
Cyber Security Targets

Mar 24, 2014 // by admin // Blog

RFG Perspective: While the total cost of the cybersecurity breach at Target will not be known for quite a while, a reasonable estimate is that it could easily cost the company more than $500 million. The price tag includes bills associated with fines from credit card companies, other fines and lawsuits for non-compliance, services such as free credit report monitoring for its impacted 70-110 million customers, and discounts required to keep customers coming in the door. These costs far exceed the IT costs associated with better cybersecurity prevention. Target is not alone; it is just the latest in a long line of breaches that have taken major tolls on the attacked organization. Business and IT executives need to recognize that attackers and hackers will constantly change their multi-pronged, sophisticated attack strategies as they attempt to stay ahead of the protections installed in the enterprises. IT executives need to be constantly aware of the risk exposures and how they are changing, and continue to invest in measured, integrated cybersecurity solutions to close the gaps.

The Target cyber breach represents a new twist to the long-standing cybersecurity challenge. Unlike most other attacks that came through direct probes into the corporate network or through employee social-engineered emails, spear phishing, or multi-vectored malware aimed at IT software, the Target incident was an Operations Technology (OT) play. One reason for this may be that the vendor patch rate has improved and successes of zero-day exploits are dropping. Of course, it could also be that the misguided actors were clever enough to try a new attack vector.

IT vs OT

Most IT executives and staff give little thought to OT software, usually referred to as SCADA (supervisory control and data acquisition) software. These are industrial control systems that monitor and control things such as air conditioning, civil defense systems, heating, manufacturing lines, power generation, power usage, transmission lines, and water treatment. IT (outside of the utilities industry) tends to treat these systems and the associated software as outside of their purview. This is no longer true. Cyber attackers are constantly upping the ante and now they have begun going after OT software in addition to traditional attack vectors. IT executives and security personnel need to become actively engaged in ensuring the organization is protected against these types of threats.

Incident Attack Types

In 2013 according to the IBM X-Force Threat Intelligence Quarterly 1Q2014, the top three disclosed attack types are distributed denial of service (DDoS), SQL injections, and malware. These three vectors account for 43 percent of 8,330 vulnerability disclosures while another 46 percent of attack types remain undisclosed. (See below chart from the IBM report.) The report also points out that Java vulnerabilities continue to rise year-over-year with them tripling in the last year alone. Fully half of the exploited application vulnerabilities were Java based, with Adobe Reader and Internet browsers accounting for 22 and 13 percent respectively. Interestingly, mobile devices excluding laptops have yet to be a major threat attack point.

Chart (from the IBM X-Force report): most common attack types

Currency

Another common pressure point on IT organizations is keeping current with all the security patches authorized by software providers. The good news is that vendors and IT organizations are doing a better job applying patches. The overall unpatched publicly-disclosed vulnerability rate dropped from 41 percent in 2012 to 26 percent in 2013. This is great progress but much remains to be done, especially by enterprise IT. The number of patches to be applied on an ongoing basis can be overwhelming and many IT organizations cannot keep up, especially with quick fixes. Thus, zero-day exploits still remain major threats that IT needs to mitigate.

Playing Defense

The challenge for IT CISOs and security staff increases every year as the number and types of actors attempting to gain access to IT systems continues to grow as do the types of attacks. Therefore, enterprises must reduce their risk exposure by using monitoring and blocking software that can rapidly detect problems almost as they occur and shut off attacks immediately before the exposure becomes too large. Additionally, staff must fine-tune access controls and patch known vulnerabilities quickly so as to (virtually) eliminate the ability for criminals to exploit holes in infrastructures. Security executives and staff should work collaboratively with others in their field and share information about attacks, defenses, meaningful metrics, and trends. IT executives should ensure security personnel are continually trained and aware of the latest trends and are implementing the appropriate defenses as rapidly as possible. As people are one of the weakest links in the security chain, IT executives should also ensure all employees are aware of company privacy and security policies and procedures and are judiciously following them.

RFG POV: IT executives and cyber security staff remain behind the curve in protecting against, discovering, and containing cyber security attacks and data breaches, including data exfiltration. There are some low-hanging initiatives IT can execute to close some of the major vulnerabilities, such as blocking troublesome IP addresses at the perimeter outside the firewall and employing enhanced software monitoring tools that can spot suspect software and alert security. Additionally, staff can improve password requirements, password change frequency, two-factor authentication, inclusion of OT software, and rapid deactivation of access (cyber and physical) for terminated employees. Encryption of data at rest and in transit should also be evaluated. However, IT is not the only one on the line for corporate security – the board of directors and corporate executives share the fiduciary burden for protecting company assets. IT executives should get boards and corporate executives to understand the challenges, establish the acceptable risk parameters, and play an ongoing role in security governance. IT security executives should work with appropriate parties to collect, analyze, and share incident data so that defenses and detection can be enhanced. IT executives should also recognize that cyber security is not just about technology – the weakest links are the people and processes. These gaps should be aggressively pursued and the problems regularly communicated across the organization. The investment in these corrective actions will be far less than the cost of fixing the problem once the damage is done.

