Brian Pennington

A blog about Cyber Security & Compliance

Tag: BYOD

BYOD, Cloud and the Internet are the top areas of concern for security threats.

A Dell global security survey reveals “the majority of IT leaders say they do not view these threats as top security concerns and are not prioritizing how to find and address them across the many points of origin”.

Key findings of Dell’s research include:

  • 37% ranked unknown threats as a top security concern in the next five years
  • 64% of respondents agree that organizations will need to restructure/reorganize their IT processes, and be more collaborative with other departments to stay ahead of the next security threat. Of those surveyed in the United States, 85% said this approach is needed, contrasting with Canada at 45% followed by the U.K. at 43%
  • 78% in the United States think the federal government plays a positive role in protecting organizations against both internal and external threats, which underscores the need for strong leadership and guidance from public sector organizations in helping secure the private sector
  • 67% of survey respondents say they have increased funds spent on education and training of employees in the past 12 months
  • 50% believe security training for both new and current employees is a priority
  • 54% have increased spending in monitoring services over the past year; this number rises to 72% in the United States

Among the IT decision-makers surveyed, BYOD, cloud and the Internet were the top areas of concern for security threats.

BYOD. A sizable number of respondents highlighted mobility as the root cause of a breach, with increased mobility and user choice flooding networks with access devices that provide many paths for exposing data and applications to risk.

  • 93% of organizations surveyed allow personal devices for work. 31% of end users access the network on personal devices (37% in the United States)
  • 44% of respondents said instituting policies for BYOD security is of high importance in preventing security breaches
  • 57% ranked increased use of mobile devices as a top security concern in the next five years (71% in the U.K.)
  • 24% said misuse of mobile devices/operating system vulnerabilities is the root cause of security breaches

Cloud. Many organizations today use cloud computing, potentially introducing unknown security threats that lead to targeted attacks on organizational data and applications. Survey findings prove these stealthy threats come with high risk.

  • 73% of respondents report their organizations currently use cloud (90% in the United States)
  • 49% ranked increased use of cloud as a top security concern in the next five years, while only 22% said moving data to the cloud was a top security concern today
  • In organizations where security is a top priority for next year, 86% are using cloud
  • 21% said cloud apps or service usage are the root cause of their security breaches

Internet. The significance of the unknown threats that result from heavy use of Internet communication and distributed networks is evidenced by:

  • 63% of respondents ranked increased reliance upon internet and browser-based applications as a top concern in the next five years.
  • More than one-fifth of respondents consider infection from untrusted remote access (public Wi-Fi) among the top three security concerns for their organization
  • 47% identified malware, viruses and intrusions often available through web apps, OS patching issues, and other application-related vulnerabilities as the root causes of breaches
  • 70% are currently using email security to prevent outsider attacks from accessing the network via their email channel

76% of IT leaders surveyed (93% in the United States) agree that to combat today’s threats, an organization must protect itself both inside and outside of its perimeters.

The full Dell report can be found here.

Challenges to maintaining a strong security posture

A very interesting piece of research by the Ponemon Institute, carried out on behalf of the security vendor Sophos. A summary of the study is below.

Cyber security is often not a priority

  • 58% of respondents say that management does not see cyber-attacks as a significant risk
  • 44% say a strong security posture is not a priority.
  • Those two findings reveal the difficulty IT functions face in securing the necessary funding for skilled personnel and technologies. As evidence, 42% of respondents say their budget is not adequate for achieving an effective security posture.
  • While an organization’s IT leaders often depend upon the need to comply with regulations and compliance to make their case for IT security funding, 51% of respondents say it does not lead to a stronger security posture. More important is obtaining management’s support for making security a priority.

Senior management rarely makes decisions about IT security

Who is responsible for determining IT security priorities?

  • 32% CIO
  • 31% no one

Lack of in-house expertise hinders the achievement of a strong security posture

  • Organizations represented in this research face a lack of skilled and expert security professionals to manage risks and vulnerabilities. Only 26% of respondents say they have sufficient expertise, with 15% not sure. On average, three employees are fully dedicated to IT security.

Security threats and attacks experienced

“Did our organization have a cyber-attack? I don’t really know.” When asked if they were attacked in the past 12 months:

  • 42% of respondents say they were
  • 33% are unsure
  • 1/3 of respondents say they are unsure if an attack has occurred in the past 12 months
  • Of the 42% who say an attack occurred, it was most likely the result of phishing and social engineering, denial of service and botnets, and advanced malware/zero-day attacks.

Data breach incidents are known with greater certainty

More respondents can say with certainty that a data breach occurred in their organization. For purposes of the research, a data breach is the loss or theft of sensitive information about customers, employees, business partners and other third parties. 51% say their organization experienced an incident involving the loss or exposure of sensitive information in the past 12 months, although 16% say they are unsure.

More than half of respondents say their organization has had a data breach

  • 51% cite a third-party mistake or a negligent employee or contractor as the cause
  • 44% cannot identify the root cause.

Most organizations say cyber-attacks are increasing or there is no change

  • 76% of respondents say their organizations face more cyber-attacks or at least the same
  • 18% are unable to determine

Most organizations see cyber-attacks as becoming more sophisticated

  • 56% say cyber-attacks are more sophisticated
  • 45% say they are becoming more severe
  • 28% of respondents are uncertain if their organizations are being targeted
  • 25% are unsure if the attacks are more sophisticated
  • 23% do not know if these attacks are becoming more severe.

The research reveals there is often confusion as to what best describes advanced persistent threats (APT). When asked to select the one term that best fits their understanding, only one-third of respondents say they are recurrent, low-profile targeted attacks, and the same percentage of respondents are not sure how to describe them. As a result, there may be uncertainty as to what dedicated technologies are necessary for preventing them.

Disruptive technology trends

The cloud is important to business operations

  • 72% of respondents do not view security concerns as a significant impediment to cloud adoption within their organizations
  • 77% say the use of cloud applications and IT infrastructure services will increase or stay the same
  • 39% of their organization’s total IT needs are now fulfilled by cloud applications and/or infrastructure services

The use of cloud applications and IT infrastructure is not believed to reduce security effectiveness

  • 45% of respondents say the cloud is not considered to have an effect on security posture
  • 12% say it would actually diminish security posture
  • 25% of respondents say they cannot determine if the organization’s security effectiveness would be affected

The use of mobile devices to access business-critical applications will increase

  • 46% of an organization’s business-critical applications are accessed from mobile devices such as smart phones, tablets and others.
  • 69% of respondents expect this usage to increase over the next 12 months.

While respondents do not seem to be worried about cloud security, mobile device security is a concern.

  • 50% of respondents say such use diminishes an organization’s security posture
  • 58% say security concerns are not stopping the adoption of tablets and smart phones within their organization.

BYOD also affects the security posture

  • 26% of mobile devices owned by employees are used to access business-critical applications.
  • 70% of respondents either expect their use to increase or stay the same
  • 71% say security concerns do not seem to be a significant impediment to the adoption of BYOD

BYOD is a concern for respondents

  • 32% say there is no effect on security posture
  • 45% of respondents believe BYOD diminishes an organization’s security effectiveness.

Effectiveness of security technologies

The majority of respondents have faith in their security technologies

  • 54% of respondents say the security technologies currently used by their organization are effective in detecting and blocking most cyber-attacks
  • 23% are unsure

Big data analytics and web application firewalls are technologies growing in demand

Today, the top three technologies in use are:

  1. Anti-virus
  2. Client firewalls
  3. Endpoint management

They are likely to remain the top choice over the next three years. The deployment of certain technologies is expected to grow significantly. Investment in big data analytics and web application firewalls will see the greatest increases (28% and 21%, respectively). These technologies are followed by: endpoint management (19% increase), anti-virus and next generation firewalls (both 15% increase) and network traffic intelligence and unified threat management (both 14% increase). The percentage of respondents who say they use IDS and SIEM technologies decreases slightly (6%) over the next three years.

The cost impact of disruptions and damages to IT assets and infrastructure

Damage or theft of IT assets and infrastructure is costly

  1. The cost of damage or theft to IT assets and infrastructure
  2. The cost of disruption to normal operations

The estimated cost of disruption exceeds the cost of damages or theft of IT assets and infrastructure.

Using an extrapolation, we compute an average cost of $670,914 relating to incidents involving their IT assets and infrastructure over the past 12 months. Disruption costs are much higher, with an extrapolated average of $937,197.

The uncertainty security index

The study reveals that in many instances IT and IT security practitioners participating in this research are uncertain about their organization’s security strategy and the threats they face. Specifically, among participants there is a high degree of uncertainty about the following issues:

  • Did their organization have a cyber-attack during the past year?
  • Did their organization have a data breach? If so, did it involve the loss or exposure of sensitive information?
  • Are the root causes of these data breaches known?
  • Are the cyber-attacks against their organization increasing or decreasing?
  • Have exploits and malware evaded their intrusion detection systems and anti-virus solutions?
  • Do they understand the nature of advanced persistent threats (APTs)?
  • Is the use of BYOD to access business critical applications increasing and does it affect their organization’s security posture?
  • Is the use of cloud applications and/or IT infrastructure services increasing and does it affect the security posture?

Uncertainty about how these issues affect an organization’s security posture could lead to making sub-optimal decisions about a security strategy. It also makes it difficult to communicate the business case for investing in the necessary expertise and technologies. Based on the responses to 12 survey questions, we were able to create an “uncertainty index” or score that measures where the highest uncertainty exists. The index ranges from 10 (greatest uncertainty) to 1 (no uncertainty).

U.S. organizations have the highest uncertainty index. This is based on the aggregated results of respondents in the following countries and regions: US, UK, Germany and Asia-Pacific. With an uncertainty score of 3.8, organizations in Germany seem to have the best understanding of their security risks.

Smaller organizations have the most uncertainty. Those organizations with a headcount of less than 100 have the most uncertainty. This is probably due to the lack of in-house expertise. As organizational size increases, the uncertainty index becomes more favourable.

An organization’s leadership team has the most uncertainty. This finding indicates why IT and IT security practitioners say their management is not making cyber security a priority. Based on this finding, the higher the position, the more removed the individual may be from understanding the organization’s risk and strategy.

Retailing, education & research and entertainment have the highest uncertainty. The level of uncertainty drops significantly for organizations in the financial services and technology sectors. The high degree of certainty in the financial sector can be attributed to the need to comply with data security regulations.

Employees and Companies Not Taking BYOD Security Seriously

For the second year in a row, Coalfire examined the BYOD trend for interconnected employees and what it means for companies and the protection of their corporate data. Most organizations want the increase in productivity that mobile devices offer, but the majority do not provide company-owned tablets or mobile phones as a cost-saving measure. Employees who want to use these devices must buy their own and are all too often left to secure potentially private information themselves.

The nightmare of securing your unstructured data in the era of the borderless enterprise

As Big Data and BYOD become the accepted norm, this Infographic demonstrates some of the facts about potential data breaches.

Based on an ISC2 survey, PraetorianGuard have produced an excellent Infographic on Information Security in the workforce.

Q&A on Information Security Workforce

Cisco’s Infographic is an interesting turn on the ROI message as it looks at security from the loss prevention angle rather than earnings.

Especially with Data Centre downtime costing on average $336,000 per hour.

100,000 new security threats are identified each day

The state of corporate mobile data

The state of corporate data is an interesting Infographic showing the extent to which data could leak from a corporate network.


Infographic: BYOD Security is still a problem

Insufficient BYOD security management and lax exit processes put organisations at risk.

Most companies are vulnerable to BYOD risks

A UK survey from Acronis® and the Ponemon Institute reveals that the majority of companies are putting critical data at risk by not having policies in place to protect it once it leaves the company, whether that be through BYOD or public cloud-based file sharing. By ignoring simple security steps and employee BYOD education, companies are jeopardising their confidential data, exposing it to theft, corruption, hackers, malware and more.

Acronis’ 2013 Data Protection Trends Research, which evaluated responses from more than 570 UK IT professionals, discovered that:

  • Almost 60% have no personal device policy in place
  • 23% with policies make exceptions for executives, who may handle even more sensitive data
  • 23% actually forbid personal devices from accessing the network
  • 79% of organisations have not educated employees on BYOD privacy risks
  • 21% of companies mandate a device password or key lock on personal devices
  • 18% perform remote device wipes when employees leave the company, drastically increasing the risk for data leakage.
  • 69% of organisations do not have a policy in place around public clouds
  • 80% have not trained employees in the proper use of these platforms
  • 59% of organisations will support Macs® in the next year
  • 61% say compatibility and interoperability are still big obstacles to getting Macs compliant with IT, which puts data stored and shared across the corporate network and on Apple devices at risk.

“Personal devices have permanently and positively changed the workplace, particularly in the way employees collaborate, work remotely and interact with company data,” said Rick Powles, managing director UK & Ireland, Acronis. “BYOD is a huge opportunity for companies, but our research shows troubling signs of negligence in the face of these dangers. However, with policies and solutions that manage the flow of data between multiple devices and environments, companies can practice safe BYOD with confidence.”

Acronis suggests matching BYOD productivity with policy

To optimise BYOD, protect the bottom line, and avoid data loss and serious compliance issues, organisations should take immediate steps to ensure employees are trained in safe BYOD practices, that personal device and public cloud use are monitored and managed, and that effective data protection solutions are in place to prevent data loss. These are the critical steps to achieving safe BYOD.

The drivers for BYOD

In a recent F5 document promoting its BYOD solutions, F5 had an interesting section on the drivers for BYOD.

The F5 “BYOD Drivers” section is below.

In 2013, the mobile workforce is expected to increase to 1.2 billion, a figure that will represent about 35% of the worldwide workforce and many of those workers will be using their own devices.

People have become very attached to their mobile devices. They customize them, surf the web, play games, watch movies, shop, and often simply manage life with these always-connected devices. Those organizations that have implemented BYOD programs are reporting increased productivity and employee satisfaction at work.

The 2012 Mobile Workforce Report from enterprise Wi-Fi access firm iPass found that many employees are working up to 20 additional hours per week, unpaid, as a result of their company’s BYOD policies. Nonetheless, 92% of mobile workers said they “enjoy their job flexibility” and are “content” with working longer hours.

In addition, 42% would like “even greater flexibility for their working practices.”

Organizations have been able to reduce some of their overall mobile expenses simply by not having a capital expenditure for mobile devices and avoiding the monthly service charges that come with each device. In addition, in some cases, BYOD implementations can brand the IT organization as innovators.

The flipside of the convenience and flexibility of BYOD is the many concerns about the risks introduced to the corporate infrastructure when allowing unmanaged and potentially unsecured personal devices access to sensitive, proprietary information. Applying security across different devices from multiple vendors and running different platforms is becoming increasingly difficult. Organizations need dynamic policy enforcement to govern the way they now lock down data and applications. As with laptops, if an employee logs in to the corporate data centre from a compromised mobile device harbouring rootkits, keyloggers, or other forms of malware, then that employee becomes as much of a risk as a hacker with direct access to the corporate data centre.

Mobile IT is a major transformation for IT departments that is deeply affecting every major industry vertical, and the effects will continue for years to come.

F5 data sources:

  • International Data Corporation (IDC), Worldwide Mobile Enterprise Management Software 2012-2016 Forecast and Analysis and 2011 Vendor Shares, Sept. 2012
  • Computerworld UK, “BYOD Makes Employees Work Extra 20 Hours Unpaid,” August 22, 2012

Lack of guidance on BYOD raises data protection concerns

The UK Information Commissioner’s Office (ICO) has commissioned a survey into business attitudes towards Bring Your Own Device (BYOD).

The survey results show that many employers appear to have a ‘laissez-faire’ attitude to allowing staff to use their personal laptops, tablets or smartphones at work and for work business, which may be placing people’s personal information at risk.

The survey, carried out by YouGov, reveals that 47% of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes. But fewer than 3 in 10 who do so are provided with guidance on how their devices should be used in this capacity, raising worrying concerns that people may not understand how to look after the personal information accessed and stored on these devices.

Simon Rice, Group Manager (Technology), said:

“The rise of smartphones and tablet devices means that many of the common daily tasks we would have previously carried out on the office computer can now be worked on remotely. While these changes offer significant benefits to organisations, employers must have adequate controls in place to make sure this information is kept secure.

“The cost of introducing these controls can range from being relatively modest to quite significant, depending on the type of processing being considered, and might even be greater than the initial savings expected. Certainly the sum will pale into insignificance when you consider the reputational damage caused by a serious data breach. This is why organisations must act now.

“Our guidance aims to help organisations develop their own policies by highlighting the issues they must consider. For example, does the organisation know where personal data is being stored at any one time? Do they have measures in place to keep the information accurate and up-to-date? Is there a failsafe system so that the device can be wiped remotely if lost or stolen?”

Today’s guidance from the ICO explains how organisations need to be clear on the types of personal data that can be processed on personal devices and have remote locate and wipe facilities in place so the confidentiality of the data can be maintained in the event of a loss or theft.

Key recommendations from the ICO’s guidance:

  • Be clear with staff about which types of personal data may be processed on personal devices and which may not
  • Use a strong password to secure your devices
  • Enable encryption to store data on the device securely
  • Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times
  • Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all
  • Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft

The survey results below show that email is the most common work activity carried out on a personal device (55%). Considering what information can be in the body of an email or in an attachment, this leaves organisations open to many commercial, legislative and regulatory risks, for example PCI DSS compliance.

All UK adults online who use a smartphone, laptop or tablet PC for work purposes, by activity:

  • Work email: 55%
  • Accessing work files: 35%
  • Storage of work documents and work files: 36%
  • Social networking (e.g. LinkedIn, Twitter, Facebook) for work: 26%
  • Editing work documents: 37%
  • Uploading work information to a website: 19%
  • Work video chat (e.g. Skype): 7%
  • Work-related applications (apps): 16%
  • Work-related online banking: 14%
  • Work-related shopping: 12%
  • Work-related web browsing: 35%
  • Other: 22%
  • None of these

The growing threat of insider fraud not a top security priority for organizations

An Attachmate-sponsored Ponemon survey indicates that the growing threat of insider fraud is not a top security priority for organizations, which is proving to be a costly mistake.

On average, organisations experience approximately one fraud event per week, according to information from the second annual Attachmate and Ponemon Institute survey, “The Risk of Insider Fraud”.

However, only 44% of respondents say their organisation views insider fraud prevention as a top security priority, a perception which has declined since 2011.

The average cost of a data breach in a 2011 study was $194 per lost or stolen record.

The survey reveals some alarming data security trends:

  • On average, it takes 87 days to first recognize that insider fraud has occurred and more than three months (105 days) to get at the root cause of the fraud.
  • 79% of respondents say that in their organization a privileged user has or is very likely to alter application controls to access or change sensitive information and then reset the controls.
  • For 73% of respondents, an employee’s malfeasance has caused financial loss and possibly brand damage.
  • 81% say they have already had an employee use someone else’s credentials to gain elevated rights or to bypass separation-of-duty controls
  • 48% of respondents say that BYOD has resulted in a significant increase in fraud risk
  • 77% of respondents say the lack of security protocols over edge devices presents a significant security challenge and risk

“This data demonstrates the invisibility of employee actions across an enterprise,” said Larry Ponemon, chairman and founder of Ponemon Institute. “While organizations may have policies and procedures to thwart insider fraud, it doesn’t mean employees will remain compliant, particularly with the rise of Bring Your Own Device (BYOD) practices.”

“Data security and insider threats continue to be a challenge for organizations, particularly as BYOD brings complexity to enterprise risk management,” said Christine Meyers, director of Attachmate’s enterprise fraud management solutions. “Next-generation enterprise fraud management solutions, such as Attachmate Luminet, are able to correlate cross-channel activity, score risk and provide a screen-by-screen replay of what actually occurred. Add to that the proven deterrence factor that arises from being able to see and monitor use and abuse, and you can see why customers choose to deploy this technology for fraud detection.”

Fraud statistics

  • On average, organizations have had approximately 55 employee-related incidents of fraud in the past 12 months
  • More than one-third say that employees’ use of personally owned mobile devices has resulted in malware and virus infections that infiltrated their corporate networks and enterprise systems, and another 26% say it is very likely to occur
  • 61% rate the threat of insider risk within their organization as very high or high
  • 23% say insider fraud incidents existed six months or longer before being discovered and 9% could not determine when they occurred.
  • 55% of organizations say their organization does not have the ability/intelligence to determine if an off-site employee’s non-compliance is due to negligence or fraud

Threats from BYOD, Mobility & Edge Devices

For the first time the study asks questions about the effect Bring Your Own Device (BYOD), mobility and edge devices have on the risk of insider fraud. We define BYOD as the employees’ use of their personally owned mobile devices (typically smart phones, tablets and laptops) for both work and non-work activities.

An edge device is a physical device that can pass packets between a legacy network (like an Ethernet network) and an ATM network, using data link layer and network layer information. An edge device does not have responsibility for gathering network routing information. It simply uses the routing information it finds in the network layer using the route distribution protocol. An edge router is an example of an edge device.

Edge devices and BYOD make it difficult to identify insider fraud

58% agree that BYOD makes it more difficult for the security or compliance department to have complete visibility of employees’ access and computing activities. The majority of respondents (78%) do not agree that employees’ access and possible misuse of edge devices is completely visible to the security or compliance department (100% – 32% of strongly agree/agree responses).

The study defined insider fraud as the malicious or criminal attacks perpetrated upon business or governmental organizations by employees, temporary employees and contractors. Typically, the objective of such attacks is the theft of financial or information assets, which include customer data, trade secrets and intellectual properties. Sometimes, the most dangerous insiders are those who possess strong IT skills or have access to an organization’s critical applications and data.

“With this research, we want to reiterate that organizations are not immune,” said Meyers. “The threat of insider fraud is a growing risk that can result in tangible financial loss to businesses. And the longer an organization takes to address it, the more costly it can become.”

The insider fraud survey includes results from more than 700 individuals at leading global organisations.


6 Experts predict the IT security and compliance issues and trends for 2013

Everyone has an opinion on what could be around the corner; some are based on extensive research and market trends, and some are based on customer expectations and experience.

Rather than bore you with my predictions, I thought I would extract the predictions of several vendors and a distributor and put them into one single post, so it is easier to see trends and, when we get to the end of the year, we can see if they were right.

The 6 specialist predictors this year are from the following organisations:

  1. Wick Hill
  2. Websense
  3. WatchGuard
  4. Kaspersky
  5. Fortinet
  6. Sophos

Wick Hill Group’s Ian Kilpatrick delivers his top five trends for 2013

  1. BYOD. “BYOD was arguably the biggest buzz word of 2012 and is now an unstoppable, user-driven wave which will continue to make a major impact on the IT world in 2013 and beyond. Smartphones, tablets and laptops all come under this category, as well as desktop PCs used remotely from home. BYOD is a transformative technology and 2013 will see companies trying to integrate it into their networks. While tactical needs will drive integration, strategic requirements will become increasingly important.
  2. Mobile Device Management. The very rapid growth of mobile devices such as smartphones, tablets and laptops, but particularly smartphones, led to concerns about their management and security in 2012. With employees using their smartphones for both business and personal use, the security and management issues became blurred. Mobile Device Management solutions were a strong growth area in 2012, which will accelerate in 2013.
  3. High density wireless. Wireless requirements have been significantly incrementing over the last year and this trend will continue in 2013. BYOD has changed both the data transfer and performance expectations of users.
  4. Data back-up and recovery. While large organisations have always been at the forefront of back-up and recovery, data centres and big data have put significant demands on them during 2012. Alongside that, smaller organisations have been under immense pressures from ever increasing data volumes, archiving and compliance requirements.
  5. Data leakage protection. With growing volumes of data and with regulatory bodies increasingly prepared to levy fines for various non-compliance issues, data leakage protection will continue to be a major cause for concern during 2013. Companies will be looking closely at how to secure and manage their data as their network boundaries spread even wider, with increased use of social networking and BYOD, increased remote access, the rapid growth of wireless, increased virtualisation and the move towards convergence.”

Websense’s 2013 Security Predictions (the link also contains a video clip explaining the predictions).

  1. Cross-Platform Threats. Mobile devices will be the new target for cross-platform threats.
  2. Malware in App Stores. Legitimate mobile app stores will host more malware in 2013.
  3. Government-sponsored attacks. Government-sponsored attacks will increase as new players enter.
  4. Bypass of Sandbox Detection. Cybercriminals will use bypass methods to avoid traditional sandbox detection.
  5. Next Level Hacktivists. Expect Hacktivists to move to the next level as simplistic opportunities dwindle.
  6. Malicious Emails. Malicious emails are making a comeback.
  7. CMS Attacks. Cybercriminals will follow the crowds to legitimate content management systems and web platforms.

WatchGuard Technologies reveals its annual security predictions for 2013

  1. A Cyber Attack Results in a Human Death
  2. Malware Enters the Matrix through a Virtual Door
  3. It’s Your Browser – Not Your System – that Malware Is After
  4. Strike Back Gets a Lot of Lip Service, but Does Little Good
  5. We’ll pay for Our Lack of IPv6 Expertise
  6. Android Pick Pockets Try to Empty Mobile Wallets

Additionally WatchGuard believes:

  1. An Exploit Sold on the “Vulnerability Market” Becomes the Next APT
  2. Important Cyber Security-Related Legislation Finally Becomes Law

“2012 was an eye-opening year in cyber security as we saw the number of new and more sophisticated vulnerabilities rise, impacting individuals, businesses and governments,” said WatchGuard Director of Security Strategy Corey Nachreiner, a Certified Information Systems Security Professional (CISSP). “This is a year where the security stakes reach new heights, attacks become more frequent and unfortunately more damaging as many organizations suffer attacks before taking measures to protect themselves from the bad guys.”

Kaspersky Lab’s Key Security Predictions for 2013

The most notable predictions for the next year include the continued rise of targeted attacks, cyber-espionage and nation-state cyber-attacks, the evolving role of hacktivism, the development of controversial “legal” surveillance tools and the increase in cybercriminal attacks targeting cloud-based services.

  1. Targeted attacks on businesses have only become a prevalent threat within the last two years. Kaspersky Lab expects the amount of targeted attacks, with the purpose of cyber-espionage, to continue in 2013 and beyond, becoming the most significant threat for businesses. Another trend that will likely impact companies and governments is the continued rise of “hacktivism” and its concomitant politically-motivated cyber-attacks.
  2. State-sponsored cyber warfare will undoubtedly continue in 2013. These attacks will affect not only government institutions, but also businesses and critical infrastructure facilities.
  3. In 2012 an on-going debate took place on whether or not governments should develop and use specific surveillance software to monitor suspects in criminal investigations. Kaspersky Lab predicts that 2013 will build on this issue as governments create or purchase additional monitoring tools to enhance the surveillance of individuals, which will extend beyond wiretapping phones to enabling secret access to targeted mobile devices. Government-backed surveillance tools in the cyber environment will most likely continue to evolve, as law-enforcement agencies try to stay one step ahead of cybercriminals. At the same time, controversial issues about civil liberties and consumer privacy associated with the tools will also continue to be raised.
  4. Development of social networks, and, unfortunately, new threats that affect both consumers and businesses have drastically changed the perception of online privacy and trust. As consumers understand that a significant portion of their personal data is handed over to online services, the question is whether or not they trust them. Such confidence has already been shaken following the wake of major password leaks from some of the most popular web services such as Dropbox and LinkedIn. The value of personal data – for both cybercriminals and legitimate businesses – is destined to grow significantly in the near future.
  5. 2012 has been the year of the explosive growth of mobile malware, with cybercriminals’ primary focus being the Android platform, as it was the most popular and widely used. In 2013 we are likely to see a new alarming trend – the use of vulnerabilities to extend “drive-by download” attacks on mobile devices. This means that personal and corporate data stored on smartphones and tablets will be targeted as frequently as it is targeted on traditional computers. For the same reasons (rising popularity), new sophisticated attacks will be performed against owners of Apple devices as well.
  6. As vulnerabilities in mobile devices become an increasing threat for users, computer application and program vulnerabilities will continue to be exploited on PCs. Kaspersky Lab named 2012 the year of Java vulnerabilities, and in 2013 Java will continue to be exploited by cybercriminals on a massive scale. However, although Java will continue to be a target for exploits, the importance of Adobe Flash and Adobe Reader as malware gateways will decrease as the latest versions include automated update systems for patching security vulnerabilities.

Costin Raiu, Director of Global Research & Analysis Team Kaspersky Lab said, “In our previous reports we categorised 2011 as the year of explosive growth of new cyber threats. The most notable incidents of 2012 have been revealing and shaping the future of cyber security. We expect the next year to be packed with high-profile attacks on consumers, businesses and governments alike, and to see the first signs of notable attacks against the critical industrial infrastructure. The most notable trends of 2013 will be new examples of cyber warfare operations, increasing targeted attacks on businesses and new, sophisticated mobile threats.”

Fortinet’s FortiGuard Labs Reveals 2013 Top 6 Threat Predictions

  1. APTs Target Individuals through Mobile Platforms. APTs also known as Advanced Persistent Threats are defined by their ability to use sophisticated technology and multiple methods and vectors to reach specific targets to obtain sensitive or classified information. The most recent examples include Stuxnet, Flame and Gauss. In 2013 we predict we’ll see APTs targeted at the civilian population, which includes CEOs, celebrities and political figures. Verifying this prediction will be difficult, however, because after attackers get the information they’re looking for, they can quietly remove the malware from a target device before the victim realizes that an attack has even occurred. What’s more, individuals who do discover they have been victims of an APT will likely not report the attack to the media. Because these attacks will first affect individuals and not directly critical infrastructure, governments or public companies, some types of information being targeted will be different. Attackers will look for information they can leverage for criminal activities such as blackmail; threatening to leak information unless payment is received.
  2. Two Factor Authentication Replaces Single Password Sign on Security Model. The password-only security model is dead. Easily downloadable tools today can crack a simple four or five character password in only a few minutes. Using new cloud-based password cracking tools, attackers can attempt 300 million different passwords in only 20 minutes at a cost of less than $20 USD. Criminals can now easily compromise even a strong alpha-numeric password with special characters during a typical lunch hour. Stored credentials encrypted in databases (often breached through Web portals and SQL injection), along with wireless security (WPA2) will be popular cracking targets using such cloud services. We predict next year we’ll see an increase in businesses implementing some form of two-factor authentication for their employees and customers. This will consist of a Web-based login that will require a user password along with a secondary password that will either arrive through a user’s mobile device or a standalone security token. While it’s true that we’ve seen the botnet Zitmo recently crack two-factor authentication on Android devices and RSA’s SecurID security token (hacked in 2011), this type of one-two punch is still the most effective method for securing online activities.
  3. Exploits to Target Machine-to-Machine (M2M) Communications. Machine-to-machine (M2M) communication refers to technologies that allow both wireless and wired systems to communicate with other devices of the same ability. It could be a refrigerator that communicates with a home server to notify a resident that it’s time to buy milk and eggs, it could be an airport camera that takes a photo of a person’s face and cross references the image with a database of known terrorists, or it could be a medical device that regulates oxygen to an accident victim and then alerts hospital staff when that person’s heart rate drops below a certain threshold. While the practical technological possibilities of M2M are inspiring as it has the potential to remove human error from so many situations, there are still too many questions surrounding how to best secure it. We predict next year we will see the first instance of M2M hacking that has not been exploited historically, most likely in a platform related to national security such as a weapons development facility. This will likely happen by poisoning information streams that traverse the M2M channel — making one machine mishandle the poisoned information, creating a vulnerability and thus allowing an attacker access at this vulnerable point.
  4. Exploits Circumvent the Sandbox. Sandboxing is a practice often employed by security technology to separate running programs and applications so that malicious code cannot transfer from one process (i.e. a document reader) to another (i.e. the operating system). Several vendors including Adobe and Apple have taken this approach and more are likely to follow. As this technology gets put in place, attackers are naturally going to try to circumvent it. FortiGuard Labs has already seen a few exploits that can break out of virtual machine (VM) and sandboxed environments, such as the Adobe Reader X vulnerability. The most recent sandboxing exploits have either remained in stealth mode (suggesting that the malware code is still currently under development and test) or have actively attempted to circumvent both technologies. Next year we expect to see innovative exploit code that is designed to circumvent sandbox environments specifically used by security appliances and mobile devices.
  5. Cross Platform Botnets. In 2012, FortiGuard Labs analyzed mobile botnets such as Zitmo and found they have many of the same features and functionality of traditional PC botnets. In 2013, the team predicts that thanks to this feature parity between platforms, we’ll begin to see new forms of Direct Denial of Service (DDoS) attacks that will leverage both PC and mobile devices simultaneously. For example, an infected mobile device and PC will share the same command and control (C&C) server and attack protocol, and act on command at the same time, thus enhancing a botnet empire. What would once be two separate botnets running on the PC and a mobile operating system such as Android will now become one monolithic botnet operating over multiple types of endpoints.
  6. Mobile Malware Growth Closes in on Laptop and Desktop PCs. Malware is being written today for both mobile devices and notebook/laptop PCs. Historically, however, the majority of development efforts have been directed at PCs simply for the fact that there are so many of them in circulation, and PCs have been around a much longer time. For perspective, FortiGuard Labs researchers currently monitor approximately 50,000 mobile malware samples, as opposed to the millions they are monitoring for the PC. The researchers have already observed a significant increase in mobile malware volume and believe that this skewing is about to change even more dramatically starting next year. This is due to the fact that there are currently more mobile phones on the market than laptop or desktop PCs, and users are abandoning these traditional platforms in favor of newer, smaller tablet devices. While FortiGuard Labs researchers believe it will still take several more years before the number of malware samples equals what they see on PCs, the team believes we are going to see accelerated malware growth on mobile devices because malware creators know that securing mobile devices today is currently more complicated than securing traditional PCs.

Sophos think the following five trends will factor into the IT security landscape in 2013

  1. Basic web server mistakes. In 2012 we saw an increase in SQL injection hacks of web servers and databases to steal large volumes of user names and passwords. Targets have ranged from small to large enterprises with motives both political and financial. With the uptick in these kinds of credential-based extractions, IT professionals will need to pay equal attention to protecting both their computers as well as their web server environment.
  2. More “irreversible” malware. In 2012 we saw a surge in popularity and quality of ransomware malware, which encrypts your data and holds it for ransom. The availability of public key cryptography and clever command and control mechanisms has made it exceptionally hard, if not impossible, to reverse the damage. Over the coming year we expect to see more attacks which, for IT professionals, will place a greater focus on behavioral protection mechanisms as well as system hardening and backup/restore procedures.
  3. Attack toolkits with premium features. Over the past 12 months we have observed significant investment by cybercriminals in toolkits like the Blackhole exploit kit. They’ve built in features such as scriptable web services, APIs, malware quality assurance platforms, anti-forensics, slick reporting interfaces, and self protection mechanisms. In the coming year we will likely see a continued evolution in the maturation of these kits replete with premium features that appear to make access to high quality malicious code even simpler and more comprehensive.
  4. Better exploit mitigation. Even as the number of vulnerabilities appeared to increase in 2012—including every Java plugin released for the past eight years—exploiting them became more difficult as operating systems modernized and hardened. The ready availability of DEP, ASLR, sandboxing, more restricted mobile platforms and new trusted boot mechanisms (among others) made exploitation more challenging. While we’re not expecting exploits to simply disappear, we could see this decrease in vulnerability exploits offset by a sharp rise in social engineering attacks across a wide array of platforms.
  5. Integration, privacy and security challenges. In the past year mobile devices and applications like social media became more integrated. New technologies—like near field communication (NFC) being integrated into these platforms—and increasingly creative use of GPS to connect our digital and physical lives means that there are new opportunities for cybercriminals to compromise our security or privacy. This trend is identifiable not just for mobile devices, but computing in general. In the coming year watch for new examples of attacks built on these technologies.
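Sophos’s item 1 names SQL injection against login databases as the “basic web server mistake” behind 2012’s large credential thefts. The block below is an added example, not Sophos’s code or this blog’s: it shows the string-built credential lookup beside its parameterized fix, and a crude access-log check that flags the quote-plus-comment shape such requests leave behind. The table, the two user accounts, the `pw_hash` helper and the three log lines are all constructed for the demonstration; the unsalted SHA-256 hash is used only to keep the example short.

```python
"""Credential lookup: string-built SQL beside the parameterized form, plus a
log check for injection attempts.  Added example (not Sophos's or this
blog's code); all data below is constructed."""
import hashlib
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed demo accounts.  A real system stores a slow, salted hash
# (hashlib.pbkdf2_hmac, bcrypt, Argon2); plain SHA-256 keeps this short.
USERS = {"alice": "correct horse", "bob": "hunter2"}


def pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table populated with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, pw_hash(p)) for u, p in USERS.items()])
    return conn


def login_vulnerable(conn, username, password):
    """The mistake: user input is spliced into the SQL text, so a username
    containing a quote and a comment marker rewrites the WHERE clause."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{pw_hash(password)}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: bound parameters.  The driver sends the values separately from
    the statement, so input is never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, pw_hash(password))).fetchone()
    return row[0] if row else None


# Quote followed by a comment marker, an OR comparison, or UNION SELECT.
INJECTION_MARKERS = re.compile(r"'\s*(--|or\s+\S+\s*=|union\s+select)", re.IGNORECASE)


def flag_injection_attempts(log_lines):
    """Return decoded request paths from access-log lines that carry the
    classic injection shape.  Crude, but enough to raise an alert."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        decoded = unquote_plus(m.group(1))
        if INJECTION_MARKERS.search(decoded):
            hits.append(decoded)
    return hits


# Constructed access-log lines (common log format).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2012:10:00:01 +0000] "GET /login?user=alice HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Sep/2012:10:00:09 +0000] "GET /login?user=alice%27+-- HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Sep/2012:10:01:13 +0000] "GET /login?user=bob%27+OR+%271%27%3D%271 HTTP/1.1" 500 310',
]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bad password:", login_vulnerable(db, "alice' --", "wrong"))
    print("parameterized, same input:", login_safe(db, "alice' --", "wrong"))
    print("flagged requests:", flag_injection_attempts(SAMPLE_LOG))
```

The log check is a detection aid, not a substitute for the parameterized query: the fix is on the server, and the regex only tells you someone is probing for the mistake.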

Sophos’ last word: “Security really is about more than Microsoft. The PC remains the biggest target for malicious code today, yet criminals have created effective fake antivirus attacks for the Mac. Malware creators are also targeting mobile devices as we experience a whole new set of operating systems with different security models and attack vectors. Our efforts must focus on protecting and empowering end users—no matter what platform, device, or operating system they choose.”

For a retrospective view, why not read my post from last year, “7 experts predict the IT security and compliance issues and trends of 2012”.

RSA’s September Online Fraud Report 2012 including a summary of rogue mobile apps

In its September Online Fraud Report, RSA reports on the activity of online fraudsters; a summary is below.

Threats and risks in today’s mobile app marketplace

In terms of mobile security, some mobile application (app) platforms, such as Apple’s AppStore, are known to employ strict rules to which application developers are obliged to adhere.

Other mobile app platforms, such as Android’s Google Play, are more flexible with regards to mobile apps. While providing application developers with a programming platform that is optimized for convenience and ease-of-entry into the app marketplace, it is these very qualities that have made Android the most heavily targeted mobile operating system, with Android apps by far the most widely used vehicle for spreading mobile malware.

Apps are one of the driving forces behind today’s smartphone market. Their download to mobile phones makes them an attractive new attack vector for cybercriminals along with other mobile phone attributes: the shortened URL, low security awareness among users, and the ease of copying a mobile webpage’s layout for malicious purposes.

This risk extends to the corporate setting with companies increasingly adopting Bring-Your-Own-Device (BYOD) policies, in which employees’ devices double as platforms for both personal and work-related communications. Apps that intercept a mobile user’s email and phone communications, for example, may gain access to corporate communications as well.

Types of Rogue App Payloads

According to a research study on Android malware conducted by the Department of Computer Science at North Carolina State University, 86% of Android mobile-malware payloads are repackaged with legitimate apps and are not standalone, making their detection more difficult. The same study found that many others piggyback on genuine app updates to remain undetected.

The payloads these apps install after being downloaded to a device vary widely, and can include:

  • SMS Sniffers. Apps that covertly collect SMS text messages, including passwords sent to users’ handsets, and forward this information to a remote drop point. Some of these include other stealth features to avoid raising the user’s suspicion, for example, functionality that turns off the alarm sound when new text messages are received and hides all incoming messages.
  • Premium dialers. Apps that install themselves on the user’s handset and start dialing phone numbers or sending dummy text messages to premium-rate service numbers. This type of operation requires the setup of a bogus merchant, along with a fraudulent merchant ID through which cybercriminals can collect funds unwittingly siphoned out of users’ accounts. Handset owners would only become aware of the scam when seeing their bill the following month.
  • SEO enhancers. Apps that repeatedly access a certain website, or websites, to increase their rankings in search engines’ results.
  • Ransomware. Apps that lock a user’s handset and demand payment from users in return for relinquishing control of the mobile device.
  • Spyware. Apps that send the attacker or spy (via a remote drop point) information garnered from a victim’s device including GPS data, intercepted calls and text messages, and phone contacts.
  • Botnet clients / Bridgeheads. Apps that communicate with a cybercriminal via a command & control (C&C) server. These may be used as infrastructure for further malware downloads, much like ready-made PC botnets whose infected systems wait to download banker Trojans or other malware pushed from the C&C server. These payloads act as a bridgehead by giving the perpetrator an initial foothold on the compromised device. The payload opens a port on the device, and listens for new commands issued from the fraudster’s C&C point. Later on, an encrypted payload may be downloaded to the user’s device.

Android apps and their exploitation

At the end of H2 2012, Google announced that the number of devices running Android has reached 400 million, representing 59% of the world’s smartphone market. And to date, Android’s open source code platform has led to the publication of over 600,000 mobile apps. Android’s source code is based on the Java programming language, and its ease of use and low publisher entry fee has made it the most widely targeted mobile platform by malware developers, and the most widely attacked by today’s Trojans. The increased risk for Android app users has already led several anti-virus companies to release AV software for Android-run devices.

A Secure Venue for Apps

The official venue for Android applications is called “Google Play” (formerly known as “Android Market”). By default, each handset running Android is configured to exclusively allow the installation of apps downloaded from Google Play, and to block installation of apps downloaded from any other venue. This is to ensure a minimal level of security.

Downloading apps from Google Play provides an extra security benefit to Android users, as the store provides a “Remote Application Removal” feature, which allows apps that are retrospectively identified by Google as being malicious to be removed from relevant users’ handsets.

Another important security feature added to Google Play is “Google Bouncer,” which scans new apps, acting as a gatekeeper to keep out those identified as malicious.

Despite Android’s default Google-Play-only settings, Android users can still choose to install apps from venues other than Google Play by manually changing their devices’ security settings. Aware of the security issues this may raise, Android users are presented with a warning message when selecting this option.

Android App Permissions

As a second security measure, prior to the installation of an Android app on most Android-based OSs, the app requests certain system permissions, all of which have to be approved before the app can be installed on the device. Whereas legitimate apps normally request only one or two permissions, rogue apps are known to request a long list of permissions before installing themselves.

Currently, this is the main security obstacle for rogue Android apps, which some Trojan coders have managed to bypass through socially engineered schemes. For example, RSA has previously detected a mobile-malware app (SMS sniffer), which presented itself as security software. The app requested nine different permissions, including permission to boot the handset, change system settings, and send text messages. Unsurprisingly, the app was offered from a standalone domain not affiliated with any app store.
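The permission list is the one signal the report says a user (or an app-store reviewer) gets before a rogue app installs, and the SMS-sniffer case above shows what the list looks like: nine permissions including boot, system settings and SMS sending. The block below is an added example of turning that observation into a triage check over a decoded AndroidManifest.xml; it is not code from RSA or from this blog. The permission strings are real Android names, but the grouping into payload categories, the `max_expected` threshold (taken from the report’s “one or two permissions” remark) and the two sample manifests are this example’s own assumptions.

```python
"""Triage the <uses-permission> list of a decoded AndroidManifest.xml.

Added example (not RSA's or this blog's code).  Permission names are real
Android strings; the risk grouping, threshold and manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that line up with the rogue-app payloads listed in the report
# (SMS sniffers, premium dialers, spyware, boot-persistent bot clients).
HIGH_RISK = {
    "android.permission.SEND_SMS": "premium dialer / SMS fraud",
    "android.permission.RECEIVE_SMS": "SMS sniffer (intercepts one-time codes)",
    "android.permission.READ_SMS": "SMS sniffer",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persists across reboot",
    "android.permission.WRITE_SETTINGS": "changes system settings",
    "android.permission.CALL_PHONE": "premium dialer",
    "android.permission.READ_CONTACTS": "spyware (contact harvesting)",
    "android.permission.ACCESS_FINE_LOCATION": "spyware (GPS tracking)",
    "android.permission.RECORD_AUDIO": "spyware (call / ambient recording)",
    "android.permission.READ_PHONE_STATE": "device fingerprinting",
}


def requested_permissions(manifest_xml: str):
    """Every android:name on a <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def triage(manifest_xml: str, max_expected: int = 2):
    """Heuristic (this example's own): flag an app that asks for more than
    max_expected permissions AND at least one from the high-risk set."""
    perms = requested_permissions(manifest_xml)
    risky = {p: HIGH_RISK[p] for p in perms if p in HIGH_RISK}
    return {
        "count": len(perms),
        "risky": risky,
        "suspicious": len(perms) > max_expected and bool(risky),
    }


# Constructed manifests: a one-permission utility and a fake "security"
# app shaped like the SMS sniffer described in the report.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""

ROGUE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Security Suite"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("weather", BENIGN_MANIFEST), ("fakesecurity", ROGUE_MANIFEST)):
        result = triage(manifest)
        print(name, "permissions:", result["count"], "suspicious:", result["suspicious"])
        for perm, why in result["risky"].items():
            print("   ", perm, "->", why)
```

A legitimate messaging app will of course request SMS permissions, so the output is a prompt for review rather than a verdict; the point the report makes is that the declared list is visible before installation and is worth reading.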

RSA’s Conclusion

Today, the payload app may remain on a device even after the host app (with which it was downloaded) has been removed. This makes initial detection and removal of the app from the app store that proffers it even more crucial.

As with PC-based malware, educating consumers to raise awareness of today’s mobile threats and urging them to take precautions against rogue apps will be of paramount importance to mitigating mobile threats in years to come.

Phishing Attacks per Month

In August, 49,488 unique phishing attacks were identified by RSA, marking a 17% decrease from July. The bulk of this decrease is a result of fewer phishing campaigns launched against European financial institutions which have accounted for significant spikes in recent months.

Number of Brands Attacked

In August, 290 brands were subject to phishing attacks, marking a 20% increase from July. This considerable increase shows that cybercriminals are widening their phishing targets to new organizations and new industries not targeted in recent months. More than half of the brands affected by phishing in August were targeted by more than five phishing attacks.

US Bank Types Attacked

In the U.S. financial sector, nationwide banks experienced a 7% decrease in phishing attacks. However, brands in this segment continue to be most targeted by phishing attacks, hit by two out of every three attacks in August.

Top Countries by Attack Volume

In August, the UK continued to get hit by the majority of worldwide phishing attack volume for the sixth consecutive month, accounting for about 70% of all global phishing volume. The U.S. and Canada continued to remain second and third on the list.

Top Countries by Attacked Brands

In August, the U.S., UK and Australia were the top three countries whose brands were most affected by phishing, targeted by 45% of global phishing attacks during the month.

Top Hosting Countries

The U.S. hosted the vast majority of phishing attacks in August with 80%, followed by Canada, the UK and Germany.

Previous RSA Online Fraud Report Summaries:

  • The RSA August 2012 Online Fraud Report Summary here.
  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.


The State of Risk-Based Security Management

The Tripwire sponsored Ponemon study called “The State of Risk-Based Security Management: United States” is designed to discover what organizations are doing with respect to Risk-based Security Management (RBSM), where RBSM is defined as the application of rigorous and systematic analytical techniques to the evaluation of the risks that impact an organization’s information assets and IT infrastructure. RBSM can be considered one component of a wider enterprise risk management system.

My summary of the document is below.

  • 77% express significant or very significant commitment to RBSM
  • yet 52% have a formalized approach to it
  • 46% have actually deployed any RBSM program activities

Of those that have a formal function, program or set of activities dedicated to RBSM, 74% have partially or completely deployed some or all RBSM activities. It appears that having a formalized strategy or plan for RBSM is an important precursor for ensuring that RBSM activities are deployed.

41% of respondents say that their organizations do not categorize their information according to its importance to the organization. Organizations must take this step to make informed, rational decisions about what data is most critical to protect.

Only 45% have specific metrics for determining RBSM effectiveness. Those responsible for the program need a scorecard that demonstrates its success in order to secure funding and resources.

Few organizations have achieved a balanced approach with their preventive and detective controls. While most (80 to 90%) deploy the majority of necessary and appropriate preventive controls, only around half deploy the majority of necessary detective controls.

30% of organizations have no formal RBSM strategy for the enterprise, and almost a quarter (23%) have only an informal or ad hoc strategy.

The existence of a formal RBSM function, program or set of activities

  • Yes 52%
  • No 48%

The existence of a risk management strategy

  • 30% Do not have a strategy
  • 24% Formal but inconsistently applied strategy
  • 23% Informal or “ad hoc” strategy
  • 23% Formal and consistently applied strategy

The US and UK (25 and 36%, respectively) are less concerned about regulatory non-compliance than Germany and the Netherlands (60 and 58%, respectively). This can be attributed to the strict rules governing the handling of personal and sensitive information in Germany and the Netherlands.

Organizations in Germany and the Netherlands have more concern about the cloud than the US and UK. Specifically, 65% of German organizations and 59% of organizations in the Netherlands are concerned or very concerned about software as a cloud service. In contrast, 46% of US and 48% of UK organizations are concerned or very concerned.

US organizations are far more concerned about the human factor risk to their IT infrastructure today and in the immediate future. Specifically, 71% of respondents from US organizations say they are concerned about malicious insiders. In the UK that number drops to 49%.

A larger gap exists between the US and Germany (32%) and the Netherlands (16%). The US and UK are more concerned about employee carelessness (66 and 65%, respectively) than Germany and the Netherlands (34 and 38%, respectively).

Threats to information security faced by organizations

The greatest rise of potential security risk within today’s IT environment

Find the full report here.
