Brian Pennington

A blog about Cyber Security & Compliance


June 2011

90 Percent of Businesses Fell Victim to a Cyber Security Breach

The Ponemon Institute has released the results of a study conducted to determine what IT and IT security practitioners in the US, UK, France and Germany think about how well their organizations are responding to threats against network security. The study was sponsored by Juniper Networks. They believe the research is important because “it can provide insights from those who are dealing daily with the prevention and detection of these attacks. Specifically, what do they think about the current threat landscape and what are the most effective strategies to keep networks secure”.

Some of the topics addressed include:

  • Are threats to network security increasing in frequency and sophistication?
  • Is their organization’s IT infrastructure secure enough to prevent successful attacks?
  • What is the nature of the attacks and are the attackers and attack vectors known?
  • Do organizations see complexity as a barrier to effective enterprise-wide network security?

They surveyed 583 IT and IT security practitioners in the US with an average of 9.57 years of experience. More than half (51 percent) are employed by organizations with more than 5,000 employees.

The study found that the number of successful network security breaches over the past 12 months was:

None: 10%
1 time: 21%
2 to 3 times: 32%
4 to 5 times: 18%
More than 5 times: 9%
Cannot determine: 10%

Some of the most salient findings are as follows:

The financial impact of a security breach can be severe. According to 41% of respondents, the financial impact of these breaches was $500,000 or more. However, 16% cannot determine the amount. Respondents were asked to consider cash outlays, internal labor, overhead, business disruption, revenue losses and other expenses.

Security breaches most often occur at off-site locations but the origin is not often known. Mobile devices and outsourcing to third parties or business partners seem to be putting organizations at the most risk for a security breach. 28% say the breaches occurred remotely and 27% say it was at a third party or business partner location.

Attacks are coming from external agents but insider abuse is prevalent. External agents and insiders (employees) are most commonly behind the security breaches according to 55% and 49% of respondents, respectively. Respondents also report that multiple sources can be blamed for the breaches.

Employee mobile devices and laptops are seen as the most likely endpoint from which serious cyber attacks are unleashed against a company. 34% of respondents say attacks occurred from infected laptops or remotely due to an employee’s insecure mobile device. Further, the top two endpoints from which these breaches occurred are employees’ laptop computers (34%) and employees’ mobile devices (29%). 28% say it is employees’ desktop computers.

Complexity and availability of resources are the most serious challenges to combating cyber attacks. 48% cite complexity as one of their biggest challenges to implementing network security solutions. The same percentage of respondents (48%) say it is resource constraints. These challenges are followed by lack of employee awareness, which contributes to the insider risk. In addition to simplifying their security operations and increasing available resources, organizations should consider the importance of training and awareness.

Attacks are becoming more frequent and severe. IT practitioners in the study are worried about continuing and more serious attacks. 78% of respondents say there has been a significant increase in the frequency of cyber attacks during the 12 months, and 77% say these attacks have become more severe or difficult to detect or contain.

Given the current threat landscape, organizations should make prevention and detection of security breaches a primary focus. Only 32% of respondents say their primary focus or approach to network security is on preventing attacks. 16% say it is on fast detection and containment and 15% say it is on network intelligence. 23% say their network security strategy is to baseline their approach against best practices and 14% say it is IT governance.

Ponemon’s Conclusions

They believe their research provides evidence that many organizations are lacking the right strategy to prevent cyber attacks against networks and enterprise systems. Their study suggests conventional network security methods need to improve in order to curtail internal and external threats.

