Showing posts with label Data loss. Show all posts

Friday, November 8, 2013

Kaspersky Lab 2013 Global Corporate IT Security Risks

34% of respondents ranked protection from incidents as the top priority

Kaspersky Lab, in partnership with research company B2B International, conducts regular surveys focusing on the key IT security issues and cyber threats which worry businesses.

The survey aimed to find out what representatives of these companies thought of corporate security solutions, to ascertain their level of knowledge about cyber threats, what cyber security related problems they most often face, how they address these problems and what they expect in the future.

The 2013 Kaspersky Lab and B2B International survey results provided below reflect the opinions of companies on key issues related to the security of the corporate IT infrastructure.

They also reflect the changes that have taken place since the previous two studies. Comparing current and historical data helps to identify and analyze existing trends in this area, ultimately creating a complete and, we believe, objective picture of the threat landscape, as well as future problems and trends affecting corporate IT security.

Main Findings

According to the survey results, one of the major problems facing businesses is the creation of a clear IT infrastructure development strategy with an information security strategy at its heart.

Companies are increasingly determined to secure their IT infrastructure in the light of increasing numbers of incidents – and significant financial losses associated with them. The main findings of the survey are:

  • Maintaining information security is the main issue faced by a company’s IT management.
  • In the past 12 months, 91% of the companies surveyed had at least one external IT security incident and 85% reported internal incidents.
  • A serious incident can cost a large company an average of $649,000; for small and medium-sized companies the bill averages at about $50,000.
  • A successful targeted attack on a large company can cost it $2.4 million in direct financial losses and additional costs.
  • For a medium-sized or small company, a targeted attack can mean about $92,000 in damages – almost twice as much as an average attack.
  • A significant proportion of incidents resulting in the loss of valuable data were internal, caused by issues such as unclosed vulnerabilities in software used by the company, intentional or negligent actions of employees or the loss or theft of mobile devices.
  • Personal mobile devices used for work-related purposes remain one of the main hazards for businesses: 65% of those surveyed saw a threat in the Bring Your Own Device policy.
  • Information leaks committed using mobile devices – intentionally or accidentally – constitute the main internal threat that companies are concerned about for the future.

For the full report in PDF format, click here.

Wednesday, August 28, 2013

Visualizing The World's Biggest Data Breaches

In corporate servers we trust? A beautiful interactive timeline puts the growing vulnerabilities to our personal online security in stark relief

The experience is becoming so common it’s scary. You're sitting there minding your own business, when up pops an email (or worse, a letter via snail mail) from some company you may or may not be familiar with telling you that your data has been compromised by a security breach. Change your password post haste, and count yourself lucky if a password is the worst of what was compromised.

More than 50% of CEOs surveyed by the Ponemon Institute, a cybersecurity think tank, say that their company experiences cyber attacks daily or even hourly.

These attacks are becoming more and more sophisticated, and increasingly, they are successful: to date this year, there have been 343 data breaches reported in the U.S., which already exceeds the number in all of 2006, according to the Wall Street Journal. A new visualization of the world’s biggest data breaches on a timeline since 2004 puts the rise of cyberattacks in stark relief.


You can explore the graphic more here. And to protect yourself against certain kinds of data breaches, it's always good to follow good hygiene for passwords and PINs to your online accounts, like making sure you use different passwords for all sites. You can see a few additional tips on how to secure your passwords here.

Friday, February 22, 2013

Six Types Of Information Commonly Leaked

Mandiant Highlights Broad Range of Information Stolen from Victims

IT security provider Mandiant lists six categories of information that's commonly pilfered from business and government computers by hackers from a Chinese military unit it dubs APT1.

Mandiant's findings appear in a comprehensive report issued Feb. 18 that the security firm contends documents how APT1 has breached computers in enterprises that conduct business mostly in English, especially in the United States [see map below]. China denies the allegations presented in the report.  

According to Mandiant, the data stolen relate to:

  • Product development and use, including information on test results, system designs, product manuals, parts lists and simulation technologies;
  • Manufacturing procedures, such as descriptions of proprietary processes, standards and waste management processes;
  • Business plans, such as information on contract negotiation positions and product pricing, legal events, mergers, joint ventures and acquisitions;
  • Policy positions and analysis, such as white papers, and agendas and minutes from meetings involving high-ranking personnel;
  • E-mails of high-ranking employees;
  • User credentials and network architecture information.

Mandiant says it's often difficult to estimate how much data APT1 has stolen during its intrusions because the People's Liberation Army unit deletes the compressed archives after it pilfers them, leaving only trace evidence that is usually overwritten during normal business activities.


Tuesday, October 30, 2012

Symantec: Internet Security Threat Report 2012

Comprehensive report from Symantec, worth reading!

Spam, phishing and malware data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts and more. Over 8 billion email messages and more than 1.4 billion web requests are processed each day across 15 data centres.

Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and over 50 million consumers.

Download: Symantec Internet Security Threat Report (registration may be required).

Monday, October 8, 2012

When will universities take SECURITY seriously?

Hackers Breach 53 Universities and Dump Thousands of Personal Records Online

Hackers published online Monday thousands of personal records from 53 universities, including Harvard, Stanford, Cornell, Princeton, Johns Hopkins, the University of Zurich and other universities around the world. The group of hackers, calling themselves Team GhostShell, claimed responsibility for the attack on Twitter and published some 36,000 e-mail addresses and thousands of names, usernames, passwords, addresses and phone numbers of students, faculty and staff, to the Web site Pastebin.com.

In most cases the data was already publicly available, but in some instances the records included additional sensitive information such as students’ dates of birth and payroll information for university employees. Typically, hackers seek such information because it can be used to steal identities, crack bank accounts or can be sold on the black market.

Universities make ripe targets because they store vast numbers of personal records, often in decentralized servers. The records can be a gold mine because students often have pristine credit reputations and do not monitor their account activity and credit scores as vigilantly as adults. Dozens of universities have been plagued by breaches recently.

Last August alone, the University of Rhode Island warned students and faculty that their information may have been exposed. And at the University of Arizona, a student discovered a breach after a Google search exposed her personal information, and that of thousands of others at the university. Smaller computer breaches at Queens College and Marquette University were also reported.

In this case, the hackers said they were not motivated by profit but to “raise awareness towards the changes made in today’s education.” In a message accompanying the stolen data, they bemoaned changing education laws in Europe and spikes in tuition fees in the United States. But they also noted that in many cases, the servers they breached had already been compromised. 

“When we got there, we found that a lot of them have malware injected,” the hackers wrote on Pastebin. To breach servers, the hackers used a technique known as an SQL injection, in which they exploit a software vulnerability and enter commands that cause a database to dump its contents.
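An added example, not code from the original article: the vulnerable query construction the paragraph describes beside its parameterised replacement, run against a constructed in-memory SQLite table (the table, its rows and the inputs are assumptions, not data from any breached university).

```python
import sqlite3

# Constructed sample directory standing in for a university's user table.
SAMPLE_USERS = [
    ("alice", "alice@example.edu", "555-0100"),
    ("bob", "bob@example.edu", "555-0101"),
    ("carol", "carol@example.edu", "555-0102"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the user-supplied value is spliced into the SQL text,
    so quote characters in the input become part of the query's syntax."""
    sql = "SELECT username, email, phone FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value travels as a bound parameter; the database
    never parses it as SQL, so it can only ever match a literal username."""
    sql = "SELECT username, email, phone FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with an ordinary and a hostile input; return row counts."""
    conn = make_db()
    ordinary = "alice"
    # Constructed hostile input of the kind the article describes: it closes
    # the quoted literal and appends an always-true condition, so the unsafe
    # query matches (dumps) every row instead of one.
    hostile = "nobody' OR '1'='1"
    return {
        "unsafe_ordinary": len(lookup_unsafe(conn, ordinary)),
        "unsafe_hostile": len(lookup_unsafe(conn, hostile)),
        "safe_ordinary": len(lookup_safe(conn, ordinary)),
        "safe_hostile": len(lookup_safe(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterised lookup returns nothing for the hostile input, which is the behaviour a code review or web-application scan should be checking for on every query that takes user data.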

In the case of some universities, the hackers breached multiple servers. At colleges across the country, some students set up sites that allowed students and faculty to search the leaked data for their information. For instance, at the University of Pennsylvania, Matt Parmett, a junior, created a Web site that made it possible for classmates to search the leaked data by name.

Tuesday, February 14, 2012

Microsoft's India store hacked

Microsoft website saying "unsafe system will be baptized"

Hackers, allegedly belonging to a Chinese group called Evil Shadow Team, struck at www.microsoftstore.co.in on Sunday night, stealing login ids and passwords of people who had used the website to shop for Microsoft products.

While it is troublesome that hackers were able to breach security at a website owned by one of the biggest IT companies in the world, it is more alarming that user details - login ids and passwords - were reportedly stored in a plain text file, without any encryption.

Following the hack, the members of Evil Shadow Team posted a message on the Microsoft website saying "unsafe system will be baptized". The story was first reported by www.wpsauce.com.

Later, the website seemed to have been taken offline by Microsoft. We advise users of the Microsoft India Store to change their passwords as soon as the website comes back online. Also, if they have used the same password or login id on any other web service, they should change it there immediately.

Last year, hacker groups like LulzSec carried out several high-profile break-ins, putting the focus on the security measures companies put in place. Sony allegedly suffered several security breaches, and hackers stole user ids and passwords of customers from its network.

In a message posted on a website called Pastebin, LulzSec claimed the group was bringing attention to web security. "Do you think every hacker announces everything they've hacked? We certainly haven't, and we're damn sure others are playing the silent game. Do you feel safe with your Facebook accounts, your Google Mail accounts, your Skype accounts? What makes you think a hacker isn't silently sitting inside all of these right now," the group wrote.

But the incident at Microsoft Store on Sunday hints that lessons have not been learnt. Just like Sony, which later revealed that user ids and passwords were not encrypted at the time of the security breach, Microsoft too seemed to have been casual about handling user details by storing them in a plain text file.
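An added example (not code from the article, from Microsoft or from Sony) of the storage mistake this post and the Sony comparison turn on: the plaintext credential record beside a salted, slow-hashed record built with Python's standard library, plus the verification routine that makes the hashed form usable. The iteration count and sample credentials are constructed values.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters. The iteration count is a constructed demo
# value; a deployment should use the highest count its login latency allows.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def plaintext_record(username: str, password: str) -> str:
    """What the article describes: the credential written out verbatim. Anyone
    who reads the file (an intruder who copies it, a backup, an admin) has the
    password itself, including any copy the user reuses on other services."""
    return f"{username}:{password}"


def hashed_record(username: str, password: str, salt: bytes = b"") -> str:
    """Hardened form: store a per-user random salt and a slow salted hash, never
    the password. A copied file yields only hashes that must be brute-forced
    one user at a time."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{username}:{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the hash from the stored salt and iteration count, then compare
    in constant time so the check itself leaks nothing about the stored digest."""
    _username, stored = record.split(":", 1)
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def password_recoverable_from_record(record: str, password: str) -> bool:
    """True when the secret itself appears in the stored record, i.e. the
    exposure that a plaintext credential file creates the moment it is copied."""
    return password in record


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    print(plaintext_record("shopper", pw))
    rec = hashed_record("shopper", pw)
    print(rec, verify(rec, pw), verify(rec, "wrong"))
```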

Saturday, October 22, 2011

DHS: “Anonymous” Sniffing around SCADA systems

Hacktivist group "Anonymous" is considering attacking SCADA systems

A recently leaked DHS document (Download Here) warns that Hacktivist group “Anonymous” are considering attacking SCADA systems and Critical Infrastructures in some countries.

The document, labelled “for official use only”, quotes several Twitter posts believed to belong to Anonymous members discussing and exchanging information about SCADA projects.

“On 19 July 2011, a known Anonymous member posted to Twitter the results of browsing the directory tree for Siemens SIMATIC software. This is an indication in a shift toward interest in control systems by the hacktivist group.”

Another quoted tweet:

“An anonymous individual provided an open source posting on twitter of xml and html code that queries the SIMATIC software. The individual alleged access to multiple control systems and referred to ‘Owning’ them. The Twitter posting does not identify any systems where privileged levels of access to control systems have been obtained.”

The report insinuates that experienced Anonymous hackers can quickly gain the knowledge required to hack ICS (Industrial Control Systems), which is correct. But the report does not mention that there is currently a gold rush among researchers to come up with SCADA vulnerabilities: in just the past couple of weeks, anyone following the right, publicly available sources could count more than a dozen zero-day vulnerabilities out there.

Just by looking around, I am afraid to say that ICS are going to be the next target after the current wave of attacks on financial institutions (“Occupy Wall Street”).

Looking at the flow of events, Anonymous, LulzSec and Co. have already targeted governments, big corporates, defense contractors, banks and stock exchanges. The next logical step down the food chain is energy.

More on the topic:

- Washington Times
- The Register

Thursday, August 11, 2011

Survey: Median Cost of Cybercrime Up 56% in a Year

Cybercrime is expensive, Cost of Cybercrime Soaring!

EMC CFO David Goulden the other day said last month's breach of the system that stores secret codes for RSA's SecurID multifactor authentication tokens cost EMC $66.3 million in the second quarter.

That's well above average, according to a just-released survey by technology provider Hewlett-Packard, conducted by the Ponemon Institute. HP's second annual Cost of Cybercrime Study pegged the median annualized cost of cybercrime incurred by a benchmark sample of organizations at $5.9 million. The survey revealed a range of $1.5 million to $36.5 million, a 56 percent increase from the median cybercrime cost reported in HP's inaugural study published in July 2010.

But, as the study shows, taking the proper preventative measures is a money-saver. Organizations that had deployed security information and event management (SIEM) solutions realized a cost savings of nearly 25 percent over those who didn't.

Still, the survey suggests the battle against cybercrime has gotten much harder in the past year. It takes organizations longer, and costs them more, to resolve cyberattacks. In 2011, the survey shows, the average time to resolve a cyberattack was 18 days, with an average cost to participating organizations of nearly $416,000. That's a nearly 70 percent increase from the estimated $250,000 cost and 14-day resolution period surmised from last year's study.

And it's tougher to solve an insider crime than one perpetrated from the outside. A malicious insider attack can take more than 45 days to contain.

Of course, averages can't be applied to all situations. The RSA breach occurred nearly five months ago, and no one knows - or at least no one is saying - who perpetrated that costly cybercrime, which diminished not only EMC's coffers but RSA's reputation as well.

Tuesday, August 2, 2011

Cyber criminals have been shaking the security world

What does the second half of the year have in store for the data security industry?

2011 is only half way through and there is already a growing number of cyber threat stories to recount, including data security breaches, encryption breaches and e-mail/credit card theft incidents. Cyber criminals have been shaking the security world with attacks like never before. We have seen the rise and fall of groups like Anonymous and LulzSec, who have carried out some very high profile cyber-attacks on companies like Sony, large banks, the IMF, and government agencies like the FBI.

Even the highly regarded security firm RSA experienced a sophisticated cyber-attack that came through a security breach within the organisation. The attack that brought RSA to its knees originated from one spear phishing email that contained a malicious Excel file exploiting a vulnerability in Adobe Flash. The phishing emails tricked users into opening the file, which installed a backdoor through the vulnerability in Flash. Due to the sensitive nature of RSA’s work, most details about what data was stolen have been withheld.

Perhaps the most publicized breach of all was the Sony PlayStation Network hacks in April, which ended up compromising over 100 million customer accounts, and had Sony shut down its services for over six weeks. Initially Sony said that 77 million accounts had been compromised, but later the company admitted another 25 million accounts had been breached.

The stolen information included customers’ user names and passwords, email addresses, home addresses, birthdays, billing information and security questions. This kind of information is the ideal ammunition for identity theft and for data security threats through phishing.

These are just some of the serious data breaches that have taken place in 2011 so far.

To mitigate data breaches by attackers, all access to stored personal details and confidential information must be physically authenticated by the relevant authorised personnel, so that any unauthorised entry is prevented.

Monday, July 4, 2011

Hole in Google Chrome that granted unauthorised access to gmail accounts

Web extensions to become a new attack vector

A penetration tester has exploited a hole in Google Chrome that granted unauthorised access to Gmail accounts.

WhiteHat Security researcher Matt Johansen identified the vulnerability in a Chrome OS note-taking application. He disclosed the hole to Google which patched it and gave him US$1000 as part of its Chromium security initiative.

Johansen told Reuters he intercepted data travelling between a Chrome browser extension and the Google cloud. Google has not yet revealed details of the security hole which Johansen plans to release at the Black Hat conference in Las Vegas this year.

Google extensions, written by third party software developers, were a ripe target for attack because they were granted more privileged access rights to Google cloud data than what the browser offered to web sites.

WhiteHat Security detailed in a 2007 research paper a series of web application security vulnerabilities that could also be used to attack web browser extensions in Chrome and Mozilla Firefox.

Chrome OS director Caesar Sengupta said there are "significant benefits to security" by storing apps within the browser.

Saturday, June 11, 2011

Kaspersky KryptoStorage

Personal Digital Vault

Kaspersky KryptoStorage securely protects your personal files against unauthorized access and data theft using cutting-edge transparent encryption technology and allows deleted files to be permanently erased from your computer.

Kaspersky KryptoStorage ensures that your encrypted data stays confidential in the event of malware attacks, unsecure WiFi connections and even if your laptop or storage device is lost or stolen. The encrypted data is only accessible via a strong password that is highly resistant to brute force attacks.

Product Highlights
  • Encrypts folders and disk partitions to prevent data theft
  • New files can be added to encrypted folders or containers at any time
  • Containers can be transferred to other storage media and computers
  • Encrypts data "on the fly" with full access to the encrypted information
  • Limits access to data to prevent unauthorized modification or removal
  • Uses AES-128 algorithm for strong encryption
  • Allows data to be permanently deleted
  • Fully compatible with Microsoft's new operating system, Windows 7
Refer here for further details.

Friday, May 20, 2011

Facebook caught exposing millions of user credentials

App bug overrides user privacy settings

Facebook has leaked access to millions of users' photographs, profiles and other personal information because of a years-old bug that overrides individual privacy settings, researchers from Symantec said.

The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to advertisers and others. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user, such as posting messages to a Facebook wall or sending RSVP replies to invitations. For years, many apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information users specifically designated as off limits.

The Symantec researchers said Facebook has fixed the underlying bug, but they warned that tokens already exposed may still be widely accessible. “There is no good way to estimate how many access tokens have already been leaked since the release [of] Facebook applications back in 2007,” Symantec's Nishant Doshi wrote in a blog post published on Tuesday. “We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers.”

Refer here to read more details.

Wednesday, May 4, 2011

Sony exposes another 24.6 million accounts

Affected Sony user accounts now total more than 100 million

Just when you thought things couldn’t get any worse for Sony: Hours after shutting down access to its Sony Online Entertainment service, the company announced another security intrusion that exposed information on an additional 24.6 million accounts.

Sony says hackers infiltrated the Sony Online Entertainment (SOE) systems around the same time as the recent break-in to Sony’s PlayStation Network (PSN). Data thieves made away with personal information from approximately 24.6 million SOE accounts, according to Sony.

An “outdated database from 2007” was also copied which included 12,700 credit card and debit card numbers and expiration dates from customers in Austria, Germany, Netherlands and Spain. Sony noted that credit card security codes were not included in that database.

SOE systems power Sony’s multiplayer online games including EverQuest II, Free Realms and DC Universe Online. The service went down Monday morning in the United States with a maintenance message. Sony has since followed up with more details.

Over the weekend Sony executives held a press conference to discuss security problems with its PlayStation Network (PSN) and Qriocity media streaming service. Around April 18, data thieves broke into PSN and Qriocity’s databases and made away with personal information on 77 million account holders, including, possibly, credit card information on about 10 million subscribers.

Please refer here to read further details.

Monday, March 14, 2011

2010 Annual Study: U.S. Cost of a Data Breach

Data breach costs rise with criminal attacks

Criminals are driving up the cost of data breaches for U.S. business, according to researchers at the Ponemon Institute and Symantec.

The U.S. Cost of Data Breach survey released today by the Ponemon Institute and sponsored by Symantec showed the cost of a data breach rose for the fifth straight year to an average $7.2 million per incident, up 7 percent from 2009. That’s $214 for every compromised customer record breached.

The most expensive breach reported in 2010 was $35.3 million, and the least expensive was $780,000, both up from the previous year. A key factor in the rising cost is the fact that criminals account for a larger share of the data breaches, and these are significantly more expensive to contain and fix.

Deliberate, criminal attacks rose nearly 30 percent last year, now accounting for 31 percent of all attacks (negligence, like lost hard drives or documents, still accounts for 41 percent of breaches), and the cost of malicious attacks is rising even faster, jumping 48 percent to an average of $318 per compromised record, wrote Dr. Larry Ponemon, founder and chairman of the institute, on his blog.

Malicious attacks create more costs because they are harder to detect, the investigation is more involved and they are more difficult to contain and remediate. Another reason malicious attacks are so expensive is that the criminal is out to monetize their work; they’re trying to profit off the breach.

Other factors behind rising costs:

Better awareness: Breaches are less likely to go undetected and/or unreported. This is motivated by existing legislation and the threat of further legislation. So far, 46 U.S. states have passed such measures, with varying definitions of a breach, deadlines for notifying customers and punishments for failing to comply.

Faster (costlier) response: More companies favor a rapid response. This year, 43 percent of companies notified customers within 30 days.

From Dr. Ponemon’s blog:

“For the second year, we’ve seen companies that quickly respond to data breaches pay more than companies that take longer. This year, they paid 54 percent more."

For more details please refer here.

Friday, February 11, 2011

Fraud Incidents More Expensive - Javelin Strategy & Research

ID Fraud: New Accounts Most at Risk

The latest consumer fraud trends suggest that financial institutions must provide increasing leadership in the fight against identity-related fraud.


According to new findings from Javelin Strategy & Research, consumers and law enforcement alike now turn to banks and credit unions for more sophisticated detection and prevention when it comes to the misuse of stolen identities to open new accounts.

In its annual Identity Fraud Survey report, Javelin finds that losses from new account fraud far exceed those associated with other types of ID fraud. Moreover, new account fraud is harder to detect.

While Javelin finds that the number of ID fraud incidents dropped 28 percent from 2009, when ID fraud reached an all-time high, in 2010 the expense associated with recovering from ID fraud increased 66 percent.

Please refer here to download the report.

Monday, January 31, 2011

Security White Papers

Information Security Resources

Here are some new security white papers I'd like to share with you - I hope you'll enjoy them.


7 Shortcuts to Losing Your Data (and Probably Your Job)

This tongue-in-cheek white paper explores data loss from a contrarian point of view, exploring the top 7 shortcuts you can take to ensure that you lose your data.

Download PDF: http://bit.ly/hBDpIK

Top Eight Identity & Access Management Challenges with SaaS Applications

This white paper presents the eight biggest identity and access management (IAM) challenges associated with adopting and deploying cloud and SaaS applications, and discusses best practices for addressing each of them.

Download PDF: http://bit.ly/geZi1S

The Silent Danger of Clever Malware

This paper discusses the history and progression of the modern Trojan attack. It explores the methodology used by hackers in selecting a target and developing a compelling attack and cites several examples of some successful targeted Trojans.

Download PDF: http://bit.ly/e4QHCc

Vulnerability Management - Assess, Prioritize, Remediate, Repeat

This report provides insights into Best-in-Class practices for assessing vulnerabilities and threats to IT infrastructure, prioritizing fixes based on the business value of resources and acceptable levels of risk, and remediating through the efficient deployment of patches, configuration changes, and other compensating controls.

Download PDF: http://bit.ly/i35fAH