Sophos has published its first report focused on data security, “The State of Data Security”.
The report is excellent read with 25 pages packed full of information and advice.
The report provides advice and guidance to businesses interested in protecting their data, including “Today’s IT and business managers must take a hard look at the risks and costs of potential data loss. Creating a proactive data security plan arms you with the knowledge you need to manage the risk and helps you to stay compliant with data protection rules and regulations.”
Some statistics and quotes from the report:-
The U.S. had the highest cost per compromised record at $204, followed by Germany at $177, France at $119, Australia at $114 and the U.K.at $98
CSO magazine’s 2011 CyberSecurity Watch Survey found that 81% of respondents’ organizations experienced a security event during the past 12 months, compared with 60% in 2010.Twenty-eight percent of respondents saw an increase in the number of security events as compared with the prior 12 months
In a survey of 1,000 people in the U.K., 94% ranked “protecting personal information” as their top concern, equal to their concerns about crime, according to The Telegraph.
according to security expert Rebecca Herold, you’ll cover roughly 85 to 90% of compliance regulations if you practice effective data protection
About 85% of all U.S. companies have experienced one or more data breaches, according to the Ponemon Institute
In 2010, malicious attacks were the root cause of 31% of the data breaches studied, according to the Ponemon Institute – up from 24% in 2009 and 12% in 2008
According to the Identity Theft Resource Center, at least 662 data breaches in the U.S. occurred in 2010, which exposed more than 16 million records. Nearly two-thirds of breaches exposed Social Security numbers, and 26% involved credit card or debit card data
With over 500 million U.S. records of data breaches and loss since 2005, it’s no surprise that these data loss stories are headline news.
McAfee have released their report “Mobility and Security: Dazzling Opportunities, Profound Challenges”.
“Devices are no longer just consumer devices or business devices. They are both,” said Richard Power, a CyLab Distinguished Fellow at Carnegie Mellon University, the primary author of the report. “Devices are more than extensions of the computing structure, they are extensions of the user. The way users interact with their personal data mirrors the way they want to interact with corporate data.”
Key Report Findings:
Reliance on mobile devices is already significant and accelerating rapidly; the emerging mobile environment is both diverse and freewheeling
IT is becoming increasingly consumerized as evidenced by the fact that 63 percent of devices on the network are also used for personal activities.
Lost and stolen mobile devices are seen as the greatest security concern for IT professionals and end-users – Four in 10 organizations have had mobile devices lost or stolen and half of lost/stolen devices contain business critical data. More than a third of mobile device losses have had a financial impact on the organization and two-thirds of companies that had mobile devices lost/stolen have increased their device security after this loss.
Risky behaviors and weak security postures are commonplace – Although the need for mitigating mobile security risks and threats is acknowledged, fewer than half of device users back up their mobile data more frequently than on a weekly basis. Around half of device users keep passwords, pin codes or credit card details on their mobile devices. One in three users keeps sensitive work-related information on their mobile devices.
There is a serious disconnect between the policy and reality – 95 percent of organizations have policies in place in regard to mobile devices
Mobile devices are being used by much of the workforce, over extended periods of time, for a significant percentage of tasks previously conducted on desktops.
On average, employees use mobile devices for work purposes between 2 and 4.5 hours a day. On average, use of laptops was 4.5 hours per day.
Mobile devices are used in a wide range of job functions
Business executives using them most – 56%
Sales and others in the mobile workforce – 47%
Mobile phone usage
Email – 93%
Contacts – 77%
Web access – 75%
Calendaring – 72%
Four different types of mobile devices are used by at least one-third of employees both for professional and personal use,
Laptops – 72%
Smartphones – 48%
Removable media, including USBs – 46%
External hard drive – 33%
Almost Half of Users Keep Sensitive Data on Mobile Devices
Passwords/Pin Codes
Credit Card details
Professional & personal information & data
23%
19%
Only professional information & data
11%
7%
Only personal information & data
17%
15%
I do not use, store or send this information or data using mobile devices
49%
58%
Recommendations for Businesses
Mobility is ushering a new computing paradigm into the workplace. With devices eclipsing PCs and virtually every business application being device-ready, mobile computing offers an opportunity to make workers more productive, competitive, and happy. Mobility done right is a major competitive advantage in the workplace.
