Brian Pennington

A blog about Cyber Security & Compliance

May 2013

Schools are concerned about cloud security

SafeGov.org and the Ponemon Institute have released the results of a survey of UK schools designed to measure the views of school staff on the rapidly rising use of cloud services in the education sector and the potential risks to student privacy.

The study focused on cloud versions of email and document collaboration tools:

  • a majority of schools expect to migrate to such services in the near future
  • 81% of respondents object strongly to the mining of student emails, web browsing and online behaviour for profit by cloud providers
  • 84% say providers should never profile students
  • 70% say that even the option to turn on ad serving, or the delivery of advertisements to users online, should be completely removed from school-provided cloud services

The findings also show that schools are increasingly looking to move to cloud services because they expect them to bring significant educational and social benefits to students, as well as being cheaper and easier to manage.

SafeGov.org commissioned the Ponemon Institute to conduct the survey of senior staff and IT practitioners in primary and secondary schools and related administrative organisations in the UK.  Respondents were asked to describe their schools’ current and expected use of cloud-based services such as email and document collaboration, and to give their views about student online privacy and cloud provider business models based on data mining for profit.

Key findings of the research include the following:

  • Schools believe cloud services will offer many benefits, helping students to acquire skills needed for employment (78%), thrive in modern society (63%), and obtain better results on national exams (51%)
  • Cloud deployment in UK schools is growing rapidly: 68% of respondents expect to provide cloud email or document creation in the foreseeable future, while 25% already provide such services to their students
  • Schools recognise that cloud services have a dark side: 74% see threats to student privacy as the top risk of cloud, followed by security breaches (70%)
  • But the vast majority reject for-profit data mining of student information: 84% say cloud providers should never profile students for profit, while 70% say ad serving should never be an option
  • Some schools admit to a conflict of interest regarding student privacy, but want to give parents the tools to protect their children: 47% say they might be tempted to trade student privacy for lower costs, but 44% also say parents should have the right to opt-out of data mining for their children

“We’re very impressed and pleased to find that UK schools are rapidly adopting cloud services and see significant educational and social benefits in doing so, as well as cost savings,” said Jeff Gould, President of SafeGov.org. “But our study also shows that UK schools clearly recognise the dark side of cloud computing, especially when cloud providers are allowed to data mine student emails and documents in order to create profiles that can be used for ad serving and other commercial purposes. As the migration to cloud services continues, UK schools, local councils and education authorities as well as the Department for Education at the national level need to develop concrete measures to ensure that strong privacy protections for students and school staff are put in place. Above all, we call on parents to recognise the risks to their children and to take action to ensure that the authorities adopt the proper response.”

Larry Ponemon, chairman and founder, Ponemon Institute, added:

“These results demonstrate significant potential for cloud services in UK schools, with IT administrators contemplating deployments in the immediate to near future, but at the same time overwhelming concerns regarding mining of student data for commercial use. The numbers indicate that these practices must be tackled before the full benefits of cloud computing can be realised.”

  • Most schools already provide email to staff (85%) and students (59%)
  • 25% already offer students cloud email
  • 61% of schools that don’t yet provide email expect to offer cloud email in the foreseeable future

Schools believe cloud tools will help students improve skills, thrive in modern society, obtain better exam results

But schools also see a dark side in Cloud: Data Mining

Schools overwhelmingly recognise that data mining for profit by cloud providers is a threat to student privacy and strongly object to the practice. But some schools admit they are tempted to trade student privacy for lower costs. A solution to this conflict of interest is to let parents opt-out of cloud data mining for their children.

Schools believe cloud email will be easier to manage and cheaper, but not necessarily safer or more secure

  • Schools see threats to student privacy as top risk of cloud (74%), followed by security breaches (70%)
  • Vast majority of schools (81%) object to cloud providers that data mine student online behaviour (i.e. analyse emails or track web browsing) for profit
  • 84% of schools say cloud providers should never profile students for profit, 70% say ads should not be an option
  • Conflict of interest? 47% of schools admit they might trade student privacy for lower costs, but 44% also say parents should have right to opt-out for children


The drivers for BYOD

In a recent F5 document promoting its BYOD solutions, F5 included an interesting section on the drivers for BYOD.

The F5 “BYOD Drivers” section is below.

In 2013, the mobile workforce is expected to increase to 1.2 billion, a figure that will represent about 35% of the worldwide workforce, and many of those workers will be using their own devices.

People have become very attached to their mobile devices. They customize them, surf the web, play games, watch movies, shop, and often simply manage life with these always-connected devices. Those organizations that have implemented BYOD programs are reporting increased productivity and employee satisfaction at work.

The 2012 Mobile Workforce Report from enterprise Wi-Fi access firm iPass found that many employees are working up to 20 additional hours per week, unpaid, as a result of their company’s BYOD policies. Nonetheless, 92% of mobile workers said they “enjoy their job flexibility” and are “content” with working longer hours.

In addition, 42% would like “even greater flexibility for their working practices.”

Organizations have been able to reduce some of their overall mobile expenses simply by not having a capital expenditure for mobile devices and avoiding the monthly service charges that come with each device. In addition, in some cases, BYOD implementations can brand the IT organization as innovators.

The flipside of the convenience and flexibility of BYOD are the many concerns about the risks introduced to the corporate infrastructure when allowing unmanaged and potentially unsecured personal devices access to sensitive, proprietary information. Applying security across different devices from multiple vendors and running different platforms is becoming increasingly difficult. Organizations need dynamic policy enforcement to govern the way they now lock down data and applications. As with laptops, if an employee logs in to the corporate data centre from a compromised mobile device harbouring rootkits, keyloggers, or other forms of malware, then that employee becomes as much of a risk as a hacker with direct access to the corporate data centre.

Mobile IT is a major transformation for IT departments that is deeply affecting every major industry vertical, and the effects will continue for years to come.

F5 data sources:

  • International Data Corporation (IDC), Worldwide Mobile Enterprise Management Software 2012-2016 Forecast and Analysis and 2011 Vendor Shares, Sept. 2012
  • Computerworld UK, “BYOD Makes Employees Work Extra 20 Hours Unpaid,” August 22, 2012

Irish Data Protection Commissioner publishes his 2012 Annual Report

This week sees the Irish Data Protection Commissioner, Billy Hawkes, release his annual report for 2012.

The report summarises the activities of the Commissioner’s Office during 2012 and, like his UK counterpart, focuses on investigations and audits undertaken and provides a commentary on the impact of European and international data protection activities.

As in the UK, the use and sharing of personally identifiable information (PII), especially in the public sector, has been a major issue.

The Commissioner accepts that data sharing can bring benefits in terms of efficient delivery of public services but cautions that it should be done in a way that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason. Appendix 4 of this year’s report contains the full report of the Office’s audit of external public agency access to the Department of Social Protection INFOSYS database*, which uncovered significant breaches of the data protection legislation in relation to access to and governance of personal data.

In the 2011 Annual Report the Commissioner drew attention to the increased demand on the resources of the Office. The Commissioner in his 2012 report points to the Government’s response by providing additional staffing and funding to the Office. In addition, the Government has also given a commitment to keep the resourcing of the Office actively under review to ensure that any additional resources required will be made available. The Commissioner acknowledges that his Office is now well placed to discharge its current statutory responsibilities. Given the likely increased role for the Office, which will emerge from the new “one-stop-shop” arrangement being proposed at EU level for oversight of multi-national companies, the Commissioner welcomes the commitment to ongoing review of further resource requirements.

Complaints:

During 2012, the Office opened 1,349 complaints for investigation, exceeding last year’s record high number with an increase of 188. Complaints from individuals in relation to difficulties gaining access to their personal data held by organisations accounted for just under one-third of the overall complaints investigated during 2012. There was a marked increase in the number of complaints under the Privacy in Electronics Regulations during 2012 (up from 253 in 2011 to 606 during 2012).

The report includes case studies of a number of specific investigations including:

  • Prosecution of three Insurance Companies for Data Protection Registration offences after social welfare data, sourced via a private investigator, was found on insurance claim files held by those companies.
  • Prosecution of a number of companies for unsolicited marketing offences
  • High Court ruling that Dublin Bus must supply copy of CCTV footage requested under the right of access

Breakdown of complaints

Category                        Share      Number
Electronic Direct Marketing     44.93%     606
Access Rights                   32.77%     448
Disclosure                       7.86%     106
Unfair Processing of Data        2.59%      35
Unfair Obtaining of Data         0.96%      13
Use of CCTV Footage              2.37%      32
Failure to secure data           2.59%      35
Accuracy                         1.41%      19
Excessive Data Requested         1.78%      24
Unfair Retention of Data         1.26%      17
Postal Direct Marketing          0.74%      10
Other                            0.74%      10
TOTALS                         100.00%    1349

Number of complaints since 2003

Year    Complaints received
2003    258
2004    385
2005    300
2006    658
2007    1037
2008    1031
2009    914
2010    783
2011    1161
2012    1349

Data Breach Notifications

During 2012, the Office dealt with 1,666 personal data security breach notifications. This is again an increase in the numbers dealt with compared to previous years. Of the 1,666 notifications received, it was found that 74 cases were not deemed to be personal data security breaches on the part of the data controller making the notification. This was due to either appropriate security measures, such as encryption, being in place to protect the data or to individuals failing to update their contact details with the data controller, resulting in letters issuing to an incorrect address. A total of 1,592 valid data breach notifications were therefore recorded. This is an increase of over 400 on last year.

The introduction, in July 2011, of S.I. 336 of 2011 made it a legal requirement for telecommunication companies and Internet Service Providers (ISPs) to notify this Office, without undue delay, of a data security breach and to also notify affected individuals of such a breach. In September 2012, two telecommunications companies were prosecuted for failing to meet their legal obligation in this regard. In the first full year of S.I. 336 being in effect, a total of 60 data security breach notifications were received from Telecommunications companies and ISPs.

Due to the year on year increase in the number of data security breach notifications received by the Office, additional resources were allocated to the area. A Technology Advisor has also been appointed to allow the Office to properly investigate the more complex Information Technology (IT) related matters that are brought to its attention. During 2012, we have taken a more proactive stance in relation to potential data security breaches and have initiated investigations into matters that have been identified through mention in areas such as social media sites.

While the complexity of certain data security breaches increases, it is the more mundane situation of correspondence being issued to an incorrect address that continues to account for the largest percentage of data security breaches. Over two thirds of all breach notifications received by the Office involved letters being issued by post, either to an incorrect address or containing a third party’s personal data.

The annual report includes a number of “case studies” detailing specific organisations who sustained breaches.

Privacy Audits:

In the course of 2012, 40 audits and inspections were carried out by this Office. This is an increase on the previous year – 2011 – in which 33 audits were completed in total. Included in the list of the audits/inspections, is the INFOSYS investigation which, although initially a ‘desk audit’, eventually led to a large number of meetings and visits to agencies within the public sector who had access to INFOSYS.

Examples of the organisations audited are below:

  • O2
  • An Garda Síochána
  • Facebook-Ireland (follow-up review)
  • Ulster Bank (reporting procedures with the Irish Credit Bureau)
  • Permanent TSB (reporting procedures with the Irish Credit Bureau)
  • National Irish Bank (reporting procedures with the Irish Credit Bureau)
  • Bank of Ireland (reporting procedures with the Irish Credit Bureau)

The report is 127 pages long, with almost 80% focusing on specific case studies. It makes interesting reading. The full document can be found here.


76% of companies have had a data breach or expect to have a breach

Experian Data Breach Resolution and the Ponemon Institute have released a study that finds that, despite the majority of companies experiencing or anticipating significant cost and business disruption due to a material data breach, they still struggle to take the proper measures to mitigate damage in the wake of an incident.

The report, “Is Your Company Ready for a Big Data Breach?” examines the consequences of data breach incidents and the steps taken to lessen future damage.

Respondents include senior privacy and compliance professionals of organisations that experienced at least one data breach. The top three industries represented are retail, health and pharmaceuticals, and financial services.

“A majority of companies we surveyed indicate they have already or are very likely to lose customers and business partners, receive negative publicity and face serious financial consequences due to a data breach,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Yet, despite understanding the consequences, many companies struggle to take the right steps to mitigate the fallout following an incident, demonstrating a need for better awareness and investment in the tools that can alleviate negative customer perceptions.”

The study’s key findings include:

Companies experience and anticipate harm due to breaches

Companies that suffer data breaches experience significant costs and business disruption, including the loss of business and trust from customers, negative media attention and legal action.

  • 76% of privacy professionals say their organisation already had or expects to have a material data breach that results in the loss of customers and business partners.
  • 75% say they have had or expect to have such an incident that results in negative public opinion and media coverage.
  • 66% of companies have or believe they will suffer serious financial consequences as a result of an incident.

Despite consequences, incident response remains a challenge

Companies struggle to properly handle potential damage due to a data breach and implement technologies to help prevent future incidents, even after suffering an incident.

Despite experiencing a breach, not all companies prepare for a future breach:

  • 39% of companies say they have not developed a formal incident breach preparedness plan even after experiencing a breach.
  • 10% of organizations have data breach or cyber insurance.

A majority of organisations surveyed do not provide clear communication and notification to victims following an incident:

  • 21% of respondents have communications teams trained to assist in responding to victims.
  • 30% of respondents say their organisations train customer service personnel on how to respond to questions about the data breach incident.
  • 65% also lack mechanisms to verify that contact with each victim was completed, and only 38% have mechanisms for working with victims with special circumstances.

The survey also finds that organizations are missing security technology safeguards and tools to prevent or understand the extent of an incident:

  • Encryption is not widely deployed: less than one-third of respondents say sensitive or confidential personal and business information stored on computers, servers and other storage devices is generally encrypted.
  • Forensics is lacking: many organizations lack the forensics capabilities to fully understand the nature and extent of the incident.
    • Only 36% have the tools or technologies to assess the size and impact of a data breach.
    • 19% have advanced forensics to determine the nature and root causes of cyberattacks.
    • 25% have the ability to ensure the root cause of the data breach was fully contained.

“The study findings show that organizations need to prioritize preventing future breaches and better manage post-breach response,” said Dr. Larry Ponemon, Chairman and founder of the Ponemon Institute. “In addition to improving technical safeguards, it’s clear that companies also should focus more attention on meeting the needs of affected consumers that suffer a data breach.”


UK Government’s update on its activities to protect children on the Internet

Earlier this month the UK Government provided an update to their activities around protecting children on the Internet.

The update paper follows on from the June 2012 announcement of a consultation seeking views on three broad options for protecting children:

  • “Default-on” or “opt-in” – where people’s home Internet Service Provider (or each internet-enabled device) blocks harmful content automatically before any customer buys it. Parents can later choose to adjust or remove the blocks
  • “Active choice” – where customers are always presented with a choice about whether or not they want filters and blocks installed on their home internet service and/or each internet-enabled device they are buying
  • “Active choice plus” – where customers are presented with a list of online content that will be blocked automatically unless they choose to unblock them

A large majority of respondents, including parents, did not like any of the above options. The Government said its policy would therefore develop so that it:

  • actively helps parents to make sure they have appropriate safety features in place when their children access the internet and encourages them to think about issues such as grooming, bullying and sexting as well as potentially harmful or inappropriate content
  • covers existing ISP customers as well as new ones
  • makes it easier for parents to take charge of setting up the internet access their children will have, and less likely that they will abdicate this responsibility to their children

According to an August 2011 report by the Childhood Wellbeing Research Centre:

  • 99% of children aged 12-15 now use the internet
  • 93% of 8-11 year olds
  • 75% of 5-7 year olds

This routine use of the internet by children has led to concern about the potential dangers they face, particularly about access to pornography, online bullying, ‘sexting’, and the use of social networking sites to sexually solicit children.

In her March 2008 report “Safer children in a digital world”, Tanya Byron identified three strategic objectives for child safety on the internet:

  • reducing the availability of harmful and inappropriate material in the most popular part of the internet
  • restricting children’s access to harmful and inappropriate material
  • building children’s resilience to the material to which they may be exposed so that they have the confidence and skills to navigate the online world more safely

Professor Byron highlighted the key role of parents in managing children’s access to harmful material:

“There is a range of technical tools that can help parents do this (e.g. safe search), but they only work effectively if users understand them.

So restricting children’s access to harmful and inappropriate material is not just a question of what industry can do to protect children (e.g. by developing better parental control software), but also of what parents can do to protect children (e.g. by setting up parental control software properly) and what children can do to protect themselves (e.g. by not giving out their contact details online).”

The report recommended the creation of a UK Council on Child Internet Safety to lead the development of a strategy with two core elements:

  • better regulation, in the form, wherever possible, of voluntary codes of practice that industry can sign up to
  • better information and education, where the role of government, law enforcement, schools and children’s services will be key.

The UK Council on Child Internet Safety (UKCCIS) was launched in September 2008. It is chaired by Ministers from the Department for Education and Home Office and brings together organisations from government, industry, law enforcement, charities and parenting groups.

A March 2010 progress report, also by Professor Byron, “Do we have safer children in a digital world”, reviewed the work of UKCCIS and, amongst other things, said that future work should “promote the availability and use of parental controls”.

An Independent parliamentary inquiry into online child protection (April 2012), chaired by Claire Perry, noted that

“while parents should be responsible for monitoring their children’s internet safety, in practice this is not happening”. The report went on to recommend that the Government “should launch a formal consultation on the introduction of an Opt-In content filtering system for all internet accounts in the UK” as well as seeking “backstop legal powers to intervene should the ISPs fail to implement an appropriate solution”.

On 28 June 2012 a Department for Education (DfE) press release announced details of a ten week consultation on whether automatic online blocks should be introduced to protect children from adult and harmful websites:

The discussion paper asks for views on three broad options for the best approach in keeping children safest online, in a rapidly changing digital industry:

  • A system, known as default-on or opt-in, where people’s home Internet Service Provider or each internet-enabled device (laptop and desktop computers; mobile phones; tablets and television) blocks harmful content automatically before any customer purchases it. They can later choose to adjust or remove the blocks if parents want to access the blocked websites.
  • A system where customers are always presented with an unavoidable choice about whether or not they want filters and blocks installed either on their home internet service and/or each internet enabled device they are buying, an approach known as “active choice”. This applies at either the ‘point of purchase’, either online, telephone or over the counter or when a customer first switches on a new device or internet subscription.
  • A system that combines features of both systems, where customers are presented with a list of online content that will be blocked automatically unless they choose to unblock them, or active choice plus.

It follows work over the last year led by Government working with UKCCIS members to strengthen practical steps to improve child internet safety, following last year’s independent Letting Children Be Children report by Reg Bailey, Chief Executive of Mothers’ Union.

The Bailey report argued that parents are best placed to manage what their children access online, but while many want to take control, all too often they do not know how.

Progress to date includes:

  • All four main internet service providers BT, TalkTalk, Virgin Media and Sky signing up to the first ever code of practice last October, to give all new customers an active choice of whether or not to apply controls and filters to block harmful content – with the aim that eventually it would be extended to all existing customers as the norm, as TalkTalk has with its free HomeSafe service.
  • Ongoing work with major laptop and hardware manufacturers to sell new products with active choice prompts at first switch-on. UKCCIS has also been working with mobile phone manufacturers and public wifi providers to block access to adult material in public places – for instance Virgin Media’s forthcoming service on the London Underground network and O2’s wifi links in McDonalds restaurants.
  • Major high street retailers such as Tesco, John Lewis, Dixons and PC World piloting or introducing new schemes so staff ask all customers if they want parental controls activating, when they buy new products.

The Government’s response was published on 17 December 2012 and noted that there were 3,509 responses, 69% of these were from members of the public and 22% from parents.

The key findings were as follows:

  • Respondents very clearly said that children’s online safety is the responsibility of parents or a shared responsibility between parents and businesses. A majority of parents think that it is their responsibility solely, and parents are more likely than other groups (with the exception of VCS organisations) to think it is a shared responsibility with business.
  • A large majority of respondents, including parents, said that they did not like any of the three options for parental controls the consultation invited responses on. There was marginally more support for default filtering at network level (14% of respondents) than for the other options, parents choosing controls (9% of respondents) and a combination of default filtering and parental choice (7% of respondents).
  • Parents also recognise that their children are more likely to be worried by other people’s behaviour on the internet, such as bullying, than by inappropriate content.
  • Pornography is the issue that parents are most likely to say they want help with to protect their children online, with bullying, violent content and grooming other key concerns. However, nearly a quarter of parents say they do not need help with any of the issues the consultation asked them about.
  • Parents say they would like to be made more aware of parental controls and to have more information about how to use them.

The Government’s response to these findings began by noting that, to date, its “approach has been based on expert advice that default filtering can create a false sense of security since:

  • It does not filter all potentially harmful content: given the vast amount of material on the internet, it would not be possible to identify all the possible content to be filtered, and very large numbers of websites are created each day.
  • There is also a risk from “over-blocking”, preventing access to websites which provide helpful information on sexual health or sexual identity, issues which young people may want information on but find difficult to talk to their parents about.
  • It does not deal with harms such as bullying, personal abuse, grooming or sexual exploitation which arise from the behaviour of other internet users.
  • It does not encourage parents to engage with the issues and learn about keeping their children safe online. There is a risk that parents might rely on default filtering to protect their children from all potential online harms and not think about how their children might want to use the internet, the kind of content that is appropriate for each child according to their own circumstances, and the risks and harms their children might face.”

The UK Government has therefore been working with all parts of the information and communication industries through UKCCIS to promote the approach recommended by Reg Bailey, “that the internet industry should ensure that customers must make an active choice over what sort of content they want to allow their children to access; those providing content which is age restricted, whether by law or company policy, should seek robust means of age verification as well as making it easy for parents to block underage access.”

Although little consensus emerged from the findings, there were “clear messages” suggesting the way in which policy could “evolve”, supporting parents in their desire to be responsible for their children’s safety and making it easier for parents to choose what is right for their own children. The Government’s approach would therefore develop so that it:

  • actively helps parents to make sure they have appropriate safety features in place when their children access the internet and also encourages them to think about issues such as grooming, bullying and sexting as well as potentially harmful or inappropriate content
  • covers existing ISP customers as well as new ones
  • prompts or steers parents towards those safety features
  • makes it easier for parents to take charge of setting up the internet access their children will have, and less likely that they will abdicate this responsibility to their children

The UK Government is now asking all internet service providers to actively encourage people to switch on parental controls if children are in the household and will be using the internet. This approach should help parents make use of the available safety features without affecting internet users aged 18 and over who can choose not to set up controls.

Internet service providers have made great progress to date in implementing “active choice” controls where all new customers are asked if they want to switch on parental controls. The Government is urging providers to go one step further and configure their systems to actively encourage parents, whether they are new or existing customers, to switch on parental controls. The Government believes providers should automatically prompt parents to tailor filters to suit their child’s needs e.g. by preventing access to harmful and inappropriate content. We also expect ISPs to put in place appropriate measures to check that the person setting up the parental controls is over the age of 18.

All of the information and communication industries, including retailers and device manufacturers, should work to develop universally available family friendly internet access which is easy to use. The Government wants to see all internet-enabled devices supplied with the tools to keep children safe as a standard feature.

The response said that the Government would work with industry, charities and relevant experts, through UKCCIS, to develop the approach set out above. UKCCIS would also look at what more can be done to:

  • define which children are most likely to be vulnerable online
  • improve online protections for the more vulnerable children, including making it easier for parents and carers to find out what kinds of controls can allow these children to use the internet safely, and how children in families where their safety is a low priority can be helped to have positive experiences of the internet
  • define inappropriate content and improve the means for identifying it online, starting with an exploration of “community regulation”
  • establish clear, simple benchmarks and classifications for parental control solutions, so that parents can more easily understand what those tools will help them with and how various products compare, and encourage a deeper understanding of the reasons why parental controls are not taken up by more parents

Claire Perry, who chaired the independent parliamentary inquiry into online child protection, expressed disappointment that an ‘opt-in’ option had been ruled out but said that:

“this was not the preferred choice of those responding to the Consultation and it is right that government policy is based on the responses that are received to Consultations.

“However, the all-important issue of getting Internet Service Providers to do more to verify the age of the person setting up any form of filter or control has clearly been highlighted and I am really pleased that UKCCIS has been tasked with sorting out age verification procedures. Working with the ISPs we will end up with age verification and active filters that will mean Britain will lead the world in keeping young people safe online.”

The Internet Service Providers’ Association (ISPA) welcomed the Government’s position:

“Online safety is a shared responsibility between parents and the wider industry, including ISPs, manufacturers and retailers, via providing easy to use tools, advice and information.”

In a written parliamentary answer of 25 April 2013, Edward Timpson, Minister for Children and Families in the Department for Education, said that the Government was “challenging the internet industries” to meet the requests set out in the Government’s response, and that, through a series of separate project groups, ISPs, public Wi-Fi providers and device manufacturers were regularly reporting to the UKCCIS Executive Board on their commitments to put in place systems to reduce children’s access to harmful internet content.

On 23 April 2013, the Telegraph reported that the Prime Minister is to announce a Government backed code of conduct which will mean that access to pornography is blocked on Wi-Fi in public spaces:

Mr Cameron said that he wanted

“good, clean Wi-Fi in public spaces which would give parents confidence that their children cannot access illicit websites on smart phones or mobile computers.

“We are promoting good, clean, Wi-Fi in local cafes and elsewhere to make sure that people have confidence in public Wi-Fi systems so that they are not going to see things they shouldn’t.”

His intervention comes after a long-running campaign from children’s charities to ensure a blanket ban on unacceptable sites on public Wi-Fi networks.

The Children’s Charities Coalition on Internet Safety wrote to BT, the country’s biggest internet provider, last month demanding urgent action.

Talks have been taking place for months between internet service providers and government officials over the new deal. It is not clear whether the internet firms will automatically impose the restrictions on access or whether it will be the duty of shops and other public areas used by children to bar adult content.


Small firms lose up to £800 million to cyber crime a year

New research from the Federation of Small Businesses (FSB) shows that cyber crime costs its members around £785 million per year as they fall victim to fraud and online crime.

The report shows:

  • 41% of FSB members have been a victim of cyber crime in the last 12 months, putting the average cost at around £4,000 per business.
  • Around 30% have been a victim of fraud, typically by a customer or client (13%) or through ‘card not present’ fraud (10%).

For the first time, the FSB has looked at the impact that online crime has on a business. The most common threat to businesses is virus infection, which 20% of respondents said they have fallen victim to; 8% have been a victim of hacking and 5% have suffered a security breach.

The FSB is concerned that the cost to the wider economy could be even greater as small firms refuse to trade online believing the security framework does not give them adequate protection. Indeed, previous FSB research shows that only a third of businesses with their own website use it for sales.

The report also finds:

  • almost 20% of members have not taken any steps to protect themselves from a cyber crime
  • 36% of respondents say they regularly install security patches to protect themselves from fraud
  • almost 60% regularly update their virus scanning software to minimise their exposure to online crime

In response to this, the FSB has developed 10 top tips for small firms to make sure they stay safe online:

  1. Implement a combination of security protection solutions (anti-virus, anti-spam, firewall(s))
  2. Carry out regular security updates on all software and devices
  3. Implement a resilient password policy (min eight characters, change regularly)
  4. Secure your wireless network
  5. Implement clear and concise procedures for email, internet and mobile devices
  6. Train staff in good security practices and consider employee background checks
  7. Implement and test backup plans, information disposal and disaster recovery procedures
  8. Carry out regular security risk assessments to identify important information and systems
  9. Carry out regular security testing on the business website
  10. Check provider credentials and contracts when using cloud services

Launching the report at an event in London today, Mike Cherry, National Policy Chairman, Federation of Small Businesses, said:

“Cyber crime poses a real and growing threat for small firms and it isn’t something that should be ignored. Many businesses will be taking steps to protect themselves but the cost of crime can act as a barrier to growth. For example, many businesses will not embrace new technology as they fear the repercussions and do not believe they will get adequate protection from crime. While we want to see clear action from the Government and the wider public sector, there are clear actions that businesses can take to help themselves.

“I encourage small firms to look at the 10 top tips we have developed to make sure they are doing all they can. We want to see the Government look at how it can simplify and streamline its guidance targeted specifically at small firms and make sure there is the capacity for businesses to report when they have been a victim of fraud or online crime.”

James Brokenshire MP, Parliamentary Under Secretary for Security, Home Office, said:

“Having personally been involved in the cyber security debate for several years now, I am pleased that the Home Office is working with the FSB to highlight the current experiences of small businesses.

“Cyber security is a crucial part of the Government’s National Cyber Security Strategy and we need to make sure that all businesses, large and small are engaged in implementing appropriate prevention measures in their business. This report will help give a greater understanding of how online security and fraud issues affect small businesses, giving guidance as well as valuable top tips to protect their business.”

David Willetts MP, Minister for Universities and Science, Department for Business, Innovation and Skills, said:

“The Department for Business, Innovation and Skills (BIS) published guidance in April 2013, ‘Small businesses: what you need to know about cyber security’, based on our comprehensive ‘10 Steps to Cyber Security’ guidance. This guidance sets out the current risks, how to manage these, and plan implementation of appropriate security measures.

“We know only too well of the importance of securing buy-in from both big and small business in implementing appropriate protection against cyber risks – business success can depend on it. Increasing security drives growth.

“I support all efforts, like the FSB’s, to provide clarity on the issues small businesses are facing, and more importantly, what they can do about them. I urge all small businesses to follow the FSB’s advice.”


PCI Security Standards Council announces new board of advisors

The PCI Security Standards Council (PCI SSC) has announced the election results for the 2013-2015 PCI SSC Board of Advisors.

The Board will represent the PCI community by providing counsel to SSC leadership.

The Council’s more than 690 Participating Organizations selected individuals from the following organizations to represent their industry’s unique perspectives in the development of PCI Standards and other payment security initiatives:

  • Bank of America N.A.
  • Bankalararasi Kart Merkezi
  • Barclaycard
  • British Airways PLC
  • Carlson
  • Cartes Bancaires
  • Cielo S.A.
  • Cisco
  • Citigroup Inc.
  • European Payment Council AISBL
  • FedEx
  • First Bank of Nigeria
  • First Data Merchant Services
  • Global Payments Inc.
  • Ingenico
  • Micros
  • Middle East Payment Systems
  • PayPal Inc.
  • Retail Solutions Providers Association
  • RSA, The Security Division of EMC
  • Starbucks Coffee Company
  • VeriFone Inc.
  • Wal-Mart Stores, Inc.
  • Woolworths Limited

Board of Advisor members provide strategic and technical input to PCI SSC on specific areas of Council focus. Past board members have provided reach into key industry verticals and geographies to help raise awareness and adoption of PCI Standards; have shared their experience with implementing PCI Standards in presentations at the annual Community Meetings; and have contributed guidance on training product development and led Special Interest Groups (SIGs).

“Active involvement from our Participating Organization base is critical to ensuring the PCI Standards remain at the front line for protection against threats to payment card data. Once again I am impressed by the turn out in the election process. It’s particularly encouraging to see new markets looking towards open global standards like the PCI Standards to help secure payment card data worldwide,” said Bob Russo, general manager, PCI Security Standards Council.

“The Council and wider stakeholder community will benefit from the breadth of experiences and perspectives that this new board represents.” The board will support the Council’s mission to raise awareness and drive adoption of PCI Standards worldwide and will kick off its work in June with its first face-to-face meeting with Council management. “This year saw more European involvement than ever in the Board of Advisors election process. Although Europe contains mature EMV markets, this level of involvement in the PCI SSC confirms that the combination of PCI Standards and EMV chip is a powerful force for protecting payment card data,” said Jeremy King, European director, PCI Security Standards Council. “Our new board is a truly global group, and the Council will benefit greatly from its input as we continue to drive awareness and adoption of PCI Standards worldwide.”


RSA’s April Online Fraud Report 2013, with a focus on the changes in Phishing tactics

Phishing still stands as the top online threat impacting both consumers and the businesses that serve them online.

In 2012, there was an average of over 37,000 phishing attacks each month identified by RSA. The impact of phishing on the global economy has been quite significant: RSA estimates that worldwide losses from phishing attacks cost more than $1.5 billion in 2012, and had the potential to reach over $2 billion if the average uptime of phishing attacks had remained the same as 2011.

This monthly highlight goes beyond the growing numbers recorded for phishing attacks and looks deeper into the evolution of attack tactics facilitating the sustained increase witnessed over the last year.

Phishing kits recently analyzed by RSA show another phish tactic increasingly used by phishers. Although this is not entirely new, it is interesting to see it implemented by miscreants planning to evade email filtering security.

The scheme involves a number of redirections from one website to another. What kit authors typically do in such cases is exploit and take over one legitimate website, hijacking it without making any visible changes to it. They use this site as a trampoline of sorts: victims are sent to it and then bounced from there to a second hijacked website, the actual phishing page.

What good does this serve? Simple: the first site is deliberately preserved as a “clean” site, so that phishers can send it as an unreported, unblocked URL to their victims inside emails that do not appear suspicious to security filtering. The recipient clicks the link, reaches the first (clean) URL and is instantly redirected to the malicious one.

A similar example is the time-delayed attack: again not new, but increasingly used by attackers. This variation uses the same clean site: the spam containing the “good” URL is sent, and then the attacker stalls. The malicious content is only loaded onto the hijacked site a day or two later. These are often weekend attacks: the spam is sent on a Sunday and clears the email systems, and the malicious content becomes available on Monday. The same scheme is used for spear phishing and Trojan infection campaigns.
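To make the two tactics above concrete, here is an added example (my own code, not RSA’s and not from the report) of a link checker that follows the whole redirect chain rather than judging only the URL that appears in the mail. The hosts, paths and responses are constructed stand-ins for the two hijacked sites, and the `fetch` function is injected so the example runs offline; a real scanner would plug in an HTTP client. The same emailed link is fetched as it would look on the Sunday the spam is sent and again on the Monday the phishing content goes live:

```python
"""Redirect-chain inspection for emailed URLs.

Added example, not RSA's code.  Follows HTTP 3xx, <meta refresh> and simple
JavaScript redirects from the URL found in a mail and reports where the
victim would actually land.  `fetch` is injected so the example runs offline
against constructed responses.
"""
import re
from urllib.parse import urljoin, urlsplit

# <meta http-equiv="refresh" content="0; url=/path"> (attribute order as written here)
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]+content=["']?\s*\d+\s*;\s*url=([^"'>\s]+)""",
    re.IGNORECASE,
)
# window.location = "..." / location.href = '...'
JS_LOCATION = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""",
    re.IGNORECASE,
)


def next_hop(url, status, headers, body):
    """Return the URL this response forwards to, or None if it is a final page.
    `headers` must already have lower-cased keys."""
    if 300 <= status < 400 and "location" in headers:
        return urljoin(url, headers["location"])
    m = META_REFRESH.search(body) or JS_LOCATION.search(body)
    return urljoin(url, m.group(1)) if m else None


def follow_chain(url, fetch, max_hops=10):
    """Follow redirects starting at `url`; return the list of URLs visited in
    order.  `fetch(url)` returns (status, headers, body).  Stops on a loop and
    after `max_hops` hops so a deliberately endless chain cannot hang the scanner."""
    chain = [url]
    while len(chain) <= max_hops:
        status, headers, body = fetch(chain[-1])
        nxt = next_hop(chain[-1], status, {k.lower(): v for k, v in headers.items()}, body)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def verdict(chain):
    """Flag a link whose landing host differs from the host the email showed."""
    first, last = urlsplit(chain[0]).hostname, urlsplit(chain[-1]).hostname
    if last != first:
        return f"suspicious: {first} forwards to {last} in {len(chain) - 1} hop(s)"
    return "landing host matches emailed host"


# Constructed responses standing in for the hijacked sites (hypothetical hosts).
# Sunday: the "clean" site still serves its normal page, so a filter that
# fetches the emailed URL sees nothing wrong.
SUNDAY = {
    "http://news-blog.example/post/42": (200, {}, "<html><body>Weekly update</body></html>"),
}
# Monday: the same URL now bounces to a second hijacked site hosting the phish.
MONDAY = {
    "http://news-blog.example/post/42": (302, {"Location": "http://shop-cms.example/img/"}, ""),
    "http://shop-cms.example/img/": (
        200, {}, '<meta http-equiv="refresh" content="0; url=/img/secure/login.php">'),
    "http://shop-cms.example/img/secure/login.php": (
        200, {}, "<form>Enter your online banking credentials</form>"),
}


def make_fetch(site):
    """Build an offline fetch() over one of the constructed response tables."""
    def fetch(url):
        return site.get(url, (404, {}, ""))
    return fetch


if __name__ == "__main__":
    link = "http://news-blog.example/post/42"
    for day, site in (("Sunday", SUNDAY), ("Monday", MONDAY)):
        chain = follow_chain(link, make_fetch(site))
        print(day, "->", " -> ".join(chain))
        print("   ", verdict(chain))
```

The Sunday run returns a one-element chain and a clean verdict, which is exactly what a delivery-time filter would see; the Monday run of the same link ends two hops away on a different host. The practical lesson is that a URL must be re-resolved at click time (or periodically after delivery), and that the check must compare the landing host, not just the emailed one, against reputation data.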

Research into attack patterns shows that Fridays are a top choice for phishers to send targeted emails to employees (“spear-phish Friday”, if you will). Why Friday? Phishers make it their business to know their targets as well as possible. It stands to reason that employees may be a little less on guard on the last day of the week, as they clear the week’s emails from their inbox and browse the Internet more, making them more likely to check out a link they received via email that day.

Typo squatting is a common way for phishers to try and trick web users into believing they are looking at a legitimate URL and not a look-alike evil twin. The basics of typo squatting are registering a website for phishing under a domain name that is either very similar to the original or visually misleading. The most common ways of doing this are:

  • switching letters, as in bnak or bnk for “bank”
  • adding a letter at the end of the word, or doubling a letter in the wrong place, as in Montterrey for “Monterrey”
  • swapping visually similar letters

Phishers are creative and may use different schemes to typo squat. This tactic can be spotted by keen-eyed readers who pay close attention to the URL they are accessing; however, for most individuals on a busy day, typo squatting can end with an inadvertent click on the wrong link. This is especially important today, since fake websites look better than ever and are that much harder to tell apart from the real thing.

A quick search engine search for domain iwltter.com immediately revealed that it was registered by someone in Shanghai and already reported for phishing.
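As an added example (not from the RSA report), the following Python checks the registrable domain of a URL against a list of monitored brand domains, using an edit distance that counts each of the moves listed above (switching adjacent letters, dropping a letter, doubling or appending a letter, and substituting a confusable character) as a single edit. The brand list, the confusable table and the sample URLs are assumptions for illustration; iwltter.com is the domain mentioned above. It goes slightly beyond the text in also folding digit-for-letter swaps such as 1 for l and 0 for o before comparing.

```python
"""Typo-squat look-alike detection for URLs.  Added example, not RSA's code.

A host is compared with each monitored brand domain using the optimal string
alignment (OSA) distance, which counts an adjacent transposition ('bnak' for
'bank') as one edit, after folding visually confusable characters.
"""
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Confusable characters folded to a canonical form before comparison.
# Representative, not exhaustive; an assumption for this example.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def fold(label: str) -> str:
    """Lower-case a DNS label and replace confusable sequences."""
    label = label.lower()
    for k, v in CONFUSABLES.items():
        label = label.replace(k, v)
    return label


def osa_distance(a: str, b: str) -> int:
    """Levenshtein distance extended with adjacent transposition as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_domain(url: str) -> str:
    """Last two labels of the URL's host.  Simplification: production code
    should consult the Public Suffix List so that 'bank.co.uk' is handled."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_of(url: str, brands: Iterable[str]) -> Optional[str]:
    """Return the monitored brand domain that `url` most resembles, or None if
    the URL is the brand's own domain or is not close enough to any brand."""
    dom = registrable_domain(url)
    label = dom.partition(".")[0]
    best = None
    for brand in brands:
        brand = brand.lower()
        if dom == brand:
            return None  # exactly the legitimate domain
        b_label = brand.partition(".")[0]
        dist = osa_distance(fold(label), fold(b_label))
        # Tolerate one edit for short brand names, two for longer ones.  The
        # same label under another TLD (distance 0) is reported as well.
        limit = 1 if len(b_label) < 6 else 2
        if dist <= limit and (best is None or dist < best[0]):
            best = (dist, brand)
    return best[1] if best else None


if __name__ == "__main__":
    # Constructed sample input: brands we monitor and links seen in mail.
    brands = ["twitter.com", "bank.com", "paypal.com"]
    for link in ["http://iwltter.com/login", "https://bnak.com", "https://www.paypa1.com/signin",
                 "https://twitter.com/home", "https://example.org"]:
        print(f"{link:35} -> {lookalike_of(link, brands)}")
```

The threshold is deliberately tight: a single edit for brand names shorter than six characters, two otherwise, because the false-positive rate of edit-distance matching grows quickly on short labels. Anything this flags is a candidate for a closer look (registration date, registrant, hosting) rather than an automatic block.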

But the notion plays against phishers in other aspects. Typos are one of the oldest tell-tale signs of phishing. You’d think that by now phishers would have learned that their spelling mistakes and clunky syntax impair their success rates, but luckily, they haven’t. This could be in part due to the fact that many kit authors are not native English speakers.

Another phish tactic analyzed by RSA in the recent month came in the shape of a kit that selected its audience from a 3,000-strong pre-loaded list. It may sound like a long list, but it is very limiting in terms of exposure to the phishing attack itself. This case showed that phishers will use different ways to protect the campaign infrastructure they have created and make sure that strangers, such as security researchers and phish trackers, keep out of their hijacked hostage sites while they gather credentials and ship them out to an entirely different location on the web.

Water-holing in the phishing context became a tactic employed by attackers looking to reach the more savvy breed of Internet users. Instead of trying to send an email to a security-aware individual, attempting to bypass the security implemented in-house and reinventing the phish, water-holing is the simple maneuver of luring the victim out into the field and getting him there. A water-hole is thus a website or online resource that is frequently visited by the target audience. Compromise that one resource, and you’ve got them all. Fully patched systems will still be relatively immune, and hardened browsers that do not allow any file to be downloaded without express permission from the user will deflect the malware.

Water-holing has compromised users by serving an exploit and infecting their machines with a RAT (remote administration tool). It is also the suspected infection method for servers used to handle payment-processing data: since such systems are not used for everyday browsing, the remaining way to reach them in a relatively wide campaign is through a resource they do connect to regularly.

Water-holing may require some resources for the initial compromise of the website that will reap the rewards later, but this balances out because the attacker does not need to know the exact contacts, their email addresses, or the type of content they would expect or suspect before going after the targeted organization.

RSA’s Conclusion

Although there is not much a phishing page can surprise with, one can’t forget that the actual page is just the attack’s façade. Behind the credential-collecting interface lie increasingly sophisticated kits that record user hits and coordinates, push victims from one site to the next, lure them to infection points after robbing their information, and always seek the next best way to attack. According to recent RSA research into kits, changes in the code’s makeup and in phish tactics stem from deliberate study of human behaviour patterns: the kits log statistical information about users, and that knowledge is fed into future campaigns.

Phishing Attacks per Month

In January, RSA identified 30,151 attacks launched worldwide, a 2% increase in attack volume from December. Considering historical data, the overall trend in attack numbers in an annual view shows slightly lower attack volumes through the first quarter of the year.

Number of Brands Attacked

In January, 291 brands were targeted in phishing attacks, marking a 13% increase from December.

US Bank Types Attacked

U.S. nationwide banks continue to be the prime target for phishing campaigns – targeted by 70% of the total phishing volume in January. Regional banks’ attack volume remained steady at 15%, while attacks against credit unions increased by 9%.

Top Countries by Attack Volume

The U.S. was targeted by phishing most in January – with 57% of total phishing volume. The UK endured 10%, followed by India and Canada with 4% of attack volume respectively.

Top Countries by Attacked Brands

Brands in the U.S were most targeted in January; 30% of phishing attacks were targeting U.S. organizations followed by the UK that represented 11% of worldwide brands attacked by phishers. Other nations whose brands were most targeted include India, Australia, France and Brazil.

Top Hosting Countries

In January, the U.S. remained the top hosting country, accounting for 52% of global phishing attacks, followed by Canada, Germany, the UK and Colombia which together hosted about one-fifth of phishing attacks in January.

See Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA March 2013 Online Fraud Report Summary here.
  • The RSA February 2013 Online Fraud Report Summary here.
  • The RSA January 2013 Online Fraud Report Summary here.


PCI Security Standards Council publishes card production security requirements

The PCI Security Standards Council (PCI SSC) has announced the publication of a standard for secure payment card production.

The standard consists of two sets of requirements:

  1. PCI Card Production Physical Security Requirements
  2. PCI Card Production Logical Security Requirements

Together, these documents provide card vendors with a comprehensive source of information describing the security requirements to follow for card production activities, including card manufacture, chip embedding, magnetic-stripe encoding, embossing, card personalization, chip initialization and chip personalization.

Formerly managed as separate requirements by each payment card brand, the Council aligned these requirements and solicited feedback from the PCI community to produce one set of criteria recognized across the industry. The resulting standard is designed to secure the components and sensitive data involved in the production of payment cards and protect against the fraudulent use of card materials.

It’s broken down into two core areas:

  1. Physical security requirements – for all card vendors, these requirements address the presence, movement, and accountability of a card, including tangible features such as the security of the premises, personnel access to secure areas, and CCTV surveillance.
  2. Logical security requirements – for card personalization vendors, these requirements address threats to the confidentiality of personalization data during data transfer, access, storage, and destruction; and all aspects associated with cryptographic key management, including the protection of issuer keys used in the personalization process.

The security requirements are available for immediate download here. Vendors should work with the individual card brands to confirm timing for when future security reviews must be performed against the new PCI Card Production Security Requirements.

In line with other PCI Standards, the requirements will be updated on a three-year lifecycle, based on feedback from the PCI community.

“There are a lot of pieces involved in securely producing payment cards, from design all the way through delivery,” said Bob Russo, general manager, PCI Security Standards Council. “The publication of these requirements gives card vendors one set of criteria to follow, and as we’ve seen with our other standards, will help drive improved security across the payments chain.”
