What do cybercriminals love to see when they try to break into an organizations network? A recent survey reveals what vulnerabilities they look to exploit first.

The top security hole hackers look for: poorly configured networks.

That’s the conclusion of a recent survey conducted by Tufin Technologies at Def Con 18, the annual hackers’ convention held last month in Las Vegas.

According to the poll, 73% of data breaches are cause by bad network configurations, which 76% of the hackers in attendance said was the easiest security vulnerability to exploit.

What’s behind all those bad configurations? The main cause: IT staffer’s don’t know what to look for when monitoring and testing their networks, said 58% of the survey’s respondents. Also, many companies don’t have enough time or money for adequate security audits, according to 18% of hackers, and 11% said threats change too fast for many organizations to properly address them.

Another preferred method of gaining network access: having a user or IT staffer within the company as an ally, said 43% of the survey’s respondents.

That finding lines up with those of a recent Verizon survey, which recently published its own study on data breaches. The communications giant found that in 2009, 48% of data breaches involved insiders — that was up from 22% in 2008.

If you need one more reason for instituting an improved data security system, the chance of serious liability (we’re talking over $100 million) has just gotten more real.

Federal courts are getting far more aggressive in penalizing companies that fail to protect confidential client data. That’s the case with a recent court settlement of a class action suit brought for data breaches at a company called Heartland Payment Systems.

Heartland is one of the biggest processors of credit and debit card transactions in the country. In 2009, it revealed that hackers had managed to break into its systems and stole critical information on as many as 130 million customer credit and debt card accounts. The breach, orchestrated by an organized gang of US-based cyberthieves, was the largest of its kind and resulted in a flurry of false charges made on consumer card accounts.

Many of the members of the gang were caught, tried and sentenced, but the affected customers and their banks joined in a large class action suit for the costs and inconvenience of sorting out the false charges. The settlement of the suit required Heartland to pay:

• $60 million to reimburse banks issuing Visa cards for costs related to the breach
• $41 million for settling with MasterCard-issuing banks
• $3.6 million just to settle claims from American Express, and
• $4 million to settle consumer claims.

The agreement may be indicating a new era of liability for data breaches. According to a BusinessWeek story about the settlement:

“Typically, courts have tended to dismiss consumer class action lawsuits in data breach cases involving payment card data. By that measure, Heartland’s settlement offer is unusual even though it might appear small considering the number of cards that were compromised.”

We’ve covered it before, but the tale of the all-too-vulnerable copier hard drive keeps coming up, this time in a recent CBS News exposé.

Investigative reporters bought four random copiers from a New Jersey used office equipment dealer. When they checked out the hard drives, they found that two of the copiers had been owned by the Buffalo, NY, police department.

And on the disks were a number of shockingly confidential police files, including lists of wanted sex offenders, details of domestic-violence complaints and lists of targets in a drug ring investigation.

The two other copiers also had confidential information, One, from a construction company, had lists of employees and their social security numbers. The second, which had been used by an insurance company, had confidential medical records of its customers.

In every case, the data was unencrypted, and not password-protected. And getting access to the data took only a little expertise and software tools available online.

What’s amazing is that all four randomly selected copy machines had data that would be of interest to prying eyes, information which would leave their former owners open to lawsuits.

The lesson is that, unknown to most people, most copier-multifunctionals in the workplace today come with hard drives, and they store jobs you print or scan, without users being aware of it. When the lease expires and the old copier is traded in, most users do not take any steps to clear off that data, and thus leave themselves open to embarrassment, fraud and legal action.

Watch the video of the CBS report here.

The notion that cyber attacks on your business were coming from attention-craving mischief-makers working in their parents’ basements is slow to die. But today’s cybercriminals are a highly sophisticated bunch.

The reality is that the most pernicious attacks on your system are coming from determined criminals with state-of-the-art tools, clear targets and, almost certainly, more cutting-edge software expertise than your company can afford. These criminals are feeding a growing global demand for black-market information, and they are richly rewarded for it.

Take for example the recent Hydraq attack (alias Aurora, Microsoft IE Vulnerability, or Google Attacks), which hit the business world a few months ago.

The software installs a Trojan horse program on a computer and then “attempts to make contact with command and control servers in order to receive instructions and to upload any information that it may have collected. This type of attack is often called an advanced persistent threat because of the sophistication and persistence of the attack within a business.”

