Brian Pennington

A blog about Cyber Security & Compliance


May 2014

The Aftermath of a Mega Data Breach

A Ponemon Study sponsored by Experian® explores consumers’ sentiments about data breaches. The goal was to learn the effect data breaches had on consumers’ privacy and data security concerns. A similar study was conducted in 2012 and reveals some interesting trends in consumers’ perceptions.

The study asked consumers who were victims of a data breach questions about their experience. It may not come as a surprise that the number of individuals who have had their personal information lost or stolen has increased 100% since the 2012 study, when only 25% of individuals surveyed were victims of a data breach.

For purposes of the research, they define a data breach as

the loss or theft of information that can be used to uniquely identify, contact or locate you. This includes, but is not limited to, such information as Social Security number, IP address, driver’s license number, credit card numbers and medical records

797 individuals were surveyed and approximately 400 of these respondents say they were the victims of a data breach. By far, the primary consequence of a data breach is suffering from stress (76% of respondents) followed by having to spend time resolving problems caused by the data breach (39% of respondents).

The most significant findings of the research:-

What companies should do following a data breach

  • 63% of consumers continue to believe that organizations should be obligated to provide identity theft protection
  • 58% believe credit monitoring services should be offered
  • 67% believe compensation such as cash, products or services should be offered

These findings are similar to the findings in the 2012 study.

Credit card companies and retail stores sent the most notifications

  • 62% of respondents say they received two data breach notifications involving separate incidents. These notifications can be in the form of a letter, telephone call, email or public notice.

Becoming a victim of a data breach increases fears about becoming an identity theft victim.

  • Prior to having their personal information lost or stolen, 24% say they were extremely or very concerned about becoming a victim of identity theft.
  • Following the data breach, this concern increased significantly to 45%.
  • 48% of respondents say their identity is at risk for years or forever.

How important is media coverage of data breaches?

  • The majority of respondents believe it is important for the media to report details about data breaches, mainly because it requires companies to be more responsive to victims, followed by the creation of greater awareness about how the data breach could affect individuals and alerting potential victims to take action to protect their personal information from identity theft.

Other findings:-

  • 25% of data breach notifications offered identity theft protection such as credit monitoring or fraud resolution services. This is a slight decrease from 2012 when 29% of respondents received such an offer
  • 67% of those receiving a notification wanted the organisation to “Explain the risks or harms that I will experience”
  • 32% said “I ignored the notification(s) and did nothing”
  • 78% were most worried about their Social Security number followed by Password/PIN at 71% and Credit card or bank payment information with 65%
  • 81% of respondents who were victims of a data breach did not have any out of pocket costs. If they did, it averaged about $38
  • 34% say they were able to resolve the consequences of the breach in one day
  • 55% say they have done nothing to protect themselves and their family from identity theft

The full report can be found here.

Perspecsys surveyed 117 attendees of InfoSec Europe Conference 2014 on their opinions about the security of their data stored in the cloud.

Key findings from the study include:-

  • 80% of InfoSec Europe attendees use some sort of cloud applications
  • 62% of organizations believe using a European based cloud is easier from a regulatory and compliance perspective
  • 51% of respondents claimed that they do not fully trust U.S. based clouds

Many IT departments do not trust U.S. based clouds:-

  • 47% believe their data is more secure contained in European based versus U.S. based clouds
  • 62% believe that negativity toward U.S. based clouds is justified, based on reports of the NSA having visibility into this data
  • 59% do not believe that European based government agencies engage in such practices to the same extent as the NSA

See the Infograph here.

Most European organizations believe using a European cloud is easier from a regulatory and compliance perspective

Perspecsys Infograph from research at InfoSec Europe Conference

Top Concerns for 2014 from Today’s CISOs

From Cisco’s 2014 Annual Security Report, “Top Concerns for 2014 from Today’s CISOs”:

As chief information security officers (CISOs) survey today’s threat landscape, they are faced with growing pressure to protect terabytes of data, meet stiff compliance regulations, and evaluate risks of working with third-party vendors and doing it all with shrinking budgets and lean IT teams. CISOs have more tasks than ever and sophisticated, complex threats to manage.

Principal security strategists for Cisco security services, who advise CISOs on security approaches for their organizations, offer this list of the most pressing concerns and challenges for 2014:-

Managing Compliance

The most pervasive concern among CISOs may be the need to protect data that resides throughout an increasingly porous network, while expending precious resources on compliance. Compliance alone is not equal to being secure; it is simply a minimum baseline focused on the needs of a specific regulated environment. Security, meanwhile, is an all-encompassing approach that covers all business activities.

Trusting the Cloud

CISOs must make decisions on how to manage information safely with the finite budgets and time they are allotted. For example, the cloud has become a cost-effective and agile way to manage ever-growing storehouses of data, but it raises more worries for CISOs. Chief executive officers and boards of directors see the cloud as a panacea for eliminating costly hardware. They want the benefits of offloading data to the cloud, and expect the CISO to make it happen securely and quickly.

