done so yet, install one: it is time that your smartphone enjoyed the same protection as your desktop or laptop. On both platforms, software that blocks viruses and other malicious programs before they reach the system is more effective than software that cleans already infected machines, as removing an infection afterwards is not always easy. The most effective protection is a mobile security solution combined with an anti-virus program with active real-time scanning on the PC.♦

Source: McAfee
Cleaning Data Storage Effectively

Whoever is planning to sell or scrap an old computer, used mobile phone or storage medium should make sure that all files are really deleted. Growing capacities and better performance of computers, mobile phones, PDAs and storage media lead to faster equipment turnover, and many companies and individuals are selling, giving away or scrapping devices that still work. Be cautious: the buyer can get hold of confidential information even if the previous owner believes all documents were deleted properly. Emptying the trash is not enough, as it does not remove the files from the hard drive, only the references to them. Furthermore, remember that application programs such as Microsoft Office automatically generate backup copies of edited documents, which do not usually show up as files even though their data is still there. Most users are therefore not aware that even deleted documents on the hard disk are easily recoverable. Securely delete all personal information and data stored on old equipment when sorting it out.

Here are the most basic rules:

Overwrite hard disks and floppy disks repeatedly: Linux and Mac OS X ship with suitable tools; for Windows there is software from Acronis, Steganos or Ashampoo that can make individual folders and files unreadable.

Destroy CD-ROMs and DVDs: An inexpensive solution is a small office document shredder with an additional CD shredder.

Overwrite memory cards and USB sticks: The contents are no longer legible after a single complete overwrite of the whole medium. Caveat: flash media with wear levelling may keep stale copies in blocks the host cannot address, so overwrite the entire device rather than individual files, or physically destroy a stick that held highly sensitive data.

Reset mobile phones: Delete the phone memory, which contains the phone book entries and text messages, reset the phone to its factory settings, and don't forget to remove the SIM card!♦

By Daniela La Marca
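The overwrite rule above, carried out on a single file as an added example (this is not code from the article or from any of the vendors it names): several random passes, a final zero pass, an fsync after each pass so the data really reaches the medium, and only then removal of the directory entry, which is all that emptying the trash does. The file name and the "secret" content are constructed for the demonstration.

```python
"""Overwrite a file in place before removing it (added example)."""
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write in 64 KiB chunks so large files need little memory


def overwrite_file(path, passes=3, unlink=True):
    """Overwrite `path` with `passes` random passes and one final zero pass.

    Returns the file size in bytes (the amount written per pass).

    Practitioner's caveats (not claims made by the article):
    - journaling, copy-on-write and snapshotting filesystems, and flash
      media with wear levelling, may keep older copies of the data in
      blocks this routine never touches; wipe the whole device, use the
      drive's secure-erase command, or encrypt and destroy the key instead;
    - autosave/backup copies made by applications are separate files and
      must be found and wiped as well.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pass_no in range(passes + 1):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                # random data for the first `passes` passes, zeros for the last one
                f.write(b"\x00" * n if pass_no == passes else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the overwrite past the OS cache onto the medium
    if unlink:
        # rename first so the original file name disappears from the directory as well
        tmp = os.path.join(os.path.dirname(path), "." + secrets.token_hex(8))
        os.rename(path, tmp)
        os.unlink(tmp)
    return size


def demo(directory=None):
    """Write a constructed secret, wipe it without unlinking so the result can be
    inspected, then remove it. Returns (bytes left after the wipe, file still exists?)."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "contract.txt")
    secret = b"Account 1234-5678, password hunter2\n" * 100  # constructed content
    with open(path, "wb") as f:
        f.write(secret)
    overwrite_file(path, passes=2, unlink=False)
    with open(path, "rb") as f:
        leftover = f.read()  # same length as before, but nothing readable is left
    overwrite_file(path, passes=0)  # zero pass only, then unlink
    return leftover, os.path.exists(path)


if __name__ == "__main__":
    leftover, exists = demo()
    print(f"{len(leftover)} bytes left, all zero: {not any(leftover)}, still exists: {exists}")
```

On Linux the same job for a single file is done by `shred -u -n 3 file`; for a whole disk, overwrite the block device rather than the files on it, since the file-level approach misses the Office backup copies and filesystem slack the article warns about.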
Smartphones: Stepchildren of IT Security?

Working with smartphones to access important data or to interact quickly with colleagues is already common business practice, as it raises productivity. Unfortunately, the specific vulnerabilities of these handy communication tools still seem to be underestimated by many companies. Basically there are two weak points when smartphones are used in the enterprise: the user and the device itself. When such devices are integrated into the corporate network, the usual suspects of IT security (authentication, mobile VPN clients, firewalls, encryption and malware scanners) are too seldom on the list, even though security settings can be enforced on the handheld in line with company policy. While IT managers and administrators should be aware of these risks, user rights and security settings on mobile devices are not defined in most companies. The majority of businesses handle applications and settings quite carelessly and thereby expose sensitive corporate data: confidential emails and documents, network access credentials, customer contacts and supplier data sit unprotected on most company smartphones. The IT department passes responsibility for data security on to the staff and expects them to look after their own data in accordance with the company's security policy. In many cases this assumption fails through user ignorance, irrationality or lack of technical understanding. The failure to take adequate measures is the key weak point.

Human interface as security guard

The "human interface", the human factor, remains the biggest security risk even when the smartphone has been configured according to the appropriate IT security policy. Keep in mind that on these devices each user is in effect an administrator: with enough technical knowledge they can change the device's configuration as they like, which may well disable the security software. The operating system's configuration database, the registry, is easily accessible to most users on smartphones; with the remote registry editor or a third-party editor, any experienced user can, for example, disable encryption software and firewalls. To watch over the safety-critical settings in the registry, it must be protected against write access. This can be achieved with a security solution such as ubiControl, which runs as a kernel-level application on the handheld and, according to its vendor, cannot be terminated or bypassed by buffer-overflow attacks; it prevents the execution of registry editors and blocks the import of registry changes.

Attack on the company network via hotspots

If a sales representative, for instance, logs on to the corporate network over an unsecured connection such as an airport hotspot, say to download an important chart for a presentation, uncontrolled access to the corporate network by third parties becomes possible. IT managers can stop such risks
by installing a firewall or enforcing a permanent VPN-protected connection to the corporate network. The VPN has to be enforced permanently, because a user with administration rights on the handheld can otherwise disable the dial-up security for the various bearers (GSM, GPRS, UMTS, Bluetooth and Wi-Fi) and, for example, set up a private POP3 account for personal e-mail.

Sensitive data on a silver platter

As mobile workers around the world always have their smartphones at their fingertips, it is no wonder that these handy devices are often left behind in restaurants, trains, airports or taxis, easy pickings for anyone skilful and malicious enough to get at all the data on the handheld. The built-in power-on password is not an obstacle: if the device is started in its boot ROM mode, for example, the power-on password prompt can be bypassed completely, and the entire memory can then be read out on a connected computer, including the complete email traffic, addresses and customer data, all stored documents and the access credentials for the corporate network. IT managers can prevent such data espionage with encryption of the stored data and a secure VPN, used in conjunction with a registry blocker. Note that only encryption of the data at rest protects against a memory dump from a lost device; the VPN protects the connection, not the data already on the handheld.

Policy enforcement module takes users' admin rights

Risks from missing data security on smartphones, and the resulting opportunities for attacks on the company's IT systems, can be eliminated only if user rights and company security settings are permanently anchored on the device. By installing a policy enforcement module on employee handhelds, company-specific user rights and device configurations can be controlled and the invocation of critical functions and applications specifically prevented. Users should therefore have no administrative rights on their company handheld, so that they cannot, even inadvertently, override the device's security settings. In addition, companies can reduce support costs, since potential communication incidents and the time required to administer mobile devices are both reduced.♦
Microsoft's Five Key Tips when Using IE9

Microsoft Corp. launched its latest browser version, Windows Internet Explorer 9 (IE9), this month in 40 languages; its beta was the company's most-downloaded browser beta of all time, with more than 36 million downloads around the world. Based on a region-wide survey of Internet browsing habits in Asia Pacific, Microsoft highlights five key tips when using IE9.

Top five tips from the IE9 survey findings:

1. Keep your browser current: download IE9 at www.beautyofthewebasia.com. Your Internet browser is the first line of defence against online attacks. Research data from NSS Labs shows that IE9 blocks 99 percent of socially engineered malware attacks, much higher than any other browser in that test.

2. Browse in the fast lane: IE9 is designed to start fast and stay fast over time. The Add-ons Advisor identifies programs that may be slowing down the browser and gives you the information you need to disable or fix them, directly from the Notification Bar.

3. Stay safe: The SmartScreen Filter in IE9 protects your computer by warning you when you attempt to view sites or download files that are potentially unsafe. IE9 also introduces SmartScreen Download Reputation, which uses reputation data to remove unnecessary warnings for well-known files and to show more severe warnings when a download has a higher risk of being malicious. Caveat: reputation data can say nothing about a brand-new file, so for these IE9 can only show a generic "not commonly downloaded" warning; that warning, not only the red one, is worth heeding.

4. Don't leave an online trail behind: With the new Tracking Protection feature, IE9 gives you an added level of control and choice about the information that you reveal about your online activities.

5. Make your online browsing a breeze: IE9 comes packed with shortcuts that take you to your online destination faster. For example, the Pinned Sites feature lets you pin the websites you access most often directly to the taskbar on your desktop, so you get there with just one click!♦
Source: Microsoft
TECHNOLOGIES & PRODUCTS
Trend Micro Safeguards Kids from the Dangers of Social Networks Trend Micro unveiled recently its “Online Guardian for Families”, the company's first product designed for parents concerned about their kids' social networking activities. With comprehensive parental controls, social network monitoring, and Internet filtering, Trend Micro Online Guardian gives parents the tools they need to keep up with their children's Internet and social networking activities and take action to keep them safe while they are using their cell phones, tablets, laptops, and desktops. "As busy parents who may or may not have the technical know-how, it's hard to keep up with our kids online," said Carol Carpenter, executive general manager for the consumer and small business units at Trend Micro. "Our vision with Trend Micro Online Guardian is to provide the tools and information for parents to become aware of their kids' online activities, to generate healthy family dialogue, and to prevent problems before they happen." Over 90 percent of kids aged 12 to 17 are on the Internet and over 70 percent of teens have a social networking profile. To fully attain the social networking sites' benefits, these sites require users to provide personal information. While social networks are heavily used by millions to keep relatives up-to-date, find lost friends, or make new ones, they can also be popular places for people who have bad intentions. Risks such as unwanted contact, scams or identity theft, computer security issues, cyberbullying, and harming one's reputation are things parents need to watch out for.
Action is needed
While young adults and teenagers are concerned about the risks that come with social networking sites, they don't always act on that concern, so a little up-front Internet monitoring can be helpful to kids as well as their parents. Trend Micro Online Guardian gives parents control resources and tools to stay informed, the ability to approach concerns proactively, and an easy-to-read report on what their kids are doing on the web that helps them encourage children to make smart online choices. Trend Micro Online Guardian allows parents to:

Monitor Internet activities 24/7 on web sites like Facebook, Twitter, MySpace, YouTube, and Flickr.

View browsing history, wall postings, messages, photos and videos (shared and viewed), and chat logs to help prevent damage to their children's reputation.

Stop access to adult and other inappropriate content.

Limit Internet time and set daily access schedules.

Block the sharing of personal information to shield kids from online predators, identity thieves and cybercriminals.

Install the software on as many computers as needed and monitor up to five children.

Once activated, privacy settings within Facebook and MySpace won't stop it from monitoring activities. Once it begins monitoring the child's account, it reports on activities from any location, even outside the home (a friend's house, school, cell phone, etc.). The online management console allows parents to access the latest information from anywhere in the world.

Trend Micro Online Guardian does, however, require the kids' permission to let their parents monitor them; that is what allows it to report on non-public information, whereas other products only report public information.♦

Source: Trend Micro
Network Box's Data Leakage Prevention

According to a survey conducted by managed security firm Network Box Corporation, over 92 per cent of companies feel that it is important to deploy data-leakage prevention and to pay more attention to data security. On the strength of this finding, the Unified Threat Management (UTM) specialist has just released a new feature, Data Leakage Prevention (DLP), in addition to continuously defending customers' networks with PUSH technology that instantaneously updates protection from 12 Security Operations Centres spread across the globe. Network Box receives numerous customer requests to enforce policy blocks on outbound content and has been working on this solution for quite some time. "The reason for developing Data Leakage Protection (DLP) was that many companies and banks around the world require this due to government and security regulations. The more businesses focus on data security, the more requests for DLP have emerged. As with all additions to our technology, we looked at the many ways to do this and after much testing and analysis, we have come up with what we think is a terrific solution that will be very well received by our customers," said Mark Webb-Johnson, CTO of Network Box Corporation.

The feature is implemented in two parts, the 'DLP_Rules' engine and the 'Policy_DLP' engine, and applies the same award-winning anti-spam technology Network Box uses to police outbound SMTP mail, allowing complex rules to be defined and policy blocks to be enforced. The DLP_Rules engine runs at the policy scanning stage, after anti-virus and anti-spam, and can be configured to run on outbound data, inbound data, or bidirectionally. It can be used to block sensitive information such as credit card numbers or validated US Social Security numbers. The Policy_DLP engine is configured with a list of directions, named DLP tests and thresholds, which permits sophisticated policy enforcement rules to be configured; with this engine, you can block outbound emails containing specific attachments, encrypted ZIP files, and so on.

The company has noticed, in the past few days, increased email-based malware activity on a global level of a kind not seen for several years.
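Content rules of the kind the two engines above apply, written out as an added example; this is not Network Box code, and the rule names, the per-direction thresholds and the sample mail are all constructed here. The point a practitioner cares about is the validation step: a bare 16-digit regex would flag invoice numbers and reference codes, so the scanner checks the Luhn check digit for card numbers and the Social Security Administration's structural rules for SSNs before counting a hit, then compares hit counts against a threshold per direction the way the article describes for Policy_DLP.

```python
"""Validated credit-card and US SSN detection with per-direction thresholds (added example)."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn check digit (ISO/IEC 7812): rejects most random digit runs of card length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings of Luhn-valid card numbers found in `text`."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def ssn_ok(area, group, serial):
    """SSA structural rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_ssns(text):
    return [m.group() for m in SSN_RE.finditer(text) if ssn_ok(*m.groups())]


# constructed policy: direction -> {rule name: hits tolerated before the message is blocked}
POLICY = {
    "outbound": {"credit_card": 0, "us_ssn": 0},
    "inbound": {"credit_card": 5, "us_ssn": 5},
}


def evaluate(text, direction):
    """Return (verdict, hit counts per rule) for a message travelling in `direction`."""
    counts = {"credit_card": len(find_pans(text)), "us_ssn": len(find_ssns(text))}
    thresholds = POLICY[direction]
    blocked = [rule for rule, n in counts.items() if n > thresholds[rule]]
    return ("block" if blocked else "allow"), counts


# constructed sample: one Luhn-valid test card number, one 16-digit run that fails Luhn,
# one well-formed SSN, one SSN the structural rules reject, and a 13-digit invoice id
SAMPLE_MAIL = """Subject: card details for the booking
Card: 4111 1111 1111 1111 exp 12/13
Ref no: 4111-1111-1111-1112
Employee SSN 123-45-6789 (old record 000-12-3456 is invalid)
Invoice total 1234567890123 (just an invoice id)
"""

if __name__ == "__main__":
    for direction in ("outbound", "inbound"):
        verdict, counts = evaluate(SAMPLE_MAIL, direction)
        print(f"{direction}: {verdict} {counts}")
```

Run as a script this blocks the message outbound (one card number, one SSN) and allows it inbound (both counts under the threshold of five). Note what such rules cannot see: the same numbers inside an encrypted ZIP or a password-protected document pass the content scan, which is why the article's Policy_DLP engine blocks encrypted attachments outright rather than trying to read them.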
"The malware is coming in from hundreds of thousands of sources in emails of varying subjects. So far, our heuristics such as NBHBGTRACK and zero-day Z-scan protection systems are holding it back, but the increase is more than four times baseline and all the samples we are seeing are emerging as never-before-seen zero-day threats. We expect that this increased activity is caused by botnet herders attempting to increase the size of their botnets and this will probably be followed by a corresponding increase in spam levels," said Mark Webb-Johnson, CTO of Network Box Corporation. Network Box's alert condition has therefore been raised to 3, and the company continues to monitor the situation closely.

In the last year alone, more than three million new threats were identified, approximately one every 10.2 seconds, according to analysis by Network Box: 3,083,018 threat signatures were released over the year to protect against new or variant threats, an increase of 6.1 per cent. In 2010, zero-day viruses became more and more commonplace. They are so named because defenders have had zero days' notice: the malware is already in circulation before the vulnerability it uses, or any signature for it, is commonly
known. Standard anti-virus technologies are simply not able to cope, especially as virus writers have started to use Internet-based multi-engine scanning sites to test their viruses prior to launch. This means a new virus can be released by its creator just after it has been tested as undetected by every one of the world's major anti-virus providers. Network Box protects its customers against this with its next-generation 'Z-Scan' protection. Network Box Managing Director Michael Gazeley said last year was quite different from previous years: "2010 saw the number of signatures per-update fall, while the number of signatures released increased; reflecting the continued move to cloud-based signature systems such as the Network Box ZScan, and NBCP content categorisation systems. We expect this trend to continue, as traditional signatures continue to be the most effective against the depth and breadth of malware, whilst cloud-based signatures are emerging as the most effective solution for zero-day outbreaks," he said.

The reduction in overall spam volume continues, as large-scale takedown operations are effective in controlling botnet-based spam, the most prolific source of spam. 2010 saw the spammers' continued migration away from traditional Viagra-type spam to more sophisticated phishing and hoax attacks. The increase in malware over the year has continued, and reflects this greater level of sophistication on the part of the spammers. During 2010, the average Network Box blocked a spam or malware message once every 63 seconds and, in total, 8,129,674 attacks using firewall technology and 1,738,576 attacks using IDP technology (up 38.9% and 10.6% respectively compared with 2009). "During 2011, Network Box will launch a Network Vulnerability Scanning service that will also improve the protection we can offer to our customers, pro-actively scanning networks for unauthorised servers/services," Gazeley said.♦

By Daniela La Marca
Internet Explorer 9 Promises a More Beautiful Web Experience

By 2014, close to half of all Internet users will live in Asia, and, surprising as it may be, 70 percent of Asians already spend more than three hours a day online and watch more videos on the Internet than people in North America or Europe. No wonder, then, that expectations for Internet safety and security in the region are now high as well. There has never been a greater need for an immersive, high-performance browser that not only meets ever increasing demands, but opens the window to the Web of tomorrow. Microsoft's new Internet Explorer 9 (IE9) promises users that they will get to their online destination faster and with a richer, safer and highly enjoyable experience. IE9 enables a more immersive, more beautiful Web experience with features such as Pinned Sites and Jump Lists, which let users put their websites directly on the Windows 7 taskbar, as though they were native applications, and then quickly and easily perform tasks related to those websites, such as checking their inboxes, changing the music station, accepting friend invitations or seeing breaking news.

Hardware Acceleration

The new Internet Explorer also takes advantage of the power of modern Windows PC hardware to improve all-round Web browsing performance. According to Microsoft it is the only browser with hardware-accelerated HTML5 spanning all graphics, text, audio and video. Internet Explorer 9 harnesses the power of the Graphics Processing Unit (GPU), unlocking 90 percent of the PC's power that previously went untapped by Web browsers. In that way, developers get a chance to build faster, more immersive websites that feel like native applications using HTML5, as well as runtimes such as Adobe Flash Player and Microsoft Silverlight, both of which will take advantage of the hardware acceleration in Internet Explorer 9 in their next versions.

Tracking Protection Lists

In December 2010, Microsoft introduced Tracking Protection in Internet Explorer 9, which puts people in control of what data they share as they move around the Web by letting consumers indicate which websites they would prefer not to exchange information with. Consumers do this by adding Tracking Protection Lists to Internet Explorer 9, and partners such as PrivacyChoice, TRUSTe, Abine and Adblock Plus have already published such lists. Because the Web is becoming less secure and private, Internet Explorer 9 is designed to be a trusted browser, with a robust set of built-in security, privacy and reliability technologies that keep customers safer online.
Download Manager with integrated SmartScreen malware protection

Internet Explorer 9 provides the first download manager with integrated SmartScreen malware protection, to give online users better security. The browser also introduces SmartScreen download reputation, a browser feature that uses reputation data to remove unnecessary warnings for well-known files and to show more severe warnings when a download has a higher risk of being malicious. Microsoft's studies showed that Internet Explorer 9 blocks 99 percent of socially engineered malware attacks, five times more than Firefox and 33 times more than Google Chrome.

Ryan Gavin, Senior Director, Windows Internet Explorer, at Microsoft, last but not least reminds us that: "What people care about on the Web is their sites, not their browser. That's why Internet Explorer 9 is about making those sites shine. The browser is the theatre, and the sites people visit are the play, and that is what Internet Explorer 9 makes better - your favourite sites."♦

Seems to me like Windows Internet Explorer 9 lives up to its expectations!

By Daniela La Marca
COMPANIES & CAMPAIGNS
When Google's 'Panda' goes Global …

Hot on the heels of last month's algorithm update to combat duplicate content, Google has followed up with "Panda", another algorithm change that hits purveyors of "low quality content". Generally perceived to be designed to tackle content farms, it destroys the rankings of sites that many Google users are sick and tired of seeing in the search engine results pages. Although currently live only in the US, going by the trend of previous Google algorithm roll-outs it could, at any time within the next few months, hit European sites and swiftly move beyond. As most of the larger content-farm-type sites are US based, I guess nobody really knows what kind of impact it will have in Asia. As Google's additional algorithm is applied at domain level rather than at the level of a specific page, we are probably talking about only a small number of affected sites; they are, however, so prominent that the precaution seems justified. To avoid being slammed with little or no warning, leading search marketing specialist and technology firm Greenlight is urging businesses to take the necessary steps to ensure that their site rankings and visibility are not affected when Panda strikes. Greenlight also unravels how the update might go about judging quality content and sorting it from the junk.

What you should do to be prepared

To avoid any negative impact, the content on websites should be well written. Businesses should aim to attract as many clicks as possible when ranking in Google by optimising the message put across to users in the page title, meta description and URL. Once users land on the site, they should be kept happy with a rich experience, as much supporting multimedia as possible, and clear options for where to go elsewhere on the site if the first landing page does not "do it" for them. "Regardless of what Google is doing, these are all the basic requirements for almost any online business, which gets at the heart of what the Google algorithm updates, and indeed SEO (search engine optimization), are all about," says Adam Bunn, Director of SEO at Greenlight.
How your content quality could be judged

According to Greenlight, Panda is a combination of more emphasis on user click data and a revised document level classifier. User click data concerns the behaviour of real users during and immediately after their engagement with the SERPs (search engine results pages). Google can easily track click-through rates (CTRs) on natural search results. It can also track how long a user spends on a site, either by picking up users who immediately hit the back button and return to the SERPs, or by collating data from the Google Toolbar or any third-party toolbar that contains a PageRank meter. Taken together, this in all probability provides enough data to draw conclusions about user behaviour. Using it, Google might conclude that pages are more likely to contain low-value content if a significant proportion of users display any of the following behaviours:

Rarely clicking on the suspect page, despite the page ranking in a position that would ordinarily generate a significant number of clicks.

Clicking on the suspect page, then returning to the SERPs and clicking a different result instead.

Clicking on the suspect page, then returning to the SERPs and revising their query (using a similar but different search term).

Clicking on the suspect page, then immediately or quickly leaving the site entirely.

What might constitute "quickly" in this context? According to Greenlight, Google probably compares, for example, the engagement time against other pages of similar type, length and topic. "We know Google has strongly considered using user click data in this way. It filed (and was granted) a patent called method and apparatus for classifying documents based on user inputs describing just this. It is likely Google only uses this data heavily in combination with other signals, as user click data as a quality signal is highly susceptible to manipulation. Hence it's historically been such a minor part of search engine algorithms," says Bunn.

Bunn explains that Google could give a percentage likelihood of a page containing low-value content, and then any page that exceeds a certain percentage threshold might be analysed in terms of its user click data. This keeps such data as confirmation of low quality only, rather than a signal of quality (high or low) in its own right, so it cannot be abused by webmasters eager to unleash automatic link-clicking bots on the Google SERPs.

Google's document level classifier

A "document level classifier" (which Google announced a redesign of in a blog post in late January) is the part of the search engine that decides such things as what language a document is written in and what type of document it is (blog post, news, research paper, patent, recipe, etc.). It could also be used to determine whether a document is spam or contains low-value content. For example, it might look for content with excessive repetition of a particular keyword and lacking the semantic variation of a naturally written document, content with little supporting video and/or images, content containing keywords but few proper sentences (indicating it could be machine generated), or newly created content too closely aligned with regularly searched keywords (a hallmark of content farms).
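Greenlight's two-stage scheme, carried through on constructed data as an added example: a document-level score comes first, and only pages above a threshold have their SERP click data examined, purely as confirmation. This is not Google's algorithm or Greenlight's code; the scoring heuristics, the click-through baseline per position, the documents and the search sessions are all constructed here. The four outcomes below show why the ordering matters: a page with a bad click record but ordinary content is never touched by the click data, which is the property Bunn describes as making the signal hard to game with click bots.

```python
"""Two-stage low-quality check: document score first, click data only as confirmation (added example)."""
import re
from collections import Counter, defaultdict

FARM = "http://farm.example/cheap-laptops"       # keyword-stuffed, users bounce
REVIEW = "http://review.example/laptops-2011"    # written prose, users stay
GUIDE = "http://honest.example/buying-guide"     # written prose, hammered by a click bot
SPECS = "http://list.example/laptop-specs"       # keyword-heavy, but users stay

DOCS = {  # constructed page texts
    FARM: "cheap laptops cheap laptops best cheap laptops deals cheap laptops "
          "cheap laptops 2011 cheap laptops online cheap laptops buy",
    REVIEW: "We tested six laptops under $600 this spring. Battery life varied from "
            "three to nine hours, and only two models shipped with a matte display.",
    GUIDE: "Before buying, decide what you need: screen size, weight and battery life "
           "matter more than raw speed for most people.",
    SPECS: "laptop specs laptop specs laptop specs table laptop specs compare laptop specs",
}

# constructed SERP sessions: (query, impressions [(url, position)], clicks [(url, dwell_s, next action)])
SESSIONS = []
for i in range(6):
    impressions = [(FARM, 1), (REVIEW, 2), (GUIDE, 3), (SPECS, 4)]
    clicks = []
    if i < 4:
        clicks.append((FARM, 5, "back_other_result" if i % 2 else "back_revise_query"))
    if i < 3:
        clicks.append((REVIEW, 180, "stayed"))
    if i < 5:
        clicks.append((SPECS, 120, "stayed"))
    clicks.append((GUIDE, 2, "left_quickly"))   # the click bot: click, leave at once
    SESSIONS.append(("cheap laptops", impressions, clicks))

EXPECTED_CTR = {1: 0.30, 2: 0.15, 3: 0.10}      # constructed per-position click baseline
POGO = {"back_other_result", "back_revise_query", "left_quickly"}
EMPTY = {"impressions": 0, "expected_clicks": 0.0, "clicks": 0, "pogo": 0}


def doc_score(text):
    """Stage one stand-in for the document-level classifier: share of tokens taken by
    the single most frequent word, plus a penalty when there are no sentences at all."""
    tokens = re.findall(r"[a-z0-9$]+", text.lower())
    if not tokens:
        return 0.0
    top_share = Counter(tokens).most_common(1)[0][1] / len(tokens)
    no_sentences = 0.3 if not re.search(r"[.!?]", text) else 0.0
    return min(1.0, 2 * top_share + no_sentences)


def click_stats(sessions):
    """Aggregate the four behaviours from the article per URL."""
    stats = defaultdict(lambda: dict(EMPTY))
    for _, impressions, clicks in sessions:
        for url, pos in impressions:
            stats[url]["impressions"] += 1
            stats[url]["expected_clicks"] += EXPECTED_CTR.get(pos, 0.05)
        for url, dwell, nxt in clicks:
            stats[url]["clicks"] += 1
            if nxt in POGO or dwell < 10:     # returned to SERPs, revised query, or left at once
                stats[url]["pogo"] += 1
    return dict(stats)


def click_confirms(s):
    """Stage two: users mostly bounce off the page, or avoid it despite its position."""
    if s["clicks"] == 0:
        return s["impressions"] >= 5 and s["expected_clicks"] >= 1.0
    pogo_rate = s["pogo"] / s["clicks"]
    ctr_shortfall = s["clicks"] < 0.5 * s["expected_clicks"]
    return pogo_rate >= 0.6 or (ctr_shortfall and pogo_rate >= 0.3)


def classify(url, text, stats, threshold=0.6):
    if doc_score(text) <= threshold:
        return "ok"                 # click data is never consulted for these pages
    return "low_quality" if click_confirms(stats.get(url, EMPTY)) else "suspect_unconfirmed"


def run():
    stats = click_stats(SESSIONS)
    return {url: classify(url, text, stats) for url, text in DOCS.items()}


if __name__ == "__main__":
    for url, verdict in run().items():
        print(f"{verdict:20} {url}")
```

The guide page ends up "ok" despite a 100 percent bounce rate because its text never crosses the stage-one threshold, while the specs page, which does cross it, stays merely "suspect" because real users keep it open; only the farm page, failing both stages, is marked low quality.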
"It is possible the first algorithm update of the year, i.e. in January, was the roll out of the document level classifier, and Panda added the additional layer of user click data", says Bunn. "Or, the new classifier may only have been "soft launched" on a few data centres or for internal testing, before being rolled out alongside the user click data component."

Google's "Personal Blocklist" Chrome extension to help validate quality content

Some in the industry are nervous about Google making qualitative judgements about content quality. There is a way for Google to validate what its algorithm believes are low-quality content sites against real user feedback: the Personal Blocklist extension for its browser, Google Chrome. Launched in mid-February, the extension lets Chrome users block specific sites from appearing in their search results on Google, and passes information about which sites are being blocked back to Google. Google, however, claims that the Personal Blocklist has no algorithmic impact on rankings yet. Greenlight's Bunn finds this credible, since not enough time has elapsed to properly analyse the data and build it into the algorithm, but he does not rule out the use of this data in the future in a capacity similar to click data: a second or third line of validation of assumptions Google has already made about quality in other ways. Indeed, Google itself has pointed out that it has compared the sites affected by Panda with the sites people are blocking with Personal Blocklist, saying "we were very pleased that the preferences our users expressed by using the extension are well represented."♦

Source: Greenlight
39
COMPANIES & CAMPAIGNS
Symantec's Acquisition of VeriSign completes its Business Strategy

Symantec Corporation's acquisition of VeriSign's identity and authentication business, which includes the Secure Sockets Layer (SSL) and Code Signing Certificate Services, the Managed Public Key Infrastructure (MPKI) Services, the VeriSign Trust Seal, the VeriSign Identity Protection (VIP) Authentication Service and the VIP Fraud Detection Service (FDS), has been a strategic step to create the most trusted brand for protecting information and identities online. According to Enrique Salem, President and CEO, Symantec: "The combination of Symantec's leading security solutions with VeriSign's security products, services and recognition as the most trusted brand online uniquely positions Symantec to drive the adoption of identity security and restore trust online unlike any other company."

The VeriSign check mark is the most recognized symbol of trust online, with more than 250 million impressions every day on more than 90,000 websites in 160 countries. To no surprise, Symantec has immediately started to incorporate the VeriSign check mark into its corporate identity, which includes a new corporate logo as well as a new version of the Norton consumer logo, to convey that it's safe to communicate, transact commerce and exchange information online. You will probably have noticed it by now.

VeriSign's Trust Seal has been promoting a safer Internet by proactively identifying websites that compromise consumer safety, and has consequently increased confidence, traffic and transactions for sites that do not require SSL certificates. Any business website can benefit from the global awareness it has created. The VeriSign Trust Seal has assisted in driving traffic and helped sites avoid search-engine blacklisting. It increased conversion results, as consumers have a higher propensity to take action on sites that they trust and which protect them from malicious attacks or identity theft.

Symantec's portfolio, along with assets from VeriSign, now provides the depth and breadth of technologies to make identity-based security of information part of a comprehensive solution, which means:

- VeriSign's SSL Certificate Services will be provided with Symantec Critical System Protection through the sales channel. By quickly enabling the sales force to begin cross-selling these offerings, Symantec will help organizations ensure and verify a higher level of security on their web servers, providing users with the trust and confidence to do business online.
- VeriSign SSL and client PKI authentication services will be aligned with Symantec Protection Center (SPC) to provide a unified enterprise security management solution.
- By expanding Symantec's Data Loss Prevention solutions and Data Insight technology with VeriSign's identity security services, user access security will be strengthened, ensuring that only authorized users have access to appropriate information.
- By providing the VeriSign VIP authentication service along with Norton products and Symantec desktop clients, users enjoy strong authentication and organizations can leverage the highly recognized VeriSign trust mark in online searches.

"As identity pervades many corporate and consumer security functions, there is a strong synergy between Symantec and VeriSign," said Christian Christiansen, Vice President of Security Products and Services, IDC, adding: "As devices, data, web services, and applications proliferate, strong authentication and identity management become crucial to reducing the risk of unauthorized information exposure, protecting privacy, and increasing trust. The incorporation of VeriSign's market-leading SSL, PKI and VIP products into Symantec's broad portfolio of information security solutions offers the promise of more secure interactions and transactions. By baking authentication into its security products, Symantec can extend VeriSign's 'trusted web' to an even greater effect."♦ Source: Symantec
LEGISLATION
Opt-in or Opt-out is Still the Question

Once upon a time, direct marketers and their customers enjoyed mutually rewarding relationships. Sadly that changed when the aggressive and sometimes shady tactics of a few email marketers emerged, and advertising spurred spamming.

This unpleasant phenomenon gave the entire industry a black eye by bothering or harming consumers, with abuses ranging from simple excesses that irritated consumers to instances of unfair practices or even fraud and deception. In addition, the direct-marketing industry faced concerns about invasion of privacy, which still seems to be one of the toughest public policy issues. For this reason, permission marketing was introduced, and since then the opt-in and opt-out modes have been garnering far-reaching attention.

The fact remains that today the right of privacy is widely recognized and protected in constitutions and laws worldwide. Remedies for infringement of this right are also implemented through civil or criminal law, and therefore any potential threats to privacy should be considered in advance. The opt-in mode might better serve this goal in the information age, but there is no denying that it hurts the direct marketing industry even more than the opt-out method.

The so-called opt-out procedure is implemented in legislation in the United States, Canada, Japan, South Korea and Singapore. The kick-off was given by the US CAN-SPAM Act of 2003, under which email receivers have to take the initiative if they want to prevent further nuisance via electronic post. This regulation, however, was rejected by the European Parliament, after a long struggle, in favour of the more user-friendly opt-in regulation. It means that sending advertisements via email is legally possible only with the prior approval of the receiver. In addition to the European Union, the opt-in mode has been adopted in Australia and, surprisingly, in China too.

The most important case for allowed online marketing, or so-called permission marketing, is the regular customer information sent by free mail suppliers or online mail-order firms. As long as such emails go to a customer of the enterprise, they are legally allowed, as they are seen as a broadcast to persons who have requested such information. This is only valid as long as the affected person has not revoked their approval, which must be possible for them to do at any time. The opt-in mode takes care of the free will in receiving messages and takes the privacy of the recipients and the consumers into account.

Compared with the opt-in mode, the opt-out mode considers the difficulty the industry has in acquiring users' written consent. If the use of such information were prohibited, the financial services, direct marketing and customer credit industries would be directly impacted. The advantage of the opt-out mode over written consent is that it can balance personal privacy and the rights of individual consumers, offering consumers the opportunity to express their will on whether or not to receive specific categories of emails.

In connection with opt-out procedures stand the so-called "Robinson lists". These are lists in which users can put down their email addresses and announce explicitly that they do not want to receive email advertisements without their prior approval. Professional spammers, however, never respect such lists, and serious legitimate senders in general wait for the explicit approval of the receivers anyway. This brings us back to the fact that most of the spam emails which reach the inboxes of users today are commercial advertisement messages.

Besides the annoyance, commercial advertisement spam can spread email viruses, worms, Trojan horses and programs built for identity theft. These pests infect the PCs of private users and of companies at work. The attackers then assemble thousands or hundreds of thousands of these PCs into botnets, controlled remotely, thereby creating a gigantic security problem. Dynamic updates of the bot software enable infected PCs to spread spam, to attack other computers or to spy on their users. The majority of today's spam isn't distributed by hobby spammers but by professional criminals. It can be seen as a kind of underground economy that deals in email addresses, lists of infected PCs and credit card numbers. The worst effect of spam is that it ruins the reputation of email as an effective marketing tool, as Internet users over-enthusiastically filter their electronic messages and delete or block information they requested in the first place.

Spam has an undeniably vast negative effect on the direct marketing industry, as it hampers consumers' acceptance of legal e-marketing and in turn hinders the growth of e-commerce. Many institutions are constantly putting in the effort to seek solutions to the problem, for example the Coalition Against Unsolicited Commercial Email (CAUCE), the Direct Marketing Association (DMA), the International Telecommunication Union (ITU) and the Organisation for Economic Co-operation and Development (OECD), to mention only a few. Help in the spam war is also coming from countries that have implemented laws to regulate spam and even punish a few of the so-called "spam kings". As long as the email marketing industry works closely together, the email medium will continue as a powerful communication and marketing tool, despite its struggle not to be abused.♦ By Daniela La Marca
Regulation for More Protection? - or What!

In September 2010, Ovum stated in an Asian e-Marketing article that the risk of sensitive information being divulged on the web by organizations makes regulation a necessary evil.

It sounds like a no-brainer, but what would the Internet really look like if there were national authorities protecting users from prying people, whoever they may be? What implications could we expect?

According to the independent telecoms analyst, regulations need to be put in place to ensure that information is used appropriately, especially in the field of social media, as the public and private sectors increasingly respond to customer queries and complaints via tools such as Twitter and Facebook. Ovum therefore suggested monitoring peer-to-peer support conducted via social media to ensure that customers do not unintentionally pass on incorrect information. The financial services industry already requires that communications through social media be recorded and retained, Ovum stated, and it recommends that all organizations that use social media to interact with customers should be regulated. "While social media should still allow customers to interact and express themselves, we believe that they need to be protected from having sensitive information spread on the Internet by staff who may not understand how to treat such enquiries. For these reasons, we believe regulations are a necessary evil", Ovum says, and advises companies to stop experimenting with social media and put formal strategies and guidelines in place.

Drafting legislation that effectively polices today's technologies while remaining general enough to apply to emerging technologies will be an almost impossible balancing act. Internet users simply enjoy the freedom of the Internet too much, and regulation would jeopardize it. Aren't we already at the point where the Internet crowd is loudly demanding even more control over how their personal information is collected and distributed online? Self-regulation is definitely the way to go, as history has proved that when you regulate one area, another area of opportunity opens, so the issue will never be fully resolved, don't you think?♦ Please do write me your thoughts! By Daniela La Marca
BUZZWORD
Spoofing Attacks

In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage.

Internet Protocol Spoofing

In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system. By forging the header so that it contains a different address, an attacker can make it appear that the packet was sent by a different machine. The machine that receives spoofed packets sends its response back to the forged source address, which means the technique is mainly used when the attacker does not care about the response or has some way of guessing it. In certain cases it might be possible for the attacker to see or redirect the response to his own machine; the most usual case is when the attacker is spoofing an address on the same LAN or WAN, and that is how spoofing turns into unauthorized access to computers.

IP spoofing is most frequently used in denial-of-service attacks, flooding the victim with overwhelming amounts of traffic, where the attacker does not care about receiving responses to the attack packets. Packets with spoofed addresses are thus well suited to such attacks, and they have additional advantages for this purpose: they are more difficult to filter, since each spoofed packet appears to come from a different address, and they hide the true source of the attack. Denial-of-service attacks that use spoofing typically choose addresses at random from the entire IP address space, though more sophisticated spoofing tools might avoid unroutable addresses or unused portions of the IP address space.

The proliferation of large botnets makes spoofing less important in denial-of-service attacks, but attackers typically have spoofing available as a tool if they want to use it, so defences against denial-of-service attacks that rely on the validity of the source IP address in attack packets may have trouble with spoofed packets. Backscatter, a technique used to observe denial-of-service activity on the Internet, relies on attackers' use of IP spoofing for its effectiveness.

IP spoofing can also be a method of attack used by network intruders to defeat security measures such as authentication based on IP addresses. This method of attack on a remote system can be extremely difficult, as the attacker never sees the replies and has to drive the whole exchange blind (for TCP that means predicting the sequence numbers the target will use), which may involve generating and modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between machines. For example, it is common on some corporate networks to have internal systems trust each other, so that users can log in without a username or password provided they are connecting from another machine on the internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authentication.

URL Spoofing and Phishing

Another kind of spoofing is "webpage spoofing", also known as phishing. In this attack, a legitimate web page such as a bank's site is reproduced in "look and feel" on another server under the control of the attacker. The main intent is to fool users into thinking that they are connected to a trusted site, for instance to harvest usernames and passwords. This attack is often performed with the aid of URL spoofing, which exploits web browser bugs in order to display an incorrect URL in the browser's location bar, or with DNS cache poisoning in order to direct the user away from the legitimate site to the fake one. Once the user enters their password, the attack code reports a password error and redirects the user back to the legitimate site, so that the victim is unlikely to notice.

Referrer Spoofing

Some websites, especially pornographic sites, allow access to their materials only from certain approved (login) pages. This is enforced by checking the Referer header of the HTTP request; that header, however, is set by the client and can be changed at will, allowing users to gain unauthorized access to the materials.♦ Source: Wikipedia
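The IP spoofing passage above makes three points a defender needs to see concretely: nothing in an IP header authenticates the source address, flood tools pick their sources at random (the smarter ones avoiding unroutable ranges), and defences that rely on source validity struggle with spoofed packets. The Python below is an added example, not code from the article or from Wikipedia. It serialises an IPv4 header with whatever source the caller chooses, parses it back, and applies the kind of ingress/egress filter (in the spirit of BCP 38) that an edge router uses to drop packets whose claimed source could not legitimately arrive on that interface. The 192.0.2.0/24 internal prefix, the miniature bogon list and the `arrived_on_external` flag are assumptions made for the example.

```python
"""Added example (not from the article or Wikipedia): forging an IPv4 source
address, and the ingress/egress filtering (BCP 38 style) that catches it."""
import ipaddress
import random
import struct

# Assumed for the example: the protected site owns 192.0.2.0/24 (a
# documentation prefix), and every packet is tagged with the interface it
# arrived on (external = from the Internet, internal = from the site).
INTERNAL_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Source ranges that can never legitimately appear in traffic from the
# Internet: a miniature bogon list (assumed; real lists are longer).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(addr: str) -> bool:
    return any(ipaddress.IPv4Address(addr) in p for p in BOGON_PREFIXES)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; it detects corruption, not forgery."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 17, ident: int = 0) -> bytes:
    """Serialise a minimal 20-byte IPv4 header. The source field is just
    four bytes the sender fills in; the receiver cannot tell a forged value
    from a real one, which is all IP spoofing needs."""
    fields = [(4 << 4) | 5, 0, 20 + payload_len, ident, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed,
              ipaddress.IPv4Address(dst).packed]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = checksum(raw)                      # fill the checksum field
    return struct.pack("!BBHHHBBH4s4s", *fields)


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed header; checksum_ok is True when the one's-complement
    sum over the header (checksum field included) is zero."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"version": f[0] >> 4, "ihl": ihl, "total_len": f[2],
            "ttl": f[5], "proto": f[6],
            "checksum_ok": checksum(pkt[:ihl]) == 0,
            "src": str(ipaddress.IPv4Address(f[8])),
            "dst": str(ipaddress.IPv4Address(f[9]))}


def spoofed_sources(n: int, seed: int, avoid_bogons: bool = False) -> list:
    """Forged sources the way a flooding tool picks them: naive tools draw
    from the whole 32-bit space, smarter ones skip unroutable ranges so a
    plain bogon filter does not drop their packets. Seeded for repeatability."""
    rng = random.Random(seed)
    out = []
    while len(out) < n:
        addr = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        if avoid_bogons and is_bogon(addr):
            continue
        out.append(addr)
    return out


def ingress_verdict(pkt: bytes, arrived_on_external: bool) -> str:
    """Edge-router check: drop a packet when its claimed source could not
    legitimately have come in on that interface. This blocks spoofed
    'internal' sources from outside and stops the site's own hosts from
    launching spoofed floods (the egress half of BCP 38)."""
    hdr = parse_ipv4_header(pkt)
    if not hdr["checksum_ok"]:
        return "drop: bad header checksum"
    src = ipaddress.IPv4Address(hdr["src"])
    if is_bogon(hdr["src"]):
        return "drop: bogon source"
    if arrived_on_external and src in INTERNAL_PREFIX:
        return "drop: internal source on external interface"
    if not arrived_on_external and src not in INTERNAL_PREFIX:
        return "drop: non-internal source leaving the network"
    return "accept"


if __name__ == "__main__":
    victim = "192.0.2.1"
    for src in ["198.51.100.9", "192.0.2.7", "10.1.2.3"] + spoofed_sources(3, 1, True):
        pkt = build_ipv4_header(src, victim, payload_len=8)
        print(f"{src:>16} from Internet -> {ingress_verdict(pkt, True)}")
    inside = build_ipv4_header("203.0.113.5", victim, payload_len=8)
    print("spoofed 203.0.113.5 from inside -> " + ingress_verdict(inside, False))
```

Running it shows the limit the passage describes: the random, non-bogon sources are accepted on the external interface, because the victim's own edge has no way to distinguish them from real clients. What the filter does reliably is stop spoofed packets that claim the site's own addresses from outside, and stop the site's hosts from emitting packets with foreign sources, which is why source-address filtering only pays off when the networks where floods originate deploy the egress half.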
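For the Referer check described above, here is an added Python example (not from the article or from Wikipedia) showing why the check fails and what to use instead: a gate that trusts the Referer header, the one-line forged request that passes it, and a gate that instead requires an HMAC-signed, expiring session token issued by the server after a real login. The host name www.example.com, the server key and the `session=` cookie format are assumptions made for the example.

```python
"""Added example (not from the article or Wikipedia): why a Referer check
is not access control, and a server-issued signed token in its place."""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import urlsplit

# Assumed for the example: members-only content should be reachable only by
# visitors who passed through the site's own login page.
APPROVED_REFERER_HOSTS = {"www.example.com"}
# Assumed server-side secret; a real deployment loads it from a secret store.
SERVER_KEY = b"example-only-key-do-not-reuse"


def referer_gate(headers: dict) -> bool:
    """The weak check: allow the request if the Referer names an approved
    host. The header is plain text chosen by whoever sends the request."""
    host = urlsplit(headers.get("Referer", "")).hostname
    return host in APPROVED_REFERER_HOSTS


def forged_request() -> dict:
    """Everything the bypass needs: a request that simply claims to have
    come from the login page. Any HTTP client can set this header."""
    return {"Referer": "https://www.example.com/login"}


def _sign(user: str, expiry: int) -> str:
    return hmac.new(SERVER_KEY, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Server side, after a successful login: user, expiry and an HMAC tag.
    Without SERVER_KEY nobody can produce a tag that verifies."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    return f"{user}|{expiry}|{_sign(user, expiry)}"


def _session_cookie(headers: dict) -> str:
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return ""


def token_gate(headers: dict, now: Optional[int] = None) -> bool:
    """The replacement check: accept only an unexpired token whose tag
    verifies. The comparison is constant-time so the tag cannot be guessed
    byte by byte from response timing."""
    parts = _session_cookie(headers).split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    user, expiry, tag = parts
    if not hmac.compare_digest(tag, _sign(user, int(expiry))):
        return False
    now = int(time.time()) if now is None else now
    return int(expiry) > now


if __name__ == "__main__":
    print("forged Referer passes weak gate:", referer_gate(forged_request()))
    print("forged Referer passes token gate:", token_gate(forged_request()))
    cookie = {"Cookie": "session=" + issue_token("alice", ttl_seconds=3600)}
    print("real session passes token gate:", token_gate(cookie))
```

The token gate decides on something only the server can mint, so the client's freedom to write any header it likes no longer matters; the Referer can still be logged as a hint, but never as the decision. In a real deployment the cookie should also carry the Secure and HttpOnly flags so the token is not exposed to plain HTTP or to script.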
APPOINTMENTS
iris Singapore has promoted Jimmy Lee to creative group head after two and a half years at the agency as senior art director. He will take a creative leadership role on several of the agency's biggest accounts and reports to the agency's creative director Tom Ormes.

Lee has worked on many of iris' most successful campaigns, including the global Step Inside campaign for Johnnie Walker, regional and global product campaigns for Sony Ericsson and the Singapore launch of the Audi A8 and the current A1 campaign. iris has also appointed Vincent Tay to the position of Creative from junior art director.

iris' Singapore operation works with global blue-chip brands including Diageo, Unilever, Tiger, Heineken, Sony Ericsson and Red Bull. The agency, launched in 2006, serves as a strategic hub for Asia Pacific. It is now 65-strong, making it one of the fastest-growing agency networks in the region.♦

Frost & Sullivan appointed Andrew Milroy as Vice President of ICT Research for the Asia Pacific region. Milroy will be based out of the Singapore office and will be responsible for Frost & Sullivan ICT research activities across the region. His professional experience spans 17 years in the ICT industry, where he has held senior positions in the United States, Europe and Asia Pacific, focused on the development of research and consulting and in particular BPO. He has also led research and consulting projects in cloud computing and sustainable IT. Milroy holds a BSc, an MA in Communication in Computing and an MBA from MGSM, as well as a diploma in Marketing from the UK-based Chartered Institute of Marketing.♦

Mediabrands announced the appointment of Aloun Liu as Regional Master Data Steward, Asia Pacific. Based in Singapore, Aloun will be responsible for maintaining and improving Mediabrands' data collection and analysis throughout the region. Aloun will be part of the organization of Mediabrands Asia Pacific CIO Dene Schonknecht.

Aloun joins the Mediabrands team with over eight years of data management, development and analytics experience. He is an expert in multiple database platforms, including Teradata, Oracle and SQL Server, which he has managed for large international companies across the financial, consulting and higher education sectors.

Previously, Aloun was Senior Programmer Analyst, Finance MIS, at Charles Schwab & Co, Inc., where he was the data architect for Schwab Finance's reporting portal. Aloun also worked in technology consulting for PricewaterhouseCoopers LLP and FTI Consulting, Inc., where he was involved with the collection and analysis of data from many Fortune 500 companies. Aloun began his career as a database administrator/developer at the University of California, Los Angeles, which is his alma mater. With approximately 1,000 media and marketing experts across the region, Asia Pacific remains a top priority for Mediabrands. The region is a key component of the firm's strategy to accelerate market share for its clients around the world.♦

Acision, a world leader in mobile data, announced that its Board of Directors has appointed Jorgen Nilsson as Chief Executive. In his new role, the former COO will focus on the day-to-day leadership of the company, driving innovation and capitalising on the growing opportunities in the mobile data market. Nilsson assumes his new position with immediate effect, succeeding Rory Buckley, who has stepped down from Acision. An industry veteran, Nilsson has more than 30 years' experience in senior executive roles at leading blue-chip companies including Ericsson and Compaq. He will be instrumental in driving Acision forward as it strengthens its position across the mobile data ecosystem. Prior to joining Acision as COO, Nilsson worked for over 10 years at Ericsson, where his most recent position was Executive Vice President and General Manager of Vodafone's Global Customer Unit. In this role, Nilsson was responsible for the management of Vodafone Group's 21 operators, as well as driving economies of scale across Ericsson's global sales, marketing, technology and operational teams. Nilsson was also previously part of Ericsson Group's Extended Executive Team.♦

Kevin Foster, Head of Access Platform Design at BT and a four-year member of the Forum Board of Directors, is the new Broadband Forum President. He joins Tom Starr (AT&T), who continues as Chairman, Marcin Drzymala (Telekomunikacja Polska) and Andrew Malis (Verizon Communications), who continue as Vice Presidents, David Sinicrope (Ericsson), who continues as Secretary, and Frank Van der Putten (Alcatel-Lucent), who continues as Treasurer. The Broadband Forum will be appearing at conferences and exhibitions around the world in 2011, and in the next two months alone Forum Ambassadors will present at the IP & TV World Forum (London), Convergence India (New Delhi, India), Broadband World Forum MEA (Dubai), Carriers World Asia (Hong Kong), Mobile Backhaul Asia (Thailand), Packet Transport Networks (Spain), FTTx Summit Europe (United Kingdom) and Broadband World Forum Asia (Malaysia).♦
IMPRINT
MediaBUZZ Pte Ltd, launched in early 2004, is an independent online publisher in the Asia Pacific region, focusing on the business of digital media and marketing. Asian e-Marketing is a true pioneer in Asia Pacific's digital marketing scene, empowering e-marketers in the vibrant and fast-paced electronic marketing environment. Key sections include e-marketing tips, best practices and trends/statistics, legislation affecting e-marketing, training, the spotlight on companies and their e-marketing campaigns, and e-marketing leadership profiles. Click here for the latest online edition. Editor-in-Chief: Daniela La Marca
Interested in Advertising? Check out our media kit and prices. Or drop us a line (info@mediabuzz.com.sg) if you are interested in becoming the exclusive sponsor of an issue: Phone: +65 6836 2807 Fax: +65 6235 1706
Circulation & IT Manager: Mike Khoo. Sales & Marketing: Carla Bertuzzi. Articles contributed by: Eric Chong, Brian Wang
http://www.mediabuzz.com.sg http://www.mediabuzz.asia Tell a friend and send our registration form!
MediaBUZZ Pte Ltd respects the privacy of its readers. If you no longer want to receive Asian e-Marketing follow this link, enter your email address and write unsubscribe into the subject line.
Copyright 2011 MediaBUZZ Pte Ltd, Registration No. 200470301C
Published monthly by MediaBUZZ Pte Ltd, 26 Saunders Road, Emerald Hill, Singapore 228268. Tel: +65 6836 1607 Fax: +65 6235 1706