Consumerization of IT is here to stay. Many smart companies are allowing, encouraging, and, in some cases, providing a stipend for, employee owned technology to work. Businesses need to find ways to enable, secure, and manage employee-owned technology in an optimal way to drive cost savings.
Users are changing the way they think about policies. Because employee-owned devices are artifacts of the more entrepreneurial employee-employer relationship, organizations need to apply policies in a nuanced, risk-based way that depends on the industry, the role, and the situational context.
Data loss and leakage are of utmost concern to individuals and enterprises, and there is no silver bullet. Classify data, even at a high level, and apply data leakage processes and mechanisms in order to protect corporate data while respecting users’ privacy.
User awareness about mobile threats is still nascent. Apply security and management paradigms from laptops and desktops to mobile devices. Educate users about the risks and threats through employee agreements and training. “Businesses must find ways to protect corporate data, and call it back when an employee leaves, while ensuring the privacy of the employee,” says David Goldschlag, vice president of Mobility for McAfee. “Employees are no longer lifelong members of the organization, but rather consumers, who often change jobs every few years. When they do, they come with a kit of stuff, but once they leave, they need to give you back the data that belongs to the company. Businesses need a way to facilitate that process while respecting the ‘kit’ that the employee brings to the company.”
Recommendations for Mobile Users
You are part of a computing sea of change. With devices eclipsing PCs, and virtually every app device-ready, mobile computing offers you an opportunity to be entertained, informed and connected wherever you are. Use this to your advantage to be more productive on the go.
Driven by users’ desire for device choice and employers’ need for cost savings, individuals are increasingly bringing their own devices to work. Take advantage of your employers’ program and use your technology to be more nimble in your work.
Familiarize yourself with your employer’s mobile device policy and the intent behind it, and decide whether it fits your needs. If so, accept the policy and move on; if not, use two devices, one for personal use and one for work.
Take steps to secure your device. Install anti-theft technology, and back up your data. Configure your device to auto-lock after a period of time. Don’t store data you can’t afford to lose or have others access on an insecure device.
Be aware of mobile device threats. In many ways, they are the same as in the online world. You can be hacked, infected, or phished on a mobile device just as easily (and often more easily) as you can online.
Vesta Corporation conducted a survey of Mobile Network Operators (MNOs) in the USA and Europe and discovered that over a quarter of them were non-compliant to the Payment Card Industry Data Security Standards (PCI DSS).
Of equal concern are the 35% who did not know of the potential financial penalties they could face in the event of an Account Data Compromise (data breach).
Key findings of the survey
25% of respondents are not currently PCI DSS compliant
35% of respondents unaware of potential penalties for non-compliance
The average cost of initial PCI DSS compliance was approximately $700,000 USD
Over 50% were spending over $1,390,000 USD annually in PCI compliance maintenance costs.
69% of respondents stated that more than three people in their organization work full time on maintaining PCI compliance.
56% felt that the greatest impact of a security lapse or data breach to their business would be a loss of customer confidence.
Over a third of these maintain an internal security group for PCI compliance.
Under a quarter of respondents maintain PCI DSS via cross functional teams that receive direction on a group level with local implementation.
All respondents regard the touchpoints of live agent, Web and retail as very important to the success of their organization’s PCI compliance.
The areas of highest concern mentioned by the operators included ensuring applications and systems are compliant; network monitoring and scanning; and vulnerability management.
“The survey shows that there is clearly room for improvement by the mobile operator community in addressing PCI DSS compliance, and it is critical that operators not yet compliant take appropriate measures to ensure the security of their customer’s sensitive cardholder data,” said Joshua Rush, VP Marketing at Vesta. “However, compliance should not be viewed as a mandatory demand by the card associations but as a competitive sales and marketing differentiator at a time where data security is of paramount concern to subscribers.”
