Thursday, June 25, 2009

7 Things Every CEO Should Know About Information Security

In today's technology-savvy business environment, organizations enjoy a high level of comfort in their daily operations. However, are the CEOs aware of the significance of the IT security infrastructure to their organizations, even though it ranks among their organizations' top expenses?

I have always believed that the role of IT security in an organization becomes more and more important as the organization continues to grow. Why? As I said: “An IT security breach may cost an organization a fortune, not only financially but by ruining its corporate image and losing its customers' confidence”. The effort and the results your organization developed after spending millions of dollars may vanish at once when your customers' confidential information or identities are sold for RM1 because of an information breach.

At this time, IT security employees will never share the mindset of their top management. All the time, the C-level management of an organization focuses only on developing and expanding the business. They will never be concerned about the IT infrastructure, as they are not aware of the importance of IT security. Unless… something bad really happens to them, their competitor or their business partner, but by then it may be too late.

Therefore, I would like to recommend this informative and educational video to all C-level management: 7 Things Every CEO Should Know About Information Security, from Pat Clawson, Chairman & CEO, Lumension Security.



Monday, April 13, 2009

SMALL and MEDIUM Business, BIG Investment?



Today, investment in IT security is no longer solely the big players' concern. After investing huge funds in their IT security systems, the big players have managed to shed their status as the main target of cyber criminals. With the best hardware, software and a well-trained workforce in place, cyber criminals have difficulty breaking through their well-built defenses. As a result, cyber criminals have switched their target from the big players to small and medium businesses.

Instead of surrendering to the cyber criminals, many small and medium businesses have decided to take up the challenge and prepare to do battle with them. Many small and medium businesses have increased their IT security budgets in order to upgrade their IT security systems and train their IT security workforce.

According to the “The Global State Of Information Security 2008” report, investment in IT security is going up, especially in medium businesses. A small number of businesses did decrease their IT security budget: 4% of small businesses, 5% of medium businesses and 7% of the big players. However, 46% of small businesses, 55% of medium businesses and 50% of the big players decided to increase their IT security budget. This is a clear sign of the increasing importance of IT security to today's businesses. Size Does Not Matter When It Comes To IT Security!


References: The Global State Of Information Security 2008 – A Joint Research Project of CIO and CSO in partnership with PricewaterhouseCoopers

Is E-mail charm or harm?

E-mail (electronic mail) is possibly the greatest invention in online communication. It is an easy, quick and relatively low-cost means of communication for both personal and business use. With the expanding number of Internet users worldwide and continued technology enhancements, e-mail has emerged as the main medium for information exchange and document delivery.

With billions of e-mail transactions daily, it has created a pathway for cyber criminals to deliver malware into targeted network systems. Malware is among the most menacing software: it is designed to damage a computer system and open a pathway for unauthorized access to the computer's data storage.

Although many organizations have installed firewall systems to prevent intrusion and unauthorized access to their networks, every security system has its own loophole, and so does the firewall. A firewall may be effective at filtering malware-carrying e-mails from unauthorized users, yet it is defenseless at sorting out threats from authorized senders. The firewall does not look into the content of authorized users' e-mails; therefore malware can enter an organization's network via e-mails from business partners, product or information enquirers, employees' personal e-mail and many more.

Obviously, a firewall system cannot completely stop cyber criminals from breaching an organization's security. Though it is important to constantly update the organization's security software and hardware tools, consistent training of the IT workforce must not be overlooked. An excellent IT security infrastructure combines the finest, up-to-date security software and hardware with a well-trained IT workforce.
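As an added illustration (not code from the original post), the following Python script shows the kind of content inspection a mail gateway performs on attachments regardless of who sent the message, which is exactly the gap the post says a perimeter firewall leaves open. The sample message, the addresses, the extension list and the file signatures are constructed for the example and are not from the post.

```python
"""Content inspection of inbound mail attachments.

Added example (not code from the original post): a minimal mail-gateway
check that looks at attachment content no matter who the sender is.
The message parsed below is constructed inline for the demonstration.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions and byte signatures treated as executable content.
# Assumptions for the example, not an exhaustive list.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"           # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"  # archive that may wrap an executable


def inspect_attachment(part):
    """Return a list of findings for one MIME part (empty means clean)."""
    findings = []
    name = (part.get_filename() or "").lower()
    data = part.get_payload(decode=True) or b""

    # 1. Double extensions such as "invoice.pdf.exe": judge by the real last suffix.
    suffix = name[name.rfind("."):] if "." in name else ""
    if suffix in BLOCKED_EXTENSIONS:
        findings.append(f"blocked extension {suffix} on {name!r}")

    # 2. The declared type says document, but the bytes say executable or archive.
    if data.startswith(PE_MAGIC):
        findings.append(f"PE executable content in {name!r}")
    elif data.startswith(ZIP_MAGIC):
        findings.append(f"archive content in {name!r} (needs nested scan)")
    return findings


def inspect_message(raw: bytes):
    """Parse a raw RFC 5322 message and return findings across all attachments.

    The sender address is deliberately not consulted: a partner's or a
    colleague's address does not make the payload safe.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        findings.extend(inspect_attachment(part))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a message from a trusted-looking partner address
    carrying a benign text file and a disguised executable."""
    msg = EmailMessage()
    msg["From"] = "accounts@partner.example"   # placeholder address
    msg["To"] = "finance@corp.example"         # placeholder address
    msg["Subject"] = "Invoice for April"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment("Totals: 1,200.00", filename="summary.txt")
    # Bytes start with the PE header while the name pretends to be a PDF.
    msg.add_attachment(PE_MAGIC + b"\x90\x00" * 16, maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print("QUARANTINE:", finding)
```

The check keys on the attachment's real final extension and on the leading bytes rather than on the declared MIME type or the sender, because both of the latter are under the sender's control; a production gateway would add nested archive scanning and a malware engine behind this first pass.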

About Malware

There is a wide range of malware in today's cyber world, but Trojan/Agent and Trojan/Invo gathered IT professionals' attention throughout 2008. According to the Sophos Security Threat Report: 2009, Trojan/Agent and Trojan/Invo dominated e-mail attachment-based malware in 2008. With Trojan/Agent's 31% and Trojan/Invo's 18.1%, they together accounted for approximately half of today's e-mail attachment-based malware, a combined 49.1%.



Malware Characteristic

According to Sunbelt Malware Research Labs, malware can be defined by three characteristics:


  1. A malware program installs itself on a user's computer without the user realizing it is being installed.

  2. Malware provides the user with no easy way to uninstall it. It posts no listing in the Add/Remove Programs section and often installs a “helper” program that re-downloads and reinstalls the application if the malware is removed.

  3. Malware has the ability to track what the user does with the infected computer and to carry out various other malicious activities.

Source: research.sunbelt-software.com

Saturday, April 11, 2009

Password is no longer a trustworthy security?!

In the 1990s, a six-character password was an extremely reliable and defensible authentication measure against cyber criminals. Ten years later, computer users were forced to move to eight-character passwords, because faster computers had shortened the breaching process. Today, computer users are starting to ask: IS A PASSWORD STILL TRUSTWORTHY SECURITY?

Advancing technology has pushed the computer beyond its limits again and again; on the other hand, password breaching has become easier. By running highly developed dictionary attack software on today's advanced computers, cyber criminals are able to test thousands of passwords per second.


What is Dictionary Attack?

“A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. A dictionary attack can also be used in an attempt to find the key necessary to decrypt an encrypted message or document”.

Source: Dictionary Attack

At the same time, humans have limits on managing passwords. A complicated password of ten characters or more is hard to remember. Changing passwords from time to time would trap you with thousands of passwords, and the worst part is that computer users have more than one account password to remember. Nowadays, computer users are in the habit of writing down all their passwords on a piece of paper or in a diary; this is an effective way to retain the passwords. Still, it is not a perfect method for overcoming the problem, as a piece of paper is easy to lose while a diary is always a target for physical information theft.

These negative facts have caused computer users to perceive the password as an outdated and defenseless security measure against cyber criminals equipped with up-to-date hardware and software. However, this perception is wide of the mark, and the truth is more complex. To date, the password is still a credible and effective measure for many applications, but computer users need to use it wisely.

The hint for being a wise password user is not to use a common name, place, phonetic spelling or any word contained in a dictionary as your password. If you think that using a foreign language would be safe, you are seriously underestimating the cyber criminals. Cyber criminals are much smarter than you can imagine; they will apply multiple dictionary attacks in different languages to breach the defense. Computer users need to spend some time to come up with a “self-made” word of nine characters or more: a non-existent word that carries a specific meaning for the user.

For example: John can use tiJ0HNyep as the password for his Yahoo e-mail. This sample password stays clear of dictionary attack detection while carrying a special meaning for John: tiJ0HNyep stands for “This Is John's Yahoo E-mail Password”. A combination of upper case letters, lower case letters, numbers and special characters would make a perfect password.

A password can still perform its security function effectively, yet it depends on how computer users utilize it. Computer users need to keep themselves up to date with IT security and breaching knowledge constantly. Without the knowledge to make the most of the security tools, even the greatest IT security hardware and software are ineffective at stopping cyber criminals from breaching your confidential data.