The software can capture keystrokes, upload files and replicate itself across the network. It is, according to Francis deSouza, Senior Vice President, Enterprise Security Group at Symantec, part of an increasing pattern of “well-organized attacks that leverage insidious malware and social engineering tactics to target key individuals and penetrate corporate networks.”

If your company has any information that is mission-critical, sensitive or confidential (and few companies larger than a nail salon don’t handle data that fits this description), it is of interest to someone who might be paying for access to it.

And while IT security companies like Symantec, McAfee, and Sophos come out with patches to plug these holes as fast as they can, and even Microsoft is getting better at sending out yet another system update, a good number of companies have already been ripped off, and the cybercriminals are already coming up with a new means of defeating the new obstacles

The organized cybercriminals, according to Symantec’s deSouza, use a four-step process, often having separate expert teams for each step of the attack:

1. an incursion phase, where access is gained to a company’s network through a variety of malware including e-mail attachments
2. a discovery phase, where the topography of the corporate network is mapped out and the locations of key asset are identified
3. a capture phase, where “they find and seize information that has a black market value, such as credit card information, identities, customer or patient records, intellectual property,” and so on, and
4. An exfiltration phase, where the data is moved off the network into the hands of the criminals.

All of this can (and often does) take place without any sign that the intrusion is happening. With the criminal’s team approach and a clear breakdown of roles, the typical company network hasn’t a chance of even knowing that its pockets have been picked.

If your company hasn’t upgraded its security plan within the last year, it is getting more and more vulnerable. Yes apply the patches and updates (though for many companies even that is a low priority), but the more valuable the data the more you need to go beyond the basic steps.

Microsoft’s SharePoint 2010 software suite dominated attention at the annual AIIM data management conference and exhibition, held recently in Philadelphia. The rollout of the updated package was accompanied by third-party offerings that add advanced and specialized features to the basic Microsoft package.

SharePoint, as you may know, is a set of programs that allow for collaborative content management. It allows for rapid development of applications (applets) for password-protected data sharing, and includes tools for searching, collaborative editing and version management. What SharePoint does is establish a common, relatively stable basis for customization.

It is becoming clear that SharePoint is becoming not just a set of programs but a true ecosystem, where Microsoft offers the centralized tools and a host of developers worry about all the refinements aimed at specific applications (saving and indexing email, automatic indexing, collaborative markup) and vertical markets (medical, legal, manufacturing). That allows Microsoft’s internal developers to concentrate on improving the core capabilities of the software, while letting other developers worry about the add-ons.

The growing success of SharePoint signals the death knell for proprietary Enterprise Content Management (ECM) systems. Until recently, companies that have wanted to manage their documents have had to embark on major and expensive IT projects that had long development times, yet had difficulty adapting to the constant changes demanded by the evolution of business and technology.

A second big factor is the crisis in IT services. In all companies, IT departments are stretched to the breaking point, now more than ever. Just performing help desk and setup services chews up many man hours, not to mention server maintenance, backup, and (most crucial of all) security management. That leaves little time for IT to respond to an (inevitably) growing list of requests for upgrades, extensions, and improvements to current data access. Only the most urgent products get priority treatment, while others languish.

SharePoint, with its customized interface options, allow companies to set up new data management tools quickly, and continue to adapt them to changing requirements, without major time commitments. Now, the IT department will still need to maintain core security and compatibility functions, but once those are in place, it seems that projects for viewing and reviewing data can be developed by non-expert users.

Finally, both in-house data users and customers are more impatient than ever. Most employees now have become expert at digging up info on the Internet, whether through Google or Wikipedia or social networking sites. They can manipulate their own personal data (photos, contact lists, blog feeds) with ease and many can create blogs or photo sites for their family and friends with no deep knowledge of how that data is structured. However, once inside their corporate systems, even the smallest changes seem to take ages.

SharePoint has already started changing that equation in a growing number of companies. Just a mobile phones and now tablets are changing the computing world, so too is SharePoint reworking corporate data management. It’s a good bet that those ECM companies that aren’t agile enough to get on the SharePoint bandwagon will not survive.

Attacks on businesses’ most important data keep escalating as hackers get ever more clever at outwitting security software. Now comes a hardware solution that, based on early evaluations, may give the defense a real advantage.