Trusting Vendors

As with the cloud, organizations tap into vendors to provide specialized solutions. The cost model for going with third parties makes sense. However, these vendors are high value targets for criminals, who know that third-party defences may not be as strong.

Bouncing Back from Security Breaches

All organizations should assume they’ve been hacked, or at least agree that it’s not a question of if they will be targeted for an attack, but when. Recent hacks such as Operation Night Dragon, the RSA breach, and the Shamoon attack against a large oil and gas company in 2012 are on the minds of many CISOs.

The Story Of A Phish

Phishme Inc have produced this excellent Infograph which follows the “life” or progress of a phishing attack.

The three key findings from the Cisco 2014 Annual Security Report

1. Attacks against infrastructure are targeting significant resources across the Internet.

  • Malicious exploits are gaining access to web hosting servers, name servers, and data centers. This suggests the forming of überbots that seek high-reputation and resource-rich assets.
  • Buffer errors are a leading threat, at 21% of the Common Weakness Enumeration (CWE) threat categories.
  • Malware encounters are shifting toward electronics manufacturing and the agriculture and mining industries at about 6x the average encounter rate across industry verticals.

2. Malicious actors are using trusted applications to exploit gaps in perimeter security.

  • Spam continues its downward trend, although the proportion of maliciously intended spam remains constant.
  • Java comprises 91% of web exploits; 76% of companies using Cisco Web Security services are running Java 6, an end-of-life, unsupported version.
  • “Watering hole” attacks are targeting specific industry-related websites to deliver malware.

3. Investigations of multinational companies show evidence of internal compromise. Suspicious traffic is emanating from their networks and attempting to connect to questionable sites (100% of companies are calling malicious malware hosts).

  • Indicators of compromise suggest network penetrations may be undetected over long periods.
  • Threat alerts grew 14% year over year; new alerts (not updated alerts) are on the rise.
  • 99% of all mobile malware in 2013 targeted Android devices. Android users also have the highest encounter rate (71%) with all forms of web-delivered malware.

Cisco Security can be found here.

How retail companies describe their Cyber Liability exposures

In a recent Willis Report, “Some Fortune 1000 Retailers Remain Silent on Cyber Threats”, Willis explain how the Retail industry compares to the Fortune 1000 as a whole in its approach to Cyber Liability.

When describing the extent of cyber risk

  • 57% of retail firms disclosed their cyber exposures as significant, serious, material or critical, according to the study
  • 9% of the firms did not disclose any risks related to cyber exposures

Willis describe the results as

“surprising” given that the retail industry has been the target of many of the highest profile system breaches to date, resulting in some of the largest losses, the report said

Other key findings of the report include:-

The top three cyber risks identified by the retail sector of the Fortune 1000 include:

  1. 74% privacy/loss of confidential data
  2. 66% reputation risk
  3. 61% cyber liability

9% cited cyber risk at the hands of “outsource vendors”, which Willis described as “surprising” given the level of outsourcing across the sector and the reliance on third-party technology partners

In detailing cyber risk remedies

  • 49% of the retail companies cited the use of technical safeguards — more than the Fortune 1000 as a whole (43%)
  • 17% of retail companies reported inadequate resources to limit cyber losses, a potential “cause for concern,” as technical protections may not be sufficient to contain the effects of some cyber or technology events, Willis said.

9% of the sector indicated they purchased insurance for cyber exposures.

In Willis’s view the actual rate of cyber insurance may be substantially higher based on additional Willis data obtained in collaboration with insurance underwriters. This places them below:-

  • The funds sector (33%)
  • Utilities (15%)
  • Banking and conglomerates (tied at 14% each)
  • Tech/telco and insurance (11%)
  • The media industry (10%)

The increasing frequency of “point-of-sale” breaches and “do-not- class-action lawsuits are described as an evolving cyber exposure.

The full report can be found here.

8 areas of computer security that have arisen during Data Breach investigations

The UK Information Commissioner’s Office (ICO) has identified eight important areas of computer security that have frequently arisen during their investigations of data breaches.

The eight areas are:-

  1. Software updates
  2. SQL injection (65% of organisations have been breached by a SQL Injection attack)
  3. Unnecessary services
  4. Decommissioning of software or services
  5. Password storage
  6. Configuration of SSL and TLS
  7. Inappropriate locations for processing data
  8. Default credentials

The ICO has provided advice for all eight areas. The report can be found here.

ICO response to European Union Court of Justice ruling on online search results

The United Kingdom Information Commissioner’s Office (ICO) has issued the following statement in response to this week’s ruling by the European Union Court of Justice on the need for Google to amend its search results following a request by a member of the public.

An ICO spokesperson said:

This is an important judgement. We welcome the extent to which it upholds the data protection rights of individuals and confirms the powers of data protection authorities to enforce these. We will be studying the judgement in detail and considering its practical implications for individuals, businesses and ourselves. When we have done so we will comment further.

When the revised European Data Protection Act finally arrives, I hope they further clarify the “right” to be forgotten and how it will be enforced.
