Brian Pennington

A blog about Cyber Security & Compliance


August 2012

Advance malware threats are growing at an alarming rate

FireEye have published their Advanced Threat Report for the first half of 2012. The results are based on their knowledge of Advanced Persistent Threats and the rest of the malware market.

Their key findings are:

  • Organizations are seeing a massive increase in advanced malware that is bypassing their traditional security defenses.
  • The patterns of attack volumes vary substantially among different industries, with organizations in healthcare and energy/utilities seeing particularly high growth rates.
  • The dangers posed by email-based attacks are growing ever more severe, with both link and attachment-based malware presenting significant risks.
  • In their efforts to evade traditional security defenses, cybercriminals are increasingly employing limited-use domains in their spear phishing emails.
  • The variety of malicious email attachments is growing more diverse, with an increasing range of files evading traditional security defenses.

Finding 1: Explosion in Advanced Malware Bypassing Traditional Signature-Based Defenses

The malicious advanced malware organizations have to contend with has grown dramatically, not just in terms of volume, but in its effectiveness in bypassing traditional signature-based security mechanisms. On average, organizations are experiencing a staggering 643 Web-based malicious events each week, incidents that effectively penetrate the traditional security infrastructure of organizations and infect targeted systems.

This figure includes file-based threats that are delivered over the web and email. File-based threats can be malicious executables, or files that contain exploit s targeting vulnerabilities in applications. They are downloaded directly by users, via an exploit, or links in emails. The statistic of 643 infections per week does not include callback activities, which largely happen over the Web.

Compared to the second half of 2011, the number of infections per company rose by 225% in the first half of 2012. If you compare the first six months of 2011 with the first six months of 2012, the increase seen is even larger at 392%.

These figures are not the total found in the so-called “wild”, but are the number of Web-based infections that successfully evaded organizations’ existing security defenses, such as next-generation firewalls and AV.

  • Users remain very susceptible to clicking on malicious links, especially when those links exploit social engineering tactics.
  • Embedding malicious code within Hypertext Transfer Protocol (HTTP) traffic is proving effective at bypassing traditional security mechanisms.
  • As a result of these two dynamics, cybercriminals see that their tactics are working, so the number of attacks they launch continues to grow

Explosive Growth in Advanced Malware Infections

  • Growth from 2H 2011 to 1H 2012: 225%
  • Growth from 1H 2011 to 1H 2012: 392%

Finding 2: Patterns of Attacks Vary Substantially by Industry—Attacks on Healthcare up 100%, 60% in Energy/Utilities

When assessing the average number of incidents that evade traditional security defenses, patterns and trends vary substantially across industries. For the most part, each industry experiences peaks in attack volumes at different times.

A couple of industries that are prone to high incidents were excluded from this report. Education was excluded since little, if any, control can be had over student systems and in general students are surfing more and visiting more risky sites. Also government was excluded since it is common for government agencies to receive data from FireEye but not send information back to FireEye.

The figures below illustrate the monthly incidents, including inbound attacks as well as outbound exfiltration and communication attempts. These incidents were identified by the FireEye MPS appliances deployed globally within the networks of customers and technology partners.


Between January 2012 and June 2012, the number of events detected at healthcare organizations has almost doubled. Compared to other industries, however, there has been a more consistent pattern of malicious activity, indicating a persistent and steady threat confronting these organizations.

As healthcare organizations move toward the adoption of electronic health record systems and digitally store and manage Personally Identifiable Information (PII), these sensitive assets seem to be coming under increasing attack by cybercriminals.

Financial Services

Between the second half of 2011 and the first half of 2012, the financial services industry has seen a massive increase in terms of the average number of events per customer for that industry. In May 2012 the industry saw more events than the entire second half of 2011. Compared to healthcare, there have been more dramatic fluctuations in this market. The most dramatic shift discovered was a huge spike in May 2012, followed by a drop-off in June, which was a pattern also seen in May and June of 2011.


Companies in the technology sector continue to be the most targeted organizations. While total numbers have remained relatively stable on a month-to-month basis, overall numbers remain high compared to other industries.


In the energy/utilities sector, there have also been some significant fluctuations in incidents, however the overall trend indicates a huge increase. In the past six months, energy and utility organizations have seen a 60% increase in incidents.

As the Night Dragon attack dramatically illustrated, critical infrastructures of energy and utility companies are under attack. In this case, criminals went after intellectual property, information on ongoing exploration, and records associated with bids on oil and gas reserves. Due to current geopolitical dynamics, data surrounding the sources of fossil fuel-based energy in particular are some of the most targeted assets.

Finding 3: The Intensified Dangers of Email-Based Attacks, Both Via Links and Attachments

While the APT attacks that have been reported on in recent years have exhibited a range of different tactics, it is clear that there is one very common characteristic: email is the primary channel through which the attacks are initiated. Operation Aurora, GhostNet, Night Dragon, the RSA breach, and the majority of the other APTs that have been publicly documented have been initiated at least in part through targeted spear phishing emails. The bottom line is that organizations looking to stop APTs absolutely have to have capabilities for detecting and guarding against these kinds of attacks.

To gain entry into an organization’s network, cybercriminals are launching their attacks through spear phishing emails. These emails either use attachments that exploit zero-day vulnerabilities or malicious and dynamic URLs. Between 1Q 2012 and 2Q 2012, there was a 56% increase in the amount of email-based attacks that successfully penetrated organizations’ traditional security mechanisms.

During the course of 2012, there has been significant fluctuation in the amount of malware delivered via attachments versus links. In January 2012, the number of malicious links represented about 15% of the volume of malicious emails. By May and June however, the volume of malicious links outnumbered malicious attachments.

Moving forward, we expect to see continued fluctuation in the relative numbers of these categories on a monthly basis, but don’t expect that either one will dramatically or permanently overtake the other in the long term. The critical takeaway is that both of these types of threats exist in significant numbers, and that organizations need to guard against both of these threat vectors to effectively strengthen their security posture.

As zero-day application vulnerabilities are patched, file attachments used in attacks wane and cybercriminals return to Web-based vectors. However, as we have seen in the past, a new crop of zero-day application vulnerabilities is always just around the corner, leading cybercriminals to return to file attachment-based attacks.

Finding 4: Increased Prevalence of Limited-Use Domains in Spear Phishing Attacks

In their efforts to bypass organizations’ security mechanisms, cybercriminals have continued to employ increasingly dynamic tactics. The continued explosion of malicious domains used in spear phishing attacks illustrates the unsolvable problem facing technologies that rely on backward-facing signatures, domain reputation analysis, and URL blacklists.

Criminals are increasingly employing malicious URLs for only a brief period of time before they move on to using others. “Throw-away” domains are malicious domain names used only a handful of times, say in 10 or fewer spear phishing emails. These domains are so infrequently used that they fly under the radar of URL blacklists and reputation analysis and remain largely ignored and unknown. As the chart on the next page illustrates, the number of throw-away domains identified increased substantially in the first half of 2012.

Through social engineering, cybercriminals are personalizing emails and then using throw-away domains to bypass the signature and reputation based mechanisms that organizations rely on to filter out malicious emails. It is important to note that these URLs are sometimes randomly generated, and sometimes tailored to a specific tactic. In the second half of 2011, domains that were seen just once comprised 38% of total malicious domains used for spear phishing.

