Infographic - 78% of Organizations Experienced a Data Breach in the Past 2 Years

Cybercriminals steal $1 billion every year from small and medium-sized businesses in the U.S. and Europe

The folks at Imprima have compiled this infographic, complete with facts about data loss and data breaches in the small business community.

USB Attacks Need Physical Access Right? Not Any More

Exploiting USB Driver vulnerabilities

NCC Group Research Director Andy Davis presented 'USB Attacks Need Physical Access Right? Not Any More...' at this year's BlackHat Asia in Singapore.

Due to recent advances in a number of remote technologies, USB attacks can now be launched over a network. The talk went into detail about how these technologies work, the resulting impact on the world of USB bugs and included a live demo remotely triggering a USB kernel bug in Windows 2012 server.

It's an interesting research, refer here to download the paper and learn more about USB Bugs.

Internet of Things is Creeping into the Average Lives of Consumers

Internet of Things Gone Wild

Thanks to rapid innovation, our lives are getting easier. But there is a price to be paid. The Internet of Things is creeping into the average lives of consumers in unexpected ways, creating new vulnerabilities even in what was once the safety of our own homes.

There’s the report late last week from California-based security firm Proofpoint uncovering the first proven Internet of Things-based attack that hijacked such smart household equipment as home routers, smart TVs, and even one unsuspecting and apparently innocent refrigerator to generate spam. The attack, which took place between December 23 and January 6, generated over 750,000 “malicious email communications” and involved over 100,000 “everyday consumer gadgets.”

Each of the below developments has been built to automatically collect data about users and send that data to others. The developers insist this data is being used to enhance the consumer experience in some way; but what they don't often reveal is all the ways that data is being used to help them make money or achieve some other objective.

Take a look at these examples and think twice before you volunteer your personal information by purchasing one of these "smart" products.

• LG markets a fridge that sends a text when the milk runs out, and this article says experts have long warned such a gadget is an attractive "soft target" for hackers. In fact, in one recent attack on 100,000 smart gadgets, 750,000 spam emails were sent to their owners.
  
• Google's smart contact lenses check in and report on your health, monitoring things like gluclose levels in your tears. One commenter's question was intended to be sarcastic, but in every joke there is a grain of truth. He asked: Will it send the wearer's glucose levels directly to the NSA or does that only happen after the contact lens syncs with Google's cloud? The fact is, if the lenses can report glucose levels, it is also technically possible to program them to report on many other types of activities, as well as more of your body contents and characteristics.
  
• Wearables devices monitor physical activity and connect wirelessly to online services charged with collecting data on the wearer. If insurance companies were able to collect and use this data for their underwriting purposes (which now let employers charge employees different health insurance rates based on whether they exercise, eat right or make healthy choices), these devices could spell disaster for insurance costs... not to mention the potential impacts if employers, potential employers, family members, etc. obtain the data.    
  
• Video baby monitors send signals far and wide. To test the vulnerability of these smart gadgets, a Miami TV reporter attached one of these baby-monitor receivers to the dashboard of his car. In just a few minutes, he was able to pick up images of babies and bedrooms. Traditional audio montiors are vulnerable, as well. During the summer of 2013, ABC News reported on a Houston couple who heard cursing and lewd remarks coming from their 2-year-old's baby monitor. It had been hacked.
  
• A clip-on camera takes a still image every 30 seconds in an effort to "record your life." How often have you come across a photo of yourself that if taken out of context could cause others to jump to the wrong conclusion (college days, anyone)? Worse, what happens when someone with a clip-on camera enters a public restroom or locker room and takes pictures of people (or children) in various stages of undress?

Verizon Infographic: Why PCI Compliance has to be a Business-Wife Priority?

In 2013, only 11.1% of companies were PCI compliant on their initial assessment!

Cybersecurity in the age of "Surveillance"

How to assure that your network and its data are being guarded by a trusted partner?

The collection of information generated from the online activities of citizens, by both private and public interests, has become so widespread and pervasive that it has prompted several social commentators to label today’s digital-defined culture as “The Surveillance Age.”

The fact that nearly every sovereign state with the means is conducting high-tech surveillance programs, a practice that is considered by most to be integral to national security and ensuring the safety of the state and its citizens. For many observers, the most disconcerting component of the recently exposed data-collection activities of the National Security Agency was tied to multiple U.S. companies may have cooperated in the surveillance activities.

The possibility that trusted businesses could be leaving digital backdoors through which sensitive information could slip has cast a chill across both consumer and professional market sectors. This issue is not for us to speculate here; however, given the interest it has attracted, it would be valuable to share some fundamental information about mobile security, as well as some guidance to assure that your network and its data are being guarded by a trusted partner.

