Month: February 2016

California Data Breach Report: Majority of Cyberattacks Easily Preventable

According to a February 2016 California data breach report issued by the California attorney general’s office, the majority of data breaches are easily preventable if basic security measures are adopted. Had companies doing business in the state of California implemented industry best practices and adhered to federal and state regulations, the privacy of millions of Californians would have been protected.

However, that was not the case, and over the course of the past four years close to 50 million state residents have had their private data exposed as a result of data breaches suffered by government and private organizations.

The California data breach report includes a summary of data breaches reported to the attorney general’s office between 2012 and 2015. Since 2012, the California attorney general’s office has had to be notified of a breach of personally identifiable information if more than 500 state residents were affected.

Between 2012 and 2015, 657 data breaches were reported. 49.6 million state residents had their personally identifiable information exposed.

In almost half of cases, Social Security numbers were obtained by cybercriminals or were exposed as a result of the loss or theft of devices used to store personal information.

2015 was a Bad Year for Data Breaches in California

The California data breach report was compiled following a particularly bad year for Californians. In 2015, 24 million state residents had their personal information exposed. That equates to one in three Californians. To put the figure into perspective, in 2012 only 2.6 million state residents were affected by data breaches.

The California data breach report was compiled to show just how bad the current situation is. According to State attorney general Kamala D. Harris, the report should serve as a “starting point and a call to action for all of us.” The situation must improve.

Harris points out in the introduction to the 2016 California data breach report that “many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.” She goes on to say that if a company chooses to store private and confidential data on state residents, that company has a “legal obligation to adopt appropriate security controls.”

California Data Breach Report Summary

The main findings of the 2016 California data breach report are listed below:

  • The biggest data security threats are malware and hacking
  • Malware and hacking exposed 54% of records and accounted for the most data breaches (365)
  • Malware and hacking attacks have grown by 22% in 4 years and caused 58% of breaches in 2015
  • Malware and hacking caused 90% of retail data breaches
  • Physical breaches (loss and theft of devices) accounted for 27% of all reported breaches
  • Physical breaches are declining: They fell from 27% in 2012 to 17% in 2015
  • Errors and employee/employer negligence accounted for 17% of data breaches
  • Medical records were exposed or stolen in 19% of reported breaches
  • Payment card information was stolen in 39% of data breaches
  • Small businesses reported 15% of data breaches

According to the new California data breach report, the retail sector suffered the most, accounting for a quarter of all data breaches reported in the past four years. Those security incidents resulted in the exposure of 42% of the total number of records exposed in the past four years. The financial sector was in second place with 18% of breaches, while the healthcare sector was third, involved in 16% of data breaches.

Data Breach Prevention – Improve Protection Against Malware

Preventing cyberattacks requires multi-layered defenses, yet in the majority of cases the report found that data breaches resulted from a failure to update software and apply patches. The vulnerabilities exploited by hackers or used to install malware had already been discovered and patched; in most cases the patch had been available for more than a year but had not been installed.
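The "patch existed but was never installed" failure described above is easy to turn into a routine check. The following Python script is an added example, not code from the report or from WebTitan: it compares a software inventory against fix advisories and reports every install whose fix has been available longer than a chosen window. Hostnames, package names, version numbers and advisory dates are all constructed for the example. Versions are compared as parsed integer tuples so that 2.9.10 ranks above 2.9.2, which a plain string comparison gets wrong and which silently hides unpatched hosts.

```python
from datetime import date

# Constructed sample data: hostnames, package names, versions and advisory
# dates are invented for this example and do not describe any real product.
INVENTORY = [
    ("web-01", "webapp-server", "2.4.9"),
    ("web-02", "webapp-server", "2.4.12"),
    ("db-01", "db-engine", "2.9.10"),
    ("mail-01", "pdf-lib", "4.2.45"),
]

# (package, first fixed version, date the fix was published)
ADVISORIES = [
    ("webapp-server", "2.4.12", date(2015, 1, 30)),
    ("db-engine", "2.9.2", date(2015, 6, 1)),
    ("pdf-lib", "4.2.48", date(2014, 9, 24)),
]

TODAY = date(2016, 2, 15)  # constructed "today" so results are reproducible


def parse_version(text):
    """Turn '2.9.10' into (2, 9, 10) so versions compare numerically.
    Comparing the raw strings would rank '2.9.10' below '2.9.2'."""
    return tuple(int(part) for part in text.split("."))


def unpatched_installs(inventory, advisories, today):
    """Return one finding per install still below an advisory's fixed
    version, with the number of days the fix has been available."""
    fixes = {}
    for package, fixed_in, published in advisories:
        fixes.setdefault(package, []).append((parse_version(fixed_in), published))
    findings = []
    for host, package, version in inventory:
        installed = parse_version(version)
        for fixed_in, published in fixes.get(package, []):
            if installed < fixed_in:
                findings.append({
                    "host": host,
                    "package": package,
                    "installed": version,
                    "lag_days": (today - published).days,
                })
    return findings


def overdue(findings, max_lag_days=30):
    """Keep only findings whose fix has been available longer than the
    allowed patching window (days)."""
    return [f for f in findings if f["lag_days"] > max_lag_days]


if __name__ == "__main__":
    # Report installs where the fix has been out for more than a year,
    # the situation the report describes as typical.
    for f in overdue(unpatched_installs(INVENTORY, ADVISORIES, TODAY), max_lag_days=365):
        print(f"{f['host']}: {f['package']} {f['installed']} - "
              f"fix available for {f['lag_days']} days")
```

Run against a real inventory, the useful output is not the list of missing patches (any scanner produces that) but the lag column: a fix that has been available for 381 or 509 days is a process failure, not a scheduling gap.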

Malware is commonly used as a way of gaining access to computer systems used to store valuable consumer data. Malware is often delivered via spam email campaigns. A robust and powerful anti-spam solution should be implemented to catch malicious emails and prevent them from being delivered to user inboxes.

If staff are also trained to identify malware and potentially harmful emails and attachments, a great many malware infections can be prevented. However, email is not the only malware delivery mechanism. Cybercriminals are increasingly using exploit kits to probe for security weaknesses in browsers and browser plugins. Those vulnerabilities can be exploited to download malware without any user interaction.

These infections are referred to as drive-by attacks, and they can occur when a user is directed to a malicious website or to a site that has been compromised by cybercriminals.

Third-party advertising networks can serve adverts with malicious links that direct visitors to sites where drive-by attacks take place. Those adverts can appear on legitimate websites; even some of the biggest sites on the Internet have been found displaying malvertising. These threats must be dealt with to prevent data breaches from occurring.

Protecting against malware delivery via the Internet requires a different solution: a web filter.
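As an added example of the kind of decision a web filter makes for every request (illustration code written for this page, not WebTitan's implementation), the Python below normalizes the host a browser would actually connect to and checks it against a blocklist with label-aligned parent-domain matching. The blocked domain names are constructed for the example, and the rule that blocks raw IP-address hosts is an assumed policy that can be switched off. The point it makes is that the filter must parse the URL rather than string-match it: user-info tricks, upper-case letters, trailing dots and near-miss names such as notdriveby.example all have to be handled before a lookup means anything.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist for this example; none of these are real sites.
BLOCKED_DOMAINS = {
    "malvertising.example",
    "driveby.example",
}


def effective_host(url):
    """Return the host a browser would connect to, normalized, or None
    if the URL has no usable host."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname  # drops userinfo, port and brackets; lower-cases
    if not host:
        return None
    host = host.rstrip(".")  # 'example.com.' is the same host as 'example.com'
    try:
        # Unicode labels become punycode so the lookup key is always ASCII.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # empty or over-long label: not a host we can evaluate
    return host


def is_ip_literal(host):
    """True for hosts written as a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_chain(host):
    """'ads.cdn.driveby.example' -> ['ads.cdn.driveby.example',
    'cdn.driveby.example', 'driveby.example', 'example'].
    Label-aligned matching avoids treating 'notdriveby.example' as a
    subdomain of 'driveby.example', which a plain endswith() would."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(url, blocklist=BLOCKED_DOMAINS, block_ip_hosts=True):
    """Filter decision: ('block', reason) or ('allow', host)."""
    host = effective_host(url)
    if host is None:
        return ("block", "unparseable host")
    if is_ip_literal(host):
        # Assumed policy: drive-by redirect chains often land on bare
        # addresses, so many deployments refuse them outright.
        if block_ip_hosts:
            return ("block", "raw IP address host")
        return ("allow", host)
    for candidate in domain_chain(host):
        if candidate in blocklist:
            return ("block", f"matches blocked domain {candidate}")
    return ("allow", host)


if __name__ == "__main__":
    for sample in [
        "https://news.example/",
        "http://ads.cdn.driveby.example/redirect?x=1",
        "http://news.example@driveby.example/login",
        "http://DRIVEBY.EXAMPLE./",
        "http://203.0.113.7/payload",
        "http://notdriveby.example/",
    ]:
        print(sample, "->", decide(sample))
```

The `news.example@driveby.example` case is the one worth remembering: everything before the `@` is user-info, so a filter that looks at the first thing after `http://` sees a trusted name while the browser connects to the blocked one.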

Protect End Users from Web-Borne Malware Threats with WebTitan

WebTitan offers a range of web filtering solutions for the enterprise to protect end users from web-borne threats such as malware, ransomware, viruses, Trojans, and memory-resident malware threats. Solutions have also been developed to keep Wi-Fi networks and hotspots free from malware.

By implementing a web filtering solution, end users can be prevented from visiting websites known to contain malware and from engaging in risky online behavior. By restricting access to potentially dangerous websites, the risk of a malware or ransomware infection can be greatly reduced.

For further information on the benefits of WebTitan’s web filtering solutions contact the Sales team today:

US Sales +1 813 200 9460

UK/EU Sales +44 (0)247 699 3641

IRL +353 91 54 55 00

Alternatively send an email to sales@webtitan.com or visit the webpages below:

https://www.webtitan.com/webtitan/

https://www.webtitan.com/webtitan-cloud-for-wifi/

TalkTalk Underestimates Cost of a Data Breach

The cost of a data breach can be considerable, as has been clearly demonstrated by the hacking of TalkTalk. The hacking of the UK-based Internet service provider resulted in 157,000 customer accounts being compromised, with 15,656 bank account numbers and sort codes stolen by the hackers.

The group of hackers responsible for the security breach spoke to the media soon after and talked of the poor security at TalkTalk, and how easy it was to gain access to sensitive customer data. One of the hackers even said that in one instance, a three-digit password had been used to secure an account.

The hacking incident triggered a media storm which tarnished the ISP’s image and resulted in many customers changing ISP to one that was perceived to offer better security. As to how many customers have changed their mind about signing up with TalkTalk, that is unlikely to ever be known.

Soon after the discovery of the extent of the data breach, TalkTalk chief executive Dido Harding told the BBC that the company still expected its end of year results to “be in line with market expectations,” and that the data breach would likely result in one-off costs of between £30 million and £35 million.

However, the ISP seriously underestimated the fallout from the hacking incident: the cost is now put at £60 million, double the initial estimate and enough to make a noticeable dent in the company’s profits. That figure breaks down into one-off costs of around £45 million and a trading impact of £15 million.

The Cost of a Data Breach is Easy to Underestimate

The cost of a data breach is difficult to calculate accurately. It is possible to arrive at a reasonable estimate of the cost of breach resolution measures: the cost of implementing new security controls to prevent future cyberattacks is fairly easy to predict, as is the cost of mailing breach notification letters to customers. What is much harder to estimate is the loss of business that follows a breach of customer data.

TalkTalk took the decision to offer customers a free upgrade of services and told those affected financially by the breach that they would be free to leave without penalty. Since customers who had not suffered losses were not permitted to leave without cost, many had to wait until their contract expired before switching provider. According to the latest figures, the company lost 101,000 customers as a result of the data breach.

The decision to offer a free upgrade of services proved to be a wise move, not only to prevent customers who had been affected by the data breach from leaving, but to convince other customers to stay. The free upgrade has reportedly been taken up by around 500,000 customers. Even with that upgrade, the company understandably experienced a higher churn rate, with many not choosing to renew their contracts when they came to an end.

The total impact on revenue was estimated to be around 3%, although the company appears to now be recovering with the churn rate having improved in the past two months. According to Harding, “Trust in the TalkTalk brand has improved since just after the attack and consideration is higher now than it was before the incident.”

Security Risk from Java Runtime Environment Highlighted by RAT Discovery

Kaspersky Lab has recently discovered the extent to which a remote access Trojan is being used by cybercriminals, highlighting the security risk from Java Runtime Environment.

Kaspersky Lab found that the Adwind remote access Trojan (RAT), first identified in 2012, is being used extensively by cybercriminals to conduct attacks on businesses. The RAT is frequently tweaked to avoid detection, with numerous variants currently in use in the wild. The malware goes by many names in addition to Adwind; Alien Spy, JSocket, jRat, and Sockrat are just a few of the Adwind variants.

The Java-based RAT is now being rented out to criminal gangs to allow them to conduct their opportunistic attacks on companies and individuals, sometimes for as little as $25. Kaspersky Lab estimates that the number of criminals now using the malware has risen to around 1,800. The malware is estimated to be raking in around $200,000 a year for the authors. To date, it is estimated that the RAT has been used to attack as many as 440,000 users.

The frequency of attacks is also increasing. In the past 6 months, around 68,000 new infections have been discovered.

Have You Effectively Managed the Security Risk from Java Runtime Environment?

The latest variant is known as JSocket. The malware is believed to have first appeared in the summer of 2015 and is still being extensively used. The RAT is most commonly spread by phishing campaigns, with users fooled into running the Java file, which installs the Trojan. While the RAT is primarily distributed by large-scale email spam campaigns, some evidence has been uncovered to suggest it is being used as part of targeted attacks on individuals and organizations.

This is a cross-platform malware that can be used on Windows, Linux, Android, and Mac OS systems. It serves as a backdoor allowing cybercriminals to gain access to the system on which it is installed, effectively allowing them to take control of devices, gather data, log keystrokes, and exfiltrate data. It is also capable of moving laterally. It is written entirely in Java and can be used to attack any system that supports the Java Runtime Environment.

The security risk from Java Runtime Environment is considerable. Kaspersky Lab recommends that all organizations review their use of JRE and disable it whenever possible.

Unfortunately, many businesses use Java-based applications, and disabling or uninstalling JRE is likely to cause problems. However, it is essential to manage the security risk from Java Runtime Environment to prevent infections from Adwind and its variants.

If there is no need for JRE to be installed on computers, it should be removed. It represents an unnecessary risk that could result in a business network being compromised.

If it is not possible to disable JRE, computers can still be protected from Adwind/JSocket. Since this malware is commonly sent out as a Java archive (JAR) file, the code can be prevented from running by changing the program used to open JAR files.
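Changing the JAR file association stops the archive from launching on the endpoint; a complementary control is to recognise Java archives at the mail gateway regardless of what the file extension claims. The Python below is an added example, not Kaspersky Lab's or WebTitan's code: it inspects attachment bytes, identifies a JAR by its structure (a zip containing META-INF/MANIFEST.MF or .class entries) and reads the Main-Class header that makes the archive directly runnable. The sample attachments are constructed in memory for the example and contain no real code, and the quarantine rule at the end is an assumed policy.

```python
import io
import zipfile


def build_sample_jar(main_class="Sample"):
    """Constructed sample JAR for the example: a zip holding a manifest and a
    placeholder .class entry (only the class-file magic bytes, no bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nMain-Class: {main_class}\r\n\r\n")
        zf.writestr(f"{main_class}.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


def build_sample_plain_zip():
    """Constructed non-Java zip (shaped like an Office document) for contrast:
    also a zip, but neither a manifest nor class files inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()


def inspect_attachment(filename, data):
    """Describe an attachment by its content rather than by its name."""
    info = {
        "filename": filename,
        "declared_jar": filename.lower().endswith(".jar"),
        "is_jar": False,        # Java archive by structure
        "executable": False,    # has a Main-Class, so 'java -jar' runs it
        "main_class": None,
        "class_files": 0,
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return info  # not a zip container at all (PDF, text, image, ...)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            info["class_files"] = sum(1 for n in names if n.lower().endswith(".class"))
            if "META-INF/MANIFEST.MF" in names:
                info["is_jar"] = True
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    if line.lower().startswith("main-class:"):
                        info["main_class"] = line.split(":", 1)[1].strip()
                        info["executable"] = True
    except zipfile.BadZipFile:
        return info  # truncated or corrupt archive: treat as not a JAR
    if info["class_files"]:
        info["is_jar"] = True  # compiled Java inside, even without a manifest
    return info


def should_quarantine(info):
    """Assumed policy for the example: hold anything that is a Java archive by
    content, or that claims to be one by extension but could not be parsed."""
    return info["is_jar"] or info["declared_jar"]


if __name__ == "__main__":
    for name, payload in [
        ("invoice.pdf.jar", build_sample_jar()),
        ("report.zip", build_sample_jar()),        # renamed: still a JAR inside
        ("letter.docx", build_sample_plain_zip()),  # a zip, but not Java
        ("notes.txt", b"hello"),
    ]:
        result = inspect_attachment(name, payload)
        print(name, "->", "quarantine" if should_quarantine(result) else "deliver", result)
```

The renamed `report.zip` case is why the check looks inside the container: an extension-only rule passes it, yet the user only has to unzip it, or a handler only has to open it, for the same Java code to run.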

Have you managed the security risk from Java Runtime Environment? Is JRE unnecessarily installed on computers used to access your network?

What is the Motivation Behind Cyberattacks? Study Offers New Insights

Many security professionals would like to know what the motivation behind cyberattacks is. How much do hackers earn? What actually motivates hackers to attack a particular organization? How long do hackers try before giving up and moving on, and how profitable is cybercrime for the average hacker?

A recent survey commissioned by Palo Alto Networks provides some answers to these questions and offers some insight into the minds of hackers. The results of the survey suggest that cybercrime is not as profitable as many people think. In fact, “the big payday” is actually something of a myth, certainly for the majority of hackers.

There is a common misconception that cyber attackers are tirelessly working to breach the defenses of organizations and are raking in millions from successful attacks; however, the survey results indicate otherwise.

The Ponemon Institute asked 304 threat experts their opinions on the motivation behind cyberattacks, the money that can be made, the time invested by hackers, and how attackers choose their targets.

The respondents, based in Germany, the United States, and the United Kingdom, were all involved in the threat community to varying degrees. 79% of respondents claimed to be involved in the threat community, with 21% of respondents saying they were “very involved.”

What is the motivation behind cyberattacks?

The study cast some light on the motivation behind cyberattacks, as well as offering some important insights into the minds of hackers. There is a threat from hacktivists and saboteurs but, in the majority of cases, attackers are not intent on causing harm to organizations. The majority of cybercriminals are in it for the money. The motivation behind 67% of cybercrime is money.

However, in the majority of cases, it would appear that there is not actually that much money to be made. If hackers were to find employment as security professionals and use their skills to protect networks from hackers, they would likely earn a salary four times as high, and they would get sick pay, holiday pay, and medical/dental insurance.

How much do hackers earn?

Anyone interested in how much hackers earn may be surprised to find out it is not actually that much. The study determined that a technically proficient hacker would be able to conduct just over 8 cyberattacks per year, and an average of 41% of those attacks would not result in the attacker receiving any compensation.

The profits from cybercrime were found to be fairly constant regardless of where the criminals were based. In the United States a single cyberattack netted the perpetrator an average of $15,638. In the United Kingdom attackers earned an average of $12,324, and in Germany it was $14,983.

So how much do hackers earn? Take away the cost of the toolkits they purchase – an average of $1,367 – and the Ponemon Institute calculated the average earnings for a cyber attacker to be in the region of $28,744 per year. That figure was based on 705 hours spent “on the job” – around 13.5 hours per week. While it is clear that some hackers earn considerably more, the average hacker would be better off getting a real job. IT security practitioners earn 38.8% more per hour.

How can the survey data be used to prevent cyberattacks?

The survey probed respondents to find out how determined hackers were at breaching the defenses of companies. Surprisingly, it would appear that even if the potential prize is big, hackers tend not to spend a great deal of their time on attacks before moving on to easier targets.

72% of hackers are opportunistic and 69% of hackers would quit an attack if a company’s defenses were discovered to be strong. Ponemon determined that an attack on a typical IT security infrastructure took around 70 hours to plan and execute, whereas a company with an excellent infrastructure would take around 147 hours.

However, if a company can resist an attack for 40 hours (less than two days) 60% of attackers would move on to an easier target. Cybercriminals will not waste their time attacking organizations that make it particularly difficult to obtain data. There are plenty of much easier targets to attack.

Install complex, multi-layered defenses and use honeypots to waste hackers’ time. Make it unprofitable for attackers and in the majority of cases attackers will give up and move on to easier targets.

Employee Security Training Can Greatly Improve Security Posture

Employee security training is an essential part of an organization’s defense against cyberattacks, yet many CISOs and CSOs are not conducting regular training. In fact, according to a survey conducted last year on behalf of ClubCISO, one in five CISOs (21%) said they had never given security training to their staff.

This could indicate overreliance on technological security measures to prevent cyberattacks, such as firewalls, anti-virus and anti-malware software, anti-spam filters, and web filters. Organizations may have confidence in their policies and procedures. CISOs may even believe that their organization is unlikely to be attacked. Regardless of the reason, a lack of training leaves a gaping hole in security defenses.

Employee Security Training Is A Cost-Effective Way of Improving Security Posture

IT departments are well aware that employees are a weak link in the security chain and can all too easily undo all the good work done to keep data and networks secure. All it takes is for one employee to open a Word document and enable malicious macros, visit a compromised website, or inadvertently download malware for a network to be compromised.

If you want to improve your security posture, one of the easiest and most cost-effective ways to protect your network is training employees how to identify security risks. CISOs, CSOs, and IT staff may be well aware that opening an email attachment from someone they don’t know is risky. Not all employees will be so security-minded and may not appreciate the risk they are taking by opening an email attachment or visiting a link sent to them via email. Failing to train employees on these security basics is like leaving your front door unlocked when you go on vacation. Staff also need to be trained for email compliance regulations. A little training can go a very long way.

Employee Security Training Should Not Be A One-Time Event

Many organizations realize that training is important, yet still only conduct security training sessions once a year. Security training may only be given to new recruits when they join a company. The ClubCISO survey revealed that one in five employers only provided training to new employees, and 37% carried out training just once a year. Only 21% said they conducted regular security training sessions.

Furthermore, when training was provided, more than half of organizations had no idea how effective their training had been. Training was given in a checkbox fashion in order to meet industry security regulations. Once provided, documents could be signed by employees to confirm that training had been provided, which would be sufficient if ever the organization was audited by industry regulators. However, it may not be sufficient to prevent a successful cyberattack. Employee security training is not a one-time event. It should be provided in regular training sessions, knowledge should be tested, and a security culture should be developed.

Getting Staff Cybersecurity Training Right

It is all too easy to purchase a new security product and hope that it is 100% effective and will prevent a cyberattack from being successful, but no system is infallible. Cybersecurity defenses must be multi-layered, and end users must be part of any defense strategy. After all, cybercriminals will target end users as they offer an easy entry point into a corporate network.

Employee security training is not something that is enjoyed by the staff, and many employees would prefer not to have to undergo training. Many employees don’t concentrate and forget their training almost immediately. Conducting a training session is therefore not sufficient by itself. Online security training is similarly unlikely to be particularly effective if staff are not then tested on their new security knowledge.

It is therefore important to make employee security training a regular exercise and to follow up training with testing to ensure that it is taken more seriously. Consider rewarding employees for taking part in training exercises. Make sure employees are given support, and if a test is failed, such as a phishing exercise, ensure that employees who need further training are given extra help.

Employee security training is not just something that is beneficial to employers. Employees also benefit. They can use training to keep their own online activities secure outside of the office, or can use training to protect their children when they go online. Explain the relevance and inform employees that the skills they learn can help to keep them safe outside work.

Get the Board to Back Security Training Efforts

All too often, boards lack awareness of the level of risk their organizations face. Employee security training may be considered an unnecessary use of time and resources. Without board buy-in, CISOs are likely to face an uphill battle.

Employee security training will require support from the board, and for that to happen it may be necessary for CISOs to explain the relevance and importance of employee security training. If you feel that your board does not appreciate the benefits, send the board members a dummy phishing email. If they click the link or open a bogus attachment, it may help them to understand the high risk of employees doing the same. Without buy-in from the board it will be difficult to develop a worthwhile and effective training program.

With the current threat from malware, ransomware, phishing, and hacking, it is essential to take action to defend all attack surfaces. Since employees are often the weakest link in the security chain, they are a great place to start to improve overall security posture.