In the first half of 2012, that figure grew to 46%. The graph below shows that the overall volume of spear phishing emails is increasing and our domain analysis also shows the ratio of emails that use limited-use domains is also on the rise.

Finding 5: Increased Dynamism of Email Attachments

As outlined earlier, email-based attacks are used to initiate the bulk of the APT s reported, and guarding against both malicious attachments and URLs distributed via email is a critical mandate for organizations. Email-based attacks are the first tactic cybercriminals employ in order to get through the target’s perimeter defenses and gain a foothold in the network. As security teams seek to guard against malicious email attachments, however, they are encountering a fundamentally evolving dynamic in the makeup of these files. Just like URLs, the use of malicious attachments is growing increasingly dynamic.

Over the past twelve months, the diversity of attachments that led to infections has expanded dramatically. In the second half of 2011, the top 20 malicious attachments accounted for 45% of attachments that evaded organizations’ perimeter defenses. In the first half of 2012, the variety of malicious attachments increased so that the top 20 malicious attachments only accounted f or 26%, nearly half of the figure in the second half of 2011. These numbers make clear that cybercriminals are changing their malware more quickly, employing a longer list of file names, and reproducing malware and morphing it in an automated fashion. In this way, the task of creating signature based defenses to thwart these malicious files grows increasingly difficult.

Between the second half of 2011 and the first half of 2012, the average number of times a given malicious attachment was sent in an email dropped from 2.44 to 1.87.

FireEye’s conclusions on its report

As this report amply illustrates, organizations are under persistent attack, and the attacks being waged continue to grow more dynamic, effective, and damaging. For organizations that continue to rely solely on firewalls, IPS, AV, and other signature, reputation, and basic behavior-based technologies, it is abundantly clear that compromises and infections will continue to grow. To effectively combat these attacks, it is imperative that organizations augment their traditional security defenses with technologies that can detect and thwart today’s advanced, dynamic attacks. This requires capabilities for guarding against attacks being waged on the Web, and those being perpetrated through email, including spear phishing emails that use malicious attachments and URLs.


An overview of EU security legislation and the impact of cyber incident reporting

The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens.

ENISA has responded to the growing threat posed by cyber security incidents by producing an overview paper of current legislation and the impact of incident reporting.

I have summarised the ENISA paper below.

ENISA started the paper by quoting five recent incidents to support their findings and conclusions:-

  1. In June 2012 6.5 million (SHA-1) hashed passwords of a large business-focussed social network appeared on public hacker forums. The impact of the breach is not fully known, but millions of users were urged to change their passwords and their personal data could be at risk.
  2. In December 2011, the storm Dagmar affected power supplies to electronic communication networks in Norway, Sweden and Finland. As a result millions of users were without telephony or internet for up to two weeks.
  3. In October 2011 there was a failure in the UK datacentre of a large smartphone vendor. As a result millions of users across the EU and globally could not send or receive emails, which severely affected the financial sector.
  4. Over the summer 2011, a Dutch certificate authority experienced a security breach, allowing attackers to generate fake PKI certificates. The fake certificates, the result of the breach, were used to wiretap the online communications of around half a million Iranian citizens. Following the breach many Dutch e-government websites were offline or declared unsafe to visit.
  5. In April 2010 a Chinese telecom provider hijacked 15% of the world’s internet traffic through Chinese servers for 20 minutes, routing traffic to some large e-commerce sites, such as and as well as the .mil and .gov domains, et cetera. As a result, the internet communications of millions of users were exposed (to eavesdropping).

The five quoted incidents are just the tip of the iceberg, as you will find out later in the post, but to give an insight into UK breaches read my post on who the UK’s Information Commissioner has caught this year for breaching the current Data Protection Act here.

Article 13a of the Framework directive: “Security and Integrity”

The Telecoms reform passed into law in 2009, adds Article 13a to the Framework directive, regarding security and integrity of public electronic communication networks and services. Article 13a states:

  • Providers of public communication networks and services should take measures to guarantee security and integrity (i.e. availability) of their networks.
  • Providers must report to competent national authorities about significant security breaches.
  • National authorities should inform ENISA and authorities abroad when necessary, for example in case of incidents with impact across borders.
  • National authorities should report to ENISA and the European Commission (EC) about the incident reports annually.

Article 13a also says that the EC may issue more detailed implementation requirements if needed, taking into account ENISA’s opinion.

The EC, ENISA, and the national regulators have been collaborating for the past 2 years to implement Article 13a and to agree on a single set of security measures for the European electronic communications sector and a modality for reporting about security breaches in the electronic communications sector to authorities abroad, to ENISA and the EC.

In May 2012 ENISA received the first set of annual reports from Member States, concerning incident that occurred in 2011. ENISA received 51 incident reports about large incidents, which exceeded an agreed impact threshold. The reports describe services affected, number of users affected, duration, root causes, actions taken and lessons learnt. While nationally incident reporting is implemented differently, with different procedures, thresholds, et cetera, nearly all national regulators use a common procedure, a common template and common thresholds for reporting to the EC and ENISA.

Article 4 of the e-Privacy directive: “Security of processing”

The Telecoms reform also changed the e-Privacy Directive, which addresses data protection and privacy related to the provision of public electronic communication networks or services. Article 4 of the e-Privacy directive requires providers to notify personal data breaches to the competent authority and subscribers concerned, without undue delay.

The obligations for providers are:

  • to take appropriate technical and organisational measures to ensure security of services,
  • to notify personal data breaches to the competent national authority,
  • to notify data breaches to the subscribers or individuals concerned, when the personal data breach is likely to adversely affect their privacy
  • to keep an inventory of personal data breaches, including the facts surrounding the breaches, the impact and the remedial actions taken.

Article 4 also says that the EC may issue technical implementing measures regarding the notification formats and procedures, in consultation with the Article 29 Working Party, the European Data Protection Supervisor (EDPS) and ENISA.

Articles 30, 31 and 32 of the Data Protection regulation

The EC has proposed to reform the current European data protection framework (Directive 95/46/EC), and has proposed an EU regulation on data protection. The regulation regards organisations that are processing personal data, regardless of the business sector the organisation is in. Security measures and personal data breach notifications are addressed in Articles 30, 31 and 32:

  • Organisations processing personal data must take appropriate technical and organisational security measures to ensure security appropriate to the risks presented by the processing.
  • For all business sectors the obligation to notify personal data breaches becomes mandatory.
  • Personal data breaches must be notified to a competent national authority without undue delay and, where feasible, within 24 hours, or else a justification should be provided.

Personal data breaches must be notified to individuals if it is likely there will be an impact on their privacy. If the breached data was unintelligible, notification is not required, e.g. Tokenised data.

Read my summary of the proposed New EU Data Protection Act here.

Article 15 of the e-Sig and e-ID regulation: “Security requirements”

The EC recently released a proposal for a regulation on electronic identification and trust services for electronic transactions in the internal market. Article 15 in this proposal introduces obligations concerning security measures and incident reporting:

  • Trust service providers must implement appropriate technical and organisational measures for the security of their activities.
  • Trust service providers must notify competent supervisory bodies and other relevant authorities of any security breaches and where appropriate, national supervisory bodies must inform supervisory bodies in other EU countries and ENISA about security breaches.
  • The supervisory body may, directly or via the service provider concerned, inform the public.
  • The supervisory body sends a summary of breaches to ENISA and the EC.