They believe organizations should consider incorporating the following recommendations in their network security strategy:

  • Understand the risk employees’ mobile devices create in the workplace. In addition to problems created when inappropriately being connected to the network, breaches involving lost or stolen laptop computers or other mobile data-bearing devices remain a consistent and expensive threat. According to Ponemon Institute’s 2010 Annual Cost of a Data Breach Study, 35 percent of organizations report that a lost or stolen mobile device caused the data breach they experienced.
  • Create a comprehensive policy (including detailed guidelines) for all employees and contractors who use mobile devices in the workplace. The policy should address the risks associated with each device and the security procedures that should be followed. Guidelines can cover topics such as what types of data should not be stored on these devices, how to determine if an application can be safely downloaded and how to report a lost or stolen device.
  • Improve ability through expertise and enabling technologies to detect and prevent breaches. Understanding the source of the breaches can help organizations strengthen their cyber security strategy.
  • Address the insider threat through the creation of an enterprise-wide security policy that includes the responsibilities of employees to help protect network security. The policy should be easily accessible. In addition, there should be a training and awareness program to ensure employees understand the various risks to the network and how they can contribute to preventing security breaches.
  • Complexity is recognized as a barrier to effective network security strategy. Organizations should assess their current procedures and technologies to understand how best to streamline their approach and have an end-to-end (holistic) approach to network security. The studies consistently show that the cost of cyber attacks is increasing. Reducing an organization’s vulnerability to such attacks through the combination of proper staffing, enabling technologies and training programs can help prevent the pattern of multiple breaches experienced by so many in our study.

The full study can be downloaded here


How to Contact the Credit Reporting Agencies to Place a Fraud Alert

The Identity Theft Resources Centre has some great advice on how and what to do when contacting a Credit Reporting Agency:

  • Please use the report fraud phone numbers from each credit reporting agency to place a fraud alert on your credit report. We recommend that you call all three credit reporting agencies because they may have different information that might cause the fraud alert to be denied.
  • These will be automated systems; please listen for the prompt for the fraud alert.
  • The automated system will ask identifying questions, such as your name, Social Security Number (US), National Insurance Number (UK), address number, and date of birth. This is to verify your identity.
  • If you are successful in placing the fraud alert on your credit report, you will receive a confirmation number immediately or you will receive a notification letter by mail within the next 10 to 14 business days.
  • On your notification letter, there will be a telephone number to request a free copy of your credit report. Please contact the CRAs immediately to obtain these reports.
  • You are not successful in placing the fraud alert if the automated system asks for you to write to them with documentation. This is common for victims of identity theft. The credit reporting agencies usually require a copy of a current utility bill, copy of your current driver’s license or a state ID, and a letter with your full name, Social Security Number and date of birth, requesting a fraud alert be placed. You will also want to request your free credit report in the letter.


How to Secure Mobile Devices

Drew Robb, in his article “How to Secure Mobile Devices”, has created an excellent guide to thinking about the security of mobile devices, not just for consumers but for the enterprise.

The article is recreated below:

“More and more frequently, employees are linked to sensitive data via a number of different devices, providers, and operating systems,” said Will Hedrich, a security architect at CDW-G. “If laptops, tablets, and smartphones are left unattended for even a few minutes, you are at risk.”

Anyone can download an application for $50 to $150, for example, that will allow them to listen to phone conversations, listen to anything around that phone even when it’s not on a call, view the camera, swipe files from the phone, or access the corporate network. They can download, view, or listen to this information wirelessly using the phone’s public IP address, Bluetooth or Wi-Fi. After the program is downloaded on to it, the person would never know it is on his or her phone.

Recently, for example, an employee of a large enterprise left a smartphone in the car while shopping. The phone, which was stolen, contained the social security numbers and other personal information of company employees. Because the phone was not equipped with any security measures, the information was easily accessed.

Most company employees do not even have basic firewall or password protections on their phones, so they are risking this kind of data loss on a regular basis.

The financial consequences can be severe. The government fines companies $204 or more per piece of personal information leaked, such as a social security number, credit card information, and other personally identifiable information (PII) or payment card industry (PCI) compliance information.

“It is important to have a mobile management security strategy in place to prevent data loss and malicious attacks,” said Hedrich. “The strategy should extend to devices, the data center, and cellular carriers.”

