The industry news items that appear in this section cover a broad spectrum of events within the cybersecurity industry. Everything from the motivation behind cyberattacks to the latest data breach figures are discussed – along with the developments in the industry to help protect organizations against the threats of web-borne attacks and those launched through email campaigns.
The latest cybersecurity industry news should be essential reading for IT professionals – especially those within the healthcare and financial industries which have long been popular targets for hackers and other cybercriminals. By addressing some of the security flaws highlighted in our news items, it may be possible to prevent your own organization from suffering a similar attack.
2016 was a bad year for data breaches, but a new analysis by the Identity Theft Resource Center (ITRC) shows 2017 data breaches figures are far worse. Year over year, data breaches have increased by 29.1%.
Last year saw record numbers of data breaches, with 1,093 incidents tracked by the ITRC; however, If breaches continue to occur at the rate seen over the past 6 months, this year is likely to be another record breaking year. 2017 is likely to see more than 1,500 breaches – a particularly worrying milestone to pass.
55.4% of 2017 data breaches have been reported by organizations in the business sector. Those 420 incidents have involved more than 7.5 million records, more than 64% of all records exposed so far in 2017. The healthcare industry has also experienced many data breaches, accounting for 22% of the total. So far this year, the protected health information of 2.5 million individuals has been exposed – 21.1% of all records exposed so far in 2017.
Education may have only experienced 87 data breaches this year – 11.5% of the year to date total – but those breaches account for 9% of exposed records, helped in no small part by a single breach at Washington State University that involved at least 1 million records.
The government/military (43 breaches) is in fourth place, accounting for 1.8% of the total with the 200,000+ exposed records. Fifth place is taken by the financial services with 41 breaches, with more than 526,000 exposed records accounting for 5.4% of the year to date figures.
The ITRC has been tracking data breaches since 2005, with the 2017 data breaches bringing the overall total number of incidents up to 7,656. The total number of exposed records has now risen to 899,792,157.
In the case of healthcare data breaches, more incidents have been reported following the clarification of HIPAA Rules covering ransomware attacks. Last year there was some confusion as to whether ransomware attacks were reportable. The Department of Health and Human Services’ Office for Civil Rights confirmed late last year that most ransomware attacks are reportable under HIPAA Rules. Consequently, there has been an increase in reports of these events in recent months.
Companies in other industries are also reporting more data breaches due to changes in state legislation and public pressure. However, ITRC points out the big jump in 2017 data breaches can also be explained by an increase in insider incidents and cyberattacks.
The increase in data breaches in 2017 clearly highlights the importance of conducting a thorough, organization-wide risk analysis to identify all potential vulnerabilities that could potentially be exploited. A risk management plan should then be put in place to address any vulnerabilities that are identified.
While organizations should consider augmenting security to protect the network perimeter, the threat from within should not be ignored. Employees are typically a weak point in security defenses, although action can be taken to reduce risk. Training should be provided to improve security awareness, technological solutions implemented to reduce the risk from phishing and other malicious email-born attacks, while web-based attacks can be limited with a web filtering solution.
2017 may be shaping up to be a particularly bad year for data breaches, but with investment in people and cybersecurity defenses, it is not too late to prevent 2017 from being another record-breaking year.
The healthcare industry has been heavily targeted by cybercriminals, but retail industry data breaches are now the most common according to a recent study by Trustwave. Retail industry data breaches account for 22% of all reported breaches, closely followed by the food and beverage industry on 20%.
In 2016, corporate and internal networks were the most commonly breached systems although there was a marked increase in POS system breaches, which are now the second most targeted systems accounting for 31% of all reported breaches. Last year, POS data breaches only accounted for 22% of the total. POS data breaches were most common in the United States. In 2015, E-commerce platforms were heavily targeted accounting for 38% of all breaches, although in 2016 the percentage fell to 26%.
Healthcare data is in high demand, although it is still credit card numbers that are most commonly stolen. 63% of data breaches involved card data, split between card track data (33% of incidents) – mostly from hospitality and retail industry data breaches – and card-not-present data (30% of incidents) which came from breaches of e-commerce platforms.
The United States was also the most targeted country, accounting for 49% of all breaches – more than double the percentage of Asia-Pacific in second place with 21% of reported breaches. Europe was in third place with 20%.
Zero-day exploits are in high demand, commanding an initial price of $95,000 on the black market, although there were only 9 zero-day vulnerabilities exploited in the wild in 2016 – 5 for Adobe Flash, 3 for Internet Explorer and one for Microsoft Silverlight.
The top two methods of compromise were remote access – 29.7% of attacks – and phishing and social engineering, which accounted for 18.8% of attacks.
Exploit kit activity has fallen since the fall of the Angler, Magnitude and Nuclear exploit kits, although others such as Rig are increasing in popularity. Exploit kits activity could increase further due to the low cost of conducting malvertising campaigns – malicious adverts on third party ad networks that direct individuals to sites hosting exploit kits. Trustwave reports it now costs cybercriminals $5 to target 1,000 vulnerable computers with malicious adverts. Trustwave warns that while exploit kit activity has fallen, it would be wrong to assume it is gone for good. If it is profitable to use exploit kits, more will be developed.
Spam email is still the primary attack vector. In 2016, there was an increase in spam email messages rising from 54% of message volume in 2015 to 60% of total email volume in 2016. 35% of those messages contained malicious attachments, which Trustwave reports is up from 3% in 2015.
The most common malware variants discovered in 2016 data breach investigations attacked POS systems and were PoSeidon (18%) and Alina (13.5%) with Carbanak/Anunak in third place on 10%.
A recent Ponemon Institute study suggest data breaches take more than six months to detect, while Trustwave’s figures suggest the median number of days between intrusion and detection for external incidents was 65 days in 2016, although some companies took up to 2,000 days to discover a breach. Detection rates have improved from 2015, when it took an average of 80.5 days to detect a breach.
For the first time in the past seven years, the cost of a data breach has fallen, with a 10% reduction in per capita data breach costs across all industry sectors. The global study revealed the average cost of a data breach is now $141 per exposed or stolen record. The global average cost of a data breach is down to $3.62 million from $4 million last year.
The IBM Security sponsored study was conducted by the Ponemon Institute, which has been tracking the costs of data breaches for the past seven years. In every other year data breach costs have risen year over year.
The Ponemon Institute say the reduction can partly be explained by a strong dollar. In the United States, the cost of a data breach has risen from $221 to $225 per record with the total breach cost increasing to $7.35 million from $7.02 million last year.
For the study, the Ponemon Institute assessed the breach resolution costs after organizations experienced a breach and had notified affected individuals. Large data breaches – those in which more than 100,000 records were exposed or stolen – were not included in the study as they were deemed atypical. Instead, only breaches of between 5,000 and 100,000 records were included. The average size of the breaches were 28,512 records. A breach was defined as the loss or theft of a record that included an individual’s name along with either their Social Security number, financial information or medical record.
For the seventh consecutive year, the healthcare industry had the highest data breach costs. The per capita cost of a healthcare data breach was $380. The financial services, another highly regulated industry, had the second highest breach costs ($336 per record). Services sector data breaches cost $274 per record, life sciences breaches were $264 per record and the Industrial sector had a per capita breach cost of $259.
The lowest breach costs were retail ($177), hospitality ($144), entertainment ($131), research ($123) and the public sector ($110). The biggest cause of data breaches were malicious and criminal attacks, which also carried the highest resolution costs. System glitches and human error each accounted for 24% of data breaches.