CyberSource Corporation’s survey found that while airlines are gaining in their war against fraud, much work remains to be done. Airlines reported a loss of about $1.4 billion USD to online payment fraud in 2010.
Dr. Akif Khan, CyberSource’s Director, Products and Services said: “The good news is that in terms of fraud loss rates, 2010 results showed a 31 percent improvement over 2008. Clearly, airlines have not only recognized the challenge but have made timely adjustments to it.” According to the survey, changes made by airlines in the last two years include higher use of fraud detection tools in automated screening (7.3 on average, compared to 5.8 in 2008), along with rejecting more bookings due to suspicion of payment fraud.
Selected survey findings
Experience counts: airlines with less than three years of online selling experience have higher fraud loss rates, manual review rates, and higher reject rates than their more experienced competitors. For example, airlines with more than ten years of online selling experience manually review 15 percent of their bookings; those with fewer than three years review 53 percent
Airlines may be ignoring a powerful anti-fraud tool: Only three percent of airlines surveyed used public record searches to validate bookings. But those that used the tool felt it was one of their most effective anti-fraud measures. (Public record searches are not universally available). Device fingerprinting and third-party fraud scoring models were among the top tools merchants cited as considerations for future use
Automated review requirements will accelerate: According to the International Air Transport Association, passenger revenue will increase by 7.3 percent in 2011, but nearly 90 percent of airlines surveyed say their manual review staff levels will remain the same. Automation will have to make up the difference.
“Fraudsters will move to the weakest link in the chain,” said Christopher Staab, Managing Partner of Airline Information. “And that weak link is most likely going to be the airlines unfamiliar with how sophisticated fraud can be perpetrated with online ticketing sales. That’s why this type of data is so critical for the airline industry worldwide. There are solutions out there–airlines need to implement them.”
CyberSource report that a typical fraud scenario in the airline industry plays out as follows:
Fraudster illegally obtains credit card data;
Fraudster obtains name, address, and other appropriate information for a genuine customer interested in buying “discount” tickets;
Fraudster buys the ticket in the innocent person’s name, using the stolen credit card number;
Fraudster delivers ticket to the customer and receives payment in cash
On the 20th May 2011, the PCI Council announced its new Board of Advisors. More than 600 Participating Organisations elected the Board of Advisors. Participating organisations include merchants, financial institutions and processors from around the world.
The 2011-2013 PCI Board of Advisors will provide strategic and technical guidance to the PCI Security Standards Council that reflects the varied and unique industry perspectives of those across the payment chain. In addition to advising on standards development, the Board of Advisors plays a critical role in soliciting feedback and ideas, leading Special Interest Groups (SIGs); and helping the Council fulfil its mission to raise awareness and the adoption of the PCI Standards.
More than 76 organisations from across the payment industry were nominated for their direct experience and leadership in the field. The 21 seats were distributed within the categories of:
Financial Institutions
Merchants; Processors
Vendors,
Others (Industry Associations, etc)
The new Board of Advisors is comprised of representatives from the following organisations:
Barclaycard
British Airways
Cartes Bancaires
Cielo
Cisco
Citi
Disney
European Payments Council
First Data Corporation
Heartland Payment Systems
Ingenico
International Air Transport Association (IATA)
JPMorgan Chase & Co
McDonald’s, PayPal
RSA
Tesco Stores Limited
TSYS
VeriFone Systems
Wal Mart Stores
Woolworth’s
“Industry participation is crucial to our work here at the Council. I am ecstatic to see the record number of people who were involved in this year’s election process and the breadth of experiences and perspectives that this new Board represents,” said Bob Russo, general manager, PCI Security Standards Council.
“As we continue to strengthen the standards and their adoption globally, this group will play a leading role in the protection of cardholder data against security threats worldwide.
“I am thrilled about the increase in European representation on the Board this term. It is a testimony to the excellent work and collaboration that is taking place in Europe to drive payment security forward,” said Jeremy King, European regional director, PCI Security Standards Council. “With their input, I’m confident that we can continue to make great strides in engaging European stakeholders in this important global initiative.”
For more information on PCI DSS visit the PCI Resources page here.
