Archive | Information Security

Internet security 2014

Symantec declares 2013 a year of mega-breaches and targeted attacks.

The Symantec Corporation has published its Internet Security Report for 2014.

Symantec’s data monitors threat activity in 157 countries and territories. The report features a timeline of security breaches from around the world and analyses the number of targets of each attack.

Key findings

  • The total number of breaches was up 62% from 2012
  • A total of 552 million identities were breached in 2013 – an astonishing increase of 493% on 2012 figures
  • Data exposed included credit card information, birth dates, home addresses, medical records, logins, passwords and email addresses
  • Real names, birth dates and social security numbers are the top three types of data breached
  • Mega-breaches – Eight breaches exposed more than 10 million identities each
  • Massive growth in ‘ransomware’ – scams in which attackers pose as ‘law enforcement’ to levy fines were up 500%
  • The Internet of Things – attackers are targeting medical equipment, baby monitors and smart TVs
  • Big Data is also attractive to cybercriminals

Social Media and mobile threats

Fake offers and click-through online surveys are the most popular forms of scam on social media platforms. Other scams include fake apps that ask for login details, which are then stolen. Malicious app developers find it relatively easy to persuade users to grant them unnecessary permissions. The attraction of attacking mobile devices is that so much data becomes available once an attacker is on the device.

Reducing threats – best practice for businesses

  • implement a removable media policy
  • restrict email attachments
  • enforce a strong password policy
  • educate staff and users on internet security protocols
  • monitor for incursions and vulnerabilities

Reducing threats – best practice for consumers

  • Think before you click
  • Update your antivirus software regularly
  • Guard your personal data

The full White Paper is available to download from Symantec.

Spammers, spam – and Monty Python

Research explores how key spam players interact. Canada’s new anti-spam legislation came into effect in July 2014.

It is estimated that over 14 billion spam messages are sent around the world every day.  Researchers at Aachen University in Germany and the University of California, Santa Barbara explored the three key elements required in a spam campaign – the list of victim emails, the content, and a botnet.

Experts specialising in each of these three elements have emerged, selling their expertise in a ‘prosperous underground economy’ and building their own versions of customer loyalty. By seeking to better understand the relationships between the key players, it’s hoped that researchers can develop more effective anti-spam measures.  (You can download their findings here.)

Meanwhile, Canada has rolled out new legislation that aims to tackle the issue of spam.   The Canadian Anti-Spam Law (CASL) is outlined in summary here.  Although the potential fines are high, the fact is that any organisation following good practice will not fall foul of the new legislation.  You should have clear unsubscribe processes, and have the permission of the recipients to send them commercial messages.

And of course, the legislation is only relevant for email addresses in Canada (.ca).

And now for something completely different

Spam of the edible kind features in a famous Monty Python sketch (described in this humourless Wikipedia entry). In July 2014 the surviving Monty Python cast is taking to the stage for the first time in decades. The 20,000 tickets for their opening night at London’s O2 Arena sold out in a record-breaking 43 seconds.

The ‘Tour’ is embracing social media. Fans can follow the Tour on Twitter and appear on the fan wall by using the Tour hashtags. They can also treat themselves to a Ministry of Silly Walks app and join the Python Spam Club. Which begs the question: what if your spam is about the spam club?

Bring your own identity

Organisations are seeking a balance between security, privacy and compliance on the one hand and convenience on the other.

Effective Identity and Access Management (IAM) is becoming increasingly important for organisations.  Not only are they seeking to manage the access rights of increasingly mobile employees but they are opening up applications to external users, including partners and consumers.  All this is being done in the context of the growth of social media and cloud services.

In a report for CA, Quocirca explores the current state of Identity and Access Management and why it is a business priority for so many.

The age of bring-your-own-identity (BYOID)

For consumers social media is already emerging as a key source of identity – e.g. logging in with Facebook to access Spotify accounts. The report suggests that this will grow in more ‘conservative’ business areas including government and online banking.  Along with these changes, the emergence of the concept of Bring your own identity (BYOID) means that employees will be taking their identities with them from one job to another.

Meanwhile, for organisations opening up access to external users, the key driver is to enable direct transactions with customers and partners, with a view to increasing customer satisfaction and enabling innovation.

Geographic trends

  • Organisations in the Nordic and Benelux regions are more likely to be opening up their applications to consumers
  • Nordics lead the way in the use of social media for identifying and communicating with potential customers
  • Benelux, Israeli, Nordic and UK based organisations were the most likely to recognise the power of IAM to open up new revenue streams
  • French and Italian organisations were focused on new business processes

The full report can be downloaded from CA Technologies.

Bitcoins and gold coins

Is hiding your hoard in a rusty tin can safer?!

News stories have emerged about an American couple who have found buried treasure on their land. Initially they thought they might have found a marker for a grave, perhaps for a pet. However, what they discovered were several tin cans full of rare 19th century American coins. The haul is expected to fetch $10 million.

This good news coin story throws into relief last year’s news of a man who threw away his ‘Bitcoin fortune’ when he disposed of an old hard drive.