EU Cyber Security Strategy

The European Commission is developing a European Cyber Security Strategy. The roadmap for the strategy refers to Article 13a and mentions extending Article 13a to other business sectors. The Commission has indicated that there will be five main strands:

  • Capabilities and response networks, for sharing information with public and private sector
  • Governance structure including the national competent authorities, to address incidents and develop an EU contingency plan.
  • Incident reporting for critical sectors like energy, water, finance and transport.
  • Pre-commercial procurement of security technology and public-private partnerships to improve security across the single market
  • Global cooperation, to address global interdependencies and the global supply chain.

A European Cyber Security Strategy is an important step to increase transparency about incidents, and ultimately to prevent them or limit their impact.

ENISA’s Review

Security measures and incident reporting, implemented across the EU’s digital society, are important to improve overall security. EU legislation plays an important role here as it allows harmonization across the EU member states. This in turn prevents weak links and unnecessary costs for providers operating cross-border.

The European Commission, in collaboration with the EU Member States, has undertaken a number of legislative initiatives aiming to further improve transparency about incidents. Another important step is the proposed Cyber Security Strategy, which emphasizes incident reporting and the importance of exchange across the EU about incidents and how to address them. We conclude with some general remarks.

Regulatory gaps: In the introduction we gave five examples of cyber incidents with a severe impact on the security or privacy of electronic communications. The 2nd incident, caused by the Dagmar storm, is in scope of existing incident reporting legislation and as such reported to authorities. The proposed regulation on electronic trust providers would also cover the 4th incident. But the remaining incidents (the 1st, 3rd, and 5th) are not clearly in scope or subject of debate between providers and the national regulator.

It is important that national authorities and the EC discuss, agree, and clarify the scope of legislation on electronic communications and address these and other gaps. This can be done without necessarily changing the text of existing legislation, such as the telecom regulatory framework, but rather the interpretation of what the services are, because the landscape of electronic communications is continuously changing (from landline telephones and minitel in the past, to mobile phones, internet and VoIP).

Model security articles: There is a lot of similarity between Article 13a of the Framework directive and Article 15 of the e-Signatures and e-Identities regulation. The former has been taken as a model for drafting the latter. Both articles combine security measures and incident reporting, at a national level and at an EU level. Consistency and standardization in the legislative texts allows for more easy governance by the member states, and more easy implementation by the providers. Furthermore, the combination of national reporting and EU reporting (present in both Article 13a and Article 15) allows national authorities room to adjust to national circumstances, while at the same time providing overview and feedback at an EU level, which allows Member States to optimize implementation and to ensure a harmonized approach across EU member states.

Governing security measures: Mandatory breach reporting receives a lot of media attention and it is arguably the most visible part of the security articles. The ultimate goal is to limit the impact of security and personal data breaches or prevent them altogether by making sure appropriate security measures are taken. This type of governance is crucial and not easy. In security much depends on the technical details of the implementation and these details are hard to capture in (high-level) legislation and subject to change.

National authorities should exchange knowledge about an effective and efficient combination of high-level legal obligations and technical implementation requirements. For the latter it is important to adopt a bottom up approach (i.e. commonly agreed recommendations), taking into account the (changing) state of the art and the practical experiences of regulators and experts from the private sector.

As a second, but related point, the need to take “appropriate technical and organisational security measures” is mentioned in all the security articles. Although these articles are aimed at different providers and different types of breaches, there is still a large overlap between the security measures that have to be taken. The competent national authorities should collaborate (nationally and at an EU level) to ensure that these security measures are implemented consistently and where there is an overlap, similarly, to allow providers to comply more easily, and to allow equipment vendors to adapt their products accordingly.

Optimizing incident reporting procedures:

  • Incident response versus incident reporting: To prevent incidents from escalating Member states should encourage providers to quickly contact technical experts, incident response teams (like national CERTs), crisis coordination groups, and other organizations relevant in the response phase, should this be necessary. Member states should underline that incident response receives priority. The purpose of mandatory incident reporting to national authorities is supervision over whether or not providers comply with legal requirements, while the purpose of information exchange in the response phase, for example with a national CERT, is to tackle the incident. Member states should encourage transparency and trusted information sharing in the response phase and ensure that response processes are independent and not slowed down by legal reporting requirements. Member states should for instance ensure that incident reporting procedures are easy and quick to apply.
  • Exchange and sharing: Over the past years CERTs have developed effective platforms for collaboration and information exchange. Beyond the response phase, however, there is still little exchange of information about breaches between different national authorities. The EC should continue to support the working groups and platforms for exchanging information between national authorities, about breaches, about lessons learnt and best practices.
  • Granularity and tools: An important aspect of the evaluation of existing legislation on incident reporting should be an analysis of costs and benefits. Both for national and EU level reporting it is important to review over time the thresholds for reporting, the type of information that is reported, the level of detail, and so on. If too few incidents are reported, then it will be difficult to draw meaningful conclusions about common root causes or trends. This would defeat the purpose of the legislation altogether and make the legislation cost ineffective. National authorities should analyse what is a good balance, taking into account the costs and benefits for providers as well as the national authorities. Providers and national authorities should investigate automated tools and computer interfaces to allow for cost-effective incident reporting at a sufficient level of detail, while avoiding the burden of manual and ad-hoc reporting procedures. For example, one could distinguish between small and large incidents and use less reporting detail for the (many) smaller incidents.

ENISA Conslusion

ENISA would like to remark that in recent years a lot of progress has been made, in terms of addressing incidents and increasing transparency about incidents. The national authorities, for example, recently submitted to ENISA and the EC, the first Article 13a incident reports regarding severe incidents that occurred in 2011. The vast majority of national authorities use a single set of security measures and a common reporting template allowing for efficient collection and analysis. ENISA will publish an analysis of the 51 severe incidents in September 2012. From next year, every spring ENISA will collect annual incident reports and publish an analysis of the incidents of the previous year. For example, next spring 2013 ENISA will publish an analysis of the 2012 incidents.

ENISA looks forward to continuing our work with national authorities and the European Commission to support an efficient and effective implementation of Article 13a, Article 4, and the other security articles across the single digital market, and to support collaboration and information exchange between national authorities across the EU, to improve security across the EU’s digital society.

Find the ENISA press release here.


RSA’s August Online Fraud Report 2012 including a summary of Fraud as a Service (FaaS)

In their August Online Fraud Report RSA reports on the activity of online fraudsters, a summary is below.

A five-year retrospect on Fraud as a Service (FaaS) reveals that the types of services sold today have changed very little; the more noticeable changes came in the shape of scalability, service relevancy, higher availability, better deals, customer support and buyer guarantees.

Underground criminals buy and sell goods and services around the clock. The fact that these markets operate online eliminates borders and physical distance, allowing people from different parts of the world to wheel-and-deal and to partner-up in the orchestration of fraud cash-out cycles without ever meeting or speaking on the phone.

What do they sell?

For phishing – scam pages, complex phishing kits and custom kit plugins, spamming services, email databases, junk traffic, SEO poisoning, email cracking tools, spam software, and SMS spoofers, to name a few. After the attacker gathers the spoils, fraudsters can opt to buy the already-harvested databases of phishing attacks or purchase unitary ‘logins’ in an online shop selling compromised data.