A key element of security is encryption technology, which is critical to protecting the confidentiality and integrity of a digital transaction between two endpoints, such as a mobile device and a corporate server located behind a firewall. Providing an integrated approach to mobile security, in which data is encrypted while at rest (stored on a digital device) or in transit, is the best protection against the loss of data or a security breach that could impact the profitability, competitiveness, or reputation of an organization. Strong encryption guards against data integrity compromises in these environments, which are typically treated by network engineers or mobile security experts as hostile and untrustworthy

It’s important to note that encryption technologies differ significantly in the degrees of protection they offer. To gain a deeper understanding of encryption requires an introduction to a few esoteric cryptography terms. One of those terms is entropy, which plays a significant role in determining the effectiveness of a modern encryption system. At a very high level, entropy is a measure of how much randomness you have. Simply put, the more entropy you have the more effective your encryption can be. Consider the differences between seeking a needle in a haystack and looking for one hidden in an acre’s worth of haystacks. The procedures are essentially the same; it’s the level of difficulty and complexity that differs substantially between the two scenarios. 

Any discussion related to digital intrusion or surveillance has to include spyware, which is a form of malware. Businesses or organizations using mobile devices that have open development platforms are especially susceptible to attempts to exploit users through spyware. It is also a favorite tool of cyber criminals, who are increasingly targeting mobile devices as access points into the confidential data of organizations for purposes that range from nuisance to nefarious. 

Disguised within a consumer application, malware can be used to gain access to personal information, for anything from marketing to identity theft to compromising corporate data. This real and growing threat requires security solutions that properly safeguard the privacy of governments, enterprise workers, and individual users.

The fact that the number and utility of mobile devices will only increase means that the boundaries of the modern organization are being stretched to include hundreds or even thousands of mobile end points possessing access to the most precious assets, such as intellectual property and other sensitive information.

Security in this environment cannot be an afterthought. It must be built in at every layer -- hardware, software, and network infrastructure -- to ensure end-to-end protection. With the stakes so high in “The Surveillance Age,” it’s imperative that you demand "confidentiality & integrity" commitment from every partner you trust with your information.

What You May Need to Know about Your Smart TVs & Phones

Smart appliances may be too smart for our own good!

Take smart TVs, for instance. As this article illustrates, some of these new appliances are particularly vulnerable to hackers. Once compromised, the TVs allow access to account information, including login credentials (which owners may use for access to more than just their smart-TV account). Even scarier, hackers could gain access to front-facing cameras to see everything happening in the room where the TV is connected. Instead of you watching your favorite program, criminals may be watching you!   

As many people get new smartphones for holiday gifts, they will be tempted to sell their old devices. If you're one of them, keep this story, reported by a Virginia ABC affiliate, in mind.

McAfee online security expert Robert Siciliano did a little experiment; he purchased 30 different devices from craigslist, including laptops, notebooks, iPads and smartphones. "I asked every single person if they re-installed the operating system or reformatted the drive, and they all said yes," Siciliano said. "On more than half of the devices, I found enough information to steal identities or, in some cases, even get people into trouble." 

The takeaway? Be mindful that erasing your personal data from your devices requires more than a delete button.

Here's a good resource  for learning how to sufficiently wipe your smartphones, tablets, computers and more before handing them off to a stranger. 

Information Security Forum (ISF) Identifies 6 Major Threats for 2014

ISF report states top six security threats global business will face in 2014 include the cloud, "BYO" trends and cyber-crime

A nonprofit group founded in 1989, the ISF performs research on topics dictated by its 350-plus global member organizations. Only recently has it begun making its findings public.

The six threats identified as major concerns headed into 2014, ISF emphasized the need for companies to find trusted partners and talk about cyber-security—a topic that's often treated as private.

Six: BYO

Trends Topping the ISF's list is BYO, and it's no mistake that the "D" is missing. Workers bring their email accounts, their cloud storage and more. As the trend of employees bringing mobile devices in the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.

Five: Data Privacy In the Cloud

The cloud presented no danger, as long as one could tick off a list of items, including knowing how many clouds a company has; what other companies' data are being stored on the same servers; whether one's storage services are being subcontracted; and if there's a clear plan for what happens when a contract with a cloud provider is terminated. While the cost and efficiency benefits of cloud computing services are clear, organizations cannot afford to delay getting to grips with their information security implications.

Organizations must know whether the information they are holding about an individual is Personally Identifiable Information (PII) and therefore needs adequate protection.

Four: Reputational Damage

There are two types of companies—those that have been hacked and those that are going to be. What would a hack mean to your marketing manager, to your head of investor services, to your PR team that needs to put out that statement?. When the situation is something that could send stock prices plummeting, the reality of it sets in.

Three: Privacy and Regulation

Organizations need to treat privacy as both a compliance and a business risk, according to the ISF. "Furthermore," the report added, "we are seeing increasing plans for regulation around the collection, storage and use of information along with severe penalties for loss of data and breach notification, particularly across the European Union. Expect this to continue and develop further, imposing an overhead [cost] in regulatory management above and beyond the security function and necessarily including legal, HR and board level input."

