Brian Pennington

A blog about Cyber Security & Compliance

Are British Businesses over confident about the threat of data breaches?

Ilex International have launched their Breach Confidence Index. The Index is a benchmark survey created to monitor the level of confidence that British businesses have when it comes to security breaches. The Index shows high confidence levels:

  • 24% of IT decision makers surveyed are very confident
  • 59% are fairly confident that their business is protected against a data security breach

The Breach Confidence Index raises major concerns for British businesses. Businesses are not currently required to report security breaches and in many cases, may not even know that they have experienced one. The survey found that 49% said their business has not experienced a security breach. In comparison to actual statistics shared at the 2015 Cyber Symposium, there is a major gap between the perception and reality of security breaches among businesses.

According to the survey, the most common weaknesses resulting in a data breach were:

  • 22% malware vulnerabilities
  • 21% email security
  • 15% employee education
  • 12% cloud applications
  • 12% insider threats
  • 8% access control
  • 8% BYOD or mobile access
  • 6% non-compliance to current regulations

Weaknesses relating to identity and access management considerably increase as organisations expand their workforce. Some of the most common issues highlighted by large businesses include:

  • 44% insider threats
  • 42% employee education
  • 26% access control
  • 24% BYOD or mobile access

All figures in the Ilex International Breach Confidence Index, unless otherwise stated, are from YouGov Plc. Total sample size was 530 IT Decision Makers. Fieldwork was undertaken between 6th – 12th August 2015. The survey was carried out online.

Payment Card Industry issues new guidance to help organizations respond to data breaches

For any organization connected to the internet, it is not a question of if but when their business will be under attack, according to a recent cybersecurity report from Symantec, which found Canada ranked No. 4 worldwide in terms of ransomware and social media attacks last year. These increasing attacks put customer information, and especially payment data at risk for compromise.

When breaches do occur, response time continues to be a challenge. In more than one quarter of all breaches investigated worldwide in 2014 by Verizon, it took the victim organization weeks, or even months, to contain the breach. It is against this backdrop that global cybersecurity, payment technology and data forensics experts are gathering in Vancouver for the annual PCI North America Community Meeting to address the ongoing challenge of protecting consumer payment information from criminals, and new best practices on how organizations can best prepare for responding to a data breach.

A data breach now costs organizations an average total of $3.8 million. However, research shows that having an incident response team in place can create significant savings. Developed in collaboration with the Payment Card Industry (PCI) Forensic Investigators (PFI) community, Responding to a Data Breach: A How-to Guide for Incident Management provides merchants and service providers with key recommendations for being prepared to react quickly if a breach is suspected, and specifically what to do to contain damage and facilitate an effective investigation.

“The silver lining to high profile breaches that have occurred is that there is a new sense of urgency that is translating into security vigilance from the top down, forcing businesses to prioritize and make data security business-as-usual,” said PCI SSC General Manager Stephen W. Orfei. “Prevention, detection and response are always going to be the three legs of data protection. Better detection will certainly improve response time and the ability to mitigate attacks, but managing the impact and damage of compromise comes down to preparation, having a plan in place and the right investments in technology, training and partnerships to support it.”

“This guidance is especially important given that in over 95% of breaches it is an external party that informs the compromised organization of the breach,” added PCI SSC International Director Jeremy King. “Knowing what to do, who to contact and how to manage the early stages of the breach is critical.”

At its annual North America Community Meeting in Vancouver this week, the PCI Security Standards Council will discuss these best practices in the context of today’s threat and breach landscape, along with other standards and resources the industry is developing to help businesses protect their customer payment data. Keynote speaker and cybersecurity blogger Brian Krebs will provide insights into the latest attacks and breaches, while PCI Forensic Investigators and authors of the Verizon Data Breach Investigation Report and PCI Compliance Report will present key findings from their work with breached entities globally. Canadian organizations including City of Calgary, Interac and Rogers will share regional perspectives on implementing payment security technologies and best practices.

Download a copy of Responding to a Data Breach: A How-to Guide for Incident Management here 

The original PCI SSC press release can be found here.

Standard & Poor’s labeled holes in cybersecurity a financial risk in a report

Banks with weak cybersecurity controls could be downgraded even if they haven’t been attacked, Standard & Poor’s said Monday in a report.

While it hasn’t yet downgraded a bank based on its computer security, the ratings company said it would consider doing so if it determined the lender was ill-prepared to withstand a data breach. It would also drop a bank’s rating if an attack caused reputational harm or resulted in losses that hurt profit, S&P said.

“We view weak cybersecurity as an emerging threat that has the potential to pose a higher risk to financial firms in the future, and possibly result in downgrades,” S&P analysts led by Stuart Plesser wrote in the report.

Cyberattacks have become a growing threat for banks, with more than a dozen U.S. depository institutions reporting hacks in 2012 and 2013 that prevented consumers from accessing their websites, according to the report. Last year, the personal data of tens of millions of JPMorgan Chase & Co. customers were compromised in a breach. The bank spent $250 million on cybersecurity in 2014 and will increase that to $450 million by next year, S&P said.

Hostile nation-states, terrorist organizations, criminal groups, activists and, in some cases, company insiders are behind most of the global cyberattacks on banks, S&P said. South Korean financial institutions have experienced security breaches in recent years, while a Russian security company working with law enforcement said it uncovered a two-year, billion-dollar theft from banks around the world by a gang of cybercriminals, according to the report, which didn’t identify the lenders.

‘Continual Battle’

S&P classified the global risk of cyberattacks as “medium,” saying large banks have taken steps to mitigate the danger. Bigger institutions have an advantage over smaller ones because their revenue base can defray some expenses, according to the report.

Few banks have disclosed the amount they’re spending to guard against attacks, S&P said. Still, any cuts to technology units as part of larger cost-savings efforts would be “disconcerting.”

“Cyberdefense is a continual battle, particularly as technology evolves,” according to the report. “Many tech experts believe that if a hostile nation-state put all its resources into infiltrating a particular bank’s tech system, it would probably prove successful.”

The original article was published in Crain’s New York Business.

Mobile Payments Data Breaches will Grow

An ISACA survey of more than 900 cybersecurity experts shows that:

  • 87% expect to see an increase in mobile payment data breaches over the next 12 months
  • 42% of respondents have used this payment method in 2015

The 2015 Mobile Payment Security Study from global cybersecurity association ISACA suggests that people who use mobile payments are unlikely to be deterred by security concerns.

Other data from the survey show that cybersecurity professionals are willing to balance benefits with perceived security risks of mobile payments:

  • 23% believe that mobile payments are secure in keeping personal information safe.
  • 47% say mobile payments are not secure and 30% are unsure.
  • At 89%, cash was deemed the most secure payment method, but only 9% prefer to use it.

“Mobile payments represent the latest frontier for the ongoing choice we all make to balance security and privacy risk and convenience,” said John Pironti, CISA, CISM, CGEIT, CRISC, risk advisor with ISACA and president of IP Architects. “ISACA members, who are some of the most cyber-aware professionals in the world, are using mobile payments while simultaneously identifying and contemplating their potential security risks. This shows that fear of identity theft or a data breach is not slowing down adoption and it shouldn’t as long as risk is properly managed and effective and appropriate security features are in place.”

Reports say that contactless in-store payment will continue to grow. Overall, the global mobile payment transaction market, including solutions offered by Apple Pay, Google Wallet, PayPal and Venmo, will be worth an estimated US $2.8 trillion by 2020, according to Future Market Insights.

ISACA survey respondents ranked the major vulnerabilities associated with mobile payments:

  1. Use of public WiFi (26%)
  2. Lost or stolen devices (21%)
  3. Phishing/shmishing (phishing attacks via text messages) (18%)
  4. Weak passwords (13%)
  5. User error (7%)
  6. There are no security vulnerabilities (0.3%)

What Consumers Need to Know

According to those surveyed, currently the most effective way to make mobile payments more secure is using two ways to authenticate their identity (66%), followed by requiring a short-term authentication code (18%). Far less popular was an option that puts the onus on the consumer installing phone-based security apps (9%).

“People using mobile payments need to educate themselves so they are making informed choices. You need to know your options, choose an acceptable level of risk, and put a value on your personal information,” said Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, international president of ISACA and group director of information security for INTRALOT. “The best tactic is awareness. Embrace and educate about new services and technologies.”

Understand your level of risk: Ask yourself what level of personal information and financial loss is acceptable to balance the convenience of mobile payments.

Know your options: Understand the security options available to manage your risk to an acceptable level. Using a unique passcode should be mandatory, but also look into encryption, temporary codes that expire and using multiple ways to authenticate your identity.

Value your personal information: Be aware of what information you are sharing e.g., name, birthday, national identification number, pet name, email, phone number. These pieces of information can be used by hackers to gain access to accounts. Only provide the least amount of information necessary for each transaction.

Security Governance for Retailers and Payment Providers

In the emerging mobile payment landscape, ISACA notes that there is no generally accepted understanding of which entity is responsible for keeping mobile payments secure—the consumer, the payment provider or the retailer. One approach is for businesses to use the COBIT governance framework to involve all key stakeholders in deciding on an acceptable balance of fraud rate vs. revenue. Based on that outcome, organizations should set policies and make sure that mobile payment systems adhere to them.

Members of the IT or information security group taking part in the discussion should also ensure they are keeping up to date with the latest cybersecurity developments and credentials. A joint 2015 ISACA/RSA study shows that nearly 70% of information security/information technology professionals require certification when looking for candidates to fill open security positions.

The full ISACA Press Release can be found here.

Data Breaches: Are You Prepared?

Data privacy and security continues to be a growing concern for many organizations. With cyber attacks increasing each year, businesses must be mindful of how data breaches occur in order to prevent the exposure of confidential information. Recognizing vulnerabilities in data security efforts can help minimize the effects a cyber attack may have on an organization.

Original produced here by Thomson Reuters.

5 steps to respond to a security breach

Is your organisation equipped to deal with potential financial and reputational damage following an attack? 

Has your organisation established an incident management plan that covers data breaches? Recent evidence shows that organisations are ill-equipped to deal with an attack.

Australian bulk deals website, Catch of the Day, suffered a security breach in 2011, with passwords and other user information stolen from the company’s databases. It took until 2014 to notify customers, suggesting there was no response plan in place.

The backlash was very severe for global retail giant, Target, which fell victim to the second largest credit card heist in history. Many customers were outraged about the retailer’s inability to provide information after the breach, and its failure to assure customers that the issue was resolved.

Consequences included settlement payouts of up to $10 million and the resignations of its CIO and CEO.

Organisations should have established and tested incident management plans to respond to data security breaches sooner rather than later. A solid response plan and adherence to these steps can spare much unnecessary business and associated reputational harm.

Here’s a five step plan to ensure you give your organisation the best chance of minimising financial and reputational damage following an attack. 

Step 1: Don’t panic, assemble a taskforce

Clear thinking and swift action are required to mitigate the damage. There is no time for blame-shifting. You need a clear, pre-determined response protocol in place to help people focus in what can be a high-pressure situation, and your incident management plan should follow this protocol.

Having the right team on the job is critical. Bear these factors in mind when assembling your team:

  • Appoint one leader who will have overall responsibility for responding to the breach. Obvious choices are your CIO or chief risk officer. This leader should have a direct reporting line into top level management so decisions can be made quickly.
  • Include representatives from all relevant areas, including IT, to trace and deal with any technical flaws that led to the breach; and corporate affairs, in case liaison with authorities is required, to manage media and customer communications.
  • Don’t forget privacy (you do have a chief privacy officer, don’t you?) and legal, to deal with regulators and advise on potential exposure to liability.

If you anticipate that litigation could result from the breach, then it may be appropriate for the detailed internal investigation of the breach to be managed by the legal team. If your organisation doesn’t have these capabilities, seek assistance from third parties at an early stage.

Step 2: Containment

The taskforce should first identify the cause of the breach and ensure that it is contained. Steps may include:

  • Installing patches to resolve viruses and technology flaws. The ‘Heartbleed’ security bug identified in April 2014 at one time compromised 17 per cent of internet servers. Although a security patch was made available almost immediately once it was discovered, some administrators were slow to react, leaving servers exposed for longer than necessary.
  • Resetting passwords for user accounts that may have been compromised and advising users to change other accounts on which they use the same password.
  • Disabling network access for computers known to be infected by viruses or other malware (so they can be quarantined) and blocking the accounts of users that may have been involved in wrongdoing.
  • Taking steps to recall or delete information such as recalling emails, asking unintended recipients to destroy copies or disabling links that have been mistakenly posted. Take care to ensure that steps taken to contain the breach don’t inadvertently compromise the integrity of any investigation.

Step 3: Assess the extent and severity of the breach

The results will dictate the subsequent steps of your response. A thorough assessment involves:

  • Identifying who and what has been affected. If it’s not possible to tell exactly what data has been compromised, it may be wise to take a conservative approach to estimation.
  • Assessing how the data could be used against the victims. If the data contains information that could be used for identity theft or other criminal activity (such as names, dates of birth and credit card numbers) or that could be sensitive (such as medical records), the breach should be treated as more severe. If the data has been encrypted or anonymised, there is a lower risk of harm.
  • Considering the context of the breach. If there has been a deliberate hacking, rather than an inadvertent breach of security, then the consequences for the relevant individuals or organisations could be much more significant. This should inform how you respond to the breach.

Step 4: Notification

For serious data security breaches, proactive notification is generally the right strategy. A mandatory notification scheme has been proposed in Australia, with the government promising implementation by the end of 2015.

In any case, there are good reasons to consider voluntary notifications, which include:

  • Victims may be able to protect themselves, for example by changing passwords, cancelling credit cards and monitoring bank statements. eBay was roundly criticised in 2014 for not acting quickly enough to notify users affected by a hacking attack, and only doing so by means of a website notice rather than by sending individual messages. Notices should be practical, suggesting steps that recipients can take to protect themselves.
  • The Privacy Commissioner may also be involved, particularly if personal information has been stolen. The Commissioner may take a more lenient approach to organisations that proactively address problems when they arise.
  • Other third parties may also need to be notified. For example, if financial information is compromised, you might notify relevant financial institutions so that they can watch for suspicious transactions.

Step 5: Action to prevent future breaches

Having addressed the immediate threat, prevention is the final step. While customers may understand an isolated failure, they are typically less forgiving of repeated mistakes. Carry out a thorough post-breach audit to determine whether your security practices can be improved.

This could include:

  • Engaging a data security consultant, which will give you a fresh perspective on your existing practices, and help to reassure customers and others that you do business with.
  • Promptly remedying any identified security flaws – changes should be reflected in data security policies and training documents (and if such documents don’t exist, create them).
  • Rolling out training to relevant personnel to ensure that everyone is up to speed on the latest practices.
  • Reviewing arrangements with service providers to ensure that they are subject to appropriate data security obligations (and, if not already the case, make data security compliance a key criterion applied in the procurement process).

Written by Cheng Lim, a partner at global law firm King & Wood Mallesons. Cheng leads KWM’s Cyber-Resilience initiative and has assisted clients over many years in dealing with privacy, data security and data breaches. Originally produced for CIO Australia.

Guest blog: PCI audits and how to recognize a good QSA auditor and partner

Many organizations approach a PCI audit with fear and trepidation. There are a lot of stories out there about how difficult, expensive and disruptive a PCI audit can be, but I want to see if I can add some balance to this view. I believe that when it comes to a PCI auditor it matters a great deal who you are working with. We just completed a PCI audit of our Alliance Key Manager for VMware solution and it gave me a whole new perspective and attitude about the audit process. Our PCI work was conducted by Coalfire, a security company that provides PCI audit services as well as audit services for the health and financial communities. Most of my remarks will reflect on the great experience we had with Coalfire and some of the lessons we learned.

As is true of financial auditors, the QSA auditor has a duty to accurately assess the security of your IT systems to ensure that they meet or exceed the PCI Data Security Standards (PCI DSS) as outlined by the PCI Security Standards Council (PCI SSC). They have a professional responsibility to tell you where you meet the PCI DSS standard, and where you fall short. That “falling short” part is the thing most people dread hearing about.

I would suggest that this is exactly where a good security audit can be very helpful. We need to know where our security is weak, and we need to know how to fix the problems. A good QSA auditor will be more than a gatekeeper for the PCI security standards – they will be a trusted advisor on how to get things right from a security perspective. That practical advice is exactly what we need to protect our sensitive data.

Finding problems and fixing them is less expensive than suffering a data breach and then scrambling to fix the problems.

Another often overlooked benefit of having a good QSA auditor is that you get a trusted advisor in the process. It is one thing to have an auditor point out the faults in your security strategy, it is another to find an auditor who can advise you on the security strategies and potential solutions that can help you. While there must be an arms-length relationship between an auditor and a solution provider, your QSA auditor should be able to point you to a number of solutions that can help you mitigate security weaknesses. An experienced auditor is going to help you navigate towards a good solution.

It is hard to quantify the benefit of this type of guidance, but I personally think it is invaluable.

The take-away is that you should set high expectations for the relationship you develop with your QSA auditor. You can walk away from the experience with checks in boxes, or you can meet PCI compliance AND achieve a credible security strategy and trusted advisor. I found the latter in my relationship with Coalfire.

Patrick Townsend

Townsend Security

Top 5 Strategic Infosec issues in Higher Education

The EDUCAUSE infographic of the Top Five strategic information security issues for Higher Education:

  1. Developing an effective information security strategy that responds to institutional organization and culture and that elevates information security concerns to institutional leadership.
  2. Ensuring that members of the institutional community (students, faculty, and staff) receive information security education and training.
  3. Developing security policies for mobile, cloud, and digital resources (includes issues of data handling/protection, access control, and end-user awareness).
  4. Using risk-management methodologies to identify and address information security priorities.
  5. Developing, testing, and refining incident response capabilities to respond to information systems/data breaches.

Top 10 technologies for information security and their implications for security organisations in 2014

At its Security & Risk Management Summit, Gartner highlighted the top 10 technologies for information security and their implications for security organisations in 2014.

“Enterprises are dedicating increasing resources to security and risk. Nevertheless, attacks are increasing in frequency and sophistication. Advanced targeted attacks and security vulnerabilities in software only add to the headaches brought by the disruptiveness of the Nexus of Forces, which brings mobile, cloud, social and big data together to deliver new business opportunities,” said Neil MacDonald, vice president and Gartner Fellow. “With the opportunities of the Nexus come risks. Security and risk leaders need to fully engage with the latest technology trends if they are to define, achieve and maintain effective security and risk management programs that simultaneously enable business opportunities and manage risk.”

Gartner believes the top 10 technologies for information security are: 

1. Cloud Access Security Brokers

Cloud access security brokers are on-premises or cloud-based security policy enforcement points placed between cloud services consumers and cloud services providers to interject enterprise security policies as the cloud-based resources are accessed. In many cases, initial adoption of cloud-based services has occurred outside the control of IT, and cloud access security brokers offer enterprises a way to gain visibility and control as their users access cloud resources.

2. Adaptive Access Control

Adaptive access control is a form of context-aware access control that acts to balance the level of trust against risk at the moment of access using some combination of trust elevation and other dynamic risk mitigation techniques. Context awareness means that access decisions reflect current condition, and dynamic risk mitigation means that access can be safely allowed where otherwise it would have been blocked. Use of an adaptive access management architecture enables an enterprise to allow access from any device, anywhere, and allows for social ID access to a range of corporate assets with mixed risk profiles.

3. Pervasive Sandboxing (Content Detonation) and IOC Confirmation

Some attacks will inevitably bypass traditional blocking and prevention security protection mechanisms, in which case it is key to detect the intrusion in as short a time as possible to minimize the hacker’s ability to inflict damage or exfiltrate sensitive information. Many security platforms now include embedded capabilities to run (“detonate”) executables and content in virtual machines (VMs) and observe the VMs for indications of compromise. This capability is rapidly becoming a feature of a more-capable platform, not a stand-alone product or market. Once a potential incident has been detected, it needs to be confirmed by correlating indicators of compromise across different entities, for example, comparing what a network-based threat detection system sees in a sandboxed environment to what is being observed on actual endpoints in terms of processes, behaviors, registry entries and so on.

4. Endpoint Detection and Response Solutions

The endpoint detection and response (EDR) market is an emerging market created to satisfy the need for continuous protection from advanced threats at endpoints (desktops, servers, tablets and laptops), most notably significantly improved security monitoring, threat detection and incident response capabilities. These tools record numerous endpoint and network events and store this information in a centralized database. Analytics tools are then used to continually search the database to identify tasks that can improve the security state to deflect common attacks, to provide early identification of ongoing attacks (including insider threats), and to rapidly respond to those attacks. These tools also help with rapid investigation into the scope of attacks, and provide remediation capability.

5. Big Data Security Analytics at the Heart of Next-generation Security Platforms

Going forward, all effective security protection platforms will include domain-specific embedded analytics as a core capability. An enterprise’s continuous monitoring of all computing entities and layers will generate a greater volume, velocity and variety of data than traditional SIEM systems can effectively analyse. Gartner predicts that by 2020, 40% of enterprises will have established a “security data warehouse” for the storage of this monitoring data to support retrospective analysis. By storing and analysing the data over time, and by incorporating context and including outside threat and community intelligence, patterns of “normal” can be established and data analytics can be used to identify when meaningful deviations from normal have occurred.

6. Machine-readable Threat Intelligence, Including Reputation Services

The ability to integrate with external context and intelligence feeds is a critical differentiator for next-generation security platforms. Third-party sources for machine-readable threat intelligence are growing in number and include a number of reputation feed alternatives. Reputation services offer a form of dynamic, real-time “trustability” rating that can be factored into security decisions. For example, user and device reputation as well as URL and IP address reputation scoring can be used in end-user access decisions.

7. Containment and Isolation as a Foundational Security Strategy

In a world where signatures are increasingly ineffective in stopping attacks, an alternative strategy is to treat everything that is unknown as untrusted and isolate its handling and execution so that it cannot cause permanent damage to the system it is running on and cannot be used as a vector for attacks on other enterprise systems. Virtualization, isolation, abstraction and remote presentation techniques can be used to create this containment so that, ideally, the end result is similar to using a separate “air-gapped” system to handle untrusted content and applications. Virtualization and containment strategies will become a common element of a defense-in-depth protection strategy for enterprise systems, reaching 20% adoption by 2016 from nearly no widespread adoption in 2014.

8. Software-defined Security

“Software defined” is about the capabilities enabled as we decouple and abstract infrastructure elements that were previously tightly coupled in our data centers: servers, storage, networking, security and so on. Like networking, compute and storage, the impact on security will be transformational. Software-defined security doesn’t mean that some dedicated security hardware isn’t still needed; it is. However, like software-defined networking, the value and intelligence moves into software.

9. Interactive Application Security Testing

Interactive application security testing (IAST) combines static application security testing (SAST) and dynamic application security testing (DAST) techniques. This aims to provide increased accuracy of application security testing through the interaction of the SAST and DAST techniques. IAST brings the best of SAST and DAST into a single solution. This approach makes it possible to confirm or disprove the exploitability of the detected vulnerability and determine its point of origin in the application code.

10. Security Gateways, Brokers and Firewalls to Deal with the Internet of Things

Enterprises, especially those in asset-intensive industries like manufacturing or utilities, have operational technology (OT) systems provided by equipment manufacturers that are moving from proprietary communications and networks to standards-based, IP-based technologies. More enterprise assets are being automated by OT systems based on commercial software products. The end result is that these embedded software assets need to be managed, secured and provisioned appropriately for enterprise-class use. OT is considered to be the industrial subset of the “Internet of Things,” which will include billions of interconnected sensors, devices and systems, many of which will communicate without human involvement and that will need to be protected and secured.

Most organisations struggle to resolve the effects of a breach

According to IDG research in a CSG Invotas white paper “Security Automation: Time to Take a Fresh Look” most organisations struggle to resolve the effects of a breach.

“There’s no doubt that improving intrusion response and resolution times reduces the window of exposure from a breach,” said Jen McKean, research director at IDG Research. “More companies seek security automation tools that will enable them to resolve breaches in mere seconds and help maintain business-as-usual during the remediation period.”

Researchers polled decision makers of information security, strategy, and solution implementations at companies with 500 or more employees. They explored the security challenges commercial organizations face when confronted with security breaches across their networks. Key findings include:

  • 46% of respondents report an average detection time of hours or days
  • 54% reporting average resolution times of days or months
  • Ongoing management of electronic identities that control access to enterprise, cloud, and mobile resources takes the most time to change or update during a security event
  • A majority of respondents seek ways to reduce response time in order to address risk mitigation, preserve their company’s reputation, and protect customer data
  • 61% of respondents admit they are looking for ways to improve response times to security events
  • 82% of respondents report no decrease in the number of network security events or breaches last year whilst more than a quarter of those surveyed report an increase
  • 60% of IT Security Resources dedicated to protecting the network layer
  • 10% of respondents reporting they’re able to resolve issues in seconds or minutes; 54% say it takes days, weeks or months
  • 28% of respondents say the number of security events or breaches increased in 2013
  • 24% report that the severity of incidents increased
  • 39% of respondents say they can detect a security breach within seconds or minutes

Business process automation solutions offer a new approach to the most difficult step in security operations: taking immediate and coordinated action to stop security attacks from proliferating. Building digital workflows that can be synchronized across an enterprise allows a rapid counter-response to cyber-attacks. Speed, accuracy, and efficiency are accomplished by applying carrier-grade technology, replicating repetitive actions with automated workflows, and reducing the need for multiple screens.

“It is no longer a surprise to hear that a breach has compromised data related to customers, employees, or partners,” said Paul Nguyen, president of global security solutions at CSG Invotas. “CIOs recognize that they need faster, smarter ways to identify security breaches across their enterprises. More importantly, they need faster, smarter ways to respond with decisive and coordinated action to help protect threats against company reputation, customer confidence, and revenue growth.”

A quarter of respondents say they are comfortable with the idea of automating some security workflows and processes and that they deploy automation tools where they can. 57% of respondents say they are somewhat comfortable with automation for some low-level and a few high-level processes, but they still want security teams involved. On average, respondents report that 30% of their security workflows are automated today; but nearly two-thirds of respondents expect they will automate more security workflows in the coming year.

The full survey and key findings are available here.

Most European organizations believe using a European cloud is easier from a regulatory and compliance perspective

Perspecsys Infograph from research at InfoSec Europe Conference

Another successful Infosecurity Europe finishes

Considering there was a tube strike I had no problems taking the normal underground route of Victoria and District lines but the North South didn’t seem as affected as East West.

I hadn’t realised until I saw the promotional signs for InfoSec 2015 at Olympia that this is the last time it will be at Earls Court as the building is being demolished and replaced by a retail park with houses and apartments. That is sad as it is a great art deco 1930s building, OK a bit tired but it is a better venue than Olympia.

In the first minute I bumped into a couple of ex-colleagues who were exhibiting but never saw them again over the next 2½ days which serves to demonstrate the size of the event.

I then set off on my marathon walk around and around the stands talking to lots of customers, prospective customers, ex-colleagues and friends resulting in a range of outcomes:-

  • Business opportunities
  • Developed a potentially new service offering
  • Finding out where people are working this year, same person different polo shirt,
  • Speaking opportunities where a vendor wishes to educate their prospective customers on PCI, ISO and other standards

The exhibition itself had a different feel, maybe because there were fewer people or maybe because all the big stands had huge screens, like something from Bladerunner, backed by stages and speakers and a small army of table magicians whizzing cards everywhere.

Some of the larger vendors weren’t there but that trend isn’t new with vendors like Cisco and Check Point having missed previous events.

There did seem to be more distributors, resellers and service providers than previous years and the trend of vendors having reseller “pods” continued.

The Innovation and Overseas Pavilions of the USA, France, Israel and Moscow had some innovative solutions on offer although no one ever seemed to man the massive Moscow City stand/pods. 

Overall it was a great event.

The Cost Of Insecurity

It is simple: your investment in securing your data will be considerably less than the potential cost of a breach and the subsequent clean up.

Cisco’s Infographic is an interesting turn on the ROI message as it looks at security from the loss prevention angle rather than earnings.

Especially with Data Centre downtime costing on average $336,000 per hour.

100,000 new security threats are identified each day

Is your data secure?  Infographic

Hostwinds have produced a great Infographic on how data is secured. Focused on Google but the processes could be anyone or anywhere.

SMEs are putting larger customers at risk of security breaches

According to Shred-it’s third annual Security Tracker survey, SMEs in the UK are putting their own businesses at risk and could also be damaging larger firms they supply services to by not taking enough preventative measures to protect confidential data.

“It’s good business sense for larger companies to ask whether their suppliers have a data protection partner and an information security system in place – not only to prevent sensitive information being lost by a third party but also because the financial and reputational damage of a breach could put that supplier out of business and cause havoc in the supply chain,” warns Robert Guice, Vice President Shred-it EMEA.

The survey reveals SMEs are 10 times less likely to have an information security system set up than is the case with larger businesses.

“SMEs continue to hugely underestimate the potential cost of a data breach to them. In terms of financial loss, the Information Commissioner’s Office in the UK can fine companies up to half a million pounds, enough to send many companies into insolvency”, Mr Guice said. “We believe that smaller companies may be over-estimating the costs involved in making sure confidential information is kept safe.”

“Whilst larger companies may be able to absorb this cost, SMEs risk a huge hit to their bottom line and a tarnished reputation which can impact relationships with customers and other business partners,” Mr Guice continued.

There is a worrying gap between the protocols in place between smaller and larger businesses. Whilst companies with revenue over £1m are eight times more likely to use a professional shredding company to dispose of their sensitive documents, 37 per cent of small businesses in the UK have no information security management system in place. Moreover, three in ten (28 per cent) small business owners have never provided any information security training to their employees.

Key findings include

  • 2 in every 5 large businesses suffering a data breach have incurred losses of more than £500,000
  • The average fine is approximately £150,000 – large enough for 30% of companies to have to lay off staff as a result.
  • 77% of larger businesses have an employee directly responsible for managing information security issues at management level (66%) or board level (11%)
  • 48% of SMEs have a nominated person
  • 95% of large businesses have an employee devoted to data protection compared with only 53% of small business owners, suggesting that larger businesses better understand the potential threat of data breaches and have put control systems in place accordingly.
  • 33% of senior business executives and only 4% of small business owners use a professional shredding service
  • Large businesses (88%) are more than twice as likely to be aware of the EU Data Protection Directive reforms as small businesses (43%).
  • Although the gap is closer, large businesses are still more likely to be aware of the UK Data Protection Act (92%) than small business owners (72%).
  • With more information being stored in electronic form, it is equally worrying that less than one quarter of large (23%) and small businesses (25%) crush their electronic media – which means the vast majority of UK businesses are inadvertently putting themselves and their customers at risk.
  • Businesses could be giving away private information to fraudsters by not properly disposing of or destroying hard drives. 66% of large business and 49% of small business owners wrongly think that degaussing or wiping a hard drive will remove confidential information kept on them.

CIOs Optimistic About Information Security

PwC have released their 2012 Global State of Information Security Survey.

The survey is a worldwide security survey by PwC, CIO Magazine and CSO Magazine. It was conducted online between February 10 and April 18, 2011. Survey respondents were from around the globe and were invited via email to take the survey. The results discussed in this report are based on the responses of more than 9,600 CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents and directors of IT and information security from 138 countries. Twenty-nine percent (29%) of respondents were from North America, 26% from Europe, 21% from South America, 20% from Asia, and 3% from the Middle East and South Africa. The margin of error is less than 1%.

Threats to security, like the weather are hard to predict. Many executives point to the sunshine and clear skies overhead. Others eye the low barometric pressure

The survey produced 17 findings. The findings are summarised below:

A world of front-runners: Respondents categorize their organization

Finding #1 This year, a surprisingly high percentage of respondents consider their organization, in effect, a “front-runner” in information strategy and execution.

Finding #2 These “front-runners” see client requirement as the greatest justification for information security spending—and are passionate about protecting data.

Finding #3 Curiously, “strategists” are far more likely to clamp down on funding for information security than any of the other three groups.

Confidence and progress: A decade of maturation

Finding #4 A clear majority of respondents are confident that their organization’s information security activities are effective.

Finding #5 Companies now have greater insights than they’ve ever had into cyber crimes and other incidents and they’re translating this information into investments specifically focused on three areas: prevention, detection and web-related technologies.

Finding #6 After three years of cutting information security budgets and deferring security related initiatives, respondents are “bullish” about security spending.

Vulnerability and exposure: Capability degradation since 2008

Finding #7 One of the most dangerous cyber threats is an Advanced Persistent Threat attack. Few organizations have the capabilities to prevent this.

Finding #8 After three years of economic volatility and a persistent reluctance to fund the security mission, degradation in core security capabilities continues.

Finding #9 Managing the security-related risks associated with partners, vendors and suppliers has always been an issue. It’s getting worse.

Finding #10 That 72% worldwide confidence rating in security practices may seem high but it has declined markedly since 2006.

Windows of improvement: Where the best opportunities lie

Finding #11 What are the greatest obstacles to effective information security? Leaders point to the lack of capital, among other factors—and shine the spotlight hottest at the “top of the house.”

Finding #12 Mobile devices and social media represent a significant new line of risk and defense. New rules are in effect this year for many organizations, though not yet the majority.

Finding #13 Cloud computing is improving security. But many want better enforcement of provider security policies, among other priorities.

Global trends: Asia races ahead while the world’s information security arsenals age

Finding #14 For several years, Asia has been firing up its investments in security. This year’s results reveal just how far the region has advanced its capabilities.

Finding #15 As North American organizations continue their reluctance to fund security’s mission at levels that they have in the past, capabilities continue to degrade.

Finding #16 In the face of economic uncertainty and in spite of a portfolio of security capabilities in decline, Europe pulls the purse strings even tighter.

Finding #17 Like most of the world, South America’s armory of information security defenses is rusting. As the region’s confidence in its security plummets, it thirsts for cash.

What this means for your business: Look at the leaders. Learn from what they have done and how they are electing to address the future.

Find the full details of the report here.

Symantec MessageLabs June 2011 Intelligence Report

Symantec have released their June 2011 Intelligence Report. The Symantec Intelligence Report provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this combined report includes data from May and June 2011.

Report highlights

  • Spam – 72.9% in June (a decrease of 2.9 percentage points since May 2011)
  • Phishing – One in 330.6 emails identified as Phishing (a decrease of 0.05 percentage points since May 2011)
  • Malware – One in 300.7 emails in June contained malware (a decrease of 0.12 percentage points since May 2011)
  • Malicious Web sites – 5,415 Web sites blocked per day (an increase of 70.8% since May 2011)
  • 35.1% of all malicious domains blocked were new in June (a decrease of 1.7 percentage points since May 2011)
  • 20.3% of all Web-based malware blocked was new in June (a decrease of 4.3 percentage points since May 2011)
  • Review of Spam-sending botnets in June 2011
  • Clicking to Watch Videos Leads to Pharmacy Spam
  • Wiki for Everything, Even for Spam
  • Phishers Return for Tax Returns
  • Fake Donations Continue to Haunt Japan
  • Spam Subject Line Analysis
  • Best Practices for Enterprises and Users

Spam Analysis

In June 2011, the global ratio of spam in email traffic decreased by 2.9 percentage points since May 2011 to 72.9% (1 in 1.37 emails).

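| Country | May | April | Change % |
| --- | --- | --- | --- |
| United States | 29% | 31% | -2 |
| India | 5% | 4% | 1 |
| Russia | 5% | 5% | |
| Brazil | 5% | 5% | |
| Netherlands | 5% | 5% | |
| Taiwan | 3% | 4% | -1 |
| South Korea | 3% | 3% | |
| Uruguay | 3% | 3% | |
| Ukraine | 3% | 2% | 1 |
| China | 2% | 3% | -1 |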

As the global spam level declined in June 2011, Saudi Arabia became the most spammed geography, with a spam rate of 82.2%, overtaking Russia, which moved into second position.

In the US, 73.7% of email was spam and 72.0% in Canada. The spam level in the UK was 72.6%. In The Netherlands, spam accounted for 73.0% of email traffic, 71.8% in Germany, 71.9% in Denmark and 70.4% in Australia. In Hong Kong, 72.2% of email was blocked as spam and 71.2% in Singapore, compared with 69.2% in Japan. Spam accounted for 72.3% of email traffic in South Africa and 73.4% in Brazil.

Global Spam Categories

| Spam Category Name | June 2011 |
| --- | --- |
| Pharmaceutical | 40% |
| Adult/Sex/Dating | 19% |
| Watches/Jewelry | 18% |
| Newsletters | 12% |
| Casino/Gambling | 7% |
| Unknown | 3% |
| Degrees/Diplomas | 2% |
| Weight Loss | 1% |

Phishing Analysis

In June, Phishing activity decreased by 0.06 percentage points since May 2011; one in 286.7 emails (0.349%) comprised some form of Phishing attack.

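| Phishing Sources: Country | May | April | % change |
| --- | --- | --- | --- |
| United States | 44% | 55% | -11 |
| Chile | 15% | unlisted | N/A |
| Canada | 5% | 5% | |
| Germany | 5% | 6% | -1 |
| United Kingdom | 4% | 6% | -2 |
| China | 2% | unlisted | N/A |
| France | 2% | 3% | -1 |
| Netherlands | 2% | 2% | |
| Russia | 1% | 2% | -1 |
| Australia | 1% | 3% | -2 |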

South Africa remained the most targeted geography for Phishing emails in June, with 1 in 111.7 emails identified as phishing attacks. South Africa suffers from a high level of Phishing activity targeting many of its four major national banks, as well as other international financial institutions.

In the UK, phishing accounted for 1 in 130.2 emails. Phishing levels for the US were 1 in 1,270 and 1 in 207.7 for Canada. In Germany Phishing levels were 1 in 1,375, 1 in 2,043 in Denmark and 1 in 543.7 in The Netherlands. In Australia, Phishing activity accounted for 1 in 565.2 emails and 1 in 2,404 in Hong Kong; for Japan it was 1 in 11,179 and 1 in 2,456 for Singapore. In Brazil, 1 in 409.8 emails were blocked as Phishing attacks.

The Public Sector remained the most targeted by phishing activity in June, with 1 in 83.7 emails comprising a Phishing attack. Phishing levels for the Chemical & Pharmaceutical sector were 1 in 897.3 and 1 in 798.3 for the IT Services sector; 1 in 663.2 for Retail, 1 in 151.4 for Education and 1 in 160.8 for Finance.

Email-borne Threats

The global ratio of email-borne viruses in email traffic was one in 300.7 emails (0.333%) in June, a decrease of 0.117 percentage points since May 2011.

The UK remained the geography with the highest ratio of malicious emails in June, as one in 131.9 emails was blocked as malicious in June.

In the US, virus levels for email-borne malware were 1 in 805.2 and 1 in 297.7 for Canada. In Germany virus activity reached 1 in 721.0, 1 in 1,310 in Denmark and in The Netherlands 1 in 390.3. In Australia, 1 in 374.5 emails were malicious and 1 in 666.5 in Hong Kong; for Japan it was 1 in 2,114, compared with 1 in 946.7 in Singapore. In South Africa, 1 in 280.9 emails and 1 in 278.9 emails in Brazil contained malicious content. With 1 in 73.1 emails being blocked as malicious, the Public Sector remained the most targeted industry in June. Virus levels for the Chemical & Pharmaceutical sector were 1 in 509.4 and 1 in 513.8 for the IT Services sector; 1 in 532.8 for Retail, 1 in 130.4 for Education and 1 in 182.3 for Finance.

| Malware Name | % Malware |
| --- | --- |
| Exploit/SuspLink-d1f2 | 4.85% |
| Link-Trojan.Generic.5483393-4cac | 2.89% |
| W32/NewMalware!836b | 2.41% |
| W32/NewMalware!0575 | 2.39% |
| Exploit/Link-FakeAdobeReader-8069 | 2.32% |
| Trojan.Bredolab!eml-1f08 | 1.97% |
| Exploit/LinkAliasPostcard-d361 | 1.52% |
| W32/Packed.Generic-7946 | 1.46% |
| W32/Bredolab.gen!eml | 1.36% |
| Exploit/FakeAttach-844a | 1.39% |

Web-based Malware Threats

In June, MessageLabs Intelligence identified an average of 5,415 Web sites each day harboring malware and other potentially unwanted programs including spyware and adware; an increase of 70.8% since May 2011. This reflects the rate at which Web sites are being compromised or created for the purpose of spreading malicious content. Often this number is higher when Web-based malware is in circulation for a longer period of time to widen its potential spread and increase its longevity. The 70.8% rise marks a return to the highest rate since December 2010, as can be seen in the chart below; the rate had previously been diminishing during the first half of 2011.

As detection for Web-based malware increases, the number of new Web sites blocked decreases and the proportion of new malware begins to rise, but initially on fewer Web sites. Further analysis reveals that 35.1% of all malicious domains blocked were new in June; a decrease of 1.7 percentage points compared with May 2011. Additionally, 20.3% of all Web-based malware blocked was new in June; a decrease of 4.3 percentage points since the previous month.

Endpoint Security Threats

The endpoint is often the last line of defense and analysis; however, the endpoint can often be the first-line of defense against attacks that spread using USB storage devices and insecure network connections. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway filtering. The table below shows the malware most frequently blocked targeting endpoint devices for the last month. This includes data from endpoint devices protected by Symantec technology around the world, including data from clients which may not be using other layers of protection, such as Symantec Web Security.cloud or Symantec Email AntiVirus.cloud.

| Malware Name | Malware % |
| --- | --- |
| W32.Ramnit!html | 9.47% |
| W32.Sality.AE | 8.49% |
| Trojan.Bamital | 8.23% |
| W32.Ramnit.B!inf | 7.59% |
| W32.DownadupageB | 3.76% |
| W32.Virut.CF | 2.70% |
| W32.Almanahe.B!inf | 2.50% |
| W32.SillyFDC | 1.99% |
| Trojan.ADH. | 1.91% |
| Trojan.ADH | 1.90% |
| Generic Detection | 16.90% |

For further details visit the Symantec website here.

March’s Report summary can be found here.

April’s Report summary can be found here.

May’s Report summary can be found here.