For botmasters –  Trojan-related facilitators exploit kits, malware spam, botnets, Trojan kits, HTML injections, customized malicious code, encryption services, bulletproof hosting, pay-per-installs/affiliate infection schemes, plugins, set-up and tech support.

Hardly ever does one fraudster take on the complete fraud cycle; rather, fraudsters opt to partner with more experienced criminals or offer up their own expertise (such as performing in-store pick up of goods obtained with stolen credit card data). Much like real-world crime, each actor ‘gets his hands dirty’ to different extents. Bottom line – the fraudulent transaction is turned into cash in different ways and the profits are shared among those involved.

Those who don’t have any trustworthy connections in the world of fraud find and use transfer and cash-out services. Money mule, cash-out services and Item-drop mules have become ever so popular, that some vendors have already automated them for those who attempt the bulk of transactions each day bot herders and ‘carders’.

Almost all busy criminals today connect with a mule repository operator and have their fraudulent transactions go through the vendor’s mules, receiving a cut of each successful transaction as per a mutual agreement. Some cases of mule-repositories are part of the fraud cycle of one gang.

Recent underground fraud services:-

Hire a “Man-in-the-Middle”

One of the more interesting recent FaaS offers was found in an underground forum, posted by a Russian-speaking member offering his infrastructure for very temporary hire, alongside his own services as a man-in-the-middle facilitator. The botmaster had a few perks for customers who wish to attempt Trojan attacks without having to set up anything whatsoever:

  • Rent the infrastructure – gain access to infected bots
  • Pay to target and harvest – send over a trigger and a Trojan injection and those will be pushed to existing infected bots on the botnet (through a Trojan configuration file update)
  • Pay to attack – the botmaster will facilitate fraudulent transaction attempts using his Trojan’s remote administration access to bots

Buy a Botnet

The vendor behind this offer was also working in collaboration with other cybercriminals, each offering a related service a bot herder would need for the set up and operation of a botnet.

Automated Customer Support

In the recent past, Trojan developers only offered support via live chat using instant messaging services (Jabber, ICQ). A developer could only support a limited number of chats until the burden of supporting his customers became too great and support deteriorated or stopped altogether.

Trojan developers did understand the substantial need for customer/technical support and took pains to find new ways to preserve their customer base. To get an idea about just how ‘real’ customer support has become, take a quick look at this SpyEye vendor’s page. Notice the headers on the page; much like legitimate software companies – they direct users to an FAQ page, an “About SpyEye” section, and provide a detailed web form that can be sent directly to the vendor’s alleged support team, automating the process.

Many of today’s fraud service vendors put strong emphasis on supporting their buyers, offering guarantees and assistance, from the exchange of faulty or invalid cards and access credentials, all the way to providing set-up, tutorials, and tech support to those who have to operate on going online fraud operations (botnets, CC shops, exploits etc.).

One cannot mention excellent cybercrime customer support today without “Citadel” coming to mind. The team developing the Citadel Trojan has long established itself as the new go-to crimeware vendor, well on their way to inheriting the Zeus Trojan market share they built upon. The most unique feature this team offers to botmasters using Citadel is a clever CRM model that supports, tickets, listens and advises members on how to set up and operate their Trojans. The CRM is not optional! All botmasters must join it and pay a fixed monthly fee for their membership.

RSA’s conclusion

A better cybercrime marketplace, much like organized crime in the physical world, increasingly affects the world’s economy by the sheer amounts of money it taxes it every year. The worst part about this dark economy is its faceless, covert nature and thus the hardship in quantifying and understanding the extent of its damage.

Stronger crime economies are a burden on the legitimate economy in hard costs but do not stop there. This large scale clandestine operation also affects crime statistics and touches real-life aspects of law enforcement and the legal system. Due to cybercrime’s global, scattered nature, fighting it often requires internationally coordinated investigations and arrests, further taxing the resources of each nation touched by digital crimes.

Phishing Attacks per Month

Phishing attacks in July increased 14% from June, marking yet another high of 59,406 attacks in a single month. In examining an overall spike in attacks, the bulk of last month’s increase can be attributed to highly targeted phishing campaigns launched against a series of financial institutions in Europe.

Number of Brands Attacked

In July, a total of 242 brands were targeted with phishing attacks, marking a 7% drop from June. As compared to July 2011, last month’s list of phishing targets demonstrates a 25% year-over-year drop in the number of targeted brands.

US Bank Types Attacked

There was very little change in how the U.S. banking sector was targeted by phishing in July. Nationwide banks still continue to be targeted by about three out of every four phishing attacks. This reflects the tendency of cybercriminals to attack larger financial institutions.

Top Countries by Attack Volume

For the fifth consecutive month, the UK was targeted by the highest volume of phishing attacks, followed by the U.S. and Canada. The UK endured 70% of worldwide attacks, its highest portion ever.

Top Countries by Attacked Brands

Although the UK was targeted by 70% of phishing volume in July, the U.S. continues to be the country with the greatest number of targeted brands. Brands in the U.K., Brazil, India, and Australia collectively were targeted by 27% of attacks in July.

Top Hosting Countries

The U.S. hosted 79% of worldwide phishing attacks last month, its highest portion to date according to the RSA Anti-Fraud Command Center. Canada, the UK and Germany accounted for hosting an additional 10% of attacks.

Previous RSA Online Fraud Report Summaries:

  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.


65% of businesses do not protect their customers’ private data

According to a survey by GreenSQL more than 65% of businesses do not protect their customers’ private data from unauthorised employees and consultants.

The results are interesting because every day we hear of another data breach or another form of malware which can steal data or at least damage data and you would think that with this amount of coverage business would sit up and start protecting their livelihood because that is what customer information is, their livelihood.

For an idea of the scale of the UK’s problem have a look at my post “Who has breached the Data Protection Act in 2012? Find the complete list here“.

Maybe it is bad news fatigue? Maybe the constant flow of horror stories makes them think that they cannot do anything about it so why bother.

I can understand the sentiment because on a personal level I do not wear a Kevlar jacket and carry pepper spray when I walk my dogs on a cold dark winter evening on the distant chance I might be mugged.

However, business cannot escape their contractual commitment to protect credit card data under the Payment Card Industry’s Data Security Standards (PCI DSS) and they cannot escape the legislative requirements to protect Personally identifiable Information (PII) for example the Data Protection Act and the pending European Wide Data Protection Act.

The survey results fall into three categories

  1. Ignore. 65% take no preventative measures
  2. Think about it. 23% use masking techniques only in non-production environments, such as dummy data and scrambling
  3. Try. 12% deploy dynamic data masking solutions on their production environments

I suspect that those who indicated that they deploy technologies to mask data are talking about credit card data where all payment applications are governed by the Payment Card Industry’s PA DSS but it should be applied to all sensitive data that could cause financial or reputational damage to anyone; customer, employee or contractor.

“Most companies would say protecting customer data is critical to maintaining their business and reputation,” said GreenSQL CEO, Amir Sadeh. “However, something is wrong when we discover that many IT departments are making no masking efforts whatsoever, and others are taking tepid approaches.”

GreenSQL surveyed “hundreds of IT managers and developers at large organizations” about the measures they took to prevent developers, QA, DBAs, consultants, outsourced employees, suppliers and application users from having access to sensitive data.

