Saturday, 22 October 2016

‘The need to stay alert as data breach costs rise’

by Mike Simmonds, managing director, Axial Systems

When BYOD originally took off, security concerns drove companies to take measures to counteract the risks of allowing remote access to company data from employee devices. Many believed they had shut the door to cybercrime. In reality, data breaches have continued to soar. According to research from PwC, showcased in a recent infographic from Swivel Secure, the number of small firms experiencing a data breach jumped by 14% last year – and although in 2014 the average cost of such a breach was £90k, it rose to £190k in 2015. The number of large companies suffering a breach rose 9% over the same period, with average costs per breach increasing from £800k in 2014 to a phenomenal £2.3 million last year. In total, a staggering 90% of large businesses admitted to a data breach, with more than two-thirds having been attacked by an unauthorised outsider in the last year.

Scoping the Challenge

The possibility of being fined is another significant concern. The new General Data Protection Regulation (GDPR) puts stringent new data protection requirements in place and will impact any company holding any data at all about any EU citizen. The most severe penalty available for non-compliance with GDPR is a fine of up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

For businesses that fall victim to these cyber-criminals, the reputational damage suffered can also be severe. Serious fines attract media coverage and may deter prospective customers from signing up. The inability of the business to recover what has been lost in the breach can further compromise credibility. After all, while some cyber-criminals steal data, others corrupt it and make it worthless. Ransomware, for example, may simply encrypt all of the business’s data with a key that the organisation cannot access. The business has no recourse to any third party in its bid to retrieve the information, further undermining its credibility with prospects and customers. So why are we seeing more breaches, and what steps can businesses take to protect themselves and bring cybercrime under tighter control?

Part of the reason for the rise is probably down to greater reporting. The pending introduction of GDPR means that if you do suffer a breach, you have to reveal it to the authorities. The regulation was approved by the European Parliament in April 2016 and all organisations that process personally identifiable information (PII) must comply with it by 25 May 2018. So, businesses need to get their reporting mechanisms in place as soon as possible.

This higher level of reporting should not, though, disguise the fact that the increase in data breaches is real and that many factors are fuelling it. Data growth is continuing to rise exponentially – and so too is the volume of data potentially available to hackers online. In line with this, cyber-criminals are becoming increasingly sophisticated. Many have organised into professional groups, with a highly skilled workforce operating across far-flung networks. Breaches are also becoming more targeted, at least in part because it is as cheap and easy to launch a targeted attack today as it is to adopt a blanket approach.

At the same time, many businesses are migrating their data to the cloud for storage (one in three now use cloud data storage, according to the survey), changing the nature of access again and bringing with it a whole raft of new security concerns. Businesses now need to think about more than just their own security and ensure that their level is at least mirrored by that of their cloud service provider. They must be confident, for example, that any data transitioned to the care of that provider is encrypted the moment it lands rather than at some point afterwards. Most companies do not realise that if they are using cloud services, they themselves remain liable for the security and integrity of any data forwarded to those services. With the coming of GDPR and the associated fines, this is hugely important. Simply saying that any data loss is the fault of the service provider just won’t pass muster in this context.

At Axial, we advise customers to encrypt data themselves as it leaves their building. This ensures there are two layers of encryption – so that if one is compromised, the other remains encrypted, whether the data is in motion between the office location and the cloud service or at rest at each location.

Key Role of Authentication

Whatever the nature of the data it is looking to protect, the business must exercise ‘due diligence’ at all times, and that means much more than just taking a cursory glance at the data. In this context, due diligence entails the business undertaking a thorough review of its data protection processes and of what steps it can take to make them even more secure. The data from the Swivel Secure infographic, which draws on 2015 research from PwC, indicates that organisations still have much to do in this respect. 32% of those surveyed had not had any form of security risk assessment. More than a quarter (26%) do not evaluate how effective their security expenditure is, while just 60% said they were confident that they had adequate security skills to manage their risk for next year.

While ease of access is of course important, businesses also have to be focused on ensuring that employees never compromise security in exchange for it. There is a need for education here. Take the manager who needs to deliver a presentation the next day and wants to store it in an accessible place. There is a natural inclination to save the slides in multiple locations – on the company laptop, on a file sharing application and on a memory stick, perhaps, with the rationale that if one location fails, the others can serve as a back-up.

Such an approach creates its own problems, however – and users need to be made aware of the issues and concerns. If the laptop is left on a train, it could be easy prey for anyone with the skill and inclination to break into it. The file sharing application could also be compromised, while USB sticks are frequently lost. Simply by taking the data outside of the corporate infrastructure, you are bypassing all of the security infrastructure and potentially putting sensitive information at risk.

It’s a clear demonstration of how so many businesses can make themselves vulnerable by effectively sleepwalking into data breaches. So what’s the solution? Technology should always be part of it. Anti-virus and anti-malware software needs to be implemented and kept up to date. Data leakage protection can also be put in place, providing electronic tracking of files, or putting systems in place that stop users arbitrarily dropping data out to cloud services. Critically though, adaptive authentication, in which risk-based multi-factor authentication is used to ensure the protection of users accessing websites, portals, browsers or applications, also has an increasingly key role to play.

Being able to manage user authentication based on such parameters as who, when, where and what is essential, of course. Adaptive authentication solutions such as Swivel’s AuthControl provide the ability to manage how users authenticate to the network or to individual applications based on multiple parameters and a risk score. For example, a business may decide that access to HR/Finance records carries a high risk whereas mail does not. In that case, name/password may be sufficient for mail access, but two-factor user authentication and a digital (machine) certificate are required to access the finance application – even for the same user.
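The who/when/where/what policy described above, as an added illustration (not code from AuthControl or any other product): a small risk-scoring engine whose thresholds, network ranges, resource classes and user names are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy data for this example; a real deployment would load these
# from the authentication product's policy store rather than hard-coding them.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
OFFICE_HOURS = range(7, 20)                           # 07:00-19:59 local time
RESOURCE_RISK = {"mail": 1, "hr": 3, "finance": 3}    # "what" is being accessed
PRIVILEGED_USERS = {"alice"}                          # "who": admin-level accounts


@dataclass(frozen=True)
class AccessRequest:
    user: str         # who
    resource: str     # what
    source_ip: str    # where
    when: datetime    # when


def risk_score(req: AccessRequest) -> int:
    """Combine who/when/where/what into one additive risk score."""
    score = RESOURCE_RISK.get(req.resource, 2)        # unknown apps count as medium
    if req.user in PRIVILEGED_USERS:
        score += 1                                    # privileged identity
    if req.when.hour not in OFFICE_HOURS:
        score += 1                                    # out-of-hours access
    if not any(ip_address(req.source_ip) in net for net in CORPORATE_NETS):
        score += 1                                    # off the corporate network
    return score


def required_factors(req: AccessRequest) -> tuple:
    """Map the score to the factors the user must present for this request."""
    score = risk_score(req)
    if score <= 1:
        return ("password",)                          # e.g. mail from the office
    if score == 2:
        return ("password", "otp")                    # step up to two-factor
    return ("password", "otp", "device_cert")         # two-factor plus machine cert


def decide(req: AccessRequest, presented: set) -> tuple:
    """Return (verdict, required, missing); 'step_up' means ask for more factors."""
    needed = required_factors(req)
    missing = tuple(f for f in needed if f not in presented)
    return ("allow" if not missing else "step_up", needed, missing)
```

The same user gets password-only access to mail from the office network but is asked for an OTP and a device certificate for finance, and a remote mail login is stepped up to two-factor.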

Furthermore, adaptive authentication provides a great user experience in hybrid environments where a combination of on-premises, remote access and cloud services are delivered by the business.

So adaptive authentication is key but it has to be delivered as part of an overall strategy. Technology is critically important but ultimately countering data breaches effectively is also about education. Businesses need to hammer home the message that employees need to take a responsible approach to managing and protecting their data. They must be aware of the potential security threats and do all they can to mitigate them – from keeping care of devices they use at work to making sure their passwords are consistently strong. The battle against the cyber-criminals will continue but if businesses are to fight back and reverse the ongoing trends, they need their employees to be onside and focused on keeping data safe.

The post ‘The need to stay alert as data breach costs rise’ appeared first on IT SECURITY GURU.

Is it worth reporting ransomware?

Sophos discusses whether it’s worth reporting ransomware.

Victims of ransomware have a lot to cope with. After they’ve recovered from the shock of losing access to files, there’s the small matter of whether to pay the ransom to get them back.

Regardless of the outcome, victims are left worried about how best to clean their computer to avoid being hit by a follow-up attack.

In most cases reporting any of this probably doesn’t figure high on the to-do list: which organization should they contact and, frankly, would it make any difference anyway?

This lack of confidence is probably justified in many countries, with victims of cybercrimes often simply advised to go to a local police station and hope a staff member will be in a good enough mood to talk to them.

Ransomware rethink

Ransomware reporting is, in a way, a microcosm of the larger issue of how best to tackle cyberattacks.

Reporting burglary, car theft or mugging, would be a no-brainer. But online fraud or ransomware extortion? If it happens on a computer, there’s a tendency for people to see it as either the victim’s problem or for the bank or service provider to sort out.

Faced with soaring online crime, police forces and governments have realized that to have any chance of containing it they must treat it in the same way as any other type of law breaking. Intelligence is needed to warn the public of attacks, and evidence must be gathered for possible future prosecutions.

The catch is that amassing better intelligence will be about getting the public to overcome years of conditioning and start telling law enforcement what has happened to them. These investigations are essential. Without real-time reporting, knowing what the criminals are up to and gathering evidence quickly enough to catch perpetrators becomes impossible.

Reporting ransomware

The good news is that in the US, UK and a few parts of Europe reporting ransomware and extortion is getting easier.

Only weeks ago, the FBI put out its first ever note encouraging ransomware victims to report attacks in some detail through the agency’s Internet Crime Complaint Center (IC3).

A few months earlier, Europol, the Dutch police and a clutch of cybersecurity firms got in on the act by launching a portal, No More Ransom, which is meant to act as a single point of contact and advice for confused ransomware victims unsure about whether to tell anyone.

The UK, which likes to think of itself as ahead of the game, launched an online cybercrime reporting system in 2009 in the form of Action Fraud. Ransomware and phishing attacks can now be notified through an online tool for victims who end up out of pocket.

The UK’s Office for National Statistics (ONS) even grasped the nettle this year and added cybercrime as a separate heading in its 2015-2016 crime statistics for England and Wales, a further sign of changing attitudes.

Worthy though these reporting systems are, awareness of their existence – and importance – among the public remains weak.

To pick one example, the FBI’s 2015 Internet Crime Report (which uses numbers drawn from the IC3 reporting service) recorded only 2,453 ransomware complaints for the year – likely a huge underestimate of the true scale of the problem.

Until public reporting improves, tackling ransomware in a centralized, top-down manner could prove incredibly difficult, leaving more accurate estimates of campaigns in the lap of cybersecurity firms whose specialism is measuring the effect of attacks on computers rather than human victims.

The post Is it worth reporting ransomware? appeared first on IT SECURITY GURU.

Too small for cyber security? Think again.

By: Chris Stoneff, VP Technical Management, Lieberman Software

The last Verizon Data Breach Investigations Report stated that 63% of data breaches involved cyber criminals using weak, default or stolen passwords to access information they shouldn’t. With this in mind, it’s good to remember that being a small business is no excuse for poor password security. This is especially so when it comes to the administrator passwords that protect access to the most sensitive areas of a company’s network, like file stores and corporate email. When these credentials are compromised by bad guys, it is easier for them to move around the network, infiltrate critical systems and even gain access to your valuable customer data.

Stolen credentials are one of the easiest ways to exploit small businesses. Many Small and Medium Enterprises (SMEs) may think they don’t have the budgets or the means for effective cyber security. However, small businesses that think they are too insignificant to warrant proper cyber security efforts need to carefully consider who their customers are and how unhappy they would be if their data was compromised. When we look back at Target, one of the biggest data breaches of all time, the breach was discovered to have come through one of Target’s small third-party vendors, whose weak passwords never changed.

At a bare minimum, companies need to make sure that employees rotate passwords and don’t use the standard ones they use for their personal online accounts. Passwords should be strong – more than 8 characters, and including upper and lower case characters as well as numbers.

For those that struggle with endless strings of passwords, there are also affordable Privileged Account Management products that can automate time-consuming manual password changes to ease IT administration burdens. By changing passwords faster than intruders can exploit them, these security products provide real-time containment of attacks that breach the perimeter, and prevent anonymous “nesting” on the network.

Large enterprises are taking cyber security seriously and getting harder to breach. Historically, hackers always take the path of least resistance; if that path is via a smaller business with tempting customers, you had better believe they will take the easy route. Getting a few basics right, like password security, will go a long way to protecting even the smallest business.

The post Too small for cyber security? Think again. appeared first on IT SECURITY GURU.

Book Review: Game Hacking, by Nick Cano

Nick Cano’s Game Hacking walks an unusual line between gaming, computer security and coding. Many involved in the gaming industry, especially with online gaming, know that security can be just as challenging and serious a subject as in other spheres of computing; but to many – even many gamers – video games are still not quite […]

The post Book Review: Game Hacking, by Nick Cano appeared first on ITsecurity.

Support scams and Balance

I believe in balance. All problems are caused by imbalance. Illnesses are caused by imbalances in the body; wars are caused by imbalances in the ether; and even support scams are caused by imbalance. I had another call from Microsoft’s computer maintenance department. I wasn’t feeling good. I am ashamed to say I told him […]

The post Support scams and Balance appeared first on ITsecurity.

Friday, 21 October 2016

Ransomware, Support Scams, and Old-School 419s

Ransomware is the buzzword of the moment, but other scams haven't gone away. Some are even converging with ransomware.

The post Ransomware, Support Scams, and Old-School 419s appeared first on ITsecurity.

Google pays $100k to anti-malware crusader Giovanni Vigna

Anti-malware machine and head of the Shellphish DARPA Grand Challenge bronze-medallist team Giovanni Vigna has won US$100,000 from Google for his security research efforts. The University of California Santa Barbara academic landed Google’s Security, Privacy and Anti-Abuse award for his long line of research into malware detection. Google did not specify the work for which he was awarded, but Dr Vigna has co-published dozens of papers in the field among some 200 works spanning Android, networking and web-based attacks.

The post Google pays $100k to anti-malware crusader Giovanni Vigna appeared first on IT SECURITY GURU.