Brian Pennington

A blog about Cyber Security & Compliance


September 2011

10 Identity Management Metrics that matter

Frank Villavicencio of Identropy is an expert in Identity and Access Management (IAM). In a recent article he produced a list of 10 Identity Management Metrics that will help focus the security aspirations of almost any organisation.

The 10 pieces of advice are below:

1. Password reset volume per month. This one is a classic in identity management, and it’s key to helping organizations measure the effectiveness of their IAM programs. Businesses typically look at password-related help desk calls, account lockouts, and self-service resets per month as good indicators of password-policy effectiveness. This metric should generally trend downward, although there may be peaks and valleys driven by business events. If it doesn’t, your organization’s password policies and management tools require a closer look.

2. Average number of distinct credentials per user. Another IAM classic, and for years, a key business justification for single sign-on (SSO) initiatives. The industry average ranges from 10 to 12 unique accounts per user. Organizations should strive to bring this average down as close to one as possible.

3. Number of uncorrelated accounts. These are accounts that have no owner, and occur most frequently when a change happens, such as a promotion or a termination, and that person’s accounts were not transitioned properly. Too many uncorrelated accounts can lead to unnecessary risks—they are open, live accounts that can be easily hijacked for unauthorized use.

4. Number of new accounts provisioned. This number should closely follow the number of new joiners to the organization. An effective IAM program should always account for any new user who needs to be granted access to systems and applications. If there’s a discrepancy or a significant lag between the number of provisioned accounts and the total number of new joiners for a given period, that indicates inefficient processes or poor identity data.

5. Average time it takes to provision or de-provision a user. This shows how long a new user waits to get access to the resources they need to do their work. It has implicit productivity and ROI ramifications. Nine times out of 10, if someone doesn’t get access to applications in a timely fashion, there are process issues behind the delay. This metric can flag a business process that needs to be reviewed and possibly adjusted.

6. Average time it takes to authorize a change. This metric can provide insight into the efficiency of an organization’s approval processes. For example, if there are four people involved in approving a sales rep’s access to, but it takes two weeks for that approval to be granted, that’s two weeks the sales rep is limited in his capacity to sell. Knowing how long it takes for approvals to be granted can help identify bottlenecks or out-of-date processes.

7. Number of system or privileged accounts without an owner. These are also known as orphaned accounts. They crop up when people who had the credentials to grant them access to important resources—making them privileged users—no longer need access to those resources but never had their privileges removed. The problem here is obvious—who wants privileged accounts that don’t belong to anyone floating around?

8. Number of exceptions per access re-certification cycle. A high number of exceptions is expected for new applications or user sets being brought under governance, but over time this should trend toward zero. A consistently high number of exceptions is a strong indicator of poor identity data quality (that is, lots of users having access that they should not have), or of process problems (that is, the person requesting re-certification does not have all the information they need to complete the process.)

9. Number of reconciliation exceptions. Reconciliation exceptions are typically caused by the inability of an IAM platform to reliably tie an identity to an account in a target system. This is usually the result of manual entry errors (that is, user names or unique identifiers are not matched), or worse yet, of an account created by backdoor channels. These exceptions should trend toward zero over time, and any spikes should trigger a thorough investigation and further discussion.

10. Separation of duty violations. Examples of separation of duty violations include developers who have admin access to production databases and traders who can submit and approve their own transactions. These are more difficult to catch and measure, given their sophistication and cross-application nature, but are also the riskiest to miss, given the potential damage that could be inflicted if they’re exploited. Exploitations of these problems are the kind that often make headlines. The organization should implement preventive controls to monitor these violations, report them and orchestrate their remediation.
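Several of the metrics above can be computed directly from an HR roster and an account export. The following is an added example, not code from the original article or from Identropy; the roster, account inventory and separation-of-duty rules are constructed sample data, and the field names are assumptions. It computes metrics 2, 3, 5, 7 and 10, and evaluates separation-of-duty rules over a user's roles across all systems, because that is where cross-application violations hide.

```python
from datetime import date
from statistics import mean

# Constructed HR roster (the authoritative identity source): employee id -> record.
HR_ROSTER = {
    "e100": {"name": "Alice Smith", "status": "active", "start": date(2011, 9, 1)},
    "e101": {"name": "Bob Jones", "status": "active", "start": date(2011, 9, 5)},
    "e102": {"name": "Carol White", "status": "terminated", "start": date(2010, 3, 15)},
}

# Constructed account inventory, as exported from several target systems.
ACCOUNTS = [
    {"system": "ad", "name": "asmith", "owner": "e100", "privileged": False,
     "roles": {"staff"}, "created": date(2011, 9, 2)},
    {"system": "crm", "name": "alice.s", "owner": "e100", "privileged": False,
     "roles": {"sales_submit", "sales_approve"}, "created": date(2011, 9, 9)},
    {"system": "ad", "name": "bjones", "owner": "e101", "privileged": False,
     "roles": {"staff", "developer"}, "created": date(2011, 9, 5)},
    {"system": "proddb", "name": "bjones_dba", "owner": "e101", "privileged": True,
     "roles": {"prod_db_admin"}, "created": date(2011, 9, 12)},
    # Owner left the company but the account was never de-provisioned.
    {"system": "erp", "name": "cwhite", "owner": "e102", "privileged": False,
     "roles": {"finance"}, "created": date(2010, 3, 16)},
    # Service account with no recorded owner at all.
    {"system": "proddb", "name": "svc_backup", "owner": None, "privileged": True,
     "roles": {"prod_db_admin"}, "created": date(2009, 1, 10)},
]

# Toxic role combinations taken from the two examples given for metric 10.
SOD_RULES = [
    ({"sales_submit", "sales_approve"}, "submit and approve own transactions"),
    ({"developer", "prod_db_admin"}, "developer with admin access to production database"),
]


def active_users(roster):
    return {eid for eid, rec in roster.items() if rec["status"] == "active"}


def average_credentials_per_user(accounts, roster):
    """Metric 2: mean number of distinct accounts held by each active user."""
    counts = {eid: 0 for eid in active_users(roster)}
    for acct in accounts:
        if acct["owner"] in counts:
            counts[acct["owner"]] += 1
    return mean(counts.values())


def uncorrelated_accounts(accounts, roster):
    """Metric 3: accounts that cannot be tied to an active identity in HR."""
    users = active_users(roster)
    return [a for a in accounts if a["owner"] not in users]


def orphaned_privileged_accounts(accounts, roster):
    """Metric 7: the privileged subset of the uncorrelated accounts."""
    return [a for a in uncorrelated_accounts(accounts, roster) if a["privileged"]]


def average_provisioning_lag_days(accounts, roster):
    """Metric 5: days from the HR start date to the user's first account creation."""
    first_created = {}
    for a in accounts:
        if a["owner"] is not None:
            prev = first_created.get(a["owner"])
            if prev is None or a["created"] < prev:
                first_created[a["owner"]] = a["created"]
    lags = [(first_created[eid] - roster[eid]["start"]).days
            for eid in active_users(roster) if eid in first_created]
    return mean(lags) if lags else None


def sod_violations(accounts, roster, rules=SOD_RULES):
    """Metric 10: toxic combinations evaluated over each user's roles across ALL systems."""
    effective = {}
    for a in accounts:
        if a["owner"] is not None:
            effective.setdefault(a["owner"], set()).update(a["roles"])
    violations = []
    for eid, roles in sorted(effective.items()):
        for toxic, description in rules:
            if toxic <= roles:  # the user holds every role in the toxic set
                violations.append((eid, description, sorted(toxic)))
    return violations


if __name__ == "__main__":
    print("avg credentials/user:", average_credentials_per_user(ACCOUNTS, HR_ROSTER))
    print("uncorrelated:", [a["name"] for a in uncorrelated_accounts(ACCOUNTS, HR_ROSTER)])
    print("orphaned privileged:", [a["name"] for a in orphaned_privileged_accounts(ACCOUNTS, HR_ROSTER)])
    print("avg provisioning lag (days):", average_provisioning_lag_days(ACCOUNTS, HR_ROSTER))
    for eid, desc, roles in sod_violations(ACCOUNTS, HR_ROSTER):
        print(f"SoD violation: {eid} ({HR_ROSTER[eid]['name']}): {desc} via {roles}")
```

Run over a real export, the trend of these counts over successive months is the metric; a single snapshot only tells you where to start cleaning up.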

The original article can be found here.


Travel sector suffering more than most from credit card fraud


Travel companies suffer a higher rate of card fraud than the average UK business as a result of the explosion in card-not-present transactions.

An industry conference in London yesterday was told that overall card fraud is falling, but card-not-present transactions have ballooned and retailers invariably bear the cost of the fraud loss.

Tony Mooney, business development director of merchant acquirer First Data, said:

“As an industry, travel suffers more fraud than average. A lot of travel is sold remotely and that is when the problems with fraud occur.”

Mooney told the Elman Wall travel directors conference at Arsenal’s Emirates Stadium in London that card fraud typically takes place online or over the phone. He said: “These are the safest methods for a fraudster.”

He warned: “If you are defrauded online, it is likely you will pay,”

The value of card-not-present fraud to UK business hit £227 million last year – almost two-thirds of the total card fraud and 236% up on 2001. The overall cost of card fraud fell over the same period.

There are no figures for card fraud specific to travel. However, Trevor Sears, external UK counsel to IATA and partner at law firm Davenport Lyons, confirmed Mooney’s warning. He said: “Travel suffers more than other sectors at the moment.”

Fraud makes up a fraction of the total value of card transactions, however. Total transactions were worth £412 billion last year. Mooney said fraud accounted for about 0.12%.

The original article was published on


The majority of adults are worried about possible exposure of their personal information

According to SailPoint’s Market Pulse Survey, the majority of adults in the United States, Great Britain and Australia are worried about possible exposure of their personal information, and a large percentage of adults have lost confidence in how companies protect their personal information. As an example, 80% of Americans, 81% of Britons and 83% of Australians who have personal medical information are concerned about moving that information to an electronic form because of the risks of identity theft or invasion of privacy resulting from their personal information being exposed on the Internet, to other staff members or even their employers. The frequent incidence of data breaches is reflected in the fact that many adults think they have become commonplace at financial institutions and retailers: 12% of Americans, 8% of Britons and 8% of Australians believe these breaches happen all the time.

“The widespread impact of data breaches like Epsilon and Sony PlayStation, where millions of consumers were impacted around the world, is making customers more cautious about conducting business with certain financial institutions and retailers,” said Jackie Gilbert, vice president of marketing and co-founder at SailPoint. “These companies obviously spent millions to recover from these data breaches, but the longer term and harder-to-measure costs will be the erosion of customer loyalty and decline in brand perception.”

The Market Pulse Survey indicates that a security breach at a financial institution or retailer can severely impact customer loyalty. Case in point: 16% of Americans, 24% of Britons and 26% of Australians said they would no longer do business with a bank, credit card company or retailer if a security breach occurred that potentially exposed their personal and financial information to theft. Within these groups, 10% of Americans, 14% of Britons and 16% of Australians would not only not do business with that organization, but also would tell their family and friends not to do business with that same organization.

In all three regions, the growing use of electronic medical records is a main concern because adults believe that having healthcare organizations manage their personal data electronically exposes them to more threats. Specifically, of the adults in these countries who have personal medical information: 29% of these Americans, 26% of these Britons and 30% of these Australians are most concerned that medical records being made available electronically might result in those records being exposed on the Internet. 35% of these Americans, 33% of these Britons and 37% of these Australians are most concerned about the use of their private information being used to steal their identity. Finally, 10% of these Americans, 14% of these Britons and 11% of these Australians are most concerned about staff members not directly related with their care being able to view their private data.

“Consumers have reason to be concerned about the safety of their personal information and to question how effective organizations are at protecting that information,” continued Gilbert. “In some widely publicized cases, the very basics of user access control were not put in place to safeguard sensitive data, making it child’s play for intruders to gain access to it. SailPoint is working with some of the largest financial services, retail and healthcare organizations around the world to ensure strong controls over data access. Unfortunately, as this survey shows, there is still a lot of work to do to win back customer confidence in light of the number of bad examples across industries.”

Survey background: In the SailPoint Market Pulse Survey, conducted online by Harris Interactive, consumers expressed cynicism about how these organizations are protecting their data and a willingness to leave a business that experienced a breach. The recent online survey was conducted among 2,241 adults in Great Britain, 1,023 adults in Australia and 2,309 U.S. adults. SOURCE: SailPoint


PCI SSC publishes its first set of PCI Point-to-Point Encryption Solution requirements

New requirements focus on hardware-based solutions and support optional scope reduction efforts in a secure, PCI DSS compliant environment

The PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), today announced availability of the first set of validation requirements of its point-to-point encryption program. The PCI Point-to-Point Encryption Solution Requirements document provides requirements for vendors, assessors and merchants that wish to build and implement hardware-based point-to-point encryption solutions that support PCI DSS compliance and offer scope reduction for merchants. Hardware-based P2PE solutions utilize secure cryptographic devices for both encryption and decryption, including at the point of merchant acceptance for encryption and within Hardware Security Modules (HSMs) for decryption.

The PCI Security Standards Council recognizes the potential for new technologies to reduce scope for PCI DSS assessments and provide new ways of securely handling cardholder data. This new document for vendors, assessors and solution providers that play a role in developing, implementing or assessing products, defines requirements for applicable point-to-point encryption (P2PE) solutions, with the goal of reducing the scope of the PCI DSS assessment for merchants using such solutions. Merchants themselves will also find the document a useful resource for understanding more about P2PE and PCI DSS scope. The new requirements do not supersede the PCI Data Security Standard, nor is a merchant mandated to use P2PE technology.

However, merchants interested in this technology are encouraged to consult with the Council’s listing of validated P2PE solutions, targeted for spring 2012, to choose a secure solution that will support compliance with PCI Standards. The new requirements document includes information on:

  • Roles and responsibilities in validating, implementing and assessing hardware based P2PE solutions
  • Six critical domains of hardware-based P2PE that cover: the encryption device and environment, application security, transmission, decryption and key management.
  • Steps required to create and validate a P2PE solution
  • Visual representations of a typical implementation
  • Interrelation between P2PE validation requirements and other PCI Standards such as PTS Point of Interaction (POI), PCI PIN, PA-DSS and PCI DSS

The hardware-based requirements incorporate many requirements and principles covering both physical and logical security that will be familiar to users of other PCI Standards. Requirements focus on securing systems and devices, implementing monitoring and response processes, developing and maintaining secure applications, protecting sensitive data, and using secure cryptographic key management methodologies.

“This is a solid first step in recognizing one popular type of deployment of P2PE solutions,” said Bob Russo, general manager, PCI Security Standards Council. “These P2PE requirements will help vendors, assessors, and merchants that are choosing to use hardware-based versions technology, to build, assess and implement P2PE solutions securely. If implemented in accordance with PCI requirements, P2PE solutions can significantly reduce a merchant’s card data environment, mitigate potential breaches and simplify PCI DSS validation efforts.”

Following the release of this first document the Council will introduce the associated testing procedures before the end of 2011. In addition, the Council will detail training opportunities for assessors and provide a listing of validated solutions on the PCI SSC website in spring 2012. As recently outlined in our program update, additional phases of the point-to-point encryption program this year will focus on requirements for solutions that combine hardware based encryption and decryption through secure cryptographic devices, with software that may manage transaction-level cryptographic keys for decryption. The Council will also continue to explore the development of requirements for pure software solutions that encrypt cardholder data at the point of merchant acceptance, and/or decrypt cardholder data at a host system. Pure software solutions may use software to conduct encryption and decryption, performing cryptographic key management of both the master and transaction keys.


Six Years of Data Breaches including the TOP 10 largest Breaches


The Leaking Vault 2011 report from the Digital Forensics Association has gathered data from studying 3,765 publicly disclosed data breach incidents, and is the largest study of its kind to date. Information was gleaned from the organizations that track these events, as well as government sources. Data breaches from 33 countries were included, as well as those from the United States.

This study covers incidents from 2005 through 2010, and includes over 806.2 million known records disclosed. On average, these organizations lost over 388,000 records per day/15,000 records per hour every single day for the past six years.

The estimated cost for these breaches comes to more than $156 billion to the organizations experiencing these incidents. This figure does not include the costs that the organizations downstream or upstream may incur, nor that of the data subject victims. Further, it is a low estimate of the cost, due to the fact that 35% of the incidents did not name a figure for records lost.

The Hacking vector remains the records loss leader, responsible for 48% of the records disclosed in the study.

  • In 65% of the cases, the data disclosed included the data subject’s name, address and Social Security Number
  • 16% disclosed medical information
  • 15% of the incidents disclosed Credit Card Numbers

Medical disclosures saw a significant increase with the addition of the 2010 data. This is more likely due to the reporting requirement of existing regulations going into effect than any actual increase of incidents. The incidents where criminal use of the data was confirmed increased by 58% from the prior report.

Here is a small sampling of the incidents from the study to put a personal face on the statistics:

  • Three servers from a well-known chain restaurant were charged with using skimming devices to make more than $117,000 in fraudulent charges to customer credit card accounts.
  • A restaurant employee stole customer credit card information and used it to purchase $200,000 of Walmart gift cards.
  • In the span of six months, nine employees of a telecommunications company inappropriately accessed confidential customer account information and used it to make cloned cell phones. Over $15 million of unauthorized phone calls resulted from this scheme.
  • An executive turned himself in to authorities after being accused of selling customer information to identity thieves in exchange for sports tickets and gift cards.
  • The owner of a medical equipment business used Medicare client information to obtain approximately $1.6 million worth of fraudulent claims.
  • The owner of a farm equipment store pled guilty to federal charges, admitting she stole the identities of customers to obtain more than 80 loans worth $1.7 million.

Breach Vectors

There has been a rise in snooping and other inappropriate disclosure where the confidentiality of the data is breached, but the data may not have left the control of the organization; or the act was done with the approval of the organization, but found later to be an inappropriate breach of confidentiality. In a recent case, UCLA Medical Center agreed to pay $865,000 to settle instances where employees snooped on the medical records of celebrities being treated at the facility.

Another example is when the California Department of Health Care Services released confidential and identifying information about HIV positive MediCal recipients to a third party service provider. This was later deemed to be both illegal and unauthorized. To classify these types of cases, the new breach vector of Disclosure has been added to the study beginning with 2011.

The Laptop Vector

Laptops increasingly contain significant amounts of organizational data. They are frequently the sole computer employees use, and come with a hard drive that can contain very large datasets. It is not uncommon for companies to find out after a breach incident that the individual assigned the asset had spreadsheets, and even whole databases, containing sensitive data. When a laptop is issued to an individual, it should be accompanied by a set of rules for the custodian of the device to follow. This should include direction for maintaining physical control offsite (i.e., not leaving it in a vehicle, etc.) and onsite (i.e., locking it to their work surface), as well as controls for when these rules either are insufficient to keep the asset safe, or when the individual does not follow them. Potential controls include encrypting the device, remote wiping capability, tracking/recovery software, etc. The organization has a responsibility to the data subjects to take appropriate steps to ensure their data will not be at risk of disclosure when the unexpected happens.

Of the 3,765 incidents in the study, 719 involved laptops being improperly disposed of, getting stolen, or being lost. In 96% of these incidents, the laptops were stolen. Overall, the laptop vector accounted for 45,500,147 records in the study.

  • The largest quantity of laptops were stolen from the office of the organization suffering the loss. This illustrates the need for locking mechanisms for the laptops when unattended at work.
  • The second largest number of laptops were stolen from inside a vehicle. This is the most preventable, and represents 191 incidents and over 4 million records.

The Hacking Vector

The 2010 data increasingly showed the prevalence of skimmer use. Skimmers are credit card readers that are typically hand held or installed in ATMs and point of sale devices to read the credit card track data and steal it. This was most commonly seen in retail establishments, and especially in restaurants. Anywhere the credit card is taken away from the customer’s control, there is a higher risk that a skimmer might be used by the dishonest. However, this is not to say that the card data is safe when in the control of the customer. Another increasingly common incident is the skimmer installed inside the gas pump. In this case, there is either a skimmer on the outside of the pump (these are becoming very clever and difficult to spot), or there is a device inside the pump where the customer has no hope of detecting it, and it can be wirelessly unloaded by the criminals, posing minimal risk of being caught.

The Large Incidents (Involving over 1 Million Records)

Only 66 of 3765 incidents involved over 1 million records. However, those 2% of incidents made up 91% of the records disclosed over the study. The top vector for large incidents was the Hack vector, claiming 29% of the incidents. The Drive/Media vector took 22% of the incidents, with the Fraud – SE vector accounting for 17%.

Breach Vectors of the Ten Largest Incidents (2005 – 2010)

Organization                       Records       Vector
Heartland Payment Systems          130,000,000   Hack
TJX Companies                       94,000,000   Hack
Facebook                            80,000,000   Web
National Archives                   76,000,000   Drive/Media
Card Systems                        40,000,000   Hack
RockYou, Inc.                       32,000,000   Hack
U.S. Dept. of Veterans Affairs      28,600,000   Laptop
H.M. Revenue and Customs            25,000,000   Drive/Media
iBill                               17,781,462   Fraud-SE
TMobile                             17,000,000   Drive/Media

Criminal Use

Criminal or malicious motivation in attacks makes for more expensive breaches. This is true both for the organizations who suffer them, and the people whose data is compromised. Between 2005 and 2010, 396 cases were confirmed to have involved data used for criminal activity. This is a difficult metric to track, since the criminal activity associated with breaches shows that the data is commonly sold and resold.

The crime where the perpetrator has a direct connection to the victim is most frequently where the arrest is reported with the event. To that end, the Fraud-SE category is represented by a much higher margin than some of the vectors that have generated these large scale data disclosures.

Credit Cards

There were 558 incidents where CCN data was involved. They accounted for almost 330 million records. The median records disclosed was 1,000; and 45% of the incidents did not list how many records were disclosed. These records should fall under the Payment Card Industry’s Data Security Standard (PCI-DSS), and the organizations that have experienced these incidents will have to undergo further scrutiny to prove they are compliant with this standard.

The ID Theft Critical Data Elements

The Identity Theft critical data elements are those that, in combination with the Name and Address, facilitate the commission of identity theft and financial fraud—namely the SSN and date of birth. In TLV, we looked at the incidents with these three data items all lost in the same event. At the time of that study, there were only 262 incidents that contained all three items. In contrast, there are now a total of 1,084.

As you can see in the figure below, the Business sector shows a substantial increase. It has gone from 168 incidents in the prior study to 850. However, in only 13% of these cases where the combination of data puts the subject victim into the worst position possible, are these organizations confirmed to have offered credit monitoring. Now, there are a large number of unknowns in this area as well—in the majority of the cases, the reports simply do not say one way or the other whether this service is offered. This is a metric primarily gleaned from the original data breach notification letters obtained through either FOIA requests or from those government entities that are directly posting the original documents as part of the event report. For instance, in the Business sector, 38 cases are confirmed that the service definitely is not offered. In the remaining 701 records, the credit monitoring status is not provided.

Estimated Cost of Data Breaches/Year

Year    Records Disclosed   Cost Per Record   Total Breach Cost
2005           68,555,563           $138.00    $9,460,667,694.00
2006           80,377,865           $182.00   $14,628,771,430.00
2007          164,813,878           $197.00   $32,468,333,966.00
2008          182,707,769           $202.00   $36,906,969,338.00
2009          261,759,494           $204.00   $53,398,936,776.00
2010           48,080,863          $204.00*    $9,808,496,052.00
Total         806,295,432                    $156,672,175,256.00
*Cost figure from 2009.

The full Leaking Vault 2011 report can be found here.


CIOs Optimistic About Information Security

PwC have released their 2012 Global State of Information Security Survey.

The survey is a worldwide security survey by PwC, CIO Magazine and CSO Magazine. It was conducted online between February 10 and April 18, 2011. Survey respondents were from around the globe and were invited via email to take the survey. The results discussed in this report are based on the responses of more than 9,600 CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents and directors of IT and information security from 138 countries. Twenty-nine percent (29%) of respondents were from North America, 26% from Europe, 21% from South America, 20% from Asia, and 3% from the Middle East and South Africa. The margin of error is less than 1%.

Threats to security, like the weather, are hard to predict. Many executives point to the sunshine and clear skies overhead. Others eye the low barometric pressure.

The survey produced 17 findings. The findings are summarised below:

A world of front-runners: Respondents categorize their organization

Finding #1 This year, a surprisingly high percentage of respondents consider their organization, in effect, a “front-runner” in information strategy and execution.

Finding #2 These “front-runners” see client requirement as the greatest justification for information security spending—and are passionate about protecting data.

Finding #3 Curiously, “strategists” are far more likely to clamp down on funding for information security than any of the other three groups.

Confidence and progress: A decade of maturation

Finding #4 A clear majority of respondents are confident that their organization’s information security activities are effective.

Finding #5 Companies now have greater insights than they’ve ever had into cyber crimes and other incidents and they’re translating this information into investments specifically focused on three areas: prevention, detection and web-related technologies.

Finding #6 After three years of cutting information security budgets and deferring security related initiatives, respondents are “bullish” about security spending.

Vulnerability and exposure: Capability degradation since 2008

Finding #7 One of the most dangerous cyber threats is an Advanced Persistent Threat attack. Few organizations have the capabilities to prevent this.

Finding #8 After three years of economic volatility and a persistent reluctance to fund the security mission degradation in core security capabilities continues.

Finding #9 Managing the security-related risks associated with partners, vendors and suppliers has always been an issue. It’s getting worse.

Finding #10 That 72% worldwide confidence rating in security practices may seem high but it has declined markedly since 2006.

Windows of improvement: Where the best opportunities lie

Finding #11 What are the greatest obstacles to effective information security? Leaders point to the lack of capital, among other factors—and shine the spotlight hottest at the “top of the house.”

Finding #12 Mobile devices and social media represent a significant new line of risk and defense. New rules are in effect this year for many organizations, though not yet the majority.

Finding #13 Cloud computing is improving security. But many want better enforcement of provider security policies, among other priorities.

Global trends: Asia races ahead while the world’s information security arsenals age

Finding #14 For several years, Asia has been firing up its investments in security. This year’s results reveal just how far the region has advanced its capabilities.

Finding #15 As North American organizations continue their reluctance to fund security’s mission at levels that they have in the past, capabilities continue to degrade.

Finding #16 In the face of economic uncertainty and in spite of a portfolio of security capabilities in decline, Europe pulls the purse strings even tighter.

Finding #17 Like most of the world, South America’s armory of information security defenses is rusting. As the region’s confidence in its security plummets, it thirsts for cash.

What this means for your business: Look at the leaders. Learn from what they have done and how they are electing to address the future.

Find the full details of the report here.


Test your IT Security and ID Theft Knowledge


Preparation is often the best way of ensuring you have the right protection.

The Consumer Federation of America have worked to put together some excellent quizzes that will help you understand the potential impact of an Identity Theft and several IT Security threats and risks.

Test your Identity Theft knowledge by participating in any or all of the following Identity Theft Quizzes.

  1. Pretend that your identity’s been stolen and learn how to get it back by correctly answering questions in the Federal Trade Commission’s ID Theft Face-Off Quiz.
  2. Learn how to keep your wireless Internet connection secure and fend off intruders by taking the Federal Trade Commission’s Invasion of the Wireless Hackers Quiz.
  3. Don’t let spyware sneak onto your computer to give others a peek at information you enter online. Get wise to the spyware guise by taking the Federal Trade Commission’s Beware of Spyware Quiz.
  4. The techie spy and his cunning crew are out to get your personal information. Stop them cold and prove you’re ready to protect yourself online by cracking the Federal Trade Commission’s Case of the Cyber Criminal Quiz.
  5. You’re in big trouble at work because your laptop’s been stolen and the information on it wasn’t secure. It won’t happen again if you take the Federal Trade Commission’s Mission: Laptop Security Quiz.
  6. Phishers are looking to lure you into providing your personal information with bogus emails and pop-ups. Will you take the bait or live to swim another day? Find out by taking the Federal Trade Commission’s Phishing Scams Quiz.
  7. Identity thieves use many methods to steal your key personal and financial information to sell, use to drain your accounts, or set up new accounts using your good name. How much do you know about identity theft, related fraud, and how to reduce your risks? Find out and have some fun by taking the University of Oklahoma Police Department’s Identity Theft and Fraud Quiz.
  8. Are you at risk for identity theft? Take the Privacy Rights Clearinghouse Identity Theft IQ Test to see how you rate.
  9. Identity theft affects people of all ages, including children. Test your knowledge of child identity theft by taking the Identity Theft Risk CheckSM Quiz, a quiz designed by the National Sheriffs’ Association and the National Foundation for Credit Counseling.


ICO takes action against the Child Exploitation and Online Protection Centre and the Serious Organised Crime Agency


The Information Commissioner’s Office (ICO) has taken action against the Child Exploitation and Online Protection Centre (CEOP) and its parent organisation, the Serious Organised Crime Agency (SOCA), after the discovery of a security flaw on CEOP’s website, the ICO said today.

On 6 April, the ICO received a complaint from an individual who noticed that the information submitted using the online form on the CEOP website was not encrypted. The security problem meant that the details – some of which were sensitive – would have been vulnerable while they were being transmitted to CEOP’s servers.

The ICO’s investigation found that the form had been insecure for several months following the launch of the new CEOP website, although there was no evidence to suggest that any attempts had been made to access the information. Both organisations have now taken action to improve the security of the CEOP website in order to keep the personal information they handle secure.
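The flaw described above is a form that carries user input over an unencrypted connection. As an added example (not CEOP’s, SOCA’s or the ICO’s code), the following check parses a page’s HTML, resolves every form’s action URL and flags any form that would send its fields over plain HTTP; the hostnames and the sample page are constructed placeholders.

```python
"""Flag HTML forms that would submit user data unencrypted.

Added example; the sample HTML and hostnames below are constructed
for illustration and are not taken from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form> with its resolved action URL and named fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page URL itself.
            action = attrs.get("action") or self.page_url
            self._current = {
                "action": urljoin(self.page_url, action),
                "method": (attrs.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            # Buttons and hidden fields carry no user-typed data.
            if (attrs.get("type") or "").lower() in ("submit", "button", "hidden"):
                return
            name = attrs.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(page_url, html):
    """Return findings for forms that would carry user input unencrypted.

    A form is reported if its resolved action is not https, or if the page
    carrying it is itself served over plain http (the form markup could then
    be altered in transit before the user ever submits anything).
    """
    page_scheme = urlsplit(page_url).scheme.lower()
    parser = FormCollector(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        action_scheme = urlsplit(form["action"]).scheme.lower()
        reasons = []
        if action_scheme != "https":
            reasons.append("action submits over " + (action_scheme or "unknown scheme"))
        if page_scheme != "https":
            reasons.append("page served over " + page_scheme)
        if reasons:
            findings.append({"action": form["action"], "method": form["method"],
                             "fields": form["fields"], "reasons": reasons})
    return findings


# Constructed sample: an https page whose report form posts to an http endpoint.
SAMPLE_PAGE_URL = "https://www.example.invalid/report"  # placeholder host
SAMPLE_HTML = """
<html><body>
  <form action="http://forms.example.invalid/submit" method="post">
    <input name="reporter_name" type="text">
    <input name="reporter_email" type="email">
    <textarea name="details"></textarea>
    <input type="submit" value="Send">
  </form>
  <form action="/search" method="get">
    <input name="q" type="text">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for f in insecure_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{f['method'].upper()} {f['action']} sends {f['fields']}: {'; '.join(f['reasons'])}")
```

Running such a check against each deployed page is one way to meet the regular-testing commitment in the undertaking below; it does not replace checking the TLS configuration of the endpoint itself.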

Acting Head of Enforcement, Sally Anne Poole said:

“Organisations must make sure that any personal data transmitted electronically is adequately protected. While there is no evidence to suggest that attempts have been made to access any of the information, it is highly likely that it would have been sensitive in nature and should not have been compromised by insufficient IT security measures.

We are pleased that CEOP and SOCA have taken action to make sure that all of the information sent in by members of the public remains secure.”

Peter Davies, Chief Executive Officer of CEOP, and Trevor Pearce QPM, Director General of SOCA, have jointly signed an undertaking to ensure that CEOP’s website is regularly tested so that the personal data they process remains secure and potential weaknesses are immediately identified. CEOP will also introduce recommendations included in a recent Information Security Review and continue to make sure that they are followed.


Merchants are more concerned about their brand than PCI fines


A joint CyberSource and Trustwave survey has shown that nearly 70% of Merchants cited the need to “protect the brand” as the primary driver for tightening controls against hackers and other payment security risks.

Only 26 percent said avoiding fines resulting from non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) were the key motivator.

A few highlights from the report include:

  • Brand Protection is Key Driver of Investment: The need to protect the organization’s brand and its revenues was given as the primary driver for investment in payment security.
  • Threat from External and Internal Sources Perceived as Equal: While the successes of external hackers often make headlines, employees can be an equally damaging source of risk. The survey found that organizations perceive the threats from internal and external sources as being nearly equal.
  • Trend Towards Remote Data Storage: With the need to secure payment data and efficiently comply with PCI DSS, organizations are planning to shift their payment data security approach from an on-site strategy to a remote one. Those organizations that had already made the shift reported shorter time-to-compliance and fewer full-time equivalent employees managing payment security.
  • Payment Security Cost and Complexity Expected to Increase: Most survey respondents expect that the technological complexity, cost, and resources required to manage payment security will increase over the next 24 months.

A breach has serious consequences for nearly every division of an eCommerce merchant’s organization,” said Dayna Ford, Senior Director, Product Management at CyberSource. “But by far the most damaging impact is to the company’s brand, affecting revenue, customer loyalty, and even stock valuation. Knowledge of this phenomenon is now widespread, so we’re not surprised at the survey finding that puts brand integrity as the most important rationale for payment security investment.”

In the face of increasing numbers of security breaches and data theft, there’s a real urgency for organizations to deploy powerful and effective security strategies,” said James Paul, Senior Vice President of Global Compliance Services at Trustwave.  “Studies like ‘The Payment Security Practices and Trends Report,’ published today, should help organizations learn best practices and likely costs to attain appropriate levels of security.”

Selected survey findings

  • Data moving out:  Over the next 24 months, an increasing proportion of organizations expect to remove payment data from their environment as a way of reducing security risks.
  • Efficiency improving: Organizations that do not capture, transmit, or store data inside their own network tend to employ fewer personnel, validate PCI DSS compliance more quickly, and operate at a lower overall cost of payment security management.
  • “Data out” merchants spend less on infrastructure: 75 percent of PCI DSS Level 1 merchants  that have removed payment data from their environments spend less than $500,000  on their payment security infrastructure.  Only 60 percent of those that keep data in-house can make that claim.
  • Risk not confined to outsiders:  In one counter-intuitive finding, respondents said they felt the threat of payment data theft from inside employees was about equal to the threat from external hackers.

Read the full report here, registration is required.

Learn more about the Payment Card Industry Data Security Standard (PCI DSS) by visiting my PCI DSS Resources page here.


Five Ways to Fall Victim to Credit Card Fraud


Originally published on September 09, 2011 by Fox News, this article by Lora Shinn is a simple but effective guide to avoiding becoming another victim of credit card fraud.

Review these mistakes to avoid becoming a victim of debit or credit card fraud.

1. Failing to Look for Skimmers

Thieves may attach skimming devices to the exterior of an ATM or point-of-sale terminals requiring a PIN, or personal identification number. It’s worth the few seconds it takes to glance before you swipe.

“Always take a look at the machine to see if there (are) any visible traces of activity, such as glue or scuff marks or loose bits around the PIN pad or the place where you insert your card,” says Manisha Thakor, co-author of “On My Own Two Feet: A Modern Girl’s Guide to Personal Finance.” “Those are telltale signs that an attempt may have been made to attach a skimmer.”

She says you should pay close attention when you’re visiting an ATM in a low-traffic locale, where it’s easier for someone to attach a device. When in doubt, use a different ATM.

2. Banking Online in a Cafe

You may have free Wi-Fi access at your favorite coffee shop, but you might not want to use it to check the balance in your savings account. If you’re using an open wireless network, it’s easier for hackers to intercept online transactions, passwords and other private business.

“It’s not the time to do financial business, your online banking or your shopping,” says Marian Merritt, a Norton Internet safety advocate at Symantec, a manufacturer of security software.

That goes for websites that start with HTTP and HTTPS as well because you don’t know how securely the coffee shop, hotel or other free Internet access point is set up. Hackers can set up “man in the middle” attacks to grab your passwords, card number and other information while you’re on the public network. So enjoy the latte and save checking your credit card statement for later.

3. Responding to Phishing Messages

If you receive a text message on your phone from your bank, and it asks you to log into your card account immediately, but you didn’t contact the bank, raise your mental drawbridge. The same goes for a message that arrives via Facebook, Twitter or any other mode of communication.

“Any unsolicited phone call, email, text or social media message could be a phishing attempt,” says Erik Mueller, vice president of payment system integrity at MasterCard Worldwide. “Be skeptical of these messages, especially if they request credit or debit card data or personal information, or link to another website or Web page.” With the right data, a phisher will quickly find a way to commit credit card fraud.

If you think the message might be legitimate or you have concerns about fraud, contact your issuer directly using the customer service phone number on the back of your debit or credit card.

4. Ignoring Your Rights and Responsibilities

If you’ve lost your credit or debit card, suspect it was stolen or think someone has lifted your number off the Internet, call your card issuer immediately. Credit cards offer the greatest protection against fraud. Most card issuers provide zero-liability fraud protection, and federal law says once you report the loss or theft, you have no further responsibility for unauthorized charges. Your maximum liability under federal law is $50 per card.

With debit cards, your responsibilities and rights change. While you may have zero-liability fraud protection on your debit card, it may not apply to PIN-based transactions or ATM withdrawals. Federal law also has some caveats when it comes to debit card fraud protection. If someone made fraudulent purchases with the debit card data and you don’t report the theft immediately, your liability could skyrocket, especially if you wait longer than 60 days to report it. In addition, if a thief uses your debit card to drain your bank account, you’ll be short on cash while your bank investigates.

5. Not Using Free Fraud Protection

Additional fraud protection is available for free by numerous card issuers and financial institutions, though most require a little investigation or enrollment. For example, the Verified by Visa program sets up Visa cardholders with an additional password they can use to shop at participating online merchants. MasterCard SecureCode works similarly. It requires the user to enter the correct PIN during checkout at a participating online retailer.

Another option: Try one-time or “virtual” credit card numbers, which are offered by some banks such as Citibank and Bank of America. These numbers are used for only one purchase and then are no longer usable, so you don’t have to worry they’ll be swiped and reused by a fraudulent user.

You can also minimize debit and credit card fraud by making use of free account alerts, which notify you when certain transactions or changes occur, such as a transaction for more than a certain dollar amount or a purchase made overseas.

Check your bank or card issuer’s site to find out whether they participate in these programs and services.

The original Fox News post can be found here.


FBI Releases Bank Crime Statistics for Second Quarter of 2011


Whilst not strictly an IT Security or Compliance story, the statistics are very interesting, in particular the breakdown of who has done what and where, which is contained in the full report that can be found here.

During the second quarter of 2011, there were 1,023 reported violations of the Federal Bank Robbery and Incidental Crimes Statute, a decrease from the 1,146 reported violations in the same quarter of 2010. [1]

According to statistics released by the FBI, there were 1,007 robberies, 15 burglaries, one larceny, and two extortions of financial institutions [2] reported between April 1, 2011 and June 30, 2011.

Highlights of the report include:

  • Loot was taken in 91 percent of the incidents, totaling more than $7.8 million
  • Of the loot taken, 23 percent of it was recovered. More than $1.8 million was recovered and returned to financial institutions
  • Bank crimes most frequently occurred on Friday. Regardless of the day, the time frame when bank crimes occurred most frequently was between 9:00 a.m. and 11:00 a.m
  • Acts of violence were committed in 4 percent of the incidents, resulting in 31 injuries, one death, and three persons taken hostage [3]
  • Demand notes [4] were the most common modus operandi used
  • Most violations occurred in the Southern region of the U.S., with 373 reported incidents

These statistics were recorded as of August 2, 2011. Note that not all bank crimes are reported to the FBI, and therefore the report is not a complete statistical compilation of all bank crimes that occurred in the U.S.

[1] In the second quarter of 2010, there were 1,135 robberies, 11 burglaries, zero larcenies, and one extortion reported
[2] Financial institutions include commercial banks, mutual savings banks, savings and loan associations, and credit unions
[3] One or more acts of violence may occur during an incident
[4] More than one modus operandi may have been used during an incident


13% of Britons are “casual hackers” and 16% have been hacked…


CPP Group Plc, a “life assistance company”, has published its research into people accessing other people’s data without their permission, also known as hacking.

The results are alarming, with “13% admitting they have accessed someone else’s online account details without their permission”.

CPP have coined the term “casual hacking” with Facebook and similar social sites being the most targeted. Further research results are below:-

  • 32% casually dismissed their hacking as something they did ‘just for fun’
  • 29% admitted they did it to check up on their “other half”
  • 8% admitted they were checking on a work colleague
  • 2% were not just “spying”, they were aiming to make a financial gain

16% of people have had their own online password-protected information accessed without their permission

Of those who have had their data accessed

  • 24% have had their personal e-mails accessed
  • 7% claim to have had their work e-mails accessed
  • 19% say their eBay accounts have been hacked
  • 16% had their social networking profiles hacked
  • 10% claim to have had money or a loan taken out in their name

Identity fraud expert from CPP, Danny Harrison said: “People may dismiss checking up on their friend or partner’s accounts as a bit of fun, but in reality they are hacking. Looking at someone’s personal information without their knowledge is a serious act and one that could have serious repercussions both personally and professionally. We would urge everyone to be very careful about sharing passwords and to be vigilant about monitoring their accounts.”

The CPP research also polled the “casual hackers” about their knowledge and attitudes towards tutorials and hacking advice being available on the internet.

  • 17% of people are aware of their existence
  • 87% agree that this kind of material should not be available online
  • 63% think ‘hacking’ tutorials should be removed from the internet
  • 56% say the Government should take action to remove ‘hacking’ tutorials from the internet
  • 59% feel these videos and step-by-step guides increase the risk of identity fraud

Danny Harrison continued: “Hacking presents a risk to consumers and businesses and it is important people take the necessary steps to protect their identities and manage any compromised data. People are concerned about their password protected information being accessed without their permission and we are calling on the Government to review access to these online hacking lessons.”

CPP have produced their top tips on protecting your information from hackers:

  1. Change your passwords regularly – the longer and more obscure, the better
  2. Leave a website if you notice strange behaviour (unknown certificates, pop-ups etc.)
  3. Avoid transmitting sensitive data over public (free or otherwise) Wi-Fi
  4. When seeking Wi-Fi connections: know who you are connecting to, be wary of free Wi-Fi access
  5. If using a Smartphone: disable Wi-Fi ‘auto-connect’
  6. If you are concerned about identity fraud, consider purchasing an identity fraud protection product to help you detect, prevent and resolve any incidence of the fraud

CPP’s website can be found here.


Who has the Information Commissioner caught in the last 3 months ?


On the 7th September, the Information Commissioner’s Office (ICO) announced the results of its investigation, which found that the University Hospital of South Manchester NHS Foundation Trust had breached the Data Protection Act after it lost the personal data of 87 patients.

The information was lost after a medical student, who had been on a placement at the hospital’s Burns and Plastics Department, copied data onto a personal, unencrypted memory stick for research purposes. The student then lost the memory stick during a subsequent placement in December last year.

The ICO’s investigation uncovered that the hospital had “assumed” that the student had received data protection training at medical school and therefore did not provide them with the induction training given to their own staff.

Sally Anne Poole, Acting Head of Enforcement said: “This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature. Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations. NHS bodies have a duty to make sure their staff, both permanent and temporary, understands their responsibilities on day one in the job.

“While we are pleased that the University Hospital of South Manchester has taken action to avoid this oversight in the future, we will continue to work with healthcare bodies and education providers to make sure that data protection training is a mandatory part of people’s education.”

The London Ambulance Service, which breached the Data Protection Act after a personal laptop was stolen from a contractor’s home, agreed a further undertaking. The laptop contained contact details and transport requirements relating to 2,664 patients who had previously used the Patient Transport Service. The Trust has now taken action to ensure that contractors are made aware of its existing policy on the use of personal data, which states that staff should not store patients’ information on their personal computers.

The list of ICO actions during the last 3 months is below:-

7 September 2011

  • An undertaking to comply with the seventh data protection principle has been signed by London Ambulance Service NHS Trust. This follows the theft of a personal unencrypted laptop containing patient data.
  • An undertaking to comply with the seventh data protection principle has been signed by University Hospital of South Manchester NHS Foundation Trust. This follows the loss of an unencrypted memory stick containing personal information relating to approximately 87 patients.

2 September 2011

  • An undertaking to comply with the seventh data protection principle has been signed by the Scottish Children’s Reporter Administration. This follows the sending of an email containing sensitive personal data relating to a child’s court hearing to an unknown third party and the temporary loss of 9 case files relating to the safety and welfare of children during an office move.
  • An undertaking to comply with the seventh data protection principle has been signed by Luton Borough Council. This follows a self reported breach concerning a flaw in the encryption function of a number of Council issue memory sticks. The flaw could allow memory sticks to be formatted removing encryption protection.

10 August 2011

  • An undertaking to comply with the seventh principle of the DPA has been signed by the London Borough of Greenwich. This follows two incidents where sensitive personal data was inadvertently disclosed, due to the Council’s failure to implement appropriate wording in their ICT policy, stating that the sending of sensitive personal data in business related emails to external webmail addresses should be avoided.

9 August 2011

  • An Undertaking to comply with the seventh data protection principle has been signed by Lush Cosmetics Ltd. This follows a malicious intrusion on their website which compromised approximately 5000 customer credit cards.

8 August 2011

  • An undertaking to comply with the seventh data protection principle has been signed by Bay House School after the personal details of nearly 20,000 individuals, including some 7,600 pupils, were put at risk during a hacking attack on its website.

5 August 2011

  • An undertaking to comply with the seventh data protection principle has been signed by HCA International Limited. This follows the theft of two unencrypted laptops containing sensitive personal data from one of the group’s hospitals in March.

4 August 2011

  • An undertaking to comply with the seventh data protection principle has been signed by the Chief Executives of Lewisham Homes Limited (the ICO website has Lewisham Council listed, which is incorrect) and Wandle Housing Association. This follows the discovery of an unencrypted USB stick containing thousands of tenant records and financial data in a London pub.

29 July 2011

  • An undertaking to comply with the seventh data protection principle has been signed by Kirklees Metropolitan Council. This follows the inappropriate disclosure of personal data by care workers contracted by Kirklees Metropolitan Council.

20 July 2011

  • An undertaking to comply with the seventh data protection principle has been signed by the University of York after it failed to close a test area on its website that contained thousands of students’ personal details. While no direct link was available for the test area from the University’s website, 148 records were inappropriately accessed.

19 July 2011

  • An undertaking to comply with the seventh data protection principle has been signed by Lancashire Police Authority (LPA). This follows the inappropriate disclosure of personal data on the LPA’s website containing sensitive personal data.

18 July 2011

  • An undertaking to comply with the seventh data protection principle has been signed by Northamptonshire Healthcare NHS Foundation Trust. This follows the loss of one individual’s medical records.

5 July 2011

  • An undertaking to comply with the seventh data protection principle has been signed by Ms Raisa Saley, Barrister at law, further to the loss of a bundle of court papers which contained a considerable volume of sensitive personal data relating to a number of individuals from the same family.

1 July 2011

  • An undertaking to comply with the seventh data protection principle has been signed by Basildon and Thurrock University Hospitals NHS Foundation Trust. This follows the transmission of a fax containing sensitive personal data to the wrong recipient.
  • An undertaking to comply with the seventh principle of the DPA has been signed by Dunelm Medical Practice, further to the inappropriate facsimile transmission and subsequent disclosure of two patients’ electronic discharge letters, which contained sensitive personal data, including medical information.
  • An undertaking to comply with the seventh data protection principle has been signed by East Midlands Ambulance Service NHS Trust. This follows the transmission of a fax containing sensitive personal data to the wrong recipient.
  • An undertaking to comply with the seventh data protection principle has been signed by the Ipswich Hospital NHS Trust. This follows the discovery of 29 patient records containing sensitive personal data in a public place.
  • An undertaking to comply with the seventh data protection principle has been signed by Lancashire Teaching Hospitals NHS Foundation Trust. This follows the faxing of sensitive personal data to a member of the public on more than one occasion.

28 June 2011

  • An undertaking to comply with the seventh data protection principle has been signed by Cherubs Community Playgroup. This follows the theft of an unencrypted laptop containing personal information relating to approximately 47 families.

14 June 2011

  • An undertaking to comply with the seventh data protection principle has been signed by CCTV monitoring website Internet Eyes Limited. This follows a complaint about a clip posted on video sharing website YouTube that contained an identifiable image of a person in a shop. The clip appeared to have been uploaded by a viewer who had used the CCTV footage streamed to their computer from the Internet Eyes website.
  • An undertaking to comply with the seventh data protection principle has been signed by Surbiton Children’s Centre Nursery. This follows the theft of a teacher’s bag containing an unencrypted memory stick and paperwork.

8 June 2011

  • An undertaking to comply with the seventh data protection principle has been signed by North Lanarkshire Council. This follows the theft of hard copy documents containing sensitive personal data.

The Commissioner was also very busy prior to the dates above but for the purposes of consolidation I have only included the last 3 Months worth.


9 steps to take if your credit card data is hacked


Lisa Bertagnoli has produced a list of the 9 things you should do if your credit card is hacked, stolen, cloned or otherwise dealt with in a criminal fashion.

As a checklist it contains some excellent advice, not just for credit card security but for all your data.

1. Make sure there’s really been a breach. “When you get the scary communication, make sure it’s legitimate,” says Steven Weisman, a Boston-based attorney and author of “The Truth About Avoiding Scams.” “People get phony security notifications and that can turn into identity theft,” he says. His advice: Don’t trust email, the U.S. mail or even a phone call. Call your bank yourself to confirm a breach.

2. Find out exactly what information was stolen. “There’s a big difference between a credit card and checking account,” says Jeremy Miller, director of operations for Kroll’s Fraud Solutions, a division of Kroll Inc., a Nashville-based security company. With a credit card account, consumers are responsible (in most states) for only $50 of unauthorized charges. However, most banks will forgive that, particularly if the breach is their fault. “But a checking account is different — you might get your account cleaned out,” Miller says.

3. Find out what your bank will do. In late June, thieves breached CitiGroup’s database, accessing 360,000 records and stealing a total of $2.7 million from 3,600 credit card holders. The bank agreed to compensate the cardholders. Other banks may offer a free credit monitoring service that alerts customers about activity over a certain dollar amount. Use them, advises Ed Bellis, CEO of HoneyApps, a Chicago-based data security firm.

“The best thing consumers can do is have alerts and triggers on their credit card and bank statements,” Ed Bellis says.

Such alerts will tip you off to fraudulent activity before it spins into major trouble. Keep in mind that the free alert offer will expire; find out when so you don’t end up paying an automatic monthly fee.

4. Cancel your cards. If the bank didn’t do so automatically after the breach, do it yourself. Cancel your credit cards and debit cards that were issued by the institution that suffered the breach. Be sure to notify companies that have your card on file for automatic monthly fees, say for website hosting or a newspaper subscription, that your card was cancelled.

5. Reset your passwords, and make them challenging. Weisman says that “123456” and “password” are the most common passwords: Easy for good guys to remember, easy for bad guys to steal with. Avoid choosing easily findable information, such as your birthday or street address. Choose something more obscure, and make the password a mix of letters and numbers. For extra security, create a different password for each account. Just make sure to write them down and store them in a safe place, such as a home lockbox.

6. Monitor credit card statements closely. Bellis says thieves love to test the viability of accounts with a small purchase, say a 99-cent iTunes download. Review every statement, each purchase, each charge, to make sure you or a household member with access to your card made that purchase. If you see an unauthorized charge, report it to the card issuer immediately.

7. Pull your credit reports. Federal law requires the three main credit bureaus, TransUnion, Equifax and Experian, to give you a free credit report if your account information has been stolen. Review each report carefully for errors or fraudulent activity; if you find any, go to the reporting institution and fix them. If there’s a chance your Social Security number has been stolen, put a security freeze on your files. At minimum, issue a fraud alert, suggests Sheila Adkins, spokeswoman for the Council of Better Business Bureaus, Arlington, Va.

8. Beware of email asking for personal, financial or account information.

“Legitimate companies you rely on for your online shopping, financial needs and college tests will not request this information, they already have it,” Adkins says.

If you want to communicate with an online company, find its website and use that website’s contact information.

9. Tighten up your own security. This won’t keep your data safe if someone hacks into some other company’s database, but it’s a smart move anyway. Update your home computer’s security. Don’t click on links sent by strangers; such links can contain invisible malware that will monitor your computer’s keystrokes and thus steal passwords. If you bank online, dedicate a browser to online banking, and use it for nothing else. “You have to have data and information discipline,” says Daniel Mohan, president and chief operating officer of ID Watchdog, a Denver-based data monitoring, detection and resolution firm.

The original article is here.


How advanced attacks succeed, despite $20B spend on enterprise IT security


FireEye has recently released their research into why IT Security attacks continue to be successful despite an annual IT Security spend of $20 billion.

A summary of the key findings of the FireEye research is below:

1) 99% of enterprises have a security gap, despite $20B spent annually on IT security. Within a given week, the typical enterprise network has anywhere from hundreds to thousands of new malicious infections and all industries are under sustained attack.

2) 90% of malicious executables and malicious domains changed in just a few hours. The dynamic nature of modern attacks is the primary means to bypass signature-based tools, making defenses such as antivirus and URL blacklists ineffective.

3) The fastest growing malware categories are Fake-AV programs, which are part of an extortion tactic, and info stealers, which exfiltrate information.

4) The top 50 out of thousands of malware families account for 80% of successful infections. Sophisticated toolkits and other means are enabling the rapid production of advanced malware.

Extended details on the four findings:

Finding 1: 99% of enterprise networks have a security gap despite $20B spent annually on IT security.

Despite the massive investment in IT security equipment each year, FireEye’s analysis of its MPS deployments shows that essentially all enterprises are compromised with malware: 99% of enterprises had malicious infections entering the network each week, and 80% of enterprises faced more than one hundred infections per week, with many in the thousands per week. The median weekly infection caseload was 450 infections per week (normalized per Gbps of traffic), with wide variations.

These are all events that have made it through standard gateway defenses, such as firewalls, next-generation firewalls, IPS, antivirus, email and web security Gateways. These malicious events make it through because traditional security systems either rely on signatures, reputation and crude heuristics or were originally designed for policy control. They no longer keep up with the highly dynamic, multi-stage attacks that have become common today for targeted and APT attacks.

Even the most security-conscious industries are fraught with dangerous infections.

Every company studied, in every industry, appears to be vulnerable and under attack. Even the most security-conscious industries, such as financial services, health care and government, which hold intellectual property and personally identifiable information and face compliance requirements, show a significant infection rate.

Based on this data, FireEye see that today’s cyber criminals are nearly 100% effective at breaking through traditional security defenses in every organization and industry, from the security-savvy to the security laggards.

Today’s attacks also exhibit a global footprint with infected sites, malicious servers, and callback destinations distributed around the world.

Finding 2: Successful attacks employ dynamic, “zero-day” malware tactics. 90% of malicious binaries and domains change in just a few hours; 94% within a day.

FireEye’s Q2 2011 data showed that 90% of both malicious binaries (MD5 hash files) and malicious domains (URLs hosting malware) changed almost immediately, and 94% changed within a day. This dynamism increased noticeably from Q1 to Q2 2011.

FireEye believe the daily morphing of malicious binaries and domains is timed to stay ahead of the typical practice of daily DAT and blacklist/reputation updates, enabling the malware to remain undetected and its communications unblocked.

Those that change within a few hours stay ahead of centralized “real-time” threat intelligence services that assess risk based on signatures, reputation, and behavior. Those that change once a day stay ahead of defenses that use scheduled daily updates.

Malicious executables are constantly being repacked to appear new each time. Most of the MD5s FireEye observed are so dynamic that they persist for an hour or less, or are seen just once. The curve has moved noticeably up and to the left from Q1 to Q2, indicating that a smaller fraction of malware samples remain unchanged over the course of days (this is despite the Q2 sample being larger than the Q1 sample, which widens the view into malware behavior). It is also striking that the curve steps up at each 24-hour interval, indicating that some malware authors use an integer number of days as the expiration time before they generate a new packing.

Note that FireEye are not implying that all malware attacks are dynamic, just that the successful attacks penetrating through the signature and reputation-based defenses use dynamic tactics to defeat those static defenses.

Therefore, FireEye believe that dynamic binaries and dynamic domains form the core of today’s advanced, zero-day malware tactics. Cybercriminals are moving quickly and building manoeuvrability into their tools and operations.

In part, the move to malware dynamism explains the rapid expansion in botnets. For example, criminals need more IP addresses (aka bots or zombies) to evade signature and reputation-based filters.

Another conclusion from these findings is that network defenses must tool up for constant change and resilience. Countermeasures must be designed for highly dynamic threats across vectors, such as Web and email. FireEye also see a trend in which organizations must treat every attachment or Web object as suspicious.

Finding 3: The fastest growing malware categories are Fake-AV programs and Info-stealer executables.

While malware programs have multiple capabilities, the FireEye research team provides a general categorization of each malware executable according to what they believe to be its primary purpose. For example, click-fraud software makes money by creating automated HTTP transactions to particular websites in order to distort (drive up) payments to advertisers. Fake-AV software is sold on the pretence that it has found non-existent malware on consumer computers, then offers to “clean” out the infection if the consumer buys the full version.

Several things stand out. The three largest categories of malware in Q2 are Fake-AV (listed as Rogue Anti_malware), downloader Trojans (whose primary function is to download other pieces of malware), and information stealers of various forms. Compared with Q1, they see striking growth in Fake-AV (Rogue Anti_malware) and information-stealing malware, most likely due to a successful monetization model.

Of these, the information stealers are clearly the greater threat to corporate integrity. While FireEye would certainly not advocate ignoring Fake-AV programs (they are a threat to employees’ private finances and act as a conduit for more serious malware infections), it is clear that information theft is currently the highest-priority problem for enterprises.

  • Zbot (Zeus) is primarily a banking Trojan. Zbot has become extremely well known for fraud against online banking for both consumers and small and medium enterprises, and likely represents a high-priority threat even to large enterprises in the form of fraud against senior executives.
  • Papras (aka Snifula) has received far less publicity, but in FireEye’s sample it appears to have become just as widespread as Zbot. Papras is less specialized: it steals account credentials for various online services and also logs information entered in web forms. As such, it is probably a basic tool in a number of different kinds of manually directed intrusions and information thefts.
  • Zegost is also primarily a keylogger.
  • Multibanker is a family of specialized banking Trojans.
  • Coreflood is a botnet that operated in many versions for ten years until it was taken down by the Department of Justice in April 2011.
  • Licat is believed to be associated with Zbot.

Finding 4: The “Top 50” of thousands of malware families generate 80% of successful malware infections.

In reviewing several hundred thousand events, they found that the vast majority derive from a few hundred malware families (as evidenced by the particular callback protocol FireEye detected in use), and that the Top 50 most frequent malware families are represented in about 80% of all cases.

From the figure, they conclude that the exploding zoo of malware executables can be attributed to a much smaller number of malware toolkit code bases. In reviewing the top 50 families, the more successful code bases have optimized aspects of their malware binary output to be dynamic and deceptive.
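Two of the measurements above, how long a binary hash or callback domain stays in use before it is replaced (Finding 2) and the share of infections covered by the busiest families (Finding 4), can be computed from an ordinary sighting log. The Python below is an added example, not FireEye’s code or data: the sightings, the hash labels, the domains (reserved .example names) and the per-family counts are all constructed, and the one-hour and one-day horizons are chosen to match the update cadences the report describes.

```python
"""Churn and concentration metrics over a constructed malware sighting log.

Added example; not FireEye's code or data. The sightings are constructed to
show two measurements from the report: how long a binary hash or callback
domain stays in use before it is replaced, and how concentrated infections
are across malware families.
"""
from collections import Counter, namedtuple
from datetime import datetime, timedelta
from fractions import Fraction
import hashlib

HOUR = timedelta(hours=1)   # "changed within a few hours" horizon
DAY = timedelta(days=1)     # typical DAT / blacklist update cadence

Sighting = namedtuple("Sighting", "seen md5 domain family")


def fake_md5(label: str) -> str:
    """Deterministic placeholder hash for the sample; not a real indicator."""
    return hashlib.md5(label.encode()).hexdigest()


T0 = datetime(2011, 6, 1, 9, 0)

# Constructed sightings: (minute offset from T0, binary label, callback
# domain, family label as used in the post).
SIGHTINGS = [
    Sighting(T0 + timedelta(minutes=m), fake_md5(b), d, f)
    for m, b, d, f in [
        (0,    "bin-1", "one.example",   "Fake-AV"),
        (20,   "bin-1", "one.example",   "Fake-AV"),     # bin-1 lives 20 minutes
        (120,  "bin-2", "one.example",   "Fake-AV"),
        (150,  "bin-2", "one.example",   "Fake-AV"),     # bin-2 lives 30 minutes
        (0,    "bin-3", "two.example",   "Zbot"),
        (300,  "bin-3", "two.example",   "Zbot"),        # bin-3 lives 5 hours
        (0,    "bin-4", "three.example", "Downloader"),
        (4320, "bin-4", "three.example", "Downloader"),  # bin-4 lives 3 days
        (60,   "bin-5", "four.example",  "Papras"),      # seen once
        (90,   "bin-6", "four.example",  "Zegost"),      # seen once
    ]
]


def observed_spans(sightings, field):
    """Map each distinct md5 or domain to (last seen - first seen)."""
    first, last = {}, {}
    for s in sightings:
        key = getattr(s, field)
        first[key] = min(first.get(key, s.seen), s.seen)
        last[key] = max(last.get(key, s.seen), s.seen)
    return {k: last[k] - first[k] for k in first}


def fraction_retired_within(sightings, field, horizon):
    """Share of distinct indicators whose observed span is shorter than `horizon`.

    This is the quantity behind "90% of binaries and domains changed within a
    few hours; 94% within a day": an indicator retired faster than a defence's
    update interval is stale by the time a signature or blacklist can carry it.
    """
    spans = observed_spans(sightings, field)
    retired = sum(1 for span in spans.values() if span < horizon)
    return Fraction(retired, len(spans))


def single_sighting_fraction(sightings, field):
    """Share of indicators seen exactly once (the report's "seen just once")."""
    counts = Counter(getattr(s, field) for s in sightings)
    return Fraction(sum(1 for c in counts.values() if c == 1), len(counts))


def family_concentration(sightings, top_n):
    """Share of all infection events attributed to the `top_n` busiest families.

    The report's "Top 50 families account for 80% of infections" is this value
    with top_n=50 over its own events. A tie at the cut-off does not change the
    result, because tied families contribute equal counts.
    """
    ranked = Counter(s.family for s in sightings).most_common()
    if top_n >= len(ranked):
        return Fraction(1)
    covered = sum(count for _, count in ranked[:top_n])
    return Fraction(covered, len(sightings))


if __name__ == "__main__":
    for field in ("md5", "domain"):
        hour = float(fraction_retired_within(SIGHTINGS, field, HOUR))
        day = float(fraction_retired_within(SIGHTINGS, field, DAY))
        print(f"{field}: {hour:.0%} retired within an hour, {day:.0%} within a day")
    print(f"md5 seen once: {float(single_sighting_fraction(SIGHTINGS, 'md5')):.0%}")
    print(f"top 3 families cover {float(family_concentration(SIGHTINGS, 3)):.0%} of events")
```

Run over real telemetry, the hour and day fractions say how much of what a sensor sees would already be retired before a daily signature or blacklist update could include it, which is the gap the report describes; the concentration figure says how much of the caseload a small number of family-level (callback-protocol) detections would cover.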

Note that the frequency of appearance is not correlated with risk. One of the most common malware families, Fake-AV, extorts payments from users for falsified virus scans. This class of malware is less of a concern from an enterprise perspective, though Fake-AV should be seen as a “gateway malware” to introduce more serious information-theft malware into the network. On the other hand, nation-state APT malware used for espionage is likely to be out in the long tail of comparatively rare malware. In the range between these two zones, they find very potent, very dangerous attacks.

Many of the Top 50 attacks reflect advanced malware used by criminal syndicates for financial gain. This variety of threat is characterized by periodic campaigns combining exploit toolkits and specific malware families such as “Rogue AV” or “Fake-AV.” The attacks cast a relatively “wide but shallow” net, harvesting data and relying on automation for efficiency and profitable success rates.

Here’s the anatomy of a typical “wide and shallow” attack, one that is dynamic and short-lived (in each campaign) but not especially targeted or heavily personalized:

  • Hunt new victims for a few hours at certain infectious IP addresses
  • Install malware via drive-by download or phishing campaign (possibly run through a social networking site)
  • Collect account data from victims’ computers (or install data-stealing malware on these hosts)
  • Pause (or move on to a new site)
  • Monetize the data that has been collected (for perhaps days or weeks)
  • Run another campaign with a tweaked version of the malware and different IP addresses

When FireEye look at malware by family, and at the event timeline of malware activity, they see evidence of the compressed timelines used in campaigns today: sharp spikes. Even with relatively protracted activity, like that shown for Rogue.AV, FireEye see significant spikes above a significant baseline.

The other major category of attack is the “Narrow and Deep” attack that includes targeted and APT attacks. These attacks infect a relatively small number of machines that act as the beachhead from which to further infiltrate other enterprise systems, especially those that contain critical or sensitive information.

The deeper infiltration is accomplished via lateral movement by propagating the malware infection to other systems and servers in the enterprise network. Only real-time monitoring of suspicious code will detect these subtle attacks.

How do criminals make their malware and domains dynamic? Point-and-click Toolkits?

Criminals make code appear new by packing, encrypting, or otherwise obfuscating the nature of the code. Malware toolkits like Zeus (banking Trojan) and Blackhole (drive-by downloads) automate this process today, which FireEye believe explains some of their finding of increasing and almost ubiquitous dynamism.

The prevalence of dynamic domain addresses indicates that criminals are moving their distribution sources very quickly as well, like a drug dealer moving to a different street corner after every few deals. By moving their malware to an unknown site (often a compromised server or zombie), and using short URLs, cross-site scripting or redirects to send traffic to that site, the criminals can stay ahead of reputation-based defenders.

Criminals invest in toolkits and dynamic domains because signature and reputation engines have become adept at blacklisting known bad content and “bad” or “risky” URLs. Any stationary criminal asset will quickly be blacklisted, so these assets must move to remain valuable.

FireEye Conclusions

The new breed of cyber-attacks evades existing defenses by using dynamic malware, toolkits and novel callback techniques, leaving virtually every enterprise vulnerable to data theft and disruption. Although enterprises are investing $20B per year in IT security systems, cybercriminals are able to evade traditional defenses, such as firewalls, IPS, antivirus and gateways, because they are all based on older technology: signatures, reputation and crude heuristics.

Enterprises must reinforce traditional defenses with a new layer of security that detects and blocks these sophisticated, single-use attacks. New technologies are needed that can recognize advanced malware entering through Web and email, and thwart attempts by malware to call back to command and control centers. This extra defense is designed specifically to fight the unknown threats, such as zero-day and targeted APT attacks, thereby closing the IT security gap that exists in all enterprises.

The FireEye report can be found here.


PCI DSS – updated guidelines for WiFi and new guidance on Bluetooth

The PCI Security Standards Council (PCI SSC) Wireless Special Interest Group (SIG) has released an Information Supplement, PCI DSS Wireless Guidelines.

The supplement updates the PCI DSS wireless guidance to align with version 2 of the PCI Data Security Standard and incorporates guidance for Bluetooth.

All merchants and credit card processors should read the document, which can be found here.

The three main sections in the Information Supplement are:

  1. Wireless Guidance Overview
  2. Generally Applicable Wireless Requirements
  3. Applicable Requirements for In-scope Wireless Networks

For further information on the PCI Data Security Standard visit the PCI Resources page on my blog here.