An analysis of breach costs revealed there are a number of ways to reduce the cost of a data breach. Having a breach response plan in place saw companies reduce breach costs by $19 per record, while the use of encryption reduced breach costs by an average of $17 per record. Employee education helped reduce breach costs by an average of $12.50 per record.
A fast response to a data breach can also dramatically reduce the total breach cost. Organizations that were able to contain a breach within 30 days saw breach costs reduced by $1 million. On average, it takes companies more than six months to discover a breach and containing the breach takes an average of 66 days.
TitanHQ is proud to announce a new partnership with the intelligent spaces company Purple. Purple has chosen TitanHQ’s WiFi content filtering solution – WebTitan – to keep its WiFi networks secure and to carefully control the content that can be accessed by its clients and their customers.
The importance of securing WiFi networks has been highlighted by recent cyberattacks, including the WannaCry ransomware attacks on May 12. Consumers can be provided with WiFi access, but need to be protected from web-borne threats such as drive-by ransomware downloads and phishing attacks.
WebTitan offers protection against a wide range of web-borne threats including exploit kits, phishing websites, malicious web adverts and drive-by downloads of malware and ransomware. Every day, WebTitan detects more than 60,000 web threats and protects customers by blocking access to harmful webpages. WebTitan also allows businesses to carefully control the content that can be accessed via WiFi networks, filtering out obscene, harmful, and illegal website content.
As a leading provider of WiFi analytics and marketing services, Purple is well aware of the potential risks that come from unsecured WiFi hotspots. The company is committed to securing its WiFi networks and ensuring its customers are protected in the right way. Purple required exceptional protection for its customers, yet not all WiFi filtering solutions matched the company’s unique requirements.
Purple explained those requirements to TitanHQ, which was able respond with a solution that matched the company’s exacting needs. James Wood, Head of Integration at Purple said, “From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”
WebTitan allows companies to manage WiFi content controls in multiple locations from a single administration console, making it an ideal solution for global WiFi businesses. For companies such as Purple, whose clients need to have control over their own filtering controls, WebTitan was ideal. Wood explained that WebTitan “allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”
TitanHQ was able to respond rapidly roll out WebTitan in a matter of days. Purple customers are now protected by the leading WiFi content filtering solution and can access the Internet safely and securely. Wood said, “With demanding timescales involved for the migration, we invested heavily in WebTitan and they have not failed to deliver.”
TitanHQ CEO Ronan Kavanagh is delighted that Purple has chosen TitanHQ has its WiFi filtering partner. Kavanagh said, “Purple is now a valued member of the TitanHQ family and we are delighted to welcome the firm onboard. This is a partnership that illustrates just how well suited WebTitan is to Wi-Fi environments.”
Sabotage, subversion and ransomware attacks all increased sharply in 2016, with malware-infected emails now at a five-year high according to the latest installment of Symantec’s Internet Security and Threat Report (ISTR).
For the 22nd volume of the report, the antivirus and antimalware software vendor analyzed data collected from millions of users of its security solutions – The world’s largest civilian threat collection network, consisting of 98 million attack sensors spread across 157 countries around the globe.
The 77-page Internet Security and Threat Report is one of the most highly respected publications issued by any cybersecurity company.
The Internet Security and Threat Report provides a valuable insight into the state of cybersecurity and details how global cybersecurity threats have changed over the course of the past 12 months.
Internet Security and Threat Report Shows Change in Attack Tactics
Data theft and financial fraud may be major motivators behind cyberattacks on businesses, but over the past 12 months there has been a sharp rise in politically motivated cyberattacks. Rather than steal data, the attackers are sabotaging businesses using destructive malware such as hard disk wipers.
The attacks are conducted to cause serious harm to business competitors, although nation state-backed hackers have also been targeting the critical infrastructure in many countries. Attacks on Ukrainian energy providers have been conducted to disrupt the power supply while attacks on companies in Saudi Arabia – using Shamoon malware – attempted to permanently delete corporate data.
Many attacks were conducted last year with a different aim – subversion. That was clearly demonstrated during the recent U.S presidential campaign. Sensitive data from the Democratic party was leaked in an attempt to influence the outcome of the U.S presidential election. The FBI investigation into the hacking of the presidential election is ongoing.
Sabotage is on the rise, but data theft incidents continue. The past year has seen many espionage attacks resulting in the theft of sensitive data and corporate secrets and financial attacks have increased.
The Internet Security and Threat Report shows there has been a major increase in large-scale financial heists in the past year. Attacks on consumers are occurring with increasingly regularity, although the banks themselves are now being targeted. Those attacks have resulted in the theft of many millions of dollars.
The Carbanak gang has been highly active in this area and has performed multiple attacks on U.S banks, while the Banswift group performed one of the biggest heists of the year, stealing $81 million from the central bank in Bangladesh.
While exploit kits and other web-based attacks were a major threat in 2015, attackers have returned to email as the primary method of gaining access to networks. In 2015, Symantec blocked an average of 340,000 web-based attacks per day. In 2016, the number had fallen to 229,000 – a significant reduction, although the threat of web-based attacks cannot be ignored.
The Biggest Malware Threat Comes from Email
Phishing is still a major risk for businesses, although the phishing rate has fallen over the past three years, according to the Internet Security and Threat Report. In 2014, one in 965 messages were used for phishing. In 2016, the number fell to one in 2,596 emails.
However, email spam levels have remained constant year on year. Email spam accounts for 53% of all sent messages.
Phishing email volume may be down, but email-borne malware attacks have increased. The Symantec Internet Security and Threat Report shows the volume of malicious emails now being sent is higher than any point in the past five years.
Now, one in 131 emails contain either a malicious attachment or hyperlink, up from one in 220 emails in 2015 and one in 244 emails in 2014. The number of new malware variants being released has also soared. In 2014, there were 275 million new malware variants discovered. That figure rose to 357 million last year. The number of bots sending malicious email has also increased year on year, from 91.9 million in 2015 to 98.6 million in 2016.
Ransomware Attacks Soared in 2016
Ransomware attacks also increased significantly in 2016, with the United States the most targeted country. Even though the FBI and other law enforcement agencies strongly advise against paying a ransom, 64% of U.S. companies ignore that advice and pay the attackers for keys to decrypt their data.
In 2015, the average ransom demand was for $294 per infected machine. Over the course of the past 12 months, ransom amounts have increased considerably. The Symantec Internet Security and Threat Report shows ransom demands increased by an astonishing 266% in 2016. The average ransom demand is now $1,077 per infected machine.
Symantec tracked 101 separate ransomware families in 2016 – A substantial rise from the 30 known ransomware families in 2014 and 2015. Last year, there were 463,841 ransomware detections, up from 340,655 from 2015.
One of the biggest threats comes from the cloud, although many organizations are underestimating the risk. When organizations were asked how many cloud apps are in use in their company, few provided an accurate figure. Many estimated they used around 40 cloud-based apps. Symantec reports that for the average company, the figure is closer to 1,000.
As the Internet Security and Threat Report shows, the cyberthreat landscape is constantly changing as cybercriminals develop new methods of attacking businesses. Only by keeping up to date on the latest threat indicators and bolstering cybersecurity defenses can businesses maintain a robust security posture and prevent attacks.