In summary adding protection to data bases and sensitive data is not hard and with current market trends moving towards cloud based solutions the costs are no longer prohibitive compared to becoming one of those horror stories people keep ignoring.


Counting the cost of e-crime to retailers. Actually it’s £205.4 million a year.

The British Retail Consortium (BRC) has released the findings of their first e-crime study. The study is based on responses to a quantitative survey conducted between April and May 2012. Respondents were members of the BRC drawn from a selection of key retailing types including supermarkets, department stores, fashion, health and beauty and mixed retail. The retailers questioned constitute around 45 per cent of the UK retail sector by turnover.

The headline finding is the total cost of e-crime to the retail sector was £205.4 million in 2011-12

This estimate comprises three main components:

1. E-crime Overall. The UK retail sector lost £77.3million as a result of the direct costs of e-crime.

2. Security Data, provided by retailers questioned in this survey suggests that, in 2011-12, at least £16.5 million was spent by the retail sector to provide better protective security for customers against e-crime. This figure excludes payments to banks for systems such as 3D Secure and ‘chargebacks’.

3. Lost Revenue. Estimated losses in revenue experienced as a result of legitimate business being rejected through online fraud prevention measures came to £111.6 million in 2011-12.

The key components making up the direct costs of e-crime were:

  • Identification-Related Frauds such as account takeovers which were the most costly variety of online fraud for retailers, resulting in at least £20 million of losses in 2011-12
  • Card and Card Not Present Frauds which were the next most costly variety, resulting in a minimum of £15 million of losses to the sector in this period
  • Refund Frauds which produced £1.2 million in known losses

The costs of e-crime to the retail sector are further inflated by the need to guard or restore systems against other kinds of threat such as malware, Distributed Denial of Service (DDoS) attacks or hacking. Since retailers do not yet collect precise data on this type of compromise to their systems, the research was unable to derive an overall cost estimate for these losses.

However, the research did find that repairing or restoring systems after DDoS attacks alone now costs up to £100,000 on average. Once these other varieties of threat are factored in, the true cost of e-crime to the retail sector is likely to be far higher than the estimate provided above.

E-Crime – The Emerging Threat

  • The most common fraud experienced by retailers in 2011-12 was Card Not Present fraud, with nearly 80% of UK retailers questioned in the survey stating that this was now common or very common.
  • Identification-Related Fraud was the second most common category with around 50% of retailers saying that the use of false identification was now a common or very common tactic in attempts to defraud their online systems.
  • If other misuses of personal identification (such as account-takeover frauds) are included under the heading of Identification-Related Fraud, then this emerges as the most prevalent category – with around 78 per cent of UK retailers reporting such frauds to be common or very common.
  • Increased threats to e-commerce were also found to be linked to disruptions caused by attacks upon online trading systems. For example, over 20% of retailers reported that Distributed Denial of Service (DDoS) attacks caused serious or very serious disruptions to their systems in the period surveyed.
  • Phishing appears to be a particular problem for UK retailers, with some respondents indicating that a single phishing attack within the period surveyed could have cost the company concerned up to £2 million to deal with. The negative impacts of phishing upon retail reflect a global trend which has indicated that, after US companies, UK brands and companies are now the second most targeted globally (RSA 2012). Find a link to 10 RSA monthly summaries at the bottom of the post.
  • Although more sophisticated attacks like phishing or hacking are often carried out by perpetrators from outside the UK, retailers questioned in this survey suggested that the majority of frauds continue to be perpetrated domestically. Retailers reported that around 86% of attacks originate within the UK
  • The extent and sophistication of the threat is likely to be due to the high level of online sales in the UK.
  • 75% of respondents reported that over 80 per cent of their sales occurred in the UK. Nevertheless, the research found that retailers were often unclear about the breakdown between UK and foreign originated e-crime perpetrated against them.
  • When combined with the difficulties retailers face in tracing the origin of e-crime and the lack of intelligence from law enforcement, the level of e-crime originating outside the UK is likely to be far higher than the estimates provided in this research.

Managing e-crime – Security and Effectiveness

  • 8% of the current losses from e-crime relate to security costs, with the survey indicating that firms across the retail sector spent at least £16.5 million on internal and external security provision.
  • The most significant component of this figure was staffing security systems which cost the sector at least £10.5 million in 2011-12.
  • Investment in security technology amounted to around £6 million for the same period.
  • Online security is managed through both internal and external provisions with third party screening continuing to be the most common, and most expensive, option. The data was not sufficiently robust to enable an overall projection of costs for outsourcing security provision to third parties. However some respondents indicated that this could be as high as 7 pence per transaction.
  • 71% of respondents supplemented third party screening with other automated methods of security such as 3D Secure.
  • 71% of retailers were also deploying the Address Verification System (AVS).
  • 78% of respondents stating that they use customer order history to make online purchases more secure.
  • 64% of respondents also contact the customer or card issuer directly to verify the details of a purchase.
  • 50% of respondents were contemplating investment in new methods or technologies in the future.
  • This increasing expenditure will inevitably lead to higher costs than those outlined within this research.

Law Enforcement Responses and Government Support

Respondents highlighted a number of concerns around the policing of e-crime with the survey finding uniformly low levels of satisfaction with current police responses to retail e-crime.

  • At least half of retailers said they were dissatisfied with current responses
  • Over a quarter of the total expressing strong dissatisfaction
  • 14% indicated that they were very satisfied with current law enforcement support

The reason for such low levels of reporting and satisfaction was that e-crime is not considered to be a priority by many police forces. There were also concerns that national units such as the National Fraud Intelligence Bureau or the Police Central e-Crime Unit (PCeU) do not have the resources or capacity necessary to carry out further investigations.

The research found that there were significantly low levels of reporting.

  • 60% of retailers questioned said they would be unlikely to report any more than 10% of e-crimes to the police. This was largely due to retailers’ concerns with the law enforcement approach to policing e-crime offences.

Of the frauds that were reported to the police, Card Not Present Frauds were the most common

  • 36% of respondents indicating that these would be reported
  • 14% said that they would report other kinds of fraud such as Credit Fraud (by Account Takeover).

Retailers also raised the need for greater government support

  • 57% of respondents expressed strong or moderate dissatisfaction with current support from government
  • Many retailers felt that there was scope for government to offer more support to UK businesses by informing them about potential threats to their business and providing guidance or advice on how best to mitigate these threats

British Retail Consortium Director General Stephen Robertson, said:

“The rapid growth of e-commerce in the UK shows it offers great benefits for customers but also new opportunities for criminals.

“Online retailing has the potential for huge future commercial expansion but Government and police need to take e-crime more seriously if the sector is to maximise its contribution to national economic growth.

“Retailers are investing significantly to protect customers and reduce the costs of e-crime but law makers and enforcers need to show a similarly strong commitment.

“This first comprehensive survey assessing the make-up and scale of e-crime shows where efforts need to be directed.

“Law enforcement and the Government need to work with us to develop a consistent, centralised method for reporting and investigating e-crime and resources must be directed to e-crime in line with the emerging threat. This will encourage retailers to report more offences and allow the police to better identify and combat new threats.”

Find 10 monthly RSA Online Fraud report summaries here.


Who has breached the Data Protection Act in 2012? Find the complete list here.

So far 2012 has been a busy year for the Information Commissioners Office (ICO) and with almost three quarters of the year gone I thought I would look at who has fallen foul of the Data Protection Act.

