Don’t let the word “virtual” in virtual servers fool you. You’re the only one who knows it’s virtual. From the perspective of the virtual server itself, the devices connected to it, the applications running on it, the end-users connecting to it, or the security threats trying to compromise it, the server is very, very real. A new survey from Kaspersky Lab found that many IT professionals understand that securing virtual environments is important, but don’t fully understand the threats or how to properly defend against them.
Kaspersky Lab surveyed nearly 4,000 IT professionals around the world to gather research for the Global IT Security Risks Survey 2014—Virtualization report. Security concerns were cited by 43 percent of respondents as a significant barrier to implementing virtualization, and 41 percent stated that managing security solutions within virtual environments is a struggle.
Those numbers aren’t horrible, but they could be better. Where things take a turn for the worse is when Kaspersky Lab asked the IT professionals about their awareness of the security threats facing virtual environments and how to defend against them. According to Kaspersky, 36 percent claim that the security concerns facing virtual servers are significantly lower than those for physical servers, and 46 percent believe the virtual environment can be adequately protected using conventional security solutions. More than half of the survey respondents indicated their company has only partially implemented security solutions in the virtual environment.
Congress has been pursuing an investigation into alleged misconduct at the IRS, and as a part of that investigation it requested emails from former IRS director Lois Lerner for the timeframe in question. The response Congress got was those emails—along with any archive or backups of those emails—have been erased and are no longer available. There are legal and compliance requirements organizations must abide by when it comes to retention of information, and the IRS apparently dropped the ball.
Dr. Barbara Rembiesa, president and founder of IAITAM (International Association of Information Technology Asset Managers), didn’t pull any punches when talking about the plausibility of the claim that the emails have been destroyed. She is quoted in an IAITAM blog post stating, “The notion that these emails just magically vanished makes no sense whatsoever. That is not how IT asset management at major businesses and government institutions works in this country.”
According to Rembiesa, there are some serious questions to be asked of how the IRS handled the situation, and the answers could prove to be a bit of a smoking gun for the larger investigation.
I wrote yesterday about a report from Microsoft researchers, which goes against established password security best practices. The new guidance from the Microsoft researchers makes sense to me, because it fits how I handle password management already. However, at least one security expert feels that there is a fatal flaw that makes the new password advice impractical: You.
Almost every aspect of computer security and privacy seems to come back to that one fundamental issue. You—the user—are the weakest link in the security chain. No matter how effective a security process or tool has the potential to be, user error can undermine the whole thing and render the security useless.
In a nutshell, the Microsoft researchers assert that the default advice to use unique, complex passwords for every site and service you use doesn’t work. Users can’t remember that many complex passwords, so instead they opt to ignore the advice entirely and use the same often ridiculously simple password everywhere, increasing their exposure to risk and compromise. What the Microsoft researchers propose is that people group credentials based on their importance or access to sensitive data and feel free to re-use simple passwords for accounts that don’t really matter.
Stop me if you’ve heard this one before: You should use unique, complex passwords for every login you have to manage, and you should employ a password management utility to keep track of it all. That is the prevailing advice, but a couple of Microsoft researchers have come to the conclusion that it might be the wrong approach.
At face value, the guidance makes sense. If you use strong, complex passwords composed of random strings of characters for your logins, and you use a unique password for each site or service, the odds of a password getting cracked or compromised are greatly diminished, and the potential fallout of a password compromise would be limited to that one site or service. It is difficult to remember 10 or 20 or more random strings of complex characters, so using a password vault or password management utility lets you keep track of them all. Simple enough.
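The trade-off described in the two password posts above, as an added example that is not from the article or the Microsoft researchers: the researchers' proposal is to group credentials by importance and tolerate reuse only among accounts that don't really matter. The script below treats that as an auditable policy over a password inventory. The tier names, the rule that reuse is acceptable only when every account sharing the password is in the lowest tier, and the account list are all constructed assumptions for illustration.

```python
"""Audit a password inventory against a tiered-reuse policy.

Assumed policy (an interpretation of "reuse only where it doesn't matter"):
a password may be shared only among LOW-importance accounts; any reuse
group that contains a HIGH or MEDIUM account is a violation, because one
breach of a throwaway site would expose an account that matters.
"""
from collections import defaultdict
import hashlib

HIGH, MEDIUM, LOW = "high", "medium", "low"  # hypothetical importance tiers

# Constructed sample inventory: (site, tier, password). Hypothetical values.
SAMPLE_ACCOUNTS = [
    ("bank.example", HIGH, "Tr0ub4dor&3-x9Qm"),
    ("mail.example", HIGH, "correct horse battery staple"),
    ("shop.example", MEDIUM, "Tr0ub4dor&3-x9Qm"),   # reuses the bank password
    ("forum-a.example", LOW, "hunter2"),
    ("forum-b.example", LOW, "hunter2"),             # reuse among LOW only
    ("newsletter.example", LOW, "hunter2"),
]


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so the report never carries the plaintext.

    This is a report-only identifier, not a storage hash; a real vault
    would keep secrets under a proper KDF.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def reuse_groups(accounts):
    """Map password fingerprint -> [(site, tier)] for passwords used more than once."""
    groups = defaultdict(list)
    for site, tier, password in accounts:
        groups[fingerprint(password)].append((site, tier))
    return {fp: members for fp, members in groups.items() if len(members) > 1}


def audit(accounts):
    """Return one finding per reused password, sorted by site list.

    blast_radius is how many accounts fall if that one password leaks;
    violation is True when the group is not made up solely of LOW accounts.
    """
    findings = []
    for fp, members in reuse_groups(accounts).items():
        tiers = {tier for _, tier in members}
        findings.append({
            "fingerprint": fp,
            "sites": sorted(site for site, _ in members),
            "blast_radius": len(members),
            "violation": tiers != {LOW},
        })
    return sorted(findings, key=lambda f: f["sites"])


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS):
        status = "VIOLATION" if finding["violation"] else "ok (low-tier reuse)"
        print(f"{status}: {finding['blast_radius']} accounts share "
              f"{finding['fingerprint']} -> {', '.join(finding['sites'])}")
```

Run against the sample inventory, the bank/shop pair is flagged because a medium-value shop account shares a password with a high-value bank account, while the three forum-style accounts sharing `hunter2` pass under this policy. The point a defender should take from the model is that the policy only holds if the tiering is honest: an account that can reset other passwords (such as email) belongs in the top tier regardless of how unimportant the site itself feels.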
In early June the U.S. Department of Justice revealed that the Gameover Zeus (GOZ) botnet had been disabled thanks to the success of a joint effort dubbed “Operation Tovar.” The celebration appears to have been premature, though, as security researchers have already discovered a resurgence of Gameover malware infections.
While the Gameover botnet has lain dormant since the takedown, a new massive spam campaign has Sophos Labs researcher James Wyke concerned that the threat has returned. A blog post reveals details of why it seems to be part of the same malware family.
As predicted last week, Microsoft published six new security bulletins for the July Patch Tuesday, and only two of them are rated as Critical. There are also three Important and one Moderate security bulletin this month. The two Critical security bulletins are a cumulative update for Internet Explorer and a patch for an issue with Windows Journal that could allow an attacker to execute malicious code remotely on the vulnerable system. The Important security bulletins address flaws in the on-screen keyboard, the ancillary function driver (AFD) and DirectShow, and the Moderate security bulletin deals with a potential denial of service vulnerability in Microsoft Service Bus.
As much of the workforce in the United States coasts through the rest of the day looking forward to an extended weekend to grill hot dogs and drink beer—I mean, celebrate the nation’s independence—Microsoft released its advance notification for next week’s Patch Tuesday. The six security bulletins include two ranked Critical, three Important, and one listed merely as Moderate.
Six security bulletins is fewer than usual—with 106 security bulletins in 2013, the average has been just under nine security bulletins per month. But it’s still enough to keep IT admins busy.
One of the two Critical security bulletins is related to Internet Explorer. It is most likely a new cumulative update patch. Ross Barrett, senior manager of security engineering at Rapid7, said, “It will be interesting to see just how many CVEs are in this round after the 59 patched in MS14-035. Rather than 59 being the new normal, I expect this round will return to the 8-12 CVEs addressed per IE patch standard.”