The GDPR impact on business practices is considerable, as is the cost of GDP compliance. A recent survey conducted by PwC revealed that 77% of large companies are expecting GDPR compliance to cost in excess of $1 million. Due to the considerable GDPR impact on business practices, many companies are already rethinking whether or not to continue doing business in Europe.
Many large multinational companies are well aware of the GDPR impact on business practices and the amount of work GDPR compliance will involve. That is not the case for SMEs, many of which are only just realizing they must comply with GDPR.
GDPR does not just apply to social media sites and global retailers. All businesses, regardless of their size, will be required to comply with the General Data Protection Regulation if they collect or process the personal information of EU citizens.
The definition of personal information is broad and includes online identifiers such as IP addresses. Even online retailers that allow EU citizens to access their websites are required to comply with GDPR.
All businesses will be required to perform a risk analysis to identify potential vulnerabilities to the confidentiality and integrity of stored data. Many large companies already have a swathe of cybersecurity protections to keep sensitive data secure, but most smaller organizations will discover they must implement more robust cybersecurity protections in order to comply with GDPR.
Companies will need to review their policies on data collection. When GDPR comes into effect, companies will need to have a valid reason for collecting personal information. Any data collected must also be limited to the minimum necessary information to perform the purpose for which data are collected.
Doing business in Europe will require privacy protections to be enhanced, new data security measures to be implemented, data collection practices to be changed, and policies and procedures to be updated. Legal teams must then assess GDPR compliance.
The GDPR impact on business practices is likely to be considerable for many companies. The time taken to perform risk analyses, assess policies and procedures, find and implement security solutions and update privacy policies will be considerable. Leaving GDPR compliance to the last minute is likely to see the deadline missed. That could prove to be very costly or even catastrophic for many businesses. Failure to comply with GDPR regulations can result in a fine of €20 million or 4% of global revenue, whichever is the greater. Non-compliance simply isn’t an option.
On May 25, 2018, the General Data Protection Regulation (GDPR) comes into force and GDPR compliance will be mandatory. Now is the time to get prepared. GDPR compliance is likely to require considerable effort and resources. If your organization is not prepared, you may miss the GDPR compliance deadline.
GDPR is a new regulation that will apply to all organizations based in EU member states, as well as those based in non-member states that capture, hold or process the data of EU citizens. GDPR is a replacement of the 1995 EU Data Protection Directive and will address web-based technology that was not widely available in 1995. Use of the cloud for instance.
The new regulation will help to ensure the personal data of EU citizens is protected and the risk of sensitive data being exposed is minimized. The new regulation will also allow EU citizens to have much greater control over the personal data that is collected and stored by organizations, and how those data are used.
How Will GDPR Protect Consumers?
One of the main elements of GDPR is improving the rights of EU citizens with regards to the personal data that is collected, stored and used by organizations. GDPR requires organizations to obtain informed consent from consumers prior to collecting and using their data. Consumers must be told the reason why data are being collected, how data will be used, and consumers must be told that they can withdraw their consent at any time. A mechanism must be put in place that will allow an organization to delete data when it is no longer required or when consent is withdrawn.
GDPR gives consumers the right to:
- Find out how their data will be used
- Discover how data were obtained if informed consent was not provided
- Access personal data
- Find out how long data will be stored
- Correct errors in stored data
- Move data to a different processor
- Restrict or prohibit the processing of data
- Find out with whom data have been or will be shared
- Have data permanently erased
- Avoid being evaluated on the basis of automated processing
Organizations must also limit the data collected to the minimum necessary amount for the purpose that has been described to consumers to be performed.
While organizations that have an online presence and actively collect data will have to comply with GDPR – Amazon for example – GDPR will apply to a much broader range of companies. In fact, many companies that do not have an online presence will need to comply with GDPR. GDPR will apply to any company that collects the types of data covered by the GDPR definition of personal information. That includes organizations that store ‘personal data’ of employees in an electronic database.
What Data are Covered by GDPR?
Under GDPR, personal information includes an individual’s name and a host of other identifiers, including online identifiers such as location data, IP addresses, cookies and other “pseudonymous data”. Information such as race and ethnic origin, religious or philosophical beliefs, political opinions, sexual orientation, details of sex life, criminal convictions, trade union membership, health data, biometric data, and genetic data are all covered.
Data Security Standards Necessary for GDPR Compliance
GDPR also covers the protections that must be put in place by organizations to ensure the confidentiality, integrity, and availability of data. That includes stored data and all data that flows through systems or applications.
GDPR compliance requires organizations to conduct a risk/gap analysis to assess potential vulnerabilities in their current systems and processes.
Companies must “implement appropriate technical and organizational measures” to ensure the confidentiality, integrity and availability of data. Those measures should “ensure a level of security appropriate to the risk.”
Companies must adopt a privacy and security-by-design approach, and ensure that controls are implemented during the planning stages, development, implementation, and use of applications and systems. Regular testing and security assessments must also be performed.
Systems must also be implemented that allow data to be recovered and restored in the event of a security incident or technical problem being experienced.
Data Breach Notification Requirements of GDPR
Any organization that experiences a breach of data covered by GDPR must inform their Data Protection Authorities (DPAs) within 72 hours of the breach being discovered. Individuals impacted by a data breach must also be notified, if such a breach has potential to result in identity theft or fraud, discrimination, financial loss, reputation damage, or other significant economic or social disadvantage. Notifications will not be required if stored data are encrypted or are otherwise undecipherable and unusable.
Preparing for GDPR
Many organizations currently lack the necessary systems to ensure GDPR compliance. For instance, many do not have systems that allow them to easily identify consumer data, retrieve it, and delete it as necessary.
Privacy policies will need to be drafted and published to incorporate the new regulation and ensure GDPR compliance. Forms explaining consent to use data will need to be developed and published. Staff will need to be trained on the new rights of individuals. Policies must also be developed – or updated – covering data breach notifications in case personal information is exposed, accessed, or stolen. Additional security solutions will need to be implemented. GDPR compliance will involve considerable cost and resources and ensuring GDPR compliance will take time.
Organizations must therefore start preparing for the introduction of the new regulation. It may be a year before GDPR compliance is necessary, but given the necessary changes, organizations should start planning now. From May next year, GDPR compliance will be mandatory and there will be severe penalties for non-compliance.
What are The Penalties for Non-Compliance with GDPR?
Any organization that fails to comply with GDPR can be fined by their DPAs. DPAs will be given more powers to investigate data breaches and non-compliance. The potential fines for non-compliance with GDPR are considerable.
If an organization does not comply with the GDPR security standards, a fine of up to €10 million can be issued or 2% of global annual turnover, whichever is the greater. The failure to comply with GDPR privacy standards can attract a fine of up to €20 million or 4% of global annual turnover, whichever is the greater.
Fines will be dictated by the extent of the violation or data breach, the number of individuals impacted, and the extent to which the organization has implemented controls and standards to ensure GDPR compliance.
Individuals also have the right to seek compensation if their personal information is misused or stolen, if they have suffered harm as a result. Criminal sanctions may also be applied, such as if data is collected without consent.
Organizations are likely to suffer reputational damage in the event of a data breach, as the EU will be naming and shaming organizations that fail to implement appropriate measures to protect data and prevent data breaches. Details of organizations that have not complied with GDPR will be published and made available to the public.
How Can TitanHQ Help with GDPR Compliance?
TitanHQ offers a range of data security solutions that offer real-time protection against viruses, malware, ransomware and spyware to help organizations effectively manage risk, prevent data breaches, and ensure GDPR compliance.
