OptimumSecurity has created an infographic that is a great representation of many significant data breaches.
According to a recent survey conducted at this year’s Black Hat USA security conference, nearly two-thirds of organizations are potential targets for nation-state cyberattacks.
The survey conducted by Tripwire, which includes responses from 215 conference attendees, also found that 86% of those questioned have seen an increase in these targeted attacks directed at their network over the last year.
Even more alarming, however, was that despite the noticeable increase in attacks, less than half of the respondents (47%) said confidence in their organizations’ ability to detect and respond to a cyberattack grew in the last 12 months.
“Organizations know they are being actively targeted and that their current capabilities aren’t enough to consistently detect and defend against these attacks,” said Tim Erlin, director of IT security and risk strategy for Tripwire.
“While new defensive technologies are constantly being developed, organizations are hard-pressed to deploy these new tools effectively,” he said.
Erlin noted that in many cases, these organizations would do well to evaluate their investment in foundational security controls.
Additional findings from the Black Hat USA 2015 survey include:
The EDUCAUSE infographic of the top five strategic information security issues for higher education is below:
Risk managers identify technology, supply chain and regulatory as the “big three” risks currently causing their organisations the greatest concern, according to a survey of 500 companies in Europe, the Middle East and Africa conducted for global insurer ACE’s Emerging Risks Barometer 2015. People risk sits just outside the top-three, while geopolitical risk completes the top-five emerging risk categories.
Technology plays a role in almost every business’s strategic planning, whether in the development of new services or products or as an enabler of operational effectiveness. When it comes to technology risk management, however, our research suggests that companies may not be focusing on the right areas, due to a lack of knowledge about the most likely sources of threat.
Supply chain risk
As in our 2013 Barometer, supply chain risk remains a major concern. As companies expand into new markets using ever more complex networks of suppliers and partners the supply chain is at once an enabler of growth and a key source of risk.
In recent years, we have seen major disruptions to supply chains caused by events such as Hurricane Sandy, which prompted the most extreme fuel shortages since the 1970s, and 2014’s widespread flooding in India and Pakistan, which caused US$12 billion in losses. After responding admirably to these and other catastrophes, risk managers say they have achieved a better handle on business interruption risk.
Today, businesses are better prepared and therefore less concerned about interruption caused by natural disasters. Instead, they are focusing more on issues that can harm their corporate reputations. Our respondents rank unethical labour practices as their biggest supply chain worry. Yet 61% admit they cannot always vouch for the ethical and trading standards of every company in their supply chain.
EMERGING RISKS BAROMETER 2015
| Risk category | Respondents |
|---|---|
| Supply chain, finance and logistics risk | 32% |
| Regulatory and compliance risk | 29% |
| Management liability risk (including directors & officers liability) | 14% |
| Environmental liability risk | 12% |
| Terrorism and political violence risk | 12% |
| Natural catastrophe risk | 11% |

(Don’t know / Not applicable: 2%)
Regulatory and compliance risk
27% of respondents say regulatory and compliance risk is among their greatest concerns. The category also comes third in the list of risks with the potential to cause significant financial impact over the next two years, cited by 27% of respondents, and third in the list of risks consuming the most time and resources (29%).
| Risk category | Respondents |
|---|---|
| Supply chain, finance and logistics risk | 31% |
| Regulatory and compliance risk | 27% |
| Management liability risk | 17% |
| Natural catastrophe risk | 11% |
| Terrorism and political violence risk | 11% |
| Environmental liability risk | 10% |

(Don’t know / Not applicable: 2%)
While highly regulated sectors such as financial services and energy face the most extreme regulatory challenges, no company is immune. As businesses pursue growth on a global scale, they face a patchwork of regulatory regimes, across markets and jurisdictions.
Other risks to watch
The rise of people risk
People risk only narrowly missed out on a place in our Big Three Risks. Over a quarter (26%) say this risk, which includes risks to people, risks caused by people and talent risks, is among their greatest concerns.
34% say their greatest concern in relation to people risk is time lost to labour disputes. In recent years, we have seen substantial labour action in the UK and Germany as well as in supplier nations such as China. At the same time, 75% of respondents say recent global events, such as political unrest in Ukraine and the Middle East, are causing them to review their travel and security policies.
Geopolitical risk to grow in importance?
Regime change, asset confiscation, protectionism and other geopolitical risks also pose a real threat for business. Respondents today are largely confident in their ability to manage this risk, but only 30% say they are very confident. As a quarter (26%) also believe geopolitical risk will have a significant financial impact over the next two years, we could expect the risk to appear higher in the future, especially as companies continue to expand overseas.
Respondents are primarily concerned about foreign governments cancelling operating licences, concessions or contracts. The majority (68%) believe foreign governments are already making it more difficult for them to plan ahead.
2014 was another busy year for the Information Commissioner’s Office (ICO), with yet more breaches of the Data Protection Act.
There are normally three types of punishment administered by the ICO.
Below is a summary of the ICO’s activity in 2014 across all three “punishment” areas.
Monetary penalty notices
A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors such as the size and the financial and other resources of the organisation acting as data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury, not to the ICO.
Undertakings are formal agreements between an organisation and the ICO to carry out certain actions to avoid future breaches of the Data Protection Act; typically these cover encryption, training and management procedures.
Who has breached the Data Protection Act in 2012? Find the complete list here.
Who breached the Data Protection Act in 2013? Find the complete list here.
The Coast Guard Journal of Safety & Security at Sea carries a very interesting article by David Dickman, Diz Locaria and Jason Wool, “Reducing Cyber Risk: Marine transportation system cybersecurity standards, liability protection, and cyber insurance”.
Within our nation’s marine transportation system (MTS), computers, information networks, and telecommunications systems support fundamental port and maritime operations.
While this technology provides great benefits, it also introduces vulnerabilities.
In several recent incidents, bad actors exploited cyber weaknesses within MTS elements with significant repercussions.
Some examples include:
The full article can be found in the journal by clicking here.
BlackEnergy is designed to target critical energy infrastructure and is believed to have originated with Russian government-sponsored hackers.
The Department of Homeland Security’s Oct. 29 cyberthreat alert was, unfortunately, business as usual for many of the nation’s companies. However, with the potential attack on water, electricity and other features of the nation’s critical infrastructure linked to Russian cyber criminals, security practices within private companies have become the public’s business.
“It’s really a very serious issue and the fact that sometimes it’s very difficult to detect [this type of malware] and sometimes the places that house industrial control systems may or may not follow very consistent, very rigorous, security practices creates a huge problem,” said James Joshi, a University of Pittsburgh associate professor and lead faculty member of the school’s Information Assurance Program.
DHS announced Oct. 29 that several industrial control systems — vendor-issued programs used by private companies to manage internal systems — had been infected by a variant of a Trojan horse malware program called BlackEnergy.
Infected programs such as GE Cimplicity, Siemens WinCC and Advantech/Broadwin WebAccess have been used by companies responsible for portions of the country’s critical infrastructure, including “water, energy, property management and industrial control systems vendors” according to DHS. BlackEnergy shows enough similarities to a malware called Sandworm — which was used during a 2013 Russian cyber-espionage campaign against NATO, the European Union and overseas telecommunication and energy sectors — that DHS believes they could be “part of a broader campaign by the same threat actor.”
So far, there’s no sign anyone has tried to take control of any critical infrastructure systems through BlackEnergy. However, the malware is described as “highly modular” in the DHS alert and could be lurking inside of yet-to-be discovered files and media.
With control of nuclear facilities and the electrical grid at risk, Mr. Joshi said too much is at stake for the nation to treat this like threats of the past.
“I think we should really seriously consider this. We’re talking about critical infrastructure and I think this kind of malware is very difficult to detect, stays around for a long time and someone who is behind these gets control of the system they can do anything to the system that they compromise,” he said.
Local utilities say they are on alert.
Duquesne Light became aware of the BlackEnergy threat more than three weeks ago, according to spokesman Brian Knavish, and has since performed a “targeted analysis” to determine if it has been impacted. The company concluded it wasn’t.
BlackEnergy is a “credible threat,” Mr. Knavish said, but “there are a lot of these and some of them get more attention than others.”
In recent years, the electric utility, which serves 584,000 customers in Allegheny and Beaver counties, has beefed up its cybersecurity staffing and receives information about threats from many varied sources, including Homeland Security, the Federal Bureau of Investigation, and others in the energy industry.
“Any threat is taken very seriously,” he said. “There’s always viruses out there.”
FirstEnergy Corp., the Ohio-based parent of West Penn Power, which also operates a number of power plants in the region and a transmission line business that serves this area, said it too has been made aware of BlackEnergy and works with industry organizations to monitor the threat.
The flow of electricity in Pennsylvania and 12 surrounding states is managed by PJM Interconnection, a Valley Forge-based grid operator that oversees the largest grid in the U.S. A spokesman for PJM, Paula DuPont-Kidd, said the organization knows about the threat, “however, like all cybersecurity threats, we continually monitor and arm ourselves with the best strategies to protect the grid and our market.”
North Shore-based utility Peoples Natural Gas said it doesn’t use any of the software identified as the target of BlackEnergy and did not detect the malware in its network after it became aware of the threat.
Peoples, which has 14,000 miles of pipeline in its network, operates its assets through a standalone system that’s not connected to the Internet, according to spokesman Barry Kukovich. That’s by design.
“This eliminates over 99 percent of these malicious threats,” Mr. Kukovich said.
Josephine Posti, a spokeswoman for Pennsylvania American Water, said the company, which regularly works with Homeland Security and the Environmental Protection Agency to protect the water supply, is aware of the threat and has not been impacted by it.
“There’s no such thing as 100 percent security,” said Scott Aaronson, senior director of national security policy for the Edison Electric Institute in Washington, D.C. “What we’re doing is not risk elimination, it’s risk management.”
BlackEnergy is one of many threats and vulnerabilities monitored by the trade organization on a regular basis. Some are identified by government agencies, some by companies, and others by researchers, he said.
The Institute, which is central to the information exchange between the groups, has been aware of BlackEnergy for about a month, Mr. Aaronson said.
There has never been a cyberattack in the U.S. that has affected the distribution of power, he said, but there are cyberattacks all the time that successfully target the industry’s business units.
“There are two kinds of companies: those that have been attacked and those that don’t know it yet,” Mr. Aaronson said.
The industry has three lines of defense against such attacks, he said. One is standards — electric utilities and the nuclear industry are the only two sectors with mandatory cybersecurity standards enforceable through hefty fines from the Federal Energy Regulatory Commission. Another is the coordination between government and industry groups. The third is incident response.
“You cannot protect everything from everything,” Mr. Aaronson said. “We may not succeed” in preventing a cyberattack, he said. The question is “how do you recover quickly? How do you make sure that any damage that is done is not catastrophic, but is simply a nuisance?”
Companies operating or managing critical infrastructure generally follow a set of standard practices recommended by the National Institute of Standards and Technology, said Mr. Joshi. However, he added that individual companies may not follow standards as rigorously as they should, particularly those dealing with industrial control systems. He also said security standards at large might need an across-the-board overhaul in a digital environment that’s more connected than ever before.
The potential link to a nation-state raises the stakes even higher, he continued.
“I think we should be scared and take this very seriously because it could be a nation-state issue. But the fact is, once the tools are there they could just leave it out and anyone could do [the attack],” he said.
DHS spokesman S.Y. Lee confirmed that the department contacted several entities affected by the malware but declined to say how many. He also said the agency believes there are several entities that do not yet know they have been hacked.
The Oct. 29 threat alert included information to detect the malware and mitigation strategies, including keeping control system devices off the Internet, protecting systems and devices with firewalls, and monitoring administrator-level accounts used by third-party vendors.
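The last of those mitigations, watching vendor administrator accounts, is the one most utilities can act on from logs they already collect. The script below is an added illustration of such a check; it is not code from the DHS alert, the utilities quoted above, or the Post-Gazette. The account names, approved source subnet, maintenance window and log line format are all assumptions for the example, and the log lines are constructed (the 203.0.113.x address is a documentation range, not a real host).

```python
"""Flag successful admin logins by third-party vendor accounts that fall outside
an approved remote-access policy (source subnet and maintenance window).

Added example; account names, subnets, windows and the log format are assumed.
"""
import ipaddress
import re
from datetime import datetime, time

# Assumed policy: vendor-owned admin accounts, the jump-host subnet they may
# connect from, and the local-time window in which remote maintenance is allowed.
VENDOR_POLICY = {
    "svc_hmi_vendor": {
        "allowed_sources": [ipaddress.ip_network("10.50.0.0/24")],
        "window": (time(8, 0), time(18, 0)),
    },
    "scada_support": {
        "allowed_sources": [ipaddress.ip_network("10.50.0.0/24")],
        "window": (time(8, 0), time(18, 0)),
    },
}

# Assumed log format:
#   <ISO timestamp> host=<name> user=<account> src=<ip> event=<type> result=<success|failure>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def check_login(rec, policy=VENDOR_POLICY):
    """Return the policy violations (possibly none) for one parsed record."""
    if rec is None or rec["event"] != "admin_login" or rec["result"] != "success":
        return []
    rule = policy.get(rec["user"])
    if rule is None:
        return []  # not a vendor account; other controls cover it
    findings = []
    if not any(rec["src"] in net for net in rule["allowed_sources"]):
        findings.append(
            f"{rec['user']} admin login on {rec['host']} from unapproved source {rec['src']}"
        )
    start, end = rule["window"]
    if not (start <= rec["ts"].time() <= end):
        findings.append(
            f"{rec['user']} admin login on {rec['host']} outside maintenance window "
            f"at {rec['ts'].isoformat()}"
        )
    return findings


def audit(lines, policy=VENDOR_POLICY):
    """Run check_login over every line and collect the findings in log order."""
    findings = []
    for line in lines:
        findings.extend(check_login(parse_line(line), policy))
    return findings


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2014-10-29T09:15:02 host=hmi-01 user=svc_hmi_vendor src=10.50.0.12 event=admin_login result=success",
    "2014-10-29T02:41:10 host=hmi-01 user=svc_hmi_vendor src=10.50.0.12 event=admin_login result=success",
    "2014-10-29T11:03:55 host=hist-02 user=scada_support src=203.0.113.45 event=admin_login result=success",
    "2014-10-29T11:04:20 host=hist-02 user=scada_support src=203.0.113.45 event=admin_login result=failure",
    "2014-10-29T12:00:00 host=eng-ws-7 user=jsmith src=10.20.1.5 event=admin_login result=success",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("ALERT:", finding)
```

On the constructed log, the first login is clean, the second is flagged for happening at 02:41, the third for coming from an address outside the vendor subnet, the failed attempt is ignored, and the in-house engineer is not covered by the vendor policy at all. In practice the policy table would be generated from the vendor contracts and change-control calendar rather than hand-written, and failed attempts would feed a separate brute-force check.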
By Anya Litvak and Deborah M. Todd / Pittsburgh Post-Gazette. Originally published here.
Infographic from Narus.
The spate of recent data breaches at big-name companies such as JPMorgan Chase, Home Depot, and Target raises questions about the effectiveness of the private sector’s information security.
According to FBI Director James Comey:
“There are two kinds of big companies in the United States. There are those who’ve been hacked… and those who don’t know they’ve been hacked.”
A recent survey by the Ponemon Institute showed the average cost of cyber crime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million per company in 2014. The annual average cost per company of successful cyber attacks increased to $20.8 million in financial services, $14.5 million in the technology sector, and $12.7 million in communications industries.
This paper lists known cyber attacks on private U.S. companies since the beginning of 2014. (A companion paper discussed cyber breaches in the federal government.) By its very nature, a list of this sort is incomplete. The scope of many attacks is not fully known. For example, in July, the U.S. Computer Emergency Readiness Team issued an advisory that more than 1,000 U.S. businesses have been affected by the Backoff malware, which targets point-of-sale (POS) systems used by most retail industries. These attacks targeted administrative and customer data and, in some cases, financial data.
This list includes only cyber attacks that have been made known to the public. Most companies encounter multiple cyber attacks every day, many unknown to the public and many unknown to the companies themselves.
The data breaches below are listed chronologically by month of public notice.
As cyber attacks on retail, technology, and industrial companies increase so does the importance of cybersecurity. From brute-force attacks on networks to malware compromising credit card information to disgruntled employees sabotaging their companies’ networks from the inside, companies and their customers need to secure their data. To improve the private sector’s ability to defend itself, Congress should:
The recent increases in the rate and the severity of cyber attacks on U.S. companies indicate a clear threat to businesses and customers. As businesses come to terms with the increasing threat of hackers, instituting the right policies is critical to harnessing the power of the private sector. In a cyber environment with ever-changing risks and threats, the government needs to do more to support the private sector in establishing sound cybersecurity while not creating regulations that hinder businesses more than help them.
— Riley Walters is a Research Assistant in the Asian Studies Center, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.
The original research article can be found here.