OptimumSecurity has created an infographic that is a great representation of many significant data breaches.
According to a recent survey conducted at this year’s Black Hat USA security conference, nearly two-thirds of organizations are potential targets for nation-state cyberattacks.
The survey conducted by Tripwire, which includes responses from 215 conference attendees, also found that 86% of those questioned have seen an increase in these targeted attacks directed at their network over the last year.
Even more alarming, however, was that despite the noticeable increase in attacks, less than half of the respondents (47%) said confidence in their organizations’ ability to detect and respond to a cyberattack grew in the last 12 months.
“Organizations know they are being actively targeted and that their current capabilities aren’t enough to consistently detect and defend against these attacks,” said Tim Erlin, director of IT security and risk strategy for Tripwire.
“While new defensive technologies are constantly being developed, organizations are hard-pressed to deploy these new tools effectively,” he said.
Erlin noted that in many cases, these organizations would do well to evaluate their investment in foundational security controls.
Additional findings from the Black Hat USA 2015 survey include:
EDUCAUSE infographic: the Top Five strategic information security issues for Higher Education.
Risk managers identify technology, supply chain and regulatory as the “big three” risks currently causing their organisations the greatest concern, according to a survey of 500 companies in Europe, the Middle East and Africa conducted for global insurer ACE’s Emerging Risks Barometer 2015. People risk sits just outside the top-three, while geopolitical risk completes the top-five emerging risk categories.
Technology plays a role in almost every business’s strategic planning, whether in the development of new services or products or as an enabler of operational effectiveness. When it comes to technology risk management, however, our research suggests that companies may not be focusing on the right areas, due to a lack of knowledge about the most likely sources of threat.
Supply chain risk
As in our 2013 Barometer, supply chain risk remains a major concern. As companies expand into new markets using ever more complex networks of suppliers and partners, the supply chain is at once an enabler of growth and a key source of risk.
In recent years, we have seen major disruptions to supply chains caused by events such as Hurricane Sandy, which prompted the most extreme fuel shortages since the 1970s, and 2014’s widespread flooding in India and Pakistan, which caused US$12 billion in losses. After responding admirably to these and other catastrophes, risk managers say they have achieved a better handle on business interruption risk.
Today, businesses are better prepared and therefore less concerned about interruption caused by natural disasters. Instead, they are focusing more on issues that can harm their corporate reputations. Our respondents rank unethical labour practices as their biggest supply chain worry. Yet 61% admit they cannot always vouch for the ethical and trading standards of every company in their supply chain.
EMERGING RISKS BAROMETER 2015

Risk category                                                          % of respondents
Supply chain, finance and logistics risk                               32%
Regulatory and compliance risk                                         29%
Management liability risk (including directors & officers liability)   14%
Environmental liability risk                                           12%
Terrorism and political violence risk                                  12%
Natural catastrophe risk                                               11%
(Don’t know / Not applicable: 2%)
Regulatory and compliance risk
27% of respondents say regulatory and compliance risk is among their greatest concerns. The category also comes third in the list of risks with the potential to cause significant financial impact over the next two years, cited by 27% of respondents, and third in the list of risks consuming the most time and resources (29%).
Risk category                                                          % of respondents
Supply chain, finance and logistics risk                               31%
Regulatory and compliance risk                                         27%
Management liability risk                                              17%
Natural catastrophe risk                                               11%
Terrorism and political violence risk                                  11%
Environmental liability risk                                           10%
(Don’t know / Not applicable: 2%)
While highly regulated sectors such as financial services and energy face the most extreme regulatory challenges, no company is immune. As businesses pursue growth on a global scale, they face a patchwork of regulatory regimes, across markets and jurisdictions.
Other risks to watch
The rise of people risk
People risk only narrowly missed out on a place in our Big Three Risks. Over a quarter (26%) say this risk, which includes risks to people, risks caused by people and talent risks, is among their greatest concerns.
34% say their greatest concern in relation to people risk is time lost to labour disputes. In recent years, we have seen substantial labour action in the UK and Germany as well as in supplier nations such as China. At the same time, 75% of respondents say recent global events, such as political unrest in Ukraine and the Middle East, are causing them to review their travel and security policies.
Geopolitical risk to grow in importance?
Regime change, asset confiscation, protectionism and other geopolitical risks also pose a real threat for business. Respondents today are largely confident in their ability to manage this risk, but only 30% say they are very confident. As a quarter (26%) also believe geopolitical risk will have a significant financial impact over the next two years, we could expect the risk to appear higher in the future, especially as companies continue to expand overseas.
Respondents are primarily concerned about foreign governments cancelling operating licences, concessions or contracts. The majority (68%) believe foreign governments are already making it more difficult for them to plan ahead.
2014 was another busy year for the Information Commissioner’s Office (ICO), with yet more breaches of the Data Protection Act.
The ICO normally administers three types of punishment.
Below is a summary of the ICO’s activity in 2014 across all three “punishment” areas.
Monetary penalty notices
A monetary penalty notice is only served in the most serious cases. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors such as the size and the financial and other resources of the organisation acting as data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury, not retained by the ICO.
Undertakings are formal agreements between an organisation and the ICO to take specified actions to avoid future breaches of the Data Protection Act; typically these cover encryption, staff training and management procedures.
Who breached the Data Protection Act in 2012? Find the complete list here.
Who breached the Data Protection Act in 2013? Find the complete list here.
The Coast Guard Journal of Safety & Security at Sea carries a very interesting article by David Dickman, Diz Locaria and Jason Wool, “Reducing Cyber Risk: Marine transportation system cybersecurity standards, liability protection, and cyber insurance”.
Within our nation’s marine transportation system (MTS), computers, information networks, and telecommunications systems support fundamental port and maritime operations.
While this technology provides great benefits, it also introduces vulnerabilities.
In several recent incidents, bad actors exploited cyber weaknesses within MTS elements with significant repercussions.
Some examples include:
The full article can be found in the journal by clicking here.
BlackEnergy is designed to target critical energy infrastructure and is believed to have originated with Russian government-sponsored hackers.
The Department of Homeland Security’s Oct. 29 cyberthreat alert was, unfortunately, business as usual for many of the nation’s companies. However, with the potential attack on water, electricity and other features of the nation’s critical infrastructure linked to Russian cyber criminals, security practices within private companies have become the public’s business.
“It’s really a very serious issue and the fact that sometimes it’s very difficult to detect [this type of malware] and sometimes the places that house industrial control systems may or may not follow very consistent, very rigorous, security practices creates a huge problem,” said James Joshi, a University of Pittsburgh associate professor and lead faculty member of the school’s Information Assurance Program.
DHS announced Oct. 29 that several industrial control systems — vendor-issued programs used by private companies to manage internal systems — had been infected by a variant of a Trojan horse malware program called BlackEnergy.
The affected programs, including GE Cimplicity, Siemens WinCC and Advantech/Broadwin WebAccess, are used by companies responsible for portions of the country’s critical infrastructure, including “water, energy, property management and industrial control systems vendors” according to DHS. BlackEnergy shows enough similarities to the malware used in the Sandworm campaign, a 2013 Russian cyber-espionage campaign against NATO, the European Union and overseas telecommunication and energy sectors, that DHS believes they could be “part of a broader campaign by the same threat actor.”
So far, there’s no sign anyone has tried to take control of any critical infrastructure systems through BlackEnergy. However, the malware is described as “highly modular” in the DHS alert and could be lurking inside of yet-to-be discovered files and media.
With control of nuclear facilities and the electrical grid at risk, Mr. Joshi said too much is at stake for the nation to treat this like threats of the past.
“I think we should really seriously consider this. We’re talking about critical infrastructure and I think this kind of malware is very difficult to detect, stays around for a long time and someone who is behind these gets control of the system they can do anything to the system that they compromise,” he said.
Local utilities say they are on alert.
Duquesne Light became aware of the BlackEnergy threat more than three weeks ago, according to spokesman Brian Knavish, and has since performed a “targeted analysis” to determine if it has been impacted. The company concluded it wasn’t.
BlackEnergy is a “credible threat,” Mr. Knavish said, but “there are a lot of these and some of them get more attention than others.”
In recent years, the electric utility, which serves 584,000 customers in Allegheny and Beaver counties, has beefed up its cybersecurity staffing and receives information about threats from many varied sources, including Homeland Security, the Federal Bureau of Investigation and others in the energy industry.
“Any threat is taken very seriously,” he said. “There’s always viruses out there.”
FirstEnergy Corp., the Ohio-based parent of West Penn Power, which also operates a number of power plants in the region and a transmission line business that serves this area, said it too has been made aware of BlackEnergy and works with industry organizations to monitor the threat.
The flow of electricity in Pennsylvania and 12 surrounding states is managed by PJM Interconnection, a Valley Forge-based grid operator that oversees the largest grid in the U.S. PJM spokeswoman Paula DuPont-Kidd said the organization knows about the threat, “however, like all cybersecurity threats, we continually monitor and arm ourselves with the best strategies to protect the grid and our market.”
North Shore-based utility Peoples Natural Gas said it doesn’t use any of the software identified as the target of BlackEnergy and did not detect the malware in its network after it became aware of the threat.
Peoples, which has 14,000 miles of pipeline in its network, operates its assets through a standalone system that’s not connected to the Internet, according to spokesman Barry Kukovich. That’s by design.
“This eliminates over 99 percent of these malicious threats,” Mr. Kukovich said.
Josephine Posti, a spokeswoman for Pennsylvania American Water, said the company, which regularly works with Homeland Security and the Environmental Protection Agency to protect the water supply, is aware of the threat and has not been impacted by it.
“There’s no such thing as 100 percent security,” said Scott Aaronson, senior director of national security policy for the Edison Electric Institute in Washington, D.C. “What we’re doing is not risk elimination, it’s risk management.”
BlackEnergy is one of many threats and vulnerabilities monitored by the trade organization on a regular basis. Some are identified by government agencies, some by companies, and others by researchers, he said.
The Institute, which is central to the information exchange between the groups, has been aware of BlackEnergy for about a month, Mr. Aaronson said.
There has never been a cyberattack in the U.S. that has affected the distribution of power, he said, but there are cyberattacks all the time that successfully target the industry’s business units.
“There are two kinds of companies: those that have been attacked and those that don’t know it yet,” Mr. Aaronson said.
The industry has three lines of defense against such attacks, he said. One is standards — electric utilities and the nuclear industry are the only two sectors with mandatory cybersecurity standards enforceable through hefty fines from the Federal Energy Regulatory Commission. Another is the coordination between government and industry groups. The third is incident response.
“You cannot protect everything from everything,” Mr. Aaronson said. “We may not succeed” in preventing a cyberattack, he said. The question is “how do you recover quickly? How do you make sure that any damage that is done is not catastrophic, but is simply a nuisance?”
Companies operating or managing critical infrastructure generally follow a set of standard practices recommended by the National Institute of Standards and Technology (NIST), said Mr. Joshi. However, he added that individual companies may not follow standards as rigorously as they should, particularly those dealing with industrial control systems. He also said security standards at large might need an across-the-board overhaul in a digital environment that’s more connected than ever before.
The potential link to a nation-state raises the stakes even higher, he continued.
“I think we should be scared and take this very seriously because it could be a nation-state issue. But the fact is, once the tools are there they could just leave it out and anyone could do [the attack.]” he said.
DHS spokesman S.Y. Lee confirmed that the department contacted several entities affected by the malware but declined to say how many. He also said the agency believes there are several entities that do not yet know they have been hacked.
The Oct. 29 threat alert included indicators to detect the malware and mitigation strategies, including keeping control system devices off the Internet, protecting systems and devices with firewalls and monitoring the administrator-level accounts used by third-party vendors.
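Of the three mitigations, monitoring the administrator-level accounts used by third-party vendors is the one that turns most directly into a detection rule: vendor accounts are expected to connect only from known networks and only during agreed maintenance windows, so any successful login that breaks either expectation deserves a look. The following Python is an added example, not code from the DHS alert or the Post-Gazette article. The account names, networks, maintenance windows, hostnames and log lines are all constructed for illustration; the log format is a simple key=value layout assumed for the example, so the parser would need to be swapped for whatever the real SIEM or syslog source emits.

```python
import ipaddress
from datetime import datetime, time

# Constructed policy for the vendor accounts this rule watches (an assumption for the
# example, not anything from the DHS alert): the networks each vendor is expected to
# connect from and the maintenance window during which its logins are expected.
VENDOR_POLICY = {
    "svc_vendor_a": {"allowed_nets": ["10.50.0.0/24"], "window": (time(8, 0), time(18, 0))},
    # overnight window that wraps midnight
    "svc_vendor_b": {"allowed_nets": ["192.0.2.0/24"], "window": (time(22, 0), time(2, 0))},
}


def in_window(t, start, end):
    """True if clock time t falls inside [start, end]; handles windows that wrap midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def parse_line(line):
    """Parse one constructed log line of the form
    '2014-10-30T10:15:02 host=hmi01 user=svc_vendor_a src=10.50.0.17 result=success'."""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event


def check_login(event):
    """Return the findings (possibly none) for one login event.

    Only successful logins by accounts listed in VENDOR_POLICY are examined. A vendor
    login is flagged if it comes from a network outside the allow-list and/or outside
    the vendor's maintenance window; both findings can apply to the same event.
    """
    findings = []
    policy = VENDOR_POLICY.get(event["user"])
    if policy is None or event["result"] != "success":
        return findings
    who = f"{event['user']}@{event['host']}"
    src = ipaddress.ip_address(event["src"])
    if not any(src in ipaddress.ip_network(net) for net in policy["allowed_nets"]):
        findings.append(f"{who}: login from unexpected source {src}")
    if not in_window(event["ts"].time(), *policy["window"]):
        findings.append(f"{who}: login outside maintenance window at {event['ts'].isoformat()}")
    return findings


def scan(lines):
    """Run check_login over every line and return all findings in log order."""
    return [finding for line in lines for finding in check_login(parse_line(line))]


# Constructed sample log (not real data). Yields four findings: lines 2, 3 and 5 (twice).
SAMPLE_LOG = [
    "2014-10-30T10:15:02 host=hmi01 user=svc_vendor_a src=10.50.0.17 result=success",   # within policy
    "2014-10-30T03:12:44 host=hmi01 user=svc_vendor_a src=10.50.0.17 result=success",   # outside window
    "2014-10-30T11:40:10 host=hmi02 user=svc_vendor_a src=203.0.113.9 result=success",  # unexpected source
    "2014-10-30T23:05:00 host=hmi02 user=svc_vendor_b src=192.0.2.44 result=success",   # inside overnight window
    "2014-10-31T03:30:00 host=hmi02 user=svc_vendor_b src=203.0.113.9 result=success",  # both violations
    "2014-10-31T03:31:00 host=hmi02 user=svc_vendor_b src=203.0.113.9 result=failure",  # failed login, not examined
    "2014-10-31T12:00:00 host=hmi02 user=operator src=10.0.0.5 result=success",         # not a vendor account
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The rule deliberately ignores failed logins and non-vendor accounts so that it stays narrow and low-noise; failed-login bursts against vendor accounts are worth a separate rule with its own threshold. The wrapping-window case matters in practice because overnight maintenance windows are common, and a naive `start <= t <= end` comparison would flag every legitimate overnight login.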
By Anya Litvak and Deborah M. Todd / Pittsburgh Post-Gazette. Originally published here.
Infographic from Narus.
The spate of recent data breaches at big-name companies such as JPMorgan Chase, Home Depot, and Target raises questions about the effectiveness of the private sector’s information security.
According to FBI Director James Comey:
“There are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.”
A recent survey by the Ponemon Institute showed the average cost of cyber crime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million per company in 2014. The annual average cost per company of successful cyber attacks increased to $20.8 million in financial services, $14.5 million in the technology sector, and $12.7 million in communications industries.
This paper lists known cyber attacks on private U.S. companies since the beginning of 2014. (A companion paper discussed cyber breaches in the federal government.) By its very nature, a list of this sort is incomplete. The scope of many attacks is not fully known. For example, in July, the U.S. Computer Emergency Readiness Team issued an advisory that more than 1,000 U.S. businesses have been affected by the Backoff malware, which targets point-of-sale (POS) systems used by most retail industries. These attacks targeted administrative and customer data and, in some cases, financial data.
This list includes only cyber attacks that have been made known to the public. Most companies encounter multiple cyber attacks every day, many unknown to the public and many unknown to the companies themselves.
The data breaches below are listed chronologically by month of public notice.
As cyber attacks on retail, technology, and industrial companies increase so does the importance of cybersecurity. From brute-force attacks on networks to malware compromising credit card information to disgruntled employees sabotaging their companies’ networks from the inside, companies and their customers need to secure their data. To improve the private sector’s ability to defend itself, Congress should:
The recent increases in the rate and the severity of cyber attacks on U.S. companies indicate a clear threat to businesses and customers. As businesses come to terms with the increasing threat of hackers, instituting the right policies is critical to harnessing the power of the private sector. In a cyber environment with ever-changing risks and threats, the government needs to do more to support the private sector in establishing sound cybersecurity while not creating regulations that hinder businesses more than help them.
— Riley Walters is a Research Assistant in the Asian Studies Center of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy at The Heritage Foundation.
The original research article can be found here.
The results of the HP Enterprise Security sponsored Ponemon 2014 Global Report on the Cost of Cyber Crime are summarised below.
During the period they conducted interviews and analysed the findings, mega cybercrimes took place. Most notable was the Target cyber breach, which was reported to result in the theft of 40 million payment cards.
More recently, Chinese hackers launched a cyber attack against Canada’s National Research Council as well as commercial entities in Pennsylvania, including Westinghouse Electric Company, U.S. Steel and the United Steel Workers Union. Russian hackers recently stole the largest collection of Internet credentials ever: 1.2 billion user names and passwords, plus 500 million email addresses. While the companies represented in this research did not have cyber attacks as devastating as these were, they did experience incidents that were expensive to resolve and disruptive to their operations.
For purposes of this study, they refer to cyber attacks as criminal activity conducted via the Internet. These attacks can include stealing an organisation’s intellectual property, confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure.
The study’s goal is to quantify the economic impact of cyber attacks and observe cost trends over time. They believe a better understanding of the cost of cybercrime will assist organisations in determining the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack.
Approximately 10 months of effort is required to recruit companies, build an activity-based cost model to analyse the data, collect source information and complete the analysis.
For consistency purposes, the benchmark sample consists of only larger sized organizations (i.e. more than 1,000 enterprise seats). The study examines the total costs organizations incur when responding to cybercrime incidents. These include the costs to detect, recover, investigate and manage the incident response. Also covered are the costs that result in after-the-fact activities and efforts to contain additional costs from business disruption and the loss of customers. These costs do not include the plethora of expenditures and investments made to sustain an organization’s security posture or compliance with standards, policies and regulations.
Global at a glance
This year’s annual study was conducted in the United States, United Kingdom, Germany, Australia, Japan, France and for the first time, the Russian Federation, with a total benchmark sample of 257 organizations. Country-specific results are presented in seven separate reports.
The report presents the estimated average cost of cybercrime for the seven country samples (257 companies in total), compared with last year’s country averages. Cost figures are converted into U.S. dollars for comparative purposes.
There is significant variation in total cybercrime costs among participating companies in the benchmark samples. The US sample reports the highest total average cost at $12.7 million and the Russian sample reports the lowest total average cost at $3.3 million. It is also interesting to note that all six returning countries experienced a net increase in the cost of cybercrime over the past year, ranging from 2.7% for Japan to 22.7% for the United Kingdom. The percentage net change between FY 2014 and FY 2013 (excluding Russia) is 10.4%.
Summary of global findings
Following are the most salient findings for a sample of 257 organizations requiring 2,081 separate interviews to gather cybercrime cost results. In several places in this report, they compare the present findings to last year’s average of benchmark studies.
Cybercrimes continue to be on the rise for organizations. They found that the mean annualized cost for 257 benchmarked organizations is $7.6 million per year, with a range from $0.5 million to $61 million per company each year. Last year’s mean cost for 235 benchmarked organizations was $7.2 million. They observe a 10.4% net change from last year (excluding the Russian sample).
Cybercrime cost varies by organizational size. Results reveal a positive relationship between organizational size (as measured by enterprise seats) and annualized cost. However, based on enterprise seats, they determined that small organizations incur a significantly higher per capita cost than larger organizations ($1,601 versus $437).
All industries fall victim to cybercrime, but to different degrees. The average annualized cost of cybercrime appears to vary by industry segment, where organizations in energy & utilities and financial services experience substantially higher cybercrime costs than organizations in media, life sciences and healthcare.
The most costly cybercrimes are those caused by malicious insiders, denial of service and web-based attacks. These account for more than 55% of all cybercrime costs per organization on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, application security testing solutions and enterprise GRC solutions.
Cyber attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organizational cost. Please note that resolution does not necessarily mean that the attack has been completely stopped. For example, some attacks remain dormant and undetected (i.e. modern day attacks).
The average time to contain a cyber attack was 31 days, with an average cost to participating organizations of $639,462 during this 31-day period. This represents a 23% increase from last year’s estimated average cost of $509,665, which was based upon a 27-day remediation period. Results show that malicious insider attacks can take more than 58 days on average to contain.
Business disruption represents the highest external cost, followed by the costs associated with information loss. On an annualized basis, business disruption accounts for 38% of total external costs, which include costs associated with business process failures and lost employee productivity.
Detection is the most costly internal activity followed by recovery. On an annualized basis, detection and recovery costs combined account for 53% of the total internal activity cost with cash outlays and direct labour representing the majority of these costs.
Activities relating to IT security in the network layer receive the highest budget allocation. In contrast, the host layer receives the lowest funding level.
Deployment of security intelligence systems makes a difference. The cost of cybercrime is moderated by the use of security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber attacks. As a result, these companies enjoyed an average cost savings of $2.6 million when compared to companies not deploying security intelligence technologies.
A strong security posture moderates the cost of cyber attacks. They utilise Ponemon Institute’s proprietary metric called the Security Effectiveness Score (SES) Index to define an organization’s ability to achieve reasonable security objectives. The higher the SES, the more effective the organization is in achieving its security objectives. The average cost to mitigate a cyber attack for organizations with a high SES is substantially lower than organizations with a low SES score.
Companies deploying security intelligence systems experienced a substantially higher ROI (at 23%) than all other technology categories presented. Also significant are the estimated ROI results for companies that extensively deploy encryption technologies (20%) and advanced perimeter controls such as UTM, NGFW, IPS with reputation feeds (19%).
Deployment of enterprise security governance practices moderates the cost of cybercrime. Findings show companies that invest in adequate resources, appoint a high-level security leader, and employ certified or expert staff have cybercrime costs that are lower than companies that have not implemented these practices. This so-called “cost savings” for companies deploying good security governance practices is estimated at $1.3 million for employing expert personnel and $1.1 million for achieving certification against industry-leading standards.
The report analyses the key findings under the following topics:
The average cost of cybercrime by organizational size and industry
To determine the average cost of cybercrime, the 257 organizations in the study were asked to report what they spent to deal with cybercrimes experienced over four consecutive weeks. Once costs over the four-week period were compiled and validated, these figures were then grossed-up to determine the annualized cost.
The total annualized cost of cybercrime in 2014 ranges from a low of $0.56 million to a high of $60.5 million. The median annualized cost of cybercrime in the benchmark sample is $6.0 million, an increase from last year’s median value of $5.5 million. The mean value is $7.6 million, an increase of $357,761 from last year’s mean of $7.2 million. Please note that the percentage net change from last year’s mean for the six returning countries is 10.4%.
Of the 257 companies in the sample, 86 incurred total costs above the mean value of $7.6 million and 171 experienced an annualized total cost below the mean, indicating a skewed distribution. The highest cost estimate of $61 million was determined not to be an outlier based on additional analysis.
The report also calculates a precision interval for the average cost of $7.6 million. The purpose of this interval is to demonstrate that the cost estimates should be thought of as a range of possible outcomes rather than a single point or number.
The range of possible cost estimates widens at increasingly higher levels of confidence. Specifically, at a 90% level of confidence they expect the range of cost to be between $7.2 million to $7.9 million.
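To make the methodology in the preceding paragraphs concrete (four-week costs grossed up to annual figures, a mean that sits above the median because the distribution is right-skewed, and a precision interval that widens as the confidence level rises), here is an added Python example. It is not code from the Ponemon report, which does not publish its cost model, and the ten four-week cost figures are constructed. The interval uses the normal approximation mean ± z·s/√n; that is my assumption about how to form it, since the report does not state its method, and for a sample as small as the constructed one a t-interval would be the more careful choice.

```python
from math import sqrt
from statistics import NormalDist, mean, median, stdev

WEEKS_PER_YEAR = 52
BENCHMARK_WEEKS = 4  # the study collects costs over four consecutive weeks


def annualize(four_week_cost):
    """Gross up a four-week cost figure to an annual figure (a factor of 13)."""
    return four_week_cost * WEEKS_PER_YEAR / BENCHMARK_WEEKS


def precision_interval(values, confidence):
    """Two-sided interval for the mean at the given confidence level, using the
    normal approximation mean +/- z * s / sqrt(n). Assumed method for this example;
    the report does not state how it forms its interval."""
    n = len(values)
    m = mean(values)
    z = NormalDist().inv_cdf(0.5 + confidence / 2)  # e.g. 1.645 for 90%
    half_width = z * stdev(values) / sqrt(n)
    return m - half_width, m + half_width


def summarize(four_week_costs, confidence=0.90):
    """Annualize per-organization four-week costs and report the statistics the
    study quotes: mean, median, the split of organizations above and below the
    mean (a skew indicator), and the precision interval for the mean."""
    annual = [annualize(c) for c in four_week_costs]
    m = mean(annual)
    low, high = precision_interval(annual, confidence)
    return {
        "n": len(annual),
        "mean": m,
        "median": median(annual),
        "above_mean": sum(1 for a in annual if a > m),
        "below_mean": sum(1 for a in annual if a <= m),
        "ci_low": low,
        "ci_high": high,
    }


# Constructed four-week cost figures for ten organizations (USD), deliberately
# right-skewed like the study's sample: one very expensive company pulls the mean
# well above the median.
SAMPLE_COSTS = [40_000, 55_000, 70_000, 90_000, 120_000,
                150_000, 200_000, 300_000, 450_000, 1_200_000]

if __name__ == "__main__":
    s = summarize(SAMPLE_COSTS)
    print(f"n={s['n']}  mean=${s['mean']:,.0f}  median=${s['median']:,.0f}")
    print(f"{s['above_mean']} organizations above the mean, {s['below_mean']} below")
    annual = [annualize(c) for c in SAMPLE_COSTS]
    for level in (0.80, 0.90, 0.95):
        low, high = precision_interval(annual, level)
        print(f"{level:.0%} precision interval: ${low:,.0f} to ${high:,.0f}")
```

With the constructed figures the annualized mean is $3,477,500 against a median of $1,755,000, with only three of the ten organizations above the mean, which is the same shape as the report’s 86-above, 171-below split. Running the interval at 80%, 90% and 95% shows the widening the report describes.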
Certain attacks are more costly based on organizational size. The study focuses on 9 different attack vectors as the source of the cybercrime. They compare smaller and larger-sized organizations based on the sample median of 8,509 seats. Smaller organizations (below the median) experience a higher proportion of cybercrime costs relating to web-based attacks, viruses, worms, Trojans and other malware.
In contrast, larger organizations (above the median) experience a higher proportion of costs relating to denial of service, malicious code and malicious insiders. In the context of this research, malicious insiders include employees, temporary employees, contractors and possibly other business partners. The study also distinguishes viruses from malware: viruses reside on the endpoint and have not yet infiltrated the network, whereas malware has infiltrated the network. Malicious code attacks the application layer and includes SQL injection attacks.
The cost of cybercrime impacts all industries. The average annualized cost of cybercrime appears to vary by industry segment. In this year’s study they compare cost averages for 17 different industry sectors. The cost of cybercrime for companies in energy & utilities, financial services and technology experienced the highest annualized cost. In contrast, companies in media, life sciences and healthcare incurred much lower cost on average.
The type of cyber-attack influences the cost of cyber crime
The study looks at 9 different attack vectors as the source of the cybercrime. This year, the benchmark sample of 257 organizations experienced 429 discernible cyber-attacks, or 1.6 attacks per company each week. The report also tabulates the number of successful attacks for each of the past three years, which has steadily increased.
Virtually all organizations had attacks relating to viruses, worms and/or Trojans and malware over the four-week benchmark period. Malware attacks and malicious code attacks are inextricably linked. They classified malware attacks that successfully infiltrated the organizations’ networks or enterprise systems as a malicious code attack.
59% experienced botnets and 58% experienced web-based attacks. Denial of service attacks and stolen devices were experienced by 49% of companies. Only 35% of companies say a malicious insider was the source of the cybercrime.
Costs vary considerably by the type of cyber-attack. The report breaks down, for each of the seven countries, the proportion of annualized cybercrime cost attributable to each of the 9 attack types, compiled from all benchmarked organizations.
With respect to web-based attacks, the percentage annualized costs seem to be fairly consistent, ranging from a low of 13% for Australia to 19% for Japan and Russia. For denial of service, the low is 8% for France and the high is 25% for the United Kingdom. In the case of malicious insiders, the low is 6% for Germany and the high is 21% for Japan. Finally, the cost of malware has a low of 6% for the US and Japan and a high of 17% for the Russian Federation.
The cost of cybercrime is also influenced by the frequency of attacks. When the attack types are ranked by cost per incident, the most expensive are malicious insiders, denial of service, web-based attacks and malicious code. Malware attacks are the most frequently encountered and hence represent a relatively low unit cost.
Time to resolve or contain cybercrimes increases the cost. The mean number of days to resolve cyber attacks is 31 with an average cost of $20,758 per day, or a total cost of $639,462 over the 31 day remediation period. This represents a 23% increase from last year’s cost estimate of $509,665 over a 27-day remediation period. Please note that resolution does not necessarily mean that the attack has been completely stopped. For example, some attacks remain dormant and undetected (i.e., modern day attacks).
Some attacks take longer to resolve and as a result are more costly. The time it takes to resolve the consequences of the attack increases the cost of a cybercrime. The analysis shows the average number of days to resolve cyber attacks for the 9 different attack types studied in this report. It is clear from this chart that it takes the most time, on average, to resolve attacks from malicious insiders, malicious code and web-based attackers (hackers). Malware, botnets and viruses on average are resolved relatively quickly (i.e., in a few days or less).
An analysis of the cost components of cyber crime
Information theft remains the most expensive consequence of a cybercrime. In this research they look at four primary consequences of a cyber attack: business disruptions, the loss of information, loss of revenue and damage to equipment. Among the organizations represented in this study, business disruption represents the largest cost component (38%). The cost of business disruption includes diminished employee productivity and business process failures that happen after a cyber attack. Information and revenue loss follow at 35% and 22%, respectively.
Companies spend the most on detection and recovery. Cybercrime detection and recovery activities account for 53% of total internal activity cost. This is followed by containment and investigation cost (both at 15%). Detection and recovery cost elements highlight a significant cost-reduction opportunity for organizations that are able to systematically manage recovery and to deploy enabling security technologies to help facilitate the detection process.
The largest portion of the security budget is allocated to the network layer. The network layer receives the highest allocation at 33% of total dedicated IT security funding. At only 7%, the host layer receives the lowest funding level.
The organization’s security posture influences the cost of cybercrime. We measure the security posture of participating organizations as part of the benchmarking process. The figure plots the annualized cost, with a regression line, for companies in descending order of their security effectiveness as measured by the Security Effectiveness Score (SES).
The figure shows an upward sloping regression, suggesting that companies with a stronger security posture experience a lower overall cost. The SES range of possible scores is +2 (most favourable) to -2 (least favourable). Compiled results for the present benchmark sample vary from a high of +1.90 to a low of -1.7 with an SES mean value at .31.
Organizations deploying security intelligence technologies realize a lower annualized cost of cybercrime. The figure shows the average amount of money companies can save with SIEM across the 6 activities conducted to resolve a cyber attack, comparing companies deploying and not deploying security intelligence systems. In total, 124 companies (48%) deploy security intelligence tools such as SIEM, IPS with reputation feeds, network intelligence systems, big data analytics and others.
With two exceptions (investigative and incident management costs), companies using security intelligence systems experience lower activity costs than companies that do not use these technologies. The largest cost differences in millions pertain to detection ($2.83 vs. $1.63), recovery ($1.77 vs. $1.13) and containment ($1.59 vs. $.94) activities, respectively.
Security intelligence systems have the biggest return on investment. The figure shows the estimated return on investment (ROI) realized by companies for each of the 7 categories of enabling security technologies indicated above. At 23%, companies deploying security intelligence systems, on average, experience a substantially higher ROI than all other technology categories in this study.
Also significant are the estimated ROI results for companies that extensively deploy encryption technologies (20%) and advanced perimeter controls such as UTM, NGFW, IPS with reputation feeds and more (19%). The estimated average ROI for all 7 categories of enabling security technologies is 15%.
Certain governance activities can reduce the cost of cybercrime. The top three governance activities are: certification against industry-leading standards, appointment of a high-level security leader (CISO) and employment of expert security personnel.
Find the full study here.
An ACI Worldwide global fraud study of more than 6,100 consumers across 20 countries revealed distrust among global consumers in retailers to protect their data.
“Global Consumers: Concerned and Willing to Engage in the Battle Against Fraud,” is the second in a two-part series conducted by ACI Worldwide and Aite Group. Among other findings, only slightly more than 50% of consumers feel stores where they shop use security systems that adequately protect their financial data against hackers and data breaches.
Mobile Customer Engagement
Prepaid Card Implications
“Consumer distrust is exacerbated by the widely publicized retail data breaches over the past year,” said Mike Braatz, senior vice president, Payments Risk Management Solutions, ACI Worldwide.
“Retailers have their work cut out for them – to change consumer perception that shopping, be it online or in-store, is unsafe,” said Mike Braatz, senior vice president, Payments Risk Management Solutions, ACI Worldwide.
“Consumers want to engage in the battle against fraud. Financial institutions must take a proactive role in not only engaging customers in fraud-alerting activities, but educating them on preventative measures to take to most effectively combat it,” said Shirley Inscoe, analyst, Aite Group.
“Communication is key when it comes to financial institutions making customers aware of the tools available to fight fraud. This can have a big impact in customer satisfaction and loyalty,” said Shirley Inscoe, senior analyst, Aite Group.
The second DB Networks sponsored Ponemon Institute report on the SQL injection threat has been released.
The report explores what IT security professionals think about the likely attack chain of recent data breaches involving major retailers such as Target, Michaels and Neiman Marcus. The first report focused on how organizations respond to the SQL injection threat and their awareness about different approaches to managing this risk.
The study surveyed 595 individuals who work in IT and IT security. The majority of respondents are familiar with core IDS technologies that detect rogue SQL statements on the network that connect the web application to the database.
69% of respondents say their organization must comply with Payment Card Industry Data Security Standard (PCI DSS). As such, a majority of the respondents are very familiar with and required to comply with the security requirements for retailers who accept payment cards.
SQL injections have been defined as being used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injections exploit security vulnerabilities in an application’s software. SQL injection is most commonly known as an attack vector through public facing websites but can be used to attack SQL databases in a variety of ways.
Background on retail breaches
Details of the recent retailer network intrusion and data breach haven’t been readily forthcoming from either the retailers who were breached or the U.S. Secret Service in charge of the breach investigations. As a result, security professionals are left to piece together the attack chain details based on the limited amount of information that has been shared thus far.
Target, for example, has revealed that the credentials of an HVAC contractor were compromised. Target claims those compromised credentials initiated the attack chain that ultimately resulted in two major breaches. While certainly an interesting factoid, that information actually offers little insight into the events that ultimately resulted in the breach of 40 million credit cards and another 70 million database records containing personally identifiable information (PII).
The HVAC vendor credentials only provided access to Target’s vendor billing and invoicing system. It’s a rather long leap from those systems into Target’s POS systems. How that feat was accomplished hasn’t been made public. Further, a report by BusinessWeek revealed that Target’s IT security systems were able to identify the hacker’s suspicious activity multiple times during the attack. Unfortunately, those alerts were not acted upon by Target’s IT security staff.
Some of the key takeaways from this study include:
Find the report here.
In a CNNMoney commissioned study Ponemon Institute researchers found:-
“It’s becoming more acute,” said Ponemon Institute head Larry Ponemon. “If you’re not a data breach victim, you’re not paying attention.”
The CNNMoney article points to recent examples of large hack attacks:-
Full article here.
Ponemon Institute have released their The SQL Injection Threat Study sponsored by DB Networks. The purpose of the research was to understand how organisations respond to the SQL injection threat and their awareness about different approaches to managing this risk.
The study surveyed 595 individuals who work in IT and IT security. The majority of respondents were familiar with core IDS technologies that detect rogue SQL statements on the network that connect the web application to the database.
SQL injections are defined as:-
being used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injections exploit security vulnerabilities in an application’s software. SQL injection is most commonly known as an attack vector through public facing websites but can be used to attack SQL databases in a variety of ways.
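The definition above (and the identical one given for the earlier DB Networks report) describes input from an "entry field" being executed as SQL. The following added example, which is not from the Ponemon report or DB Networks, shows the defect beside its fix: a lookup that splices user input into the query text versus the same lookup with a bound parameter, run against a constructed in-memory SQLite table so the difference in returned rows can be observed directly.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data (not from the report): three customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678"),
         ("carol@example.com", "9012")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Defect: the entry-field value becomes part of the SQL text, so any SQL
    # metacharacters in it are parsed as SQL rather than compared as data.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Fix: a parameterised query. The driver binds the value separately from
    # the statement, so the input can only ever be compared, never executed.
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def demo() -> dict:
    """Row counts for a normal value and for input carrying SQL metacharacters."""
    conn = build_db()
    normal = "alice@example.com"
    # Textbook tamper string; no legitimate e-mail address contains a quote.
    tampered = "x' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_tampered": len(lookup_vulnerable(conn, tampered)),  # whole table
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_tampered": len(lookup_safe(conn, tampered)),  # no match
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every row for the tampered input, which is the "dump the database contents" outcome the definition describes; the parameterised version returns none, because the quote characters are matched literally.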
Key findings extracted from the report:-
The full report can be found here.
Based on a study of global cyber activity, hackers continue to be responsible for the largest number of data breaches. The general trend of vulnerabilities that allow attackers to compromise availability, confidentiality, or integrity of a computer system is upward. For 2012, there were approximately 101 new vulnerabilities each week.
The EU’s cyber security Agency ENISA has issued its annual Threat Landscape 2013 report, where over 200 publicly available reports and articles have been analysed.
Questions addressed are:
Among the key findings is that cyber threats have gone mobile, and that adoption of simple security measures by end-users would reduce the number of cyber incidents worldwide by 50%.
The ENISA Threat Landscape presents the top current cyber threats of 2013 and identifies emerging trends. In 2013 important news stories, significant changes and remarkable successes have left their footprint in the cyber-threat landscape. Both negative and positive developments have formed the 2013 threat landscape. In particular:
Negative trends 2013:
Positive developments in the cyber threat trends in 2013 include:
The top three threats:
Key open issues, identified are:
The Executive Director of ENISA, Professor Udo Helmbrecht remarked: “This threat analysis presents indispensable information for the cyber security community regarding the top threats in cyber-space, the trends, and how adversaries are setting up their attacks by using these threats.”
The full report can be found here.
The AIG has issued a press release on the threat of credit card fraud and how other parties can help reduce what they call the “fast-growing epidemic of credit card fraud”.
In the release, AIG identifies two main culprits for the theft of the credit cards:-
Airline Information’s Managing Partner, Michael Smith, says about hotels: “Front line hotel employees can easily access and steal credit card numbers and your personal details. Couple this with outdated IT and business processes related to franchising and it’s a toxic mix. Hotel chains and their franchises often use different reservations systems, requiring that paper copies of credit cards be used in many hotel properties. This is much less secure than the masked electronic credit card information standard in almost any other industry. The result is that hotels can be traced as the source of nearly one third of all credit card fraud globally, which hits our company’s airline clients particularly hard, since airline tickets are a common item purchased with stolen cards.”
When credit card numbers are hacked or stolen, they are then sold online to be used for online purchases or for making cloned credit cards. Personal data about the cardholders, widely available on the web and Facebook, may also be used by fraudsters (as credit card criminals are referred to) to assume the identities of the cardholders.
AIG also claims Facebook is used for the selling of credit card data, as well as for sharing information between fraudsters on how to successfully steal card numbers and commit identity theft. Jan-Jaap Kramer, CEO of the Dutch fraud prevention consultancy, FraudGuard, says: “There are numerous pages on Facebook set up by criminal rings to facilitate and share information about credit card fraud. Many of these pages show all credit card details like CVC code, expiry code, the PIN code for online payments and personal data of the cardholder including home address, date of birth, social security numbers and more. We have asked Facebook to block these pages, but it takes no action. The result is greater fraud losses for consumers and merchants, ruined credit records and misery trying to sort out fraudulent transactions.”
The Airline Information “calls on Facebook to stop the practice of facilitating the sharing of fraudulent credit card information via Facebook pages. We encourage consumers and merchants to contact Facebook and their government authorities to have Facebook end this consumer-unfriendly practice”.
It is simple: your investment in securing your data will be considerably less than the potential cost of a breach and the subsequent clean-up.
IP EXPO’s 2011 security index survey was conducted among IT professionals from businesses of all sizes and sectors on behalf of Imago Techmedia and the IP EXPO show organisers.
“Respondents to our survey overwhelmingly agreed that IT security should not be viewed as an isolated activity, but would best be treated as an integrated part of businesses’ entire technology reviews and processes,” said Mike England, Social Business & Content Director at IP EXPO event organiser Imago Techmedia.
The key findings include:
CSA UK & Ireland President Des Ward commented on the results of the survey:
“Lack of collaboration and a perceived disconnect between security and business would explain the view of security being deemed ‘a necessary evil’, or even a cost of doing business online and consequently having little real business value. Businesses need to evolve beyond compliance risk management to information risk management in order to implement strategies that reduce the likelihood of breaches occurring, while at the same time affording a level of business agility fitting today’s interconnected society,” he suggested.
Of the main findings, Nigel Stanley, security practice leader at Bloor Research and IT Security Pathfinder at IP EXPO, said:
“What’s clear is that even if someone’s job doesn’t directly involve security per se, everyone needs to be actively engaged in dealing with the problem. And the way that businesses are going about it is encouraging, because security management needs to be a two-way process with the users actively engaged in the process. Generally, taking compliance steps should enhance an organisation’s security – unless of course it is doing just enough to tick the boxes but failing to see the broader benefits of building a compliant business. However, reducing security posture to achieve compliance is bonkers.
“The IT security industry has been left wanting in respect of the consumerisation of IT that’s been fuelled by smartphone adoption. Only now are we starting to see management tools for these devices, so it’s no surprise that these have been identified by respondents as the biggest risk area,” he commented.
IP EXPO will be in London on the 19th and 20th October 2011.