Two: Cyber-Crime

ISF emphasized how shockingly excellent criminals are at coordinating and working together toward a cause. The Syrian Electronic Army's hack into The New York Times was offered as an example. The bad guys are really great at collaboration, because there's a lot in it for them.

Cyber-crime, hacktivism—hacking for a cause—and the rising costs of compliance, to deal with the uptick in regulatory compliance issues, can create a perfect storm of sorts,. "Organizations that identify what the business relies on most will be well-placed to quantify the business case to invest in resilience, therefore minimizing the impact of the unforeseen.

One: The Internet of Things 

High-speed networks and the Internet of Things will create scenarios like the ability for a car to detect a traffic jam ahead and understand that its driver won't make it to the airport in time for his flight—and so contact the airport to change the flight. That level of information, in the wrong hands, is concerning.

Businesses can't avoid every serious incident, and few have a "mature, structured approach for analyzing what went wrong.

By adopting a realistic, broad-based, collaborative approach to cyber-security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber-threats and respond quickly and appropriately." 

Beta Bot: A New Trend in Cyber-Attacks

Beta Bot Malware Blocks Users Anti-Virus Programs

A new warning about malware designed to target payment platforms highlights why anti-virus software is increasingly ineffective at preventing account compromises. And while this new Trojan is not yet targeting online-banking accounts, financial institutions should be aware of the threat. The malware is another example of how fraudsters are increasingly getting around standard modes of authentication, such as usernames and passwords.

The Internet Crime Complaint Center and the Federal Bureau of Investigation recently issued an advisory about Beta Bot, the new malware that targets e-commerce sites, online payment platforms and even social networking sites to compromise log-in credentials and financial information.

When Beta Bot infects a system, an illegitimate but official-looking Microsoft Windows message box named "User Account Control" pops up, asking the user to approve modifications to the computer's settings. "If the user complies with the request, the hackers are able to exfiltrate data from the computer," the advisory states. "Beta Bot is also spread via USB thumb drives or online via Skype, where it redirects the user to compromised websites."

Beta Bot defeats malware detection programs because it blocks access to security websites and disables anti-virus programs, according to IC3. "This is a good demonstration of how fraudsters' methods are evolving constantly. They are coming up with sophisticated methods that appear so convincing, even people who typically would not fall for their schemes may do so.

Beta Bot's attacks also resemble the ransomware attacks that coupled the banking Trojan known as Citadel with the drive-by virus known as Reveton, which seized consumers' computers and demanded ransom, purporting to be from the FBI.

IC3 and the FBI warn that if consumers see what appears to be an alert from Microsoft but have not requested computer setting modifications from the company, they have likely been targeted for a Beta Bot attack. If infected, running a full system scan with up-to-date anti-virus software is recommended. And if access to security sites has been blocked, then downloading anti-virus updates or a new anti-virus program is advised.

How To Reduce Application Security Risk?

Survey shows serious misalignment between IT Executives & Engineers

Ponemon Institute independently surveyed 642 IT professionals in both executive and engineering positions. The majority of the respondents were at a supervisory level or higher. Over half of the respondents are employed by organizations of more than 5,000 employees.

Based on the responses, the primary finding is that a much higher percentage of executive-level respondents believe their organizations are following security procedures through the lifecycle of application development than do the engineers who are closest to executing the security processes.

This is a serious and potentially dangerous misalignment. Another troubling conclusion is that most organizations are only taking minimal steps to address application security throughout their development process.

The most effective way to reduce application security risk is to implement a formal, repeatable development process that includes secure coding standards to enable the early detection and remediation of vulnerabilities.

Mature organizations tend to have highly effective application security programs that include the three pillars of a secure SDLC:

• Application Security Standards
• Regular Security Assessments for measurement
• Training for each role in the SDLC

The mature organizations share common characteristics by:

• Writing and adopting security architecture and development standards.
• Training their development teams on application security topics based on role, platform, and technology used.
• Conducting regular assessments on their applications and processes to make sure the implementation of standards is effective.
• Ensuring that their executives, technicians and staff understand the importance of application security as part of the organizations’ overall risk management strategy and collaborate on ensuring the practices described above are in place.

Five Generations Of Cybercrime

Now that cybercrime is in its fifth generation, prevent a security nightmare from happening on your watch

It helps to understand more about the history of hacking, when you need to defend yourself against cyber criminals. Early hacking started when guys like Kevin Mitnick became ‘digital delinquents’ and broke into the phone company networks.

That was to a large degree to see how far they could get with social engineering, and it got them way further than expected. Actual financial damage to hundreds of thousands of businesses started only in the nineties, but has moved at rocket speed these last 20 years.

Generation ONE

Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it. Relatively harmless, no more than a pain in the neck to a large extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another with a floppy disk to transfer the virus.

Generation TWO

These early day ‘sneaker-net’ viruses were followed by a much more malicious type of super-fast spreading worms (we are talking a few minutes) like Sasser and NetSky that started to cause multi-million dollar losses. These were still more or less created to get notoriety, and teenagers showing off their “elite skills”.

