In This Issue

• Executive Director’s Message
• CSIA Calls for Strategic National Information Assurance Policy
• The Council of Europe’s Convention on Cybercrime Ratified
• California Passes Wi-Fi Consumer Notification Law
• CSIA Consumer Data Protection Advocacy Goes Mainstream
• CSIA Newsletter Wins Gold Circle Communications Award
• Congressional Spotlight
• Senator Conrad Burns (R-MT)
  
• Fighting a Global Threat on Individual Internet Use
• CSIA Member Spotlight
• SurfControl plc
  
• Burglar in the Basement
  
• Legislative Update
• Global Perspectives
• CSIA in the News
• Upcoming Events
• Member List
• Contact Us
• Archives
• CSIA Home Page

CSIA Member Spotlight

SurfControl

Name: SurfControl plc

CEO: Patricia Sueltz

Founded: 1997

Headquarters: Scotts Valley, CA

Number of Employees: 500 people in offices across the United States, Europe and Asia/Pacific. 

Total Revenue: £52.46M in 2005

About SurfControl: SurfControl plc (LSE: SRF), makes Internet communication a business advantage – and not a threat. Best-in-class products and solutions help customers achieve business and regulatory compliance, increased security and control, and improved resource efficiency.

SurfControl protects at multiple points of Internet vulnerability: in the "cloud" with on-demand mail and web protection services, at the enterprise gateway with software and appliances, and on the desktop or mobile client. All of SurfControl’s products are backed by industry-leading threat detection technologies, delivered by SurfControl's Global Threat Experts who work 24/7 to provide customers with dynamic zero-day protection. The company has more than 23,000 customers worldwide, 14.5 million users, and employs more than 500 people in offices across Europe, the Americas, and Asia/Pacific.

SurfControl’s vision continues to become more relevant as threats increasingly blend multiple methods of transmission, and extend into more Internet technologies. SurfControl will continue to provide customers with unified threat protection solutions that fit seamlessly into their enterprise security infrastructure, and control threats before they jeopardize the network and the business.

The Burglar in the Basement

By Tim Johnson, SurfControl

Historically, the approach to enterprise security has been to make the fortress bigger - install more products, write more policies. Yet despite heightened security awareness and cutting-edge tools, 2005 was the worst year on record for corporate security breaches. The problem is, attackers are as advanced as the defenders — and the attacks don’t always come from the expected direction.

Inside job

The fact is, the biggest threat to an organization lies within its boundaries. In its 2005 survey, "The Global State of Information Security," PricewaterhouseCoopers found that 33% of Information Security attacks originated from internal employees while 28% came from ex-employees and partners. Law enforcement experts estimate that over 50% of breaches result from employees misusing access privileges, whether maliciously or unwittingly.

One of the key internal corporate threats is spyware, because it’s all too often introduced without malicious intent

So securing the enterprise isn’t just about stopping external threats. It’s just as important to contain the threat from hapless or hazardous employees.

One of the key internal threats to corporates is spyware, because it’s all too often introduced without malicious intent, by employees that naively click through a couple of pop-up browser windows, or install an unapproved yet 'cool' application on the network. The situation isn’t helped by the myths that surround spyware.

Mythbusting

Put simply, to keep the burglars out of the basement, prevent employees from letting them in… Use network Web filters, spyware blockers at network and desktop and spyware installation blockers

There are six common spyware myths:

1. It’s an isolated problem
2. Blocking at the gateway is good enough
3. Locking down the desktop is good enough
4. Drive-by downloads are a primary source of penetration
5. The problem comes from the outside in
6. No one wants spyware

But the truth is somewhat different:

1. Most spyware comes in as the direct result of user behavior, whether that user is naïve or ill-intentioned.
   
   
2. Stuff comes in at the desktop all day long. Blocking at the gateway without securing the desktop PC doesn’t make security sense. It’s like locking the doors and windows of the house - with the burglar still in the basement – and not bothering to call the police. What’s more, gateway defenses cannot detect threats already on desktop PCs.
   
   
3. If "locking down" the desktop and restricting user installation were effective, there would be no need for antivirus software. Spyware is designed to get a
round acceptable use policies and exploits users’ inquisitive nature.


4. "Drive-by downloads" should never occur in a corporate environment, because they come from sites that users should not visit at work.
   
   
5. Sure, spyware comes from outside - because someone opened the door and let it in. Not recognizing this results in a porous security infrastructure.
   
   
6. True, no-one actually wants spyware, but it comes as part of that cool application that users do want. So spyware gets installed anyway.

Spy trap

So what can companies do to minimize internal threats? First, make a Web filter a required part of the network security arsenal. This should prohibit users from visiting known spyware and ‘drive-by download’ sites.

Second, deploy an effective email filter that blocks spyware from entering the network via active HTML, attachments, phishing and spam. There also needs to be protection at the desktop to stop spyware as it’s introduced.

Lastly, implement a solution that disallows running or installing programs that in turn install spyware.

Put simply, to keep the burglar out of the basement, organizations need to remove the ability for employees to let burglars in. They need to implement tamper-proof solutions that users cannot easily evade – no matter what the external inducements.