SMBs Downplay Web Threats

Seven out of 10 small to medium-sized businesses (SMBs) report being hit with a virus or spyware infection, but continue to underestimate the consequences of those attacks. This disturbing conclusion comes from a recently released report, "State of Internet Security: Protecting Small and Medium Businesses," from anti-virus vendor Webroot.

SMBs make up the majority of the world's businesses, accounting for more than 99.5 percent of the survey's respondents. Since they make up the bulk of the business world, they're frequent targets for online criminals. Several other factors increase their collective risk:

  • Pervasive Internet use; 77 percent said their success depends on the Internet
  • Home-based and remote workers; as much as 52 percent of new businesses are home-based or remote
  • Lack of in-house security expertise
  • Limited budget and resource constraints
  • Keeping pace with a mobile workforce
  • Lack of policies managing personal use of work computers
  • Increasing volume of sensitive customer and employee data
  • A rapidly evolving threat landscape

In general, the report revealed a misperception and low sense of awareness of online threats. While companies fear and prepare for virus attacks, spyware is actually the more significant problem.

The State of Internet Security report is a quarterly analysis of current security concerns, with each edition focusing on a specific aspect of security. The survey results come from companies in six countries: Canada, France, Germany, Japan, the United Kingdom and the United States. You can find the full report at http://www.webroot.com/sois.

Budget constraints or blissful ignorance on the part of those seven out of 10 SMBs? How do you protect your SMB or larger enterprise? What's your greatest Web-borne concern? Clue me in at [email protected].

Ellison Dumps Oracle Shares
It's been said that yacht racing is the most expensive sport in the world. If you have to ask how much it costs, you can't afford it. Sounds like it might be out of my league.

Larry Ellison, however, has no problem keeping his America's Cup racing yacht afloat. It must need a new coat of paint though, because the pugnacious Captain Ellison just sold 2 million shares of Oracle stock.

I'm just guessing on what Ellison plans to do with the loot, of course, but consider this: He sold each of those 2 million shares for slightly more than $22 a pop. It's good to be Larry.

This was actually a prearranged sale called a 10b5-1 Trading Plan, according to SEC filings. These permit company insiders to establish transactions in advance and continue with them even if the seller learns some critical inside scoop. They have to file a Form 4 with the SEC to report the transaction within two business days.

Do you think this is just some small-change accounting for Captain Ellison? Do you think it's a sign of trouble at Oracle? Send your opinions and any good stock tips you might have to me at [email protected].

TSA Laptops Missing
Should I have called this bit "Missing Laptops with Personal Info: Part 6,000,003"? It's happened again, folks, although like most cases before it, this is probably a case of laptops being stolen to sell for cash. Little do the perps know -- or thankfully they just don't care -- these purloined laptops are like an all-you-can-eat buffet for identity thieves.

The bigger issue here is that this isn't the first time sensitive data has gone missing from the TSA. Earlier this year, the TSA lost a computer with bank and payroll data for nearly 100,000 employees. (By the way, that acronym stands for "Transportation Safety Administration." I'd question the "S" and the "A" if they continue to have laptops lifted from them on a semi-regular basis. Aren't these the people who're supposed to keep bad guys from bringing bad things onto airplanes?)

This time, two laptops with detailed personal information about commercial drivers licensed to transport hazardous materials are gone. The laptops belonged to a contractor called Integrated Biometric Technology that works for the TSA. Since they were reported missing, TSA has instructed the contractor to encrypt its hard drives. So far, there have been no reports of data misuse.

Has your organization ever experienced data theft or loss like this? How did you deal with it? What was your plan? Steal a few moments and let me know at [email protected].

Microsoft Along for the Ride
You can now get Microsoft technology in your car, and I'm not talking about Windows. Several new Ford models will have an integrated entertainment and communication system called Microsoft Sync. You can operate your phone, music player or PDA with voice commands and buttons on the steering wheel. All devices are connected via Bluetooth.

Cool technology aside, let's hope that this helps reduce driver distraction when making calls or cranking tunes. Beyond that, I don't think there's any hope for the morons I see on the MassPike reading the paper (I swear I'm not making that up), shaving, putting on makeup or eating their breakfast.

One nice thing to note is that this isn't going to be an exclusive option available only on high-end cars. You can get Sync on a range of Ford, Lincoln and Mercury models. The first cars with Sync installed should be in dealerships by now.

What do you think of Sync? Is Microsoft nailing a market or is it spreading itself too thin (see the "Foley on Microsoft" column in the upcoming November issue of Redmond magazine)? Let me know at [email protected].

Mailbag: Fixing the Patch-Hack Circle
Patches on Tuesday, exploits on Wednesday. Doug asked readers this week how they would fix Microsoft's patching process. Here's what some of you had to say:

There's nothing wrong with the Patch & Hack cycle that can be avoided. The problem is that this question is a strawman. The real problem is the elephant in the room known as Windows.
-Anonymous

I think that Microsoft, with all its resources, should be able to put out code that doesn't have any exploits. If a hacker can find the holes in Microsoft's code, why can't Microsoft? We need to break this circle of patches and re-patches and re-patches and...
-Joachim

It would be nice to have more time to update servers once a patch is released. However, it doesn't bother me too much. Management will always fail to understand the severity of not patching; they will always postpone until the next change control meeting (every seven days); they will always continue to choose current uptime over closing security holes (regardless if it is NTFS permissions or unpatched servers); and they will never reward those that arrive at work at 4 a.m. to watch 200 servers reboot for patches (never mind the 150 we have to patch manually because we are not allowed to automate the process). And management will continue to be people that have NEVER worked at the help desk, desktop support, software integration, or as a server engineer.

In my mind, hackers do us a favor. They force management and low-end systems engineers to do their job properly. Without hackers, every system (Unix, MS, Linux, etc.) would still be unpatched and unsecured for foreign entities to hack or destroy our systems in times of war or peace. You or I could write paragraphs about this topic. While I'm not a hacker, I do like to learn the trade little by little so I can tune snort and log sensors to watch for their activity. Hackers have made our systems safer.
-Brett

Tell us what you think! Leave a comment below or send an e-mail to [email protected].

About the Author

Lafe Low is the editorial liaison for ECG Events.