Generation THREE

Here the motive moved from recognition to remuneration. These guys were in it for easy money. This is where botnets came in, thousands of infected PCs owned and controlled by the cybercriminal that used the botnet to send spam, attack websites, identity theft and other nefarious activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to find and easy to disinfect.

Generation FOUR

Here is where cybercrime goes professional. The malware starts to hide itself, and they get better organized. They are mostly in eastern European countries, and use more mature coders which results in much higher quality malware, which is reflected by the first rootkit flavors showing up. They are going for larger targets where more money can be stolen. This is also the time where traditional mafias muscle into the game, and rackets like extortion of online bookmakers starts to show its ugly face.

Generation FIVE

The main event that created the fifth and current generation is that an active underground economy has formed, where stolen goods and illegal services are bought and sold in a ‘professional’ manner, if there is such a thing as honor among thieves. Cybercrime now specializes in different markets (you can call them criminal segments), that taken all together form the full criminal supply-chain. Note that because of this, cybercrime develops at a much faster rate. All the tools are for sale now, and relatively inexperienced criminals can get to work quickly. Some examples of this specialization are:

• Cybercrime has their own social networks with escrow services
• Malware can now be licensed and gets tech support
• You can now rent botnets by the hour, for your own crime spree
• Pay-for-play malware infection services that quickly create botnets
• A lively market for zero-day exploits (unknown vulnerabilities)

The problem with this is that it both increases the malware quality, speeds up the criminal ‘supply chain’ and at the same time spreads the risk among these thieves, meaning it gets harder to catch the culprits. We are in this for the long haul, and we need to step up our game, just like the miscreants have done the last 10 years!

Cybersecurity is a never-ending Tom and Jerry cartoon

The Coming Wave of Security Startups

The threat from cyber-intrusions seems to have exploded in just the last 18 months. Mainstream media now report regularly on massive, targeted data breaches and on the digital skirmishes waged among nation states and cybermilitants. Unlike other looming technical problems that require innovation to address, cybersecurity never gets solved.

The challenges of circuit miniaturization, graphical computing, database management, network routing, server virtualization, and similarly mammoth technical problems eventually wane as we tame their complexity. Like antibiotic-resistant bacteria, attackers adapt to our defenses and render them obsolete. As in most areas of IT and computing, innovation in security springs mostly from startup companies. Larger systems companies like Symantec, Microsoft, and Cisco contribute to the corpus of cybersecurity, but mostly acquire their new technologies from startups.

Government agencies with sophisticated cyberskills tend to innovate more on the offensive side. Anyone looking to found or invest in one of those small security companies destined for success should focus on the tsunami of change rocking the IT world known as cloud computing.

According to Forrester, the global market for cloud computing will grow more than sixfold this decade, to over a quarter trillion dollars. Cloud security, as it is known, is today one of the less mature areas of cloud computing, but it has already become clear that it will become a significant chunk of that vast new market. A Gartner report earlier this year predicted that the growth of cloud-based security services would overtake traditional security services in the next three years. Just like other software products, conventional security appliances are being replaced by cloud-based alternatives that are easier to deploy, cheaper to manage, and always up-to-date.

Cloud-based security protections can also be more secure, since the vendor can correlate events and profile attacks across all of its customers’ networks. This collaborative capability will be critical in the coming years as the private sector looks to government agencies like the National Security Agency for protection from cyberattacks. The cloud also enables new security services based on so-called big data, which could simply not exist as standalone products.

Companies like SumoLogic can harvest signals from around the Web for analysis, identifying attacks and attackers that couldn’t be detected using data from a single incident or source. These new data-centric, cloud-based security products are crucial to solving the challenges of keeping mobile devices secure. Most computers shipped today are mobile devices, and they make juicier targets than PCs because they have location and payment data, microphones, and cameras. But mobile carriers and employers cannot lock down phones and tablets completely because they are personal devices customized with personal apps. Worse, phones and tablets lack the processing power and battery life to run security processes as PCs do.

Cloud approaches to security offer a solution. Software-as-a-service security companies like Zscaler can scan our mobile data traffic using proxies and VPNs, scrubbing them for malware, phishing, data leaks, and bots. In addition startups like Blue Cava, Iovation, and mSignia using Big Data to prevent fraud by fingerprinting mobile devices. Cloud security also involves protecting cloud infrastructure itself. New technologies are needed to secure the client data inside cloud-based services against theft or manipulation during transit or storage.

Eventually it should become possible for cloud computing customers to encrypt and destroy data using their own encryption keys. Until they do, there is an opportunity for startups such as CipherCloud and Vaultive to sell encryption technology that is used by companies over the top of their cloud services to encrypt the data inside.

Lastly, cloud security also includes protecting against the cloud, which enables creative new classes of attack. For example, Amazon Web Services can be used for brute force attacks on cryptographic protocols, like that one German hacker used in 2010 to break the NSA’s Secure Hashing Algorithm. Attackers can use botnets and virtual servers to wage distributed denial of service attacks; and bots can bypass captcha defenses by crowdsourcing the answers. Cloud-based attacks demand innovative defenses that will likely come from startups.