In study commissioned by Juniper Networks the study found that enterprise and consumer mobile devices are being exposed to a record number of security threats.
The study’s key findings Include:
App Store Anxiety: The single greatest distribution point for mobile malware is application download, yet the vast majority of Smartphone users are not employing an antivirus solution on their mobile device to scan for malware
Wi-Fi Worries: Mobile devices are increasingly susceptible to Wi-Fi attacks, including applications that enable an attacker to easily log into victim email and social networking applications
The Text Threat: 17 percent of all reported infections were due to SMS Trojans that sent SMS messages to premium rate numbers, often at irretrievable cost to the user or enterprise
Device Loss and Theft: 1 in 20 Juniper customer devices were lost or stolen, requiring locate, lock or wipe commands to be issued
Risky Teen Behavior: 20 percent of all teens admit sending inappropriate or explicit material from a mobile device
“Droid Distress”: The number of Android malware attacks increased 400 percent since Summer 2010
“These findings reflect a perfect storm of users who are either uneducated on or disinterested in security, downloading readily available applications from unknown and unvetted sources in the complete absence of mobile device security solutions,” said Dan Hoffman, chief mobile security evangelist at Juniper Networks.
“App store processes of reactively removing applications identified as malicious after they have been installed by thousands of users is insufficient as a means to control malware proliferation. There are specifics steps users must take to mitigate mobile attacks. Both enterprises and consumers alike need to be aware of the growing risks associated with the convenience of having the Internet in the palm of your hand.”
“The last 18 months have produced a non-stop barrage of newsworthy threat events, and while most had been aimed at traditional desktop computers, hackers are now setting their sights on mobile devices. Operating system consolidation and the massive and growing installed base of powerful mobile devices is tempting profit-motivated hackers to target these devices”, Jeff Wilson, principle analyst, Security at Infonetics Research.
“In a recent survey of large businesses, we found that nearly 40 percent considered smartphones the device type posing the largest security threat now. Businesses need security tools that provide comprehensive protection: from the core of the network to the diverse range of endpoints that all IT shops are now forced to manage and secure.”
The study specifically reports the following:-
400 percent increase in Android malware since summer 2010
1 in 20 mobile devices was lost or stolen, requiring locate, lock, or wipe commands
20% of all teens admit sending inappropriate or explicit pictures or videos of themselves from a mobile device
61% of Juniper Networks-detected malware infections are from spyware
17% of Juniper Networks-detected mobile malware infections are from SMS Trojans
Mobile malware grew 250% from 2009 to 2010
1 in 20 mobile devices is lost or stolen, risking loss of confidential and sensitive data.
83% of teens use mobile technology to stay connected with friends and family.
20% of all teens have been cyberbullied through a mobile device.
20% of all teens admit to sending inappropriate or explicit pictures or videos of themselves from a mobile device.
20% of teens admit to having sent inappropriate or explicit pictures or videos from their cell phones
39% of teens admit to sending sexually suggestive messages from their device
29% of teens admit that they are sending suggestive messages, or inappropriate and explicit pictures or videos to someone they have never met
44% of teens admit that it is common for suggestive messages that were received to be shared with someone else
The study recommends the following:
For Consumers:
Install an on-device anti-malware solution to protect against malicious applications, spyware, infected SD cards, and malware-based attacks on the device
Use an on-device personal firewall to protect device interfaces
Require robust password protection for device access
Implement anti-spam software to protect against unwanted voice and SMS/MMS communications
For parents, use device usage monitoring software to oversee and control pre-adult mobile device usage and protect against cyberbullying, cyberstalking, exploitative or inappropriate usage, and other threats
For Enterprises, Government agencies and SMBs:
Employ on-device anti-malware to protect against malicious applications, spyware, infected SD cards and malware-based attacks against the mobile device
Use SSL VPN clients to effortlessly protect data in transit and ensure appropriate network authentication and access rights
Centralize locate and remote lock, wipe, backup and restore facilities for lost and stolen devices
Strongly enforce security policies, such as mandating the use of strong PINs/Passcodes
Leverage tools to help monitor device activity for data leakage and inappropriate use
Centralize mobile device administration to enforce and report on security policies
In its recent study, Juniper Networks uncovered some very interesting facts on the growing risk to Android base mobile devices.