There are normally three types of punishments administered by the ICO

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practise and needs the helping guidance of the ICO
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.

In the near future I expect the proposed revised and consolidated European wide Data Protection Act to lead to more activity by the ICO, in the UK and across the other 27 member states. Read my summary of the propose European Data Protection Act here.

Below is a summary of the ICO’s activity in 2012 across all three “punishment” areas.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are to HM Treasury.

  • 6 August 2012 A monetary penalty of £175,000 was issued to Torbay Care Trust after sensitive personal information relating to 1,373 employees was published on the Trust’s website. Read the details here.
  • 12 July 2012 A monetary penalty of £60,000 was issued to St George’s Healthcare NHS Trust after a vulnerable individual’s sensitive medical details were sent to the wrong address.
  • 5 July 2012 A monetary penalty notice of £150,000 has been served to Welcome Financial Services Limited following a serious breach of the Data Protection Act. The breach led to the personal data of more than half a million customers being lost.
  • 19 June 2012 A monetary penalty notice of £225,000 has been served to Belfast Health and Social Care Trust following a serious breach of the Data Protection Act. The breach led to the sensitive personal data of thousands of patients and staff being compromised. The Trust also failed to report the incident to the ICO.
  • 6 June 2012 A monetary penalty for £90,000 has been served to Telford & Wrekin Council for two serious breaches of the seventh data protection principle. A Social Worker sent a core assessment report to the child’s sibling instead of the mother. The assessment contained confidential and highly sensitive personal data. Whilst investigating the first incident, a second incident was reported to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother. Both children had to be re-homed.
  • 1 June 2012 A monetary penalty notice for £325,000 has been served on Brighton and Sussex University Hospitals NHS Trust following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine patients – on hard drives sold on an Internet auction site in October and November 2010. Read the details here.
  • 21 May 2012 A monetary penalty notice for £90,000 has been served on Central London Community Healthcare NHS Trust for a serious contravention of the DPA, which occurred when sensitive personal data was faxed to an incorrect and unidentified number. The contravention was repeated on 45 occasions over a number of weeks and compromised 59 data subjects’ personal data. Read the details here.
  • 15 May 2012 A monetary penalty of £70,000 was issued to the London Borough of Barnet following the loss of sensitive information relating to 15 vulnerable children or young people, during a burglary at an employee’s home. Read the details here.
  • 30 April 2012 A monetary penalty of £70,000 has been issued to the Aneurin Bevan Health Board following an incident where a sensitive report containing explicit details relating to a patient’s health – was sent to the wrong person. Read the details here.
  • 14 March 2012 A monetary penalty of £70,000 was issued to Lancashire Constabulary following the discovery of a missing person’s report containing sensitive personal information about a missing 15 year old girl. Read the details here.
  • 15 February 2012 A monetary penalty of £80,000 has been issued to Cheshire East Council after an email containing sensitive personal information about an individual of concern to the police was distributed to 180 unintended recipients. Read the details here.
  • 13 February 2012 A monetary penalty of £100,000 has been issued to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. View a PDF of the Croydon Council monetary penalty notice
  • 13 February 2012 A monetary penalty of £80,000 has been issued to Norfolk County Council for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.
  • 30 January 2012 A monetary penalty of £140,000 was issued to Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions. The penalty is the first that the ICO has served against an organisation in Scotland. Read the details here.


Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

  • 6 August 2012 An undertaking to comply with the seventh data protection principle has been signed by Marston Properties. This follows the loss of 37 staff members’ details when the filing cabinet the information was stored in was sent to a recycling centre and crushed.
  • 13 July 2012 An undertaking to comply with the seventh data protection principle has been signed by West Lancashire Borough Council. This follows the theft of a business continuity bag containing emergency response documents and personal data relating to 370 council employees.
  • 26 June 2012 An undertaking to comply with the seventh data protection principle has been signed by South Yorkshire Police. This follows the inclusion of personal data relating to drug offences, in response to a Freedom of Information request made by a journalist.
  • 23 May 2012 An undertaking to comply with the seventh data protection principle has been signed by Holroyd Howe Independent Ltd. This follows the release of a document containing details of employees’ pay to a former employee.
  • 30 April 2012 An undertaking to comply with the seventh data protection principle has been signed by the Aneurin Bevan Health Board. This follows an incident where a sensitive report – containing explicit details relating to a patient’s health – was sent to the wrong person. This breach was also the subject of a monetary penalty.
  • 25 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Safe and Secure Insurances Services Limited. This follows the purchase of a hard drive from the Internet which contained personal data relating to the company’s clients.
  • 18 April 2012 An Undertaking to comply with the seventh data protection principle has been signed by Brecon Beacons National Park Authority. This follows two data security incidents which relate to the unauthorised disclosure of personal data on the data controller’s website.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Leicestershire County Council, following the theft of a briefcase containing sensitive personal data from a social worker’s home.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Toshiba Information Systems UK Ltd. This follows a web design error that created the potential for unauthorised access to individual’s personal data.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Hertfordshire County Council. This follows the loss of an Attendance and Pupil Support consultation folder in January 2011.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by South London Healthcare NHS Trust. This follows the loss of two unencrypted memory sticks, the leaving of a clipboard with ward lists attached in a grocery store and a failure to adequately secure some patient paper files when not in use. All of the information was recovered.
  • 27 March 2012 An Undertaking has been signed by Pharmacyrepublic Ltd following the theft of a patient medication system containing the medication details of 2000 patients. The system, which was supplied by another firm, should have been securely returned to them by Pharmacyrepublic Ltd before the premises were vacated. Read the details here.
  • 14 March 2012 An undertaking to comply with the seventh data protection principle has been signed by the Lancashire Constabulary. This follows the discovery of a missing person’s report on a street in Blackpool. A monetary penalty has also been issued to the authority in connection with this incident.
  • 9 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Enable Scotland (Leading the Way), after two unencrypted memory sticks and papers containing the personal details of up to 101 individuals were stolen from an employee’s home.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Community Integrated Care, a national social care charity. This follows the theft of an unencrypted laptop containing personal and sensitive personal data.
  • 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by Durham University. This follows the disclosure of personal information in training materials published on its website.
  • 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by London Borough of Croydon. This follows the theft of a bag belonging to a social worker from a public house in London. The bag contained a hard copy file of papers concerning a child who is in the care of the Council. This incident was also subject to a monetary penalty which was announced earlier this month.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Dr Pervinder Sanghera of Arthur House Dental Care. This follows the discovery of an unencrypted memory stick containing personal and limited sensitive personal data relating to patients and employees of the practice.
  • 10 February 2012 Youth charity Fairbridge has signed an undertaking committing the organisation to taking action after the loss of two unencrypted laptops containing employee information.
  • 10 February 2012 Healthcare provider Turning Point has signed an undertaking committing the organisation to take action after the loss of three service users’ files during an office relation.
  • 10 February 2012 Five local authorities have signed undertakings to comply with the seventh data protection principle, following incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure.
  • 10 February 2012 Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing.
  • 10 February 2012 Brighton and Hove Council emailed the details of another member of staff’s annual salary – and the deductions made from this – to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee.
  • 10 February 2012 Undertakings have been signed by • Dacorum Borough Council • Bolton Council • Craven District Council
  • 3 February 2012 An undertaking to comply with the seventh data protection principle has been signed by E*Trade Securities Ltd. This follows a report to the Commissioner concerning missing client files. The files contained limited sensitive personal data including identification documents.
  • 20 January 2012 An undertaking has been signed by Manpower UK Ltd following a breach of the Data Protection Act where a spreadsheet containing 400 people’s personal details was accidentally emailed to 60 employees.
  • 18 January 2012 An undertaking has been signed by the Chartered Institute of Public Relations, following the loss of up to 30 membership forms on a train. The organisation didn’t have a policy in place for handling personal data outside of the office at the time of the incident.
  • 18 January 2012 Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep peoples’ data secure. An unencrypted memory stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the Isle of Man.