The ‘cryptocurrency’ has been in the news again.  MtGox, one of the biggest Bitcoin exchanges, went offline after technical issues and ‘unusual activity’.  It had been suggested that security loopholes had led to millions of Bitcoins being stolen.  MtGox has now filed for bankruptcy.

It seems that many investors whose Bitcoins had been lodged with MtGox may have lost their investment and industry analysts are warning that Bitcoin will be subject to ‘more fraud’.  Fraudsters have already been busy according to Dell SecureWorks.  They have identified 150 different forms of malware designed to steal Bitcoins.

An article in American Banker draws on lessons learned from the history of PayPal to predict that Bitcoin is likely to be subject to transaction and phishing fraud, identity theft and organised crime. The authors recommend that Bitcoin learns from PayPal’s hard work in driving fraud elsewhere by focusing on security.

Of course, Bitcoin is not the only cryptocurrency as this article in ITProPortal outlines.  What makes these currencies so attractive – they work across borders and are untraceable – is what makes them risky too.  Perhaps hiding your hoard in a rusty tin can is a safer bet!

Cyber-attacks and staying private

Cyber-attacks on banks have been high-profile news in the UK.  £1.3 million was taken from Barclays when a computer was hijacked, while police foiled a similar plot against Santander.

The Bank of England’s policy makers have responded, drawing attention to the ‘potential vulnerabilities’ in the banking system, including old and complex IT infrastructure and a reliance on centralised systems.

Concern about a lack of preparedness against cyber-attacks was also expressed at a recent London meeting of information security risk and management professionals. Delegates discussed the ‘perfect storm’ of cyber-security risks – the widespread adoption of social media, cloud services and mobile devices – combined with the proliferation of unstructured data. Potential risks to organisations include intentional or accidental data breach, social media account hacking and identity theft. (Government figures for the cost of cyber-security breaches have been discussed previously on this blog.)

The UK is a global leader in identity fraud. Fraud is said to have cost the UK over £70 billion in 2012 and nearly a quarter of residents have fallen victim to some form of identity fraud.

Staying private

Personal data is ‘the new oil of the internet’ according to the World Economic Forum. Increasingly sophisticated criminals are using the information and data we share to develop targeted ‘spear-phishing’ email campaigns, or are able to glean personal details such as pets’ names or mothers’ maiden names which can be used to answer security questions.

As information professionals we are well-placed to help our organisations – and individual colleagues – understand the new information landscape and to help them stay safe and secure.

Phil Bradley is speaking about Privacy (session C103) in a special session at this year’s Internet Librarian International conference.

Managing information risk – European business must do better

European companies are improving when it comes to managing information risk, but they must do even better.

PwC and Iron Mountain have published their 2013 Risk Maturity Index, exploring attitudes to information risk and examples of best practice in mid-sized businesses in six European countries (France, Germany, Hungary, Netherlands, Spain and UK*). Their findings suggest there has been some improvement in attitudes to information risk, but that there is still a long way to go. Mid-sized (250-2,500 employees) European companies are ‘ill equipped’ to navigate the complex information landscape.

Key findings of the study

  • Awareness of the importance of information risk management is growing
  • The average number of data breaches is growing 50% per year
  • 36% of companies are keeping all of their data ‘just in case’
  • Only 45% of companies have an information risk strategy
  • 42% of those surveyed are worried about the security of their company’s stored data
  • Only 25% consider their employees to be a serious threat to information security
  • 45% do not monitor employee social media use

National differences

Companies in the Netherlands performed better than in any other country.  They were more likely to have strategies and plans in place to deal with BYOD and minor data ‘mishaps’. They were also much more likely to have a corporate risk register.  Alongside companies in France, Dutch businesses were most likely to treat information risk at board level.

Hungary takes second place in the Risk Maturity Index.  Over the last 12 months, businesses have focused on raising employees’ awareness of information risk issues and providing relevant training.

Spanish companies lag behind those in other countries and are least likely to provide guidelines to employees or to have key security measures in place.

Best practice

  • Information management and risk must be a board level issue
  • Information audits – identify what you have, where it is stored and how it is classified
  • Operate a policy of ‘controlled trust’

*600 senior managers were interviewed in mid-sized businesses in the six countries.

The White Paper is free to download from Iron Mountain.

[Follow Val Skelton on Google+]

Collaborating to ensure cybersecurity

Earlier this year the European Commission published its Cybersecurity Strategy.

The document called for the development of a platform to bring public and private sector stakeholders together so they could share good practice and develop secure ICT solutions.

At about the same time in the US, President Obama published an executive order which also focused on the importance of protecting infrastructure from cyberattacks.

Both initiatives reflect the invaluable contribution that the digital economy makes to society and the economy and the importance of protecting sites and services from malicious cyberattacks.  Organisations and nations need to manage and mitigate cyber risk and there is much to be gained from stakeholders sharing experience and information about potential threats, vulnerabilities and solutions.