TitanHQ offers award-winning security solutions to prevent web-based and email-based cyberattacks, in addition to helping organizations protect themselves from insider breaches.
SpamTitan is an advanced email security solution that protects organizations from email-based attacks such as phishing, blocking the most common method of malware and ransomware delivery. SpamTitan detects and blocks 99.97% of spam email, with a range of deployment options to suit the needs of all businesses.
WebTitan offers industry-leading protection against a wide range of web-based threats such as exploit kits, malvertising, phishing websites and drive-by malware downloads. The solution allows data protection officers to limit the types of websites that can be accessed by employees to minimize risk.
ArcTitan is an easy to use email archiving system that copies all inbound and outbound messages and stores them in an encrypted email archive, preventing loss of data and ensuring emails can be recovered and audited. The solution satisfies GDPR compliance requirements for identifying, retrieving, and deleting individuals’ personal data, when its purpose has been served or consent is withdrawn.
For more information on TitanHQ’s cybersecurity solutions and how they can help with GDPR compliance, contact the TitanHQ team today.
The Intercontinental Hotels Group data breach previously announced in February as affecting 12 hotels in the chain has proven to have been far more extensive than was first thought.
Last week the group announced that the breach affected guests that used their credit cards to pay at franchisee hotels across the United States and in Puerto Rico between September 29, 2016 and December 29, 2016.
According to the chain’s website, the Intercontinental Hotels Group data breach potentially affected guests who stayed at its Holiday Inn, Holiday Inn Express, Crowne Plaza, Staybridge Suites, Candlewood Suites, Hotel Indigo, and InterContinental Hotels. The full list of hotels that have potentially been affected by the malware incident has been listed on the IHG website. In total, 1,184 of the group’s hotels have potentially been affected.
The Intercontinental Hotels Group data breach involved malware that had been downloaded onto its systems, which was capable of monitoring payment card systems and exfiltrating payment card data. It does not appear that any other information other than card details and cardholders’ names were stolen by the attackers.
The hotel group does not believe the data breach extended past December 29, 2016, although that cannot be entirely ruled out as it took until February/March for all of the affected hotels to be investigated and for confirmation to be received that the malware had been removed.
Prior to the malware being installed, IHG had started installing the OHG Secure Payment Solution (SPS), which provides point to point encryption to prevent incidents such as this from resulting in the theft of clients’ data. Had the process started sooner, the Intercontinental Hotel Group data breach could have been prevented.
Hotels that had implemented the SPS prior to September 29, 2016 were not affected and those that had implemented the solution between September 29, 2016 and December 29, 2016 stopped the malware from being able to locate and steal credit card data. In those cases, only clients that used their credit cards at affected hotels between September 29, 2016 and when the SPS system was installed were affected.
Intercontinental Hotels Group Data Breach One of Many Affecting the Hospitality Sector
The Intercontinental Hotels Group data breach stands out due to the extent to which the group was affected, with well over 1,100 hotels affected. However, this is far from the only hotel group to have been affected by POS malware. Previous incidents have also been reported by Hard Rock Hotels, Hilton Hotels, Omni Hotels & Resorts and Trump Hotels.
Hotels, in particular hotel chains, are big targets for cybercriminals due to the size of the prize. Many hotel guests choose to pay for their rooms and services on credit cards rather than in cash, and each hotel services many thousands – often tens of thousands – of guests each year.
Globally, IHG hotels service more than 150 million guests every year, which is a tremendous number of credit and debit cards. Such a widespread malware infection would be highly lucrative for the attackers. Credit card numbers may only sell for a couple of dollars a time, but with that number of guests, an attack such as this would be a huge pay day for the attackers.
The Hospitality Sector is a Big Target and Vulnerable to Cyberattacks
While many tactics are used to gain access to POS systems, oftentimes it is weak or default passwords that allow hackers to gain access to hotel computer systems. Stolen credentials are another common way that access is gained. The Verizon’s Data Breach Investigations Report (DBIR) for 2016 shows that in each of the reported breaches affecting the hospitality sector, access to systems was gained by the attackers in less than an hour.
Malware can also be inadvertently downloaded by employees and guests. Poor segregation of the POS system from other parts of the network is commonplace. That makes it easy for hackers to move laterally within the network once a foothold has been gained. Doubling up POS systems as workstations makes it too easy for hackers to gain access to POS systems.
Many hotels also fail to perform adequate risk assessments and do not conduct penetration tests or vulnerability scans. Even malware scans are performed infrequently. Some hotels also fail to implement appropriate security solutions to block access to malware-laden websites.
The Intercontinental Hotels Group data breach could have been prevented, and certainly discovered more quickly. The same is true for many hotel data breaches.
Unless hotels and hotel groups improve their cybersecurity posture and implement appropriate technology, policies and procedures to prevent cyberattacks, data breaches of this nature will continue to occur.
TitanHQ offers a range of products that can prevent hackers from gaining access to computers and POS systems. For further information on how you can protect your hotel or chain against cyberattacks, contact the TitanHQ team today.
Last week, the Bitglass Threats Below the Surface Report was released. The report highlights the extent to which organizations are being attacked by cybercriminals. Far from cyberattacks being a relatively rare occurrence, they are now as certain as death and taxes.
The report revealed that out of the 3,000 IT professionals surveyed for the report, 87% said they had experienced a cyberattack in the past 12 months. Many of those respondents had experienced numerous cyberattacks in the past year, with one company in three experiencing more than five cyberattacks in the last 12 months. To put that figure in perspective and show how the probability of being attacked has increased, two years ago, only half of companies were experiencing cyberattacks on that scale.
IT professionals rated mobile devices as one of the biggest problem areas. When asked to rate security posture, more respondents rated mobile as somewhat or highly vulnerable than any other system. While attacks can come from all angles, the report revealed that many companies are not actively monitoring their systems and devices for potential vulnerabilities. Only 24% monitored SaaS and IaaS apps for vulnerabilities, 36% monitored mobile devices and 60% monitored the network perimeter and laptops/desktops.
In response to the increased number of threats and the frequency of cyberattacks, companies have been forced to increase spending on cybersecurity defenses. The Bitglass Threats Below the Surface Report shows biggest spenders are the retail and technology sectors, with 39% of retail organizations and 36% of technology companies saying they are now spending a large proportion of their budgets on cybersecurity. 52% of respondents said their organization is planning on increasing cybersecurity spending.
Respondents were asked to rate their biggest concerns for the report to get a gauge of the biggest perceived threats. The biggest concern for 37% of respondents is phishing. Phishing attacks are becoming more sophisticated and harder for non-security professionals to identify. A range of social engineering techniques are used to fool end users into opening infected email attachments or clicking on malicious links and revealing their sensitive information. While effective at preventing many phishing attacks, training alone is no longer sufficient. Technological controls are now essential.
Malware is also a major concern along with insider threats, rated as a top concern by 32% and 33% of respondents, with email one of the main methods of malware delivery. Ransomware was also a major concern, although while ransomware attacks can result in significant costs and system downtime, fortunately, many companies have improved their ransomware defenses and have been able to recover without paying a ransom by restoring files from backups.
54% of companies said they had experienced a ransomware attack and were able to recover their data from backups without having to pay a ransom. That said, 33% of companies had no alternative but to pay a ransom to recover locked data, while 13% of companies said they had refused to pay a ransom and had experienced data loss as a result.