  • 2 August 2012. Mohammed Ali Enayet, owner of The Lime Lounge in Cleveleys has been prosecuted by the ICO for failing to register his premises’ use of CCTV equipment.
  • 30 March 2012. SAI Property Investments Limited, trading as IPS Property Services and one of its directors Mr Punjab Sandhu unlawfully obtained details about their tenants from a rogue employee at Slough Borough Council have been found guilty of committing offences under Section 55 of the Data Protection Act 1998 (DPA).
  • 27 February 2012. Pinchas Braun, a letting agent who unlawfully tried to obtain details about a tenant’s finances from the DWP has been found guilty of an attempt to commit an offence under section 55 of the Data Protection Act and the Criminal Attempts Act.
  • 12 January 2012. Juliah Kechil, formerly known as Merritt, a former health worker has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.

The ICO is not just an enforcer, he offers advice too The Information Commissioner’s 5 Tips on how to better protect personal information .

The list was compiled on the 16th August 2012, updates will be added later so why not subscribe to the blog and automatically get the updates.


See Who breached the Data Protection Act in 2013? Find the complete list here.

PCI Security Standards Council’s Qualified Integrators and Resellers program is now live

The PCI SSC’s the Qualified Integrators and Resellers (QIR)™ Program will train and qualify integrators and resellers that sell, install and/or service payment applications on the secure installation and maintenance of PA-DSS validated payment applications to support merchant PCI DSS security efforts.

Eligible organizations can now register for the QIR program by visiting the PCI SSC website. Training will be available beginning October 1, 2012.

“Integrators and resellers play a key role in securing the payment ecosystem as merchants depend on these providers to install, configure, and maintain their PA-DSS validated applications in a way that facilitates their PCI DSS compliance. Industry reports point to errors being made during the implementation and maintenance process as a significant risk to the security of cardholder data. The QIR program provides integrators and resellers with highly specialized training to help address these risks, such as ensuring that remote access is used securely and that all vendor default accounts and values are disabled or removed before the customer uses the application.

Merchants will benefit from a global list of QIRs on the PCI SSC website, providing them with a trusted resource for selecting PCI approved implementation providers. The program also includes a feedback loop for merchants to evaluate a QIR’s performance.”

QIR customers will have the opportunity to submit a formal feedback form online, which the Council will review as part of its quality assurance process.

The QIR training curriculum is comprised of an eight-hour self-paced eLearning course made up of three modules covering:

  • PCI DSS awareness overview and understanding industry participants
  • QIR roles and responsibilities
  • PA-DSS and key considerations for QIRs when applying expertise to installing and configuring the PA-DSS application
  • Guidance for preparing and implementing a qualified installation

After taking the eLearning course, participants will be eligible to schedule the 90-minute exam at one of more than 4,000 Pearson VUE Testing Centers worldwide. Once a company has two employees complete the training and pass the exam, the company and QIRs will be listed on the PCI SSC website for merchants to use as a resource for choosing a PCI SSC approved provider. The training course and exam will be available October 1, 2012.

The Council will also host a webinar for those interested in learning more about the QIR program, followed by a live question and answer session with PCI SSC experts:

  • To register for the Thursday, August 16, 2012 session, click here.
  • To register for the Wednesday, August 29, 2012 session, click here.

“Although the merchant community continues to accept and adopt PCI, small merchants are increasingly being targeted as opportunities to steal card data,” said PCI SSC Chair and Vice President of Global Data Security Policies and Process for American Express, Mike Mitchell.

“This new and exciting PCI program will continue to close the gap from implementation, to ongoing compliance and in the assessment processes. Merchants should start to feel better about having a “hard-hitting” partner in their fight to prevent fraud.”


Who is responsible for data protection in the cloud?

Encryption in the Cloud is a Ponemon Institute report sponsored by Thales.

The study considers how encryption is used to ensure sensitive or confidential data is kept safe and secure when transferred to external-based cloud service providers. 4,140 business and IT managers in the United States, United Kingdom, Germany, France, Australia, Japan and Brazil were surveyed.

Following is a summary of key findings relating to data protection, encryption and key management activities in the cloud.

  1. Currently, about half of all respondents say their organizations transfer sensitive or confidential data to the cloud environment. Within the next two years, another one-third of respondents say their organizations are very likely to transfer sensitive or confidential to the cloud. At 56%, German companies appear to have the highest rate of sensitive or confidential data transferred to the cloud.
  2. 39% of respondents believe cloud adoption has decreased their companies’ security posture. However, 44% of respondents believe the adoption of cloud services has not increased or decreased their organization’s security posture. Only 10% of respondents believe the move to the cloud has increased their organization’s security posture. With respect to country differences, results suggest that French organizations are most likely to view cloud deployment as diminishing the effectiveness of data protection efforts.
  3. 44% of respondents believe the cloud provider has primary responsibility for protecting sensitive or confidential data in the cloud environment and 30% believe it is the cloud consumer. There are also differences among countries as to who is most responsible. 67% of French companies appear to be the most likely to hold the cloud provider responsible for data protection activities. In contrast, 48% of Japanese companies hold the cloud consumer primarily responsible for data protection.
  4. Companies that currently transfer sensitive or confidential data to the cloud are much more likely to hold the cloud provider primarily responsible for data protection. In contrast, companies that do not transfer sensitive or confidential information to the cloud are more likely to hold the cloud consumer with primary responsibility for data protection.
  5. 63% of respondents say they do not know what cloud providers are doing to protect the sensitive or confidential data entrusted to them. Once again, French respondents (76%) are least likely to say they know what their cloud providers do to safeguard their organization’s information assets.
  6. In general, respondents who select the cloud provider as the most responsible party for protecting data are more confident in their cloud provider’s actual ability to do so (51%) compared to only 32% of respondents who report confidence in their own abilities to protect data even though they consider their own organization to be primarily responsible for protecting data.
  7. Where is data encryption applied? According to 38% of respondents, their organizations rely on encryption of data as it is transferred over the network (typically the internet) between the organization and the cloud. Another 35% say the organization applies persistent encryption data before it is transferred to the cloud provider. Only 27% say they rely on encryption that is applied within the cloud environment.
  8. Among the companies that encrypt data inside the cloud, nearly 74% believe the cloud provider is most responsible for protecting that data. However, only 34% of organizations that encrypt data inside their organization prior to sending it to the cloud hold the cloud provider primarily responsible for data protection.
  9. Who manages the encryption keys when sensitive or confidential data is transferred to the cloud? 36% of respondents say their organization is most responsible for managing the keys. 22% say the cloud provider is most responsible for encryption key management. Another 22% says a third party (i.e. another independent service provider) is most responsible for managing the keys. Even in cases where encryption is performed outside the cloud, more than half of respondents hand over control of the keys. With respect to country differences, German organizations appear to be the least likely to relinquish control of encryption keys to the cloud provider. Companies in Australia and Brazil appear to be the most likely to transfer control of encryption keys to the cloud provider.
  10. Companies with the characteristics that indicate a strong overall security posture appear to be more likely to transfer sensitive or confidential information to the cloud environment than companies that appear to have a weaker overall security posture. In other words, companies that understand security appear to be willing and able to take advantage of the cloud. This finding appears to be at odds with the common suggestion that more security aware organizations are the more skeptical of cloud security and that it is the less security aware organizations are willing to overlook a perceived lack of security. Here, we use the Security Effectiveness Score (SES) as an objective measure of each organization’s security posture.

