Month: April 2016

ITRC Releases New U.S. Data Breach Statistics

This week has seen the release of new U.S. data breach statistics by the Identity Theft Resource Center (ITRC). The new report reveals the extent to which organizations have been attacked over the past decade, breaking down data breaches by industry sector.

ITRC has been collecting and collating information on U.S. data breaches since 2005. Since records of security breaches first started to be kept, ITRC figures show a 397% increase in data exposure incidents. This year has seen the total number of data breach incidents surpass 6,000, with 851 million individual records now having been exposed since 2015.

U.S. Data Breach Statistics by Industry Sector

The financial sector may have been extensively targeted by cybercriminals seeking access to financial information, but between 2005 and March 2016 the industry only accounts for 7.9% of data breaches. The heavily regulated industry has implemented a range of sophisticated cybersecurity protections to prevent breaches of confidential information, which has helped to keep data secure. The business and healthcare sectors were not so well protected and account for the majority of data breaches over the past decade.

Over the course of the past decade, the financial sector ranked lowest for breaches of Social Security numbers. The largest data security incident exposed 13.5 million records. That data breach occurred when data was on the move.

At the other end of the scale is the business sector, which includes the hospitality industry, retail, transport, trade, and other professional entities. This sector had the highest number of data breaches, accounting for 35.6% of all data breaches reported in the United States. Those breaches exposed 399.4 million records.

ITRC’s U.S. data breach statistics show that the business sector was the most frequently targeted by hackers over the course of the past decade, accounting for 809 hacking incidents. Hackers were able to steal 360.1 million records and the industry accounted for 13.6% of breaches that exposed credit and debit card numbers. The huge data breaches suffered by Home Depot and Target involved the exposure of a large percentage of credit and debit card numbers.

Healthcare Sector Data Breaches Behind the Massive Rise in Tax Fraud

The business sector was closely followed by the healthcare industry, which has been extensively targeted in recent years. ITRC reports that the industry accounted for 16.6% of data breaches that exposed Social Security numbers. Since 2005, over 176.5 million healthcare records have been exposed and over 131 million records were exposed as a result of hacking since 2007. That includes the 78.8 million records exposed in the Anthem Inc. data breach discovered early last year.

While hacking has exposed the most records, employee negligence and error were responsible for 371 data breaches in the healthcare industry. Healthcare industry data breaches are believed to have been responsible for the massive increase in tax fraud experienced this year. Tax fraud surged by 400 percent in 2016.

Government organizations and military data breaches make up 14.4% of U.S. data breaches over the past decade, with the education sector experiencing a similar number, accounting for 14.1% of breaches. Over 57.4 million Social Security numbers were exposed in government/military data breaches along with more than 389,000 credit and debit card numbers.

The education sector experienced the lowest number of insider data breaches of all industry sectors (0.7%) although 2.4 million records were exposed via email and the Internet.

Cybersecurity Protections Need to Be Improved

The latest U.S. data breach statistics show that all industry sectors are at risk of cyberattack, and all must improve cybersecurity protections to keep data secure. According to Adam Levin, chairman and founder of IDT911, “Companies need to create a culture of privacy and security from the mailroom to the boardroom. That means making the necessary investment in hardware, software and training. Raising employee cyber hygiene awareness is as essential as the air we breathe.”

Patch Issued to Prevent Microsoft Wireless Mouse Hijacking

The risk of Microsoft wireless mouse hijacking has been addressed this week. An optional fix was released as part of the latest KB3152550 Windows update. The update is for Windows 7, 8.1, and 10, although Microsoft has not addressed the flaw in Windows Server.

Earlier this year security researchers from Bastille Networks discovered a vulnerability with wireless mice and keyboards which could potentially be exploited by hackers and used to remotely execute commands on computers. The vulnerability affected a number of providers of wireless mice and keyboards.

The vulnerability – termed MouseJack – can be used to exploit a number of vulnerabilities in the protocols used by the hardware to communicate with computers. Attackers can potentially spoof mice and keyboards, although they would need to be in close proximity to the devices to do so. This could be up to 100 m away.

Attackers could use a wireless Internet connection from outside the company premises to take advantage of the MouseJack vulnerability and inject HID packets via USB dongles. Bastille Networks researchers discovered many wireless mice accept keyboard HID packets transmitted to the RF addresses of wireless mice.

The Microsoft update improves security by filtering out QWERTY key packets in keystrokes received by wireless mouse USB dongles.
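
The filtering idea described above, as an added example that is not Microsoft's code and not part of the original article: a simplified C model in which a receiver drops keyboard reports that arrive on an address paired as a mouse. The frame layout, type names and sample frames are assumptions constructed for illustration; only the report sizes follow the USB HID boot protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical model of a dongle-side input filter; all names are illustrative. */
enum dev_type { DEV_MOUSE, DEV_KEYBOARD };
enum verdict  { FORWARD, DROP_MISMATCH, DROP_MALFORMED };

struct rf_frame {            /* decoded frame as the receiver might see it */
    enum dev_type report;    /* kind of HID report the frame claims to carry */
    uint8_t data[8];
    size_t len;
};

/* USB HID boot-protocol sizes: mouse = buttons,dx,dy; keyboard = mods,reserved,6 keys. */
#define MOUSE_REPORT_LEN 3
#define KBD_REPORT_LEN   8

/* Decide whether a frame received on an address paired as `paired` reaches the host. */
enum verdict filter_frame(enum dev_type paired, const struct rf_frame *f)
{
    size_t want = (f->report == DEV_MOUSE) ? MOUSE_REPORT_LEN : KBD_REPORT_LEN;
    if (f->len != want)
        return DROP_MALFORMED;
    /* Core check: keystrokes addressed to a mouse are never legitimate input. */
    if (paired == DEV_MOUSE && f->report == DEV_KEYBOARD)
        return DROP_MISMATCH;
    return FORWARD;          /* mouse reports on keyboard addresses are out of scope here */
}

/* Constructed sample traffic, all sent to one paired address. */
static const struct rf_frame sample[] = {
    { DEV_MOUSE,    { 0x00, 0x05, 0xFB }, 3 },   /* pointer move */
    { DEV_KEYBOARD, { 0x00, 0x00, 0x04 }, 8 },   /* key 'a' (HID usage 0x04) */
    { DEV_MOUSE,    { 0x01, 0x00, 0x00 }, 3 },   /* left click */
    { DEV_KEYBOARD, { 0x00, 0x00, 0x04 }, 5 },   /* truncated keyboard report */
};

/* Count sample frames that would be forwarded for the given pairing. */
int count_forwarded(enum dev_type paired)
{
    int n = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        n += (filter_frame(paired, &sample[i]) == FORWARD);
    return n;
}

int main(void)
{
    printf("mouse pairing: %d forwarded, keyboard pairing: %d forwarded\n",
           count_forwarded(DEV_MOUSE), count_forwarded(DEV_KEYBOARD));
    return 0;
}
```

With the address paired as a mouse, only the two pointer frames pass; the well-formed keystroke is dropped for the type mismatch and the truncated one for its length.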

The risk of Microsoft wireless mouse hijacking is relatively low, although it should not be ignored. All organizations that use wireless Microsoft mice should install the patch. If devices have been set to update automatically the patch should already have been installed.

Unfortunately, there is still a risk of Microsoft wireless mouse hijacking for users of the Sculpt Ergonomic Mouse, which was not fixed in the latest update. Non-Microsoft wireless mice may also still be at risk. Users of other wireless mice should consult the websites of the manufacturers to determine whether patches have been released.

Dell SecureWorks Releases Underground Hacker Markets Report

This month Dell SecureWorks released its annual underground hacker markets report. For the past three years, intelligence analysts at Dell SecureWorks have been tracking underground hacking forums and gathering intel. The annual reports provide an interesting insight into the world of cybercrime, and reveal just how little hackers are charging to conduct attacks.

Underground Hacker Markets Report Reveals Wide Range of Corporate Data Being Openly Sold on the Black Market

The underground hacker markets report shows that hackers are selling all types of stolen data, including passports, Social Security cards, driver’s license numbers, bank account details, airline points accounts, and credit card numbers. The latter can be purchased for just $7, while physical Social Security cards are being sold for up to $250.

Hacking services are also being offered cheaply, with the hacking of websites costing around $350, DDoS attacks being sold from $5 per hour to $555 per week, and doxing for under $20. Hacking tutorials are even being offered with multiple sessions available for under $40.

Cybercriminals wishing to launch their own attacks are being offered a wide range of malware at low prices. Remote Access Trojans (RATs) are being sold at cut price rates of $5 to $10 a time. Crypters are being sold for $80-$440, and the Angler exploit kit is available for between $100 and $135. The hackers are also offering total confidentiality and customer support.

The analysts also discovered whole business dossiers being sold via underground forums. The dossiers include email accounts, bank account numbers, and a range of logins and passwords. Those dossiers are being sold openly for as little as $547. With the type of information contained in the dossiers, criminals could drain bank accounts and even apply for credit in company names.

BEC Scams Have Increased 270% In the Past 3 Years

In the past few years business email compromise scams have increased substantially. According to a recent warning issued by the FBI, between October 2013 and August 2015 BEC attacks increased by 270%.

BEC scams are proving to be extremely lucrative for cybercriminals. Figures from the FBI suggest that $1.2 billion has been lost to BEC scams since October 2013. Mattel recently discovered by accident that criminals had succeeded in pulling off a BEC scam involving a $3 million transfer to hackers in China.

The scam took place at a time when the company was undergoing a corporate change, and it would have been successful had the transfer been made on virtually any other weekend in the year. The fact that the transfer was made on a bank holiday gave Mattel time to stop the transfer going through.

Attacks on this scale may not be pulled off regularly, but they are far from unusual. One of the biggest BEC scam losses was reported recently by The Scoular Co. The Omaha-based company lost $17.2 million to BEC scammers.

Cybercriminals no longer need to personally gain access to corporate email accounts to pull off these scams. For a very small investment they can buy access to CEO and executive email accounts.

The Dell underground hacker market report indicates cybercriminals can purchase a U.S. corporate email account for around $500, while Gmail, Hotmail and Yahoo accounts can be compromised for around $129.

Symantec’s Internet Security Threat Report Shows Major Increase in Online Threats

Symantec’s 2016 Internet security threat report has revealed the lengths to which cybercriminals are now going to install malware and gain access to sensitive data. The past 12 months have seen a substantial increase in attacks, and organizations are now having to deal with more threats than ever before.

Internet Security Threat Report Shows Major Increases in Ransomware, Malware, Web-borne Threats and Email Scams

The new Internet Security Threat Report shows that new malware is being released at a staggering rate. In 2015, Symantec discovered over 430 million unique samples of malware, representing an increase of 36% year on year. As Symantec points out, “Attacks against businesses and nations hit the headlines with such regularity that we’ve become numb to the sheer volume and acceleration of cyber threats.”

A new zero-day vulnerability is now being discovered at a rate of one per week, twice the number seen in 2014 and 2013. In 2015, 54 new zero-day vulnerabilities were discovered. In 2014 there were just 24 zero-day exploits discovered, and 23 in 2013.

The 2016 Internet Security Threat Report puts the total number of lost or stolen computer records at half a billion, although Symantec reports that organizations are increasingly choosing to withhold details of the extent of data breaches. The breach may be reported, but there has been an 85% increase in organizations not disclosing the number of records exposed in breaches.

Ransomware Attacks Increased 35% in 2015

Ransomware is proving more popular than ever with cybercriminal gangs. In 2015, ransomware attacks increased by 35%. The upward trend in 2015 has continued into 2016. Spear phishing attacks have also increased. While these attacks are often conducted on large organizations, Symantec reports that spear phishing attacks on smaller companies – those with fewer than 250 employees – have been steadily increasing over the past five years. In 2015, spear phishing attacks increased by a staggering 55%.

Cybercriminals may now be favoring phishing attacks and zero-day exploits over spam email scams, but spam email scams still pose a major risk to corporate data security. There has also been a rise in the number of software scams. Scammers are getting consumers to purchase unnecessary software by misreporting a security problem with their computer. Symantec blocked 100 million fake technical support scams last year.

75% of Websites Found to Contain Exploitable Security Vulnerabilities

One of the most worrying statistics from this year’s Internet Security Threat Report is that over 75% of websites contain unpatched security vulnerabilities which could potentially be exploited by hackers. Even popular websites have been found to contain unpatched vulnerabilities. If attackers can compromise those websites and install exploit kits, they can be used to infect millions of website visitors. Simply being careful which sites are visited and only using well known sites is no guarantee that infections are avoided.

With the dramatic increase in threats, organizations need to step up their efforts and improve cybersecurity protections. Failure to do so is likely to see many more of these attacks succeed.

Vendor Data Security Risk Management Poor, According to Two New Studies

Companies may be happy to use vendors for a wide range of services that they do not have the resources or skills to conduct in-house, but the vendor data security risk could be considerable, according to a new report issued by security firm Bomgar.

Furthermore, the number of third party vendors used by an average firm has grown substantially in recent years. Bomgar determined that on average 89 separate vendors are accessing company networks every week. With such high volumes of third party companies being given access to corporate networks, data breach risk is high, especially considering the lack of security controls in place at many companies.

Numerous companies have reported suffering a data breach as a direct result of granting vendors access to their networks. The survey conducted by Bomgar asked 608 IT decision makers from the United States, UK, Germany, and France about vendor access to their networks and IT security. 69% of respondents said their organization had either definitely or probably experienced a vendor-related data breach.

The situation is likely to get much worse. When asked whether reliance on third party vendors would increase over the course of the next two years, three quarters of respondents said that it would. It is not only the vendors employed by organizations that are the problem. In many cases, vendors have vendors and subcontract certain tasks to other companies. 72% of respondents said this was the case, increasing vendor security risk further.

Poor Vendor Data Security Could Lead to a Data Breach

The survey also revealed that only 35% of companies could say with any degree of certainty exactly how many vendors were able to access their networks. Just 34% of companies could tell how many logins had been issued to their vendors. This suggests the majority of companies are exercising poor network access control.

Many organizations are leaving themselves wide open to a vendor-related data breach. The potential for damage is considerable. Rather than limiting network privileges for vendors, 44% of companies said that when it comes to network access they tend to use an all or nothing approach. Rather than limiting data access to the minimum necessary requirement for a task to be performed, full access is granted.

The survey results show that many companies may be underestimating vendor data security risk. 92% of respondents said they trusted their vendors completely or at least most of the time. That said, when asked if they trust vendors too much, just over two thirds said yes.

While the Bomgar study appears to show overwhelming trust in security vendors, a separate study conducted by the Ponemon Institute revealed that in the United States trust in vendors is much lower, at least when it comes to reporting security breaches.

The Ponemon survey was conducted on 598 individuals across a range of organizations. Respondents were familiar with vendor data security risk management at their respective organizations.

37% of respondents said they believed their primary vendors would not notify them if a breach of confidential or sensitive data occurred. For subcontractors used by third-party vendors, trust was even lower. 73% said they did not think they would be informed of a breach if it occurred.

Organizations may implement robust security defenses to prevent direct network attacks, but if they fail to ensure their vendors are exercising appropriate data security controls and do not keep tabs on who has access to their network, data breaches are likely to occur.