For example, Prolexic and Defense.net (a company Bessemer has invested in) operate networks of filters that buffer their clients from cloud-based DDOS attacks. Cloud computing may open up enormous vulnerabilities on the Internet, but it also presents great opportunity for innovative cybersecurity. In the coming decade, few areas of computing will be as attractive to entrepreneurs, technologists, and investors.

Top 5 Tools Every Security Professional Must Learn

5 basic tools for security professionals

As the role of the information security professional continues to evolve within organizations towards that of an executive level position, we see a growing emphasis on traditional business administration skills over the more technical skills that previously defined the top security leadership job.

Nonetheless, Information Security Professionals need to keep abreast of the latest down-in-the-weeds tools and technologies that can benefit their organization’s security posture, as well as those tools that are widely available which could be misused by malicious actors to identify and exploit network security weaknesses.

ToolsWatch is a free interactive service designed to help auditors, penetration testers, and other security professionals keep their ethical hacking toolbox up to date with the latest and greatest resources.

ARMITAGE

Metasploit has become over the years the best framework to conduct penetration testing on network systems and IT infrastructure. Nevertheless, Armitage an open source effort to bring user-friendly interface to Metasploit.

Armitage demonstrations are very convincing and allow you to analyze weak and vulnerable machines in a network in just a few clicks. This tool has brilliantly hidden the complexity of Metasploit (for a non-technical audience) in favor of usability, and is a great way to demonstrate the security in depth of an IT architecture.

HASHCAT

There is constantly a battle between security folks and users when it comes to passwords. Although it is simple to deploy a Password Policy in a company, it’s also very difficult to justify it.

Because in a perfect world from users perspective, the best password would be the name of the family cat with no expiration date, and this fact applies  to any system that requires authentication.

HashCat has shown that the selection of a strong  password must be done carefully, and this tool allows us to demonstrate the ease with which a password can be recovered.

WIFITE

You know what you have connected to when using your hardwired network, but have you ever wondered if the air is playing tricks on you? To test your WiFi security, Wifite has the simplest way.

Wifite allows the discovery of all devices that have an active wireless capability enabled by default (like some printers for example). Wifite is a very simple and convincing way to validate the security of wireless networks.

WIRESHARK

Known for many years as Ethereal, WireShark is probably the best tool when it comes to sniffing for and collecting data over a network.

On the one hand, WireShark has boosted its capabilities with the support of several types of networks (Ethernet, 802.11, etc.) and also in the simplicity of its use through a very friendly user interface.

WireShark allows to demonstrate that outdated protocols such as Telnet / FTP should be banned from a corporate network, and that sensitive information should be encrypted to avoid being captured by a malicious user

SOCIAL ENGINEERING TOOLKIT (SET)

SET is a framework that helps the in creation of sophisticated technical attacks which operated using the credulity of the human. It can be used in the process of preparing a phishing attack mimicking a known website or trapping PDF files with the appropriate payload. The simplicity of use via an intuitive menu makes it an even more attractive tool.

It is the dream of every CISO to drive security awareness campaigns without ruining the security budget. With SET, the team in charge of security audits can design attacks scenarios and distribute them internally to the targeted users.

Visualizing The World's Biggest Data Breaches

In corporate servers we trust? A beautiful interactive timeline puts the growing vulnerabilities to our personal online security in stark relief

The experience is becoming so common it’s scary. You're sitting there minding your own business, when up pops an email (or worse, a letter via snail mail) from some company you may or may not be familiar with telling you that your data has been compromised by a security breach. Change your password, post haste--if you’re lucky that a password is the worst of what was compromised.

More than 50% of CEOs surveyed by the Ponemon Institute, a cybersecurity think tank, say that their company experiences cyber attacks daily or even hourly.

These attacks are becoming more and more sophisticated, and increasingly, they are successful--to date this year, there have 343 data breaches reported in the U.S., which already exceeds the number in all of 2006, according to the Wall Street Journal. A new visualization of the world’s biggest data breaches on a timeline since 2004 puts the rise of cyberattacks in stark relief.

You can explore the graphic more here. And to protect yourself against certain kinds of data breaches, it's always good to follow good hygiene for passwords and PINs to your online accounts, like making sure you use different passwords for all sites. You can see a few additional tips on how to secure your passwords here.

The Risk of Data on Mobile Devices & in the Cloud

Ponemon Institute research finds that 69% of respondents listed mobile devices as posing the greatest risk

A recent study by the Ponemon Institute, The Risk of Regulated Data on Mobile Devices and in the Cloud, sponsored by WatchDox, reveals a stunning need for improvement on managing the risks of mobile devices and cloud computing services.

The survey involved 798 IT and IT security practitioners in a variety of organizations including finance, retail, technology, communications, education, healthcare, and public sector, among others.

