News Briefs

Pages: pp. 5-9


Spike in Phishing and Malware a Danger to IT

Security firms are reporting that IT departments must be careful of increased threats to corporate networks and data from phishing and malware attacks. There are 33 million unique phishing messages every week, according to Dave Cole, director of security product management at Symantec Security Response. He says this plus an increase in the distribution of malware designed to steal confidential information presents a challenge for IT.

"With adware and spyware, there is a massive problem this year," says Cole. "There is money written all over this stuff."

The Anti-Phishing Working Group (APWG), an industry association devoted to eliminating phishing, defines phishing as attacks that "use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials." Corporations often find that they are victims of another type of phishing attack in which attackers use their good brand names and logos to trick people into responding to bogus solicitations.

"Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS [Domain Name Service] hijacking or poisoning," according to the industry group.

"It means it's more important than ever to be vigilant," says Cole. This means protecting users and infrastructure. "It's not enough just to have a firewall." He says these attacks "ups the ante at the desktop."

Although basic security approaches can protect against phishing and malware, Cole says it is also important to have "good Internet security hygiene" and multiple levels of protection for mail clients, servers, and client machines.

The biggest losses for corporations are in time and resources. Some corporate espionage takes place through these sorts of attacks, but the bulk of the problem is in financial and productivity losses. These losses can also come from attacks that load software, turning computers into so-called zombies that enable hackers to spew more spam and phishing attacks and engage in other illegal activities.

"Threats today are silent and more effective," says Cole. IT departments should, he says, apply security patches, have utilities that delete adware and spyware, and undertake regular sweeps of desktops to keep these problems at bay. "The new threats typically won't bring an organization to its knees," he says, "but they cause all sorts of more hidden problems that are equally severe. They're just not as noisy."


Microsoft Issues Big Patches

Microsoft announced a giant group of security patches in June, some of which were considered "critical." This can mean a lot of work for IT, but it is also part of the software giant's approach to giving customers cyclical security information they can use to protect their enterprises.

This month's security bulletins released by Microsoft contained information about 12 vulnerabilities, three of which the company categorized as critical. Each of those was in Microsoft Windows. The company released other notices on 14 June for Microsoft Exchange Server, Microsoft Interactive Training, Microsoft Windows and Microsoft Services for Unix, and Microsoft ISA (Internet Security and Acceleration) Server.

Microsoft declined to answer questions, but released this statement: "Microsoft is aware that the large number of bulletins being released may create a lot of work for our customers, and as a result, we have put into place a number of things to help make the process of becoming more secure as easy as possible. … For instance, on Thursday, June 9, 2005, we announced the number and severity of this month's release as part of the Advance Notification Program."

"It's really kind of hard to quantify them. What concerns me is people tend to want to do it based on the number. There's this tendency to want to look at the count," says Michael Cherry, lead analyst, Windows and mobile, for the independent analysis firm, Directions on Microsoft. He says a single vulnerability in a widely deployed product such as XP Home Edition can make exposure worse. He characterized this monthly bulletin as "still kind of an average one—even for IT."

Dave Cole, director of security product management for Symantec Security Response, said of these announcements that there were a few "of interest" worth noting, particularly a vulnerability related to rendering PNG images. Hackers can use this vulnerability to surreptitiously install malicious software on a user machine. He said this is not the first time such a possibility existed with regard to exploiting images, but is part of "a continuous theme of client side vulnerabilities."

How involved the update process is for IT staffs depends on "the location and number of machines. It touches every Microsoft desktop you have out there."

What's important is getting patches installed. As Cherry points out, once Microsoft announces vulnerabilities, there are people who will then try to exploit them. Cole says to "buy a little time" IT managers can use intrusion prevention tools until they can thoroughly test the patches.

"IT departments should be in expedited testing mode—getting the patches out, security software updated and be in vigilant mode." Cole says this includes aggressively watching logs and firewall activity.

In general, Cherry says, "IT is getting quite used to" the bulletin cycle. "Microsoft is trying to get this into an ongoing cyclical patch program." He says this can enable IT departments to more efficiently staff and manage their resources, as well as help them decide which patches are most critical to their organization.

Additionally, Microsoft stated that its enterprise customers should "use Windows Server Update Services and the Microsoft Baseline Security Analyzer to aid in the deployment of the Windows bulletins." The Enterprise Scanning Tool helps detect vulnerable computers beyond what the MBSA is capable of detecting. The company will release new versions of the tool each time the bulletins affect products where MBSA is not able to help.

For more information, visit Microsoft online at


Outsourcing to Rural US

Outsourcing remains a hot topic for IT departments interested in finding a pool of qualified workers at attractive costs. Now, instead of looking to India or Ireland, IT departments are finding the workers they want in rural parts of the US.

Kathy White, former CIO at Cardinal Health, who founded Rural Sourcing Inc. in 2003, says outsourcing within the US isn't a trend; it makes good business sense. A graduate of Arkansas State University who taught for a decade in the University of North Carolina system, she says many talented employees were languishing outside major cities.

When she was still a CIO for Chicago-based Cardinal, White started recruiting in Jonesboro, Arkansas, and Durham, North Carolina. "I felt we could get loyal workers who were excited about the opportunity to work with our company." She saw pent-up demand and a ready labor pool and founded her firm to unite the two.

These areas, she says, share much in common. "They have good, strong universities, economic development interest for the region, and a lower cost of living." She expects to be operational in five regions by the end of 2006; 50 in the next five to 10 years. Rural communities stand to gain much. Commonly, residents seeking high-tech jobs would be forced to look to urban areas for suitable career opportunities.