Writing for Harvard Business Review, Harry D. Raduege, Jr. writes about the importance of bringing together leaders from all sectors to learn and share. In particular, he believes they should focus on:

  • Understanding the problem – what are the key issues and threats facing your organisation?
  • Making one person accountable – a leader in your organisation should be designated to look after all cyber/digital issues
  • Coordinating efforts – not just within your own organisation, but also up and down your supply and value chain
  • Communicating – not just within supply chains but beyond, with government agencies, professional bodies and regulators

Meanwhile, the UK’s National Audit Office has expressed concern about a skills shortfall in information security.  Responding to the report, Marisa Viveros writing for Harvard Business Review agrees that holistic and collaborative measures are called for, mirroring the interdisciplinary approaches of academia.

Above all, education about cybersecurity and IT issues is “one of the best investments a company can make”.

More information on the EU’s cybersecurity plan can be found here.

[Follow Val Skelton on Google+]

Cyber security in the UK

Effective cyber security is good for business, according to the UK’s Department for Business, Innovation and Skills (BIS), which has published its 2013 Information Security Breaches Survey. The report presents the findings from over 1,000 respondents across small, medium and large firms in a range of sectors. The figures show that companies in the UK have experienced the highest ever number of reported security breaches and the costs to firms are also at an all-time high. The average cost to a large firm of its worst security breach is reported to be between £450k and £850k. For small firms, the figure ranges between £35k and £65k.

The increased use of cloud computing, mobile devices and social networks can increase risk (14% of large organisations reported a security breach via a social network).  Ongoing changes in the business environment can also lead to uncertainty about who is responsible for information and data ‘ownership’.  This is particularly true in large organisations where 33% of respondents reported that such responsibilities were ‘unclear’.

Most of the respondents reported that they have written information security policies, yet 34% report that employee understanding is poor.  Training levels remain low, despite evidence that training and awareness can significantly reduce the impact of security breaches.

Threats from outside – and within

BIS states that cyber-attacks have grown ‘in frequency and intensity’ over the last year. These include hacktivism, phishing, identity fraud and denial of service attacks. Companies are not just subject to external threats. Staff-related breaches may be both deliberate and inadvertent, and can range from accidentally sending emails to the wrong recipients to disgruntled employees taking business critical data with them when they leave the company.

Key findings

  • 87% of small firms experienced a security breach last year
  • 93% of large companies experienced a security breach
  • 36% of the worst security breaches were caused by inadvertent human error
  • 10% of the worst security breaches were caused by deliberate misuse of systems by staff
  • 23% of respondents haven’t carried out any form of security risk assessment
  • 9% of large organisations had a security or data breach in the last year involving smartphones or tablets
  • 4% of respondents had a security or data breach in the last year relating to one of their cloud computing services
  • 92% of respondents expect to spend at least the same on security next year (and 47% expect to spend more)

Antivirus software – an ‘illusion of security’?

The detection rate of new viruses by antivirus software is currently lower than 5%.

In a Hacker Intelligence Initiative study of 40 antivirus (AV) products (conducted by business security firm Imperva) the results suggest that it can take up to a month for 75% of the products to add viruses to their lists and begin protecting their customers against them.  On average it took three weeks between information about threats being made available and AVs addressing them.

The challenge is that new viruses and malicious programs are being created and distributed on an industrial scale every day and that AV software needs to be updated continuously.  Hackers and attackers understand AV products in depth and are able to design around their strengths and weaknesses.

The researchers ‘hunted down’ 82 viruses using a mixture of search, hacker forums and ‘honey pots’ and then tested them against 40 AV products.  They conclude that AVs are fast to respond to malware that spreads rapidly but that blind spots exist when it comes to viruses with limited distribution.

The antivirus products tested include paid-for and freeware (e.g. Avast) products, with little significant difference in performance between the two groups.

Imperva concludes that IT security should continue to use AVs but that they should also focus on what they call ‘aberrant’ behaviour.  They give an example of a breach of information security in a US state.  Once the initial breach had been successful, systems failed to notice that data was being accessed and moved around several times before eventually being moved out of the network by the hackers.

According to Gartner (2011) the global annual spend on antivirus software is $7.4 billion.

You can read the research findings (including some thoughts on the methodology) here.

Original source: ITProPortal

Exiting employees helping themselves to information

It’s not just stationery that walks out of the office with exiting employees. According to a survey conducted by the records and information management company Iron Mountain, a significant proportion of employees have removed confidential information from the office – in spite of data protection and other information governance guidelines.

2,000 office workers in France, Germany, Spain and the UK were surveyed.  32% of them admitted to taking or forwarding confidential information on more than one occasion.  Of those who are removing information:

  • 51% are taking information from confidential customer databases
  • 46% are taking presentations
  • 21% are taking company proposals
  • 18% are taking strategic plans
  • 18% are taking product or service roadmaps

The employees’ attitudes to their actions are interesting.  Many of those surveyed felt a sense of ‘ownership’ of the information, particularly if they had a role in creating it in the first place.  34% of respondents were completely unaware of any company guidelines regarding the removal of information from the office.

Information and data are – of course – key organisational assets.  Information professionals have the opportunity to influence organisational information governance policy and educate employees about their information responsibilities.