The study concluded that “[t]he greatest data protection risks to regulated data exist on mobile devices and the cloud.” 69% of respondents listed mobile devices as posing the greatest risk followed by 45% who listed cloud computing.

Some other key findings include:

• Only 16% of respondents said their organization knew how much regulated data “resides in cloud-based file sharing applications such as Dropbox, Box, and others.”
  
• Only 19% said their organization knew how much regulated data was on mobile devices.
  
• Only 32% believed their organizations to be “vigilant in protecting regulated data on mobile devices.” Nearly three quarters said that employees didn’t “understand the importance of protecting regulated data on mobile devices.”
  
• 43% of organizations allow “employees to move regulated data to cloud-based file sharing applications.”
  
• Although 59% of organizations permit employees to use their own mobile devices “to access and use regulated data,” only about a third have a bring your own device (BYOD) policy.
  
• In the past two years, the average organization had almost 5 data breaches involving the loss of theft of a mobile device with regulated data on it.

What are the risks?

1. Unsafe Security Practices: With their own mobile devices and with their own cloud service provider accounts, employees might engage in unsafe security practices. Mobile devices might not be encrypted or even password-protected. When using cloud services, employees might not have the appropriate settings or an adequately strong password. They might not understand the risks or how to mitigate them.
   
2. Choice of Cloud Service Provider: There are many cloud service providers, and they vary considerably in terms of their privacy and security practices. Cloud service providers may not have adequate terms of service and may not provide adequate privacy protections or security safeguards.
   
3. Regulatory Troubles: If an employee of a HIPAA covered entity or business associate shares protected health information (PHI) with a cloud service provider, a business associate agreement is likely needed. Employees who just put PHI in the cloud might result in their organization being found in violation of HIPAA in the event of an audit or data breach.
   
4. The Ease of Sharing: Sharing files is quite easy with many cloud providers – sometimes too easy. All it takes is a person to accidentally put regulated data into a shared file folder, and . . . presto, it will be instantly shared with everyone with permission to view that folder. One errant drag and drop can create a breach.
   
5. The Ease of Losing: If you don’t carry an umbrella on an overcast day, it surely will rain. And if you put regulated data on a mobile device without adequate protection, that device will surely be lost or stolen. Call it “Murphy’s Mobile Device Law.”

What should be done?

1. Educate the Cs: The C-Suite must be educated about these risks. These are readily-preventable risks that can be mitigated without tremendous expense.
   
2. Develop Policies: The study indicates that there is often a lack of policies about the use of mobile devices and cloud. There should be clear written policies about these things, and employees must be trained about these policies.
   
3. Educate the Workforce: Everyone must be educated about the risks of mobile devices and cloud and about good data security practices. According to the Ponemon Study, “Respondents believe that most employees at one time or another circumvent or disable required security settings on their mobile devices.” Employees must know more about the risks of using unapproved cloud service providers, as well as the special risks that cloud service applications can pose.
   
4. Instill Some Fear: The study reveals that almost systemically at most organizations, the risks of mobile and cloud are underappreciated and often ignored. There needs to be a healthy sense of fear. Otherwise, convenience will win.

The Ponemon Study reveals that there is a long way to go before most organizations adequately address the risks of mobile and cloud. The problem runs deeper than the fact that these risks are hard to redress.

The problem seems to stem from the fact that the risks are woefully underappreciated by many in organizations, from the top to the bottom. That has to change, and soon.

Cyber Protection of Critical Infrastructure is becoming "Imperative"

ABI Research estimates that cyber security spending for critical infrastructure will hit $46 billion globally by the end of 2013

The digitisation of critical infrastructures has provided substantial benefits in terms of socio-economic developments – improved productivity, better connectivity, greater efficiencies. Yet some of these attributes also carry significant risks. Always-on Internet connectivity has ushered in a new cyber-age where the stakes are higher.

Disruption and destruction through malicious online activities are the new reality: cyber-espionage, cyber-crime, and cyber-terrorism. Despite the seemingly virtual nature of these threats, the physical consequences can be quite tangible.

The cyber protection of critical infrastructure has become the most immediate primary concern for nation states. The public revelation of wide-spread state-sponsored cyber-espionage presages an era of information and cyber warfare on a global scale between countries, political groups, hacktivists, organised crime syndicates, and civilian society – in short, to anyone with access to an Internet-connected device. The focus on cyber security is becoming imperative.

While some industries have had highly advanced cyber-defense and security mechanisms in place for some time (i.e. the financial sector), others are severely lacking and only just starting to implement measures (i.e. energy, healthcare). The drivers for the market in related products and services are numerous, but in large part many will be propelled by national cyber security strategies and policies.

ABI Research estimates that cyber security spending for critical infrastructure will hit $46 billion globally by the end of 2013. Increased spending over the next five years will be driven by a growing number of policies and procedures in education, training, research and development, awareness programs, standardisation work, and cooperative frameworks among other projects.