A new variant of Stampedo ransomware – called Philadelphia ransomware – is being used in targeted attacks on the healthcare sector in the United States. The ransomware variant is being spread using spear phishing emails.
Spear phishing emails have been detected that incorporate the healthcare organization’s logo along with the name of a physician at the organization. The use of a logo and a name adds credibility to the email, increasing the likelihood of the targeted individual clicking the link and downloading the malicious file. Information about organization’s and details of potential targets can easily be found on social media websites such as LinkedIn.
In recent months, cybercriminals have favored email attachments for spreading ransomware and malware, with Word documents containing malicious Word macros one of the most popular methods of ransomware and malware infection. The latest campaign, which was identified by Forcepoint, also uses malicious Word documents. However, rather than sending a malicious Word document as an attachment, the emails contain a link to a website where the Word document is automatically downloaded.
As with email attachments, the document must be opened and macros enabled in order for the ransomware to be downloaded.
Philadelphia Ransomware Attacks Likely to Increase
Philadelphia ransomware attacks are likely to increase thanks to a professional affiliate campaign. Would-be attackers are being recruited using a video that highlights the many features of the ransomware. The video calls Philadelphia ransomware “the most advanced and customizable ransomware ever,” and shows just how easy it is for someone with little technical skill to start their own ransomware campaign.
Would-be cybercriminals are able to rent out the ransomware and use it for their own spamming campaigns, provided they pay the author an initial fee of around $400. The one-off payment, so the authors claim, gives a user lifetime use of the ransomware. Affiliates will then be given a cut of any ransom payments they are able to generate.
Affiliate campaigns such as this – known as ransomware-as-a-service – are becoming increasingly popular. They allow non-technical spammers to jump on the ransomware bandwagon and start generating ransom payments. There is likely to be no shortage of takers.
Fortunately, the ransomware is not as advanced as the promotional video makes out. Furthermore, a decryptor for Philadelphia ransomware has been developed and can be downloaded for free via Softpedia. No ransom needs to be paid, although infection with Philadelphia ransomware can still result in considerable disruption. Healthcare organizations should therefore be on their guard.
The Recording Industry Association of America (RIAA) wants regulations to be introduced that will force Internet Service Providers to filter pirated content, rather relying on the current system of DCMA takedowns, which the RIAA believes to be ‘antiquated.’ The RIAA claims the current DCMA notice and takedown system is ‘extremely burdensome’ and ‘ineffective’ and that the system invites abuse.
The RIAA and 14 other organizations wrote to the U.S. Copyright Office last week explaining the inadequacies of current DCMA Safe Harbors and suggesting a number of potential solutions to the problem.
Currently, Internet Service Providers are required to take down copyright-infringing content after receiving a DMCA request. The request must be acted on expeditiously and ISPs are legally protected from copyright infringement lawsuits. The legislation has so far protected Internet Service Providers from legal action. Were it not for the legislation, an ISP could potentially be sued every time one of its users uploaded content that violated copyright.
One of the main problems is while the current system protects innocent Internet service providers who have passively, or unwittingly, allowed their services to be used for copyright infringing activities, some entertainment services are protected, even though their businesses are based entirely on copyright infringement, such as the streaming of sports, entertainment and movies.
A number of suggestions have been made such as amending Digital Millennium Copyright Act to include a timeframe for processing DCMA takedowns as well as requiring Internet Service Providers to filter pirated content and use automated systems that identify pirated content and prevent it from being uploaded once the content has been flagged.
The RIAA suggests that when a DCMA request is received requiring specific content to be removed, that content should then be flagged. A system should be put in place that blocks that content from being uploaded in the future on a different webpage or website. Currently, a takedown of content just means the individual or organization can simply upload the content again on another webpage or domain and the process must start over again. The RIAA says the current system is like an endless game of Whac-A-Mole.
The proposals have been criticized as any automated process is likely to result in the removal of web content that is protected under fair use laws and that automated systems could result in the overblocking of website content.
This argument has been countered by the RIAA saying the risk has been exaggerated and that argument is often used by ISPs to avoid implementing content identification technologies. The RIAA argues that current technologies are sufficiently granular to allow them to be calibrated to filter pirated content and protect fair uses.
The increase in cyberattacks on law firms has prompted the American Bar Association (ABA) to start offering cyber liability insurance for law firms, in addition to its standard insurance policies.
Cyber liability insurance for law firms is becoming as important as travel, medical and dental insurance. Cybercriminals are now targeting law firms with increasing frequency and vigor due to the treasure trove of data they store on clients.
The data can be used for fraud, although the highly sensitive nature of information disclosed to attorneys makes blackmail and extortion an attractive and potentially lucrative option. However, access to sensitive data gives cybercriminals the option of insider trading. Only last year, indictments against three Chinese nationals were unsealed by the Manhattan U.S. attorney’s office showing that more than $4 million in illegal stock trades were performed following the theft of attorney’s emails. The hackers had gained access to email accounts at three Chicago law firms involved in major mergers and acquisitions.
Cybercriminals’ use of stolen data aside, cyberattacks can prove incredibly costly. Following a cyberattack, costs of mitigation can spiral. Law firms must cover the cost of forensic investigations to determine the nature and extent of an attack, and which clients and systems have been impacted. Analyses must identify malware infections and backdoors that may have been installed allowing persistent access to networks and data.
If client data are accessed, law firms must cover the cost of legal defenses and liability protection. Lawsuits will undoubtedly follow any cyberattack. Any breach of sensitive data will almost certainly have an impact on law firms’ reputations, resulting in considerable loss of revenue. Then there are the improvements to cybersecurity defenses to prevent further attacks, the cost of which can be substantial.
For large law firms, cyberattacks can make a significant dent in profits. For small law firms, a cyberattack could prove catastrophic. Given the high costs involved, it is no surprise that cyber liability insurance for law firms is now deemed a necessity.
For the past few years, the ABA has been improving awareness of the cybersecurity risks that must be mitigated by law firms. Awareness has improved as a result and many law firms have invested heavily in technologies to protect against cyberattacks. In 2013, the ABA also petitioned the government to introduce new laws specifically to protect law firms from cyberattacks and the threat of cyber-espionage. Cyber liability insurance for law firms was a natural step for the ABA.
The ABA has developed its new program during the past year to provide affordable coverage from some of the nation’s top insurance carriers. The ABA’s cyber liability insurance for law firms is underwritten by Chubb Limited – The largest publicly traded property and casualty insurer.
The final New York Department of Financial Services cybersecurity rules have now been issued. Covered entities – banks, Insurance companies, and financial service firms operating in the state of New York must now comply with new rules. The financial services cybersecurity rules are the first to be introduced at the state level in the U.S.
The purpose of the cybersecurity rules is to make it harder for cybercriminals to gain access to confidential consumer data. The new rules require companies to adopt a host of cybersecurity measures to keep consumer data confidential and secure.
The financial services cybersecurity rules were first announced last fall. Following the announcement and publication of the draft cybersecurity rules on September 13, 2016, there followed a 45-day comment period. A revised version of the DFS cybersecurity rules was published in late December, which was followed by a further 30-day comment period. The comments received have been considered and now final changes to the cybersecurity rules have been made.
The final financial services cybersecurity rules are effective as of March 1, 2017. Covered entities have up to 6 months to ensure compliance, after which non-compliance could result in a significant financial penalty and other sanctions.