Trends: HPC, Programming, and Security

Jul 11, 2012 // by admin // Blog

Lead Analyst: Cal Braunstein


IBM Corp. regained the top supercomputer ranking with the installation of its “Sequoia” BlueGene/Q beast at Lawrence Livermore National Laboratory (LLNL). According to job listing trends per Indeed.com, PHP and Python adoption is exploding. A recent Symantec Corp. study finds the expanded use of online file sharing is increasing the security risk exposures to small- and medium-sized businesses (SMBs).

Focal Points:

  • IBM took back the top slot in the supercomputer rankings with the LLNL Sequoia installation, which delivered 16.32 petaflops of sustained performance running across the 1.57 million PowerPC cores inside the box during a Linpack benchmark run. Sequoia has a peak theoretical performance of 20.1 petaflops. To deliver the 16.32 petaflops, IBM claims it consumes only 7.89 megawatts. The IBM supercomputer shifted the K massively parallel Sparc64-VIIIfx machine built by Fujitsu Group for the Japanese government down to number two. The Fujitsu Sparc machine had a sustained Linpack performance of 10.5 petaflops against a peak of 11.3 petaflops, but it consumed 12.7 megawatts. Sequoia is 2.5 times as energy efficient as the Sparc K. IBM now has five of the top 10 high performance computing (HPC) engines. 372 of the processors, or 74.4 per cent of those on the list, are based on Intel Corp. Xeon or Itanium processors, down slightly from the 384 HPC machines on the November list. The latest Top 500 list has 58 Power-based processors, up from 49 six months ago. There are also 63 clusters based on Advanced Micro Devices Inc.'s (AMD's) Opteron processors, unchanged from last year.
  • According to Indeed.com, companies are embracing the Web to reach customers and employees and are therefore turning to the programming languages and technology stacks made popular by companies such as Facebook Inc. and Google Inc. Current programming languages such as C++, Java, and .NET will still be the primary languages for enterprise applications, but the scripting languages will dominate the Internet. The chart below, produced by Indeed.com, shows the variances in job growth rates. Aside from the Internet movement, another key reason for the adoption of PHP and Python is the movement to open source. Python appears to be a runaway winner because of its design elegance and framework simplicity. The next most used languages are Java and then .NET.

Chart (from Indeed.com): job growth rates by programming language

  • Symantec released the findings of its 2011 SMB File Sharing Survey of more than 1,325 SMB organizations this week. The survey results found SMB employees are increasingly adopting unmanaged, personal-use online file sharing solutions without permission from IT. These behaviors are making organizations vulnerable to potential data losses and security threats. A Symantec executive observed that a staggering 71 percent of small businesses that suffer a cyber attack never recover. 74 percent of respondents who adopted online file sharing did so to improve their productivity. Respondents also cited risk concerns including sharing confidential information using unapproved solutions (44 percent), malware (44 percent), loss of confidential or proprietary information (43 percent), breach of confidential information (41 percent), embarrassment or damage to brand/reputation (37 percent), and violating regulatory rules (34 percent). However, only half of the respondents stated they would go to IT for help with sharing large files, while only one-third expressed interest in utilizing an already existing IT solution. 14 percent now report the average shared file size is greater than 1 GB. Additionally, more and more people are remote. The survey found that about 37 percent of SMB organizations will have employees working remotely, up from 32 percent today.


RFG POV: IBM views the HPC market as only one component of the technical computing markets that it is aggressively pursuing. It has almost half of the HPC market but is in second or third place in the other sectors. With Power Systems once again proving their value at the high end, IBM will seek to differentiate itself with both Power and Intel systems in the other markets, where Dell Inc. and Hewlett Packard Co. (HP) are the top competitors. Since IT executives can expect IBM and others to market and sell their solutions to end users directly as well as to IT, IT executives should be communicating with peers as to why IT should be involved in the decision-making process. The shift to PHP and Python will continue to gain steam as companies find these solutions are economical and easier to develop and maintain. This may cause religious wars in some organizations. IT executives need to keep staff focused on the business value of solutions and not on protecting legacy domains and skills. While the Symantec study only looked at SMB organizations, there is also significant unauthorized use of file sharing amongst large enterprises. This is not just an IT issue; it is a corporate policy and governance issue and should be addressed from both angles. IT executives need to take a leadership role in driving awareness of the problem, gaining buy-in from other executives, providing internal solutions, and communicating the challenge and solutions to employees.