It’s a device from a company called InZero, a box that sits between the PC and the Internet. When you send an email or browse the Web from your desktop, your screen looks like normal.

But actually, it is the InZero device that is intercepting your commands and mirroring them. The device acts as a barrier between malware and other cyber attacks by acting as barrier. Basically, your PC is quarantined from the bad stuff out there.

The OnZero device, which is about the size of a paperback book, has no resident data and no storage device — only hardware and firmware, which cannot be altered by outside attacks.

Initial testing from the U.S. Defense Department and several independent security labs seem to bear out the effectiveness of this approach, according to BusinessWeek. The president and developer of the company has offered to give a new Harley-Davidson to any hacker who could outwit the device — so far, no one’s come forward.

The company is ready to roll out products, with the devices initially costing in the low hundreds of dollars.  Eventually, it is though, such devices could be built into the computers themselves, with much lower costs thanks to volume.  For now, it looks like a promising weapon in the never-ending war against data thieves.

What IT issues are going to give organizations the most trouble in 2010?

Data security company Webroot released the results of its 2010 survey of 803 IT managers at small-to-midsize businesses (companies between 50 and 1,000 employees).

The managers surveyed were asked what threats they anticipated to be most important in the upcoming year.

The overwhelming anxiety was about social networking and Web 2.0 applications, including Facebook, Twitter and the like. That was the biggest worry of 80% of the respondents.

The great majority felt that they had managed to reduce the threats coming from email, but that they keep learning about new issues with social networking sites. In fact 25% reported that their networks had already been compromised in some way by social networking software.

Other results:

• 88% of the companies surveyed had stated policies on employee Internet use
• 54% have totally banned social network use at work
• 25% worried about Windows operating system vulnerabilities
• 24% were concerned about vulnerabilities in Internet browsers
• 24% had seen problems with client-side software (Flash, QuickTime, Java)

In addition, respondents reported recent attacks from: viruses (60%), spyware (57%), phishing attacks (47%), hacking attacks (35%), and SQL injections of their Web sites (32%).

Limit threats

One way to limit the threats of social networking sites: Have a strong company policy, and make sure its communicated to users.

You don’t need to outline every specific thing employees can and can’t do online. Most companies can solve a lot of problems with a policy that covers two basic elements:

1. Make it clear that employees have no right to privacy when they post on a public social-networking site, no matter where they connect from. If it’s done at work, their activity can be monitored, and if they post something at home and it’s publicly displayed on the site, it can be used as grounds for discipline.
2. Remind employees that company policies (like confidentiality agreements) extend to online behavior.

Super-smart hackers make the headlines, but careless database administration is a much bigger vulnerability. The good news: It’s a threat that can be minimized with careful management of employees’ access to company records.

The problem: disgruntled and/or malicious ex-employees whose accounts and access privileges have never been deleted by a busy IT staff. Unless there is a well-documented and reviewed process for closing out accounts when an employee leaves the company, there is a good chance it doesn’t get done, at least not in a timely manner.

That’s the conclusion an article in the Dark Reading data security Web site.

The article cites the case of two recently indicted data thieves who easily managed to get into the database through unexpired accounts they had when they worked for the company. They then gained access to company data and tried to sell it to competitors.

The problem is widespread, according to security experts, and it exists because the task of terminating accounts is not clearly assigned. Add the fact that most companies only have a rough idea of who does and who does not have database access, with relatively primitive manual methods used to track that status. As one expert is quoted as saying, “Many people actually keep Excel spreadsheets manually of how many accounts are in the database and who has ownership, so there is no automation around it.”

There are several recommended practices:

1. Assemble a centralized list of all access permissions currently active. You should be able to produce an active up-to-date list of who currently has access and to what.
2. Make future maintenance of the list a clearly assigned responsibility.
3. Put in explicit procedures for human resources and IT to terminate access for departing employees.
4. Conduct a review of log-in behavior on the database. In a small company, this might be a manual task. In a larger company, you should have software tools installed to create automatic login summaries, highlighting unusual activity from specific users.
5. Larger companies should consider security information and event management (SIEM) tools. These programs make sense if you have hundred to thousands of database searches each day, too many for manual review. The smarts built into these programs allow you to focus on out-of-the-ordinary behavior. They are made by such companies as Q1 Labs, Tripwire and TriGeo.

Do users in your company need to fill out forms away from the workplace? New technology could let them skip the paperwork and send digital docs straight to the office.

