
George V. Hulme

Most Recent Posts by George V. Hulme

Mobile Device Management: Part of the Mobile Security Solution?

The good news for enterprises: Mobile devices are packed with power. A new iPhone is 100 times lighter, 100 times faster, and one-tenth the price of the luggable notebooks of the early 1980s.

What's good news for enterprises is also bad news for CISOs. Mobile devices can store substantial quantities of data, the applications are powerful, and their network speeds are forever increasing. And, oh yeah, users are bringing their own devices, downloading their own apps, surfing the Web from whatever connections they choose--all with little to no direct control by the enterprise.

Be Prepared For When the Cloud Really Fails

Everything works well in the cloud, until it doesn't.

Consider the Microsoft so-called "Leap year" bug that crippled that company's Azure cloud services last month. Bill Laing, vice president for Microsoft's server and cloud division, described the system failure in a blog post and said that Microsoft will overhaul its disaster recovery efforts, as well as other aspects of the business.

Clamor for Cloud Apps Increases Corporate Data Breach Risk

Employees bringing in their own devices and choosing their own application services is significantly increasing the risk to enterprise data.

That's the takeaway of a recent analysis of network and application traffic of more than 1,600 organizations conducted by security vendor Palo Alto Networks.

Mobile Security Threats Are Heating Up

According to industry analysts, mobile device shipments will exceed a billion devices in 2015 and will rapidly outrun PC shipments. That's great news for end user convenience, mobility, and work-anywhere productivity. But it also means that enterprises must brace for the fact that the bad guys will target these devices with exploits, spyware, and rogue applications.

And while IBM's IT security research team, X-Force, predicts a modest 33 software exploits targeting mobile devices in the year ahead, that is roughly twice the number of mobile exploits released in the past 12 months.

Senator to Businesses: Protect Data or Pay

Senator Richard Blumenthal, D-CT, says his newly-introduced legislation, the Personal Data Protection and Breach Accountability Act of 2011, will protect individuals' personally identifiable information from data theft and penalize firms that don't adequately secure their customers' information. Naturally, there are skeptics.

The bill would establish "appropriate minimum security plans" for businesses with 10,000 or more customers to safeguard their customer information, and would hold those businesses accountable through fines should they fail to meet those standards. The bill also calls for more public/private information sharing.

Microsoft Hunts Bugs with Variation on Bounty

Bug bounty programs are designed to reward security researchers for finding flaws in a vendor's product that have made it past their own quality processes. Some organizations, such as Google and Mozilla, have had bug bounty programs in place for a time, while social networking site Facebook just announced a bug bounty program with a base reward of $500.

Microsoft, however, isn't interested in paying for one-off vulnerability reports. The software vendor instead is swinging for the fence: getting help from the security research community in exterminating entire classes of bugs. That was the message at the recent Black Hat security conference, with its announcement of the "BlueHat" Prize. The contest promises a first-place award of $200,000 to security researchers who come up with "a novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities." Second prize is $50,000.

To be Breached is Human (But Still a Nuisance)

While the security industry likes to focus on application security and system vulnerabilities, as well as the effectiveness (or lack thereof) of the tools used to defend IT systems, the vulnerabilities that create real-world breaches are often created by the wetware between our ears, not by defective tools.

Earlier this week, in the story "It's the Human Threat, Stupid," we covered how people social engineer and attack. Since then, some survey results have revealed how people may also often be their own worst enemy when it comes to protecting IT systems. The results hint at why it is so hard to protect networks and IT systems from attack. And the clue is this: Our IT systems are designed, built, managed, and used by us.

Independent Lab Tests Find Firewalls Fall Down on the Job

During the first quarter of this year, independent IT security testing company NSS Labs evaluated six network firewalls: Check Point Power-1 11065, Cisco ASA 5585, Fortinet Fortigate 3950, Juniper SRX 5800, Palo Alto Networks PA-4020, and the Sonicwall E8500.

What the company found would likely startle any existing or potential customers: three of the six firewalls failed to stay operational when subjected to stability tests, and five out of six didn't handle what is known as the "Sneak ACK attack," which would enable attackers to side-step the firewall itself. Finally, according to NSS Labs, the performance claims presented in the vendor datasheets "are generally grossly overstated."

Malvertising Continues to Pound Legitimate Web Sites

In the last three months of 2010, attackers managed to serve 3 million malicious advertising, or malvertising, impressions every day. That's the headline figure from a report released today by Web security firm Dasient. According to Dasient, that's a 100 percent increase from the preceding quarter.

Part of the increase may be attributed to Dasient increasing the types of ad networks it tracks. In this report, the firm began tracking so-called remnant advertising networks (networks that sell empty advertising slots at the last opportunity) as part of its study. Because these networks aggregate advertisements and charge a low rate, there is less revenue and possibly less vetting of the safety of advertisements, the report stated.

Apple Gets Quietly Serious About Security

Just last week news broke that Apple was offering copies of its yet-to-be released Mac OS X 10.7, or Lion, operating system to security researchers and soliciting their feedback.

In an interview with Computerworld's Gregg Keizer, Mac security expert Charlie Miller of Independent Security Evaluators, an author of the Mac Hacker's Handbook, acknowledged that he wasn't aware of Apple having taken such steps before.

If Stuxnet Was Act of Cyberwar, Is US Ready for a Response?

With Stuxnet setting back Iran's disputed nuclear program, that country has vowed to take "pre-emptive" strikes against the powers it believes launched the attack, a recent news story in the Tehran Times reported.

"An electronic war has been launched against Iran," an official was quoted as saying.

Online Attacks Spreading Faster, Wider, Researcher Says

Just as computing power rushes to the cloud and users' attention shifts from PCs to their mobile devices and social networks, so does the focus of the bad guys.

Consider the Bohu Trojan recently spotted in China by Microsoft security researchers Jingli Li and Zhitao Zhou. This Trojan blocks connections to cloud anti-virus applications from customers' Windows systems, and has been active against common anti-virus vendors in that country, according to a Microsoft blog post.