New York state governor Andrew Cuomo announced the release of the final financial services cybersecurity rules saying “New York is the financial capital of the world and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks.”
The new rules should not pose too many problems for the majority of firms in the financial sector, provided that they have already adopted best practices issued by the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC). However, where the new cybersecurity rules differ is their specificity. The FINRA and SEC guidelines do not specify the measures that must be adopted, whereas the DFS cybersecurity rules are much more specific about the measures that must be adopted to keep data secure.
The final version of the financial services cybersecurity rules has seen an easing of document retention requirements. In previous versions of the rules, covered entities were required to keep all categories of records for a period of five years. In the final version of the rules, the 5-year retention period only applies to records that are necessary to reconstruct financial transactions to support the normal operations of the company. Records of cybersecurity events that could materially harm the company need only to be kept for three years.
The new rules require the DFS to be notified of a cybersecurity event within 72 hours of it occurring, if the event has a reasonable likelihood of materially harming any part of the normal operations of the covered entity or if the entity has a pre-existing duty to notify another government or regulatory agency.
While the financial services cybersecurity rules are strict, there are many exemptions. Several security experts have suggested the new rules do not go far enough for this very reason.
Many of the exemptions apply to smaller companies. For instance, in order for a company to be a covered entity, the annual turnover must be more than 5 million dollars. Smaller firms employing fewer than 10 individuals are similarly exempt. That effectively means a company with 9 employees does not need to implement as stringent data security measures as a company that employs 10 individuals; however, a line must be drawn somewhere.
There are also exemptions for firms that do not possess or control non-public information. There are further exemptions for charitable organizations and insurance companies that operate in the state of New York, but are not chartered in New York state, and for reinsurers that accept credits or assets from an assuming insurer not authorized in the state. However, further updates of the rules may see some of the exemptions removed.
The Cybersecurity Requirements for Financial Services Companies can be viewed on this link.
In all likelihood, 2016 will be forever remembered as The Year of Ransomware, in the same way that 2014 was the year of the healthcare data breach.
2016 Will be Remembered as The Year of Ransomware
Ransomware first appeared in the late 1980’s, although at the time, cybercriminals did not fully embrace it. Instead, they favored viruses, worms, and other forms of malware. That’s not to say that ransomware was not used, only that there were more lucrative ways for cybercriminals to make money.
That all started to change in 2015, when the popularity of cryptomalware was fully realized. By 2016, many actors had got in on the act and the number of ransomware variants started to soar, as did attacks on healthcare providers, educational institutions, government departments, businesses, and even law enforcement agencies. In 2016, it appeared that no one was immune to attack. Many organizations were simply not prepared to deal with the threat.
Early in the year it became clear that healthcare organizations were starting to be targeted for the first time. In February, one of the most notable ransomware attacks of the year occurred. Hollywood Presbyterian Medical Center in Hollywood, CA., was attacked and its computers were taken out of action for well over a week while the medical center grappled with the infection. The decision was taken to pay the ransom demand of $17,000 to obtain the key to decrypt its data.
Not long afterwards, MedStar Health suffered a massive infection involving many of the computers used by the hospital system. In that case, the $19,000 ransom was not paid. Instead, encrypted data were recovered from backups, although the disruption caused was considerable. 10 hospitals and more than 250 outpatient centers had their computers shut down as a result of the infection and many operations and appointments had to be cancelled.
In the first quarter of 2016 alone, the FBI reported that more than $206 million in ransom payments had been made by companies and organizations in the United States. To put that figure in perspective, just $24 million had been paid in the whole of 2015 – That represents a 771% increase in ransom payments and only three months had passed. The year of ransomware had barely even begun!
Biggest Ransomware Threats in 2016
TeslaCrypt was one of the biggest ransomware threats at the start of the year, although the emergence of Locky ransomware in February saw it become an even bigger threat. It soon became the ransomware variant of choice. Locky was used in attacks in 114 countries around the world last year, and cybercriminals continue to tweak it and release new variants. Locky has yet to be cracked by security researchers. Then came Cerber, CryptXXX, Petya (which was defeated in April), and Dogspectus for smartphones, to name just a few.
By the summer, The Guardian newspaper reported that 40% of UK businesses had been attacked with ransomware, although the majority of ransomware attacks were concentrated in the United States. By the autumn, more than 200 ransomware families had been discovered, each containing many variants.
Reports of attacks continued to flood in over the course of the year, with ransomware arguably the biggest cybersecurity threat seen in recent years.
2016 was certainly The Year of Ransomware, but 2017 doesn’t look like it will get any easier for security professionals. In fact, 2017 is likely to be even worse. Some experts have predicted that ransomware revenues will reach $5 billion in 2017.
You can find out more interesting – and horrifying – ransomware statistics by clicking the image below to view the TitanHQ ransomware infographic. The ransomware infographic also includes information on the protections that should be put in place to prevent ransomware attacks and the encryption of sensitive data.
The email archiving cost can be avoided, but fail to use an email archiving service at your peril. Huge fines await organizations that cannot recover emails promptly.
U.S. businesses are required are required to keep emails for several years. The IRS requires all companies to keep emails for 7 years, the FOIA requires emails to be kept for 3 years, and 7 years again for Healthcare organizations (HIPAA), public companies (Sarbanes Oxley), banking and finance (Gramm-Leach-Bliley Act) and securities firms (SEC).
While large firms are able to absorb the cost of email archiving, many SMBs look at the email archiving cost and try to save money by opting for backups instead. While it is possible to save on the email archiving cost by using backups, the decision not to use an email archiving service could prove to be very costly indeed.
Email backups can serve the same purpose as email archiving in the sense that both can be used to keep old emails. However, while an email backup can help a business protect against data loss, if ever there is a need to recovery backed up emails, companies often encounter problems.
Email backups are fine for recovering entire email accounts (mostly). In the event of a malware or ransomware attack, email backups can be used to recover entire email accounts. However, what happens if only certain emails need to be found – for eDiscovery purposes in the event of a lawsuit for example?
An eDiscovery order may be received that requires all email correspondence sent to a particular client or customer to be retrieved. Such a request may require emails from 100s of employees to be located. Those emails may date back several years. Finding all emails would be an incredibly time consuming process, and it may not actually be possible to recover all correspondence. Backup files cannot easily be searched. They are just data repositories, not a well-managed archive.
An email archive on the other hand is different. Not only can individual emails be easily recovered, the entire archive can be quickly and easily searched. If an eDiscovery request is received, all requested emails can be quickly and easily recovered. The process is likely to take minutes. The recovery of files from a backup could take weeks or even months, assuming that the task is even possible.
Email backups fail surprisingly often. The recent spate of ransomware attacks has highlighted a number of examples of data backups that have been corrupted, leaving organizations little option but to pay the attackers for a key to decrypt locked data. In the case of a ransomware infection, the ransom payment may be hundreds, thousands or even tens of thousands of dollars. However, the failure to produce email correspondence for eDiscovery or a compliance audit can be even higher.
Non-compliance with the Sarbanes-Oxley Act and other industry legislation can see fines of several million dollars issued. Only last year, Scottrade was issued with a fine of $2.6 million by the Financial Industry Regulatory Authority (FINRA). Scottrade had kept records of its emails, but not a complete record. More than 168 million emails had not been retained that should have been present in an archive. As Brad Bennett, Executive Vice President and Chief of Enforcement at FINRA explained when announcing the fine, “Firms must maintain sound supervisory systems and procedures to ensure the integrity, accuracy, and accessibility of electronic books and records.” That includes email correspondence.
