Brian Pennington

A blog about Cyber Security & Compliance

July 2013

Is your data secure?  Infographic

Hostwinds have produced a great infographic on how data is secured. It focuses on Google, but the processes could apply to any organisation, anywhere.

Who breached the Data Protection Act in the first half of 2013?

As we have passed the first half of 2013, I thought it would be a good time to publish the entire list of who fell foul of the UK Data Protection Act and were punished by the Information Commissioner (ICO).

There are three types of punishment administered by the ICO:

  1. Monetary penalty. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practice and needs the guidance of the ICO.
  3. Prosecution. Normally reserved for individuals who have blatantly breached the Act.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors such as the size, financial and other resources of the organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury and not to the ICO. Many argue that the ICO would be a stronger body if it had more money, and penalties are a good way to generate more revenue – a self-funding government department.

  • 12 July 2013 NHS Surrey. A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved, outstanding issues are being dealt with by the Department of Health.
  • 8 July 2013 Tameside Energy Services Ltd. A monetary penalty notice has been served to Tameside Energy Services Ltd after the Manchester based company blighted the public with unwanted marketing calls.
  • 18 June 2013 Nationwide Energy Services and We Claim You Gain. Monetary penalty notices have been served to Nationwide Energy Services and We Claim You Gain – both companies are part of Save Britain Money Ltd based in Swansea. The penalties were issued after the companies were found to be responsible for over 2,700 complaints to the Telephone Preference Service or reports to the ICO using its online survey, between 26 May 2011 and end of December 2012.
  • 13 June 2013 North Staffordshire Combined Healthcare NHS Trust. A monetary penalty notice has been served to North Staffordshire Combined Healthcare NHS Trust, after several faxes containing sensitive personal data were sent to a member of the public in error.
  • 7 June 2013 Glasgow City Council. A monetary penalty notice has been served to Glasgow City Council, following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
  • 5 June 2013 Halton Borough Council. A monetary penalty notice has been served to Halton Borough Council, in respect of an incident in which the home address of adoptive parents was wrongly disclosed to the birth family.
  • 3 June 2013 Stockport Primary Care Trust. A monetary penalty has been served to Stockport Primary Care Trust following the discovery of a large number of patient records at a site formerly owned by the Trust.
  • 20 March 2013 DM Design Bedroom Ltd. A monetary penalty has been served to DM Design Bedroom Ltd. The company has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service. The company consistently failed to check whether individuals had opted out of receiving marketing calls and responded to just a handful of the complaints received.
  • 15 February 2013 Nursing and Midwifery Council. A monetary penalty has been served to the Nursing and Midwifery Council. The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.
  • 24 January 2013 Sony Computer Entertainment Europe Limited. A monetary penalty has been served to the entertainment company Sony Computer Entertainment Europe Limited following a serious breach of the Data Protection Act. The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk. They failed in their bid to appeal.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act; typically this involves encryption, training and management procedures.

  • 16 July 2013 Janet Thomas. An undertaking to comply with the seventh data protection principle has been signed by Janet Thomas. This follows a report made by a member of the public that approximately 7,435 CV files, containing personal data, were being stored unprotected on the website.
  • 9 July 2013 Health & Care Professions Council (HCPC). An undertaking to comply with the seventh data protection principle has been signed by the Health & Care Professions Council (HCPC) after an incident in which papers containing personal data were stolen on a train in 2011.
  • 12 June 2013 (issued 10 September 2012) Bedford Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Bedford Borough Council relating to the removal of legacy data from a social care database.
  • 2 June 2013 (issued 18 September 2012) Central Bedfordshire Council. An undertaking to comply with the seventh data protection principle has been signed by Central Bedfordshire Council relating to the removal of legacy data from a social care database and in relation to the preparation of planning application documentation for publication.
  • 31 May 2013 Leeds City Council. A follow up has been completed to provide an assurance that Leeds City Council has appropriately addressed the actions agreed in its undertaking signed November 2012.
  • May Prospect. A follow up has been completed to provide an assurance that Prospect has appropriately addressed the actions agreed in its undertaking signed January 2013.
  • 21 May 2013 (issued 9 November 2011) News Group Newspapers. An undertaking to comply with the seventh data protection principle has been signed by News Group Newspapers, following an attack on the website of The Sun newspaper in 2011.
  • 26 April 2013 The Burnett Practice. An undertaking to comply with the seventh data protection principle has been signed by The Burnett Practice. This follows an investigation whereby an email account used by the practice had been subject to a third party attack. The email account subject to the attack was used to provide test results to patients and included a list of names and email addresses.
  • 4 April 2013 East Riding of Yorkshire Council. An undertaking to comply with the seventh data protection principle has been signed by the East Riding of Yorkshire Council, following incidents last year in which personal data was inappropriately disclosed.
  • 25 January 2013 Mansfield District Council. An undertaking to comply with the seventh data protection principle has been signed by the Managing Director of Mansfield District Council. This follows a number of incidents where personal data of housing benefit claimants was disclosed to the wrong landlord.
  • 16 January 2013 Prospect. An undertaking to comply with the seventh data protection principle has been signed by the union Prospect. This follows an incident in which two files containing personal details of approximately 19,000 members of the union had been sent to an unknown third party email address in error.

Prosecutions

  • 23 May 2013 A former manager of a health service based at a council-run leisure centre in Southampton has been prosecuted under section 55 of the Data Protection Act for unlawfully obtaining sensitive medical information relating to over 2,000 people.
  • 8 April 2013 A Hertfordshire estate agent has been prosecuted under section 17 of the Data Protection Act after failing to notify (register) with the ICO.
  • 12 March 2013 A former receptionist at a GP surgery in Southampton has been prosecuted under section 55 of the Data Protection Act for unlawfully obtaining sensitive medical information relating to her ex-husband’s new wife.

Also read

List of businesses targeted by global hacking ring that stole 160 million credit and debit card numbers

List of businesses targeted from 2005 to 2012 by an international hacking ring that stole more than 160 million credit and debit card numbers, according to an indictment announced Thursday in Newark, N.J. The government did not provide figures in each case of the number of card numbers stolen, or of the estimated losses. It also said not all of the breaches of corporate computer networks resulted in financial losses.

  • 7-Eleven Inc., based in Dallas. Starting in 2007, malware placed on its network, resulting in the theft of an undetermined number of credit and debit card numbers.
  • Carrefour S.A., French multinational retailer. Starting in 2007, computer networks breached, about 2 million credit card numbers were covertly removed.
  • Commidea Ltd., European provider of electronic payment processing for retailers. In 2008, malware used in other attacks found on its networks; about 30 million card numbers covertly removed.
  • Dexia Bank Belgium. In 2008 and 2009, malware placed on its network, with theft of card numbers resulting in about $1.7 million in losses.
  • Discover Financial Services Inc., issuer of Discover Card and owner of Diners Club charge card network. In 2011, malware placed on network of Diners Singapore, exposing more than 500,000 Diners credit cards and causing losses of about $312,000.
  • Dow Jones Inc., publisher of news, business and financial information. In or before 2009, malware placed on network, about 10,000 sets of log-in credentials stolen.
  • Euronet, based in Leawood, Kan., global provider of electronic payment processing. In 2010 and 2011, malware placed on its network, resulting in theft of about 2 million card numbers.
  • Global Payment Systems, based in Atlanta, one of world’s largest electronic transaction processing companies. In 2011-12, malware placed on its payment processing system; more than 950,000 card numbers stolen, losses of nearly $93 million.
  • Hannaford Brothers Co., supermarket chain operating in northeastern U.S. In 2007, malware placed on network of related company, resulting in theft of about 4.2 million card numbers.
  • Heartland Payment Systems Inc., based in Princeton, N.J., one of world’s largest credit and debit card payment processing companies. Starting in 2007, malware placed on its payment processing system, resulting in theft of more than 130 million card numbers, losses of about $200 million.
  • Ingenicard US Inc., based in Miami, provider of international electronic cash cards. In 2012, malware placed on its network resulted in theft of cards used to withdraw more than $9 million within 24 hours.
  • J.C. Penney Co., based in Plano, Texas. Starting in 2007, malware placed on its network.
  • JetBlue Airways, based in Long Island City, N.Y. Starting in 2008, malware placed on portions of computer network that stored employee data.
  • Leading Abu Dhabi bank, identified only as “Bank A.” In 2010-11, malware placed on computer networks, facilitating theft of card numbers.
  • Nasdaq, the largest U.S. electronic stock exchange, which offers its customers online access to their accounts. Starting in 2007, malicious software, or malware, was placed on its computer network, resulting in the theft of log-in credentials. Prosecutors said its trading platform was not affected.
  • Visa Inc., manager of the Visa brand, providing payment processing services through a centralized network. In 2011, malware placed on network, about 800,000 card numbers stolen.
  • Wet Seal Inc., retailer based in Foothill Ranch, Calif. In 2008, malware placed on network.

Copyright 2013 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

RSA’s July 2013 Online Fraud Report featuring the Carberp Trojan Code

RSA’s July 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre. A summary of the report is below.

Be it internal disagreements within the Carberp team, or law enforcement pressure following the arrests in 2012, the Carberp cyber gang members have disbanded, leaving their Trojan code publicly available following a failed attempt to sell it. Reminiscent of the ZeuS Trojan’s source code leak, we can expect a few things to happen following the incident. But before doing so, let’s review the events that followed the ZeuS leak in 2011.

An attempt to sell the ZeuS source code in an underground forum for, according to some estimates, as high as $100,000 started in early 2011. Following the failed sale, Slavik, the developer of ZeuS, handed over the code to a cyber rival, Gribodemon, the notorious SpyEye developer. The underground, abuzz with the news, keenly awaited the release of a merged, mighty SpyEye-ZeuS variant. Before one could be released, the ZeuS code was leaked and made publicly available.

As predicted by many, different offspring began appearing, built on top of the ZeuS v2.0.8.9 codebase, and included Ice IX and Odin (both appearing in 2011), and most considerably, Citadel making its appearance in early 2012.

As opposed to Ice IX, which mainly fixed bugs in the ZeuS code, Citadel was a major leap forward in terms of the malware’s functionality. Citadel not only repaired bugs in ZeuS, but deployed clever security measures to protect the malware and its infrastructure, and provided numerous new plug-ins to boost the Trojan’s functionality. In terms of a Fraud-as-a-Service (FaaS) business offering, Citadel became a lucrative commercial operation, offering its “customers” a CRM, paid tech support and constant version updates. In fact, Citadel was so successful that botmasters started replacing/upgrading existing bots with the malware.

Starting in mid-2012, RSA researchers began noticing the slow demise of commercial Trojan offerings. In April, the Ice IX business shut down with the disappearance of its developer; SpyEye then made its exit in May; and in a surprising turn of events, Citadel’s spokesperson – “Aquabox”, was banned from the only forum he was selling on (following a quarrel over customer support).

So, if history repeats itself, what are we to expect? With the above in mind, the following may transpire:

We’ll see a proliferation of Carberp-based attacks. While this is the less probable of the two scenarios, the leak could spawn an entire business of low-level developers recompiling Carberp and offering it for sale “as is,” with no further feature developments or bug fixes. To demonstrate, the ZeuS code that once sold for $3,000 to $5,000 is now readily available for as low as $11 in the underground. In terms of Trojan operation and feature set, Carberp is far more complex than ZeuS and less organized for the untrained cybercriminal, making it less appealing for would-be botmasters (or script kiddies). Not to mention the major weaknesses reported in the Carberp server side, which make it “easier to hack than SpyEye” according to one security researcher. With the abundance of ZeuS and ZeuS-based malware – according to RSA’s Anti-Fraud Command Center (AFCC), this malware’s share is over 83% of all Trojan attacks, at very cheap prices – it would be surprising to see Carberp make a big impact in this strong market segment.

The Carberp code spawns a commercial offspring and/or offerings. This scenario is more likely. As mentioned previously, Carberp is an extremely sophisticated piece of malware, boasting bootkit functionality. As a result, it is more likely that the code will be picked up by a cybercrime gang looking to develop the next big thing in malware. With the trend towards privatizing malware development operations, the underground is currently lacking a (true) commercial Trojan; this vacuum may provide the right time and place for such an offering. Development may continue in closed, private groups, which develop the software for their own criminal purposes.

RSA conclusion
There’s never a dull moment in cybercrime and the Carberp code leak only adds fuel to that fire. The complexity of Carberp makes it less appealing as an “as-is” offering, but organized professional cybercrime teams may see the opportunity to be the first to finally offer a new, commercial Trojan based on the Carberp code, in the now very privatized underground.

RSA FraudAction Research Labs continues to investigate and analyze the code and will publish its findings as those are made

Phishing Attacks per Month

RSA identified 35,831 phishing attacks launched worldwide in June, marking a 3% drop in attack volume from May, and a 31% decline year-over-year in comparison to June 2012.

US Bank Types Attacked

Nationwide banks remained the most targeted by phishing in June, with 76% of phishing volume directed at them. Regional banks saw a 6% decrease in volume while credit unions witnessed a 3% increase.

Top Countries by Attack Volume

The U.S. remained the country enduring the highest volume (55%) of phishing attacks in June – a 5% increase from May. The UK was the second most targeted at 10% of volume, followed by Canada, South Africa, India, and the Netherlands.

Top Countries by Attacked Brands

U.S. brands remained the most targeted by phishing at 25% of volume, followed by the UK and India. Other countries’ brands that were targeted heavily by phishing in June include Australia, Italy, China, Canada and France.

Top Hosting Countries

The U.S. remained the top hosting country in June, having hosted 45% of global phishing attacks, followed by Canada that hosted 9% of attacks. Chile and Turkey were both introduced as top hosts for phishing, each hosting 3% of phishing attacks for the month.

Previous 3 months of RSA Online Fraud Report Summaries

The RSA June 2013 Online Fraud Report Summary

The RSA April 2013 Online Fraud Report Summary

The RSA March 2013 Online Fraud Report Summary

Outside of London, Slough is the largest fraud centre but is still smaller than the Top 10 London zones

CIFAS, the UK’s Fraud Prevention Service, has revealed emerging hotspots of fraud activity in the UK during the first six months of 2013. While fraud remains at its most concentrated within the area of densest population (the boroughs of Greater London), some other, perhaps more surprising, areas have been shown to be fraud epicentres during the first half of the year.

In particular, postal districts around Slough, Luton, St Albans, Leicester and Coventry are areas where fraudulent activity has been most prevalent, as opposed to larger urban centres such as Birmingham, Manchester, and Glasgow.

London: the capital of fraud

With the highest population levels of the UK, it is unsurprising that London is the area where the highest number of confirmed frauds has been committed during the first half of 2013.

CIFAS Communications Manager, Richard Hurley, comments: “That fraud is at its most prevalent in London is not surprising. This has been the case for many years. A larger population means more individuals who may consider making fraudulent applications, but it also means that there are more potential victims for an organised identity criminal. The top ten postal areas, however, show a divergence of locations within the Greater London boroughs: from Wembley and Enfield to East Ham and Barking, and from Woolwich and Thamesmead to Croydon. This shows that any notion that fraud is concentrated solely within a specific area of London is not true and that fraud can, and will, take place anywhere.”

Greater London: breakdown of areas

Postal area   Name                                          No. of confirmed frauds
E6            East Ham District                             840
SE18          Woolwich District                             751
IG11          Barking                                       740
EN3           Enfield                                       722
CR0           Croydon                                       691
SE1           South Eastern Head District                   647
SE28          Thamesmead District                           629
E7            Forest Gate District                          575
E16           Victoria Docks & North Woolwich District      570
HA0           Wembley                                       564

Other fraud hotspots are not the most populous UK centres

Outside the postal areas that fall within the Greater London boroughs, however, there are some notable clusters of activity – and these are not to be found in other large centres of population within the UK. Instead, the SL1 and LU1 postal areas (Slough and Luton) are the areas with the highest levels of fraud, while the Coventry and Leicester postcode areas both feature more than once in the top ten areas outside London (four times and twice respectively).

Richard Hurley concludes: “What these figures prove is that fraud will take place anywhere. While Coventry and Leicester, for example, are populous cities, it is surprising to see these areas identified as having higher levels of fraud than other, much larger, cities. This demonstrates that fraud is no longer a crime that can simply be thought of as occurring in the largest cities. But it also presents a challenge to individuals and organisations based in these areas. It is vital that both work together with a view to diminishing the risks, not least to ensure that individuals understand what precisely constitutes fraud. For example, it is important that individuals and organisations share the responsibility of ensuring that personal data is protected from identity fraudsters who might be targeting these areas.”

Rest of the UK

Postal area   Name            No. of confirmed frauds
SL1           Slough          441
LU1           Luton           377
AL10          Hatfield        368
CV1           Coventry        334
LE2           Leicester       334
CV3           Coventry        314
NN1           Northampton     301
LE3           Leicester       299
CV2           Coventry        272
CV6           Coventry        242

Infographic: BYOD Security is still a problem

Insufficient BYOD security management and lax exit processes put organisations at risk.

Merchants and Acquirers to Share PCI Lessons Learned at PCI SSC Community Meetings

The PCI Security Standards Council (PCI SSC) has announced PCI in Practice sessions for the 2013 PCI Community Meetings in Las Vegas, Nevada; Nice, France; and Kuala Lumpur, Malaysia. Case studies from members of the PCI community will share best practices in implementing payment card security programs.

PCI in Practice sessions for the North American and European Community Meetings will feature Chase Paymentech, Southwest Airlines and Time Warner Cable, Reliant Security, BT PLC and the Pan-Nordic Card Association. Australia Post will discuss its PCI journey at the Asia-Pacific Community Meeting:

  • The Importance of Merchant and Acquirer Communications – Chase Paymentech, David Wallace, vice president of global merchant compliance; Southwest Airlines, Shawn Irving, senior manager of information security systems; Time Warner Cable, Erika Root, director, internal controls compliance, PCI Professional (PCIP) and Internal Security Assessor (ISA)
  • Secure Payment Systems Implementation – QIR in practice – Reliant Security, Mark Weiner, managing partner, PCI Qualified Integrator & Reseller (QIR)
  • Successful Acquirer Collaboration on PCI – A Nordic case study – Pan-Nordic Card Association, Mats Henriksson
  • QSAC Engagement – Tracing the PCI compliance journey of a multi-national corporation – BT PLC, Sarah Nicholson, security policy & compliance manager; Candice Pressinger, head of group PCI-DSS compliance
  • Achieving and Maintaining Compliance – One approach to the PCI DSS journey – Australia Post, Janelle Bull, risk manager, CardSafe program; Sharon Jokic, program director, CardSafe program

To register for the 2013 Meetings:

“The Community Meetings are about sharing experiences and best practices with a large audience of peers for improved payment security,” said Bob Russo, general manager, PCI Security Standards Council. “And learning from one another is one of the best ways we as a community can continue to work together to increase payment card data protection globally. We’re looking forward to this year’s PCI in Practice sessions to hear about how these organizations representing different industries and geographies are effectively addressing PCI security within their unique business”

Infographic: Email Security Perception v Reality

Overconfident Employees and Lack of Email Security Tools Lead to Risky Behavior

A study by SilverSky reveals that when it comes to email security in the workplace, 98% of employees believe they demonstrate either equally secure or more secure behaviours than their colleagues.

The study examines corporate email security habits and perceptions, and is based on an online, quantitative survey conducted in July 2013. Respondents included 119 business professionals at U.S. organizations across a variety of industries.

Key findings from the study include:

  • 43% of respondents indicated they were “very concerned about email security and go above and beyond the company prescribed procedures” to protect their business communications.
  • 30% of respondents claimed to be “much more security conscious” than their co-workers.
  • 56% have accidentally sent an email to the wrong person while at work.
  • 53% have received unencrypted, risky corporate data (credit card numbers, social security numbers, etc.) via emails or email attachments.
  • One in five respondents know of someone within their organization who has been caught and reprimanded for sending out sensitive information without adhering to corporate protocol.
  • 53% were quick to single out co-workers, saying they’ve received unencrypted, sensitive data – such as sensitive attachments, social security numbers, protected health information, and valuable corporate secrets – via email.
  • 17% admitted to sending out this risky data themselves.
  • 32% of organizations currently use an email data loss prevention (DLP) solution.
  • 21% use an email encryption solution.
  • 46% of respondents indicated that email security could be improved within their organizations.

This study points to a strong “superiority bias” effect, or inflated employee overconfidence, when it comes to corporate email security. However, this overconfidence could be dangerous for businesses, as it could lead to poor email security habits, which ultimately lead to real legal, regulatory and reputational risks through data loss.

“How many times have you been slapped with a speeding ticket in the past year? Now think about how many times you’ve driven over the speed limit in the same time period; my guess is for most of us, that number is significantly higher,” said Andrew Jaquith, Chief Technology Officer and SVP, Cloud Strategy at SilverSky.

The new SilverSky study draws many parallels between email security habits and driving habits. The vast majority of drivers perceive themselves to be attentive, safe operators, but in reality, most speed, eat and talk or text while behind the wheel. Likewise, many employees consider their email security behaviours to be superior to those of their colleagues. However, this hubris is likely to lead to careless behaviour that could have serious consequences for the organization.

Customers are demanding suppliers prove their security credentials

IT Governance surveyed 260 board-level individuals across a variety of industries and countries to establish perceptions and knowledge of their organisations’ IT security position.

The findings of the survey are below:

Do you believe the greatest threat to your company’s data and IT systems results from:

  • Criminals: 26.9%
  • Competitors: 7.7%
  • State-sponsored cyber-attacks: 11.9%
  • Your own employees: 53.5%

Has your business received a concerted cyber-attack in the past 12 months?

  • Yes: 25%
  • No: 54.2%
  • Do not know: 20.8%

Does your organisation have any method of detecting and reporting cyber-attacks or cyber-incidents?

  • Yes: 76.9%
  • No: 16.5%
  • Do not know: 6.5%

Do your company’s board directors receive regular reports on the status of your company’s IT security?

  • Yes: 58.1%
  • No: 29.6%
  • Do not know: 12.3%

If yes, are these reports received:

  • Daily: 4.6%
  • Weekly: 10.8%
  • Monthly: 32.7%
  • Annually: 17.3%
  • Less than annually: 34.6%

My knowledge of IT governance is adequate given today’s cyber threats.

  • Agree: 69.6%
  • Disagree: 30.4%

For our size of business, we are making the right level of investment in information security.

  • Agree: 57.3%
  • Disagree: 30.8%
  • Do not know: 11.9%

I have lost sleep in the past 12 months because of worries about my company’s IT security.

  • Agree: 25.8%
  • Disagree: 4.2%

Do your customers prefer to deal with suppliers with proven IT security credentials?

  • Yes: 74.2%
  • No: 7.3%
  • Do not know: 18.5%

Have any of your customers enquired about your company’s IT security measures in the past 12 months?

  • Yes: 50.4%
  • No: 34.6%
  • Do not know: 15%

Do you know what ISO 27001 is?

  • Yes: 87.3%
  • No: 9.2%
  • Unsure: 3.5%

Is your business compliant with ISO 27001?

  • Yes: 34.6%
  • No: 45.8%
  • Unsure: 19.6%

The survey can be found here.

IT Security Still Not Protecting the Right Assets Despite Increased Spending

Most IT security resources in today’s enterprise are allocated to protecting network assets, even though the majority of enterprises believe a database security breach would be the greatest risk to their business, according to a report issued by CSO Custom Solutions Group and sponsored by Oracle.

In the survey of 110 companies from industries including Financial Services, Government and High Tech, more than two thirds of IT security resources remain allocated to protecting the network layer, while less than one third of staff and budget resources were allocated to protecting core infrastructure such as databases and applications.

Key findings from the report

  • When comparing the potential damage caused by breaches, most enterprises believed that a database breach would be the most severe, as databases contain the most vital and valuable information: intellectual property as well as sensitive customer, employee, and corporate financial data.
  • An un-balanced and fragmented approach to security has left many organizations’ applications and data vulnerable to attacks both internally and externally.
  • Today’s findings underscore the relevance of Oracle’s “security inside-out” approach which means focusing attention on the organizations most strategic assets which include databases, applications and users.
  • Nearly 66% of respondents said they apply a security inside-out strategy, whereas 35% base their strategy on end point protection.
  • Even with this fundamental belief in strategy, spending does not truly align as more than 67% of IT security resources including budget and staff time remain allocated to protecting the network layer and less than 23% of resources were allocated to protecting core systems like servers, applications and databases.
  • 44% believed that databases were safe because they were installed deep inside the perimeter.
  • 90% report the same or a higher level of spend compared to 12 months prior. The survey shows that 59% of participants plan to increase security spending in the next year.
  • In 35% of organizations, security spend was influenced by sensational informational sources rather than real organizational risks.
  • 40% of respondents believed that implementing fragmented point solutions created gaps in their security and 42% believe that they have more difficulty preventing new attacks than in the past.

“IT Security has to focus attention on the most strategic assets. Organizations cannot continue to spend on the wrong risks and secure themselves out of business. When attackers do break through the perimeter, they can take advantage of weak security controls against the core systems by exploiting privileged user access, vulnerable applications, and accounts with excessive access,” said Mary Ann Davidson, Chief Security Officer at Oracle. “Organizations have to get the fundamentals right which are database security, application security and identity management.”

“The results of the survey show that the gap between the threat of severe damage to a database attack versus the resources allocated to protecting the database layer is significant, highlighting the disconnect in how organizations are securing their IT infrastructures,” said Tom Schmidt, Managing Editor, CSO Custom Solutions Group.

The full report can be found here.

Most companies are vulnerable to BYOD risks

A UK survey from Acronis® and the Ponemon Institute reveals that the majority of companies are putting critical data at risk by not having policies in place to protect it once it leaves the company, whether through BYOD or public cloud-based file sharing. By ignoring simple security steps and employee BYOD education, companies are jeopardising their confidential data, exposing it to theft, corruption, hackers, malware and more.

Acronis’ 2013 Data Protection Trends Research, which evaluated responses from more than 570 UK IT professionals, discovered that:

  • Almost 60% have no personal device policy in place
  • 23% with policies make exceptions for executives, who may handle even more sensitive data
  • 23% actually forbid personal devices from accessing the network
  • 79% of organisations have not educated employees on BYOD privacy risks
  • 21% of companies mandate a device password or key lock on personal devices
  • 18% perform remote device wipes when employees leave the company, drastically increasing the risk for data leakage.
  • 69% of organisations do not have a policy in place around public clouds
  • 80% have not trained employees in the proper use of these platforms
  • 59% of organisations will support Macs® in the next year
  • 61% say compatibility and interoperability are still big obstacles to getting Macs compliant with IT, which puts data stored and shared across the corporate network and on Apple devices at risk.

“Personal devices have permanently and positively changed the workplace, particularly in the way employees collaborate, work remotely and interact with company data,” said Rick Powles, managing director UK & Ireland, Acronis. “BYOD is a huge opportunity for companies, but our research shows troubling signs of negligence in the face of these dangers. However, with policies and solutions that manage the flow of data between multiple devices and environments, companies can practice safe BYOD with confidence.”

Acronis suggests matching BYOD productivity with policy

To optimise BYOD, protect the bottom line, and avoid data loss and serious compliance issues, organisations should take immediate steps to ensure employees are trained in safe BYOD practices, that personal device and public cloud use are monitored and managed, and that effective data protection solutions are in place to prevent data loss. These are the critical steps to achieving safe BYOD.

Tripwire’s second installment of research on the state of risk-based security management with the Ponemon Institute has once again revealed some interesting insights into the workings of the IT Department. 

The survey covers risk-based security metrics and evaluates the attitudes of 1,321 respondents (749 U.S. and 571 U.K.) from IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.

The key findings from the survey are:

  • 75% of respondents say metrics are ‘important’ or ‘very important’ to a risk-based security program
  • 53% don’t believe or are unsure that the security metrics used in their organizations are properly aligned with business objectives
  • 51% didn’t believe or are unsure that their organization’s metrics adequately convey the effectiveness of security risk management efforts to senior executives

When asked, “Why don’t you create metrics that are well understood by senior executives?”:

  • 59% said the information is too technical to be understood by non-technical management
  • 48% said pressing issues take precedence
  • 40% said they only communicate with executives when there is an actual security incident
  • 35% said it takes too much time and resources to prepare and report metrics to senior executives
  • 23% of U.S. respondents and 20% of those in the U.K. think security metrics can be ambiguous, which may lead to poor decisions
  • 18% said senior executives are not interested in the information

 So, why isn’t communication between security professionals and executives more effective? Respondents were asked to select all the factors that apply from a list of nine possible reasons, and their answers present a wide range of serious challenges. The top three responses include organizations hampered by siloed information, presenting information not easily understood by non-technical managers, and the practice of filtering “bad news” from the C-suite.

  • 68% of U.S. and 57% of U.K. respondents say communications are confined to one department or line of business
  • 61% say the information is too technical and occurs at too low a level
  • 59% state that negative facts are filtered before getting to executives

Commenting on these results, Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said,

“Even though most organizations rely on metrics for operational improvement in IT, more than half of IT professionals appear to be concerned about their ability to use metrics to communicate effectively with senior executives about security.”

“These results correlate with the dozens of conversations we have been having with CISOs across the globe,” said Rekha Shenoy, vice president of marketing and corporate development at Tripwire.

“CISOs talk about the importance of leveraging metrics as a way to influence business leadership and build a risk management practice within their companies. Unfortunately, they struggle with the bigger challenge of producing meaningful metrics while those they use are rarely aligned with business goals.”

Tripwire summary

While the majority of security professionals agree they need significant amounts of data in order to build a culture of accountability, they aren’t sure how to distill this information into metrics that are understandable, relevant and actionable to senior business leadership. Business metrics tend to reflect the value of strategic goals rather than technical goals, and may prioritize cost over less tangible security benefits. Security metrics tend to reflect operational goals and may prioritize technical improvement over business context.

RSA’s June 2013 Online Fraud Report featuring the Bugat Trojan

RSA’s June 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre; a summary of the report is below.

RSA researchers analyzing Bugat Trojan attacks have recently learned that Bugat’s developers managed to develop and deploy mobile malware designed to hijack out-of-band authentication codes sent to bank customers via text messages.

Bugat (aka: Cridex) was discovered and sampled in the wild as early as August 2010. This privately owned crimeware’s earlier targets were business and corporate accounts, its operators attempting high-value transactions ($100K-$200K USD per day) in both automated and manual fraud schemes. It is very likely that Bugat’s operators started seeing a diminished ability to target high-value accounts due to added authentication challenges, forcing them to resort to developing a malware component that is already used by many mainstream banking Trojans in the wild.

Bugat joins the lineup of banking malware that makes use of SMS-capturing mobile apps. The first occurrences of such malware were observed in use by Zeus and SpyEye Trojan variants, which were respectively dubbed ZitMo and SPitMo (Zeus-in-the-Mobile, SpyEye-in-the-Mobile). In mid-2012, RSA coined the name CitMo to denote the Citadel breed of in-the-Mobile activity. The fourth Trojan for which malicious apps were discovered was Carberp in early 2013, and with this case, Bugat is the most recent banking Trojan to have its own SMS-forwarding app, now coined BitMo.

Among other banking Trojan features, Bugat comes with a set of HTML injections for online banking fraud and possesses Man-in-the-Browser script functionality. This very feature is what allows it to interact with victims in real time and lead them to download the BitMo mobile malware to their Android/BlackBerry/Symbian devices. iOS remains almost entirely exempt from this type of malware since Apple’s policy limits app downloads from third-party sites.

When Bugat-infected online banking customers access their financial provider’s login page, the Trojan is triggered to dynamically pull a relevant set of injections from the remote server, display them to the victim and lead them to the BitMo download under the guise of AES encryption being adopted by the bank.

The malware requests application permissions linked with the SMS relay, while the next injection on the PC side requests that the victim enter a code appearing on the mobile device, connecting the infected PC and the mobile handset. Once installed and deployed, BitMo begins hijacking and concealing incoming text messages from the bank, disabling the phone’s audio alerts, and forwarding the relevant messages to its operators’ drop zones. Bugat’s entrance to the mobile space only demonstrates the increasing use of SMS forwarders as part of Trojan-facilitated fraud.
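The permission request and SMS hijacking described above leave a recognisable footprint in an app’s manifest, which is where a defender or app-store reviewer can catch this class of app before it reaches a handset. The following Python script is an added example, not code from RSA or from this blog: it triages an AndroidManifest.xml for the generic indicators of an SMS forwarder (SMS permissions paired with network access, a high-priority receiver for the SMS_RECEIVED broadcast, boot persistence, and no launcher activity). Both manifests embedded in it are constructed for the demonstration, the indicator wording and the three-finding threshold are my own assumptions, and nothing in it is a signature of BitMo itself.

```python
"""Static triage of an Android manifest for SMS-interception indicators.

Added example for the Bugat/BitMo write-up. The heuristics are generic and
the two manifests below are constructed, not taken from any real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed manifest resembling an SMS forwarder: SMS + network permissions,
# a receiver that wants every incoming SMS first, boot persistence, no icon.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="%s"
          package="com.example.constructed.smsrelay">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Constructed Sample">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".RelayService"/>
  </application>
</manifest>""" % ANDROID_NS

# Constructed manifest of an ordinary app: network access and a launcher icon.
BENIGN_MANIFEST = """<manifest xmlns:android="%s"
          package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>""" % ANDROID_NS


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return a list of human-readable indicators found in the manifest."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    findings = []

    sms_perms = sorted(perms & SMS_PERMS)
    if sms_perms:
        findings.append("requests SMS permissions: " + ", ".join(sms_perms))
        if "android.permission.INTERNET" in perms:
            findings.append("SMS access combined with INTERNET "
                            "(messages could be relayed off-device)")
    if "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("starts at boot (persistence across reboots)")

    # Before Android 4.4 the SMS_RECEIVED broadcast was ordered: a receiver
    # with a higher android:priority than the messaging app saw each SMS
    # first and could abort the broadcast, so the user never saw the message.
    for receiver in root.iter("receiver"):
        for filt in receiver.findall("intent-filter"):
            actions = {_attr(a, "name") for a in filt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            prio = int(_attr(filt, "priority") or 0)
            name = _attr(receiver, "name")
            if prio > 0:
                findings.append("SMS_RECEIVED receiver %s with priority %d "
                                "(ordered ahead of the messaging app)" % (name, prio))
            else:
                findings.append("SMS_RECEIVED receiver %s" % name)

    has_launcher = any(
        LAUNCHER in {_attr(c, "name") for c in filt.findall("category")}
        for filt in root.iter("intent-filter")
    )
    if not has_launcher:
        findings.append("no LAUNCHER activity (no icon in the app drawer)")
    return findings


def verdict(findings):
    """Coarse triage outcome; the threshold of three is an assumed cut-off."""
    return "suspicious" if len(findings) >= 3 else "low"


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        found = triage_manifest(manifest)
        print("%s sample -> %s" % (label, verdict(found)))
        for line in found:
            print("  - " + line)
```

The point of the high-priority receiver check is the one the report hints at with “hijacking and concealing incoming text messages”: on the Android versions current in 2013, receiving the SMS broadcast ahead of the messaging app was what let a forwarder read a one-time code and suppress it in one step. Run against real APKs, the manifest would come from `apktool` or `aapt dump xmltree` rather than an inline string.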

Although the injection set created by Bugat’s developers, as well as the distribution mechanism designed for delivering APKs/BlackBerry OS BitMo apps are indeed sophisticated, the actual malware apps are rather basic and show no innovation. That being said, it is very clear that all banking Trojans, both commercial and privately operated codes, are increasingly making use of SMS forwarders in their criminal operation.

Phishing Attacks per Month

RSA identified 36,966 phishing attacks launched worldwide in May, marking a 37% increase in attack volume. Trending data shows that a rise in phishing attacks typically occurs in Q2.

Number of Brands Attacked

In May, 351 brands were targeted in phishing attacks, marking a 13% increase. Two new entities suffered their first attack in May.

US Bank Types Attacked

U.S. nationwide banks maintained the highest volume of phishing in May, while regional banks saw a 7 percentage-point increase in their share of phishing volume, from 12% to 19%. Since February, the attack volumes targeting regional banks and credit unions have fluctuated quite a bit.

Top Countries by Attack Volume

The U.S. remained the country most targeted by phishing in May, absorbing 50% of the total phishing volume. The UK held steady, once again recording 11% of attack volume. South Africa, the Netherlands, Canada, Australia, and India accounted for about one-quarter of attack volume.

Top Countries by Attacked Brands

U.S. brands remained the most targeted by phishing among worldwide brands, absorbing 30% of phishing volume in May. UK brands were targeted by one-tenth of phishing volume followed by India, China and Brazil.

Top Hosting Countries

The U.S. remained the top hosting country in May, hosting 47% of global phishing attacks. Germany was the second top hosting country with 8% of attacks hosted within the country, followed by the UK, the Netherlands, France, and Canada.

See Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA April 2013 Online Fraud Report Summary here.
  • The RSA March 2013 Online Fraud Report Summary here.
  • The RSA February 2013 Online Fraud Report Summary here.


UK Digital Economy Act 2010: Copyright Update

The Digital Economy Act 2010 received Royal Assent at the very end of the last Parliament. Sections 3 to 18 of the Act cover online infringement of copyright. Several provisions have proved controversial and have not yet been implemented.

Section 17 grants the Secretary of State a power to bring in regulations for the blocking of infringing websites. The present Government has indicated that it does not intend to use this power. Copyright owners have brought successful court actions against infringing websites under existing laws.

The Government is proceeding with implementation of an “initial obligations code” (allowed for under section 11 of the Act). Under the proposed system, an internet service provider would send a warning letter to a customer detected downloading copyright material for free from the internet. If the infringing activity continued, two follow-up letters would be sent. Once the third letter was dispatched, the customer’s download history could be released to the owners of the copyrighted material, enabling legal action to be initiated against the infringer. However, the copyright owner would first have to gain a court order to determine the identity of the filesharer, as the download history provided would be anonymised. Customers thus accused would be able to file an appeal for £20, which would be refunded if the appeal were successful.

The proposed notification system has survived the challenge of a judicial review instigated by BT and TalkTalk. Ofcom has conducted public consultations on the draft code and on the allocation of costs for administering the regime. On current plans and subject to parliamentary approval, the first customer notification letters would be sent in late 2015.

The Act also envisaged further measures which might be taken against infringers such as blocking their internet access or temporarily suspending their accounts. Such measures could only be considered after the Code has been in force for at least 12 months, and would require further legislation and approval by Parliament.

The full document can be found here.
