ITIC Corp » The time for business is now!

Archive for the ‘Security’ Category

June 23, 2011, 12:04pm

Hackers have had a bonanza this spring. Nary a day has gone by without news of yet another major attack. Here is a partial list of the most publicized hacks of the past three months:

  • RSA Security: Disclosed on March 17, in a move akin to raiding Fort Knox, attackers breached RSA and extracted information related to its SecurID two-factor authentication tokens, one of the industry’s gold standards for strong authentication. RSA executives described the intrusion as “very sophisticated” and characterized it as an advanced persistent threat (APT)-style targeted attack. Its entry point was routine: a phishing Email carrying a malicious attachment that delivered its payload when opened.
  • Epsilon: This Irving, TX-based company handles customer Email messaging for more than 150 firms, including large banks and retailers such as Best Buy, JPMorgan Chase, Citigroup and L.L.Bean. In April, millions of consumers learned that Epsilon’s network had been breached when they received Emails from their banks and credit card companies warning that the hack might have exposed their names and Email addresses. Epsilon released a statement assuring consumers that only Email addresses and names were compromised and that no sensitive data was disclosed. Names paired with addresses are nonetheless enough to craft convincing, bank-branded spear phishing, which is why the notifications went out.
  • Sony: Sony’s PlayStation Network and related online services suffered a series of massive attacks in April and May that affected more than 100 million online accounts and kept the services offline for weeks. Sony executives estimate the hacks will cost the Japanese electronics firm $170 million.
  • Lockheed Martin: In late May the aerospace giant released a statement saying its internal information systems network had been penetrated by what it called a “significant and tenacious” attack. The company declined to divulge details other than stating that “no customer, program or employee personal data” had been compromised.
  • Public Broadcasting Service: The PBS website was hacked in late May and the perpetrators planted a bogus story claiming that the late rapper Tupac Shakur was alive in New Zealand. The group that claimed credit was apparently unhappy about PBS’ recent “Frontline” investigative program on WikiLeaks.
  • Google: At least 84 malicious applications have been discovered in the company’s Android Market app store in the last three months. In March Google removed some 50 applications in which malicious code had been embedded in repackaged copies of legitimate applications. Over the Memorial Day weekend Google pulled a further 34 smart phone applications from Android Market on suspicion of malware. Google’s security woes don’t stop there. In early June, Google disclosed that attackers in China had targeted the personal Gmail accounts of senior U.S. government officials, military personnel, Asian officials, Chinese political activists and journalists. According to Google’s blog post, the victims were tricked by phishing into sharing their Gmail passwords with “bad actors” based in China; the attackers’ goal was to read and forward the victims’ email.
  • Apple (yes, Apple!): Mac OS X 10.x has been under attack for the past month from the Mac Defender/Mac Guard scareware family, which poses as anti-virus software in order to extract credit card numbers. A few days ago, Apple released a security update to detect and remove it, and within 24 hours the attackers struck again with a new malware variant (Mindinstall.pkg) specifically designed to bypass Apple’s new defenses.
June 23, 2011, 12:01pm

It’s time for corporations to wise up and use the latest, most effective weapons to safeguard and secure their data.
High tech devices, software applications, Emails, user accounts, social media and networks – even those presumed safe — are being hacked with alarming alacrity and ease.
Security tools, encryption and updating your networks with the latest patches are certainly necessary, but they are not enough. Corporations must arm themselves with the latest security tools and devices in order to effectively combat the new breed of malware, malicious code and ever more proficient hackers. I’m referring to the new breed of continuous monitoring tools that identify, detect and shut down vulnerabilities before hackers can find and exploit them.
In the late 1980s, the “early days” of computer networking, hacking was a means to an end. The modus operandi of hackers (usually white males in their teens and twenties) was to perfect their skills, perform a high profile penetration, claim it was a mistake and then land a well paying job with a legitimate security company. Many of today’s hackers are professionals who operate within organized rings. Hacking is both the means and the end, and it is an extremely lucrative business.
“The hackers have upped their game,” says Stu Sjouwerman, founder and CEO of KnowBe4, a Clearwater, FL company that trains corporate knowledge workers on how to avoid spam, phishing, spear phishing and social engineering hacks. “Hackers have gone completely professional. They’ve graduated from identity theft to full-fledged Internet bank robbery or cyber heists. There are now highly organized computer security ‘Mafias’ in Eastern Europe, Russia, the Ukraine and Romania that employ highly qualified computer science majors who do nothing but hack. Most companies are woefully ignorant and unprepared to deal with the new threats,” Sjouwerman asserts.
On June 1, 2010, the National Institute of Standards and Technology (NIST) published guidelines calling for organizations to engage in continuous monitoring of their networks. These guidelines are based on a wealth of real-world experience and highlight the need for new tools to put continuous monitoring into practice, says Major General John P. Casciano, USAF (Ret.), who served as director of intelligence, surveillance and reconnaissance, deputy chief of staff, air and space operations, Headquarters U.S. Air Force, Washington, D.C. He is currently President and CEO of GrayStar Associates LLC and consults on cyber security issues.
“In the dynamic and ever-changing network, continuous monitoring simply can’t be performed manually; it must be supported by software that provides powerful new weapons with which to successfully defend and thwart attacks,” Casciano says.
Continuous monitoring is both a new approach and a new class of products and tools, and it is preventive as well as prescriptive. It enables organizations to detect threats as they occur and, most importantly, to identify vulnerabilities that can be mitigated or closed in advance of an intrusion or attack. The NIST guidelines draw on a wealth of real-world experience, including the “routine” attacks launched on individuals’ social media accounts on Facebook and Twitter. Each day the headlines deliver yet another sobering call for corporations and consumers alike to wise up and defend their data.
We all know there is no such thing as a 100% hack-proof network, application or device. Attacks ranging from phishing and malware (Trojans, bots, worms, zombies et al.) to exploits that leave behind forgotten back doors to targeted corporate espionage are facts of 21st century computing life.
Hackers are more organized, and the attacks themselves are becoming more sophisticated and more pernicious. They use the Internet as a superhighway to circumnavigate the globe faster than you can say “Magellan.” What’s worse, the hackers are aided and abetted by corporations with lax, porous and often outdated security measures. Consumers, too, are often the hackers’ best helpmates, particularly when they fail to keep their anti-virus software and firewalls up to date and never check the privacy settings on the many social networking sites they frequent.
Security experts warn that malware is proliferating at the astounding rate of 73,000 new samples a day, a 26% increase over 2010. Even applying the 10/90 rule (10% of malware and rogue code is responsible for 90% of the damage), the upswing in threats is alarming.
Unfortunately, corporations and consumers tend to get complacent in the absence of a data breach that directly affects them or their organizations. It’s easier to rationalize and downplay very real threats and delay implementing the necessary proactive measures. It takes headlines, or more recently the breach notifications appearing with alarming regularity in our personal Email boxes, to give us all a much needed jolt. Computer, cell phone/smart phone, notebook, tablet and network security is fragile, ephemeral and fluid: the risks are always present and exploits are always lurking, waiting to happen.
This is War: Continuous Monitoring, the Latest Weapon in the Ongoing Security Battle
In response to the growing cyber threat, United States Senators John Kerry and John McCain have introduced a bipartisan online privacy bill designed to protect and control personal information. If the legislation passes, it will prohibit the collection and sharing of personal data by businesses that have no relationship with the consumer for purposes other than advertising and marketing.
The 2010 Verizon Data Breach Investigations Report, released last July and based on a first-of-its kind collaboration with the U.S. Secret Service, found that breaches of electronic records last year involved more insider threats, greater use of social engineering and the continued strong involvement of organized criminal groups.
The report cited stolen credentials as the most common way of gaining unauthorized access into organizations in 2009, pointing once again to the importance of strong security practices both for individuals and organizations. Organized criminal groups were responsible for 85 percent of all stolen data last year, the report said.
The stories behind the statistics are even more alarming. Hackers collaborate via the Web and form their own online communities to exchange data and perfect their hacks. And now they’re moving from V2P, virtual to physical, with entire communities, most prominently in Eastern Europe, devoted to career cracking. The city of Râmnicu Vâlcea, population 120,000 and located three hours outside Bucharest in the Transylvanian Alps, has been dubbed “Hackerville” by global law enforcement agencies. The town is brimming with cyber crooks who specialize in targeted corporate malware attacks and Ecommerce scams. Business is so profitable that the town is home to luxury car dealerships, new apartment buildings, and upscale restaurants, shops and nightclubs. The town’s reputation as a malware maelstrom has become so notorious that it was the subject of a feature article in the March issue of Wired Magazine.
The real lesson of the Verizon Business Data Breach Report and even Hackerville is that the overwhelming majority of data breaches can be thwarted if companies establish and follow good computer security practices and back these up with the latest technical weapons. Astoundingly, only four percent of breaches assessed in the Verizon Business Data Breach report required difficult and expensive protective measures. The report further claimed that 87% of attacks could be prevented using simple, proactive measures.

The 2010 Verizon report concluded that being prepared remains the best defense against security breaches. For the most part, organizations remain sluggish in detecting and responding to incidents. Some 60% of breaches continue to be uncovered by external parties, and then only after a considerable amount of time. And while most victimized organizations have evidence of the breach in their security logs, they overlook it for lack of staff, tools or processes.
Casciano maintains that any corporation serious about creating and maintaining a secure environment needs to deploy continuous monitoring tools. Right now there are two types of continuous monitoring products: “those that address what’s going on in the enterprise and identify vulnerabilities and those that enable companies to plug holes and correct vulnerabilities in advance so the attack is not effective,” Casciano says. Several vendors address this emerging market segment. Veteran security information and event management firm ArcSight, acquired in 2010 by Hewlett-Packard Co., and the Einstein intrusion detection program developed by the Department of Homeland Security for federal civilian networks exemplify products that identify potential weak spots and suspicious activity in a network. Other offerings, such as RedSeal in San Mateo, CA and tools built on NIST’s Security Content Automation Protocol (SCAP), address the rapidly emerging product class that both identifies and closes the holes in the network.
RedSeal Systems’ Network Advisor v4.1 and Vulnerability Advisor v4.1, for example, are near real-time risk management products that combine network configuration and vulnerability data to determine risk and provide prioritized remediation recommendations. Unlike systems that detect attacks once they occur, RedSeal identifies holes in the security infrastructure that create risk before hackers discover them.
Casciano says organizations must use both types of continuous monitoring. The products in the first group (HP’s ArcSight and the Einstein program) give business “tactical warnings and a snapshot in time of the activities within the IT enterprise” so that management can react to specific events. The second class (RedSeal and SCAP-based tools) “exposes the strengths and weaknesses of the entire IT enterprise, identifies potential avenues of attack and enables management to take defensive actions well in advance of an attack,” Casciano notes.
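The first class of tool Casciano describes, and the Verizon finding that evidence of most breaches already sits unread in the victim’s logs, come down to one thing in practice: reading the logs continuously and raising an alert on the patterns that matter. The script below is an added example, not code from this article or from any product named in it. It runs two such rules over a constructed sample of SSH authentication lines (the host, users and addresses are invented): a successful login preceded by a run of failures from the same source, and a successful login from a source the user has never used before, the stolen-credential pattern the Verizon report singles out. The known-source baseline and the five-failure threshold are assumptions made for the example.

```python
"""Continuous log monitoring over constructed SSH auth lines (added example)."""
import re
from collections import defaultdict

# Constructed syslog-style sshd lines for the example; host, users and
# addresses are invented (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Jun 23 11:58:01 web1 sshd[2201]: Failed password for alice from 203.0.113.7 port 50122 ssh2
Jun 23 11:58:03 web1 sshd[2203]: Failed password for alice from 203.0.113.7 port 50123 ssh2
Jun 23 11:58:05 web1 sshd[2205]: Failed password for alice from 203.0.113.7 port 50124 ssh2
Jun 23 11:58:07 web1 sshd[2207]: Failed password for alice from 203.0.113.7 port 50125 ssh2
Jun 23 11:58:09 web1 sshd[2209]: Failed password for alice from 203.0.113.7 port 50126 ssh2
Jun 23 11:58:11 web1 sshd[2211]: Accepted password for alice from 203.0.113.7 port 50127 ssh2
Jun 23 12:01:44 web1 sshd[2290]: Accepted publickey for bob from 10.0.0.15 port 41000 ssh2
Jun 23 12:02:10 web1 sshd[2301]: Accepted password for bob from 198.51.100.42 port 61001 ssh2
Jun 23 12:03:00 web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 50200 ssh2
"""

# Matches the OpenSSH "Accepted|Failed <method> for [invalid user] <user> from <ip>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<ip>[\d.]+)"
)

# Assumed baseline of sources each user has logged in from before this run.
# A real deployment would persist and update this; here it is a literal.
KNOWN_SOURCES = {"alice": {"10.0.0.20"}, "bob": {"10.0.0.15"}}
FAIL_THRESHOLD = 5  # assumed: this many failures before a success is suspicious


def parse(log_text):
    """Return one dict per recognised auth line; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(events, known_sources=KNOWN_SOURCES, fail_threshold=FAIL_THRESHOLD):
    """Apply two rules in log order and return (rule, user, ip, timestamp) alerts.

    brute_force_success: a success for (ip, user) after >= fail_threshold
                         consecutive failures from the same pair.
    new_source_login:    a success from an ip not in the user's known sources.
    """
    alerts = []
    fails = defaultdict(int)  # (ip, user) -> consecutive failures so far
    for e in events:
        key = (e["ip"], e["user"])
        if e["result"] == "Failed":
            fails[key] += 1
            continue
        if fails[key] >= fail_threshold:
            alerts.append(("brute_force_success", e["user"], e["ip"], e["ts"]))
        if e["ip"] not in known_sources.get(e["user"], set()):
            alerts.append(("new_source_login", e["user"], e["ip"], e["ts"]))
        fails[key] = 0  # a success ends the failure run for this pair
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print("ALERT %-20s user=%s from=%s at %s" % alert)
```

On the sample, alice’s login at 11:58:11 trips both rules (five failures then a success, from an address she has never used) and bob’s 12:02:10 login trips only the new-source rule; the final failed attempt against a non-existent account raises nothing on its own but stays counted. Run continuously against a tailed log, rules of this shape are exactly the “tactical warning” Casciano’s first class of product delivers.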
Ultimately, though, security products are only half the solution. The other half is the human element. Companies and their IT departments must construct strong security policies and procedures, disseminate them to the entire staff and enforce them. In an age where hackers’ ranks are swelling and successful penetrations are increasing, corporations would be wise to arm themselves with continuous monitoring tools to thwart cyber criminals.
Ask yourself: “What have you got to lose?”

April 4, 2011, 11:25am

IBM AIX v7 and Windows Server 2008 R2 Highest Security Marks
Nine out of 10 (90%) of the 470 respondents to ITIC’s 2010-2011 Global Server Hardware and Server OS Reliability survey rated the security of Microsoft’s Windows Server 2008 R2 and IBM’s AIX v7 as “Excellent” or “Very Good.” These were the highest security ratings among the 18 server operating system distributions polled (see Exhibit below). Three-quarters (75%) of survey participants gave HP-UX 11i v3 “Excellent” or “Very Good” security ratings, the third highest ranking. Ubuntu Server 10 and Debian GNU/Linux 5 tied for fourth: 71% of those polled ranked the security of the two most popular community open source distributions as “Excellent” or “Very Good.” Red Hat Enterprise Linux v5.5 and Novell SuSE Linux Enterprise 11, the two most widely deployed commercial Linux distributions, trailed Debian and Ubuntu but were nearly tied with each other: just over two-thirds (67%) of Red Hat users rated its security “Excellent” or “Very Good,” while 66% of participants judged Novell SuSE Linux Enterprise 11 security to be “Excellent” or “Very Good.”
Apple’s Mac OS X 10.6, which in the past two years has been notching modest gains among corporate users, finished at the bottom of the pack: 58% of its survey respondents rated its security “Excellent” or “Very Good,” behind Oracle’s Solaris 10, which 63% of respondents rated “Excellent” or “Very Good.”
Also noteworthy is that only a very small percentage of respondents gave thumbs down “Poor” or “Unsatisfactory” security grades to their server operating system vendors. In this category Apple had the highest percentage of respondents, 7%, who rated Mac OS X 10.6 security “Poor” or “Unsatisfactory.” This might appear puzzling to some, since Apple’s users have long touted the security of the platform and boasted that far fewer viruses and less malicious code target Macs than Windows. However, now that Apple is re-emerging as a significant presence in corporate networks, Mac OS X 10.6 will no longer enjoy the “security by obscurity” it claimed as a standalone consumer OS. Macs, iPhones and iPads are becoming mainstream business tools, and the volume of malware targeting the Mac (worms, Trojans and bots) is increasing commensurately. Apple will have to respond with tighter security.
Survey Methodology
ITIC and our survey partner GFI Software conducted an independent Web-based survey of 470 corporate IT managers and C-level executives worldwide from November 2010 through February 2011. The survey’s objective was to poll corporate customers on the reliability of 14 of the most popular server hardware platforms and 18 of the top server OS distributions.
Survey participants came from 23 countries; approximately 83% hailed from North America. The survey consisted of multiple choice questions and one essay question. ITIC supplemented the Web survey with two dozen first-person customer interviews. To maintain objectivity, ITIC accepted no vendor sponsorship monies.
Solid Security is Essential to Network Reliability
Solid security is an essential element of every network environment. The server operating system on which corporate middleware and software (databases, word processing, spreadsheets and other mainstream line of business (LOB) applications) run is the cornerstone of the entire network computing environment. As the saying goes, “the chain is only as strong as the weakest link.” Servers and their operating systems literally run the business and hold a significant share of an organization’s sensitive data and intellectual property (IP). If server OS security is flawed, buggy or easily hacked, the entire business and its operations are at risk.
Each GFI/ITIC survey invariably serves up some unexpected responses. And in this survey the biggest came in the responses regarding server operating system security.
The biggest of these, of course, was Microsoft, which like the Bible’s Prodigal Son, has returned home to rejoicing and rave reviews. Over the past decade Microsoft has struggled to shed the stigma that Windows is a porous server OS, perennially plagued with security flaws and easily compromised. It is now nine years since Microsoft publicly launched its Trustworthy Computing Initiative which was designed to make all of the company’s software inherently more secure by default and by design. Based on the survey responses, Microsoft has succeeded – particularly with Windows Server 2008 R2.
Of particular note, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2 were the only three of the 18 server operating systems in the GFI/ITIC poll for which a majority of respondents indicated that security has improved over the past three years. The share saying so for Windows Server 2008 R2 was 18 percent higher than for Windows Server 2008 and 30 percent higher than for Windows Server 2003.
It is equally true that, of all the platforms analyzed, Windows Server was the one that most needed to strengthen and shore up its security. In prior ITIC surveys as recently as 2008, user perception was that Windows Server security lagged behind nearly all of the other server OSes by a substantial margin.
Other Server Operating Systems Stay the Course
In all of the other 15 distributions, the majority of survey participants indicated that the security of the other server OS platforms “has remained the same.”
If Windows Server 2008 R2 is the Prodigal Son, then IBM’s AIX v7.1 is the “Good Son,” which has consistently delivered superlative security year after year, always garnering top ratings for overall reliability and security in each of the annual ITIC Reliability surveys. The 2010-2011 Global Server Hardware and Server OS Reliability poll was no exception. IBM tied for first place, with nine out of 10 respondents (90%) giving AIX v7.1 an “Excellent” or “Very Good” rating. Many of the IBM security managers ITIC interviewed cited the consistency and inherent ‘bullet proof’ nature of the server OS and the fact that IBM is quick to discover a security issue, inform them and issue a fix when one does arise.
Other distributions like HP’s UX, Red Hat Enterprise Linux , Novell SuSE Linux Enterprise and Apple’s Mac OS X 10.x also received high security marks and praise from customers.
The results of ITIC’s latest 2010-2011 Global Server Hardware and Server OS Reliability survey indicated that organizations of all sizes and across all vertical markets feel that it is critical that they monitor the server OS and associated server-based line of business (LOB) applications for vulnerabilities. A 51 percent majority of businesses feel that the security of the OS has an impact on the overall security and reliability of the network. Specifically, 60% of respondents indicated they place equal importance on monitoring the vulnerabilities of all network components followed by 56% that rated the OS as crucial and 42% say they feel the security of their databases and other main LOB applications are pivotal to the overall security of their network computing environments.
Among the other security highlights in the ITIC/GFI 2010-2011 Global Server Hardware and Server OS Reliability Survey:
• In response to the question “Estimate the impact or perceived impact that server OS security has on overall network reliability”:
  o 10% of respondents said “No impact, they are separate and distinct”
  o 37% said “Minimal impact”
  o 21% said “Moderate impact”
  o 17% said “Significant impact”
  o 12% said “Extremely crucial, server OS and security are intertwined”

Based on ITIC’s first-person customer interviews, we determined that the biggest customer complaint was not with the inherent security of a specific server OS platform but with finding fixes and getting technical service and support when the organization was stymied. In many of these instances the organizations were very large enterprises, and a common complaint was that searching for a fix was akin to finding the proverbial needle in a haystack. Since the underlying reliability and security of nearly all server operating systems and server hardware has improved, the majority of the more moderate and severe Tier 2 and Tier 3 outages are now due mainly to integration and interoperability issues, e.g., incompatible applications or drivers.

Conclusions and Recommendations
Server OS security is fluid and not static. No server operating system, application or hardware component is immune to penetration. Customer perception can and does change the minute a security flaw is found or malware is unleashed that successfully penetrates or threatens to compromise the security of any platform.
None of the server operating system vendors can rest on their laurels. Microsoft has made impressive security gains, making Windows Server inherently more secure by default, by design and in deployment; now it must maintain that consistency. Windows Server also has the biggest bull’s eye on its back, since it is one of the most widely deployed server operating systems. Other server OS distributions, most notably Apple’s OS X 10.6.x, which has so far avoided any very major or public security holes, must likewise stay vigilant as the OS increases its presence in corporate enterprises.
Corporations also bear at least 50% of the responsibility for securing their environments. Even the most bulletproof server OS can be undone by configuration errors and by failure to install and turn on the security features the OS already provides. Organizations are also advised to conduct quarterly threat assessments of their environments. Staying current on patches and fixes is a must, as are regular updates of anti-virus and other security packages. Corporations should also review and update their security policies and procedures annually.
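One concrete form the configuration-error point takes is a remote-access service left on its permissive defaults. The script below is an added example, not part of the original article: it parses an OpenSSH sshd_config, applies a small hypothetical hardening baseline (root login and password authentication off, protocol 2 only, X11 forwarding off, at most four authentication attempts) and reports every directive that is weak, whether because it is set weakly or because it is absent and the daemon’s default for it is weak. Both configurations are constructed for the example, and the assumed defaults are those of OpenSSH 5.x; check them against the version actually deployed.

```python
"""Audit an OpenSSH sshd_config against a small hardening baseline (added example)."""
import re

# Hypothetical baseline: directive -> (is the effective value acceptable?, the
# default assumed to apply when the directive is absent). The defaults are the
# OpenSSH 5.x ones; confirm them against sshd_config(5) for the deployed version.
BASELINE = {
    "permitrootlogin":        (lambda v: v == "no", "yes"),
    "passwordauthentication": (lambda v: v == "no", "yes"),
    "permitemptypasswords":   (lambda v: v == "no", "no"),
    "protocol":               (lambda v: v == "2", "2"),
    "x11forwarding":          (lambda v: v == "no", "no"),
    "maxauthtries":           (lambda v: v.isdigit() and int(v) <= 4, "6"),
}

# Constructed configurations for the example: one left on permissive settings,
# one hardened to the baseline above.
WEAK_CONFIG = """\
# sshd_config as often found on a freshly built server
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return {directive (lower-case): value} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # directives after a Match block are conditional; out of scope here
        settings.setdefault(key, value)  # sshd honours the first occurrence of a directive
    return settings


def audit(text, baseline=BASELINE):
    """Return (directive, effective value, 'explicit'|'default') for each weak setting."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (acceptable, default) in baseline.items():
        value = settings.get(key)
        effective = value if value is not None else default
        if not acceptable(effective.lower()):
            findings.append((key, effective, "explicit" if value is not None else "default"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "findings:", audit(cfg) or "none")
```

The weak file yields five findings, four from values written into it and one (MaxAuthTries) from a directive that was never set at all; the hardened file yields none. That last category is the one the paragraph above is really about: a setting the administrator never touched is still a decision, and a check that only looks at what is present in the file will miss it.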
These results are especially important considered in light of the ongoing economic crunch which has caused companies to cut their IT budgets and reduce staff. As they strive to accomplish more with fewer resources, IT departments must rely even more heavily on their vendors to deliver more reliable and secure servers and server OS platforms.
Time is literally money. Even a few minutes of downtime, especially when a hack or a suspected security leak occurs, can result in significant costs and bring internal business operations to a halt. Downtime resulting from a security breach can also undermine a company’s relationships with its customers, suppliers and partners. Unreliability can damage a company’s reputation and cost it business.