The cost of email archiving is not only low compared to the cost of a regulatory fine, email arching is actually inexpensive, especially when using a cloud-based email archiving solution such as ArcTitan. Being cloud-based, emails are securely stored without the need for any additional hardware. Business can rest assured that no email will ever be lost.
In the event of an eDiscovery order, any email can be retrieved almost instantly, regardless of when the email was archived. No specific software is required as emails can be archived from Office 365 and archived messages can be accessed easily using an Outlook plug-in or even directly from the browser. Furthermore, the load on an organization’s email server can be greatly reduced. Reductions of 80% have been seen by a number of TitanHQ’s clients.
To find out more about the full benefits of email archiving and the features of ArcTitan, give the TitanHQ sales team a call today. We think you will be pleasantly surprised at how low the email archiving cost can be.
If your organization was hit with a malware or ransomware infection last year, the 2016 malware report from Malwarebytes may serve as an unpleasant reminder of 12 months best forgotten. Malware infections rose in 2016 and ransomware infections soared. In the case of the latter, there was an explosion in new variants. Malwarebytes charted a 267% increase in ransomware variants between January 2016 and November 2016. In quarter four alone more than 400 active ransomware variants were cataloged.
The 2016 malware report shows how ransomware has become the revenue-generator of choice for many cybercriminals. It is easy to understand why. Infecting computers is a relatively easy process, ransom payments are made within a matter of days, much of the process is entirely automated, and ransomware-as-a-service means no skill is even required to jump on the bandwagon and send out campaigns.
The 2016 malware report indicates ransomware accounted for 18% of malicious payloads from spam email and ransomware is the payload of choice for exploit kits, accounting for 66% of malicious downloads.
Locky was a major threat for most of the year, but in December there was a massive spike in Cerber ransomware variants, which are now the most populous ransomware family.
The cybersecurity’s company’s 2016 malware report confirms what many security professionals already know all too well. 2016 was a particularly bad year for everyone but the cybercriminals. Unfortunately, the outlook for 2017 does not look any better. In fact, it looks like it will be even worse.
Predictions have been made that will send shivers down many a system administrator’s spine. Ransomware is set to become even more aggressive. Critical infrastructures are likely to be targeted. Healthcare ransomware attacks will increase potentially placing patients’ lives at risk. Educational institutions will be targeted. No organization will be immune to attack.
Fortunately, new ransomware families will be limited in 2017. But that is only because Locky and Cerber are so effective and can easily be tweaked to avoid detection.
Then there are the botnets. The increase in use of IoT devices would not be a problem, were it not for a lack of security. Many insecure devices are coming to market which can all too easily be added to botnets. As we saw in the tail end of the year, these botnets – such as Mirai – are capable of conducting devastating DDoS attacks. Those attacks are only likely to increase in scale and frequency. As Malwarebytes correctly points out, unless manufacturers of IoT devices are better regulated and are forced to improve their security, vast sections of the Internet will come under threat.
So, it looks like all bad news for 2017. All organizations can do is purchase the technology to deal with the threats, plug security holes promptly, train staff to be aware of the threats, and shore up their defenses. The next 12 months could be a rocky ride.
Cybersecurity spending in 2016 was increased by 59% of businesses according to PwC. Cybersecurity is now increasingly being viewed as essential for business growth, not just an IT cost.
As more companies digitize their data and take advantage of the many benefits of the cloud, the threat of cyberattacks becomes more severe. The past 12 months have already seen a major increase in successful cyberattacks and organizations around the world have responded by increasing their cybersecurity spending.
The increased threat of phishing attacks, ransomware and malware infections, data theft and sabotage has been a wake up call for many organizations; unfortunately, it is often only when an attack takes place that that wake up call occurs. However, forward-thinking companies are not waiting for attacks, and are increasing spending on cybersecurity and are already reaping the benefits. They experience fewer attacks, client and customer confidence increases, and they gain a significant competitive advantage.
The annual Global State of Information Security Report from Pricewaterhouse Coopers (PwC) shows that companies are realizing the benefits of improving cybersecurity defenses. More than 10,000 individuals from 133 companies took part in the survey that provided data for the report. 59% of respondents said that their company increased cybersecurity spending in 2016. Technical solutions are being implemented, although investment in people has also increased.
Cybercriminals are bypassing complex, multi-layered cybersecurity defences by targeting employees. Organizations have responded by increasing privacy training. 56% of respondents say all employees are now provided with privacy training, and with good reason.
According to the report, 43% of companies have reported phishing attacks in the past 12 months, with this cybersecurity vector the most commonly cited method of attack. The seriousness of the threat was highlighted by anti-phishing training company PhishMe. The company’s Enterprise Phishing Susceptibility and Resiliency Report showed 90% of cyberattacks start with a spear phishing email. Given how effective training can be at reducing the risk from phishing, increasing spending on staff training is money well spent.
The same is true for technical cybersecurity solutions that reduce phishing risk. Two of the most important solutions are antispam and web filtering solutions, with each tackling the problem from a different angle. Antispam solutions are employed to prevent phishing emails from reaching employees’ inboxes, while web filtering solutions are being used to block access to phishing websites. Along with training, companies can effectively neutralize the threat.
Many companies lack the staff and resources to develop their own cybersecurity solutions; however, the range of managed security services now available is helping them to ensure that their networks, data, and systems are adequately protected. According to the PwC report, 62% of companies are now using managed security services to meet their cybersecurity and privacy needs. By using partners to assist with the challenge of securing their systems, organizations are able to use limited resources to better effect and concentrate those resources on other areas critical to business processes.
There has been a change to how organizations are view cybersecurity over the past few years. Rather than seeing cybersecurity as simply a cost that must be absorbed, it is now increasingly viewed important for business growth. According to PwC US and Global Leader of Cybersecurity and Privacy David Burg, “To remain competitive, organizations today must make a budgetary commitment to the integration of cybersecurity with digitization from the outset.” Burg also points out, “The fusion of advanced technologies with cloud architectures can empower organizations to quickly identify and respond to threats, better understand customers and the business ecosystem, and ultimately reduce costs.”
The Federal Trade Commission (FTC) is conducting a study to investigate the security update practices of mobile device manufacturers. The study is being conducted amid concern that mobile device manufacturers are not doing enough to ensure owners of mobile devices are protected from security threats.
Security Update Practices of Mobile Device Manufacturers Leave Mobile Users Exposed to Attack
A number of new and highly serious threats have emerged in recent years which allow attackers to remotely execute malicious code on mobile devices if users visit a compromised website. One of the most serious threats comes from the Stagefright vulnerability discovered last year.
The Stagefright vulnerability could potentially be exploited to allow attackers to gain control of Android smartphones. It has been estimated that as many as one billion devices are prone to attack via this vulnerability. Google released an Android update to fix the vulnerability, yet many mobile phone users were unable to update their devices as the manufacturer of their device, or the mobile carrier they used, did not allow the updates to be installed. Because of this, many smartphone owners are still vulnerable to attack.
Even when device manufacturers do update their devices there are often long delays between the issuing of the fix and the rolling out of updates. When a rollout is executed, it can take a week or more before all device owners receive their updates. During that time users are left vulnerable to attack.
The FTC wants to find out more about the delays and the rationale behind the slow rolling out of updates.
