Alan Calder on IT Governance, information security & ISO 27001

Symantec reports a decline in the use of Distributed Denial of Service attacks as an extortion tool. Their reasoning for the drop off is that DDoS is becoming less profitable and carry a greater risk of detection. The downside is that instead hackers are turning their attention to spamming well-followed blogs, which is far easier and therefore more lucrative. With more businesses using blogs to communicate with customers, this is a new vulnerability that businesses need to consider as part of their risk assessment. For more information click here.

Some encouraging words about what is becoming a very depressing problem for most people. MessageLabs’ chief security analyst is turning the spotlight on ISPs as the organisations best placed to arrest the rising tide of spam. Particularly as spam acts as a conduit for dangerous malware it is vital that ISPs start to play a constructive role in this. The smart ones will realise that they can win business by acting quickly; the others may very well deserve to go out of business.

I would have thought by now that infosec professionals would have been aware of the extent to which spam is part of the malware armoury – but this article identifies the need to ensure that staff are also appropriately trained to identify and deal with those threats that inevitably bypass the best defences. ISO 27001, of course, provides clear guidance on staff training.

The ever-watchful Bruce Schneier has flagged up a story which, while no doubt eye-opening for Congress, will come as no surprise to anyone who’s aware that, in spite of their CAN-SPAM Act, the US is the world’s spam capital. What Congress needs to do is to take some determined action against spammers – otherwise it’s just going to go on being surprised by the obvious.