This Market Data on “Critical Infrastructure Security” breaks down spending for eight verticals: Defense, Energy, Financial, Healthcare, ICT, Public Security, Transport, and Water and Waste Management. The data is split by region (North America, Europe, Asia-Pacific, Latin America, the Middle East & Africa), by sector (private/public) and by type (product/service).

These findings are part of ABI Research’s Cyber Security Research Service.

Cyber Threats: Trends in Phishing and Spear Phishing

Phishing is a global problem for businesses as well as individuals, targeting 37.3 billion people globally in the past year

Most of us have wisened up to basic scams and know better than to accept a Nigerian prince's offer of money, or a miraculous win on a Spanish lottery that you can't quite remember entering. But cyber criminals are raising their game and have evolved their tactics to target the more cyber-aware for greater returns.

Sophisticated 'spear phishing' attacks can be hard to spot by the experts; even the largest of organisations is not immune. What chance does this provide the average company or employee, let alone those who use computers infrequently?

Spear phishing is not random – cyber criminals identify employees within a target organisation and use social engineering tactics to construct a legitimate looking email. The FBI have warned business to be more aware of spear phishing tactics, as hackers target employees with administrative rights or access to critical systems.

91% of APTs (advanced persistent threats) start with phishing attacks and success could give cyber criminals the 'keys' to bypass security and initiate further attacks. Clicking a link doesn't mean that you are immediately compromised; phishing is part of a larger attack.

Hackers need to expose a system vulnerability and be able to install software quickly and quietly. However, cyber criminals use advanced tactics to disguise malicious attachments and sites to trick users into further action.

This infographic by Via Resource highlights trends and targets in phishing attacks.

Five Ways To Plump Your Security Program Without Going Broke

Some are quick, cheap and often free! Others require a little more time and critical thinking

Addressing cyber-attacks is not just a technology issue. It requires a holistic view from the entire organization. Today's security threats span a broad spectrum of social engineering schemes, international hackers, and insider threats like the recent NSA breach.

It's easy to get overwhelmed by all of the potential threats and where money should be spent to keep up, let alone stay ahead of the curve. Security functions are getting only 70 percent of the resources that they need to do an adequate job" of securing the business, including hardware, software, services and staff. 

The hard stuff is in the next 30 percent." Meanwhile, worldwide spending on security infrastructure, including software, services and network security appliances used to secure enterprise, rose to $60 billion in 2012, up 8.4 percent from $55 billion in 2011, according to Gartner Inc. That number is expected to hit $86 billion by 2016.

Security experts offer five tips for enhancing security that don't cost a lot of cash — and sometimes no money at all — so companies can spend their security dollars on the hard stuff.

1. Patch security holes and identify vulnerabilities

Three of the top 10 botnets reported in February 2013 were more than 8 years old, according to Fortiguard Labs, the threat-researching arm of network security firm Fortinet Inc. in Sunnyvale, Calif. In the most successful attacks, the majority of those threats had been identified and fixed by vendors years earlier, said Derek Manky, global security strategist.

Companies need to keep patches up to date.

2. Install your free firewall and antivirus upgrades

A lot of people don't realize their basic support contracts with most vendors for support, firewalls and antivirus include free upgrades. If you don't have a strategy to revisit what the available technology is that you've already paid for, then you're missing out on a lot of new features and enhancements" that could prevent a security breach. 

Call your vendor and revisit our firewall and antivirus solution contracts.

3. Keep up with BYOD

Personal devices in the business environment are here to stay. Yet 79 percent of businesses had a mobile security incident in the past year, ranging from malicious apps downloaded to a mobile device to unsecure Wi-Fi connections to lack of security patches from services providers, according to a June mobile security report by Check Point Software Technologies.

These mobile security incidents cost companies between $100,000 and $500,000 in staff time, legal fees and resolution processes.

Organizations can improve mobile device security through BYOD agreements with users to ensure they take security precautions. The checklist should include installing available upgrades and patches; ensuring that each mobile device infrastructure component has its clock synced to a common time source; reconfiguring access control features as needed, according to the Computer Security Division of the National Institute of Standards and Technology.

4. Define a enterprise-wide security strategy

Nine out of 10 big companies lacked defined security strategy and security plans, or they re not tied with business goals and business objectives. There's no way to know if you're supporting business objectives unless you take the time to develop the security strategy and make they're sure they're doing the most important things for overall risk reduction. 

5. Educate Employees

Successful attacks are usually ones that exploit the human mind. Humans are always the weakest link in the chain.

Education can help stop employees from falling victim to phishing attacks or pretexting schemes or careless use of login credentials, which accounted for 3 of the top 10 threat actions performed against large companies, according to Verizon's 2012 data breach investigations report.

Why Security Teams Fail PCI Audits?

5 Key Challenges in the way of successful auditing!

For any business accepting credit or debit card payments from its customers, Payment Card Industry Data Security Standards (PCI DSS) compliance - which offers comprehensive standards to enhance payment card data security - is an absolute must.

