From CNet

IT managers in small and midsize businesses blame their fellow workers for online security breaches–despite the fact many small enterprises still don’t enforce Web usage policies.

More than a fourth of European IT managers in small businesses said they believe that company employees are responsible for security problems, according to research commissioned by security software company Websense.

The most frustrating problem for IT managers is employee behavior (cited by nearly a third of managers), followed by security not being high enough on the corporate agenda and then budget constraints.

The survey found that nearly a third of employees said they need to access sites known to present a high security risk, such as peer-to-peer services and free software-downloading sites.

Site

There are some days (usually when I work from home) where I have a moment of pause and reflect on some of the pearls of wisdom I have gathered over the years. Here is a sampling of some of my favourites. Enjoy.

* “Of course it’s secure, we have a firewall.” (comment made by a Fortune 500 VP)
* “We have two factor authentication, a) username b) password”
* “We don’t need to harden internal servers, we have a firewall”
* ‘UDP is far more reliable than TCP” (a former CTO imparted that one)
* “No one can hack the application because it uses SSL”
* “Disable “view source” in the browser to secure the application”
* “Just disable the users telnet client” (comment made in relation to an internet facing ecommerce app)
* “Just fdisk the hard drive to wipe the data” (made prior to disposal)
* “I have a complicated SSID that people will not be able to guess” (indeed)
* “That’s not the way the application is supposed to work so, users will not see that behaviour.”
* “Cross Site Scripting? Just disable javascript.” (Sigh)
* “You can see that data because you are using a proxy. If you go directly to the web app it is secure.”
* “The storage tapes do not have to be encrypted because no one will have a device to read these tapes.”
* “We use base64 encryption.”
* “Oracle 8 is totally secure. There is no reason to upgrade.”
* “Yes, I know what a cross over cable looks like”
* “It’s 100% secure.”

Site

Monster.com waited five days to tell its users about a security breach that resulted in the theft of confidential information from some 1.3 million job seekers, a company executive told Reuters on Thursday.

Hackers broke into the U.S. online recruitment site’s password-protected resume library using credentials that Monster Worldwide Inc said were stolen from its clients, in one of the biggest Internet security breaches in recent memory.

They launched the attack using two servers at a Web-hosting company in Ukraine and a group of personal computers that the hackers controlled after infecting them with a malicious software program known as Infostealer.Monstres, said Patrick Manzo, vice president of compliance and fraud prevention for Monster, in a phone interview.

The company first learned of the problem on August 17, when investigators with Internet security company Symantec Corp told Monster it was under attack, Manzo said.

“In terms of figuring out what the issue was, that was a relatively quick process,” he said. “The other issue is you want to make sure exactly what you are dealing with.”

Site

A recent poll by vendor Credant Technologies Inc. found that 88% of employee laptops carry sensitive information; everything from patient, customer and employee records to intellectual property, financial data and passwords. Between business risks, security breach headlines and regulatory compliance, companies have plenty of motivation to use encryption as a last line of defense against data leaks that result from laptop theft or loss. But which laptop encryption approach would work best for your company’s workforce?

Site