Archive for the ‘Cyber Security’ Category

The Bots are Coming! The Bots are Coming!

The Check Point 2013 Security Report researched almost 900 businesses in 62 countries to determine the major security risks companies are exposed to daily. The research shockingly showed that 63% of enterprises are infected with bots. As well, more than half are infected with new malware at least once per day.

Cybercrime is ever evolving, and has reached unprecedented levels. Cybercriminals are constantly changing their techniques, and are threatening organizations of all sizes.

The top threats include botnets and risky Web applications. The surge in Web 2.0 applications has provided cybercriminals with brand new ways of infiltrating corporate networks. The survey showed 91% of enterprises use applications with potential security risks. Over half of the enterprises surveyed had experienced a data loss incident.

Being aware of all activity taking place on their networks is a major component for enterprises to develop a strong security blueprint. Security threats are constantly evolving, and enterprises must do what they can to minimize their risks.

Data Breaches Hurt Business Investments

Data breaches and hacker attacks are a major concern for consumers whose personal information has been put at risk. They are also a major concern for investors.

A recent study by Zogby Analytics shows that companies that have been a target of at least one cyberattack are viewed by possible investors with skepticism. A whopping 78.1% of investors surveyed indicated they would be very unlikely to invest in such a business.

As well, 68.7% indicated they would avoid investing in a company that has had one or more data breaches.

The study also found that more than half of investors were more concerned with the theft of customer data than corporate data.

Companies that are ill-equipped to battle cyberattacks will likely find they will suffer a significant detrimental effect on their brand when they are hit. If they don’t react to a breach with a well-thought-out plan, the detrimental effect will be even more devastating.

Hackers attack Twitter, Pinterest and Tumblr

If in doubt, change your password. Customer support tool Zendesk had been hacked earlier in February, and that affected Zendesk’s clients Twitter, Pinterest and Tumblr.

“We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines,” explained Zendesk on their blog.

Pinterest responded by urging users to take measures to protect their accounts by using strong passwords and not sharing their passwords.

Tumblr warned its customers to review any e-mails they had shared with Zendesk to make sure no account information could be used by the hackers.

TLS protocol open to attack

UK scientists warn that the TLS protocol that provides security for online banking, credit card data and Facebook has “major weaknesses” which may lead to the interception of sensitive personal data.

The Transport Layer Security (TLS) protocol is used by millions of people daily. TLS provides security for online banking and for credit card purchases for online shopping.

Many corporate email systems use it, as do several huge entities including Facebook and Google.

The Information Security Group at Royal Holloway University found that a so-called ‘Man-in-the Middle’ attack can be launched against TLS that intercepts sensitive personal data.

“While these attacks do not pose a significant threat to ordinary users in its current form, attacks only get better with time. Given TLS’s extremely widespread use, it is crucial to tackle this issue now,” said the Information Security Group’s Professor Kenny Paterson. “Luckily we have discovered a number of countermeasures that can be used. We have been working with a number of companies and organizations, including Google, Oracle and OpenSSL, to test their systems against attack and put the appropriate defences in place.”

Internal Threats to your Data

A portable hard drive that contained personal information of more than half a million Canadians “disappeared” from the Gatineau office of Human Resources and Skills Development Canada.

The 583,000 Canadians whose information was “lost” were Canada Student Loans Program borrowers. The information included their names, social insurance numbers, birthdays, contact information and loan balances. It also contained information about the borrowers’ parents, siblings and spouses, which could conceivably increase the number of people impacted to two million plus.

Whether the “loss” was malicious or inadvertent, the Canadian government now joins many private businesses in learning the hard way that a major threat to data comes from within.

There are a number of factors that make internal data compromise difficult to address.

• Unstructured data lacks adequate controls: unstructured data is stored outside business applications and can be viewed outside the core business systems. This causes security issues because audit trail controls no longer apply.

• Most enterprises have huge volumes of unstructured data: often the excessive amount of unstructured data is due to poor organization of unnecessary and outdated files.