But for most, ensuring continuous compliance (the ongoing monitoring of rules rather than waiting for audits to show non-compliance) with the vast and ever changing set of rules can be a real drain on resources. 

The 5 'C's

Undoubtedly one or all of the following challenges are getting in the way of successful auditing…the five 'C's:

Complexity- enterprises have hundreds of firewalls, routers and switches, all with their own complex configurations and thousands of access rules. All have to be tracked and catalogued which makes it almost impossible to comply with all the PCI DSS rules.

• Change - hundreds of changes every week amounts to thousands of changes to track from one audit to the next. The combination of rapid change and time pressures mean mistakes happen which can leave businesses wide open.
  
• Connectivity - configuration errors very easily lead to compliance issues and service downtime. A high number of rule changes can compromise cardholder data, which can leave businesses compromised until their next audit.
  
• Compliance - audits are time intensive and usually changes are unchecked between audits making the process even more laborious. Yet businesses cannot afford to fail an audit.
  
• Communication - poor communication and a siloed culture of app owners and IT security can mean a comprehensive compliance check between audits is extremely complicated and difficult to manage.

PCI DSS auditing doesn't always need to be a costly and thankless task. While compliance will always be essential for most enterprises, automation solutions can make it a much more efficient process - by slashing time spent on repetitive, manual work so that security teams can focus on strategic tasks such as security architecture, research and education.

New Targets for Hackers - Plane Cockpit/Voice Hijacking?

Criminal hackers can generally be divided into two groups - thieves and showboats

They breach secure systems either to steal or simply to demonstrate that it can be done. A few recent hacking incidents indicate the showboat sector may be picking up steam.

Smartphone used to hack into a plane cockpit

The power and rapid evolution of technology is exposed by a security researcher armed with an Android.

"By using a Samsung Galaxy handset, Teso demonstrated how to use ACARS to redirect an aircraft's navigation systems to different map coordinates. He was able to insert code into a virtual aircraft's Flight Management System, and by passing the code between the aircraft's computer unit and the pilot's display, Teso was able to take total control of what the aircrew would see in the cockpit.

Scientist's voice hijacked during high-profile presentation

Hackers accessed the computer synthesizer controlling Stephen Hawking's voice during a public speak he was making to a large audience, overriding his control and forcing him to make statements against his will.

"It wasn't until hours later when the Syrian Electronic Army - a group of hackers working in support of Bashar al-Assad - claimed responsibility for the attack, breaking into Stephen Hawking's voicebox one last time to announce "the Syrian Electronic Army was here" just as the scientist was leaving the stage."

6 Steps to Secure Mobile Devices

NIST Guidelines for Managing the Security of Mobile Devices in the Enterprise

When NIST issued in 2008 its initial guidance on managing mobile device security, the Apple iPhone was just a year old and the introduction of the iPad was 15 months off. Even the guidance name, Special Publication 800-124: Guidelines on Cell Phone and PDA Security, sounds ancient to today's ears.

The National Institute of Standards and Technology on June 24 published its first revision of the SP 800-124, renaming it Guidelines for Managing the Security of Mobile Devices in the Enterprise.

NIST says the revised guidance provides recommendations for selecting, implementing and using centralized management technologies, explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycles.

The guidance covers enterprise-issued devices as well as the bring-your-own device trend.

Step-by-Step Approach

The revised publication offers six major steps enterprises need to take to manage mobile devices in a secure environment. According to the guidance, organizations should:

1. Have a mobile device security policy that defines which types of the organization's resources may be accessed via mobile devices, which types of mobile devices - for example, organization-issued devices vs. BYOD - are permitted to access the organization's resources, the degree of access that various classes of mobile devices may have and how provisioning should be handled.
   
2. Develop system threat models for mobile devices and the resources that are accessed through the devices. These devices often need additional protection because of their higher exposure to threats than other client devices, such as desktops and laptops.
   
3. Consider the merits of each provided security service, determine which services are needed for their environment and then design and acquire one or more solutions that collectively provide the necessary services. Categories of services to be considered include general policy, data communication and storage, and user and device authentication and applications.
   
4. Implement and test a mobile device solution before putting it into production. Aspects of the solution that should be evaluated for each type of mobile device include connectivity, protection, authentication, application functionality, solution management, logging and performance.
   
5. Secure fully each organization-issued mobile device before allowing a user to access it. This ensures a basic level of trust in the device before it is exposed to threats.
   
6. Regularly maintain mobile device security, including checking for upgrades and patches and acquiring, testing and deploying them; ensuring that each mobile device infrastructure component has its clock synced to a common time source; reconfiguring access control features as needed; and detecting and documenting anomalies within the mobile device infrastructure, including unauthorized configuration changes to mobile devices.

The revised guidance also recommends that organizations periodically perform assessments to confirm that their mobile device policies, processes and procedures are being properly followed. Assessment activities may be passive, such as reviewing logs, or active, such as performing vulnerability scans and penetration testing.