The time line for the development of the threats is as follows
Android Attacks: 2010
January 2010: First bank phishing application for Android
March 2010: First Android “botnet”
July 2010: GPS monitoring embedded in Tap Snake game
August 2010: First Android SMS Trojan
November 2010: “Angry Birds” proof-of concept malware demonstrated
December 2010: First pirated Android application, Geinimi
Android Attacks: 2011
January 2011: ADRD and PJApps available in China
March 2011: Myournet/DroidDream, the first Android malware available and distributed through Android Market on a large scale, affects 50,000 users.
Google’s solution, the Android Market Security Tool, was also pirated and turned into malware in China.
April 2011: Walk-and-Text pirate puts egg on users’ faces.
April 2011: Research at IU Bloomington results in “Soundminer” proof-of-concept communications interception application.
Overall there was a 400% increase in Android malware since summer 2010
In summary, the bad guys have see the growth of the Smartphone market and are turning their skills into the development of tools and attack vectors for the operating systems on them, including Android.
The Cisco Quarter 1 2011 Global Threat Report has been released. The Cisco Global Threat Report is a compilation of data collected across the four segments of Cisco Security: ScanSafe, IPS, RMS and IronPort.
The highlights for Quarter 1 2011 include:-.
105,536 unique Web malware were encountered in March 2011, a 46% increase from January 2011
Malicious webmail represented 7% of all Web-delivered malware in March 2011, a 391% increase from January 2011
45% of all malicious webmail resulted from Yahoo! mail, 25% from Microsoft Live/Hotmail, and only 2% from Google’s Gmail
Search-engine-related traffic resulted in an average of 9% of all Web malware encountered in 1Q11
33% of search engine encounters were via Google search engine results pages (SERPs), with 4% each from Yahoo! and Bing SERPs
SERPs and webmail encounters are impacted by the popularity of a particular service and are likely not indicative of any heightened risk specific to that service
Likejacking increased significantly during the first quarter of 2011, from 0.54% of all Web malware encounters in January 2011 to 6% in March 2011
At 13%, Miley Cyrus–themed likejacking scams beat out all other celebrities and events in March 2011. Likejacking themes for Indian actress Nayantara were at 7%, while Charlie Sheen was at 3%, Justin Bieber at 2%, and Lady Gaga at 1%
At 4% of all Web malware encounters in 1Q11, website compromises that attempted to download the Hiloti Trojan were the most frequently encountered, followed by malicious GIF injections (3%). Website compromises related to the Lizamoon series of SQL injection attacks represented just 0.15% of Web malware encounters for the quarter
Though far less successful than in years past, SQL injection attempts continued to be the most prevalent event firing (55%) observed by Cisco Remote Management Services in 1Q11
Malware activity related to the MyDoom worm was the 10th most frequently RMS-observed IPS event in 1Q11, demonstrating that legacy malware can still pose a threat to unprotected systems
As expected, Rustock activity declined significantly over 1Q11, but, interestingly, the sharp decline commenced weeks prior to the botnet takedown
Following 4Q10 declines, global spam volume increased and then subsequently decreased during 1Q11, but levels remained above that of December 2010
With an increase of 248%, Indonesia overtook the United States as the top spam-sending country in 1Q11
Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution
3.27%
Windows MHTML Protocol Handler Script Execution
2.47%
WWW WinNT cmd.exe Access
1.30%
Web Application Security Test/Attack
1.19%
MyDoom Virus Activity
1.16%
Note that the MHTML vulnerability described in Microsoft KB 2501696, IntelliShield alert 22310, and Cisco Intrusion Prevention System (IPS) 6.0 – 33379/0 also appears on the Cisco RMS top 10 signature events list for 1Q11. Microsoft released an update for this former zero-day vulnerability in April 2011 (MS11-026).
While a significantly occurring event in 1Q11, SQL injection attempts remained at a fairly steady pace throughout the quarter with the only notable increase occurring in the latter part of March 2011.
