Security Policy, Phishing Scams
SECURITY INDUSTRY WATCH
Spam has made the leap from annoyance to security threat.
Increasingly, spam messages contain viruses that can cause considerable
disruption if unchecked. Further, many spam messages attempt to
entice recipients to visit web sites for a variety of purposes;
often these web sites contain malicious code that attempts to implant
viruses or spyware on unsuspecting visitors.
There are also many "phishing" scams that purport to come from
legitimate organizations such as Citibank and PayPal. Some of these
"phishing" sites look remarkably like the real thing.
Generally they contain so-called "verification" pages
that request a credit card number and PIN (something that no legitimate
bank would do).
Another variety of spam message is made to look like it originated
from within the organization’s IT department or help desk.
Usually these messages contain a deadly payload that the victim
is supposed to open.
Organizations can protect themselves from spam-based threats through
three activities:
- building and managing an effective antivirus infrastructure
- keeping security patches on end user systems up to date
- educating end users about the threats that spam contains
To be successful, these tasks require constant diligence as well
as good judgment in times of crisis.
BUILDING YOUR INFORMATION SECURITY PROGRAM
Part of a multi-part series
Part 1, Information Security Policy
A surprising number of companies - both large and small - have yet
to develop an information security policy. Regardless of the reason
why companies have delayed this, there are several liabilities that
result:
- Employee Discipline. Companies that discipline or terminate an
employee because of computer-related conduct risk wrongful-termination
lawsuits. Lack of a written policy that defines acceptable and unacceptable
behavior gives companies very little to stand on.
- Higher Risk of Security Incidents. Without a security policy that
defines acceptable and unacceptable behavior, employees are more
likely to engage in unsafe behavior. Company servers and networks
are more likely to be vulnerable to hackers, worms, and viruses.
- Downstream Liability. Companies without a security policy are
more likely to suffer security incidents that can adversely affect
other organizations. A company that - through negligence - fails
to stop security threats from spreading to other companies faces
the possibility of a lawsuit for failing to take reasonable measures
to protect itself and others.
Companies may not know where or how to begin writing a security
policy. Fortunately, there are some good industry practices that
a company can use as a starting point. The art of developing
a good security policy lies in blending best practices with
the realities of how the company does business.
TERM OF THE MONTH
PHISHING SCAM: Pronounced "fishing", the act of sending
deceptive e-mail to large numbers of people in the hope that some
will be duped into surrendering personal information. A phishing
scam will claim and appear to originate from a legitimate business,
and will urge the reader to immediately log onto a web site that also
appears to be genuine. Such web sites invariably request that the
user input personal information such as credit card numbers or other
information that the scam’s perpetrator can use to purchase
goods or services, or commit identity theft.
Contact us via e-mail at info@vantagepointsecurity.com
or call us at 425.454.5455.