• Sensitive data is not readily identifiable: due to large volumes of data it is difficult to identify the small subset of sensitive data that needs to be safeguarded.

• It’s easy for data to travel: with staff email and access to the Internet, with file-sharing sites, with tiny data storage devices, the transfer of data out of the organization is extremely simple.

To address the unstructured data leakage risk, enterprises must have strong data governance and management controls in place. These controls are necessary to reduce the volume of unstructured data and to identify and control the most sensitive information.

Phishing and Spear Phishing Attacks are Effective

A recent survey of IT enterprise decision makers by Proofpoint, Inc. has found that phishing and spear phishing attacks against large organizations are extremely common and extremely effective in compromising user credentials and corporate IT systems.

Just over half of all respondents believe that their organizations were targeted by phishing email in the past year.

More than half of those respondents belonging to organizations with 1000 or more email users believe that their organizations were targeted by a spear phishing attack.

By comparison, 42% of respondents belonging to organizations with fewer than 100 email users believe they were targeted by a spear phishing attack.

More than a third of respondents who experienced a spear phishing attack in the previous 12 months (17% of all respondents) believe that the attacks resulted in compromised user login credentials and/or unauthorized access to corporate IT systems.

When asked which vectors posed the greatest risk of corporate data loss, respondents answered outbound email, online file sharing solutions, stolen mobile devices and postings to social media sites in that order.

Cost of Data Breaches

A new study by Ponemon Institute has shown that 54% of participants experienced at least one data breach in the last 12 months. Of those, 19% experienced more than four!

Almost half of those who suffered a data breach reported their corporate reputation suffered. Almost a third had had to downsize due to loss of customers.

Data breaches came with a cost too — an average £91,985 ($146,240.51) increase in customer acquisition spending.

Research shows that it takes businesses on average over 9 months and £138,700 ($220,509.42) to fully recover from a data breach.

One can’t help but conclude that data breaches and cybercrime have serious consequences to corporations.

Astoundingly, 58% of those businesses who had yet to suffer a data breach didn’t believe they would suffer loss of reputation if it happened to them. As well, 70% didn’t believe they would have to spend more on customer acquisition if they became victims of a data breach.

There is definitely a discrepancy between what businesses think the repercussions of a data breach would be and what the repercussions really are. Unhappily, this dissociation from reality tends to lull businesses into complacency about their data security.

Now is definitely the time, before a data breach happens, to anticipate and forestall risks to corporate data.

Hacker Group Anonymous has been Busy

The hacker group Anonymous has had a busy week doing what they do best — hacking.

“Today, Nov. 4, 2012, our security team became aware of the public posting of VMware ESX source code dating back to 2004. This source code is related to the source code posted publicly on April 23, 2012,” VMware wrote on its Security and Compliance blog. “It is possible that more related files will be posted in the future. We take customer security seriously and have engaged our VMware Security Response Center to thoroughly investigate.”

Anonymous also claimed to have hacked PayPal and leaked confidential information, including coded passwords and phone numbers, from approximately 28,000 PayPal accounts.

PayPal has issued a statement saying they are investigating but have yet to find evidence of this breach.

Cyber Security Concerns Should Include Mobile Devices

Not surprisingly the majority of SMBs allow their employees to use mobile devices such as smartphones and tablets. Alarmingly very few of them have taken the necessary steps to ensure these devices are safe from cyber threats.

According to a survey commissioned by AT&T and the Polytechnic Institute of New York University, 90% of SMBs allow their employees to use mobile devices to access work email, and 41% allow their employees to use these devices to access business files.

An astonishing 83% of SMBs allow their employees to use their personal devices for work.

Only 29% have installed anti-virus software on smartphones.

Although 82% of SMBs have taken steps to secure company laptops, only 32% are taking measures to protect smartphones, and 39% to protect tablets.

Of the majority not taking steps to protect these mobile devices, only 42% have plans to increase security.