Larry Ponemon, chairman and founder, Ponemon Institute, says:

“It’s a rather sobering thought that nearly half of respondents say that their organization already transfers sensitive or confidential data to the cloud even though thirty-nine percent admit that their security posture has been reduced as a result. This clearly demonstrates that for many organizations the economic benefits of using the cloud outweigh the security concerns. However, it is particularly interesting to note that it is those organizations that have a strong overall security posture that appear to be more likely to transfer this class of information to the cloud environment – possibly because they most understand how and where to use tools such as encryption to protect their data and retain control . What is perhaps most surprising is that nearly two thirds of those that move sensitive data to the cloud regard their service providers as being primarily responsible for protecting that data, even though a similar number have little or no knowledge about what measures their providers have put in place to protect data. This represents an enormous opportunity for cloud providers to articulate what they are doing to secure data in the cloud and differentiate themselves from the competition.”

Richard Moulds, vice president, strategy, Thales e-Security, says:

“Staying in control of sensitive or confidential data is paramount for most companies today. For any organization that is still weighing the advantages of using cloud computing with the potential security risks of doing so, it is important to know that encryption is one of the most valuable tools for protecting data. However, just as with any type of encryption, it only delivers meaningful value if deployed correctly and with encryption keys that are managed appropriately. Effective key management is emblematic of control and the need for centralized and automated key management integrated with existing IT business processes is a necessity. Even if you allow your data to be encrypted in the cloud, it’s important to know you can still keep control of your keys. If you control the keys, you control the data.”


The Information Commissioner’s 5 Tips on how to better protect personal information

The UK’s Information Commissioners office has created a list of 5 useful tips for protecting personally identifiable information (PII).

The list comes on the back of an offer by the ICO to help charities and other third sector organisations to help them protect data and avoid potential fines of up to £500,000.

Louise Byers, Head of Good Practice at the ICO, said:

“We are aware that charities are often handling extremely sensitive information relating to the health and wellbeing of vulnerable people. With these organisations often lacking the money to employ dedicated information governance staff, there’s a danger that many charities may be struggling to look after people’s data.

“We have published today’s top five areas for improvement to show the voluntary and charity sector that good data protection practices can be cheap and easy to introduce, providing they have the right help and support.

“A one day advisory visit from the ICO provides charities with a data protection ‘check up’ and practical advice on how they can look after people’s information. We are now calling on these organisations to use the summer period to check that their data protection practices are adequate and get in touch before it is too late.”

Sam Younger, Chief Executive of the Charity Commission said:

“Trustees are responsible for ensuring their charity complies with relevant legislation – including the Data Protection Act – and for protecting their charity’s reputation. Mishandling sensitive data not only causes individuals serious distress, it can also damage the good name of your charity. So I encourage trustees of charities that handle sensitive data to take note of the ICO’s guidance and consider taking part in an ICO advisory visit.”

The ICO’s top five areas for improvement are:

  1. Tell people what you are doing with their data. People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.
  2. Make sure your staff are adequately trained. New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
  3. Use strong passwords. There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.
  4. Encrypt all portable devices. Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.
  5. Only keep people’s information for as long as necessary. Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.

I would like to add that whilst these tips are useful most businesses, especially charities, should review their requirements under the Payment Card Industry Data Security Standard (PCI DSS) as credit cards are the life blood to most organisations.


Torbay Care Trust (NHS) fined £175,000 for breaching the Data Protection Act

Torbay Care Trust in Torquay has been fined £175,000 after it published the sensitive details of over 1,000 employees on the Trust’s website.

Staff at the Trust published the information in a spreadsheet on their website in April 2011 and only realised when a member of the public reported it 19 weeks later.

The data covered the equality and diversity responses of 1,373 staff and included individuals’ names:-

  • Dates of birth
  • National Insurance numbers
  • Religion
  • Sexuality

The Information Commissioners Office’s investigation found that the Trust had no guidance for staff on what information shouldn’t be published online and had inadequate checks in place to identify potential problems.

Stephen Eckersley, Head of Enforcement, said:

“We regular speak with organisations across the health service to remind them of the need to look after people’s data. The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable. Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud.

“While organisations can publish equality and diversity information about staff in an aggregated form, there is no justification for unnecessarily releasing their personal information. We are pleased that the Trust are now taking action to keep their employees’ details secure.”

With the proposed European Data Protection Act the scope of what is classified as Personally Identifiable Information (PII) will be better defined but will include more than most business think is actually covered.

It is time businesses undertook thorough risk assessments of their exposure to the PII data leakages because the proposed new fines are potentially up to 2% of global turnover.

Read my summary of the proposed European Data Protection Act here.


PCI Security Standards Council Internal Security Assessor (ISA) training now available as an eLearning course

The new self-paced eLearning course is an online version of the Council’s existing instructor-led ISA training.

ISA training provides businesses the opportunity to educate qualifying employees responsible for managing their PCI DSS security programs on how to assess and validate their company’s adherence to PCI Security Standards.

The curriculum is comprised of a four-hour online pre-requisite course and exam called PCI Fundamentals, followed by the ISA training session and exam. Now candidates have the option to attend the two-day instructor-led session or complete the eLearning training course online. eLearning candidates can then schedule to take the exam locally at one of more than 4,000 Pearson VUE Testing Centers worldwide.

Since 2010 when the ISA programme was launched there have been over 500 people gain the qualification

“We benefited from the interaction with fellow delegates taking the course, said PCI DSS Manager and ISA Parminder Lall, Everything Everywhere. “The ISA training provided a different spin on how to reduce cost when it comes to PCI efforts. We also gained insight into working with a Qualified Security Assessor (QSA) and seeing their side of things.”

The new eLearning option complements the Council’s already available online PCI Awareness training offering, a four-hour introductory PCI course. Businesses can take advantage of ISA training for their security professionals to ensure consistency in understanding their PCI DSS compliance efforts across their organization.

“The ISA program was developed in response to feedback from the PCI community requesting a course that would help organizations in training their own internal PCI experts,” said Bob Russo, general manager, PCI Security Standards Council. “We’re excited to be able to offer this popular session in a new online format, along with our PCI Awareness training, so more companies can take advantage of these resources to improve their PCI security efforts.”

For those who would like to attend an instructor lead course there are two available this year

  1. Orlando, Florida, USA on September 6-7; 10-11
  2. Dublin, Ireland on October 18-19.

For more information visit the PCI SSC website here.

For more information on PCI DSS, PA DSS, etc visit my PCI Resources page here.


Create a free website or blog at

Up ↑

%d bloggers like this: