Unfortunately that’s a significant challenge — and the majority of websites are vulnerable to hacks, according to a new report from WhiteHat Security.

Attacking websites is one of the preferred methods for hackers — it’s one way for them to steal a company’s data, and they also often compromise trusted sites to spread malware or launch other attacks.

And it isn’t too hard for hackers to find websites they can attack. In fact, 86% of websites have at least one serious vulnerability that could be exploited by cyber attackers, based on data collected from thousands of websites managed by 650 WhiteHat customers.

The most common vulnerabilities discovered by the study were:

1. Information leakage (55% of sites were vulnerable)
2. Cross-site scripting (53%)
3. Content spoofing (33%)
4. Brute force attacks (26%)
5. Cross-site request forgery (26%)
6. Fingerprinting (23%)
7. Insufficient transport layer protection (22%)
8. Session fixation (14%)
9. URL redirector abuse (13%)
10. Insufficient authorization (11%)
11. Directory indexing (11%)
12. Abuse of functionality (9%)
13. Predictable resource location (8%)
14. SQL injection (7%)
15. HTTP response splitting (4%)

What IT can do

The study points out that many of the practices companies follow to keep their websites secure may not be working that well. For example, organizations that used Web Application Firewalls had 11% more vulnerabilities than those that didn’t, and companies that conducted static-code testing on their sites had 15% more bugs.

While preventing all security problems is impossible, one thing IT departments can do better is monitor their sites to find and patch those bugs quickly. The bugs discovered in WhiteHat’s study were fixed within 30 days in just 18% of cases.

Another key: Offer security training to the employees who are developing the websites. Companies that did experienced 40% fewer vulnerabilities and fixed problems 59% faster than others.

In addition, it’s important to keep an updated inventory of all the websites the company operates. In many cases, according to WhiteHat’s report, vulnerabilities aren’t fixed because a site is expected to be decommissioned – but then the site is forgotten about and stays online.

Someone within the IT department should be given responsibility for managing that inventory and seeing that all sites are kept patched or taken offline when they’re no longer needed.

The post The top vulnerabilities leaving websites open to hackers appeared first on IT Manager Daily.

_____________________________________________________________

If you want to move into a career in IT there are a few basics that you should make sure you have covered before you apply for any jobs. Although experience and qualification are of course a big factor in making you a valuable candidate, there are other skills that an employer may look for that can make you stand out from the crowd.

Many IT jobs involve teams jumping on and off various tasks, and this means that an individual’s skill set should cover a broad range of basic topics. Now by basic, we don’t mean knowing how to type up a Word document, we mean what an IT firm owner would consider. That may include:

1. Photoshop

Photoshop is a brilliant tool for editing images, developing graphics and all round makes producing media for various things easy. In areas such as web design, by learning how to use at least some of the tools of the software you will be sure to put yourself ahead of the competition.

If you’re going for a designer’s position, you should seriously consider purchasing a copy and getting to grips with it. There are plenty of published works you can get hold of.

2. Multivariate data analysis

If you want to move into a position that involves the production of websites, you should make sure that you understand various methods of testing their effectiveness once they go live. This includes A/B Split and Multivariate Data Testing (see Camo if you want to learn about software you can use).

Both of these analyse the way certain elements of a site affect the way people visiting the sites respond to them. This can include using different text, using different colors or deciding whether to use images or a block of text. This is especially good to know if you’re looking to move into work where design and testing website responsiveness is a big part of the role.

3. Social media

It’s valuable to understand how Social Media works and how different sites can benefit businesses if they begin to use them. Clue up on sites such as Pinterest and Tumblr which are on the rise for business use to keep yourself ahead of the game.

4. Spreadsheets

Brush up on your Excel skills. The difference between being able to use the program and being able to master it could make the difference between you getting a job and someone else being taken on. If you can learn how to use various functions, you’ll be surprised at what you can do in terms of managing data in a new role. Explaining the skills you have to a potential employer will more than likely work in your favor.

Remember, you shouldn’t ever try and overestimate your skills when going into a new job, and honesty is always the best policy. If you exaggerate on your abilities you may come under scrutiny later down the line. Be yourself, and make the most of your opportunity.

About the Author: Katie Belliveau loves blogging and helping people make the most of the Internet. She regularly blogs on Social Media, Online Marketing and IT.

The post 4 skills everyone in the IT sector should have appeared first on IT Manager Daily.

While a strong information security stance will help keep businesses running after data breaches, the real goal to prevent the attack from happening in the first place.

However, the unfortunate truth is that, until a breach happens and money and confidential data are lost, many businesses don’t take information security seriously. Often, the reason is a lack of resources.

But preventing security attacks — both technical and physical — is critical for protecting the business’s bottom line. Here are some key — and cost-effective — strategies that businesses should have covered in order to minimize the threat of an attack:

1. Communicate

One strategy that costs nothing is communication. Data breaches often happen because people do not communicate enough. You should put procedures in place for checking visitor authenticity and access to your business and systems. This could range from asking your staff to have a clear desk policy requiring them to file away papers at the end of the day to asking staff to lock computers when they’re away from their desks.

2. Check on the staff

Be certain that your employees and others throughout the company know where their responsibilities lie, and well as how to recognize attempted hacks and scams. A short period of time out of the normal working day spent training them on these issues can really make a difference.

You should also audit your staff regularly – employees often pose the greatest threat to a security breach. According to ISO 27002’s code of practice, this is a sure-fire way of protecting your business.

3. Protect keys

A common cause of physical break-ins is an employee leaving the company without returning a key. Having several people as key holders is a good idea, as is knowing where all keys are at any time and removing access to technical systems when an employee leaves.

4. Don’t be soft on software

Evolving businesses should always be freshening up their systems with new programs and software initiatives, but they don’t always uninstall old and unused applications quite so quickly. Outdated applications often carry security issues and don’t meet modern day security requirements. Equally important is installing effective anti-virus programs.

5. Keep servers separate

A frequent security faux pas is that businesses don’t do enough to ensure that any attackers who do crack the system are not welcomed into the very core of the business. Web servers should always be segmented from main file servers for this reason.

The future of information security

To prevent your business from being one of the break-in statistics, make sure you apply the three ‘A’s to your business’s security strategies – authentication, authorization and accountability.

Your authentication procedures should also take a multi-level approach. For example, by using knowledge (such as a password), possession (a key or swipe card) and embodiment (the person’s fingerprints) as levels of security for every member of staff, you can drastically reduce threats to your business.

Remember to take a balanced approach to security. A conglomerate is unlikely to have identical security needs to a sole trader’s café. Above all, communication will help to make sure your security measures are put into place properly.

About the author: Beverly James works for Acumin, an international recruitment specialist offering executive searches in areas such as Penetration Testing, Information Security and Risk Management, Technical Security, and Governance and Compliance. Acumin was established in 1998 and is the host of RANT (Risk and Network Threat Forum), an event which provides regular, informal networking opportunities for senior-level professionals operating in London’s Risk Management and Information Security market. As an international specialist in IT security recruitment, Acumin works with clients across Europe, the UK, and the United States. Find out more at www.acumin.co.uk

The post 5 cost-effective ways to beef up IT security in your business appeared first on IT Manager Daily.

Click here to learn more!  

The post Practical Guidance for Evaluating and Simplifying Your Business Continuity Program Requirements appeared first on IT Manager Daily.

Click here to learn more!  

The post Finding the Best Phone Systems Companies appeared first on IT Manager Daily.

Many common password security rules are built around incorrect or outdated understandings of how password protection works. But as hackers’ methods evolve, password practices must do the same.

Here are a few of the most common password security myths many companies still believe:

1. Special characters are what matters

Users are often advised to create passwords using a variety of character types — capital and lowercase letters, punctuation marks, etc. The thinking goes that when the character set is limited to just lowercase letters, passwords are easier to guess in brute force or dictionary attacks.

While that makes sense, incorporating variety doesn’t have nearly as big an impact as simply increasing the length of the password, according to a new infographic posted by McAfee’s Robert Siciliano.

The security firm offers the example of the password “Br3ak1ead&7″. If a hacker used a software tool that could guess 1,000 passwords per second, it would take three days to crack the account.

In comparison, the password “thunder showers before sunset” would take 550 years to crack using the same tool. On the surface, it seems simpler, but the greatly increased length makes a big difference.

McAfee recommends using multi-word phrases, with spaces between words when sites allow them, and dashes when they don’t.

2. Password checkers guarantee complexity

Many websites and software programs try to enforce password security by requiring passwords of a certain length and with certain elements.

For example, Microsoft’s Active Directory requires passwords to be at least six characters, and use three out of the five character types (lowercase letters, capital letters, numbers, non-alphanumeric characters, and Unicode characters).

So what do many business users choose for a password? “Password1“, according to a study from IT security firm Trustwave. It’s technically “complex” enough to meet the software’s requirements, but it would still be easy for a hacker to guess.

3. IT employees know better

Actually, IT staffers likely know better than regular end users why secure passwords are important — but that doesn’t always mean they behave as if they do.

Many cyber attacks are carried out by exploiting the default passwords used for networking equipment, software systems and other items administered by IT departments. For example, a group of TV stations recently had their emergency broadcast systems infiltrated because their IT employees never changed the passwords for some equipment after it was shipped by the manufacturer.

IT departments need to set a good example regarding password security. That means making sure tech employees choose strong passwords for themselves, as well as that users are given accounts protected by strong passwords. For example, if a new employee starts and the password for her email account is “12345″, that sends a bad message about the importance of secure passwords.

4. Mandatory password resets are necessary

Some organizations require users to periodically change the passwords for their accounts. However, that may be an outdated way to enforce password security, according to Paul Ducklin and Chester Wisniewski of Sophos.

In fact, those requirements can be a negative because they force users to choose simpler passwords that are easier to remember. The only time users really need to change their passwords? When there’s reason to believe their credentials have been compromised, Ducklin and Wisniewski say.

5. What’s true about password protection today will remain true

One thing to keep in mind as IT departments set password security rules: Hackers’ methods for getting into accounts are evolving along with password protection trends.

New tools can help cyber criminals crack more difficult passwords. For example, security researchers at Carnegie Melon University recently demonstrated a new password-cracking algorithm that can understand grammar to crack passwords built from phrases.

The key to better password protection: Continually update policies and tips for choosing secure passwords. And, as many experts point out, it may be time to stop relying so heavily on passwords and use other methods such as two-factor authentication for the most sensitive accounts.

The post 5 password security myths to forget now appeared first on IT Manager Daily.

While many of BYOD’s complex legal questions have yet to be answered by laws or court decisions, there are two rules experts say companies should keep in mind when they start allowing users to bring in personal smartphones and tablets:

• Don’t access more data than you need to, and
• Inform employees about what you’ll be able to do with their personal property.

To minimize the security and other risks of employees’ personal devices, companies are beginning to write BYOD policies that outline what people are allowed to do with devices that are also used for work. But to avoid lawsuits and employee gripes, those rules should also make clear what the company is and isn’t allowed to do with a personal device.

One of the key features that should be included in a BYOD policy, according to management consulting firm Janco Associates: Prohibit IT staff and management from accessing an employee’s personal social media accounts that employees may be logged into on those devices.

Janco cites the Stored Communications Act (SCA), which prohibits unauthorized people from accessing password-protected accounts and data. In one 2009 court case, two employees successfully sued their former employer after their boss forced them to hand over passwords for a MySpace page they had created.

A similar complaint could be made, Janco warns, if a manager uses the company’s access to an employees smartphone to get into one of those accounts.

Inform employees before they sign up

There are also activities that companies are within their rights to do but that might lead to complaints from employees. That may include remotely wiping a personal device if it’s lost or stolen.

To avoid problems if and when that must be done, experts say companies should include in their BYOD policy everything the company may do with a personal device, and have employees sign off on the policy before they’re allowed to participate in the BYOD program.

The post BYOD policy keys to avoid legal trouble appeared first on IT Manager Daily.

Salary isn’t what matters the most to IT employees.

In fact, there are five factors that have a greater impact than money on whether IT pros stay with their employers or leave., according to a recent study conducted by Information Week.

When asked what was most important to them, the top answers given by survey respondents were:

• That their knowledge and opinion are valued in the organization
• The chance to be involved in setting the company’s strategy and goals
• The opportunity to do work that is important to the company’s success
• Challenging roles and responsibilities, and
• The company’s culture and values.

Emphasize those factors

The surveyed group was made up of CIOs and others higher up the ladder in IT departments. Therefore, according to Information Week, those are most likely the same things that matter to the CIOs of the future — in other words, the most talented and ambitious IT staff members right now.

Therefore, keeping those people on the team requires more than just a competitive salary — IT managers should make it clear that the department is connected to the company’s success.

Also, managers should take the time to ask their most talented IT employees for input regarding projects and strategy, and make sure they’re being assigned challenging work that helps them learn new skills.

Of course, salary will always have some degree of importance for employees too, so it’s important to make sure compensation is in line with market rates.

That’s especially the case for certain groups of IT employees who are in especially high demand will see the biggest salary increases over the next few months. That includes specially skilled employees such as:

• Cloud computing professionals
• Big data specialists
• Mobile application developers
• Wireless network engineers, and
• Web developers.

The post What do IT employees want the most from their employers? appeared first on IT Manager Daily.

Click here to learn more!  

The post VoIP: A Cost-Effective Next Generation Communications Solution appeared first on IT Manager Daily.

Click here to learn more!  

The post IBM Announces New Generation of Storage Systems for SMBs appeared first on IT Manager Daily.