Brian Pennington

A blog about Cyber Security & Compliance

Top 5 Strategic Infosec issues in Higher Education

The EDUCAUSE infographic lists the top five strategic information security issues for higher education:

  1. Developing an effective information security strategy that responds to institutional organization and culture and that elevates information security concerns to institutional leadership.
  2. Ensuring that members of the institutional community (students, faculty, and staff) receive information security education and training.
  3. Developing security policies for mobile, cloud, and digital resources (includes issues of data handling/protection, access control, and end-user awareness).
  4. Using risk-management methodologies to identify and address information security priorities.
  5. Developing, testing, and refining incident response capabilities to respond to information systems/data breaches.

The infographic is below:

[Image: EDUCAUSE infographic]

SMEs are putting larger customers at risk of security breaches

According to Shred-it’s third annual Security Tracker survey, SMEs in the UK are putting their own businesses at risk, and could also be damaging the larger firms they supply services to, by not taking enough preventative measures to protect confidential data.

“It’s good business sense for larger companies to ask whether their suppliers have a data protection partner and an information security system in place – not only to prevent sensitive information being lost by a third party but also because the financial and reputational damage of a breach could put that supplier out of business and cause havoc in the supply chain,” warns Robert Guice, Vice President Shred-it EMEA.

The survey reveals SMEs are 10 times less likely to have an information security system set up than is the case with larger businesses.

“SMEs continue to hugely underestimate the potential cost of a data breach to them. In terms of financial loss, the Information Commissioner’s Office in the UK can fine companies up to half a million pounds, enough to send many companies into insolvency,” Mr Guice said. “We believe that smaller companies may be over-estimating the costs involved in making sure confidential information is kept safe.

“Whilst larger companies may be able to absorb this cost, SMEs risk a huge hit to their bottom line and a tarnished reputation which can impact relationships with customers and other business partners,” Mr Guice continued.

There is a worrying gap between the protocols in place at smaller and larger businesses. Whilst companies with revenue over £1m are eight times more likely to use a professional shredding company to dispose of their sensitive documents, 37 per cent of small businesses in the UK have no information security management system in place. Moreover, three in ten (28 per cent) small business owners have never provided any information security training to their employees.

Key findings include:

  • 2 in every 5 large businesses suffering a data breach have incurred losses of more than £500,000
  • The average fine is approximately £150,000 – large enough for 30% of companies to have to lay off staff as a result.
  • 77% of larger businesses have an employee directly responsible for managing information security issues at management level (66%) or board level (11%)
  • 48% of SMEs have a nominated person
  • 95% of large businesses have an employee devoted to data protection compared with only 53% of small business owners, suggesting that larger businesses better understand the potential threat of data breaches and have put control systems in place accordingly.
  • 33% of senior business executives and only 4% of small business owners use a professional shredding service
  • Large businesses (88%) are more than twice as likely as small businesses (43%) to be aware of the EU Data Protection Directive reforms.
  • Although the gap is closer, large businesses are still more likely to be aware of the UK Data Protection Act (92%) than small business owners (72%).
  • With more information being stored in electronic form, it is equally worrying that less than one quarter of large (23%) and small businesses (25%) crush their electronic media – which means the vast majority of UK businesses are inadvertently putting themselves and their customers at risk.
  • Businesses could be giving away private information to fraudsters by not properly disposing of or destroying hard drives. 66% of large business and 49% of small business owners wrongly think that degaussing or wiping a hard drive will remove confidential information kept on them.

CIOs Optimistic About Information Security

PwC have released their 2012 Global State of Information Security Survey.

The survey is a worldwide security survey by PwC, CIO Magazine and CSO Magazine. It was conducted online between February 10 and April 18, 2011. Survey respondents were from around the globe and were invited via email to take the survey. The results discussed in this report are based on the responses of more than 9,600 CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents and directors of IT and information security from 138 countries. Twenty-nine percent (29%) of respondents were from North America, 26% from Europe, 21% from South America, 20% from Asia, and 3% from the Middle East and South Africa. The margin of error is less than 1%.

Threats to security, like the weather, are hard to predict. Many executives point to the sunshine and clear skies overhead. Others eye the low barometric pressure.

The survey produced 17 findings, which are summarised below:

A world of front-runners: Respondents categorize their organization

Finding #1 This year, a surprisingly high percentage of respondents consider their organization, in effect, a “front-runner” in information strategy and execution.

Finding #2 These “front-runners” see client requirement as the greatest justification for information security spending—and are passionate about protecting data.

Finding #3 Curiously, “strategists” are far more likely to clamp down on funding for information security than any of the other three groups.

Confidence and progress: A decade of maturation

Finding #4 A clear majority of respondents are confident that their organization’s information security activities are effective.

Finding #5 Companies now have greater insights than they’ve ever had into cyber crimes and other incidents and they’re translating this information into investments specifically focused on three areas: prevention, detection and web-related technologies.

Finding #6 After three years of cutting information security budgets and deferring security related initiatives, respondents are “bullish” about security spending.

Vulnerability and exposure: Capability degradation since 2008

Finding #7 One of the most dangerous cyber threats is an Advanced Persistent Threat attack. Few organizations have the capabilities to prevent this.

Finding #8 After three years of economic volatility and a persistent reluctance to fund the security mission, degradation in core security capabilities continues.

Finding #9 Managing the security-related risks associated with partners, vendors and suppliers has always been an issue. It’s getting worse.

Finding #10 That 72% worldwide confidence rating in security practices may seem high but it has declined markedly since 2006.

Windows of improvement: Where the best opportunities lie

Finding #11 What are the greatest obstacles to effective information security? Leaders point to the lack of capital, among other factors—and shine the spotlight hottest at the “top of the house.”

Finding #12 Mobile devices and social media represent a significant new line of risk and defense. New rules are in effect this year for many organizations, though not yet the majority.

Finding #13 Cloud computing is improving security. But many want better enforcement of provider security policies, among other priorities.

Global trends: Asia races ahead while the world’s information security arsenals age

Finding #14 For several years, Asia has been firing up its investments in security. This year’s results reveal just how far the region has advanced its capabilities.

Finding #15 As North American organizations continue their reluctance to fund security’s mission at levels that they have in the past, capabilities continue to degrade.

Finding #16 In the face of economic uncertainty and in spite of a portfolio of security capabilities in decline, Europe pulls the purse strings even tighter.

Finding #17 Like most of the world, South America’s armory of information security defenses is rusting. As the region’s confidence in its security plummets, it thirsts for cash.

What this means for your business: look at the leaders. Learn from what they have done and how they are electing to address the future.

Find the full details of the report here.

Global Threat Report Quarter 1 2011

The Cisco Quarter 1 2011 Global Threat Report has been released. The Cisco Global Threat Report is a compilation of data collected across the four segments of Cisco Security: ScanSafe, IPS, RMS and IronPort.

The highlights for Quarter 1 2011 include:

  • 105,536 unique Web malware were encountered in March 2011, a 46% increase from January 2011
  • Malicious webmail represented 7% of all Web-delivered malware in March 2011, a 391% increase from January 2011
  • 45% of all malicious webmail resulted from Yahoo! mail, 25% from Microsoft Live/Hotmail, and only 2% from Google’s Gmail
  • Search-engine-related traffic resulted in an average of 9% of all Web malware encountered in 1Q11
  • 33% of search engine encounters were via Google search engine results pages (SERPs), with 4% each from Yahoo! and Bing SERPs
  • SERPs and webmail encounters are impacted by the popularity of a particular service and are likely not indicative of any heightened risk specific to that service
  • Likejacking increased significantly during the first quarter of 2011, from 0.54% of all Web malware encounters in January 2011 to 6% in March 2011
  • At 13%, Miley Cyrus–themed likejacking scams beat out all other celebrities and events in March 2011. Likejacking themes for Indian actress Nayantara were at 7%, while Charlie Sheen was at 3%, Justin Bieber at 2%, and Lady Gaga at 1%
  • At 4% of all Web malware encounters in 1Q11, website compromises that attempted to download the Hiloti Trojan were the most frequently encountered, followed by malicious GIF injections (3%). Website compromises related to the Lizamoon series of SQL injection attacks represented just 0.15% of Web malware encounters for the quarter
  • Though far less successful than in years past, SQL injection attempts continued to be the most prevalent event firing (55%) observed by Cisco Remote Management Services in 1Q11
  • Malware activity related to the MyDoom worm was the 10th most frequently RMS-observed IPS event in 1Q11, demonstrating that legacy malware can still pose a threat to unprotected systems
  • As expected, Rustock activity declined significantly over 1Q11, but, interestingly, the sharp decline commenced weeks prior to the botnet takedown
  • Following 4Q10 declines, global spam volume increased and then subsequently decreased during 1Q11, but levels remained above that of December 2010
  • With an increase of 248%, Indonesia overtook the United States as the top spam-sending country in 1Q11

Cisco’s Top 10 Signature Findings Q1 2011

Signature  Percentage
Generic SQL Injection  55.03%
Web View Script Injection Vulnerability  7.01%
Gbot Command and Control Over HTTP  5.16%
B02K-UDP  5.20%
Cisco Unified Videoconferencing Remote Command Injection  4.91%
Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution  3.27%
Windows MHTML Protocol Handler Script Execution  2.47%
WWW WinNT cmd.exe Access  1.30%
Web Application Security Test/Attack  1.19%
MyDoom Virus Activity  1.16%

Note that the MHTML vulnerability described in Microsoft KB 2501696, IntelliShield alert 22310, and Cisco Intrusion Prevention System (IPS) 6.0 – 33379/0 also appears on the Cisco RMS top 10 signature events list for 1Q11. Microsoft released an update for this former zero-day vulnerability in April 2011 (MS11-026).

While a frequent event in 1Q11, SQL injection attempts remained at a fairly steady pace throughout the quarter, with the only notable increase occurring in the latter part of March 2011.

Cisco RMS Top 10 by Port Activity
Port  Percentage
80 69%
40436 2.23%
25 2.17%
161 1.39%
5060 1.27%
123 1.16%
34227 1.13%
443 1.05%
21 1.00%
20 0.71%

Although they represent a relatively small percentage of overall spam, phishing attacks pose a serious risk to security, both from a financial and sensitive information disclosure perspective. In 1Q11, attackers increasingly turned their attention toward phishing Twitter accounts.

This interest in Twitter credentials is likely due in part to Twitter users’ acceptance of shortened URLs. By compromising Twitter accounts, attackers can take advantage of shortened URLs to entice followers to visit malicious links the users might ordinarily view as suspicious. Such attacks are further fuelled by the trust engendered through social networking in general.
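The defensive counterpart to the shortened-URL trick described above is to expand the link before anyone follows it, so the hidden destination becomes visible. The following added example (not from the Cisco report or the original post) follows redirects one hop at a time through an injected `head` callable and flags chains that start at a shortener, hop many times, or end on a host that merely looks like Twitter. `SAMPLE_REDIRECTS`, `SHORTENER_HOSTS` and the lookalike heuristic are constructed assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: URL -> value of its Location header, standing in for the
# HEAD responses a real resolver would receive. No network is needed to run this.
SAMPLE_REDIRECTS = {
    "http://short.example/abc": "http://tracker.example/go?x=1",
    "http://tracker.example/go?x=1": "http://login-twitter.example/verify",
}

# Assumption: an illustrative allow-list of known shortener hosts.
SHORTENER_HOSTS = {"short.example", "bit.ly", "t.co", "tinyurl.com"}


def expand_short_url(url, head, max_hops=5):
    """Follow Location headers one hop at a time without fetching page bodies.

    `head(url)` returns the Location header of a redirect response, or None
    when the URL is a final destination. Returns the full chain of URLs
    visited. Stops after max_hops or on a repeated URL so a redirect loop
    cannot spin forever.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = head(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
        if nxt in seen:
            break  # loop detected: the chain now ends where it repeats
        seen.add(nxt)
    return chain


def assess_chain(chain):
    """Return the reasons an expanded link deserves a second look (empty if none)."""
    first_host = urlsplit(chain[0]).hostname or ""
    final_host = urlsplit(chain[-1]).hostname or ""
    reasons = []
    if first_host in SHORTENER_HOSTS:
        reasons.append("starts at a URL shortener, so the destination was hidden")
    if len(chain) > 2:
        reasons.append(f"{len(chain) - 1} redirect hops before the final page")
    # Heuristic (assumption): a host containing 'twitter' that is not twitter.com
    # is a lookalike, the kind of page credential phishing lands on.
    if "twitter" in final_host and not final_host.endswith("twitter.com"):
        reasons.append(f"final host {final_host!r} imitates Twitter but is not twitter.com")
    return reasons


if __name__ == "__main__":
    chain = expand_short_url("http://short.example/abc", SAMPLE_REDIRECTS.get)
    print(" -> ".join(chain))
    for reason in assess_chain(chain):
        print("warning:", reason)
```

In production `head` would issue a HEAD request with redirects disabled and return the Location header, keeping the page body unfetched until the chain has been reviewed.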

The report can be downloaded here.

Cloud Computing Risk Assessment from ENISA

In November 2009 the European Network and Information Security Agency (ENISA) published a document titled “Cloud Computing Risk Assessment”, subtitled “Benefits, risks and recommendations for information security”.

The document may be 15 months old, but it is an excellent starting point for any organisation looking to invest in the cloud.

The official ENISA wording is below.

ENISA, supported by a group of subject matter experts comprising representatives from industry, academia and governmental organisations, has conducted, in the context of the Emerging and Future Risk Framework project, a risk assessment of cloud computing business models and technologies. The result is an in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing. The report also provides a set of practical recommendations.

Download the document from the ENISA site here.

Botnets: 10 Tough Questions downloadable research

As part of the project “Botnets: Detection, Measurement, Mitigation & Defence”, a series of questions was discussed by internationally renowned experts in the field of botnets between September and November 2010.

This document presents a selection of the most interesting results and distils the major issues that need to be understood and addressed by decision-makers in all stakeholder groups.

Editor: Dr. Giles Hogben
Authors: Daniel Plohmann, Elmar Gerhards-Padilla, Felix Leder

Download the document here.

The European Network and Information Security Agency works for the EU institutions and Member States. ENISA is the EU’s response to the security issues of the European Union and, as such, is the ‘pace-setter’ for information security in Europe.

The objective is to make ENISA’s web site the European ‘hub’ for exchange of information, best practices and knowledge in the field of Information Security. This web site is an access point to the EU Member States and other actors in this field.