He added that a comprehensive solution for locking down the mobile workforce did not exist until recently. Such solutions, now becoming available from a variety of vendors, should encompass a four-pronged approach.

Physical security

Devices accessing the network need data encryption and multi-factor authentication, which includes a user name, password, and a series of PIN numbers, such as a four digit personal PIN and a six digit code that is generated automatically and changes every minute. Device certificates are also important.

Content security

If appropriate security protocols are in place, anyone trying to access information via the public IP address of an encrypted device will find that the information is completely scrambled. A combination of anti-malware, content filtering, encryption, data loss prevention (DLP) software, and intrusion prevention software installed on all devices will prevent unauthorized access to data.

“If a phone, tablet, or other device falls into the wrong hands, you want to be sure that data on it cannot be accessed,” said Hedrich. “Data encryption and multi-factor authentication are crucial to ensuring that only the authorized user can access the information on the device.”

Device management

Organizations should also set access levels and permissions for each person or group on the network, such as legal, marketing, IT, etc. These access policies control the data they can access via their devices and the functions they can perform remotely.

“Centralized device management allows IT to update access rights as well as roll out updates to operating systems and applications from one central console,” said Hedrich. “And, if a device is lost or stolen, the IT manager can wipe the device remotely to prevent data loss.”


Network Barometer Report 2011 – Dimension Data’s annual report

Dimension Data announced the results of its Network Barometer Report for 2011. The findings of the report have been taken from 270 “Technology Lifecycle Management” (TLM) assessments of enterprise organizations.

The annual Dimension Data report gauges the readiness of organizations’ networks to support business by evaluating adherence to best practices, potential security vulnerabilities and the end-of-life status of network devices.

Key findings from the 2011 report are:

  • More than 73% of corporate network devices had at least one known security vulnerability, nearly double the 38% recorded in last year’s report.
  • A single, higher-risk vulnerability identified by Cisco’s PSIRT (Product Security Incident Response Team) in September 2009 – PSIRT 109444 – was found in a staggering 66% of all devices, and was responsible for this jump.
  • With PSIRT 109444 removed from the equation, the next four vulnerabilities were found in less than 20% of all devices, indicating that organizations are stepping up remediation efforts.
  • 47% of devices were in late stage obsolescence – characterized as “beyond end-of-contract renewal” – which is the highest risk phase of the product lifecycle. At this point, organizations can no longer purchase additional support and are less likely to have access to the latest vendor-supplied security patches, leaving them vulnerable to security breaches and compliance violations.
  • The average number of configuration violations per device has decreased by 30%; however, AAA (authentication, authorization and accounting) errors continue to dominate.
  • A fall in the total number of configuration issues per device indicates that there has been progress in organisations’ response to configuration errors.
  • Despite some improvement, potential security violations still represent the single largest block of configuration errors.
  • Technology obsolescence is running at 38% of organisations’ installed asset base – little change in the past 3 years.
  • The percentage of devices in late stage end-of-life dropped from 58% last year to 47% this year, and those beyond LDoS dropped from 31% last year to 9%. This suggests that organisations are managing their network assets in a much more effective manner and refreshing those devices where the risk is greatest.
  • An increase in technology obsolescence in the cases of repeat assessments also suggests that organisations are using an overall understanding of their technology estate to ‘sweat assets’ intelligently.

“The Network Barometer Report 2011 raises the question of whether organizations have the necessary visibility into their overall technology environment to adequately protect customer data, privacy and sensitive business information, and to intelligently manage and ‘sweat’ IT assets,” said Wesley Johnston, chief operating officer, Dimension Data Americas.

“Previous research that we’ve conducted – unrelated to the Network Barometer Report – supports this concern, revealing that companies are unaware of as much as 25% of their networking devices. Organizations need a full view of every device on the network – including where it is, what it does and what the implications are when it breaks or becomes unsupportable – in order to protect themselves and their customers and ensure business productivity and efficiency,” stated Johnston.

 The Dimension Data Network Barometer Report can be downloaded here

