
Brian Pennington

A blog about Cyber Security & Compliance

Tag: IT Security

Standard & Poor’s labeled holes in cybersecurity a financial risk in a report

Banks with weak cybersecurity controls could be downgraded even if they haven’t been attacked, Standard & Poor’s said Monday in a report.

While it hasn’t yet downgraded a bank based on its computer security, the ratings company said it would consider doing so if it determined the lender was ill-prepared to withstand a data breach. It would also drop a bank’s rating if an attack caused reputational harm or resulted in losses that hurt profit, S&P said.

“We view weak cybersecurity as an emerging threat that has the potential to pose a higher risk to financial firms in the future, and possibly result in downgrades,” S&P analysts led by Stuart Plesser wrote in the report.

Cyberattacks have become a growing threat for banks, with more than a dozen U.S. depository institutions reporting hacks in 2012 and 2013 that prevented consumers from accessing their websites, according to the report. Last year, the personal data of tens of millions of JPMorgan Chase & Co. customers were compromised in a breach. The bank spent $250 million on cybersecurity in 2014 and will increase that to $450 million by next year, S&P said.

Hostile nation-states, terrorist organizations, criminal groups, activists and, in some cases, company insiders are behind most of the global cyberattacks on banks, S&P said. South Korean financial institutions have experienced security breaches in recent years, while a Russian security company working with law enforcement said it uncovered a two-year, billion-dollar theft from banks around the world by a gang of cybercriminals, according to the report, which didn’t identify the lenders.

‘Continual Battle’

S&P classified the global risk of cyberattacks as “medium,” saying large banks have taken steps to mitigate the danger. Bigger institutions have an advantage over smaller ones because their revenue base can defray some expenses, according to the report.

Few banks have disclosed the amount they’re spending to guard against attacks, S&P said. Still, any cuts to technology units as part of larger cost-savings efforts would be “disconcerting.”

“Cyberdefense is a continual battle, particularly as technology evolves,” according to the report. “Many tech experts believe that if a hostile nation-state put all its resources into infiltrating a particular bank’s tech system, it would probably prove successful.”

The original article was published in Crain’s New York Business.


Most organisations struggle to resolve the effects of a breach

According to IDG research in a CSG Invotas white paper “Security Automation: Time to Take a Fresh Look” most organisations struggle to resolve the effects of a breach.

“There’s no doubt that improving intrusion response and resolution times reduces the window of exposure from a breach,” said Jen McKean, research director at IDG Research. “More companies seek security automation tools that will enable them to resolve breaches in mere seconds and help maintain business-as-usual during the remediation period.”

Researchers polled decision makers for information security, strategy and solution implementation at companies with 500 or more employees. They explored the security challenges commercial organizations face when confronted with security breaches across their networks. Key findings include:

  • 46% of respondents report an average detection time of hours or days
  • 54% report average resolution times of days or months
  • Ongoing management of electronic identities that control access to enterprise, cloud and mobile resources takes the most time to change or update during a security event
  • A majority of respondents seek ways to reduce response time in order to mitigate risk, preserve their company’s reputation and protect customer data
  • 61% of respondents admit they are looking for ways to improve response times to security events
  • 82% of respondents report no decrease in the number of network security events or breaches last year, while more than a quarter of those surveyed report an increase
  • 60% of IT security resources are dedicated to protecting the network layer
  • 10% of respondents report they are able to resolve issues in seconds or minutes; 54% say it takes days, weeks or months
  • 28% of respondents say the number of security events or breaches increased in 2013
  • 24% report that the severity of incidents increased
  • 39% of respondents say they can detect a security breach within seconds or minutes

Business process automation solutions offer a new approach to the most difficult step in security operations: taking immediate and coordinated action to stop security attacks from proliferating. Building digital workflows that can be synchronized across an enterprise allows a rapid counter-response to cyber-attacks. Speed, accuracy, and efficiency are accomplished by applying carrier-grade technology, replicating repetitive actions with automated workflows, and reducing the need for multiple screens.

“It is no longer a surprise to hear that a breach has compromised data related to customers, employees, or partners,” said Paul Nguyen, president of global security solutions at CSG Invotas. “CIOs recognize that they need faster, smarter ways to identify security breaches across their enterprises. More importantly, they need faster, smarter ways to respond with decisive and coordinated action to help protect threats against company reputation, customer confidence, and revenue growth.”

A quarter of respondents say they are comfortable with the idea of automating some security workflows and processes and that they deploy automation tools where they can. 57% of respondents say they are somewhat comfortable with automation for some low-level and a few high-level processes, but they still want security teams involved. On average, respondents report that 30% of their security workflows are automated today; but nearly two-thirds of respondents expect they will automate more security workflows in the coming year.

The full survey and key findings are available here.

Report on Malware Activity for the Last 6 Months of 2011 – M86

M86, a web and email security company, has released its review of the last six months of 2011.

The report has some excellent screen shots of malicious attacks, particularly phishing and spam attacks.

The screenshots should be shown to all school pupils and college students so they do not make the same mistakes. Equally, all organisations should distribute the images as part of their internet usage training, because a lot of social media activity takes place during the working day.

M86 said of their report:

“We already know that cybercriminals have become adept at circumventing mainstream security solutions, and as we find more fraud perpetrated through social networking sites and mobile devices, it is imperative for organizations to educate their users and complement their reactive protection with proactive, real-time technologies to enhance their security posture,” said Bradley Anstis, Vice President of Technical Strategy, M86 Security. “Many of the trends we forecast in our 2011 predictions report, such as the increased use of stolen digital certificates in targeted attacks, have occurred. Our goal is to help organizations preempt these complex attacks before malware has a chance to infiltrate networks and cause very real damage.”

Key Findings of the Report:

  1. Targeted attacks became sophisticated and pursued a wider range of organizations, including commercial, national critical infrastructure and military targets.
  2. Use of stolen or fraudulent digital certificates has become more common, especially as part of targeted attacks.
  3. In several targeted attacks, malware was hidden by embedding itself in various file formats—with a few cases of multiple embedding layers. This method can evade security software that fails to scan deep enough.
  4. Blackhole has become the most prevalent exploit kit in the second half of 2011 with a huge margin over other exploit kits. Some of the exploit kits which were active in the past are rarely used now or were practically abandoned.
  5. Newer versions of Blackhole are being deployed first in Eastern Europe. Its authors increased its update frequency and added new exploits and tricks to evade detection, such as checking the software version on the client machine before attempting to exploit it.
  6. Fake social media notifications are now a mainstream way for spammers to dupe users into clicking links.
  7. Facebook continues to be a conduit for spam and malware, as many campaigns are spreading virally by enticing users to share posts that promise gift cards or other rewards.
  8. Hacked, but otherwise legitimate, websites played a major role in distributing spam and malware by redirecting browsers to the ultimate destination.
  9. Malicious Web content currently exploits more than 50 vulnerabilities in various software products. The most commonly exploited products are Microsoft Internet Explorer, Oracle Java, Adobe Acrobat Reader, Adobe Flash and Microsoft Office products.
  10. The overall volume of spam continued to decline in 2011, reaching a four-year low in December 2011.
  11. Eight spamming botnets were responsible for 90% of the spam monitored by M86 Security Labs. All of these botnets are familiar and have been established for some time.
  12. The proportion of malicious spam rose in the second half of the year from less than 1% to 5%, including a massive spike in malicious attachments in August and September. Later in the year, the focus shifted from malicious attachments to malicious links that led to exploit kits, in particular, the Blackhole exploit kit.
  13. Some noticeable wins by law enforcement authorities and researchers against cybercriminals, botnets and affiliate programs like fake AV and rogue online pharmacies, took place this year.
  14. Malicious Web content hosted in China targets mostly older versions of Internet Explorer, which is popular in that country.
  15. Almost half of the global malicious Web content is hosted in the U.S. The states hosting most malware are Florida, California, Texas and Washington.
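Finding 3 above describes malware hidden inside several layers of embedded files so that a scanner which stops too early never sees it. The scanner below is an added example (mine, not code from M86 or from the report) of the recursion a scanner needs: it opens ZIP members recursively up to a configurable depth, caps the total number of bytes it is willing to inflate so a decompression bomb cannot be turned against the scanner, and reports anything it could not open as “unscanned” rather than silently treating it as clean. The signature string, the nested-ZIP fixture and the function names are all constructed for this demonstration; ZIP stands in for the “various file formats” in the finding.

```python
"""Recursive container scan with depth and inflation limits (added example)."""
import io
import zipfile

# Constructed signature for the demo; a real engine would use its own signature set.
SIGNATURE = b"DEMO-MALICIOUS-MARKER"


def _looks_like_zip(data: bytes) -> bool:
    # Local-file-header or end-of-central-directory magic is enough for the demo.
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def _scan(data, max_depth, depth, path, budget):
    """Scan one blob; recurse into ZIP members until max_depth or the byte budget is hit."""
    if SIGNATURE in data:
        return {"verdict": "malicious", "depth": depth, "path": path}
    if not _looks_like_zip(data):
        return {"verdict": "clean", "depth": depth, "path": path}
    if depth >= max_depth:
        # A container we refused to open: exactly the blind spot the finding describes.
        return {"verdict": "unscanned", "depth": depth, "path": path,
                "reason": "max depth reached"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member_path = f"{path}/{info.filename}"
                # Read at most budget+1 bytes so a lying size header cannot bypass the cap.
                with zf.open(info) as member:
                    blob = member.read(budget[0] + 1)
                if len(blob) > budget[0]:
                    return {"verdict": "unscanned", "depth": depth + 1,
                            "path": member_path, "reason": "inflation budget exhausted"}
                budget[0] -= len(blob)
                result = _scan(blob, max_depth, depth + 1, member_path, budget)
                if result["verdict"] != "clean":
                    return result
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        # Corrupt, password-protected or unsupported-compression archive:
        # report it rather than assume clean (encrypted ZIPs are a classic evasion).
        return {"verdict": "unscanned", "depth": depth, "path": path,
                "reason": "unreadable container"}
    return {"verdict": "clean", "depth": depth, "path": path}


def scan(data: bytes, max_depth: int = 8, max_inflate: int = 50 * 1024 * 1024) -> dict:
    """Entry point. 'unscanned' is a distinct verdict so policy can block or quarantine it."""
    return _scan(data, max_depth, 0, "<root>", [max_inflate])


def nest(payload: bytes, layers: int) -> bytes:
    """Wrap payload in `layers` nested ZIPs (constructed fixture for the demo)."""
    data = payload
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{layers - i}.bin", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    sample = nest(SIGNATURE + b"\x00" * 64, 3)
    print(scan(sample, max_depth=8))   # found at depth 3
    print(scan(sample, max_depth=2))   # 'unscanned': gave up before reaching the payload
```

The point of the three-way verdict is policy: a gateway that maps “unscanned” to “clean” is the product the finding is describing, whereas one that quarantines or strips anything it could not fully open turns the attacker’s layering into a detection signal in its own right.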

Expanded details on some of the key findings

Critical national infrastructure is targeted

As targeted attacks become more sophisticated, cybercriminals are pursuing a wider range of organizations, including commercial, national critical infrastructure and military targets. Confirmed attacks in 2011 include those on RSA, Lockheed Martin and the Asia-Pacific Economic Cooperation (APEC). Dutch company DigiNotar, for example, detected an intrusion that resulted in the fraudulent issuance of hundreds of digital certificates for a number of domains, including Google, Yahoo, Facebook, the CIA, the British MI6 and the Israeli Mossad.

Stolen digital certificates are increasingly used in successful targeted attacks

Stealing or forging digital certificates has become an important component of targeted attacks. Code-signing certificates are meant to assure a user that a downloaded application genuinely comes from the trusted vendor. With a stolen certificate and its private key, attackers can sign their malware as the legitimate company, so signature checks pass and users (and allow-listing products) trust the download. The caveat for defenders is that a valid signature proves only that the holder of the signing key signed the file; once the key is stolen, the signature is as good as the vendor’s until the certificate is revoked, so revocation checking and the reputation of the signed file matter as much as the signature itself.

The Blackhole exploit kit dominates the exploit kits market

In late 2011, Blackhole established itself as the most successful exploit kit. Its authors increased its update frequency and added new ways to evade detection, such as checking the software version on the client machine before attempting to exploit it.

The volume of malicious spam escalated in 2011

Though overall spam volume decreased as of December 2011, the proportion of malicious spam rose in the second half of the year from less than 1% to 5%, with a spike in malicious attachments occurring in August and September. As noted previously, there was a shift from malicious attachments to the use of embedded links to infected content later in the year.

Social media is a haven for fraudulent posts and scams

It is now mainstream practice for spammers to use bogus social media notifications to dupe users into clicking on infected links. Perhaps even more troubling is the success with which cybercriminals capitalize on user trust and familiarity to make Facebook, for example, a conduit for spam and malware propagation. Many of these campaigns are spread virally by enticing users to share posts for “rewards” or “gift cards” with their friends.

The full report and those screen shots can be found here.


Combating Cybercrime to Protect Organisations

PwC have released their annual cybercrime report, “Cybercrime: protecting against the growing threat – Global Economic Crime Survey”, and as usual it makes very scary reading.

The report shows that crime is up and that organisations have been slow to react to the threats, threats that were highlighted in previous reports.

Organisations of all sizes need to improve their ability to protect their sensitive data. The report focuses on several areas that need addressing, for example awareness of the threats among senior management, and training for employees in how to spot crime and how to take the appropriate steps to react to an incident (incident response planning).

There needs to be adequate protection in the form of technology, procedures and policies for the proposed awareness and training to be effective and efficient.

The report is based upon 3,877 respondents from organisations in 78 countries. The scale of the survey has provided a global picture of economic crime.

The key findings of the report are shown in full below, with the remainder of the post focusing on the statistics shown in the report.

Key Findings from the PWC “Cybercrime: protecting against the growing threat” report

Our sixth report paints a dramatic picture of UK organisations still struggling in the face of severe austerity cuts.

Economic crime has risen by 8 percentage points since our 2009 survey, with over half of respondents reporting at least one instance of economic crime in the last 12 months. Even more concerning for Senior executives was the fact that 24% of respondents reported more than ten incidents in the last 12 months.

Our findings suggest that the combination of rising economic crime in the UK, and widespread austerity cuts that limit the resources available to focus on economic crime, has made today’s business environment altogether more difficult and risky.

Cybercrime has become the third most common type of economic crime, whilst levels of ‘conventional’ economic crime have fallen (asset misappropriation has fallen by 8 percentage points since 2009, and accounting fraud by 5 percentage points in the same period). So we think organisations need to take a fresh look at how they deal with fraud.

Cybercrime now regularly attracts the attention of politicians and the media, and should be a concern to business leaders as well. Our survey gave respondents their first direct opportunity to highlight cybercrime as one of the main economic crimes they had experienced, and over a quarter of those who had reported economic crime in the last 12 months did so. The largest number of these were from the financial services sector.

Our survey shows that organisations need to be clear about exactly what cybercrime is, and who is responsible for managing it.

Economic crime perpetrated externally has increased and fraud carried out by employees within the organisation is declining.

Statistics extracted from the report

  • 47% of respondents said the cybercrime threats have increased over the last 12 months
  • 84% of respondents who identified an economic crime had carried out at least one fraud risk assessment in the last 12 months
  • 19% of UK respondents didn’t perform a fraud risk assessment in the last 12 months. This is a much lower figure compared with the global 29% of respondents
  • Over half of UK respondents reported economic crime in the last 12 months, compared with 34% globally
  • 51% of respondents experienced fraud in the last 12 months (UK)
  • 26% of those who experienced an economic crime in the last 12 months reported a cybercrime
  • 48% of respondents felt that responsibility for detecting and preventing cybercrime falls to the Chief Information Officer, the Technology Director or the Chief Security Officer
  • 66% of respondents said they had reported a cybercrime incident to law enforcement, compared with 76% of those who experienced economic crime
  • 54% of respondents representing organisations with offices in more than 20 countries saw an increased risk from cybercrime in the last 12 months. 35% of respondents representing organisations based just in the UK perceived a similar rise

Cybercrime awareness

  • The most effective way to raise cyber security awareness is through face-to-face training. In spite of this, only 24% of UK respondents received this type of training
  • 33% see cyber security as the responsibility of the Chief Executive Officer and the Board, the global figure is 21%
  • One in five respondents said the CEO and the Board only review these risks on an ad hoc basis

Response to cyber crime

  • 16% of UK respondents said their organisation has in place all five of the measures specified in the survey, compared with 12% of global respondents – see the link to the full report below.
  • 83% were concerned about reputational damage
  • 57% of respondents representing UK organisations have a media and public relations plan in place. The global response was 44%
  • 28% of respondents said they didn’t have any access to forensic technology investigators

Profile of the internal fraudster

  • male
  • aged between 31 and 40
  • employed with the organisation for between three and five years
  • educated to high school and not degree level

Top 5 departments perceived to present the biggest cybercrime risk

Department                        UK   Global
1. Information technology         52   53
2. Operations                     42   39
3. Sales and marketing            36   34
4. Finance                        37   32
5. Physical/Information security  22   25

Find the full report here.

.

Security should not be viewed as an isolated activity

IP EXPO’s 2011 Security Index survey was conducted among IT professionals from businesses of all sizes and sectors on behalf of Imago Techmedia and the IP EXPO show organisers.

“Respondents to our survey overwhelmingly agreed that IT security should not be viewed as an isolated activity, but would best be treated as an integrated part of businesses’ entire technology reviews and processes,” said Mike England, Social Business & Content Director at IP EXPO event organiser Imago Techmedia.

The key findings include:

  • 70% said they believed security would be best considered collaboratively and routinely across all aspects of ICT
  • 47% said they believed their own organisations needed more security-related collaboration between different ICT disciplines
  • 44% of respondents stated that at least a quarter of their jobs involved IT security. For 23%, security took up more than half their time
  • 23% of respondents said that their approaches to compliance compromised their security
  • 26% said mobile devices such as smartphones and laptops posed the highest risk of data loss to their businesses.
  • 18% said memory sticks being used for data theft posed the highest risk to their businesses
  • 18% of IT pros say their businesses may not survive the consequences of a major security breach
  • Nearly one-fifth of IT professionals fear their businesses may never re-open for business or would fail shortly after a major security breach
  • 68% said they viewed IT security as “a necessary evil”

CSA UK & Ireland President Des Ward commented on the results of the survey:

“Lack of collaboration and a perceived disconnect between security and business would explain the view of security being deemed ‘a necessary evil’, or even a cost of doing business online and consequently having little real business value. Businesses need to evolve beyond compliance risk management to information risk management in order to implement strategies that reduce the likelihood of breaches occurring, while at the same time affording a level of business agility fitting today’s interconnected society,” he suggested.

Of the main findings, Nigel Stanley, security practice leader at Bloor Research and IT Security Pathfinder at IP EXPO, said:

“What’s clear is that even if someone’s job doesn’t directly involve security per se, everyone needs to be actively engaged in dealing with the problem. And the way that businesses are going about it is encouraging, because security management needs to be a two-way process with the users actively engaged in the process. Generally, taking compliance steps should enhance an organisation’s security – unless of course it is doing just enough to tick the boxes but failing to see the broader benefits of building a compliant business. However, reducing security posture to achieve compliance is bonkers.

“The IT security industry has been left wanting in respect of the consumerisation of IT that’s been fuelled by smartphone adoption. Only now are we starting to see management tools for these devices, so it’s no surprise that these have been identified by respondents as the biggest risk area,” he commented.

IP EXPO will be in London on the 19th and 20th of October 2011.


Six Years of Data Breaches including the TOP 10 largest Breaches


The Leaking Vault 2011 report from the Digital Forensics Association gathered data from 3,765 publicly disclosed data breach incidents, and is the largest study of its kind to date. Information was gleaned from the organizations that track these events, as well as from government sources. Breaches from 33 countries besides the United States were included.

This study covers incidents from 2005 through 2010, and includes over 806.2 million known records disclosed. On average, these organizations lost over 388,000 records per day/15,000 records per hour every single day for the past six years.

The estimated cost of these breaches comes to more than $156 billion for the organizations experiencing them. This figure does not include costs incurred by organizations downstream or upstream, nor by the data subject victims. Further, it is a low estimate, because 35% of the incidents did not give a figure for records lost.

The Hacking vector remains the records loss leader, responsible for 48% of the records disclosed in the study.

  • In 65% of the cases, the data disclosed included the data subject’s name, address and Social Security Number
  • 16% disclosed medical information
  • 15% of the incidents disclosed Credit Card Numbers

Medical disclosures saw a significant increase with the addition of the 2010 data. This is more likely due to the reporting requirement of existing regulations going into effect than any actual increase of incidents. The incidents where criminal use of the data was confirmed increased by 58% from the prior report.

Here is a small sampling of incidents from the study, to put a personal face on the statistics:

  • Three servers at a well-known chain restaurant were charged with using skimming devices to make more than $117,000 in fraudulent charges to customer credit card accounts.
  • A restaurant employee stole customer credit card information and used it to purchase $200,000 of Walmart gift cards.
  • In the span of six months, nine employees of a telecommunications company inappropriately accessed confidential customer account information and used it to make cloned cell phones. Over $15 million of unauthorized phone calls resulted from this scheme.
  • An executive turned himself in to authorities after being accused of selling customer information to identity thieves in exchange for sports tickets and gift cards.
  • The owner of a medical equipment business used Medicare client information to obtain approximately $1.6 million worth of fraudulent claims.
  • The owner of a farm equipment store pled guilty to federal charges, admitting she stole the identities of customers to obtain more than 80 loans worth $1.7 million.

Breach Vectors

There has been a rise in snooping and other inappropriate disclosure where the confidentiality of the data is breached, but the data may not have left the control of the organization; or the act was done with the approval of the organization, but found later to be an inappropriate breach of confidentiality. In a recent case, UCLA Medical Center agreed to pay $865,000 to settle instances where employees snooped on the medical records of celebrities being treated at the facility.

Another example is when the California Department of Health Care Services released confidential and identifying information about HIV positive MediCal recipients to a third party service provider. This was later deemed to be both illegal and unauthorized. To classify these types of cases, the new breach vector of Disclosure has been added to the study beginning with 2011.

The Laptop Vector

Laptops increasingly contain significant amounts of organizational data. They are frequently the sole computer an employee uses, and come with a hard drive that can hold very large datasets. It is not uncommon for companies to find out after a breach that the individual assigned the asset had spreadsheets, and even whole databases, containing sensitive data. When a laptop is issued to an individual, it should be accompanied by a set of rules for the custodian of the device to follow. These should cover maintaining physical control offsite (for example, never leaving it in a vehicle) and onsite (for example, locking it to the work surface), as well as technical controls for when those rules are insufficient to keep the asset safe or are not followed. Potential controls include full-disk encryption, remote wipe capability and tracking/recovery software. The organization has a responsibility to the data subjects to take appropriate steps to ensure their data will not be at risk of disclosure when the unexpected happens.
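To verify the “encrypt the device” control above across a fleet rather than trust that it was applied, the following added example (mine, not from the Digital Forensics Association report) reads the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints on a Linux laptop and flags any mounted filesystem that has no dm-crypt (LUKS) device anywhere up its device chain. The lsblk output embedded below is constructed for the example; the allow-list of plaintext mountpoints (/boot, /boot/efi) is an assumption matching a common LUKS-on-LVM layout, and the function names are mine.

```python
"""Flag mounted filesystems that are not on an encrypted block device (added example)."""
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output: LUKS over the
# third partition with LVM inside it, plus a plaintext second disk.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
        {"name": "nvme0n1p3", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg0-home", "type": "lvm", "mountpoint": "/home"},
            ]},
        ]},
    ]},
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/mnt/exports"},
    ]},
]})

# Mountpoints that conventionally live outside the encrypted container (assumption).
ALLOWED_PLAINTEXT = frozenset({"/boot", "/boot/efi"})


def _walk(dev, encrypted, out):
    """Depth-first walk; a filesystem is encrypted if any ancestor is a 'crypt' device."""
    encrypted = encrypted or dev.get("type") == "crypt"
    mountpoint = dev.get("mountpoint")
    if mountpoint:
        out.append((mountpoint, dev["name"], encrypted))
    for child in dev.get("children", []):
        _walk(child, encrypted, out)


def mounted_filesystems(lsblk_json: str):
    """Return [(mountpoint, device, is_encrypted)] for every mounted filesystem."""
    out = []
    for dev in json.loads(lsblk_json)["blockdevices"]:
        _walk(dev, False, out)
    return out


def unencrypted_mounts(lsblk_json: str, allowed=ALLOWED_PLAINTEXT):
    """Mountpoints holding data in the clear, excluding the allow-listed boot partitions."""
    return sorted(mp for mp, _, enc in mounted_filesystems(lsblk_json)
                  if not enc and mp not in allowed)


def fde_compliant(lsblk_json: str, allowed=ALLOWED_PLAINTEXT) -> bool:
    return not unencrypted_mounts(lsblk_json, allowed)


if __name__ == "__main__":
    # On a real host: lsblk -J -o NAME,TYPE,MOUNTPOINT | python3 -c '...' feeding
    # the JSON to unencrypted_mounts(); here the constructed sample is used.
    bad = unencrypted_mounts(SAMPLE_LSBLK)
    print("FAIL: plaintext mounts %s" % bad if bad else "OK: all data filesystems encrypted")
```

Two caveats a fleet check needs to carry: this proves only that the block device is a dm-crypt mapping, not that the passphrase is strong or that the key is not in a TPM-less auto-unlock slot, and any removable or secondary disk (the `/mnt/exports` case above) is exactly where the spreadsheet full of customer records tends to end up.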

Of the 3,765 incidents in the study, 719 involved laptops being improperly disposed of, getting stolen, or being lost. In 96% of these incidents, the laptops were stolen. Overall, the laptop vector accounted for 45,500,147 records in the study.

  • The largest number of laptops were stolen from the office of the organization suffering the loss. This illustrates the need for locking mechanisms for laptops when unattended at work.
  • The second largest number of laptops were stolen from inside a vehicle. This is the most preventable category, and represents 191 incidents and over 4 million records.

The Hacking Vector

The 2010 data increasingly showed the prevalence of skimmer use. Skimmers are credit card readers, typically handheld or installed in ATMs and point-of-sale devices, that read and steal the card’s track data. This was most commonly seen in retail establishments, and especially in restaurants. Anywhere the credit card is taken away from the customer’s control, there is a higher risk that a skimmer might be used by the dishonest. However, this is not to say that the card data is safe while in the customer’s control. Another increasingly common incident is the skimmer installed in a gas pump. In this case there is either a skimmer on the outside of the pump (these are becoming very clever and difficult to spot), or a device inside the pump that the customer has no hope of detecting, which can be unloaded wirelessly by the criminals at minimal risk of being caught.

The Large Incidents (Involving over 1 Million Records)

Only 66 of 3765 incidents involved over 1 million records. However, those 2% of incidents made up 91% of the records disclosed over the study. The top vector for large incidents was the Hack vector, claiming 29% of the incidents. The Drive/Media vector took 22% of the incidents, with the Fraud – SE vector accounting for 17%.

Breach Vectors of the Ten Largest Incidents (2005 – 2010)

Organization                      Records       Vector
Heartland Payment Systems         130,000,000   Hack
TJX Companies                      94,000,000   Hack
Facebook                           80,000,000   Web
National Archives                  76,000,000   Drive/Media
Card Systems                       40,000,000   Hack
RockYou, Inc.                      32,000,000   Hack
U.S. Dept. of Veterans Affairs     28,600,000   Laptop
H.M. Revenue and Customs           25,000,000   Drive/Media
iBill                              17,781,462   Fraud-SE
T-Mobile                           17,000,000   Drive/Media

Criminal Use

Criminal or malicious motivation in attacks makes for more expensive breaches, both for the organizations that suffer them and for the people whose data is compromised. Between 2005 and 2010, 396 cases were confirmed to have had the data used for criminal activity. This is a difficult metric to track, since the criminal activity associated with breaches shows that the data is commonly sold and resold.

The crime where the perpetrator has a direct connection to the victim is most frequently where the arrest is reported with the event. To that end, the Fraud-SE category is represented by a much higher margin than some of the vectors that have generated these large scale data disclosures.

Credit Cards

There were 558 incidents where credit card number (CCN) data was involved, accounting for almost 330 million records. The median number of records disclosed was 1,000, and 45% of the incidents did not list how many records were disclosed. These records fall under the Payment Card Industry Data Security Standard (PCI DSS), and the organizations that experienced these incidents will have to undergo further scrutiny to prove they are compliant with the standard.
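After an incident like these, the first question an assessor asks is where card numbers actually sit, and the answer is usually “in logs and exports that were never meant to hold them”. The following is an added example (mine, not from the report) of the minimal detector for that job: a regex that picks out 13–19 digit candidates, a Luhn check that discards most false positives, and masking to the first six and last four digits. The log lines are constructed, and the card numbers in them are the public Visa and MasterCard test numbers, not real accounts.

```python
"""Find and mask primary account numbers (PANs) in text: regex candidate + Luhn check."""
import re

# Constructed sample log: a valid Visa test PAN, a Luhn-invalid typo, a phone number,
# a long tracking number and a valid MasterCard test PAN.
SAMPLE_LOG = """\
2010-03-04 10:01:03 order=88213 card=4111 1111 1111 1111 exp=09/13 amount=42.50
2010-03-04 10:01:07 order=88214 card=4111-1111-1111-1112 amount=13.00
2010-03-04 10:02:11 order=88215 phone=020 7946 0958 tracking=9400111899223456789012
2010-03-04 10:02:40 order=88216 card=5500000000000004 amount=99.00
"""

# 13-19 digits, optionally separated by single spaces or hyphens. The lookarounds stop a
# match starting or ending inside a longer digit run (so a 22-digit tracking number is
# not carved into a 16-digit "card").
CANDIDATE = re.compile(r"(?<![\d])(?<![\d][ -])(?:\d[ -]?){12,18}\d(?![\d])(?![ -]\d)")


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 check digit: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return the normalised PANs (digits only) that pass both the length and Luhn checks."""
    pans = []
    for m in CANDIDATE.finditer(text):
        digits = _digits(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(digits: str) -> str:
    """Keep first six and last four; PCI DSS permits at most that much to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str):
    """Return (redacted_text, number_of_pans_masked); non-PAN digit runs are left alone."""
    count = 0

    def repl(m):
        nonlocal count
        digits = _digits(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            count += 1
            return mask_pan(digits)
        return m.group()

    return CANDIDATE.sub(repl, text), count


if __name__ == "__main__":
    print(find_pans(SAMPLE_LOG))
    cleaned, n = redact(SAMPLE_LOG)
    print(f"masked {n} PAN(s):\n{cleaned}")
```

Luhn is a filter, not proof: roughly one random digit string in ten passes it, so on a large corpus this still surfaces order numbers and serials, and the next refinements are checking the leading digits against issuer BIN ranges and looking at the surrounding field names. The masking rule matters for the audit trail too, since the scanner’s own output must not become a new place where full PANs are stored.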

The ID Theft Critical Data Elements

The identity theft critical data elements are those that, in combination with name and address, facilitate identity theft and financial fraud, namely the SSN and date of birth. In the previous The Leaking Vault (TLV) study, we looked at the incidents where all three of these items were lost in the same event; at that time there were only 262 such incidents. There are now a total of 1,084.

In the figure in the report, the Business sector shows a substantial increase, from 168 incidents in the prior study to 850. However, in only 13% of these cases, where the combination of data puts the subject victim in the worst position possible, are the organizations confirmed to have offered credit monitoring. There are a large number of unknowns here as well: in the majority of cases, the reports simply do not say whether the service is offered. This metric is gleaned primarily from the original data breach notification letters, obtained either through FOIA requests or from the government entities that post the original documents as part of the event report. In the Business sector, for instance, 38 cases are confirmed to definitely not offer the service; in the remaining 701 records, the credit monitoring status is not provided.

Estimated Cost of Data Breaches/Year

Total breach cost is records disclosed multiplied by the per-record cost for that year.

Year    Records disclosed   Cost per record   Total breach cost
2005     68,555,563         $138.00            $9,460,667,694.00
2006     80,377,865         $182.00           $14,628,771,430.00
2007    164,813,878         $197.00           $32,468,333,966.00
2008    182,707,769         $202.00           $36,906,969,338.00
2009    261,759,494         $204.00           $53,398,936,776.00
2010     48,080,863         $204.00*           $9,808,496,052.00
Total   806,295,432                          $156,672,175,256.00
*No 2010 per-record cost figure was available; the 2009 figure is reused.

The full The Leaking Vault 2011 report can be found here.


Symantec MessageLabs June 2011 Intelligence Report


Symantec has released its June 2011 Intelligence Report, which provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam and other potentially harmful business risks. The data used to compile this combined report covers May and June 2011.

Report highlights

  • Spam – 72.9% in June (a decrease of 2.9 percentage points since May 2011)
  • Phishing – One in 330.6 emails identified as Phishing (a decrease of 0.05 percentage points since May 2011)
  • Malware – One in 300.7 emails in June contained malware (a decrease of 0.12 percentage points since May 2011)
  • Malicious Web sites – 5,415 Web sites blocked per day (an increase of 70.8% since May 2011)
  • 35.1% of all malicious domains blocked were new in June (a decrease of 1.7 percentage points since May 2011)
  • 20.3% of all Web-based malware blocked was new in June (a decrease of 4.3 percentage points since May 2011)
  • Review of Spam-sending botnets in June 2011
  • Clicking to Watch Videos Leads to Pharmacy Spam
  • Wiki for Everything, Even for Spam
  • Phishers Return for Tax Returns
  • Fake Donations Continue to Haunt Japan
  • Spam Subject Line Analysis
  • Best Practices for Enterprises and Users

Spam Analysis

In June 2011, the global ratio of spam in email traffic decreased by 2.9 percentage points since May 2011 to 72.9% (1 in 1.37 emails).

| Country | May | April | Change % |
|---|---|---|---|
| United States | 29% | 31% | -2 |
| India | 5% | 4% | 1 |
| Russia | 5% | 5% | |
| Brazil | 5% | 5% | |
| Netherlands | 5% | 5% | |
| Taiwan | 3% | 4% | -1 |
| South Korea | 3% | 3% | |
| Uruguay | 3% | 3% | |
| Ukraine | 3% | 2% | 1 |
| China | 2% | 3% | -1 |

As the global spam level declined in June 2011, Saudi Arabia became the most spammed geography, with a spam rate of 82.2%, overtaking Russia, which moved into second position.

In the US, 73.7% of email was spam and 72.0% in Canada. The spam level in the UK was 72.6%. In The Netherlands, spam accounted for 73.0% of email traffic, 71.8% in Germany, 71.9% in Denmark and 70.4% in Australia. In Hong Kong, 72.2% of email was blocked as spam and 71.2% in Singapore, compared with 69.2% in Japan. Spam accounted for 72.3% of email traffic in South Africa and 73.4% in Brazil.

Global Spam Categories

| Spam Category Name | June 2011 |
|---|---|
| Pharmaceutical | 40% |
| Adult/Sex/Dating | 19% |
| Watches/Jewelry | 18% |
| Newsletters | 12% |
| Casino/Gambling | 7% |
| Unknown | 3% |
| Degrees/Diplomas | 2% |
| Weight Loss | 1% |

Phishing Analysis

In June, Phishing activity decreased by 0.06 percentage points since May 2011; one in 286.7 emails (0.349%) comprised some form of Phishing attack.

Phishing Sources

| Country | May | April | % change |
|---|---|---|---|
| United States | 44% | 55% | -11 |
| Chile | 15% | unlisted | N/A |
| Canada | 5% | 5% | |
| Germany | 5% | 6% | -1 |
| United Kingdom | 4% | 6% | -2 |
| China | 2% | unlisted | N/A |
| France | 2% | 3% | -1 |
| Netherlands | 2% | 2% | |
| Russia | 1% | 2% | -1 |
| Australia | 1% | 3% | -2 |

South Africa remained the most targeted geography for Phishing emails in June, with 1 in 111.7 emails identified as phishing attacks. South Africa suffers from a high level of Phishing activity targeting many of its four major national banks, as well as other international financial institutions.

In the UK, phishing accounted for 1 in 130.2 emails. Phishing levels for the US were 1 in 1,270 and 1 in 207.7 for Canada. In Germany Phishing levels were 1 in 1,375, 1 in 2,043 in Denmark and 1 in 543.7 in The Netherlands. In Australia, Phishing activity accounted for 1 in 565.2 emails and 1 in 2,404 in Hong Kong; for Japan it was 1 in 11,179 and 1 in 2,456 for Singapore. In Brazil, 1 in 409.8 emails were blocked as Phishing attacks.

The Public Sector remained the most targeted by phishing activity in June, with 1 in 83.7 emails comprising a Phishing attack. Phishing levels for the Chemical & Pharmaceutical sector were 1 in 897.3 and 1 in 798.3 for the IT Services sector; 1 in 663.2 for Retail, 1 in 151.4 for Education and 1 in 160.8 for Finance.

Email-borne Threats

The global ratio of email-borne viruses in email traffic was one in 300.7 emails (0.333%) in June, a decrease of 0.117 percentage points since May 2011.

The UK remained the geography with the highest ratio of malicious emails in June, as one in 131.9 emails was blocked as malicious in June.

In the US, virus levels for email-borne malware were 1 in 805.2 and 1 in 297.7 for Canada. In Germany virus activity reached 1 in 721.0, 1 in 1,310 in Denmark and in The Netherlands 1 in 390.3. In Australia, 1 in 374.5 emails were malicious and 1 in 666.5 in Hong Kong; for Japan it was 1 in 2,114, compared with 1 in 946.7 in Singapore. In South Africa, 1 in 280.9 emails and 1 in 278.9 emails in Brazil contained malicious content. With 1 in 73.1 emails being blocked as malicious, the Public Sector remained the most targeted industry in June. Virus levels for the Chemical & Pharmaceutical sector were 1 in 509.4 and 1 in 513.8 for the IT Services sector; 1 in 532.8 for Retail, 1 in 130.4 for Education and 1 in 182.3 for Finance.

| Malware Name | % Malware |
|---|---|
| Exploit/SuspLink-d1f2 | 4.85% |
| Link-Trojan.Generic.5483393-4cac | 2.89% |
| W32/NewMalware!836b | 2.41% |
| W32/NewMalware!0575 | 2.39% |
| Exploit/Link-FakeAdobeReader-8069 | 2.32% |
| Trojan.Bredolab!eml-1f08 | 1.97% |
| Exploit/LinkAliasPostcard-d361 | 1.52% |
| W32/Packed.Generic-7946 | 1.46% |
| W32/Bredolab.gen!eml | 1.36% |
| Exploit/FakeAttach-844a | 1.39% |

Web-based Malware Threats

In June, MessageLabs Intelligence identified an average of 5,415 Web sites each day harboring malware and other potentially unwanted programs including spyware and adware; an increase of 70.8% since May 2011. This reflects the rate at which Web sites are being compromised or created for the purpose of spreading malicious content. Often this number is higher when Web-based malware is in circulation for a longer period of time to widen its potential spread and increase its longevity. The 70.8% rise marks a return to the highest rate since December 2010, as can be seen in the chart below; the rate had previously been diminishing during the first half of 2011.

As detection for Web-based malware increases, the number of new Web sites blocked decreases and the proportion of new malware begins to rise, but initially on fewer Web sites. Further analysis reveals that 35.1% of all malicious domains blocked were new in June; a decrease of 1.7 percentage points compared with May 2011. Additionally, 20.3% of all Web-based malware blocked was new in June; a decrease of 4.3 percentage points since the previous month.

Endpoint Security Threats

The endpoint is often the last line of defense and analysis; however, the endpoint can often be the first line of defense against attacks that spread using USB storage devices and insecure network connections. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway filtering. The table below shows the malware most frequently blocked targeting endpoint devices for the last month. This includes data from endpoint devices protected by Symantec technology around the world, including data from clients which may not be using other layers of protection, such as Symantec Web Security.cloud or Symantec Email AntiVirus.cloud.

| Malware Name | Malware % |
|---|---|
| W32.Ramnit!html | 9.47% |
| W32.Sality.AE | 8.49% |
| Trojan.Bamital | 8.23% |
| W32.Ramnit.B!inf | 7.59% |
| W32.DownadupageB | 3.76% |
| W32.Virut.CF | 2.70% |
| W32.Almanahe.B!inf | 2.50% |
| W32.SillyFDC | 1.99% |
| Trojan.ADH. | 1.91% |
| Trojan.ADH | 1.90% |
| Generic Detection | 16.90% |

For further details visit the Symantec website here.

March’s Report summary can be found here.

April’s Report summary can be found here.

May’s Report summary can be found here.


Network Barometer Report 2011 – Dimension Data’s annual report

Dimension Data announced the results of its Network Barometer Report for 2011. The findings of the report have been taken from 270 “Technology Lifecycle Management” (TLM) assessments of enterprise organizations.

The annual Dimension Data report gauges the readiness of organizations’ networks to support business by evaluating adherence to best practices, potential security vulnerabilities and the end-of-life status of network devices.

Key findings from the 2011 report are:

  • More than 73% of corporate network devices had at least one known security vulnerability, nearly double the 38% recorded in last year’s report.
  • A single, higher-risk vulnerability identified by Cisco’s PSIRT* (Product Security Incident Response Team) in September 2009 – PSIRT 109444 – was found in a staggering 66% of all devices, and was responsible for this jump.
  • With PSIRT 109444 removed from the equation, the next four vulnerabilities were found in less than 20% of all devices, indicating that organizations are stepping up remediation efforts.
  • 47% of devices were in late stage obsolescence – characterized as “beyond end-of-contract renewal” – which is the highest risk phase of the product lifecycle. At this point, organizations can no longer purchase additional support and are less likely to have access to the latest vendor-supplied security patches, leaving them vulnerable to security breaches and compliance violations.
  • The average number of configuration violations per device has decreased by 30%; however, AAA (authentication, authorization and accounting) errors continue to dominate.
  • A fall in the total number of configuration issues per device indicates that there has been progress in organisations’ response to configuration errors.
  • Despite some improvement, potential security violations still represent the single largest block of configuration errors.
  • Technology obsolescence is running at 38% of organisations’ installed asset base, little changed in the past 3 years.
  • The percentage of devices in late stage end-of-life dropped from 58% last year to 47% this year, and those beyond LDoS dropped from 31% last year to 9%. This suggests that organisations are managing their network assets in a much more effective manner and refreshing those devices where the risk is greatest.
  • An increase in technology obsolescence in the cases of repeat assessments also suggests that organisations are using an overall understanding of their technology estate to ‘sweat assets’ intelligently.

“The Network Barometer Report 2011 raises the question of whether organizations have the necessary visibility into their overall technology environment to adequately protect customer data, privacy and sensitive business information, and to intelligently manage and ‘sweat’ IT assets,” said Wesley Johnston, chief operating officer, Dimension Data Americas.

“Previous research that we’ve conducted – unrelated to the Network Barometer Report – supports this concern, revealing that companies are unaware of as much as 25% of their networking devices. Organizations need a full view of every device on the network – including where it is, what it does and what the implications are when it breaks or becomes unsupportable – in order to protect themselves and their customers and ensure business productivity and efficiency,” stated Johnston.

The Dimension Data Network Barometer Report can be downloaded here.


The State of Data Security a report by Sophos

Sophos has published its first report focused on data security, “The State of Data Security”.

The report is an excellent read, with 25 pages packed full of information and advice.

The report provides advice and guidance to businesses interested in protecting their data, including “Today’s IT and business managers must take a hard look at the risks and costs of potential data loss. Creating a proactive data security plan arms you with the knowledge you need to manage the risk and helps you to stay compliant with data protection rules and regulations.”

Some statistics and quotes from the report:

  • The U.S. had the highest cost per compromised record at $204, followed by Germany at $177, France at $119, Australia at $114 and the U.K. at $98.
  • CSO magazine’s 2011 CyberSecurity Watch Survey found that 81% of respondents’ organizations experienced a security event during the past 12 months, compared with 60% in 2010. Twenty-eight percent of respondents saw an increase in the number of security events as compared with the prior 12 months.
  • In a survey of 1,000 people in the U.K., 94% ranked “protecting personal information” as their top concern, equal to their concerns about crime, according to The Telegraph.
  • According to security expert Rebecca Herold, you’ll cover roughly 85 to 90% of compliance regulations if you practice effective data protection.
  • About 85% of all U.S. companies have experienced one or more data breaches, according to the Ponemon Institute
  • In 2010, malicious attacks were the root cause of 31% of the data breaches studied, according to the Ponemon Institute – up from 24% in 2009 and 12% in 2008
  • According to the Identity Theft Resource Center, at least 662 data breaches in the U.S. occurred in 2010, which exposed more than 16 million records. Nearly two-thirds of breaches exposed Social Security numbers, and 26% involved credit card or debit card data
  • With over 500 million U.S. records of data breaches and loss since 2005, it’s no surprise that these data loss stories are headline news.

The report can be downloaded here.


Global Threat Report Quarter 1 2011


The Cisco Quarter 1 2011 Global Threat Report has been released. The Cisco Global Threat Report is a compilation of data collected across the four segments of Cisco Security: ScanSafe, IPS, RMS and IronPort.

The highlights for Quarter 1 2011 include:

  • 105,536 unique Web malware were encountered in March 2011, a 46% increase from January 2011
  • Malicious webmail represented 7% of all Web-delivered malware in March 2011, a 391% increase from January 2011
  • 45% of all malicious webmail resulted from Yahoo! mail, 25% from Microsoft Live/Hotmail, and only 2% from Google’s Gmail
  • Search-engine-related traffic resulted in an average of 9% of all Web malware encountered in 1Q11
  • 33% of search engine encounters were via Google search engine results pages (SERPs), with 4% each from Yahoo! and Bing SERPs
  • SERPs and webmail encounters are impacted by the popularity of a particular service and are likely not indicative of any heightened risk specific to that service
  • Likejacking increased significantly during the first quarter of 2011, from 0.54% of all Web malware encounters in January 2011 to 6% in March 2011
  • At 13%, Miley Cyrus–themed likejacking scams beat out all other celebrities and events in March 2011. Likejacking themes for Indian actress Nayantara were at 7%, while Charlie Sheen was at 3%, Justin Bieber at 2%, and Lady Gaga at 1%
  • At 4% of all Web malware encounters in 1Q11, website compromises that attempted to download the Hiloti Trojan were the most frequently encountered, followed by malicious GIF injections (3%). Website compromises related to the Lizamoon series of SQL injection attacks represented just 0.15% of Web malware encounters for the quarter
  • Though far less successful than in years past, SQL injection attempts continued to be the most prevalent event firing (55%) observed by Cisco Remote Management Services in 1Q11
  • Malware activity related to the MyDoom worm was the 10th most frequently RMS-observed IPS event in 1Q11, demonstrating that legacy malware can still pose a threat to unprotected systems
  • As expected, Rustock activity declined significantly over 1Q11, but, interestingly, the sharp decline commenced weeks prior to the botnet takedown
  • Following 4Q10 declines, global spam volume increased and then subsequently decreased during 1Q11, but levels remained above that of December 2010
  • With an increase of 248%, Indonesia overtook the United States as the top spam-sending country in 1Q11

Cisco’s Top 10 Signature Findings Q1 2011

| Signature | Percentage |
|---|---|
| Generic SQL Injection | 55.03% |
| Web View Script Injection Vulnerability | 7.01% |
| Gbot Command and Control Over HTTP | 5.16% |
| B02K-UDP | 5.20% |
| Cisco Unified Videoconferencing Remote Command Injection | 4.91% |
| Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution | 3.27% |
| Windows MHTML Protocol Handler Script Execution | 2.47% |
| WWW WinNT cmd.exe Access | 1.30% |
| Web Application Security Test/Attack | 1.19% |
| MyDoom Virus Activity | 1.16% |

Note that the MHTML vulnerability described in Microsoft KB 2501696, IntelliShield alert 22310, and Cisco Intrusion Prevention System (IPS) 6.0 – 33379/0 also appears on the Cisco RMS top 10 signature events list for 1Q11. Microsoft released an update for this former zero-day vulnerability in April 2011 (MS11-026).

While a significantly occurring event in 1Q11, SQL injection attempts remained at a fairly steady pace throughout the quarter with the only notable increase occurring in the latter part of March 2011.

Cisco RMS Top 10 by Port Activity

| Port | Percentage |
|---|---|
| 80 | 69% |
| 40436 | 2.23% |
| 25 | 2.17% |
| 161 | 1.39% |
| 5060 | 1.27% |
| 123 | 1.16% |
| 34227 | 1.13% |
| 443 | 1.05% |
| 21 | 1.00% |
| 20 | 0.71% |

Although they represent a relatively small percentage of overall spam, phishing attacks pose a serious risk to security, both from a financial and sensitive information disclosure perspective. In 1Q11, attackers increasingly turned their attention toward phishing Twitter accounts.

This interest in Twitter credentials is likely due in part to Twitter users’ acceptance of shortened URLs. By compromising Twitter accounts, attackers can take advantage of shortened URLs to entice followers to visit malicious links the users might ordinarily view as suspicious. Such attacks are further fuelled by the trust engendered through social networking in general.

The report can be downloaded here.


Study: Consumers’ Reaction to Online Fraud


ThreatMetrix, a cloud-based fraud prevention company, and the Ponemon Institute have released the findings of their joint study on consumers and their awareness and appreciation of online fraud.

The study revealed:

  • 85% of respondents reported being worried and dissatisfied with the level of protection online businesses are providing to stop fraudsters. This figure is up 5% on the Ponemon study of 2009.
  • 42% of respondents said they have been the victim of online fraud.
  • 80% of victims said they did not report the crime.
  • Of those who said they had reported the fraud, 19% reported it only to the online business.

“A lot of fraudulent activity goes unreported today, making it difficult for online businesses to fully understand the prominence and seriousness of the problem,” said Reed Taussig, president and CEO, ThreatMetrix. “With a rise in online transactions and activities across devices, more needs to be done to educate online merchants, banks, social outlets and other businesses on how to decrease fraudulent activity.”

Those respondents that expressed concern over online fraud said they felt online merchants, banks and social networks need to take additional steps to prevent fraudsters from stealing consumer information.

  • 68% would allow a trusted online business to place a cookie on their computer to automatically authenticate them
  • 82% indicated that they would expect an online business to offer alternative authentication methods if they were unable to match the consumer’s digital fingerprint to their security system.

“Our survey results help validate the need and consumer preference for technology, such as device identification, to authenticate identity as opposed to using personally identifiable information,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Consumers expressed much more willingness to share data like ISP, computer serial number, type and make, rather than information like date of birth and telephone number.”

Information Consumers are Willing to Allow a Trusted Online Business to Check to Verify Their Identity, or Digitally Fingerprint Their Computer:

1. Serial number of computer 88%
2. Type and make of your computer 83%
3. Internet service provider 76%
4. Browser settings  71%
5. Type of browser  65%
6. IP address 59%
7. Types of software applications residing on your device 54%
8. Email address  46%
9. Purchase history  39%
10. Planned future purchases  35%
11. Date of birth  34%
12. Telephone number  17%
13. Home address  16%
14. Name  14%
15. Zip code 9%
16. Social Security number 4%
17. Driver’s license number 2%

Study findings indicate that consumers have a “positive perception about companies that use authentication and fraud detection tools to prevent online fraud”.

  • 56% of consumers indicated they are ‘more willing’ to shop or browse an online business if they know that company is taking specific measures toward combating fraud.
  • 88% of respondents stated a preference for companies to share information about their device for authentication purposes — as opposed to sharing personal information to verify their identity.

Read the whole study here.

Symantec MessageLabs April 2011 Intelligence Report


Symantec MessageLabs have released their April 2011 Intelligence Report which as usual makes very interesting reading.

The highlights of the Intelligence Report are below:

  • Spam – 72.9% in April (a decrease of 6.4 percentage points since March 2011)
  • Viruses – One in 168.6 emails in April contained malware (an increase of 0.11 percentage points since March 2011)
  • Phishing – One in 242.2 emails comprised a phishing attack (an increase of 0.02 percentage points since March 2011)
  • Malicious web sites – 2,431 web sites blocked per day (a decrease of 18.2% since March 2011)
  • 33.0% of all malicious domains blocked were new in April (a decrease of 4.0 percentage points since March 2011)
  • 22.5% of all web-based malware blocked was new in April (a decrease of 1.9 percentage points since March 2011)
  • Targeted attacks increase in intensity: What does a recent targeted attack look like?
  • Shortened URLs: Do you know what you’re clicking on?

Symantec MessageLabs’ table below shows the most frequently blocked email-borne malware for April, many of which take advantage of malicious hyperlinks. Overall, 55.1% of email-borne malware was associated with Bredolab, Sasfis, SpyEye and Zeus variants, a trend initially reported in the MessageLabs Intelligence Report for February 2011.

| Malware | % Malware |
|---|---|
| Trojan.Bredolab!eml | 37.67% |
| Exploit/FakeAttach | 4.54% |
| HeurAuto-08ba | 3.88% |
| Gen:Variant.Kazy.17074 | 3.53% |
| Trojan.Bredolab | 3.31% |
| W32/Bredolab.gen!eml-19251 | 3.27% |
| W32/Bredolab.gen!eml | 2.83% |
| Gen:Variant.Kazy.16615 | 1.80% |
| W32/Generic-afcd | 1.79% |
| W32/Delf-Generic-ad9e | 0.70% |

Symantec MessageLabs’ table below shows the malware most frequently blocked targeting endpoint devices for the last month. This includes data from endpoint devices protected by Symantec technology around the world, including data from clients which may not be using other layers of protection, such as Symantec MessageLabs Web Security.cloud or Symantec MessageLabs Email AntiVirus.cloud.

| Malware | % Malware |
|---|---|
| W32.Sality.AE | 8.10% |
| W32.Ramnit.B!inf | 7.80% |
| W32.Ramnit!html | 6.90% |
| Trojan.Gen | 6.80% |
| Trojan Horse | 6.80% |
| Trojan.Bamital | 5.30% |
| W32.Downadup.B | 4.10% |
| Trojan.Gen.2 | 3.80% |
| Downloader | 3.80% |
| W32.Almanahe.B!inf | 2.50% |

See the entire Symantec MessageLabs Intelligence Report here.

The March report summary can be found here.


Symantec MessageLabs March 2011 Intelligence Report


Symantec MessageLabs have released their March 2011 Intelligence Report which as usual makes very interesting reading.

The highlights of the Intelligence Report are below:

  • Spam – 79.3% in March (a decrease of 2.0 percentage points since February 2011)
  • Viruses – One in 208.9 emails in March contained malware (an increase of 0.13 percentage points since February 2011)
  • Phishing – One in 252.5 emails comprised a phishing attack (a decrease of 0.07 percentage points since February 2011)
  • Malicious websites – 2,973 web sites blocked per day (a decrease of 27.5% since February 2011)
  • 37.0% of all malicious domains blocked were new in March (a decrease of 1.9 percentage points since February 2011)
  • 24.5% of all web-based malware blocked was new in March (an increase of 4.2 percentage points since February 2011)
  • Global spam volumes drop by one third, as Rustock botnet is dismantled
  • First review of spam-sending botnets in 2011 identified Bagle as most active botnet as Rustock fell silent

Spam: The Russian Federation was the most frequent source of spam in March, perhaps in large part because a large number of bots for Bagle, Lethic and Maazben are located in this geography.

| Country | % of Spam |
|---|---|
| Russian Federation | 12.4% |
| India | 8.8% |
| Brazil | 5.9% |
| United States | 4.5% |
| Ukraine | 4.4% |
| Colombia | 3.9% |
| Romania | 3.8% |
| Argentina | 2.8% |
| Vietnam | 2.5% |
| Korea, Republic of | 2.5% |

Symantec MessageLabs’ table below shows the most frequently blocked email-borne malware for March, many of which take advantage of malicious hyperlinks. In March, 35.3% of email-borne malware was associated with Bredolab, SpyEye and Zeus variants, a trend initially reported in the MessageLabs Intelligence Report for February 2011.

| Malware | % Malware |
|---|---|
| Trojan.Bredolab!eml | 24.0% |
| Exploit/SuspLink-7d87 | 17.1% |
| W32/Bredolab.gen!eml-19251 | 4.8% |
| Trojan.Bredolab | 1.9% |
| Exploit/SuspLink.dam | 1.8% |
| Exploit/SuspLink-6c7b | 1.6% |
| W32/Bredolab.gen!eml | 1.5% |
| W32/Bredolab!gen-ad91 | 1.4% |
| Exploit/LinkAliasPostcard-b354 | 0.8% |
| W32/Delf-Generic-ad9e | 0.7% |

Symantec MessageLabs’ table below shows the malware most frequently blocked targeting endpoint devices for the last month.

| Malware | % Malware |
|---|---|
| W32.Sality.AE | 8.3% |
| Trojan.Gen* | 7.7% |
| Trojan Horse | 7.4% |
| W32.Ramnit!html | 5.8% |
| Trojan.Gen.2* | 4.9% |
| W32.Ramnit.B!inf | 4.3% |
| Trojan.ADH.2 | 4.3% |
| Trojan.Bamital | 4.3% |
| W32.Downadup.B | 3.9% |
| Downloader* | 3.5% |

See the whole Symantec MessageLabs Intelligence Report here.

It is also worth reading the earlier posts on Phishing and the impact on the UK Banks and the Fraud Intelligence Report.


Call Centre Security and PCI Compliance


Credit card data is the crown jewels for hackers and the financial lifeblood of many companies. An Account Data Compromise, also known as a breach, can lead to bad press and a bad reputation; you only need to Google Play.com or Lush to see the impact.

With the 18th March 2011 launch of the PCI Council’s “Protecting Telephone Based Payment Card Data” guidance for call centres, it is worth noting that, according to research from Connected World, 36.7% of contact centres claimed to be fully compliant with the Payment Card Industry Data Security Standard (PCI DSS).

However, the majority (89%) admitted to not understanding PCI DSS, its requirements or its penalties.

There are many business and regulatory requirements that impact Call Centres, especially the recording of telephone calls, for example in the United Kingdom, the Financial Services Act.

The act of recording a call can break the rules of PCI DSS, as most calls will involve the recording of ALL the card data, including the CAV2, CVC2, CVV2 or CID, which must never be recorded. Storing the PAN and expiry date is acceptable so long as the data is encrypted and the Merchant has acted on all the questions within SAQ D, or has undertaken a formal audit if they are a Level 1 Merchant.

The number one piece of advice for Call Recording is DO NOT DO IT unless you really have to.

However, the recording of the calls and storing of Credit Card Data in an encrypted format are small parts of the issue facing Call Centres.
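As an added example (not from this post or from the PCI Council), the following Python scanner shows how a call centre can check stored call transcripts or agent notes for the data just described: it finds Luhn-valid card numbers and masks them to the first six and last four digits, and it flags and strips any CAV2/CVC2/CVV2/CID value, which must never be stored. The keyword list, sample transcript and card numbers are constructed (the card numbers are the well-known Visa and Mastercard test numbers).

```python
"""Scan call-centre transcripts or agent notes for payment card data.

Added example, not from the blog post or the PCI Council. The keyword list,
the sample transcript and the card numbers below are constructed; the two
card numbers are the well-known Visa and Mastercard test numbers, not real PANs.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# A card security code (CAV2/CVC2/CVV2/CID): 3 or 4 digits following one of the
# ways an agent or caller typically names it. Constructed keyword list.
SEC_CODE_RE = re.compile(
    r"\b(?:cvv2?|cvc2?|cav2|cid|security code|three digits)\b\D{0,40}(\d{3,4})\b",
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn check (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits, the most that
    PCI DSS requirement 3.3 allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_transcript(text: str) -> dict:
    """Return what a storage/retention review needs to know about a transcript.

    pans            masked, Luhn-valid PANs (storable only when encrypted)
    security_codes  number of CAV2/CVC2/CVV2/CID values found (must never be stored)
    redacted        the transcript with PANs masked and security codes removed
    """
    findings = {"pans": [], "security_codes": 0, "redacted": ""}

    def mask_match(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # an order or reference number, not a card number
        masked = mask_pan(digits)
        findings["pans"].append(masked)
        return masked

    def strip_code(m):
        findings["security_codes"] += 1
        keyword_part = m.group(0)[: m.start(1) - m.start(0)]
        return keyword_part + "[REMOVED]"

    redacted = PAN_RE.sub(mask_match, text)
    redacted = SEC_CODE_RE.sub(strip_code, redacted)
    findings["redacted"] = redacted
    return findings


# Constructed transcript: one Luhn-valid card number, one security code, and a
# 16-digit reference number that fails Luhn and must be left alone.
SAMPLE_TRANSCRIPT = (
    "Agent: Can I take the long number on the front of the card? "
    "Caller: 4111 1111 1111 1111, expiry 09/13. "
    "Agent: And the CVV on the back? Caller: 123. "
    "Agent: Thanks, your order reference is 1234 5678 9012 3456."
)

if __name__ == "__main__":
    result = scan_transcript(SAMPLE_TRANSCRIPT)
    print("PANs found:", result["pans"])
    print("Security codes found:", result["security_codes"])
    print(result["redacted"])
```

Any transcript where `security_codes` is non-zero is evidence that the recording process is capturing data PCI DSS forbids storing, which is the finding to raise before worrying about encryption of the PAN.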

By considering the following points and reviewing the documents on the PCI Resource page, you can go a long way towards achieving a PCI compliant Call Centre.

  • Employee vetting is the first step in ensuring a secure Call Centre.
  • There needs to be a formal employee induction programme where employees learn about the company’s policies (rules) and the ramifications of breaching the policies.
  • Specifically, there needs to be a documented Policy on how employees handle Calls and the Data resulting from the Calls, especially Credit Card Data.
  • The Merchant needs to communicate the Policy to all employees that have access to Credit Card Data.
  • Do employees regularly receive training on the Policy and its importance? They should do.
  • Are employees made aware of their IT Security responsibilities?
  • Security Awareness training needs to be provided, for example, how to deal with the threat of computer viruses, how to report suspicious activity, etc
  • Security Awareness has to be promoted, for example, on posters and in newsletters.
  • Do supervisors/managers enforce a clear desk Policy? For example, no MP3 players, no note pads or any other methods to record information.
  • Access to photocopiers and scanners needs to be restricted.
  • Restricting physical access to the Call Centre should be considered.
  • Call Centres should be restricted to employees only and visitors need to be escorted.
  • All paperwork leaving the Call Centre should be shredded to avoid the unnecessary risk of Personally Identifiable Information (PII) finding its way into the public domain.
  • Consideration should be given to CCTV.
  • Do all employees have unique logon identities?
  • Are strong passwords enforced?
  • Are passwords changes enforced every 30 days, or less?
  • Are password changes significantly different after every change? For example, not simply adding a 1 or a 2 at the end of previous password.
  • Home and remote workers need to have local security installed, for example, personal Firewalls and Anti Virus.
  • Do systems and servers that store credit card data, for example, CRMs and Databases, have access restricted on a need to know basis?
  • Are logs taken and stored for system and networks where data is stored?
  • Is the Merchant’s network and systems attached to the network adequately protected against viruses, hackers and other threats?
  • Are these systems regularly scanned and patched for vulnerabilities? PCI DSS requires that all systems and networks within the scope of the card data environment be scanned by an Approved Scanning Vendor at least quarterly.
  • Is the Merchant’s security regularly tested? For example, by having Penetration Tests.
  • Does the Merchant have a plan on how to deal with a breach and is this plan tested? This is often called an Incident Response Plan and can be tuned to deal with all types of breaches for example, the Epsilon Email Breach.

In summary, PCI DSS is not the only area of compliance affecting the Call Centre, but PCI DSS does help focus the business on what security, processes and procedures are required to achieve best practice.


The majority of stolen Credit Cards stop being used after 24 hours

Ethoca in their report “Fraud Attacks Cross Industries” (Jan 2011) have established that in 86% of cases, fraudsters stopped using a credit card in less than 1 day (24 hours) either because the card was cancelled by the issuer or because the fraudster began using another card.

They also found that 10% of stolen cards were used at multiple merchants.

In only 29% of the cases did the fraudster stay within the same industry sector. In other words, the fraudsters try to spread their fraud across as wide a field as possible, probably to avoid the credit card issuers’ anti-fraud procedures, which can spot buying patterns: how many mobile phones does one person need?

The report established that the number one target for cross-industry fraud was Mobile Phones, followed by pre-paid Gift Cards. This means that in almost all cases of organised fraud the fraudster will have a Mobile Phone and a Gift Card on their shopping list.

About the report

Ethoca’s data came from credit card issuers and online merchants. The 95 merchants studied in their program represent 61% of the top 500 Internet merchants as measured by revenue*.

Issuers had identified the fraud with their own risk management systems and then confirmed with the cardholder that the order was indeed fraudulent before providing the transaction details to Ethoca. As a result, Ethoca was able to study a total of 25,188 confirmed cases of fraudulent transactions from June 2010 through October 2010.

*Source: Internet Retailer Magazine for 2009 www.top500guide.com
