Today’s session on IT Security Update was led by David Cieslak.

David Cieslak is a Principal with Arxis Technology, Inc., a computer consulting firm with offices in Southern California, Chicago and Phoenix. He specializes in micro-computer accounting systems, information security, the Windows operating environment, eCommerce, handheld computing, systems development and project management.

He is currently an instructor for K2 Enterprises and a frequent speaker for the California Society of Certified Public Accountants (CalCPA), the American Institute of Certified Public Accountants (AICPA) and other state accounting societies.

David is a CPA, CITP, and GSEC.

The agenda for the session was:

– Goals of IT Security

– Current Threats & Understanding the Threats

– Developments & Trends

According to Mr. Cieslak, the main goals of IT security are: Confidentiality, Integrity, Availability, Accountability!

That is, data is available only to authorized individuals, can be changed only by authorized individuals, data and systems are available when needed, and changes are traceable.

Before I continue any further, I would like to provide you with the two (short & long) explanations of “Why do Hackers hack?”

Short: To compromise a machine and gain access to confidential information.

Longer: Through whatever possible means, enable malicious code to run, that exploits a vulnerability, resulting in a compromised system that can then be controlled, in full or in part, by the hacker.

Based on the SANS 2009 Top Cyber Security Risk Report, we know that unpatched client-side software, infected trusted websites, and attacks on the Microsoft Windows OS were the most widespread hacker attacks. Adobe PDF reader, QuickTime, Adobe Flash, and Microsoft Office accounted for the largest number of attacks.

Attacks on the Microsoft Windows OS were dominated by Conficker / Downadup worm variants, but with the release of Windows 7, and especially its 64-bit versions, we are seeing a slow decline in the vulnerabilities.

David shared a really nice statistical finding that should help you realize how important IT security has become. A report from the Internet Crime Complaint Center, a joint effort by the FBI and the National White Collar Crime Center, found that losses from cyber-crime doubled in 2009, and that those between the ages of 30-49 were hardest hit. Internet fraud cost $559 million in 2009!!!

Phishing e-mail, compromised (legit) websites, social networking, and phony security software are the top current security threats.

Phishing e-mail: We have all gotten at least one of those in our lifetime. It is usually an email that either has an attachment containing malicious code or imitates a legit password-recovery email.

Compromised Web sites: Those sites usually contain browser exploits, harmful JavaScript code, ActiveX or other technologies seeking to infect a computer with spyware. Shortened links (e.g., tinyurl) pose a major problem as well, since AV products and browsers cannot verify sites in the abbreviated form.

Social Networks: Criminal organizations are increasingly sophisticated in how they attack different social networking sites. Twitter is being used as a distribution engine for malware. LinkedIn is used for attacks against high-value individuals, and Facebook users constantly get hit with malware as well.

Phony Security Software: In 2009, Symantec found 250 varieties of scam security software with legitimate-sounding names like Antivirus 2010 and SpywareGuard2008.

David talked about encryption, firewalls, and user access control. I will not get into the details of those items, but will go into some details on a couple of other ones that I believe are more important and easily overlooked – Passwords and AV tools.

Passwords: Getting the user to give away security credentials through phishing or keylogging is much more effective than dictionary attacks. Password strength is totally irrelevant when the password is stolen.

The 10 most common passwords are:

  1. password
  2. 123456
  3. qwerty
  4. abc123
  5. letmein
  6. monkey
  7. myspace1
  8. password1
  9. link182
  10. your first name


Antivirus: A SurfRight study recently reported that 32% of machines with AV solutions were still infected. The study also recommended running a 2nd AV program on a regular basis to scan for malware not detected by a user's primary product.

I will conclude my summary with the Top Threats to Cloud Computing that David talked about and the Key security considerations:

  • Service Provider: Adequately trained support personnel, support hours, incident response procedure, comprehensive DRP and BCP, ease of doing business, long-term viability, and regular security audits
  • Platform: Insecure APIs, shared technology issues, lack of data and resource segmentation, application version control
  • Data Protection: Data must be protected from loss / leakage while in transit, at rest and in between servers.
  • Access Control: Complex and inconsistent access control procedures coupled with the inability to audit controls and regulatory compliance