McAfee’s latest Threats Report shows a 1.5 million increase in malware since last quarter. 2012 is, in fact, far and away the busiest year ever for malware, with an estimated total of 100 million malware samples worldwide by Q3 2012.
With the malware growth rate up nearly 100,000 per day, McAfee has identified key variations of malware affecting everyone, including mobile malware, Twitter hackers, web threats and, specifically, ransomware.
Data can sometimes be held hostage with the help of “ransomware,” also known as “ransom software.” This software infiltrates your computer when you download an infected attachment or click a link within the body of an email. You can also get ransomware simply by visiting the wrong website, in what is called a “drive-by.”
Once your computer or mobile device is infected with ransomware, it locks down your files to prevent you from accessing them and gives a hacker full control of your machine. Sometimes the ransomware poses as a “Browser Security” or “Anti-Adware” security product whose license has expired. Computers running Windows that are infected by ransomware are confronted by a full-screen message that resembles a Windows “error alert”.
Ransomware is not common, but it’s definitely a rising malware threat. The best way to avoid ransomware is to make sure that your computer is running the most current version of your operating system and has updated antivirus software. It’s also very important not to click on links in the body of an email or visit unfamiliar websites that may contain viruses that will attempt to inject themselves through any security vulnerabilities in your browser.
As PC malware writers master their craft, they are transferring their skills to other popular consumer and business platforms, such as Android devices. After the mobile malware “explosion” in Q1 2012, Android malware shows no signs of slowing down, putting users on high alert.
While malware most typically affects PCs due to Windows software, malware can be written for any operating system and platform. Cautioning all Mac fans that they too are susceptible to malware, the McAfee Threat Report notes Mac malware’s steady growth, with more than 100 new samples over Q1 2012.
Users must understand how criminals use psychology with lures of easy money. The most effective way to protect yourself is to install a full suite of security protection on your computer so your money and your information remain guarded.
Robert Siciliano is an Online Security Evangelist to McAfee.
McAfee’s latest Threats Report shows growth in malicious websites, which are replacing botnets as the primary infection mechanism. This means that simply by visiting a website you could be exposed to malicious content that can harm your computer, mobile device, finances or identity.
Websites earn bad reputations by hosting malicious software (malware), potentially unwanted programs, or phishing sites. By the end of June 2012, the total number of bad URLs referenced by McAfee Labs™ overtook 36 million! This quarter McAfee recorded an average of 2.7 million new bad URLs per month. Of the new bad-reputation URLs, 94.2% host malware that has been specifically designed to hijack your computer.
It is important to make sure you are aware of things that can happen when you are exposed to a malicious site. The web is a dangerous place for the uninformed and unprotected. Protect yourself:
Make sure your OS is updated: Keeping your operating system updated is a must to protect against security threats. The updates protect you from any known holes that could expose you.
Keep your browser updated: Running the latest version of the browser also helps to protect you against threats that you could be exposed to.
Use security software: Having up-to-date comprehensive security software is a must. It should include antivirus, anti-spyware, anti-spam, anti-phishing, a firewall and a safe search tool.
Use strong passwords: Little yellow sticky notes on your monitor with your passwords aren’t good. Use a combination of upper and lower case letters, numbers and symbols that is at least 8 characters in length. Also use different passwords for each of your accounts and, if possible, consider changing them every 6 months.
Stay educated: Make sure you stay up to date on the latest tricks and tools that hackers use by reading blogs, and getting tips from trusted security sources.
Robert Siciliano is an Online Security Evangelist to McAfee.
Consumers with smartphones understand they are carrying around the functions of a computer, but most users are unaware that smartphones are susceptible to the same security threats that plague laptops and desktops.
As more online retailers introduce mobile e-commerce applications, criminal hackers are taking notice. Existing mobile operating systems are under attack and, like standard PC operating systems, they sometimes fail to provide the necessary security to support a payment application.
Malicious software (malware) can invade a device when consumers click a malicious link in a text message or email, surf a risky website or download a potentially unsafe app. Once the device is infected, malware allows the collection of data from the device, such as location information, financial information, and login credentials.
Verizon Wireless has always protected devices on its network using sophisticated network intrusion and data analysis tools. Now they will extend their network security to customers with the introduction of Verizon Mobile Security, an application that helps secure and protect Android smartphones against digital and physical threats.
The new offering covers concerns such as device infection, misplacement or loss, reaffirming Verizon Wireless’ commitment to protect its customers, devices and network by providing resources with robust security capabilities. Representing the next level of protection, Verizon Mobile Security, co-developed by Asurion and McAfee, is available on Android smartphones running Android 2.1 or higher.
To help protect yourself, I also recommend:
Refrain from clicking links in text messages or emails, especially if they are from someone you don’t know
Set your smartphone to lock automatically and unlock only when you enter a PIN
Keep your phone’s operating system updated with the latest patches
Invest in mobile security protection, which includes antivirus, for your smartphone
Robert Siciliano is an Online Security Evangelist to McAfee.
In the real world there is little difference between an employer’s issued device and a personal mobile device. The most important difference should be that a digital device issued by your employer requires and should have a “company mobile liability policy”. Businesses generally provide and pay for employee mobile devices, and also strictly dictate what you can or cannot do on the device. For IT security reasons, the employer may have remote capabilities to monitor activity and in the event of loss or employee termination wipe the data.
“Mobile device security policies” are for the BYOD or “Bring Your Own Device” employees. The employee may pay for the device and its monthly plan, but the employer has also imposed security restrictions and limitations on employees who use their personal devices at work. If you choose to use your personal device for employment purposes at any time for any reason, then your employer may take control over that device to protect itself. In a company mobile liability policy, the employer often has remote capabilities to monitor activity and, in the event of loss or employee termination, wipe the data.
A recent study shows fewer than 10% of BYOD employees auto-lock their tablets; people were more security-savvy about their smartphones, with 25% locking.
Most employee issued mobile management software will require the device to be locked and the password to be changed quarterly. These mobile device security programs tell you in the terms and conditions that the contents of the device are subject to being monitored and that at any time the device can be wiped by the employer.
The employer is liable for potentially lost data on your mobile. So, to maintain security in a BYOD world, plan on giving up some liberties.
Cloud computing continues to have a significant impact on the way enterprises operate, and companies are increasingly migrating to the cloud as a result of its value. But security and data privacy concerns are critical issues to consider before adopting cloud-computing services. Security Considerations for Cloud Computing, a new book from global nonprofit IT association ISACA, presents practical guidance for IT and business professionals to help them securely move to the cloud.
The book, available as a complimentary download for ISACA members and at $75 for nonmembers, details how cloud computing will gain importance as both the cloud and cloud-service-provider markets mature. Particularly in times of cost optimization and economic downturn, the cloud can be perceived as a more cost-effective approach to technological support of the enterprise.
Before migrating to the cloud, however, ISACA recommends considering the following factors, which can increase risk:
· Transborder legal requirements—Cloud-service providers are often transborder, and different countries have different legal requirements, especially concerning personal or private information.
· Absence of disaster-recovery plans—The absence of proper backup procedures implies a high risk for any enterprise.
· Physical security of computer resources—Physical computer resources can be shared with other entities in the cloud. If physical access to the cloud-service provider’s infrastructure is granted to one entity, that entity could potentially access information assets of other entities.
· Data disposal—Proper disposal of data is imperative to prevent unauthorized disclosure.
· Cloud provider authenticity—Although communications between the enterprise and the cloud provider can be secured with technical means, it is important to verify the identity of the cloud provider to ensure that it is not an imposter.
Just as cloud computing is about more than just IT infrastructures, platforms and applications, the developers of Security Considerations for Cloud Computing stress that the decision to operate in the cloud should not be made solely by IT organizations. The use of cloud services might entail high risk for the business and should be evaluated by responsible parties from the different control functions within an enterprise.
“Cloud computing can present a number of challenges and risks with respect to security, privacy and trust,” said Yves Le Roux, CISM, principal consultant with CA Technologies and a member of the publication’s development team. “This book gives practical guidance to prospective cloud users on issues that must be addressed by business management and those responsible for ensuring the protection of information and business processes when selecting or implementing a cloud solution.”
Security Considerations for Cloud Computing is designed to enable effective analysis and measurement of risk through a tool kit that contains items such as decision trees and checklists outlining the security factors to be considered when evaluating the cloud as a potential solution.
Additional information is available at www.isaca.org/cloud
Most of us have heard the saying “It’s 2am, what are your kids doing?” and you may know, but do you know what your mobile apps are doing? I know before I started working in the industry, I would not have given a second thought to this, but consider this.
Why would an app designed to monitor your mobile’s battery need to know your location via your GPS? How come some gaming applications ask users for their phone numbers? Mobile applications, especially free ones, require some level of your personal data in order to supplement development costs. This means “free” isn’t exactly free.
Unsurprisingly, 97% of users don’t understand how permissions correspond to the risk of an app. The consequence of not knowing is that once you share your personal data, it can be used, and sometimes abused, and is out of your control forever.
If it’s digital, then it’s also “repeatable” and can be copied, pasted, duplicated and sent an infinite number of times. For example, 18.3 million US adult smartphone owners have looked up medical information, and 32.5 million US adult smartphone owners access banking information. Using applications that don’t care much about your privacy can expose this data.
Android applications can ask for 124 types of permissions, and with these permissions someone can turn on your camera; monitor, modify or even kill outgoing calls; record images of your screen while you enter personal information; monitor and view texts or pictures; and, even scarier, capture conversations in the room when no call is active!
What’s troubling is 33% of apps ask for more permissions than they need, 42% of users don’t know what these permissions are and 83% of users don’t pay attention to permissions when installing an app. This all adds up to needing to know what your apps are doing.
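The check described above, comparing what an app asks for with what its purpose needs, can be automated. The Python code below is an added example, not part of the original post or any McAfee product: it reads a decoded AndroidManifest.xml and flags sensitive permissions that fall outside a baseline for the app's category. The sample manifest, the package name, the category baselines and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names for the capabilities the article lists;
# the descriptions are this example's own wording.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.READ_PHONE_STATE": "phone number and device identity",
    "android.permission.CAMERA": "turn on the camera",
    "android.permission.RECORD_AUDIO": "capture audio when no call is active",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.PROCESS_OUTGOING_CALLS": "monitor or cancel outgoing calls",
}

# Assumption: baselines chosen for this example, not an official list.
BASELINES = {
    "battery_monitor": {"android.permission.BATTERY_STATS"},
    "navigation": {"android.permission.ACCESS_FINE_LOCATION",
                   "android.permission.INTERNET"},
}

# Constructed sample: a manifest already decoded to text XML
# (manifests inside an APK are stored in a binary XML form).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterywatch">
  <uses-permission android:name="android.permission.BATTERY_STATS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    found = set()
    # Both element names declare a requested permission; a set removes repeats.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                found.add(name.strip())
    return found


def audit(manifest_xml, category):
    """Split permissions beyond the baseline into sensitive and other."""
    extra = requested_permissions(manifest_xml) - BASELINES[category]
    flagged = [(p, SENSITIVE[p]) for p in sorted(extra) if p in SENSITIVE]
    other = sorted(p for p in extra if p not in SENSITIVE)
    return flagged, other


if __name__ == "__main__":
    flagged, other = audit(SAMPLE_MANIFEST, "battery_monitor")
    for perm, why in flagged:
        print(f"UNEXPECTED {perm}: {why}")
    for perm in other:
        print(f"review     {perm}")
```

For the constructed battery-monitor manifest, the location and phone-state requests are flagged, which is the mismatch the post asks about.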
To help you protect your privacy and identity when using apps you should:
Research apps by checking their ratings and reviews before you download
Only download apps from reputable app stores
Read the Terms of Service (TOS) to determine what data the app is going to access on your mobile device.
Use a comprehensive mobile security app with app privacy features, such as McAfee Mobile Security, that will provide insight into the activity and safety of your apps
Robert Siciliano is an Online Security Evangelist to McAfee.
If you told me 10 years ago that mobile phone security was going to be a huge issue I would have told you to put down your cocktail and give me your keys. Back then all we had was feature phones or “dumb phones” and your phone was high tech if it had games on it or you could get pictures via text message.
Of course, today we have smartphones, and the actual phone function is just one of many features. Today’s mobile devices are high-powered mini personal computers that have most, if not all, of the capabilities of a desktop computer, and many more.
So I eat crow when I tell you that McAfee Mobile Security was the first mobile security app to combine antivirus, anti-theft, web and app protection and call/text filtering. It also recently surpassed one million downloads on Google Play.
The Android operating system is the most popular target for writers of mobile malware—including text-sending malware, mobile botnets, spyware, and destructive Trojans. In fact, Android apps can ask for over 100 different types of permissions—and these apps could be invading your privacy and exposing your personal life.
McAfee Mobile Security provides Android smartphone and tablet owners with additional privacy features that help them ensure apps are not accessing their personal information without their knowledge. The app protection feature gives consumers access to an added layer of protection to preserve their privacy and protection against financial fraud, identity theft and viruses. It also checks against a URL reputation database, part of McAfee’s Global Threat Intelligence network, and reports the apps that are associated with and/or may be sending personal data to risky sites, such as adware and spyware networks.
To protect your personal information, finances and privacy from being exposed through apps:
Research apps and their publishers thoroughly and check the ratings before installing.
Purchase apps from a well-known reputable app store market
Watch for permissions (stay away from installing apps that don’t look right)
Install comprehensive mobile security on your mobile device
Robert Siciliano is an Online Security Evangelist to McAfee.
The past 24 months have seen a number of man-made and natural disasters bring risk management demands to the forefront of executives and board directors. Whether these have been natural disasters, such as the Japanese Tsunami or man-made disasters, such as the Gulf of Mexico oil spill, fat-tail disasters have created a renewed interest in enterprise risk management (ERM) practices.
Although demand for these practices and the discussion level for their use is high inside the C-suite of many corporations and private enterprises, studies have shown that there is a discontinuity of both talent and practice in Western economies. So, how can organizations ensure a culture of risk awareness is put into place?
“Get a commitment from senior management that encouraging a risk culture throughout the organization is a priority. Put together a communication strategy that can include newsletters, lunch-and-learns, speaking at head office and regional business meetings. Look at the gaps or challenges in your Risk Appetite and Material Risks for ideas on where to focus your efforts” says Diana L. Graham, Chief Risk Officer at ResMor Trust Company.
marcus evans spoke to Ms. Graham, before the forthcoming 2nd Annual Enterprise Risk Management Canada Conference, October 2-3, 2012 in Toronto, Canada. Within her role at ResMor Trust, she has built a successful internal risk culture involving individuals from every level of the organization. Key to this success is developing transparency across these risk buckets to enhance communication and minimize potential gap risk from falling through the cracks.
“Ideally, risk management would be included as a business stakeholder in budgeting decisions when areas seek to streamline operations resulting in the elimination or weakening of controls” says Graham.
“Risk management should be an influencing stakeholder regarding certain compensation decisions, i.e., risk management targets in areas outside risk management and weighting of the risk management segment in balanced scorecards. Additionally, risk management should sign-off on all new product/new business decisions” says Graham.
Companies in Canada are in a unique position because they are in various levels of implementing enterprise risk strategies within their organizations. The key to the success of establishing an enterprise risk management (ERM) framework lies within the creation of risk appetite and tolerance levels across risk buckets.
“Canadian companies tend to be more conservative than those in the US, so there may be more of a foundation in place across the organization. Generally, I have found that there is a “healthy tension” among stakeholders in Canada as opposed to that found in the US in building a risk culture” says Graham. While the need to incorporate the Board of Directors within the ERM framework is a global challenge, Canadian companies’ cultures are more open to implementing risk structures and processes at every level of the organization.
Diana Graham has been Chief Risk Officer at ResMor Trust Company since January, 2010. Prior to this, she worked on behalf of the FDIC in the closure of US banks, and in senior risk management positions in large US and Canadian financial institutions. Ms. Graham received her MBA from New York University, Stern School of Business.
For more information, please contact Michele Westergaard at 312-540-3000 ext. 6625.