The industry news items that appear in this section cover a broad spectrum of events within the cybersecurity industry. Everything from the motivation behind cyberattacks to the latest data breach figures are discussed – along with the developments in the industry to help protect organizations against the threats of web-borne attacks and those launched through email campaigns.
The latest cybersecurity industry news should be essential reading for IT professionals – especially those within the healthcare and financial industries which have long been popular targets for hackers and other cybercriminals. By addressing some of the security flaws highlighted in our news items, it may be possible to prevent your own organization from suffering a similar attack.
Customers are increasingly choosing to visit retailers based on whether free Internet access is available in store. Providing WiFi access doesn’t just attract more customers. It provides retailers with an opportunity to communicate new sales initiatives to customers and allows valuable information to be gathered on what customers do inside stores. Monitoring the websites accessed by customers also allows retailers to gain a valuable insight into customer behavior.
Retailers are increasingly offering free WiFi in-store to attract more customers, but providing access to the Internet in-store carries risks. If customers have free, unfettered access to the Internet they would be able to access inappropriate content, accidentally download malware or use the connection for illegal file downloads.
Retailers can gain huge benefits from offering customers free WiFi access, but without security solutions to mitigate the risk, the offer of free WiFi can backfire. A web content filter for public hotspots is now essential.
Selfridges understands the benefits of providing free WiFi access to customers, but also the risks. If WiFi was to be provided in-store, it would need to be secure to prevent customers from installing malware or accessing phishing websites.
Selfridges also needed protection from legal liability. Steps therefore needed to be taken to prevent customers from accessing inappropriate website content in store and to stop minors from accessing adult content.
Selfridges prides itself on providing high quality products and customer service, so it was important to ensure that its WiFi service reflected the store's values. Alisdair Morison, IT manager at Selfridges, said “We had to ensure that guests could not access malicious sites or view inappropriate content while in the store.”
In the case of inappropriate website content, the risks are considerable. Morison said, “We knew that if a guest accessed porn on the WiFi connection and a child or other person could inadvertently view that screen, we would be legally liable.” The same applies to illegal file downloads via its WiFi network.
Choosing a solution posed a number of challenges. Selfridges has a small, but busy IT department so a web filtering solution needed to have a small administrative burden. Technical staff are not present in each store so it was important that the solution could be managed remotely for all four locations without the need for any site visits.
Selfridges contacted TitanHQ and chose WebTitan Cloud for WiFi. “We looked at a bunch of solutions. I was really taken aback by the price point, features and functionality we were going to get with WebTitan WiFi,” said Morison. “Other solutions didn’t have all the features and functionalities we wanted; they could do some of what we now do with WebTitan WiFi, but at a higher cost.”
The solution was set up in less than half a day and the IT team can manage the solution remotely and monitor WiFi connections. All four locations are managed through a central administration management console. All that was required to get started was to add the company’s external IP address to the GUI, update DNS forwarders and set the filtering controls.
Selfridges now blocks pornography, illegal activities such as file sharing and activities that are ethically or legally questionable. The WiFi network is child-friendly, so parents need not worry about the content that their children can access in-store. The WiFi network can be used safely and securely by all its 200 million annual visitors, with both Selfridges and its customers gaining benefits from in-store WiFi.
If you want to carefully control the activities of individuals when connected to your WiFi network and make your WiFi service family-friendly, get in touch with TitanHQ today.
Key Benefits of WebTitan Cloud for WiFi:
Filter the Internet across multiple WiFi hotspots
Manage access points through a single web-based administration panel
Delegate management of access points
Filter by website, website category, keyword term, or keyword score
Block material contained in the child abuse image content URL list (CAIC List)
Upload blacklists and create whitelists
Reduce the risk of phishing attacks
Block malware and ransomware downloads
Inspect encrypted websites with SSL certificates
Schedule and run reports on demand
Gain a real-time view of internet activity
Gain insights into bandwidth use and restrict activities to conserve bandwidth
Integrate the solution into existing systems through a suite of APIs
Apply time-based filtering controls
World class customer service
Highly competitive pricing and a fully transparent pricing policy
TitanHQ has announced a new partnership agreement with the intelligent spaces firm Purple. TitanHQ will be securing the firm’s WiFi networks and providing content filtering with WebTitan Cloud for WiFi.
Purple is a leader in its field, with over 20 million users spread across 125 countries around the globe. Its solution helps businesses monitor their physical spaces and promote their brand, in addition to gaining valuable insights into customer behavior at their venues. Purple’s clients include the City of New York, Legoland, Jaguar, Pizza Express, Outback Steakhouse, the Indiana Pacers, Merlin Entertainments Group and British Land to name but a few.
Purple will be adding WebTitan to its WiFi and Analytics package to improve security for its customers. Current and new customers will benefit from a more secure WiFi package and will be protected from a wide range of web-based threats.
WebTitan is a market-leading web content filtering solution that currently blocks more than 60,000 malware variants each day, protecting end users when they venture online. WebTitan can be used to control the content that can be accessed via WiFi networks around the globe from a single administration console. Companies can protect thousands – or tens of thousands – of WiFi access points simultaneously with WebTitan without any latency. The solution is easy to set up and configure, requires no additional hardware and has an extremely low management overhead.
Protection from exploit kits, phishing websites, and malware and ransomware downloads is more important now than ever. Cybercriminals have increased their efforts, and malware, phishing and ransomware attacks are becoming increasingly common.
In the case of ransomware, payment of the ransom demand may not allow data to be recovered as has clearly been demonstrated by the NotPetya attacks. Many companies that were attacked with NotPetya are still experiencing major problems and disruptions to services, with several firms forced to replace entire networks following installation of the malware.
Cyberattacks such as WannaCry and NotPetya are likely to become the new norm, with companies needing to do more to protect their networks – and their customers – from attack.
With WebTitan, malware and ransomware protection is only part of the story. WebTitan is a powerful content filter that prevents inappropriate content from being accessed by WiFi users – something that is becoming increasingly important in the retail and hospitality industries. With Purple’s retail and hospitality sector clients growing fast, this additional protection was essential.
For Purple, it soon became clear that the partnership with TitanHQ was the perfect choice, as James Wood, Head of Integration at Purple explained, “We approached TitanHQ with a number of specific requirements that were unique to Purple. From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”
WebTitan was also ideal for Purple customers. Wood said, “We take guest Wi-Fi security seriously so it was important that our customers were protected in the right way. Along with superior protection, WebTitan also allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”
Installing the new web filtering system and replacing the incumbent system was completed in the quickest possible time frame, with tens of thousands of users migrated to the new system in a matter of days. Wood said, “With demanding timescales involved for the migration, we invested heavily in WebTitan and they have not failed to deliver.”
The Kaseya Connect Europe User Conference will be taking place on October 3, 2017 in Amsterdam, Netherlands with the company recently having announced its line-up of speakers and exhibiting partners for the event.
The Kaseya Connect Europe User Conferences are hugely popular. The events provide an excellent networking and learning opportunity, with attendees able to see technical presentations with hands-on demonstrations to improve their use of Kaseya solutions and find out more about the latest product releases.
Attendees benefit from expert advice, gain strategic insights and receive practical knowledge from industry experts and thought leaders. They also have the opportunity to take part in product training and other instructional sessions to help them get the most out of their business, optimize their technical operations and boost revenues.
The upcoming Kaseya Connect Europe User Conference will include a business track to help MSPs monetize their business, increase their service stack and boost revenues.
Sue Gilkes, faculty member of CompTIA and founder and managing director of Your Impact Ltd, will be providing her insights into how MSPs can grow their business and improve revenues, while Transmentum’s Adam Harris – author of “Check-In Strategy Journal” – will be delivering a keynote speech, “7 Sales Strategies to Take Away and Implement Immediately”, a must-attend session for all MSPs.
Next year, the General Data Protection Regulation (GDPR) will come into effect in May. MSPs need to start preparing to ensure the deadline for compliance is met. With the deadline just a few months away, a session will be focused on helping MSPs prepare.
TitanHQ is pleased to announce it is an Emerald Sponsor for the event and will be demonstrating its WebTitan and SpamTitan solutions for MSPs.
WebTitan is an innovative web filtering solution ideal for MSPs. The solution can easily be added to MSPs service stacks allowing them to improve the cybersecurity defenses of their clients. WebTitan is a DNS-based web filtering solution that blocks a wide range of online threats and allows users to carefully control the web content that can be accessed via their wired and wireless networks.
SpamTitan is a leading spam filtering solution that blocks more than 99.9% of spam and malicious emails to keep end users protected from phishing attacks, malware and ransomware infections.
Both solutions are provided as white labels with a range of hosting options, including hosting within an MSP’s own environment.
Following the massive global ransomware attacks of recent months, businesses are demanding additional protections, with both solutions offering MSPs a golden opportunity to generate regular additional monthly revenue with minimal management time.
“It’s exciting to bring together hundreds of our European customers and partners for this conference, and provide them with convenient access to educational sessions, networking opportunities and insightful discussions from industry leaders,” said Sabine Link, vice president, customer success for Kaseya. “Through this event, we can deliver a unique experience for our European users that will empower them with the knowledge they need to achieve the results they desire.”
The event is free of charge for MSP executives, regardless of whether they are already Kaseya users. However, registration is required in advance of the event. If you are interested in attending the Kaseya Connect Europe User Conference in October, you can register for the conference here.
2017 US data breaches have reached a record high, jumping an incredible 29% year over year. The mid-year data breach report from the Identity Theft Resource Center (ITRC) and CyberScout shows there were 791 reported data breaches between January 1 and June 30, 2017.
If 2017 US data breaches continue at the current pace, and there are no indications to suggest they will not, this year is set to be another record breaker. Last year smashed previous records with 1,093 data breaches reported for the year. This year looks on track to see the total reach – or exceed – 1,500 breaches. That would represent a 37% increase year over year.
The biggest cause of 2017 US data breaches is hacking, according to the report. Hacking includes phishing attacks, malware infections and ransomware attacks, the latter seeing a massive increase in the past 12 months. In the first six months of 2017, 63% of incidents were attributed to hacking – a 5% increase year over year. 47.7% of those breaches involved phishing to some degree. ITRC says 18.5% of 2017 US data breaches involved malware or ransomware.
Employee error and negligence, which includes improper disposal of sensitive data, continue to cause many breaches, with those causes accounting for 9% of the total. Accidental exposure of sensitive data on the Internet was the cause of 7% of data breaches. The number of breaches in both categories decreased year over year.
Most 2017 US Data Breaches Were Reported by the Business Sector
In the first half of the year, the business sector reported the most data breaches – 54.7% – with the healthcare and medical industry in second place with 22.5% of breaches. The education sector was third with 11% of breaches followed by the banking and financial services sector with 5.8% of the total. The government and military sector rounds off the top five with 5.6% of reported breaches.
There was an increase in data breaches reported by the hospitality and fast food sector in the first half of the year, most of which involved the theft of credit card details after malware was installed on POS systems. One of the biggest breaches affected Sabre Corporation and its SynXis hotel booking service. Hard Rock Hotels, Trump Hotels, Loews Hotels and Four Seasons were all among the victims. In the case of Trump Hotels, it was the third payment card data breach experienced in the past 2 years.
Biggest Healthcare Data Breaches of 2017 (So far)
The healthcare industry has also seen a 14% rise in data breaches in 2017, according to the figures published by the Department of Health and Human Services’ Office for Civil Rights. The main cause of healthcare data breaches – 37% – was hacking and IT incidents, which includes ransomware and malware attacks. Unauthorized access/disclosure came a close second with 35% of the total. Loss and theft of devices containing ePHI was in third place with 24% of the total, followed by improper disposal with 4%.
The biggest healthcare data breaches of 2017 so far are:
Commonwealth Health Corporation
Airway Oxygen, Inc.
Urology Austin, PLLC
Harrisburg Gastroenterology Ltd
Washington University School of Medicine
Stephenville Medical & Surgical Clinic
Primary Care Specialists, Inc.
The healthcare industry must report data breaches under HITECH/HIPAA regulations, including the number of individuals impacted. However, ITRC/CyberScout report that many organizations are holding back details of the number of individuals impacted due to the large HIPAA violation fines. Without that information, it is difficult to obtain an accurate picture of the severity of data breaches.
Eva Velasquez, ITRC President and CEO, said, “The number of records breached in a specific incident allows us to provide more insight into the scope of this problem, and is a necessary next step in our advocacy efforts.”
Last month, TitanHQ conducted a survey on managed service providers that have added WebTitan Cloud for Service Providers to their service stacks and are providing web filtering and anti-malware services to their customers.
There are many reasons why service providers have started offering a web filtering service. Customers often ask service providers for a web filtering service to prevent their employees from accessing inappropriate web content in the workplace and to stop inappropriate content from being accessed via WiFi networks in public places. They also want greater protection from malware and ransomware and to control use of bandwidth.
TitanHQ is well aware of the benefits that can be gained from using WebTitan Cloud for Service Providers, but the company wanted to gather feedback from MSPs and find out why they are so happy providing the web filtering service to their customers.
The answer to that question was abundantly clear from the survey. When asked to state the number one reason why they use web filtering there was a clear winner. 89% of service providers said they use WebTitan Cloud for Service Providers because “It saves significantly on my support time and cost.”
Managed Service Providers that offer WebTitan Cloud to customers are enjoying major savings. Since WebTitan Cloud is highly effective at blocking access to malicious websites, customers experience less downtime as a result of malware infections. For service providers that means less time is spent mitigating malware infections, which is arguably the biggest expense of IT operation teams and tech support staff.
One NYC-based Managed Service Provider summed up why web filtering is so important, saying “Web filtering is one of the, if not the greatest bang for your buck services. Its built-in anti-malware has protected our clients, and us from having to fix, thousands of hours of repair time, I am absolutely certain.”
A Washington-based MSP said, “By reducing malware-related security incidents, you’re reducing your number one uncontrollable expense: the people on your IT operations team, like your help desk techs,” while a London, UK-based MSP explained that since they started providing a web filtering service, “Our Crypto calls dropped to 0.”
As well as cutting down the time spent responding to security incidents, MSPs found that WebTitan Cloud for Service Providers was an easy way to improve client spending. The second most popular response was that WebTitan Cloud for Service Providers is “an easy monthly recurring revenue source”.
How Can WebTitan Cloud for Service Providers Benefit Your Organization?
WebTitan Cloud for Service Providers has been developed specifically for Managed Service Providers. The solution is ideal for hotspot and WiFi providers, MSPs, ISPs and retail and public organizations that offer access to WiFi networks, including schools, universities, libraries, restaurants, cafes, shops and hotels.
The solution is highly scalable to hundreds of thousands of users and the web filtering service has no latency as it is DNS based. That also means it is not necessary to become an Internet Service Provider to offer a web filtering service.
MSPs love the fact that the solution is provided as a white label and is ready to have branding and color schemes applied. WebTitan Cloud for Service Providers also has multiple hosting options, including the option of hosting the solution within an MSP’s own environment.
WebTitan Cloud for Service Providers is an API-driven, multi-tenant solution that’s easy to implement and manage. New customers can be added in minutes, there are no hardware requirements and the solution can be managed remotely without the need for site visits.
Customers benefit from an extensive list of features that help them protect their brand by blocking access to inappropriate content via WiFi networks, protect users by blocking malware and save bandwidth by restricting access to streaming services.
Why is WebTitan perfect for MSPs?
Save on customer support time, hours and cost. No more costly ransomware call outs.
Gives your clients excellent protection against malware, ransomware, and phishing attacks
Real-time live updating of malware and malicious threats, with an active database of 650 million users driving the AI-driven protection
Easy filtering at multiple levels with the capability to recognize users in many different ways.
Protection from web threats for office and remote users.
Reporting with full AD integration – Easy to show your customers the volume of malicious attacks you have prevented.
Great for improving revenue – Generate regular monthly revenue for very little effort
Easy client account administration via a central control panel
Multiple hosting options: Deployed in our cloud, a private cloud, or in your data center
Intuitive controls with low management overhead
API driven for advanced back end integration in your own systems, including billing and reporting
Flexible pricing to suit your business, including monthly billing
Multi-tenant solution with advanced customer management features
Highly scalable with no latency
Highly customizable – can be provided as a white label ready for your logos and color scheme
Leading alternative to Cisco Umbrella (formerly OpenDNS) at a fraction of the price
Industry-leading technical support and customer service
No punitive terms, measures, or sharp practices and a fully transparent pricing policy with no hidden costs.
If you are an IT service provider and you have yet to start offering a web filtering and anti-malware service, or you are unhappy with your current solution provider, contact the TitanHQ team today to find out more about how offering or switching to WebTitan can save you time and money and improve your bottom line.
A new study conducted by the Ponemon Institute has shown that General Data Protection Regulation preparations have only been made by a small minority of companies, with almost half of surveyed organizations unsure where to even start.
The General Data Protection Regulation was approved by the EU Parliament on April 14, 2016. Companies have been given until May 25, 2018 to comply with GDPR. When the new regulation comes into force, any company discovered not to be in compliance can face a heavy fine. The maximum fine for non-compliance will be €20 million or 4% of global annual turnover, whichever is higher.
Many companies started their General Data Protection Regulation preparations as soon as the new legislation was approved. However, according to the Ponemon Institute survey, only 9% of companies have made the necessary changes to comply with GDPR. 59% of surveyed organizations haven’t even started their General Data Protection Regulation preparations and don’t know how to comply.
Interestingly, the threat of fines and the difficulty complying with GDPR has put many companies off doing business in the EU. 34% of surveyed companies have said their General Data Protection Regulation preparations have involved shutting down their European operations. However, that does not mean they will not need to comply. Compliance with GDPR is mandatory for any company doing business in the European Union, even if they do not have a physical base in one of the European member states.
Even the threat of fines has not convinced many companies to start preparing. Only 38% of companies said their senior leadership viewed compliance as a priority.
The changes for many companies to ensure compliance will be considerable. 89% of respondents said GDPR will have a significant impact on their data breach protection practices. However, there is considerable doubt about how effective GDPR will be. Only 41% of companies believe the new regulation will improve privacy protection practices while 70% said they don’t believe the new regulation will benefit victims of a data breach.
If you have yet to start preparing and updating your policies and procedures you don’t have long. The compliance date may be months away, but for many companies, preparations will take some time. If you are keen to avoid a fine for non-compliance, now is the time to start your GDPR compliance preparations.
If you are unaware of what GDPR means for your business or whether you need to comply with the regulation, you can find out more on this link.
The U.S. Federal Bureau of Investigation has issued its annual Internet Crime Report, showing cybercriminals netted at least $1.3 billion last year. The figures for the report were compiled by the FBI’s Internet Crime Complaint Center, or IC3 as it is also known. Those losses came from 298,728 complaints that had been filed with IC3 in 2016.
The Internet Crime Report provides some insight into the main methods used by cybercriminals to fraudulently obtain money. Last year, the three crime types that resulted in the biggest losses were Business Email Compromise (BEC) attacks, romance/confidence fraud and non-payment/non-delivery scams.
BEC scams resulted in losses of $360.5 million last year and the scams are becoming increasingly common. Confidence and romance fraud was second, resulting in losses of $219.8 million with corporate data breaches in third place causing losses of $95.9 million. Phishing, via the web, email, SMS messages and telephone resulted in losses of $31.7 million. Losses from extortion were $15.8 million with ransomware tracked separately and causing losses of $2.4 million. Tech support fraud netted cybercriminals $7.8 million with malware and scareware losses tracked as $3.9 million.
The FBI singled out four key criminal activities in its 2016 Internet Crime Report that became major issues in 2016: BEC, ransomware, tech support fraud and extortion.
BEC scams involve the impersonation of foreign suppliers and other vendors that are usually paid by wire transfer. A similar type of scam, referred to as email account compromise (EAC), targets individuals in a company responsible for making wire transfers.
Both scams involve the impersonation of company executives, with fraudulent wire transfer requests sent to accounts department employees. Since it is often the CEO who is impersonated, the scams are commonly referred to as CEO fraud. Transfers are commonly for tens or hundreds of thousands of dollars. In some cases, companies have been conned out of millions. BEC scams topped the list of losses.
BEC scams have also been rife in 2017, with the start of the year seeing an increase in BEC scams with the aim of obtaining the tax information of employees, typically W-2 forms. In 2016, there were 12,005 reported BEC scams, although this is likely just a small percentage of the real total.
Ransomware has become a major threat for businesses, with criminals targeting employees using phishing emails. The FBI says Remote Desktop Protocol was also a major attack vector in 2016. The FBI suggests that security awareness training for employees is now a critical preventative measure that should be provided by all organizations. In 2016, there were 2,673 reported ransomware incidents, although, as with BEC scams, many businesses choose not to report ransomware attacks.
Another major threat comes from tech support scams where criminals impersonate security companies. The attackers claim an urgent security issue must be resolved for which payment is required. These scams can involve screen-locking malware, cold calls or pop up messages. Typosquatting is also commonly used. Criminals register URLs similar to major online brands to take advantage of careless typists.
Extortion continues to be a major problem and it takes many forms. There have been numerous cases of criminals impersonating government agencies, with threats of Denial of Service attacks similarly common. Hackers have been stealing data and demanding ransoms for its return, while sextortion, hitman schemes and loan schemes are also rife.
While the Internet Crime Report provides an indication of how rampant cybercrime has become, the reports hugely underestimate the true extent of the problem. Only a small percentage of victims of cybercrime report the incident to law enforcement. The Department of Justice estimates only 15% of Internet crime is reported, while the FBI suggests only one in seven cases of Internet crime are actually reported. It is not only individuals that fail to report crimes. Many businesses that experience cyberattacks or other Internet crime-related losses fail to report the incidents. The true figures from cybercrime are likely to be several orders of magnitude worse than the Internet Crime Report suggests.
2016 was a bad year for data breaches, but a new analysis by the Identity Theft Resource Center (ITRC) shows 2017 data breach figures are far worse. Year over year, data breaches have increased by 29.1%.
Last year saw record numbers of data breaches, with 1,093 incidents tracked by the ITRC; however, if breaches continue to occur at the rate seen over the past 6 months, this year is likely to be another record-breaking year. 2017 is likely to see more than 1,500 breaches – a particularly worrying milestone to pass.
55.4% of 2017 data breaches have been reported by organizations in the business sector. Those 420 incidents have involved more than 7.5 million records, more than 64% of all records exposed so far in 2017. The healthcare industry has also experienced many data breaches, accounting for 22% of the total. So far this year, the protected health information of 2.5 million individuals has been exposed – 21.1% of all records exposed so far in 2017, resulting in HIPAA breaches.
Education may have only experienced 87 data breaches this year – 11.5% of the year to date total – but those breaches account for 9% of exposed records, helped in no small part by a single breach at Washington State University that involved at least 1 million records.
The government/military sector (43 breaches) is in fourth place, with 200,000+ exposed records accounting for 1.8% of the total. Fifth place is taken by the financial services sector with 41 breaches, with more than 526,000 exposed records accounting for 5.4% of the year to date figures.
The ITRC has been tracking data breaches since 2005, with the 2017 data breaches bringing the overall total number of incidents up to 7,656. The total number of exposed records has now risen to 899,792,157.
In the case of healthcare data breaches, more incidents have been reported following the clarification of HIPAA Rules covering ransomware attacks. Last year there was some confusion as to whether ransomware attacks were reportable. The Department of Health and Human Services’ Office for Civil Rights confirmed late last year that most ransomware attacks are reportable under HIPAA Rules. Consequently, there has been an increase in reports of these events in recent months.
Companies in other industries are also reporting more data breaches due to changes in state legislation and public pressure. However, ITRC points out the big jump in 2017 data breaches can also be explained by an increase in insider incidents and cyberattacks.
The increase in data breaches in 2017 clearly highlights the importance of conducting a thorough, organization-wide risk analysis to identify all potential vulnerabilities that could potentially be exploited. A risk management plan should then be put in place to address any vulnerabilities that are identified.
While organizations should consider augmenting security to protect the network perimeter, the threat from within should not be ignored. Employees are typically a weak point in security defenses, although action can be taken to reduce risk. Training should be provided to improve security awareness, technological solutions implemented to reduce the risk from phishing and other malicious email-borne attacks, while web-based attacks can be limited with a web filtering solution.
2017 may be shaping up to be a particularly bad year for data breaches, but with investment in people and cybersecurity defenses, it is not too late to prevent 2017 from being another record-breaking year.
The healthcare industry has been heavily targeted by cybercriminals, but retail industry data breaches are now the most common according to a recent study by Trustwave. Retail industry data breaches account for 22% of all reported breaches, closely followed by the food and beverage industry on 20%.
In 2016, corporate and internal networks were the most commonly breached systems, although there was a marked increase in POS system breaches, which are now the second most targeted systems, accounting for 31% of all reported breaches. Last year, POS data breaches accounted for only 22% of the total. POS data breaches were most common in the United States. In 2015, e-commerce platforms were heavily targeted, accounting for 38% of all breaches, although in 2016 the percentage fell to 26%.
Healthcare data is in high demand, although it is still credit card numbers that are most commonly stolen. 63% of data breaches involved card data, split between card track data (33% of incidents) – mostly from hospitality and retail industry data breaches – and card-not-present data (30% of incidents) which came from breaches of e-commerce platforms.
The United States was also the most targeted country, accounting for 49% of all breaches – more than double the percentage of Asia-Pacific in second place with 21% of reported breaches. Europe was in third place with 20%.
Zero-day exploits are in high demand, commanding an initial price of $95,000 on the black market, although there were only 9 zero-day vulnerabilities exploited in the wild in 2016 – 5 for Adobe Flash, 3 for Internet Explorer and one for Microsoft Silverlight.
The top two methods of compromise were remote access – 29.7% of attacks – and phishing and social engineering, which accounted for 18.8% of attacks.
Exploit kit activity has fallen since the demise of the Angler, Magnitude and Nuclear exploit kits, although others such as Rig are increasing in popularity. Exploit kit activity could increase further due to the low cost of conducting malvertising campaigns – malicious adverts on third-party ad networks that direct individuals to sites hosting exploit kits. Trustwave reports it now costs cybercriminals $5 to target 1,000 vulnerable computers with malicious adverts. Trustwave warns that while exploit kit activity has fallen, it would be wrong to assume it is gone for good. If it is profitable to use exploit kits, more will be developed.
Spam email is still the primary attack vector. Spam rose from 54% of total email volume in 2015 to 60% in 2016. 35% of those messages contained malicious attachments, which Trustwave reports is up from 3% in 2015.
The most common malware variants discovered in 2016 data breach investigations targeted POS systems: PoSeidon (18%) and Alina (13.5%), with Carbanak/Anunak in third place on 10%.
A recent Ponemon Institute study suggests data breaches take more than six months to detect, while Trustwave’s figures suggest the median number of days between intrusion and detection for external incidents was 65 days in 2016, although some companies took up to 2,000 days to discover a breach. Detection rates have improved from 2015, when it took an average of 80.5 days to detect a breach.
For the first time in the past seven years, the cost of a data breach has fallen, with a 10% reduction in per capita data breach costs across all industry sectors. The global study revealed the average cost of a data breach is now $141 per exposed or stolen record. The global average cost of a data breach is down to $3.62 million from $4 million last year.
The IBM Security sponsored study was conducted by the Ponemon Institute, which has been tracking the costs of data breaches for the past seven years. In every other year data breach costs have risen year over year.
The Ponemon Institute say the reduction can partly be explained by a strong dollar. In the United States, the cost of a data breach has risen from $221 to $225 per record with the total breach cost increasing to $7.35 million from $7.02 million last year.
For the study, the Ponemon Institute assessed the breach resolution costs after organizations experienced a breach and had notified affected individuals. Large data breaches – those in which more than 100,000 records were exposed or stolen – were not included in the study as they were deemed atypical. Instead, only breaches of between 5,000 and 100,000 records were included. The average size of the breaches was 28,512 records. A breach was defined as the loss or theft of a record that included an individual’s name along with either their Social Security number, financial information or medical record.
For the seventh consecutive year, the healthcare industry had the highest data breach costs. The per capita cost of a healthcare data breach was $380. Financial services, another highly regulated industry, had the second highest breach costs ($336 per record). Services sector data breaches cost $274 per record, life sciences breaches were $264 per record and the industrial sector had a per capita breach cost of $259.
The lowest breach costs were retail ($177), hospitality ($144), entertainment ($131), research ($123) and the public sector ($110). The biggest cause of data breaches was malicious and criminal attacks, which also carried the highest resolution costs. System glitches and human error each accounted for 24% of data breaches.
An analysis of breach costs revealed there are a number of ways to reduce the cost of a data breach. Having a breach response plan in place saw companies reduce breach costs by $19 per record, while the use of encryption reduced breach costs by an average of $17 per record. Employee education helped reduce breach costs by an average of $12.50 per record.
A fast response to a data breach can also dramatically reduce the total breach cost. Organizations that were able to contain a breach within 30 days saw breach costs reduced by $1 million. On average, it takes companies more than six months to discover a breach and containing the breach takes an average of 66 days.
TitanHQ is proud to announce a new partnership with the intelligent spaces company Purple. Purple has chosen TitanHQ’s WiFi content filtering solution – WebTitan – to keep its WiFi networks secure and to carefully control the content that can be accessed by its clients and their customers.
The importance of securing WiFi networks has been highlighted by recent cyberattacks, including the WannaCry ransomware attacks on May 12. Consumers can be provided with WiFi access, but need to be protected from web-borne threats such as drive-by ransomware downloads and phishing attacks.
WebTitan offers protection against a wide range of web-borne threats including exploit kits, phishing websites, malicious web adverts and drive-by downloads of malware and ransomware. Every day, WebTitan detects more than 60,000 web threats and protects customers by blocking access to harmful webpages. WebTitan also allows businesses to carefully control the content that can be accessed via WiFi networks, filtering out obscene, harmful, and illegal website content.
As a leading provider of WiFi analytics and marketing services, Purple is well aware of the potential risks that come from unsecured WiFi hotspots. The company is committed to securing its WiFi networks and ensuring its customers are protected in the right way. Purple required exceptional protection for its customers, yet not all WiFi filtering solutions matched the company’s unique requirements.
Purple explained those requirements to TitanHQ, which was able to respond with a solution that matched the company’s exacting needs. James Wood, Head of Integration at Purple, said, “From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”
WebTitan allows companies to manage WiFi content controls in multiple locations from a single administration console, making it an ideal solution for global WiFi businesses. For companies such as Purple, whose clients need control over their own filtering settings, WebTitan was ideal. Wood explained that WebTitan “allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”
TitanHQ responded rapidly and rolled out WebTitan in a matter of days. Purple customers are now protected by the leading WiFi content filtering solution and can access the Internet safely and securely. Wood said, “With demanding timescales involved for the migration, we invested heavily in WebTitan and they have not failed to deliver.”
TitanHQ CEO Ronan Kavanagh is delighted that Purple has chosen TitanHQ as its WiFi filtering partner. Kavanagh said, “Purple is now a valued member of the TitanHQ family and we are delighted to welcome the firm onboard. This is a partnership that illustrates just how well suited WebTitan is to Wi-Fi environments.”
Sabotage, subversion and ransomware attacks all increased sharply in 2016, with malware-infected emails now at a five-year high according to the latest installment of Symantec’s Internet Security and Threat Report (ISTR).
For the 22nd volume of the report, the antivirus and antimalware software vendor analyzed data collected from millions of users of its security solutions – the world’s largest civilian threat collection network, consisting of 98 million attack sensors spread across 157 countries around the globe.
The 77-page Internet Security and Threat Report is one of the most highly respected publications issued by any cybersecurity company.
The Internet Security and Threat Report provides a valuable insight into the state of cybersecurity and details how global cybersecurity threats have changed over the course of the past 12 months.
Internet Security and Threat Report Shows Change in Attack Tactics
Data theft and financial fraud may be major motivators behind cyberattacks on businesses, but over the past 12 months there has been a sharp rise in politically motivated cyberattacks. Rather than steal data, the attackers are sabotaging businesses using destructive malware such as hard disk wipers.
The attacks are conducted to cause serious harm to business competitors, although nation state-backed hackers have also been targeting the critical infrastructure in many countries. Attacks on Ukrainian energy providers have been conducted to disrupt the power supply while attacks on companies in Saudi Arabia – using Shamoon malware – attempted to permanently delete corporate data.
Many attacks were conducted last year with a different aim – subversion. That was clearly demonstrated during the recent U.S. presidential campaign. Sensitive data from the Democratic Party was leaked in an attempt to influence the outcome of the U.S. presidential election. The FBI investigation into the hacking of the presidential election is ongoing.
Sabotage is on the rise, but data theft incidents continue. The past year has seen many espionage attacks resulting in the theft of sensitive data and corporate secrets and financial attacks have increased.
The Internet Security and Threat Report shows there has been a major increase in large-scale financial heists in the past year. Attacks on consumers are occurring with increasing regularity, and the banks themselves are now being targeted. Those attacks have resulted in the theft of many millions of dollars.
The Carbanak gang has been highly active in this area and has performed multiple attacks on U.S. banks, while the Banswift group performed one of the biggest heists of the year, stealing $81 million from the central bank of Bangladesh.
While exploit kits and other web-based attacks were a major threat in 2015, attackers have returned to email as the primary method of gaining access to networks. In 2015, Symantec blocked an average of 340,000 web-based attacks per day. In 2016, the number had fallen to 229,000 – a significant reduction, although the threat of web-based attacks cannot be ignored.
The Biggest Malware Threat Comes from Email
Phishing is still a major risk for businesses, although the phishing rate has fallen over the past three years, according to the Internet Security and Threat Report. In 2014, one in 965 messages were used for phishing. In 2016, the number fell to one in 2,596 emails.
However, email spam levels have remained constant year on year. Email spam accounts for 53% of all sent messages.
Phishing email volume may be down, but email-borne malware attacks have increased. The Symantec Internet Security and Threat Report shows the volume of malicious emails now being sent is higher than any point in the past five years.
Now, one in 131 emails contains either a malicious attachment or hyperlink, up from one in 220 emails in 2015 and one in 244 emails in 2014. The number of new malware variants being released has also soared. In 2014, there were 275 million new malware variants discovered. That figure rose to 357 million last year. The number of bots sending malicious email has also increased year on year, from 91.9 million in 2015 to 98.6 million in 2016.
Ransomware Attacks Soared in 2016
Ransomware attacks also increased significantly in 2016, with the United States the most targeted country. Even though the FBI and other law enforcement agencies strongly advise against paying a ransom, 64% of U.S. companies ignore that advice and pay the attackers for keys to decrypt their data.
In 2015, the average ransom demand was for $294 per infected machine. Over the course of the past 12 months, ransom amounts have increased considerably. The Symantec Internet Security and Threat Report shows ransom demands increased by an astonishing 266% in 2016. The average ransom demand is now $1,077 per infected machine.
Symantec tracked 101 separate ransomware families in 2016 – a substantial rise from the 30 known ransomware families in 2014 and 2015. Last year, there were 463,841 ransomware detections, up from 340,655 in 2015.
One of the biggest threats comes from the cloud, although many organizations are underestimating the risk. When organizations were asked how many cloud apps are in use in their company, few provided an accurate figure. Many estimated they used around 40 cloud-based apps. Symantec reports that for the average company, the figure is closer to 1,000.
As the Internet Security and Threat Report shows, the cyberthreat landscape is constantly changing as cybercriminals develop new methods of attacking businesses. Only by keeping up to date on the latest threat indicators and bolstering cybersecurity defenses can businesses maintain a robust security posture and prevent attacks.
The GDPR impact on business practices is considerable, as is the cost of GDPR compliance. A recent survey conducted by PwC revealed that 77% of large companies expect GDPR compliance to cost in excess of $1 million. Due to the considerable GDPR impact on business practices, many companies are already rethinking whether or not to continue doing business in Europe.
Many large multinational companies are well aware of the GDPR impact on business practices and the amount of work GDPR compliance will involve. That is not the case for SMEs, many of which are only just realizing they must comply with GDPR.
GDPR does not just apply to social media sites and global retailers. All businesses, regardless of their size, will be required to comply with the General Data Protection Regulation if they collect or process the personal information of EU citizens.
The definition of personal information is broad and includes online identifiers such as IP addresses. Even online retailers that allow EU citizens to access their websites are required to comply with GDPR.
All businesses will be required to perform a risk analysis to identify potential vulnerabilities to the confidentiality and integrity of stored data. Many large companies already have a swathe of cybersecurity protections to keep sensitive data secure, but most smaller organizations will discover they must implement more robust cybersecurity protections in order to comply with GDPR.
Companies will need to review their policies on data collection. When GDPR comes into effect, companies will need to have a valid reason for collecting personal information. Any data collected must also be limited to the minimum necessary information to perform the purpose for which data are collected.
Doing business in Europe will require privacy protections to be enhanced, new data security measures to be implemented, data collection practices to be changed, and policies and procedures to be updated. Legal teams must then assess GDPR compliance.
The GDPR impact on business practices is likely to be considerable for many companies. The time taken to perform risk analyses, assess policies and procedures, find and implement security solutions and update privacy policies will be considerable. Leaving GDPR compliance to the last minute is likely to see the deadline missed. That could prove to be very costly or even catastrophic for many businesses. Failure to comply with GDPR regulations can result in a fine of €20 million or 4% of global revenue, whichever is the greater. Non-compliance simply isn’t an option.
On May 25, 2018, the General Data Protection Regulation (GDPR) comes into force and GDPR compliance will be mandatory. Now is the time to get prepared. GDPR compliance is likely to require considerable effort and resources. If your organization is not prepared, you may miss the GDPR compliance deadline.
GDPR is a new regulation that will apply to all organizations based in EU member states, as well as those based in non-member states that capture, hold or process the data of EU citizens. GDPR replaces the 1995 EU Data Protection Directive and addresses web-based technology that was not widely available in 1995, such as use of the cloud.
The new regulation will help to ensure the personal data of EU citizens is protected and the risk of sensitive data being exposed is minimized. The new regulation will also allow EU citizens to have much greater control over the personal data that is collected and stored by organizations, and how those data are used.
How Will GDPR Protect Consumers?
One of the main elements of GDPR is improving the rights of EU citizens with regards to the personal data that is collected, stored and used by organizations. GDPR requires organizations to obtain informed consent from consumers prior to collecting and using their data. Consumers must be told the reason why data are being collected, how data will be used, and consumers must be told that they can withdraw their consent at any time. A mechanism must be put in place that will allow an organization to delete data when it is no longer required or when consent is withdrawn.
GDPR gives consumers the right to:
Find out how their data will be used
Discover how data were obtained if informed consent was not provided
Access personal data
Find out how long data will be stored
Correct errors in stored data
Move data to a different processor
Restrict or prohibit the processing of data
Find out with whom data have been or will be shared
Have data permanently erased
Avoid being evaluated on the basis of automated processing
Organizations must also limit the data collected to the minimum necessary amount for the purpose that has been described to consumers to be performed.
While organizations that have an online presence and actively collect data will have to comply with GDPR – Amazon for example – GDPR will apply to a much broader range of companies. In fact, many companies that do not have an online presence will need to comply with GDPR. GDPR will apply to any company that collects the types of data covered by the GDPR definition of personal information. That includes organizations that store ‘personal data’ of employees in an electronic database.
What Data are Covered by GDPR?
Under GDPR, personal information includes an individual’s name and a host of other identifiers, including online identifiers such as location data, IP addresses, cookies and other “pseudonymous data”. Information such as race and ethnic origin, religious or philosophical beliefs, political opinions, sexual orientation, details of sex life, criminal convictions, trade union membership, health data, biometric data, and genetic data are all covered.
Data Security Standards Necessary for GDPR Compliance
GDPR also covers the protections that must be put in place by organizations to ensure the confidentiality, integrity, and availability of data. That includes stored data and all data that flows through systems or applications.
GDPR compliance requires organizations to conduct a risk/gap analysis to assess potential vulnerabilities in their current systems and processes.
Companies must “implement appropriate technical and organizational measures” to ensure the confidentiality, integrity and availability of data. Those measures should “ensure a level of security appropriate to the risk.”
Companies must adopt a privacy and security-by-design approach, and ensure that controls are implemented during the planning stages, development, implementation, and use of applications and systems. Regular testing and security assessments must also be performed.
Systems must also be implemented that allow data to be recovered and restored in the event of a security incident or technical problem being experienced.
Data Breach Notification Requirements of GDPR
Any organization that experiences a breach of data covered by GDPR must inform their Data Protection Authorities (DPAs) within 72 hours of the breach being discovered. Individuals impacted by a data breach must also be notified, if such a breach has potential to result in identity theft or fraud, discrimination, financial loss, reputation damage, or other significant economic or social disadvantage. Notifications will not be required if stored data are encrypted or are otherwise undecipherable and unusable.
Preparing for GDPR
Many organizations currently lack the necessary systems to ensure GDPR compliance. For instance, many do not have systems that allow them to easily identify consumer data, retrieve it, and delete it as necessary.
Privacy policies will need to be drafted and published to incorporate the new regulation and ensure GDPR compliance. Forms explaining consent to use data will need to be developed and published. Staff will need to be trained on the new rights of individuals. Policies must also be developed – or updated – covering data breach notifications in case personal information is exposed, accessed, or stolen. Additional security solutions will need to be implemented. GDPR compliance will involve considerable cost and resources and ensuring GDPR compliance will take time.
Organizations must therefore start preparing for the introduction of the new regulation. It may be a year before GDPR compliance is necessary, but given the necessary changes, organizations should start planning now. From May next year, GDPR compliance will be mandatory and there will be severe penalties for non-compliance.
What are The Penalties for Non-Compliance with GDPR?
Any organization that fails to comply with GDPR can be fined by their DPAs. DPAs will be given more powers to investigate data breaches and non-compliance. The potential fines for non-compliance with GDPR are considerable.
If an organization does not comply with the GDPR security standards, a fine of up to €10 million can be issued or 2% of global annual turnover, whichever is the greater. The failure to comply with GDPR privacy standards can attract a fine of up to €20 million or 4% of global annual turnover, whichever is the greater.
Fines will be dictated by the extent of the violation or data breach, the number of individuals impacted, and the extent to which the organization has implemented controls and standards to ensure GDPR compliance.
Individuals also have the right to seek compensation if their personal information is misused or stolen, if they have suffered harm as a result. Criminal sanctions may also be applied, such as if data is collected without consent.
Organizations are likely to suffer reputational damage in the event of a data breach, as the EU will be naming and shaming organizations that fail to implement appropriate measures to protect data and prevent data breaches. Details of organizations that have not complied with GDPR will be published and made available to the public.
How Can TitanHQ Help with GDPR Compliance?
TitanHQ offers a range of data security solutions that offer real-time protection against viruses, malware, ransomware and spyware to help organizations effectively manage risk, prevent data breaches, and ensure GDPR compliance.
TitanHQ offers award-winning security solutions to prevent web-based and email-based cyberattacks, in addition to helping organizations protect themselves from insider breaches.
SpamTitan is an advanced email security solution that protects organizations from email-based attacks such as phishing, blocking the most common method of malware and ransomware delivery. SpamTitan detects and blocks 99.97% of spam email, with a range of deployment options to suit the needs of all businesses.
WebTitan offers industry-leading protection against a wide range of web-based threats such as exploit kits, malvertising, phishing websites and drive-by malware downloads. The solution allows data protection officers to limit the types of websites that can be accessed by employees to minimize risk.
ArcTitan is an easy to use email archiving system that copies all inbound and outbound messages and stores them in an encrypted email archive, preventing loss of data and ensuring emails can be recovered and audited. The solution satisfies GDPR compliance requirements for identifying, retrieving, and deleting individuals’ personal data, when its purpose has been served or consent is withdrawn.
For more information on TitanHQ’s cybersecurity solutions and how they can help with GDPR compliance, contact the TitanHQ team today.
The Intercontinental Hotels Group data breach previously announced in February as affecting 12 hotels in the chain has proven to have been far more extensive than was first thought.
Last week the group announced that the breach affected guests that used their credit cards to pay at franchisee hotels across the United States and in Puerto Rico between September 29, 2016 and December 29, 2016.
According to the chain’s website, the Intercontinental Hotels Group data breach potentially affected guests who stayed at its Holiday Inn, Holiday Inn Express, Crowne Plaza, Staybridge Suites, Candlewood Suites, Hotel Indigo, and InterContinental Hotels. The full list of hotels that have potentially been affected by the malware incident has been listed on the IHG website. In total, 1,184 of the group’s hotels have potentially been affected.
The Intercontinental Hotels Group data breach involved malware that had been downloaded onto its systems, which was capable of monitoring payment card systems and exfiltrating payment card data. It does not appear that any other information other than card details and cardholders’ names were stolen by the attackers.
The hotel group does not believe the data breach extended past December 29, 2016, although that cannot be entirely ruled out as it took until February/March for all of the affected hotels to be investigated and for confirmation to be received that the malware had been removed.
Prior to the malware being installed, IHG had started installing the IHG Secure Payment Solution (SPS), which provides point-to-point encryption to prevent incidents such as this from resulting in the theft of clients’ data. Had the process started sooner, the Intercontinental Hotels Group data breach could have been prevented.
Hotels that had implemented the SPS prior to September 29, 2016 were not affected and those that had implemented the solution between September 29, 2016 and December 29, 2016 stopped the malware from being able to locate and steal credit card data. In those cases, only clients that used their credit cards at affected hotels between September 29, 2016 and when the SPS system was installed were affected.
Intercontinental Hotels Group Data Breach One of Many Affecting the Hospitality Sector
The Intercontinental Hotels Group data breach stands out due to the extent to which the group was affected, with well over 1,100 hotels affected. However, this is far from the only hotel group to have been affected by POS malware. Previous incidents have also been reported by Hard Rock Hotels, Hilton Hotels, Omni Hotels & Resorts and Trump Hotels.
Hotels, in particular hotel chains, are big targets for cybercriminals due to the size of the prize. Many hotel guests choose to pay for their rooms and services on credit cards rather than in cash, and each hotel services many thousands – often tens of thousands – of guests each year.
Globally, IHG hotels service more than 150 million guests every year, which is a tremendous number of credit and debit cards. Such a widespread malware infection would be highly lucrative for the attackers. Credit card numbers may only sell for a couple of dollars a time, but with that number of guests, an attack such as this would be a huge pay day for the attackers.
The Hospitality Sector is a Big Target and Vulnerable to Cyberattacks
While many tactics are used to gain access to POS systems, oftentimes it is weak or default passwords that allow hackers to gain access to hotel computer systems. Stolen credentials are another common way that access is gained. Verizon’s Data Breach Investigations Report (DBIR) for 2016 shows that in each of the reported breaches affecting the hospitality sector, the attackers gained access to systems in less than an hour.
Malware can also be inadvertently downloaded by employees and guests. Poor segregation of the POS system from other parts of the network is commonplace. That makes it easy for hackers to move laterally within the network once a foothold has been gained. Doubling up POS systems as workstations makes it too easy for hackers to gain access to POS systems.
Many hotels also fail to perform adequate risk assessments and do not conduct penetration tests or vulnerability scans. Even malware scans are performed infrequently. Some hotels also fail to implement appropriate security solutions to block access to malware-laden websites.
The Intercontinental Hotels Group data breach could have been prevented, and certainly discovered more quickly. The same is true for many hotel data breaches.
Unless hotels and hotel groups improve their cybersecurity posture and implement appropriate technology, policies and procedures to prevent cyberattacks, data breaches of this nature will continue to occur.
TitanHQ offers a range of products that can prevent hackers from gaining access to computers and POS systems. For further information on how you can protect your hotel or chain against cyberattacks, contact the TitanHQ team today.
Last week, the Bitglass Threats Below the Surface Report was released. The report highlights the extent to which organizations are being attacked by cybercriminals. Far from cyberattacks being a relatively rare occurrence, they are now as certain as death and taxes.
The report revealed that out of the 3,000 IT professionals surveyed for the report, 87% said they had experienced a cyberattack in the past 12 months. Many of those respondents had experienced numerous cyberattacks in the past year, with one company in three experiencing more than five cyberattacks in the last 12 months. To put that figure in perspective and show how the probability of being attacked has increased, two years ago, only half of companies were experiencing cyberattacks on that scale.
IT professionals rated mobile devices as one of the biggest problem areas. When asked to rate security posture, more respondents rated mobile as somewhat or highly vulnerable than any other system. While attacks can come from all angles, the report revealed that many companies are not actively monitoring their systems and devices for potential vulnerabilities. Only 24% monitored SaaS and IaaS apps for vulnerabilities, 36% monitored mobile devices and 60% monitored the network perimeter and laptops/desktops.
In response to the increased number of threats and the frequency of cyberattacks, companies have been forced to increase spending on cybersecurity defenses. The Bitglass Threats Below the Surface Report shows the biggest spenders are the retail and technology sectors, with 39% of retail organizations and 36% of technology companies saying they are now spending a large proportion of their budgets on cybersecurity. 52% of respondents said their organization is planning on increasing cybersecurity spending.
Respondents were asked to rate their biggest concerns for the report to get a gauge of the biggest perceived threats. The biggest concern for 37% of respondents is phishing. Phishing attacks are becoming more sophisticated and harder for non-security professionals to identify. A range of social engineering techniques are used to fool end users into opening infected email attachments or clicking on malicious links and revealing their sensitive information. While effective at preventing many phishing attacks, training alone is no longer sufficient. Technological controls are now essential.
Malware and insider threats are also major concerns, rated as a top concern by 32% and 33% of respondents respectively, with email one of the main methods of malware delivery. Ransomware was also a major concern. While ransomware attacks can result in significant costs and system downtime, fortunately, many companies have improved their ransomware defenses and have been able to recover without paying a ransom by restoring files from backups.
54% of companies said they had experienced a ransomware attack and were able to recover their data from backups without having to pay a ransom. That said, 33% of companies had no alternative but to pay a ransom to recover locked data, while 13% of companies said they had refused to pay a ransom and had experienced data loss as a result.
A new variant of Stampado ransomware – called Philadelphia ransomware – is being used in targeted attacks on the healthcare sector in the United States. The ransomware variant is being spread using spear phishing emails.
Spear phishing emails have been detected that incorporate the healthcare organization’s logo along with the name of a physician at the organization. The use of a logo and a name adds credibility to the email, increasing the likelihood of the targeted individual clicking the link and downloading the malicious file. Information about organizations and details of potential targets can easily be found on social media websites such as LinkedIn.
In recent months, cybercriminals have favored email attachments for spreading ransomware and malware, with Word documents containing malicious Word macros one of the most popular methods of ransomware and malware infection. The latest campaign, which was identified by Forcepoint, also uses malicious Word documents. However, rather than sending a malicious Word document as an attachment, the emails contain a link to a website where the Word document is automatically downloaded.
As with email attachments, the document must be opened and macros enabled in order for the ransomware to be downloaded.
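A defender-side check for the delivery chain described above, as an added example (not code from the original article, Forcepoint or TitanHQ): a web or mail gateway can inspect a downloaded Word document for an embedded VBA project before the user ever sees the "enable macros" prompt. The sample documents are constructed in code and are not real Word files.

```python
"""Added example: flag Word downloads that carry VBA macros at the gateway.

Illustrative code, not TitanHQ's or Forcepoint's. The sample documents are
constructed here for testing and are not real Word files.
"""
import io
import zipfile

# Magic bytes of a legacy OLE compound file (.doc); constructed-test value.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Office declares for a VBA project inside an OOXML package.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_word_download(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'unknown'.

    OOXML documents (.docx/.docm) are zip containers. A macro project is
    stored as word/vbaProject.bin and is declared in [Content_Types].xml;
    both are checked because a file may carry one without the other and the
    file extension proves nothing. Legacy OLE (.doc) files can hold macros
    in a 'Macros' storage; parsing the CFB format is out of scope here, so
    they are reported for deeper inspection (e.g. with oletools).
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    if not data.startswith(b"PK"):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower() for n in zf.namelist()}
            if any(n.endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            try:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            except KeyError:
                ctypes = ""
            if VBA_CONTENT_TYPE in ctypes:
                return "ooxml-macro"
            if "word/document.xml" in names:
                return "ooxml-clean"
    except zipfile.BadZipFile:
        return "unknown"
    return "unknown"


def build_sample(part: bool, declared: bool) -> bytes:
    """Constructed minimal OOXML container for testing (not a real document).

    part     -- include a word/vbaProject.bin entry
    declared -- declare the VBA content type in [Content_Types].xml
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        override = ""
        if declared:
            override = (
                '<Override PartName="/word/vbaProject.bin" '
                f'ContentType="{VBA_CONTENT_TYPE}"/>'
            )
        if part:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder")
        zf.writestr("[Content_Types].xml", f"<Types>{override}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for part, declared in ((True, True), (False, True), (True, False), (False, False)):
        print(part, declared, classify_word_download(build_sample(part, declared)))
```

A file classified as `ooxml-macro` or `ole-legacy` is the one to hold or sandbox; the user still has to enable macros for the payload to run, but quarantining upstream removes that decision from them.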
Philadelphia Ransomware Attacks Likely to Increase
Philadelphia ransomware attacks are likely to increase thanks to a professional affiliate campaign. Would-be attackers are being recruited using a video that highlights the many features of the ransomware. The video calls Philadelphia ransomware “the most advanced and customizable ransomware ever,” and shows just how easy it is for someone with little technical skill to start their own ransomware campaign.
Would-be cybercriminals are able to rent the ransomware and use it for their own spamming campaigns, provided they pay the author an initial fee of around $400. The one-off payment, so the authors claim, gives a user lifetime use of the ransomware. Affiliates will then be given a cut of any ransom payments they are able to generate.
Affiliate campaigns such as this – known as ransomware-as-a-service – are becoming increasingly popular. They allow non-technical spammers to jump on the ransomware bandwagon and start generating ransom payments. There is likely to be no shortage of takers.
Fortunately, the ransomware is not as advanced as the promotional video makes out. Furthermore, a decryptor for Philadelphia ransomware has been developed and can be downloaded for free via Softpedia. No ransom needs to be paid, although infection with Philadelphia ransomware can still result in considerable disruption. Healthcare organizations should therefore be on their guard.
The Recording Industry Association of America (RIAA) wants regulations to be introduced that will force Internet Service Providers to filter pirated content, rather than relying on the current system of DMCA takedowns, which the RIAA believes to be ‘antiquated.’ The RIAA claims the current DMCA notice and takedown system is ‘extremely burdensome’ and ‘ineffective’ and that the system invites abuse.
The RIAA and 14 other organizations wrote to the U.S. Copyright Office last week explaining the inadequacies of the current DMCA Safe Harbors and suggesting a number of potential solutions to the problem.
Currently, Internet Service Providers are required to take down copyright-infringing content after receiving a DMCA request. The request must be acted on expeditiously and ISPs are legally protected from copyright infringement lawsuits. The legislation has so far protected Internet Service Providers from legal action. Were it not for the legislation, an ISP could potentially be sued every time one of its users uploaded content that violated copyright.
One of the main problems is that while the current system protects innocent Internet service providers who have passively, or unwittingly, allowed their services to be used for copyright infringing activities, some entertainment services are also protected, even though their businesses are based entirely on copyright infringement, such as the streaming of sports, entertainment and movies.
A number of suggestions have been made, such as amending the Digital Millennium Copyright Act to include a timeframe for processing DMCA takedowns, as well as requiring Internet Service Providers to filter pirated content and use automated systems that identify pirated content and prevent it from being uploaded once the content has been flagged.
The RIAA suggests that when a DMCA request is received requiring specific content to be removed, that content should then be flagged. A system should be put in place that blocks that content from being uploaded in the future on a different webpage or website. Currently, a takedown of content just means the individual or organization can simply upload the content again on another webpage or domain and the process must start over again. The RIAA says the current system is like an endless game of Whac-A-Mole.
The proposals have been criticized on the grounds that any automated process is likely to remove web content that is protected under fair use laws, and that automated systems could result in the overblocking of website content.
The RIAA counters that the risk has been exaggerated and that the argument is often used by ISPs to avoid implementing content identification technologies. The RIAA argues that current technologies are sufficiently granular to allow them to be calibrated to filter pirated content and protect fair uses.
The increase in cyberattacks on law firms has prompted the American Bar Association (ABA) to start offering cyber liability insurance for law firms, in addition to its standard insurance policies.
Cyber liability insurance for law firms is becoming as important as travel, medical and dental insurance. Cybercriminals are now targeting law firms with increasing frequency and vigor due to the treasure trove of data they store on clients.
The data can be used for fraud, and the highly sensitive nature of information disclosed to attorneys makes blackmail and extortion an attractive and potentially lucrative option. Access to sensitive data also gives cybercriminals the option of insider trading. Only last year, indictments against three Chinese nationals were unsealed by the Manhattan U.S. attorney’s office showing that more than $4 million in illegal stock trades were performed following the theft of attorneys’ emails. The hackers had gained access to email accounts at three Chicago law firms involved in major mergers and acquisitions.
Cybercriminals’ use of stolen data aside, cyberattacks can prove incredibly costly. Following a cyberattack, costs of mitigation can spiral. Law firms must cover the cost of forensic investigations to determine the nature and extent of an attack, and which clients and systems have been impacted. Analyses must identify malware infections and backdoors that may have been installed allowing persistent access to networks and data.
If client data are accessed, law firms must cover the cost of legal defenses and liability protection. Lawsuits will undoubtedly follow any cyberattack. Any breach of sensitive data will almost certainly have an impact on law firms’ reputations, resulting in considerable loss of revenue. Then there are the improvements to cybersecurity defenses to prevent further attacks, the cost of which can be substantial.
For large law firms, cyberattacks can make a significant dent in profits. For small law firms, a cyberattack could prove catastrophic. Given the high costs involved, it is no surprise that cyber liability insurance for law firms is now deemed a necessity.
For the past few years, the ABA has been improving awareness of the cybersecurity risks that must be mitigated by law firms. Awareness has improved as a result and many law firms have invested heavily in technologies to protect against cyberattacks. In 2013, the ABA also petitioned the government to introduce new laws specifically to protect law firms from cyberattacks and the threat of cyber-espionage. Cyber liability insurance for law firms was a natural step for the ABA.
The ABA has developed its new program during the past year to provide affordable coverage from some of the nation’s top insurance carriers. The ABA’s cyber liability insurance for law firms is underwritten by Chubb Limited, the largest publicly traded property and casualty insurer.
The final New York Department of Financial Services cybersecurity rules have now been issued. Covered entities (banks, insurance companies, and financial service firms operating in the state of New York) must now comply with the new rules. The financial services cybersecurity rules are the first to be introduced at the state level in the U.S.
The purpose of the cybersecurity rules is to make it harder for cybercriminals to gain access to confidential consumer data. The new rules require companies to adopt a host of cybersecurity measures to keep consumer data confidential and secure.
The financial services cybersecurity rules were first announced last fall. Following the announcement and publication of the draft cybersecurity rules on September 13, 2016, there followed a 45-day comment period. A revised version of the DFS cybersecurity rules was published in late December, which was followed by a further 30-day comment period. The comments received have been considered and now final changes to the cybersecurity rules have been made.
The final financial services cybersecurity rules are effective as of March 1, 2017. Covered entities have up to 6 months to ensure compliance, after which non-compliance could result in a significant financial penalty and other sanctions.
New York state governor Andrew Cuomo announced the release of the final financial services cybersecurity rules saying “New York is the financial capital of the world and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks.”
The new rules should not pose too many problems for the majority of firms in the financial sector, provided that they have already adopted best practices issued by the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC). However, where the new cybersecurity rules differ is their specificity. The FINRA and SEC guidelines do not specify the measures that must be adopted, whereas the DFS cybersecurity rules are much more specific about the measures that must be adopted to keep data secure.
The final version of the financial services cybersecurity rules has seen an easing of document retention requirements. In previous versions of the rules, covered entities were required to keep all categories of records for a period of five years. In the final version of the rules, the 5-year retention period only applies to records that are necessary to reconstruct financial transactions to support the normal operations of the company. Records of cybersecurity events that could materially harm the company need only to be kept for three years.
The new rules require the DFS to be notified of a cybersecurity event within 72 hours of it occurring, if the event has a reasonable likelihood of materially harming any part of the normal operations of the covered entity or if the entity has a pre-existing duty to notify another government or regulatory agency.
While the financial services cybersecurity rules are strict, there are many exemptions. Several security experts have suggested the new rules do not go far enough for this very reason.
Many of the exemptions apply to smaller companies. For instance, in order for a company to be a covered entity, the annual turnover must be more than 5 million dollars. Smaller firms employing fewer than 10 individuals are similarly exempt. That effectively means a company with 9 employees does not need to implement data security measures as stringent as those required of a company that employs 10 individuals; however, a line must be drawn somewhere.
There are also exemptions for firms that do not possess or control non-public information. There are further exemptions for charitable organizations and insurance companies that operate in the state of New York, but are not chartered in New York state, and for reinsurers that accept credits or assets from an assuming insurer not authorized in the state. However, further updates of the rules may see some of the exemptions removed.
In all likelihood, 2016 will be forever remembered as The Year of Ransomware, in the same way that 2014 was the year of the healthcare data breach.
2016 Will be Remembered as The Year of Ransomware
Ransomware first appeared in the late 1980s, although at the time, cybercriminals did not fully embrace it. Instead, they favored viruses, worms, and other forms of malware. That’s not to say that ransomware was not used, only that there were more lucrative ways for cybercriminals to make money.
That all started to change in 2015, when the popularity of cryptomalware was fully realized. By 2016, many actors had got in on the act and the number of ransomware variants started to soar, as did attacks on healthcare providers, educational institutions, government departments, businesses, and even law enforcement agencies. In 2016, it appeared that no one was immune to attack. Many organizations were simply not prepared to deal with the threat.
Early in the year it became clear that healthcare organizations were starting to be targeted for the first time. In February, one of the most notable ransomware attacks of the year occurred. Hollywood Presbyterian Medical Center in Hollywood, CA, was attacked and its computers were taken out of action for well over a week while the medical center grappled with the infection. The decision was taken to pay the ransom demand of $17,000 to obtain the key to decrypt its data.
Not long afterwards, MedStar Health suffered a massive infection involving many of the computers used by the hospital system. In that case, the $19,000 ransom was not paid. Instead, encrypted data were recovered from backups, although the disruption caused was considerable. 10 hospitals and more than 250 outpatient centers had their computers shut down as a result of the infection and many operations and appointments had to be cancelled.
In the first quarter of 2016 alone, the FBI reported that more than $206 million in ransom payments had been made by companies and organizations in the United States. To put that figure in perspective, just $24 million had been paid in the whole of 2015, so that represents a 771% increase in ransom payments with only three months having passed. The year of ransomware had barely even begun!
Biggest Ransomware Threats in 2016
TeslaCrypt was one of the biggest ransomware threats at the start of the year, although the emergence of Locky ransomware in February saw Locky become an even bigger threat. It soon became the ransomware variant of choice. Locky was used in attacks in 114 countries around the world last year, and cybercriminals continue to tweak it and release new variants. Locky has yet to be cracked by security researchers. Then came Cerber, CryptXXX, Petya (which was defeated in April), and Dogspectus for smartphones, to name just a few.
By the summer, The Guardian newspaper reported that 40% of UK businesses had been attacked with ransomware, although the majority of ransomware attacks were concentrated in the United States. By the autumn, more than 200 ransomware families had been discovered, each containing many variants.
Reports of attacks continued to flood in over the course of the year, with ransomware arguably the biggest cybersecurity threat seen in recent years.
2016 was certainly The Year of Ransomware, but 2017 doesn’t look like it will get any easier for security professionals. In fact, 2017 is likely to be even worse. Some experts have predicted that ransomware revenues will reach $5 billion in 2017.
You can find out more interesting – and horrifying – ransomware statistics by clicking the image below to view the TitanHQ ransomware infographic. The ransomware infographic also includes information on the protections that should be put in place to prevent ransomware attacks and the encryption of sensitive data.
The email archiving cost can be avoided, but fail to use an email archiving service at your peril. Huge fines await organizations that cannot recover emails for eDiscovery and if laws covering email retention are violated.
U.S. businesses are required to keep emails for several years. The IRS requires all companies to keep emails relating to tax for 7 years; the FOIA requires emails to be kept for 3 years; public companies (Sarbanes-Oxley), banking and finance firms (Gramm-Leach-Bliley Act) and securities firms (SEC) must keep emails for 7 years; and healthcare organizations (HIPAA) must keep them for 6 years.
While large firms are able to absorb the cost of email archiving, many SMBs look at the email archiving cost and try to save money by opting for backups instead. While it is possible to save on the email archiving cost by using backups, the decision not to use an email archiving service could prove to be very costly indeed.
Email backups can serve the same purpose as email archiving in the sense that both can be used to retain old emails. However, while an email backup can help a business protect against data loss, if ever there is a need to recover backed up emails, companies often encounter problems.
Email backups are fine for recovering entire email accounts (mostly). In the event of a malware or ransomware attack, email backups can be used to restore entire mailboxes, but backups can themselves be corrupted or encrypted. There will also be times when only certain emails need to be recovered – for eDiscovery purposes in the event of a lawsuit, for example. An eDiscovery order may be received that requires all email correspondence sent to a particular client or customer to be retrieved. Such a request may require emails from hundreds of employees to be located, and those emails may date back several years. Finding all emails would be an incredibly time-consuming process, and it may not actually be possible to recover all correspondence. Backup files cannot easily be searched as they are simply data repositories.
An email archive, on the other hand, is different. The entire archive can be quickly and easily searched, and individual emails can be easily found and recovered. If an eDiscovery request is received, searches can be performed to identify all relevant emails and attachments, and the entire process will take minutes or a few hours at most. The recovery of emails and files from a backup could take weeks or even months, assuming that the task is even possible.
Email backups fail surprisingly often. The recent spate of ransomware attacks has highlighted a number of examples of data backups that have been corrupted, leaving organizations little option but to pay the attackers for a key to decrypt locked data. In the case of a ransomware infection, the ransom payment may be tens of thousands of dollars or even millions. However, the cost of failing to produce emails for eDiscovery or a compliance audit can be even higher.
Non-compliance with the Sarbanes-Oxley Act and other industry legislation can see fines of several million dollars issued. In 2016, Scottrade was issued with a fine of $2.6 million by the Financial Industry Regulatory Authority (FINRA). Scottrade had kept records of its emails, but not a complete record. More than 168 million emails had not been retained that should have been present in an archive. As Brad Bennett, Executive Vice President and Chief of Enforcement at FINRA explained when announcing the fine, “Firms must maintain sound supervisory systems and procedures to ensure the integrity, accuracy, and accessibility of electronic books and records.” That includes email correspondence.
The cost of email archiving is not only low compared to the cost of a regulatory fine, email archiving is actually inexpensive, especially when using a cloud-based email archiving solution such as ArcTitan. Being cloud-based, emails are securely stored in the cloud without the need for any additional hardware. Businesses can rest assured that no email will ever be lost, as the archive is securely stored separately from the mail system and the archive is automatically backed up in the cloud.
In the event of an eDiscovery order, any email can be retrieved almost instantly, regardless of when the email was archived. No specific software is required as emails can be archived directly from Office 365 or a mail client such as Outlook, or through a standard web browser. Furthermore, the load on an organization’s email server can be greatly reduced. Reductions of 80% have been seen by a number of TitanHQ’s clients.
Email Archiving, EU Citizens, and GDPR
The regulations mentioned at the top of the page (HIPAA, Sarbanes-Oxley and the Gramm-Leach-Bliley Act) largely affect domestic businesses operating within the domestic market. However, any businesses with a presence in Europe or that retain EU citizens’ personal data in emails will also be subject to the EU’s General Data Protection Regulation (GDPR).
This regulation stipulates that only the minimum amount of data necessary to perform a lawful function can be retained. It also states that measures must be put in place to protect EU citizens’ personal data against loss, theft or unauthorized disclosure.
Possibly more importantly, EU citizens have the right to request access to their personal data, insist on corrections being made if any information is incorrect, restrict data processing or demand the erasure of their personal information. For this reason alone it is important to use an email archiving service. With the quick and easy search facility, data access requests can be complied with in minutes.
To find out more about the full benefits of email archiving and the features of ArcTitan, give the TitanHQ sales team a call today. We think you will be pleasantly surprised at how low the email archiving cost is.
The financial services sector and healthcare industry are obvious targets for cybercriminals, but cyberattacks on educational institutions in 2017 have risen sharply. There have been a multitude of cyberattacks on educational institutions in 2017, and February is far from over. The list paints a particularly bleak outlook for the rest of the year. At the current rate, cyberattacks on educational institutions in 2017 are likely to smash all previous records, eclipsing last year’s total by a considerable distance.
Why Have There Been So Many Cyberattacks on Educational Institutions in 2017?
Educational institutions are attractive targets for cybercriminals. They hold large quantities of personal information of staff and students. Universities conduct research which can fetch big bucks on the black market.
While some of the finest minds, including computer scientists, are employed by universities, IT departments are relatively small, especially compared to those at large corporations.
Educational institutions, especially universities, are often linked to government agencies. If hackers can break into a university network, they can use it to launch attacks on the government. It is far easier than direct attacks on government agencies.
Cybersecurity protections in universities are often relatively poor. After all, it is hard to secure sprawling systems and huge networks that are designed to share information and promote free access to information by staff, students and researchers. Typically, university networks have many vulnerabilities that can easily be exploited.
Schools are also often poorly protected due to a lack of skilled staff and funding. Further, many schools are now moving to one-to-one programs, which means each student is issued with either a Chrome tablet or a Windows 10 laptop. More devices mean more opportunities for attack, plus the longer each student is connected to the Internet, the more time cybercriminals have to conduct attacks.
Another problem affecting K12 schools is the age of individuals who are accessing the Internet and email. Being younger, they tend to lack awareness about the risks online and are therefore more susceptible to social engineering and phishing attacks. The data of minors is also much more valuable and can be used for far longer by cybercriminals before fraud is detected.
While college students are savvier about the risks online, they are targeted using sophisticated scams geared to their ages. Fake job offers and scams about student loans are rife.
The threat of cyberattacks doesn’t always come from outside an institution. School, college and university students are hacking their own institution to gain access to systems to change their grades or for sabotage. Students with huge debts may also seek data to sell on the black market to help make ends meet.
While all of these issues can be resolved, much needs to be done and many challenges need to be overcome. It is an uphill struggle, and without additional funding that task can seem impossible. However, protections can be greatly improved without breaking the bank.
Major Cyberattacks on Educational Institutions in 2017
There have been several major cyberattacks on educational institutions in 2017, resulting in huge losses – both financial losses and loss of data. Educational institutions have been hacked by outsiders and by insiders, and ransomware attacks are a growing problem. Then there are the email-based social engineering scams that seek the tax information of staff. Already this year there have been huge numbers of attacks that have resulted in the theft of W-2 forms. The data on the forms are used to file fraudulent tax returns in the names of staff.
Notable cyberattacks on educational institutions in 2017 include:
Los Angeles Valley College
One of the most expensive cyberattacks on educational institutions in 2017 was a ransomware infection at Los Angeles Valley College. The attack saw a wide range of sensitive data encrypted, taking its network, email accounts and voicemail system out of action. The systems could not be restored from backups leaving the college with little alternative but to pay the $28,000 ransom demand. Fortunately, valid decryption keys were sent and data could be restored after the ransom was paid.
South Carolina’s Horry County Schools
The Horry County School District serves almost 43,000 students. It too was the victim of a ransomware attack that saw its systems taken out of action for a week, even though the ransom demand was paid. While it would have been possible to restore data from backups, the amount of time it would take made it preferable to pay the $8,500 ransom demand.
South Washington County Schools
Hackers do not always come from outside an organization, as discovered by South Washington County Schools. A student hacked a server and copied the records of 15,000 students onto a portable storage device, although the incident was detected and the individual apprehended before data could be sold or misused.
Northside Independent School District
One of the largest cyberattacks on educational institutions in 2017 was reported by Northside Independent School District in San Antonio, Texas. Hackers gained access to its systems and the records of more than 23,000 staff and students.
Manatee County School District
Manatee County School District experienced one of the largest W-2 form phishing attacks of the year to date. A member of staff responded to a phishing email and sent the W-2 forms of 7,900 staff members to tax fraudsters.
Huge Numbers of W-2 Form Phishing Attacks Reported
This year has seen huge numbers of W-2 form phishing attacks on educational institutions. Databreaches.net has been tracking the breach reports, with the following schools, colleges and educational institutions all having fallen for phishing scams. Each has sent hundreds, or thousands, of W-2 forms to tax fraudsters after responding to phishing emails.
Abernathy Independent School District
Argyle School District
Ark City School District
Barron Area School District
Belton Independent School District
Ben Bolt Independent School District
Black River Falls School District
Bloomington Public Schools
College of Southern Idaho
Corsicana Independent School District
Davidson County Schools
Glastonbury Public Schools
Groton Public Schools
Independence School District
Lexington School District 2
Manatee County School District
Mercedes Independent School District
Mercer County Schools
Mohave Community College
Morton School District
Mount Health City Schools
Neosho County Community College
Odessa School District
Powhatan County Public Schools
Redmond School District
San Diego Christian College
Tipton County Schools
Trenton R-9 School District
Tyler Independent School District
Virginian Wesleyan College
Walton School District
Yukon Public Schools
*List updated June 2017
These cyberattacks on educational institutions in 2017 show how important it is to improve cybersecurity defenses.
If you would like advice on methods/solutions you can adopt to reduce the risk of cyberattacks and data breaches, contact TitanHQ today. TitanHQ offers cost-effective cybersecurity solutions for educational institutions to block email and web-based attacks and prevent data breaches.
If your organization was hit with a malware or ransomware infection last year, the 2016 malware report from Malwarebytes may serve as an unpleasant reminder of 12 months best forgotten. Malware infections rose in 2016 and ransomware infections soared. In the case of the latter, there was an explosion in new variants. Malwarebytes charted a 267% increase in ransomware variants between January 2016 and November 2016. In quarter four alone more than 400 active ransomware variants were cataloged.
The 2016 malware report shows how ransomware has become the revenue-generator of choice for many cybercriminals. It is easy to understand why. Infecting computers is a relatively easy process, ransom payments are made within a matter of days, much of the process is entirely automated, and ransomware-as-a-service means no skill is even required to jump on the bandwagon and send out campaigns.
The 2016 malware report indicates ransomware accounted for 18% of malicious payloads from spam email and ransomware is the payload of choice for exploit kits, accounting for 66% of malicious downloads.
Locky was a major threat for most of the year, but in December there was a massive spike in Cerber ransomware variants, which are now the most populous ransomware family.
The cybersecurity company’s 2016 malware report confirms what many security professionals already know all too well. 2016 was a particularly bad year for everyone but the cybercriminals. Unfortunately, the outlook for 2017 does not look any better. In fact, it looks like it will be even worse.
Predictions have been made that will send shivers down many a system administrator’s spine. Ransomware is set to become even more aggressive. Critical infrastructures are likely to be targeted. Healthcare ransomware attacks will increase, potentially placing patients’ lives at risk. Educational institutions will be targeted. No organization will be immune to attack.
Fortunately, new ransomware families will be limited in 2017. But that is only because Locky and Cerber are so effective and can easily be tweaked to avoid detection.
Then there are the botnets. The increase in use of IoT devices would not be a problem, were it not for a lack of security. Many insecure devices are coming to market which can all too easily be added to botnets. As we saw in the tail end of the year, these botnets – such as Mirai – are capable of conducting devastating DDoS attacks. Those attacks are only likely to increase in scale and frequency. As Malwarebytes correctly points out, unless manufacturers of IoT devices are better regulated and are forced to improve their security, vast sections of the Internet will come under threat.
So, it looks like all bad news for 2017. All organizations can do is purchase the technology to deal with the threats, plug security holes promptly, train staff to be aware of the threats, and shore up their defenses. The next 12 months could be a rocky ride.
59% of businesses increased their cybersecurity spending in 2016, according to PwC. Cybersecurity is now increasingly being viewed as essential for business growth, not just an IT cost.
As more companies digitize their data and take advantage of the many benefits of the cloud, the threat of cyberattacks becomes more severe. The past 12 months have already seen a major increase in successful cyberattacks and organizations around the world have responded by increasing their cybersecurity spending.
The increased threat of phishing attacks, ransomware and malware infections, data theft and sabotage has been a wake-up call for many organizations; unfortunately, it is often only when an attack takes place that the wake-up call occurs. However, forward-thinking companies are not waiting for attacks: they are increasing spending on cybersecurity and are already reaping the benefits. They experience fewer attacks, client and customer confidence increases, and they gain a significant competitive advantage.
The annual Global State of Information Security Report from PricewaterhouseCoopers (PwC) shows that companies are realizing the benefits of improving cybersecurity defenses. More than 10,000 individuals from 133 companies took part in the survey that provided data for the report. 59% of respondents said that their company increased cybersecurity spending in 2016. Technical solutions are being implemented, although investment in people has also increased.
Cybercriminals are bypassing complex, multi-layered cybersecurity defences by targeting employees. Organizations have responded by increasing privacy training. 56% of respondents say all employees are now provided with privacy training, and with good reason.
According to the report, 43% of companies have reported phishing attacks in the past 12 months, with this cybersecurity vector the most commonly cited method of attack. The seriousness of the threat was highlighted by anti-phishing training company PhishMe. The company’s Enterprise Phishing Susceptibility and Resiliency Report showed 90% of cyberattacks start with a spear phishing email. Given how effective training can be at reducing the risk from phishing, increasing spending on staff training is money well spent.
The same is true for technical cybersecurity solutions that reduce phishing risk. Two of the most important solutions are antispam and web filtering solutions, with each tackling the problem from a different angle. Antispam solutions are employed to prevent phishing emails from reaching employees’ inboxes, while web filtering solutions are being used to block access to phishing websites. Along with training, companies can effectively neutralize the threat.
Many companies lack the staff and resources to develop their own cybersecurity solutions; however, the range of managed security services now available is helping them to ensure that their networks, data, and systems are adequately protected. According to the PwC report, 62% of companies are now using managed security services to meet their cybersecurity and privacy needs. By using partners to assist with the challenge of securing their systems, organizations are able to use limited resources to better effect and concentrate those resources on other areas critical to business processes.
There has been a change in how organizations view cybersecurity over the past few years. Rather than seeing cybersecurity as simply a cost that must be absorbed, it is now increasingly viewed as important for business growth. According to PwC US and Global Leader of Cybersecurity and Privacy David Burg, “To remain competitive, organizations today must make a budgetary commitment to the integration of cybersecurity with digitization from the outset.” Burg also points out, “The fusion of advanced technologies with cloud architectures can empower organizations to quickly identify and respond to threats, better understand customers and the business ecosystem, and ultimately reduce costs.”
The Federal Trade Commission (FTC) is conducting a study to investigate the security update practices of mobile device manufacturers. The study is being conducted amid concern that mobile device manufacturers are not doing enough to ensure owners of mobile devices are protected from security threats.
Security Update Practices of Mobile Device Manufacturers Leave Mobile Users Exposed to Attack
A number of new and highly serious threats have emerged in recent years which allow attackers to remotely execute malicious code on mobile devices if users visit a compromised website. One of the most serious threats comes from the Stagefright vulnerability discovered last year.
The Stagefright vulnerability could potentially be exploited to allow attackers to gain control of Android smartphones. It has been estimated that as many as one billion devices are prone to attack via this vulnerability. Google released an Android update to fix the vulnerability, yet many mobile phone users were unable to update their devices as the manufacturer of their device, or the mobile carrier they used, did not allow the updates to be installed. Because of this, many smartphone owners are still vulnerable to attack.
Even when device manufacturers do update their devices there are often long delays between the issuing of the fix and the rolling out of updates. When a rollout is executed, it can take a week or more before all device owners receive their updates. During that time users are left vulnerable to attack.
The FTC wants to find out more about the delays and the rationale behind the slow rolling out of updates.
FTC and FCC Join Forces and Demand Answers from Carriers and Device Manufacturers
The FTC has joined forces with the Federal Communications Commission (FCC) for the study and has ordered smartphone manufacturers and developers of mobile device operating systems to explain how security updates are issued, the reasoning behind the decision to delay the issuing of security updates, and for some device manufacturers, why security updates are not being issued.
The study is primarily being conducted on manufacturers of devices running the Android platform, although Apple has also been ordered to take part, even though its devices are the most secure. Apple’s security update practices are likely to serve as a benchmark against which other manufacturers will be judged. Manufacturers that use the Android platform that will take part in the study include Blackberry, HTC, LG, Motorola and Samsung. Google and Microsoft will also take part.
The FTC is asking operating system developers and mobile manufacturers to disclose the factors that are considered when deciding whether to issue updates to correct known vulnerabilities. They have been asked to provide detailed information on the devices they have sold since August 2013, if security vulnerabilities have been discovered that affect those devices, and if and when those vulnerabilities have been – or will be – patched.
The FCC has asked questions of mobile phone carriers including the length of time that devices will be supported, the timing and frequency of updates, the process used when developing security updates, and whether device owners were notified when the decision was taken not to issue a security update for a specific device model.
Whether the study will result in better security update practices of mobile device manufacturers remains to be seen, although the results of the study, if published in full, will certainly make for interesting reading.
A new study has confirmed that the healthcare industry faces the highest risk of cyberattacks. Healthcare providers and health plans are being targeted by cybercriminals due to the value of patient data on the black market. A full set of medical records, along with personally identifiable information and Social Security numbers, sells for big bucks on darknet marketplaces. Health data is far more valuable than credit card data, for instance.
Furthermore, organizations in the healthcare industry store vast quantities of data and cybersecurity protections are still less robust than in other industry verticals.
The survey was conducted by 451 Research on behalf of Vormetric. Respondents were asked about the defenses they had put in place to keep sensitive data secure, how they rated their defenses, and how they planned to improve protections and reduce the risk of cyberattacks occurring.
78% of respondents rated their network defenses as very or extremely effective, with network defenses having been prioritized by the majority of healthcare organizations. 72% rated data-at-rest defenses as extremely or very effective. While this figure seems high, confidence in data-at-rest defenses ranked second from bottom. Only government industries ranked lower, with 68% of respondents from government agencies rating their data-at-rest defenses as very or extremely effective.
Even though many IT security professionals in the healthcare industry believe their network and data-at-rest defenses to be robust, 63% of healthcare organizations reported having experienced a data breach in the past.
The Risk of Cyberattacks Cannot Be Effectively Managed Simply by Becoming HIPAA-Compliant
Many organizations have been prioritizing compliance with industry regulations rather than bolstering defenses to prevent data breaches. Many healthcare organizations see compliance with the Health Insurance Portability and Accountability Act (HIPAA) as being an effective way of ensuring data are protected.
HIPAA requires all covered entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities – to implement administrative, technical, and physical safeguards to keep confidential patient data secure. By achieving “HIPAA-compliance” covered entities will improve their security posture and reduce the risk of cyberattacks, but compliance alone will not ensure that data are protected.
One only needs to look at the Department of Health and Human Services’ Office for Civil Rights breach portal to see that healthcare data breaches are commonplace. Many of the organizations listed in the breach portal have implemented defenses to protect data and are HIPAA-compliant. Compliance has not prevented data breaches from occurring.
The 451 Research survey asked respondents their views on compliance. 68% said it was very or extremely effective at ensuring data were secured. The reality is HIPAA only requires healthcare organizations to implement safeguards to achieve a minimum level of data security. In order to prevent data breaches and effectively manage the risk of cyberattacks, organizations need to invest more heavily in data security.
HIPAA does not, for example, require organizations to protect data-at-rest with encryption. If the network perimeter is breached, there is often little to prevent data from being stolen. Healthcare organizations are focusing on improving network protection but should not forget to protect data-at-rest with encryption. 49% said network security was still the main spending priority over the next 12 months, which was the highest rated security category for investment.
Healthcare organizations did appreciate that investment in technologies to protect data-at-rest was important, with 46% of respondents saying spending would be increased over the next 12 months on technologies such as disk and file encryption to help manage the risk of cyberattacks.
This week has seen the release of new U.S. data breach statistics by the Identity Theft Resource Center (ITRC). The new report reveals the extent to which organizations have been attacked over the past decade, breaking down data breaches by industry sector.
ITRC has been collecting and collating information on U.S. data breaches since 2005. Since records of security breaches first started to be kept, ITRC figures show a 397% increase in data exposure incidents. This year has seen the total number of data breach incidents surpass 6,000, with 851 million individual records now having been exposed since 2015.
U.S. Data Breach Statistics by Industry Sector
The financial sector may have been extensively targeted by cybercriminals seeking access to financial information, but between 2005 and March 2016 the industry only accounts for 7.9% of data breaches. The heavily regulated industry has implemented a range of sophisticated cybersecurity protections to prevent breaches of confidential information which has helped to keep data secure. The business and healthcare sectors were not so well protected and account for the majority of data breaches over the past decade.
Over the course of the past decade the financial sector ranked lowest for breaches of Social Security numbers. The largest data security incident exposed 13.5 million records. That data breach occurred when data was on the move.
At the other end of the scale is the business sector, which includes the hospitality industry, retail, transport, trade, and other professional entities. This sector had the highest number of data breaches accounting for 35.6% of all data breaches reported in the United States. Those breaches exposed 399.4 million records.
ITRC’s U.S. data breach statistics show that the business sector was the most frequently targeted by hackers over the course of the past decade, accounting for 809 hacking incidents. Hackers were able to steal 360.1 million records and the industry accounted for 13.6% of breaches that exposed credit and debit card numbers. The huge data breaches suffered by Home Depot and Target involved the exposure of a large percentage of credit and debit card numbers.
Healthcare Sector Data Breaches Behind the Massive Rise in Tax Fraud
The business sector was closely followed by the healthcare industry, which has been extensively targeted in recent years. ITRC reports that the industry accounted for 16.6% of data breaches that exposed Social Security numbers. Since 2005, over 176.5 million healthcare records have been exposed, and over 131 million records were exposed as a result of hacking since 2007. That includes the 78.8 million records exposed in the Anthem Inc. data breach discovered early last year.
While hacking has exposed the most records, employee negligence and error were responsible for 371 data breaches in the healthcare industry. Healthcare industry data breaches are believed to have been responsible for the massive increase in tax fraud experienced this year. Tax fraud surged by 400 percent in 2016.
Government organizations and military data breaches make up 14.4% of U.S. data breaches over the past decade, with the education sector experiencing a similar number, accounting for 14.1% of breaches. Over 57.4 million Social Security numbers were exposed in government/military data breaches along with more than 389,000 credit and debit card numbers.
The education sector experienced the lowest number of insider data breaches of all industry sectors (0.7%) although 2.4 million records were exposed via email and the Internet.
Cybersecurity Protections Need to Be Improved
The latest U.S. data breach statistics show that all industry sectors are at risk of cyberattack, and all must improve cybersecurity protections to keep data secure. According to Adam Levin, chairman and founder of IDT911, “Companies need to create a culture of privacy and security from the mailroom to the boardroom. That means making the necessary investment in hardware, software and training. Raising employee cyber hygiene awareness is as essential as the air we breathe.”
Symantec’s 2016 Internet security threat report has revealed the lengths to which cybercriminals are now going to install malware and gain access to sensitive data. The past 12 months has seen a substantial increase in attacks, and organizations are now having to deal with more threats than ever before.
Internet Security Threat Report Shows Major Increases in Ransomware, Malware, Web-borne Threats and Email Scams
The new Internet Security Threat Report shows that new malware is being released at a staggering rate. In 2015, Symantec discovered over 430 million unique samples of malware, representing an increase of 36% year on year. As Symantec points out, “Attacks against businesses and nations hit the headlines with such regularity that we’ve become numb to the sheer volume and acceleration of cyber threats.”
A new zero-day vulnerability is now being discovered at a rate of one per week, twice the number seen in 2014 and 2013. In 2015, 54 new zero-day vulnerabilities were discovered. In 2014 there were just 24 zero-day exploits discovered, and 23 in 2013.
The 2016 Internet Security Threat Report puts the total number of lost or stolen computer records at half a billion, although Symantec reports that organizations are increasingly choosing to withhold details of the extent of data breaches. The breach may be reported, but there has been an 85% increase in organizations not disclosing the number of records exposed in breaches.
Ransomware Attacks Increased 35% in 2015
Ransomware is proving more popular than ever with cybercriminal gangs. In 2015, ransomware attacks increased by 35%. The upward trend in 2015 has continued into 2016. Spear phishing attacks have also increased. While these attacks are often conducted on large organizations, Symantec reports that spear phishing attacks on smaller companies – those with fewer than 250 employees – have been steadily increasing over the past five years. In 2015, spear phishing attacks increased by a staggering 55%.
Cybercriminals may now be favoring phishing attacks and zero-day exploits over spam email scams, but spam email scams still pose a major risk to corporate data security. There has also been a rise in the number of software scams. Scammers are getting consumers to purchase unnecessary software by misreporting a security problem with their computer. Symantec blocked 100 million fake technical support scams last year.
75% of Websites Found to Contain Exploitable Security Vulnerabilities
One of the most worrying statistics from this year’s Internet Security Threat Report is over 75% of websites contain unpatched security vulnerabilities which could potentially be exploited by hackers. Even popular websites have been found to contain unpatched vulnerabilities. If attackers can compromise those websites and install exploit kits, they can be used to infect millions of website visitors. Simply being careful which sites are visited and only using well known sites is no guarantee that infections are avoided.
With the dramatic increase in threats, organizations need to step up their efforts and improve cybersecurity protections. Failure to do so is likely to see many more of these attacks succeed.
The healthcare ransomware threat is not new, but the threat of attack is growing. Last week, a healthcare provider in the United States found out just how damaging a ransomware attack can be. Hollywood Presbyterian Hospital experienced a ransomware attack on February 5, resulting in part of its computer network being taken out of action for more than a week.
The healthcare provider’s electronic health record (EHR) system was locked by ransomware and a demand of $17,000 was made by the attackers to supply the security keys. This is not the first time that a healthcare provider has had to deal with a ransomware infection, but attacks on healthcare organizations have been relatively rare.
What makes this attack stand out is the fact that the ransom was actually paid. CEO Allen Stefanek said “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom.”
The Healthcare Ransomware Threat is Very Real
Many businesses in the country have been attacked and have been forced to pay sizable ransoms in order to get a security key to decrypt their locked data. If data is encrypted by attackers, and no backup exists, there is little choice but to pay the ransom and hope that the attackers make good on their promise to supply the security keys.
There is no guarantee that the attackers will make good on their promise, of course. They could just demand even more money. There have also been cases where the attackers have “tweaked” their ransomware, but accidentally broke it in the process. Even if a ransom was paid, it would not be possible to unlock the data.
Paying a ransom does not therefore guarantee that the security keys will be supplied. In this case, the attackers did make good on their promise and supplied the keys allowing business to return to normal.
The public announcement about the ransomware attack, and the disclosure of the payment of the $17,000 ransom, could potentially lead to even more attacks taking place. That is a big payment for a hacker, yet orchestrating a ransomware campaign is relatively easy, and does not require a major financial outlay. The return on investment will be significant if a healthcare provider is forced to pay a ransom. Since the ransom was paid, this may prompt many more hackers to attack healthcare providers.
Ransomware Attack Raises a Number of Questions
This attack does raise a number of questions. What many security professionals will be asking is why the hospital paid at all. In the United States, healthcare providers are required to make backups and store those data off-site. In the event of an emergency such as this, a healthcare provider must be able to restore patient data. This is a requirement of the Health Insurance Portability and Accountability Act (HIPAA). It doesn’t matter what the emergency is: if computers or networks are taken out of action, the protected health information of patients cannot be lost.
The reality, however, is that restoring computer systems after a ransomware attack may not be quite so straightforward. It would depend on the extent of the ransomware attack, the number of systems that were compromised, the difficulty of restoring data, and how much data would actually be lost.
Backups should be performed daily, so it is possible that 24 hours of data may have been lost, but unlikely any more. Even if data loss had occurred, it is probable that the data were stored elsewhere and could be recovered. The payment of the ransom suggests that there may have actually been an issue with the backups, or that the cost of recovering data from the backups would have been more than the cost of paying the ransom.
Dealing with the Healthcare Ransomware Threat
Regardless of the reasons why data restoration was not possible, or paying the ransom seemed preferable, other healthcare providers should be concerned. Further attacks are likely to take place, so it is essential that backups are performed regularly, and critically, those backups are tested. A backup of data that cannot be restored is not a backup. It is a false hope.
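The restore test the paragraph calls for, written out as an added example (this script is not part of the original article and is not a TitanHQ product). It assumes a POSIX shell with GNU tar and sha256sum; the directory names and sample records are constructed for the demonstration. A backup is only counted as good once it has been restored into a scratch directory and every file checked against a manifest, and the same check is then run against a damaged copy of the archive to show that a backup which cannot be restored is caught rather than trusted.

```shell
#!/bin/sh
# Added example (not from the article): a restore test for a backup archive.
# Assumes a POSIX shell with GNU tar and sha256sum (coreutils). All paths and
# sample files below are constructed for the demonstration.
set -eu

# make_backup SRC ARCHIVE
# Archive the contents of SRC into ARCHIVE and write a SHA-256 manifest of
# every file beside it (ARCHIVE.sha256), so a restore can later be checked
# file by file rather than just "tar exited 0".
make_backup() {
    src="$1"; archive="$2"
    tar -C "$src" -cf "$archive" .
    # manifest paths are relative to SRC; file names containing spaces or
    # newlines are out of scope for this example
    (cd "$src" && find . -type f | sort | xargs sha256sum) > "$archive.sha256"
}

# verify_backup ARCHIVE
# Restore ARCHIVE into a scratch directory and compare every restored file
# against the manifest. Returns 0 only if the restore is complete and intact;
# a truncated or damaged archive, or a missing file, makes it return 1.
verify_backup() {
    archive="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
    manifest="$archive.sha256"
    scratch="$(mktemp -d)"
    rc=0
    # tar failing (for example "Unexpected EOF") is itself a failed restore
    tar -C "$scratch" -xf "$archive" 2>/dev/null || rc=1
    # sha256sum -c exits non-zero if any listed file is missing or altered
    if [ "$rc" -eq 0 ]; then
        (cd "$scratch" && sha256sum -c --quiet "$manifest") >/dev/null 2>&1 || rc=1
    fi
    rm -rf "$scratch"
    return "$rc"
}

# demo: back up a constructed directory and check it, then damage the archive
# the way a bad disk or an interrupted copy would and check it again
demo() {
    work="$(mktemp -d)"
    mkdir -p "$work/records/patients"
    printf 'constructed record 1\n' > "$work/records/patients/a.txt"
    printf 'constructed record 2\n' > "$work/records/patients/b.txt"
    make_backup "$work/records" "$work/records.tar"
    if verify_backup "$work/records.tar"; then
        echo "restore test passed: backup is usable"
    fi
    # keep only the first 1 KiB of the archive: the file data is gone
    head -c 1024 "$work/records.tar" > "$work/cut.tar"
    mv "$work/cut.tar" "$work/records.tar"
    if verify_backup "$work/records.tar"; then
        echo "restore test passed (unexpected)"
    else
        echo "restore test failed: this backup is a false hope"
    fi
    rm -rf "$work"
}

demo
```

In practice the check would run on a schedule against the real off-site copy and its result would be alerted on, so that a silently failing backup is discovered before an incident rather than during one.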
Furthermore, healthcare providers must ensure employees are trained to spot malware and ransomware, and software solutions should be implemented to prevent spam emails from being delivered to inboxes. Staff should be prepared, but it is best not to put their malware identification skills to the test.
Not all ransomware is delivered via spam email. Additional protections must also be put in place to prevent drive-by attacks and malvertising should be blocked. A web filtering solution, such as WebTitan, should also be installed to reduce the risk of ransomware downloads and to enforce safe use of the Internet.
There is no silver bullet that can totally negate the healthcare ransomware threat. It is impossible to make any system 100% secure, but by implementing a range of protections the risk of a ransomware infection can be reduced to an acceptable level. A disaster recovery plan must also exist that will allow data to be restored in the event that an attack does prove to be successful.
Many security professionals would like to know the motivation behind cyberattacks. How much do hackers earn? What actually motivates hackers to attack a particular organization? How long do hackers try before giving up and moving on, and how profitable is cybercrime for the average hacker?
A recent survey commissioned by Palo Alto Networks provides some answers to these questions and offers some insight into the minds of hackers. The results of the survey suggest that cybercrime is not as profitable as many people think. In fact, “the big payday” is actually something of a myth, certainly for the majority of hackers.
There is a common misconception that cyber attackers are tirelessly working to breach the defenses of organizations and are raking in millions from successful attacks; however, the survey results indicate otherwise.
The Ponemon Institute asked 304 threat experts their opinions on the motivation behind cyberattacks, the money that can be made, the time invested by hackers, and how attackers choose their targets.
The respondents, based in Germany, the United States, and the United Kingdom, were all involved in the threat community to varying degrees. 79% of respondents claimed to be involved in the threat community, with 21% of respondents saying they were “very involved.”
What is the motivation behind cyberattacks?
The study cast some light on the motivation behind cyberattacks, as well as offering some important insights into the minds of hackers. There is a threat from hacktivists and saboteurs but, in the majority of cases, attackers are not intent on causing harm to organizations. The majority of cybercriminals are in it for the money. The motivation behind 67% of cybercrime is money.
However, in the majority of cases, it would appear that there is not actually that much money to be made. If hackers were to find employment as security professionals and use their skills to protect networks from hackers, they would likely earn a salary four times as high, and they would get sick pay, holiday pay, and medical/dental insurance.
How much do hackers earn?
Anyone interested in how much hackers earn may be surprised to find out it is not actually that much. The study determined that a technically proficient hacker would be able to conduct just over 8 cyberattacks per year, and an average of 41% of those attacks would not result in the attacker receiving any compensation.
The profits from cybercrime were found to be fairly constant regardless of where the criminals were based. In the United States a single cyberattack netted the perpetrator an average of $15,638. In the United Kingdom attackers earned an average of $12,324, and in Germany it was $14,983.
So how much do hackers earn? Take away the cost of the toolkits they purchase – an average of $1,367 – and the Ponemon Institute calculated the average earnings for a cyber attacker to be in the region of $28,744 per year. That figure was based on 705 hours spent “on the job” – around 13.5 hours per week. While it is clear that some hackers earn considerably more, the average hacker would be better off getting a real job. IT security practitioners earn 38.8% more per hour.
How can the survey data be used to prevent cyberattacks?
The survey probed respondents to find out how determined hackers were at breaching the defenses of companies. Surprisingly, it would appear that even if the potential prize is big, hackers tend not to spend a great deal of their time on attacks before moving on to easier targets.
72% of hackers are opportunistic and 69% of hackers would quit an attack if a company’s defenses were discovered to be strong. Ponemon determined that an attack on a typical IT security infrastructure took around 70 hours to plan and execute, whereas a company with an excellent infrastructure would take around 147 hours.
However, if a company can resist an attack for 40 hours (less than two days) 60% of attackers would move on to an easier target. Cybercriminals will not waste their time attacking organizations that make it particularly difficult to obtain data. There are plenty of much easier targets to attack.
Install complex, multi-layered defenses and use honeypots to waste hackers’ time. Make it unprofitable for attackers and in the majority of cases attackers will give up and move on to easier targets.
The cost of bot fraud in 2016 is likely to rise to a staggering $7.2 billion, according to a new report by the Association of National Advertisers (ANA).
2015 Bot Baseline study places the cost of bot fraud at over $7 billion
The study, conducted in conjunction with WhiteOps, shows that despite efforts to reduce the impact of bot fraud, criminal gangs are still managing to game the online advertising industry. Advertisers are being tricked into thinking that real visitors are viewing their adverts and are paying for those visits, when in actual fact a substantial percentage come from bots.
For some companies the losses were shocking. The highest losses were reported to have cost one company $42 million over the course of the year. However, even smaller companies did not escape unscathed. The cost of bot fraud for the least affected advertiser was $250,000.
ANA studied 1,300 advertising campaigns conducted by 49 major companies over a period of two months, from August 1, 2015 to September 30, 2015. The results of the study were then extrapolated to provide the cost of bot fraud for 2016.
The study examined more than 10 billion ad impressions to determine the percentage that were real visitors. To distinguish bot visits from the human visits, ANA/WhiteOps added detection tags to the advertising campaigns under study.
The same study was conducted back in 2014 and this year’s results show that virtually nothing has changed, with a fall in bot fraud of just 0.2% registered. The level of bot fraud has remained constant, although the cost to companies has increased.
In 2014, online advertisers were estimated to have lost around $5 billion to bot fraud. The rise in the cost of bot fraud is due to an expected increase in advertising investment over the course of the next 12 months.
Last year, brands suffered an average of $10 million in losses to bot fraud. That’s an average of $10 billion paid to advertise to bots. For 25% of companies, 9% of impressions go to non-human traffic.
Methods of bot detection have improved, but they are clearly not having much of an effect on the cost of bot fraud for advertisers. As detection methods improve, bot operators have improved their ability to obfuscate their bot visits.
Unfortunately, it is difficult to distinguish bot traffic from real traffic as more residential IP addresses are being used, and the bots are becoming better at mimicking real browsing habits.
Further information has emerged on the Juniper Networks backdoor discovered last week, which suggests the NSA had a hand in the installation of a backdoor in the company’s source code.
Last week, a Juniper Networks backdoor was discovered after the company identified unauthorized code which could potentially allow hackers to gain access to secure communications and data that its customers had protected with its firewalls.
The malicious code would allow a hacker to decipher encrypted communications protected by the company’s NetScreen firewalls. It is not known at this stage how the code was installed, or whether this was an inside job or the code was inserted remotely. What is known is that the person or group responsible installed the Juniper Networks backdoor by taking advantage of an inherent weakness in the system. They were also helped by a coding configuration error believed to have been made by a company employee.
Juniper Networks Backdoor Installed Using NSA-Introduced Weakness
One security researcher, Ralf-Philipp Weinmann of German firm Comsecuris, has claimed that the weakness in the Dual_EC had been put there by the NSA, who championed the use of Dual_EC. It is not known whether the NSA or one of its spying partners was responsible for changing the source code, but it would appear that the NSA had, perhaps inadvertently, introduced a weakness that ultimately led to the system being compromised.
The weakness in the code was first uncovered in 2007. The flaw in the Dual_EC algorithm was found by two Microsoft researchers, Dan Shumow and Niels Ferguson. The Dual_EC algorithm had just been approved by NIST and was used with three random number generators. Together, the encryption was believed to be secure enough to protect government data.
However, Shumow and Ferguson were able to demonstrate that the elliptic curve-based Dual_EC system could allow hackers to predict a random number used by the algorithm, which would make the encryption susceptible to being hacked.
Specific elliptic curve points were used as part of the random number generator. If one of those points was not a randomly generated number, and the person responsible for determining that point also generated a secret key, any holder of that key could potentially crack the encryption as it would be possible to determine the random number used by the algorithm. If that number could be predicted, the encryption could be cracked. Dan Shumow and Niels Ferguson believed this would be possible with just 32 bytes of output, if the key was known.
The flaw in Dual_EC is believed to be an intentional backdoor in the encryption that was introduced by the NSA, according to documents published by Edward Snowden. However, this was deemed not to be a problem as a second random number generator was used by Juniper. The second random number generator was supposed to have been used for the encryption, meaning even someone with a secret key would not be able to predict the random number used.
However, a coding error resulted in the original random number generator being used, rather than the second one. Someone had managed to break into the system and substitute their own constant; consequently, the encryption could be cracked.
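To make the two points above concrete, here is an added example (not code from the article, from Juniper, or from ScreenOS): a toy Dual_EC-style generator on a small constructed curve, a key-holder's prediction of its raw output from two consecutive values, and the same attempt failing once the output is passed through an independent second generator (SHA-256 stands in for it here). The curve, the trapdoor scalar and the seed are all constructed for illustration; the real generator drops 16 of 256 bits, this toy drops 4 of 31.

```python
import hashlib

# Toy curve constructed for this example (NOT NIST P-256 and NOT Juniper's code).
P_MOD = 2**31 - 1                 # prime modulus; 3 mod 4 makes square roots easy
A = 3
Q = (2, 7)                        # the "Q" point; B is derived so Q lies on the curve
B = (Q[1] ** 2 - Q[0] ** 3 - A * Q[0]) % P_MOD
assert (4 * A**3 + 27 * B**2) % P_MOD != 0      # curve is non-singular
DROP_BITS = 4                     # bits of x dropped from each output
MASK = (1 << (P_MOD.bit_length() - DROP_BITS)) - 1
SECRET_D = 0xB5F00D               # trapdoor scalar (constructed): P = SECRET_D * Q


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B mod P_MOD; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def x_of(pt):
    return 0 if pt is None else pt[0]


# Whoever chose P this way holds SECRET_D. A trustworthy standard derives P and Q
# independently and verifiably so that no such relation is known to anyone.
P = ec_mul(SECRET_D, Q)


def dual_ec_outputs(seed, count, second_generator=False):
    """Toy Dual_EC: r = x(s*P); s <- r; emit the low bits of x(r*Q).

    second_generator=True models the intended design: Dual_EC output only feeds
    an independent generator (SHA-256 here).  False models the coding error,
    where the raw Dual_EC output is emitted directly.
    """
    s, outs = seed, []
    for _ in range(count):
        r = x_of(ec_mul(s, P))
        s = r
        out = x_of(ec_mul(r, Q)) & MASK
        if second_generator:
            digest = hashlib.sha256(out.to_bytes(4, "big")).digest()
            out = int.from_bytes(digest[:4], "big") & MASK
        outs.append(out)
    return outs


def lift_x(x):
    """Return a curve point with this x coordinate, or None if none exists."""
    rhs = (x**3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)       # valid because P_MOD % 4 == 3
    return (x, y) if y * y % P_MOD == rhs else None


def predict_third_output(out0, out1, d):
    """Key-holder's prediction from two consecutive raw outputs.

    Brute-force the dropped bits of out0, lift to a point A = +/- r*Q, and use
    x(d*A) = x(r*P), the generator's next internal value; out1 confirms the
    candidate and one more step gives the third output.  Returns None when no
    candidate is consistent, which is the case for post-processed output.
    """
    for high in range(1 << DROP_BITS):
        x_cand = out0 | (high << MASK.bit_length())
        if x_cand >= P_MOD:
            break
        point = lift_x(x_cand)
        if point is None:
            continue
        r_next = x_of(ec_mul(d, point))
        if x_of(ec_mul(r_next, Q)) & MASK == out1:
            r_after = x_of(ec_mul(r_next, P))
            return x_of(ec_mul(r_after, Q)) & MASK
    return None
```

Run `predict_third_output` on the first two values of `dual_ec_outputs(seed, 3)` and it returns the third; on `dual_ec_outputs(seed, 3, second_generator=True)` it returns None, which is the protection the skipped post-processing step was meant to provide.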
The Juniper Networks backdoor has now apparently been plugged with the company recently issuing a patch to fix the problem. However, it would appear that the Juniper Networks backdoor had existed for at least three years.
According to reports from FireEye, IT security professionals do not only need to be concerned about malware attacks on computers, servers, and Android devices: Cisco router malware has now been discovered.
Cisco router malware discovered on 79 devices to date
Cisco router malware is highly sophisticated and particularly worrying. The malware can survive a restart and will be reloaded each time. Cisco router malware is also highly versatile and can be tweaked to suit an attacker’s needs. It has been found to support up to 100 different modules.
The malware was first discovered in Ukraine, although the infections have now spread to 19 different countries around the world; including the US, UK, Germany, China, Canada, India and the Philippines. At this stage it is not clear who created the malware, or what the main purpose is.
It is also not clear whether the malware has been installed via exploited vulnerabilities. It is possible that routers have been hijacked as a result of default logins not being changed, or weak passwords being set.
It is known that Cisco router malware is sophisticated and it appears to have been professionally developed. This has led security researchers to believe that foreign governments have had a hand in its development. Should that be the case, it is likely that the main purpose of the malware is spying. While it has been known for some time that router malware is possible in theory, this is the first time that malware has been discovered affecting routers in the wild.
SYNful Knock came as a big surprise to many security professionals
The malicious software is called SYNful Knock and it serves as a fully functional backdoor allowing remote access of networks. The attacks are also silent in many cases, and hackers are able to use the malware without risk of detection.
To date, the United States has been targeted by the cybercriminals behind the malware infections, with 25 of the 79 infections discovered in the U.S. That said, the infection was discovered to have affected an ISP which was hosting 25 infected routers. Lebanon has also been targeted and 12 infections discovered in the country, while 8 of the 79 infections have been found in Russia.
The infections were discovered using ZMap. Four full scans of the public IPv4 address space were performed, probing for signs of the malware by sending TCP SYN packets. At this stage it would appear that only Cisco routers have been affected by SYNful Knock, but there is concern that other manufacturers’ routers may also be infected with malware. Researchers are now investigating to find out if router malware is a more widespread problem.
Did you think the Ashley Madison data breach was mildly humorous? Did you think that it serves the people right for cheating on their husband, wife or life partner? If you did, you certainly didn’t have an account with the online cheating website. Those who did simultaneously broke out in a cold sweat when they realized the website had been hacked and the perpetrator was threatening to make the data public.
Ashley Madison data breach exposed millions of confidential records
The Impact Team was the hacking group behind the Ashley Madison data breach. The group announced on the Tor network that it had hacked the company’s database. The hackers claimed they would release details of the website’s patrons – people looking to have extra-marital affairs – if the company did not shut down its website. Avid Life Media Ltd., the company behind Ashley Madison, did not agree to close its business. The hackers then made good on their promise and started publishing data. A large data dump caused many of the website’s subscribers to panic.
The methods used by the attackers to gain access to the website have not been disclosed, although they were able to obtain the records of more than 30 million individuals in the attack. Unfortunately for the people who have had their privacy violated, there is little that can be done apart from taking precautions with their financial accounts. Their data cannot be un-exposed; it is out there and can be used by whoever finds it. That means phishers, cybercriminals, identity thieves, and anyone who objects to their extra-marital activities may try to expose them.
A data breach can seriously damage a company’s reputation
This was a high profile breach due to the nature of the website and the total confidentiality that is expected and demanded by the company’s clients. A data breach such as this has the potential to cause considerable damage to a brand with a marketing strategy and service that depends on privacy. However, brand reputation damage occurs following any security breach. Target, Anthem Inc., eBay and OPM have all had their reputations damaged to varying degrees as a result of security breaches and data theft.
Many IT professionals believe that it is not a case of whether a security breach will be suffered, but when it will happen. A great many security professionals believe that most companies have already suffered a security breach. They just do not know yet.
Lessons learned from the Ashley Madison data breach
Consumers can learn lessons from the Ashley Madison data breach. They should be aware that disclosing any information increases the risk of someone else accessing that information.
The lessons for consumers are:
If you want to do anything in secret, the Internet is probably not the best place to do it
When disclosing information of a sensitive nature, ask yourself what the consequences would be if someone found out or exposed that information
Would you be able to recover from a breach of that information?
Is the service or product more or less important than it being kept a secret?
No matter how secure a website, service, or application claims to be, there is always a risk of a security breach being suffered
There is never a 100% guarantee of privacy online; all networks and systems are vulnerable to attack
Businesses must conduct a risk analysis
Businesses must also consider the risks to data security. Many security threats exist, and they must all be effectively managed. In order to determine what risks exist, an organization must conduct a thorough risk analysis. It is only possible to address and manage risk if a company knows what security vulnerabilities exist. Unfortunately, many hackers already know about the data security risks that are present, as well as how they can be exploited.
Once a risk is identified, unless state or federal legislation demands that the risk is addressed, a company must decide what measures to employ, and whether they are actually worthwhile.
To do that a company must calculate the annualized rate of occurrence (ARO) of a security breach via a given vulnerability, which means how often a vulnerability is likely to be exploited in any given year. Then the company must determine the repercussions from that vulnerability being exploited: how much the security breach would cost to resolve. That figure is the single loss expectancy (SLE). Once these figures are known it is possible to determine the annual loss expectancy (ALE) by multiplying those two figures. A decision can then be taken about how the risk can be managed.
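An added example (not from the article) that turns the ARO, SLE and ALE rule above into a decision helper: it ranks identified risks by expected annual loss, and for a proposed measure compares the loss it avoids with what it costs, treating risks that legislation already requires to be addressed as decided. All figures are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    aro: float              # annualized rate of occurrence: expected exploitations per year
    sle: float              # single loss expectancy: cost in dollars of one breach this way
    mandated: bool = False  # True if state or federal legislation already requires a fix

    @property
    def ale(self) -> float:
        """Annual loss expectancy = ARO x SLE."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                    # yearly cost of running the measure
    residual_aro: float                   # ARO once the measure is in place
    residual_sle: Optional[float] = None  # SLE once in place; None means unchanged


def residual_ale(risk: Risk, control: Control) -> float:
    sle = risk.sle if control.residual_sle is None else control.residual_sle
    return control.residual_aro * sle


def annual_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus the control's cost; positive means worthwhile."""
    return risk.ale - residual_ale(risk, control) - control.annual_cost


def decide(risk: Risk, control: Control) -> str:
    if risk.mandated:
        return "required"                  # legislation removes the choice
    return "worthwhile" if annual_benefit(risk, control) > 0 else "not worthwhile"


def rank_by_ale(risks: List[Risk]) -> List[str]:
    """Highest expected annual loss first: where management attention should go."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale, reverse=True)]


# Constructed sample figures, not taken from any real assessment.
PHISHING = Risk("credential phishing", aro=0.5, sle=200_000)
LOST_LAPTOP = Risk("unencrypted laptop loss", aro=2.0, sle=15_000, mandated=True)
LEGACY_VPN = Risk("unpatched legacy VPN", aro=0.05, sle=1_000_000)

FILTER = Control("email filtering and training", annual_cost=30_000, residual_aro=0.1)
GOLD_PLATE = Control("dedicated SOC tier", annual_cost=95_000, residual_aro=0.05)
```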
Sean Doherty, Head of Research & Development at TitanHQ recently pointed out that “the notion of having ‘perfect security’ is ludicrous”. What must be done is to make it as hard as possible for systems to be infiltrated and data stolen. It is essential to implement good security measures which will be sufficient to repel attacks from all but the most skilled, motivated, and determined individuals. There is no such thing as zero risk, but it is possible to manage risk and get it down to a minimal level.
The role of a systems administrator is certainly challenging, mainly because it is constantly changing. This is the way it always has been since the role of a systems administrator was first defined. Now if you were to write down the role of a systems administrator, it would virtually be out of date before the ink had dried.
The role of a systems administrator evolves quickly. That is the very nature of the job. For many sys admins, that is what makes the job so interesting and enjoyable.
Anyone contemplating entering the profession should not be afraid of hard work. They also need to know that they will need a lot of training, and even more experience, in order to excel in the position.
The role of a systems administrator over the next five years
Over the course of the next five years there is expected to be 12% growth for systems and network administrators according to the US Bureau of Labor Statistics. The last report issued by the BLS indicated a much higher growth rate, but it has now been adjusted and matches the average of all industries tracked by the BLS.
In years gone by you may have been able to get away with just having an MCSA qualification to become a good systems administrator. Today, that is not nearly enough. Not only will you need to know your way around Microsoft, you will also need to become an expert in every system used by your employer.
To excel in the role of a systems administrator you must be technically gifted, and you will need to be something of a jack of all trades. New technology is frequently introduced and part of the role of a systems administrator is to get to grips with that technology quickly. After all, you will be required to configure it, troubleshoot it, and repair it as necessary. The role of the systems administrator has grown enormously since IT has become so pervasive in business.
Fortunately, it is much easier to access training and information resources than ever before. Vendor websites provide a wealth of information, Udemy and other online learning resources can easily be accessed, and social media networks and online forums allow a sys admin to tap into the knowledge of colleagues and other sys admins when help is required.
How important is certification?
You will need an MCSA certificate to get your first job, but in order to retain your position, or even to progress and get a better paid job, further qualifications may be required. But not necessarily. They look great on a CV and can impress potential employers, but experience really does count. If you know your stuff and have experience it does make sense to get certified, but never underestimate the value of experience over a piece of paper. Certification is not everything.
If you want to take on the role of a systems administrator be sure to learn these technologies!
A systems administrator should be familiar with emerging technologies, but there are some tech trends that are an absolute must to become familiar with. These include:
Voice Over IP (VoIP)
Technologies that can automate tasks performed by a sys admin
Automation of daily sys admin tasks
Automation of sys admin tasks will not mean you will be ultimately made redundant. It means you can use your time more efficiently. You will need to be familiar with the tools that allow you to automate a lot of tasks. They are essential for managing large, complex networks.
Without any automation of daily tasks, the role of a systems administrator would be an absolute nightmare. Imagine trying to keep track of system messages for a network with 1000 connected devices if you did not have a centralized logging system!
While automation is vital, it is not without its problems. Automation can make the management of a computer network easier, but on a day to day basis your job is likely to be much more complicated, especially when it comes to troubleshooting problems.
Let’s say you have a red X showing on your management dashboard. What does that red X mean? Well, it could mean any number of things. For instance:
There could be a problem with the device hosting the dashboard, or it could be caused by a routing error. It could be a cable issue, or a problem with the device itself. It may be an error with the discovery protocol, or maybe the network dashboard is faulty. Automation may save time, but it doesn’t necessarily mean it is always quicker and easier to resolve problems. It also requires a sys admin to undergo further training on the automation system itself and the equipment used to host it.
In order to be able to automate tasks you will need to learn a scripting language such as Python or Windows PowerShell. One thing is for sure. If you are planning on becoming a sys admin you will need to learn at least one scripting language before you get your first job. As for the others, they can be learned on the job.
Use of SaaS and the Cloud is Increasing
You must be familiar with cloud archiving and backups as these have proven to be invaluable in improving efficiency. Many man-hours have been cut by using the cloud for routine data operations. However, that said, there is now a need for sys admins to become familiar with APIs – Application Programming Interfaces.
With many companies now using outsourced cloud services, the sys admin’s role has become much more valuable. Without a sys admin, businesses would have no alternative but to believe what cloud service salespersons say. An experienced sys admin will be able to assess the services being offered and determine whether they have the required functionality to adequately serve the needs of the business.
The Two V’s – VoIP and Virtualization
Many companies are taking advantage of the huge cost savings possible by switching from traditional telephone services to VoIP. Unfortunately, while business leaders love the cost savings, users do not like the potential downtime. In fact, they can be pretty intolerant. They expect 99.999% uptime like they get with traditional telephony. It is therefore essential that sys admins understand network load dynamics and are able to successfully implement and maintain VoIP services.
Businesses nowadays use many virtual networks, which add new levels of abstraction. They also require advanced knowledge of switching and routing. It is therefore essential that a good working knowledge of virtualization is acquired.
The role of a system administrator requires these skills…
A study conducted by the Association for Information Systems (AIS) and Association for Computing Machinery (ACM), detailed in the IS 2010 Curriculum Guidelines, suggests an individual in the role of a systems administrator must have the following skills and attributes in order to succeed in the position:
Creative, analytical, and critical thinking skills
Excellent communication and negotiation skills
Collaboration and leadership skills
Good mathematical knowledge
Do you think you have what it takes? If you do, make sure you are aware of all the critical technologies. Work on your mathematical and communication skills, and make sure you expand your social network. Many companies are looking for experience, which can make it hard to get your first position. Hang in there. If you can prove your knowledge and demonstrate your skills, you should be able to get your first position. And we wish you the very best of luck with that.
Many people are using Microsoft Exchange for archiving email and some people do not archive email at all. Both are big mistakes. To find out why, it is important to know what true email archiving actually is.
What is email archiving?
Email archiving means more than just clearing your inbox. An email archive is a technical term used to describe a permanent and unalterable record of email data.
It is important to make a distinction between an email archive and an email backup because the two terms are frequently confused. Both are important, but they are used in different situations.
An email backup is a store of emails that can be recovered in case of emergency. If email data are lost, corrupted, or accidentally deleted, the mailbox can be restored from a backup. Email backups can be used to restore email accounts to the state they were in when the backup was made. Backups therefore need to be performed daily, but also weekly and monthly. Each time a backup is made, it will usually overwrite a previous copy. Email backups are not permanent and are not designed for long term storage.
An email archive is different. It is a tamper-proof repository for the long-term storage of email data. An email archive is useful for disaster recovery, like a backup, but in contrast to a backup, an archive is searchable, which means searches can be performed for specific email data and individual emails can be quickly found and retrieved on demand. Backups cannot easily be searched, which makes finding and recovering individual emails difficult and time consuming.
Why is it important to have an email archive?
One of the main benefits of an email archive is to reduce the storage space required for mailboxes. Smaller mailboxes are faster to search and retrieve information. The mailbox should only contain a working copy of emails from the last few days or weeks. The remaining emails should be moved to an archive where they can be retrieved as and when necessary. This eases the strain on the email server and improves performance.
Email archiving is a legal requirement in many countries around the world. It is necessary to maintain an email archive to comply with specific industry regulations, as well as country and state laws. An archive is also required for eDiscovery. If legal action is taken against a business, it must be possible for emails, and documents sent via email, to be retrieved. These must be provided during litigation.
eDiscovery can prove extremely expensive if an email archiving solution is not used. If documents or emails are requested they can be quickly found and exported from an archive. If emails need to be obtained from individual computers, or from backups, the time required to locate the emails would be considerable. You may even need to search every computer in your organization! If you run a small business and have 20 computers and email accounts, this would take quite a while. If you run a business with 10,000 computers and email accounts, you could be in real trouble if you don’t have an email archive.
Email archives must be searchable, so the organization of the archive is critical. How so? Well, that is best illustrated with an example. An executive criminal case involving Nortel Networks resulted in 23 million pages of electronic email records being delivered by the prosecution. That is a lot of data. Unfortunately, the information was in a mess because it had not been well organized. So much of a mess that Ontario Superior Court Justice Cary Boswell ordered the prosecution to re-present it to the defense in a comprehensible format. It was described as an “unsearchable morass.”
Organizing 23 million pages of emails takes a considerable amount of time. It is therefore important to get the structure of the archive correct from the outset.
Can I use Microsoft Exchange for archiving email?
Is it possible to use Microsoft Exchange for archiving email? Since the 2007 version was issued, Microsoft has included the option to use Exchange for archiving email in its journaling and personal archive functions.
However, there is a problem with using Exchange for archiving email. The journaling function does not work as a true email archive. Using Exchange for archiving email can cause many problems.
Reasons why Exchange for archiving email can cause problems for businesses
MS Exchange does not allow email in its archive to be effectively indexed and searched
Individual email account holders can create personal PSTs and store email on their computers
Individual PSTs may not meet the requirements of eDiscovery
There are no data retention configuration settings in journaling
The journaling function doesn’t really satisfy the requirements of businesses, but what about the Personal Archive? Can that be used? Unfortunately, while that does offer some enhanced email archiving functionality, using the Personal Archive of Exchange for archiving email will also cause problems.
Let us take a look at the functionality of the personal email archive in the 2010 release. Exchange 2010 is better for email archiving than the 2007 release, but there are still some major issues.
In Exchange 2010, it is possible to create a mailbox archive for each email account. The purpose of the archive is to free up space in the mailbox. This is a workaround for restrictive mailbox quotas. The archive is intended to be used as a medium-term store for additional emails that the user does not want to delete, but does not need in the mailbox for day to day operations. These are not really email archives, rather secondary mailboxes. They lack the functionality of a true email archive.
Exchange users have two options for their personal archive, regardless of whether it is located on premises or in the cloud. The archive can be configured to move messages automatically after a set period of time (based on retention tags) or the task can be performed manually as and when required.
There are two main drawbacks to using an Exchange personal archive. For many organizations the main disadvantage is the cost: It is necessary to purchase an enterprise client access license or CAL, or to purchase Office 2010 Professional Plus if Outlook is required.
Even Microsoft points out that it may not be wise to use personal archives in Exchange for archiving email, stating they “may not meet your archiving needs.” Does that seem an odd statement to make? That is because it is not a true email archive, it is a personal archive, which is quite different.
Users are able to choose what information is loaded into the personal archive. They can also delete emails from the archive. That is no good for regulatory compliance and eDiscovery. There is a workaround though. It is possible to meet certain eDiscovery and regulatory compliance requirements when using Exchange for archiving email. Users can be given Discovery Management roles, and can perform indexing and multiple mailbox searches. Unfortunately, the Control Panel in Exchange 2010 is difficult to use, especially for eDiscovery purposes.
Some of these issues have been addressed in Exchange 2013, but there are still eDiscovery issues. Users have far too much control over their personal archives and mailboxes. They have the ability to create their own policies and apply personal settings to their mailboxes and archives and can potentially bypass corporate email storage policies. Unfortunately, unless Litigation Hold or In-Place Hold is applied to each and every mailbox, the administrator is incapable of overriding settings that have been applied by each user.
Is it possible to use Microsoft Exchange for archiving email if SharePoint 2013 is used?
The issue of eDiscovery has been tackled by Microsoft. It is possible to use SharePoint 2013 to perform searches of all mailboxes, but there are even problems with this added eDiscovery feature.
For a start, it is necessary to buy SharePoint 2013 (or later versions) and that has a cost implication. It is also necessary to use cloud storage and keep the data on an Exchange server, otherwise the In-Place Discovery tools of Exchange will not work.
There is another issue. That is the storage space you will require. Every email that has ever been sent or received through MS Exchange will need to be stored. Over time your email “archive” will become immense. Over 90% of the emails stored in that archive will never need to be accessed. It will involve paying an unnecessary cost and searching through all those emails will take a long time. Recovering emails will be particularly slow.
A true archive will remove a significant proportion of the 90% of emails that you will never need to access, and search and recovery time can be greatly reduced.
You cannot consider the archiving function of MS Exchange to be a true email archive that will meet all compliance and eDiscovery needs.
Important Considerations for GDPR Compliance
In May 2018, the EU’s General Data Protection Regulation (GDPR) took effect. The regulation requires strong measures to be put in place to prevent the loss, theft, or unauthorized disclosure of emails containing the personal data of EU citizens. Measures are also required to prevent the unauthorized modification of email data and policies must be introduced to delete emails once the lawful basis for retaining them has expired.
GDPR also gives citizens rights about how their personal data is obtained, processed, shared, and retained. Citizens can request access to their personal data, check that it is up-to-date and complete, and request it is deleted under certain circumstances. In order to respond to data access requests within the thirty days allowed, companies should have an indexed, searchable method of complying with the requests – something not guaranteed with Microsoft Exchange.
It is also important to note that GDPR applies to every company that obtains, processes, shares or retains EU citizens’ personal data regardless of where the company is located. Non-compliance with GDPR can result in fines of up to €20 million (c. $24.5 million) or 4% of global turnover, so it is recommended companies using Microsoft Exchange – with or without SharePoint 2013 – adopt a new approach to email archiving.
The ArcTitan approach to email archiving
ArcTitan is a true email archiving solution that has been custom designed to meet compliance and eDiscovery requirements, and meet all data retention requirements. ArcTitan is a cloud-based email archiving solution that stores archived email data on Replicated Persistent Storage on AWS S3 and all email data is backed up automatically.
Email archiving takes place at a rate of 200 messages a second and when searches need to be performed, email recovery is lightning fast. You can search your archive at a rate of 30 million emails a second.
ArcTitan acts as a black box flight recorder for your email and will ensure that come what may, you will never lose an email again.
Ireland is famous for many things, but cybersecurity technology would not come top of many people’s lists of famous Irish exports. However, that is fast changing thanks to an Irish cybersecurity firm called SpamTitan Technologies.
Irish CyberSecurity Company Ranks in Cybersecurity Ventures’ Top 125
SpamTitan Technologies is the top Irish cybersecurity firm according to the recent “Cybersecurity 500” list produced by the California security research organization Cybersecurity Ventures, having been ranked in position 123 out of the top 500 firms.
Cybersecurity Ventures compiled the list of the world’s top internet, email, and network security firms to help companies of all sizes pick the most appropriate IT security partners. The CV top 500 list is aimed at IT security professionals, CISOs, CIOs and VCs, and helps them to find the best products and best partners to assist them keep their confidential data secured and their networks protected from attack.
No company pays to be included in the list, and the companies are not selected on size or revenue. Instead they are chosen based on the quality of the products and services offered. The list is compiled by obtaining recommendations from security experts on the efficiency, effectiveness, speed, ease of implementation, and usability of the products.
Galway-based SpamTitan Technologies is an up and coming Irish cybersecurity firm that specializes in developing powerful solutions that allow small to medium sized enterprises to tackle the growing problem of hacking, data theft, and sabotage. Online criminals are targeting corporations of all sizes and many small to medium sized businesses are struggling to repel attacks. There are many possible attack vectors and the threat landscape is constantly changing, but some of the biggest threats to data and network security are targeting employees. Workers are widely regarded as the weakest link in the security chain.
SpamTitan Technologies provides powerful, cost-effective, and easy to implement email and Internet security solutions that help businesses increase protections against malicious outsiders. The company’s products help businesses reduce the risk of data breaches and network infiltration by keeping employees’ devices protected and reducing the opportunities given to cybercriminals to launch an attack.
Over the past couple of years there has been a decline in the volume of spam emails being sent. Just a few years ago over 70% of the total number of emails sent were actually spam. Botnets have recently been taken down and one of the world’s most active spammers has been arrested. This year spam email accounted for just under 50% of total email volume.
This is certainly good news. Less time is spent dealing with annoying emails. However, the risk of harm to equipment and finances does not appear to be reducing at the same rate. In fact, the risk of suffering losses due to the activities of cybercriminals is increasing. Spam email volume may be decreasing, but the quality and sophistication of spam email attacks has increased. Spam email still represents a major threat to businesses.
SpamTitan Technologies is tackling the issue. The company’s Anti-Spam solutions use two powerful anti-virus engines to scan incoming and outgoing email, with independent tests showing a catch rate of 99.7%, while the false positive rate is virtually zero. Less spam is delivered to employees’ inboxes, reducing the risk of malware and viruses being delivered.
The Irish cybersecurity firm also offers protection from the growing online phishing threat. Spam email volume is falling, but the number of malicious websites being created is increasing. Online criminals are switching their mode of attack and are targeting Internet and social media users. SpamTitan Technologies’ WebTitan web filtering solution offers protection from phishing websites and sites containing malicious code. Phishing attempts are blocked, users are prevented from visiting malicious websites, and their computers are kept free from malware. So are the networks those computers connect to.
There may not be many Irish cybersecurity firms in the list – just three in fact – but SpamTitan has been rated the hottest prospect and is the Irish cybersecurity company to watch in 2015. NetFort was also named in the list, with the Network Security monitoring company just creeping into the top 500 list at position 498. PixAlert, the IT governance and compliance firm, placed inside the top 350 global firms at position 332.
President Barack Obama is set to propose new US cybersecurity legislation this week in an effort to tackle the growing problem of cybercrime. Recent high profile hacks on government organizations have caused considerable embarrassment and there is growing concern that the US government is losing the war on cybercrime and that it can do little to prevent attacks from foreign-government backed hacking groups.
New US cybersecurity legislation will increase the government’s power to prosecute cybercriminals
New US cybersecurity legislation is seen as the answer to the government’s inability to prevent cyberattacks. Better intelligence is required, along with new powers to pursue criminals and to take action over criminal activity that takes place outside US borders.
Currently private companies are unwilling to share cyberthreat intel with the government, and improved collaboration and intel sharing with the private sector is seen as critical in the fight against cybercrime.
The proposed US cybersecurity legislation would make it much easier for the courts to take action to shut down criminal botnets and would discourage the sale of spyware. It would also expand the current Racketeer Influenced and Corrupt Organizations Act. This would give the government greater power to prosecute individuals engaged in cybercriminal activity, such as the selling or renting of botnets. It would also increase the government’s power to prosecute for the selling of government information outside US geographical boundaries.
The new US cybersecurity legislation is being pushed through in the wake of a particularly embarrassing hack of the U.S. Central Command’s Twitter account. Hackers managed to gain access to the Twitter account and post pro-ISIS content. Action was already being planned following a host of major cybersecurity incidents such as the attack on Sony, which has been attributed to a hacking team backed by North Korea. The Twitter hack was the last straw for many, and will be used to help push through the new legislative package.
In the words of President Obama, the attacks “show how much more work we need to do, both public and private sector, to strengthen our cybersecurity.”
US cybersecurity legislation to offer private companies targeted liability protection
Private companies will be forced to share their cyberthreat intelligence with the government, although they will receive “targeted liability protection.” Even President Obama admitted to not knowing exactly what that meant.
The problem with sharing intelligence data is the threat of subsequent lawsuits. The liability protection is supposed to relieve any fears of legal action for the disclosure of information, although private companies may require more convincing.
Under the current proposals, private companies would be permitted to remove information about individuals before sharing data. Previous attempts to introduce new US cybersecurity legislation have failed due to the unwillingness of private companies to leave themselves wide open to litigation.
Part of the new legislative package is likely to include a new data breach notification law that would require all organizations to report hacking incidents to the government as well as requiring them to provide further information about cybersecurity breaches and data theft to consumers.
While few would argue that new US cybersecurity legislation is required, many privacy proponents are uncomfortable with the wording being used in the proposed legislative package, which they claim is intentionally vague.
It is not only firms in the financial services, education, and healthcare industries that need to be aware of business data retention laws. All companies in the United States must comply with business data retention laws, even if a firm is not covered under HIPAA, Gramm-Leach-Bliley, Dodd-Frank, or SOX. The same applies to companies that do business with citizens of the European Union, as the EU also has business data retention laws.
It is a crime to violate business data retention laws
Did you know that the simple act of permanently deleting an email could get you in legal trouble? If you delete the contents of a backup tape, or reuse the wrong one, criminal charges may even be filed. Sentences of up to 20 years in jail are possible if data is deleted with malicious intent. The deletion of data is a serious crime. If a business operating in the financial sector is audited and cannot show auditors certain emails, the SEC (Securities and Exchange Commission) is likely to issue a heavy fine.
The laws covering data are complex. Different regulations call for different data retention periods. Some states have implemented data retention laws with even stricter controls than federal regulations. Companies providing services to organizations in different business sectors may have to comply with different laws depending on the firm they are currently working with. As a precaution, many companies in the United States decide to keep data indefinitely. Getting something wrong is too easy, and the consequences far too serious to take any chances.
When backing up data, including emails, backups should be created and stored securely off-site. Backups need to be physically secured, and should be encrypted to prevent unauthorized access. They must also be tamper-proof. In the event of an emergency, it must be possible to restore data in its entirety. Information will need to be retrieved in its original form for eDiscovery or to provide to auditors.
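The "tamper-proof" and "original form" requirements above are only meaningful if you can later prove that what you restore is byte-for-byte what you archived. The following is an added example (not code from this page, TitanHQ or ArcTitan) of one way to do that with the Python standard library: every archived message gets a SHA-256 digest, the digests are chained into an HMAC manifest under an operator key, and the final chain value ("head") is recorded out of band at backup time. The message ids, the three sample messages and the key are all constructed for the example; a real deployment would keep the key and the recorded head on a system that archive writers cannot reach.

```python
import hashlib
import hmac
import json
from email import message_from_string

# Constructed sample mailbox (message id -> raw RFC 5322 text); not real data.
SAMPLE_MESSAGES = {
    "msg-0001": (
        "From: alice@example.com\r\nTo: bob@example.com\r\n"
        "Subject: Q3 invoice\r\nDate: Mon, 05 Jan 2015 10:00:00 +0000\r\n\r\n"
        "Please approve the attached Q3 invoice.\r\n"
    ),
    "msg-0002": (
        "From: bob@example.com\r\nTo: alice@example.com\r\n"
        "Subject: Re: Q3 invoice\r\nDate: Mon, 05 Jan 2015 11:30:00 +0000\r\n\r\n"
        "Approved, please file it.\r\n"
    ),
    "msg-0003": (
        "From: carol@example.com\r\nTo: alice@example.com\r\n"
        "Subject: Audit request\r\nDate: Tue, 06 Jan 2015 09:15:00 +0000\r\n\r\n"
        "Auditors need all Q3 invoice correspondence by Friday.\r\n"
    ),
}

# Assumed operator secret (constructed). Keep it outside the archive, e.g. in an
# HSM or secrets manager, so whoever can write the archive cannot re-sign it.
MANIFEST_KEY = b"constructed-example-key-not-for-production"


def message_digest(raw: str) -> str:
    """SHA-256 over the exact text stored, so any edit to headers or body changes it."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def _link(key: bytes, prev_mac: bytes, msg_id: str, digest: str) -> str:
    """HMAC for one manifest entry; including prev_mac ties each entry to its predecessor."""
    data = prev_mac + msg_id.encode("utf-8") + digest.encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(messages: dict, key: bytes):
    """Return (entries, head). Entries are sorted by id; head is the last link's HMAC
    and should be written to a separate, write-once record at backup time."""
    entries, prev = [], b""
    for msg_id in sorted(messages):
        digest = message_digest(messages[msg_id])
        mac = _link(key, prev, msg_id, digest)
        entries.append({"id": msg_id, "sha256": digest, "hmac": mac})
        prev = bytes.fromhex(mac)
    return entries, (entries[-1]["hmac"] if entries else "")


def verify_archive(messages: dict, entries: list, recorded_head: str, key: bytes) -> list:
    """Re-check every stored message against the manifest, and the manifest against the
    key and the out-of-band head. Returns a list of findings; an empty list means intact."""
    findings, prev, listed = [], b"", set()
    for entry in entries:
        msg_id = entry["id"]
        listed.add(msg_id)
        raw = messages.get(msg_id)
        if raw is None:
            findings.append(f"missing: {msg_id}")        # deleted or unrestorable message
        elif message_digest(raw) != entry["sha256"]:
            findings.append(f"modified: {msg_id}")       # content differs from what was archived
        expected = _link(key, prev, msg_id, entry["sha256"])
        if not hmac.compare_digest(expected, entry["hmac"]):
            findings.append(f"manifest tampered at: {msg_id}")  # entry edited, inserted or reordered
        prev = bytes.fromhex(entry["hmac"])
    last = entries[-1]["hmac"] if entries else ""
    if not hmac.compare_digest(last, recorded_head):
        findings.append("head mismatch: manifest truncated or replaced")
    for msg_id in messages:
        if msg_id not in listed:
            findings.append(f"unlisted: {msg_id}")       # message the manifest never covered
    return findings


def subject_of(raw: str) -> str:
    """Shows the archived text still parses as an ordinary message for eDiscovery."""
    return message_from_string(raw)["Subject"]


if __name__ == "__main__":
    entries, head = build_manifest(SAMPLE_MESSAGES, MANIFEST_KEY)
    print(json.dumps(entries, indent=2))
    print("intact:", verify_archive(SAMPLE_MESSAGES, entries, head, MANIFEST_KEY))
    altered = dict(SAMPLE_MESSAGES)
    altered["msg-0002"] = altered["msg-0002"].replace("Approved", "Rejected")
    print("after edit:", verify_archive(altered, entries, head, MANIFEST_KEY))
```

The chain and the separately recorded head are what make deletion detectable: removing a message and its manifest entry breaks the HMAC link of the next entry, and trimming entries off the end no longer matches the head. Encryption at rest is a separate layer and is not shown here; it protects confidentiality, while this manifest protects integrity, and an audit-ready archive needs both.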
If you are unsure about the regulations that cover data retention and which laws you must comply with, a brief summary is listed below. Please bear in mind that data retention laws are updated from time to time. At the time of publication, the information contained in this article is up to date and correct.
HIPAA – The Health Insurance Portability and Accountability Act (1996)
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and covers healthcare providers, healthcare clearinghouses, health insurers and business associates of HIPAA-covered entities. The legislation was signed into law by Bill Clinton, and was initially intended to protect Americans and retain their insurance coverage while between jobs.
Since its introduction, the legislation has been updated with stricter requirements concerning data privacy and security and calls for safeguards to be implemented to ensure that Protected Health Information (PHI) is secured at all times. Rules were introduced to protect the privacy of patients and dictate when, and to whom, data can be disclosed. HIPAA also stipulates the actions that must be taken if data is accidentally exposed. HIPAA requires medical data to be retained for a minimum of six years after the last date of treatment. However, some states require data to be kept for 6 years or longer. HIPAA is only a minimum standard. States are permitted to introduce even stricter business data retention laws.
SOX – Sarbanes-Oxley Act (2002)
The Sarbanes-Oxley Act of 2002 was introduced in the wake of the Enron scandal. Businesses must be able to verify the accuracy of their financial statements. It is all well and good for a company to report to investors and stakeholders that everything is financially in order, but they must be able to prove that is the case. In the case of Enron, the information provided was deliberately inaccurate. SOX was introduced to protect investors from fraud.
Under SOX, all financial data must be retained for a minimum period of seven years, which extends to email, since email is often used to communicate financial information. Email communications discussing business operations must also be retained for 7 years.
UK business data retention laws
In the UK, business data retention laws apply, although different time scales apply to different data types and formats. A UK business must keep records of accounts for 3 years, although businesses in financial services must keep data for six years. Emails must be kept for a year, as must text messages. If you are an Internet Service Provider (ISP) you must keep logs of Internet connection data for a period of a year, and ISPs and web hosts must keep records of the websites their customers have visited for a period of four days.
European business data retention laws
In Germany, all business communication data must be retained for a period of six years, although data relating to accounts and payroll must be kept for a decade. Different laws apply throughout Europe and are beyond the scope of this post. If you want to find out more about the different business data retention laws in Europe, take a look at the guide produced by Iron Mountain on this link.
Email Retention Periods in the United States
Data retention law – Who must comply – How long data must be stored
Freedom of Information Act (FOIA) – Federal, state, and local agencies
Sarbanes Oxley Act (SOX) – All public companies
Department of Defense (DOD) Regulations
Federal Communications Commission (FCC) Regulations
Federal Deposit Insurance Corporation (FDIC) Regulations – Banks and financial institutions
Food and Drug Administration (FDA) Regulations – Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products – Minimum of 5 years rising to 35 years
Health Insurance Portability and Accountability Act (HIPAA) – Healthcare organizations (healthcare providers, health insurers, healthcare clearinghouses and business associates of covered entities)
Payment Card Industry Data Security Standard (PCI DSS) – Credit card companies and credit card processing organizations
Securities and Exchange Commission (SEC) Regulations
Data backups should be performed on a daily basis, and those backup tapes should be stored securely off-site for the period of time dictated by industry regulations. Email is best stored in an archive. Archives are searchable and convenient. If an email is accidentally deleted and needs to be recovered, an email archive will allow this. It is far easier to restore an email from an archive than to restore an entire email account from a backup tape.
ArcTitan is a convenient and cost-effective solution for archiving emails to meet data retention requirements. ArcTitan features a natural language interface that allows searches to be performed, and individual emails can be rapidly located and restored. ArcTitan is lightning-fast, and can search 30 million emails a second, while emails are sent to the cloud-based archive at a rate of 200 messages a second.
ArcTitan indexes email headers, sender/receiver, subject, message body, and attachments separately, and indices are distributed across Apache Solr instances simultaneously. Raw email data is encrypted at rest and in transit to the archive and is stored on replicated persistent storage. ArcTitan acts as a black box flight recorder for email. Come what may, you will never lose an email and will be able to recover emails quickly when you need them.
If you want to ensure compliance with business data retention laws, and have the flexibility to be able to retrieve old email data for audits (and when users accidentally delete important emails), ArcTitan is the answer.