FTC and FCC Join Forces and Demand Answers from Carriers and Device Manufacturers
The FTC has joined forces with the Federal Communications Commission (FCC) for the study and has ordered smartphone manufacturers and developers of mobile device operating systems to explain how security updates are issued, the reasoning behind the decision to delay the issuing of security updates, and for some device manufacturers, why security updates are not being issued.
While the study is primarily being conducted on manufacturers of devices running the Android platform, although Apple has also been ordered to take part in the study, even though its devices are the most secure. Apple’s security update practices are likely to serve as a benchmark against which other manufacturers will be judged. Manufacturers that use the Android platform that will take part in the study include Blackberry, HTC, LG, Motorola and Samsung. Google and Microsoft will also take part.
The FTC is asking operating system developers and mobile manufacturers to disclose the factors that are considered when deciding whether to issue updates to correct known vulnerabilities. They have been asked to provide detailed information on the devices they have sold since August 2013, if security vulnerabilities have been discovered that affect those devices, and if and when those vulnerabilities have been – or will be – patched.
The FCC has asked questions of mobile phone carriers including the length of time that devices will be supported, the timing and frequency of updates, the process used when developing security updates, and whether device owners were notified when the decision was taken not to issue a security update for a specific device model.
Whether the study will result in better security update practices of mobile device manufacturers remains to be seen, although the results of the study, if published in full, will certainly make for interesting reading.
A new study has confirmed that the healthcare industry faces the highest risk of cyberattacks. Healthcare providers and health plans are being targeted by cybercriminals due to the value of patient data on the black market. A full set of medical records, along with personally identifiable information and Social Security numbers, sells for big bucks on darknet marketplaces. Health data is far more valuable then credit cards for instance.
Furthermore, organizations in the healthcare industry store vast quantities of data and cybersecurity protections are still less robust than in other industry verticals.
The survey was conducted by 451 Research on behalf of Vormetric. Respondents were asked about the defenses they had put in place to keep sensitive data secure, how they rated their defenses, and how they planned to improve protections and reduce the risk of cyberattacks occurring.
78% of respondents rated their network defenses as very or extremely effective, with network defenses having been prioritized by the majority of healthcare organizations. 72% rated data-at-rest defenses as extremely or very effective. While this figure seems high, confidence in data-at-rest defenses ranked second from bottom. Only government industries ranked lower, with 68% of respondents from government agencies rating their data-at-rest defenses as very or extremely effective.
Even though many IT security professionals in the healthcare industry believe their network and data-at-rest defenses to be robust, 63% of healthcare organizations reported having experienced a data breach in the past.
The Risk of Cyberattacks Cannot Be Effectively Managed Simply by Becoming HIPAA-Compliant
Many organizations have been prioritizing compliance with industry regulations rather than bolstering defenses to prevent data breaches. Many healthcare organizations see compliance with the Health Insurance Portability and Accountability Act (HIPAA) as being an effective way of ensuring data are protected.
HIPAA requires all covered-entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities – to implement administrative, technical, and physical safeguards to keep confidential patient data secure. By achieving “HIPAA-compliance” covered entities will improve their security posture and reduce the risk of cyberattacks, but compliance alone will not ensure that data are protected.
One only needs to look at the Department of Health and Human Services’ Office for Civil Rights breach portal to see that healthcare data breaches are commonplace. Many of the organizations listed in the breach portal have implemented defenses to protect data and are HIPAA-compliant. Compliance has not prevented data breaches from occurring.
The 451 Research survey asked respondents their views on compliance. 68% said it was very or extremely effective at ensuring data were secured. The reality is HIPAA only requires healthcare organizations to implement safeguards to achieve a minimum level of data security. In order to prevent data breaches and effectively manage the risk of cyberattacks, organizations need to invest more heavily in data security.
HIPAA does not, for example, require organizations to protect data-at-rest with encryption. If the network perimeter is breached, there is often little to prevent data from being stolen. Healthcare organizations are focusing on improving network protection but should not forget to protect data-at-rest with encryption. 49% said network security was still the main spending priority over the next 12 months, which was the highest rated security category for investment.
Healthcare organizations did appreciate that investment in technologies to protect data-at-rest was important, with 46% of respondents saying spending would be increased over the next 12 months on technologies such as disk and file encryption to help manage the risk of cyberattacks.
This week has seen the release of new U.S. data breach statistics by the Identity Theft Resource Center (ITRC). The new report reveals the extent to which organizations have been attacked over the past decade, breaking down data breaches by industry sector.
ITRC has been collecting and collating information on U.S. data breaches since 2005. Since records of security breaches first started to be kept, ITRC figures show a 397% increase in data exposure incidents. This year has seen the total number of data breach incidents surpass 6,000, with 851 million individual records now having been exposed since 2015.
U.S. Data Breach Statistics by Industry Sector
The financial sector may have been extensively targeted by cybercriminals seeking access to financial information, but between 2005 and March 2016 the industry only accounts for 7.9% of data breaches. The heavily regulated industry has implemented a range of sophisticated cybersecurity protections to prevent breaches of confidential information which has helped to keep data secure. The business and healthcare sectors were not so well protected and account for the majority of data breaches over the past decade.
Over the course of the past decade financial sector ranked lowest for breaches of Social Security numbers. The largest data security incident exposed 13.5 million records. That data breach occurred when data was on the move.
At the other end of the scale is the business sector, which includes the hospitality industry, retail, transport, trade, and other professional entities. This sector had the highest number of data breaches accounting for 35.6% of all data breaches reported in the United States. Those breaches exposed 399.4 million records.
ITRC’s U.S. data breach statistics show that the business sector was the most frequently targeted by hackers over the course of the past decade, accounting for 809 hacking incidents. Hackers were able to steal 360.1 million records and the industry accounted for 13.6% of breaches that exposed credit and debit card numbers. The huge data breaches suffered by Home Depot and Target involved the exposure of a large percentage of credit and debit card numbers.
Healthcare Sector Data Breaches Behind the Massive Rise in Tax Fraud
The business sector was closely followed by the healthcare industry, which has been extensively targeted in recent years. ITRC reports that the industry accounted for 16.6% of data breaches that exposed Social Security numbers. Since 2005, over 176.5 million healthcare records have been exposed and over 131 million records were exposed as a result of hacking since 2007. That includes the 78.8 million records exposed in the Anthem Inc., data breach discovered early last year.
While hacking has exposed the most records, employee negligence and error were responsible for 371 data breaches in the healthcare industry. Healthcare industry data breaches are believed to have been responsible for the massive increase in tax fraud experienced this year. Tax fraud surged by 400 percent in 2016.
Government organizations and military data breaches make up 14.4% of U.S data breaches over the past decade, with the education sector experiencing a similar number, accounting for 14.1% of breaches. Over 57.4 million Social Security numbers were exposed in government/military data breaches along with more than 389,000 credit and debit card numbers.
The education sector experienced the lowest number of insider data breaches of all industry sectors (0.7%) although 2.4 million records were exposed via email and the Internet.
Cybersecurity Protections Need to Be Improved
The latest U.S. data breach statistics show that all industry sectors are at risk of cyberattack, and all must improve cybersecurity protections to keep data secure. According to Adam Levin, chairman and founder of IDT911, “Companies need to create a culture of privacy and security from the mailroom to the boardroom. That means making the necessary investment in hardware, software and training. Raising employee cyber hygiene awareness is as essential as the air we breathe.”