Here’s the scenario: You are an insurance claims adjuster. You drive up, inspect a cracked windshield, a dented fender, or house damage from a fallen tree limb, enter the relevant data onto a paper form (in triplicate) that will be used to process the claim, and authorize the repair.

In most cases, you’d have to get the data back to the main office, and that means having someone type the data into a computer. In a now possible scenario, you could simply send the data from your pen to the central office (through your smartphone, for example) and have it immediately and automatically transferred into digital form in an Excel spreadsheet or a database.

Yeah, right.

Those old enough may well remember Apple’s Newton MessagePad fiasco. Introduced in the early 1990s, the Newton had a stylus and built-in handwriting recognition — a feature that worked poorly except in canned demos, and soon became the butt of jokes (see this Doonesbury cartoon).

The Newton was laughed out the market.

But times have changed. The latest generation of digital pens and handwriting recognition software has profited from two decades of research and improvements in processor speed and memory. Handwriting recognition has gone from a joke to a very capable strategic product, one that can analyze writing not just letter by letter, but can process whole words and phrases, making increasingly smart and accurate interpretations of even hard-to-read writing.

One exciting product in this line is one called Capturx from a U.S. company called Adapx.

Here’s how it works: There are two components — a smart digital pen and software that lets you to print forms on ordinary paper while the user’s handwriting is interpreted and integrated into Microsoft Office.

The pen looks and feels like a regular ballpoint pen, but it adds powerful features: a built-in sensor, good memory (capable of storing around 50 pages of handwritten content), plus Bluetooth and USB connectivity. As you write, the pen stores the movements you have made, and can download the data to centralized software which converts it digitally, either as freehand notes or a structured entry form.

The form entry is where the Capturx product shines. You can create and print out a paper form in Microsoft Excel, for example, and have it filled in, box by box by workers in the field or on the shop floor, then transfer their writing strokes into an Excel file or a SharePoint database. (Some other products demand that you write a customer program interface to accomplish this.) What’s more, you can specify data types for each field, so that typically hard-to-distinguish letterforms, such as the number “1” and the letter “l” ca be correctly interpreted.

The product has been gaining traction in a number of areas. One is the construction trade, where forms and invoices need to be filled out on the job site. Another area jobs that involve mobile work, like inspectors, salesmen and survey takers. Finally, the pen is being used widely in court systems, where information about crime scenes, evidence, and witnesses has to be collected far from the nearest computer. Similarly, for police personnel, it can mean more time on the street and less time in the office typing up forms.

As often happens in technology, new advances can be oversold, fail, and then seemingly disappear. They can later sneak back into market with less fanfare but better implementation. That is what has happened to handwriting recognition and digital pen technology. It may be time for a new look about how it can help your business.

Other similar products to check out: Iogear’s Digital Scribe, Logitech’s io2, and Livescribe’s Pulse.

Attacks on corporate data are getting more professional. The image of the lone hacker in his bathrobe playing gotcha is being superseded by one of dedicated, professional industrial espionage.

That’s according to a recent survey by the Center for Strategic and International Studies (CSIS).

The study, commissioned by computer security firm McAfee, interviewed over 600 IT managers in 14 countries and revealed a rapid growth in serious corporate and government espionage.

Almost 60% of the respondents said their networks were “under repeated cyber-attack, often by high-level adversaries such as nation-states, organized crime gangs or terror groups.” The attacks include such things as shutting down sites (denial of service attacks), malware and finding unprotected data on the site.

Only 57% of these companies installed security patches and updated security software on a regular basis. Scariest of all, some of the most vulnerable companies are utilities (electricity, water, sewage) that depend on Internet-connected systems management software to keep in operation.

Your company is probably not the target of interest for international cyber warriors or crime syndicates. Nevertheless, the techniques and tricks keep developing as fast as, or faster than, the technology to defend against them. If the largest global companies with serious IT budgets are having problems keeping the data safe, then smaller operations where the IT departments are being pulled in every direction to support daily operations are even more open to attack.

It’s a good idea for top management, IT staff and other concerned folks (HR, finance and others) to review the current state of the company’s defense strategy and the plans to upgrade it.

The biggest challenge: making the case for an increased security budget. Experts recommend IT explain security as a kind of insurance, with a detailed analysis of how attacks can lead to lost revenue.