White says their database contains some 1,100 resumes from 35 states. Many of these are new college graduates, but it also includes people wanting to relocate who may be under- or unemployed. It also includes people frustrated with the cost of living where they currently reside, including California. "It really is surprising," she says. "There are an amazing number of people willing to relocate."

Rural Sourcing Inc. is involved in what White calls "mid-tier knowledge work"—application development, Web development, and similar tasks. The firm's customers include Cardinal Health, Mattel, and the State of Arkansas.

Rural Sourcing Inc. isn't the only firm with this strategy. Ciber, a Colorado outsourcing firm with interests outside the US, has created two application development centers—Cibersites—in the US, to "provide an affordable alternative to offshore outsourcing and an extension to outsourcing choices." The two facilities are located in Tampa, Florida, and Oklahoma City.

White says their customers sometimes choose rural-US outsourcing because security and privacy issues prevent them from going offshore.


Gartner: IT Shift to Utility Computing Inevitable

By 2010, vendors will deliver one-fourth of all applications via IT-utility-style computing on a real-time infrastructure, according to a report from Gartner. Analysts say this might initially cause confusion for corporations reliant on existing operational models, but they must "adapt or die." "It's really the emergence of a new option for customers," says Ben Pring, research vice president at Gartner and coauthor of the report. Rather than work with consultants, systems integrators, or other more traditional and costly approaches to implementing and deploying technology, he says IT will turn to this "new alternative borne out of frustration with the current model."

Data is growing at 36 percent a year, while IT department budgets are only growing at a rate of 6 percent annually, and this "disconnect," according to Aisling MacRunnels, senior director of utility computing at Sun Microsystems, means IT departments need to make a fundamental operational shift.

Gartner analysts have stated for several years that in-house IT departments are on the cusp of change. Pring says CIOs have to adjust. "We see a fundamental change in the role for CIOs to become process owners." In other words, they are no longer a "100 percent provider of that process."

This approach fits with the idea many IT departments are trying to adopt of right-sizing to be more business aligned, says Helen Donnelly, vice president of marketing for utility software provider Evident Software. "The consumer should be paying for what they use. That's the idea of a utility mode … It's ultimately a catalog of services priced and allocated based on usage."

To move the applications to a utility model makes sense. Enterprises have seen success with CRM and sales force automation as evidenced by the success of, but other options—namely utility computing infrastructure services such as those offered by IBM and Sun—are also viable, even if the concept is "more abstract," says Pring. Moving to utility computing can also provide a foundation for the more-efficient hardware use available from grid computing.

Sun offers utility computing services through its Sun Grid—a multitenant data center that customers can share. MacRunnels says utility computing is not just metered pricing. Their offering resides "at the intersection point between utility computing and grid technology." As Sun defines this, grid computing is the facilitator for the utility business model. IT departments working toward utility computing—which Donnelly says is a growing number of enterprises—are seeing "a huge cost savings in auditing assets." Why? Because utility computing can make available detailed data on resource utilization.

For example, a common goal, Donnelly says, is to move servers into the data center to lower costs, particularly maintenance costs. One customer with a $500 million network realized a 7 percent cost savings, she says, just from having that analysis available to then make changes in the IT operation.

Evident monitors "conversation flows in and out of the data center, across different servers," according to Donnelly. "We're not going into SAP to see how many transactions there are." Customers can map use at a macrolevel to then make decisions about applications and hardware.

She says some firms are finding surprising use of their networks. Some legacy applications that were once fought over to remain in use simply aren't being used at all. Other resources are overused. She cites cases where IT managers have found desktops altered by employees to run as servers. "The impact to resource consumption was significant."

Another benefit for IT is that by looking at IP flows and obtaining hard data, IT departments then have information they can present to department managers about their network use. "This goes a long way to improving customer satisfaction," says Donnelly. And this gives IT "phenomenal credibility" because they have facts to present. "Rather than head butting … they now have a factual basis for a conversation."

MacRunnels says that to make the transition to utility computing, some companies start by having their computing hosted in a single-user environment before moving to a shared, multitenant data center. Doing so helps eliminate security and corporate cultural concerns that, she says, are among the challenges for early adopters. Some industry segments looking to this model, she says, include financial services and manufacturing.

"These are inevitable trends … the inevitable consequences of a market that is maturing," says Pring. "For in-house IT to retain its relevancy it has to adapt to changes." Shifting to a utility model also can focus IT on differentiating its services, also enabling IT managers to prioritize and maximize investments without becoming spread too thinly.


Corporate Best Practices

McAfee Research suggests the following ways to protect your networks and data:

  • Establish corporate policies and communicate them to users. Create corporate policies for e-mail content so users cannot confuse legitimate e-mail with phishing. Communicate these policies to users and follow them.
  • Provide a way for the e-mail recipient to validate that e-mail is legitimate. The recipient should be able to identify that the e-mail is from the institution, not a phisher. To do that, the sending institution must establish a policy for embedding authentication information into every e-mail that it sends to consumers.
  • Institute stronger authentication at Web sites. If institutions did not ask users for sensitive information when logging onto a Web site (such as Social Security numbers or passwords), then it would be more difficult for phishers to extract such information from users.
  • Monitor the Internet for potential phishing Web sites. The phishing Web site generally appears somewhere on the Internet prior to the launch of the phishing e-mails. These sites often misappropriate corporate trademarks to appear legitimate.
  • Implement good-quality antivirus, content filtering, and antispam solutions at the Internet gateway. Gateway antivirus scanning provides an additional layer of defense beyond desktop antivirus scanning. Filter and block known phishing sites at the gateway. Gateway antispam filtering helps end users avoid unwanted spam and phishing e-mails.

About the Authors

Linda Dailey Paulson is a technology writer based in Ventura, Calif. Contact her at