Cisco RMS Top 10 by Port Activity
Port
Percentage
80
69%
40436
2.23%
25
2.17%
161
1.39%
5060
1.27%
123
1.16%
34227
1.13%
443
1.05%
21
1.00%
20
0.71%
Although they represent a relatively small percentage of overall spam, phishing attacks pose a serious risk to security, both from a financial and sensitive information disclosure perspective. In 1Q11, attackers increasingly turned their attention toward phishing Twitter accounts.
This interest in Twitter credentials is likely due in part to Twitter users’ acceptance of shortened URLs. By compromising Twitter accounts, attackers can take advantage of shortened URLs to entice followers to visit malicious links the users might ordinarily view as suspicious. Such attacks are further fuelled by the trust engendered through social networking in general.
Internet Identity (IID) has released their eCrime Trends Report: First Quarter 2011.
The report is a summary of statistics and news items from this year’s first quarter and serves as a useful reminder of how regularly breaches occur and how easy it is to forget about the last big breach.
Every month seems to have another record for the largest breach, Epsilon was usurped by Sony, who will be next? This is why quarterly reviews are so important.
The highlights of the IID report are below:
IT security firms in the cybercrime crosshairs
Breach of HBGary Federal reveals vulnerability of the extended enterprise
Internal emails exposed information about partners and clients
Banks outside the U.S. increased most dramatically
Recent database breaches could lead to increased spear phishing in the coming quarter
Compared to Q4 2010, Phish targeting larger, national banks increased 11%. Much of the growth was seen in non-US based banks, which took three of the top five spots among banks
Phishing in Q1 2011 grew 12% over Q1 2010.
Parts of the Internet went dark in Q1 for a variety of reasons
Egyptian ISPs ordered to shut down following Internet-led protests
Mooo.com seizure by DHS temporarily suspended 80,000 subdomains
Rabobank blackholed its own DNS records in an attempt to combat DDoS attack
“As we’ve seen with recent attacks against Sony’s PlayStation Network and Epsilon, cyber criminals now have inside information about tens of millions of customers to use in highly targeted phishing campaigns,” said IID President and CTO Rod Rasmussen.
“The worry is that with all of this specific data, cyber criminals have all they need to convince people to share their highly valuable personal information. Organizations must ensure they are taking every measure to stop these attacks, including blocking access to phishing sites and command and control domains for malware that exfiltrates data. This should be done with e-mail filtering, firewalls and secure domain name system resolvers.”
The report states, “approximately 90% of compromises came from the Level 4 merchant space in 2010.” The PCI DSS categories a Level 4 merchants as a businesses that process less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.
The top 5 Industry Sectors that experience a PCI DSS compromise are:
57.0%
Food and Beverage
18.0%
Retail
10.0%
Hospitality
6.0%
Government
6.0%
Financial
Breaches occur in 5 specific areas with the majority occurring because of weaknesses in software:
75.0%
Software POS
11.0%
Employee Workstation
9.0%
e-commerce
3.0%
Payment Processing
2.0%
ATM
The Report has the Top Five Areas where Merchants are Falling Short of Compliance as:
Do you have written security policies and procedures that address the protection of paper with credit card numbers such as receipts and the physical security of your card processing device?
Do you have a formal training program for all relevant employees that teaches them about security as it relates to credit cards, paper with credit card numbers on them and the devices that process credit card transactions?
Do you or does anyone at your business log or record your customers’ credit card numbers in a computer, for example, in a back office computer, a laptop or financial application?
Do you check your store or office for unauthorized wireless access points on at least a quarterly basis?
Do you perform external (Internet) network vulnerability scans at least once per quarter?
Cost of non-compliance
Trustwave’s Report states “Fines have averaged $5,000 to $15,000 per card brand. We see forensic investigations start in the $10,000 to $15,000 range as well. Card re-issuance and fraud loss are dependent on the size of the breach. However, fines can vary greatly depending on a number of factors and can reach into the hundreds of thousands of dollars in some cases”.
Brian Pennington 