Archive for January, 2013
Just glancing at 2012 data breach statistics is enough to make governance, risk and compliance
officials cringe: There were 1,478 data breaches reported worldwide last year — 35% more than in
2011, according to an Online Trust Alliance
But there’s something of a bright side to these stats: Almost all the incidents could have been
avoided by implementing such simple steps as following data security
and privacy best practices and internal controls, according to the OTA.
“When you think about data governance, data collection and data protection, it’s really everyone’s job within an organization.”
Craig Spiezle, executive director and president, Online Trust Alliance
“We are, more and more, becoming a data-driven economy,” said OTA Executive Director and
President Craig Spiezle. “As we think about the increase in data-location data and various data
types, it creates a tremendous opportunity for business. But it also creates a tremendous
opportunity for businesses to lose data that is extremely personal.”
To raise data security and privacy awareness, the nonprofit OTA released its 2013 Data Protection
Breach Readiness Guide in recognition of Data Privacy Day earlier
this week. The OTA also has held a series of town hall meetings across the country to promote data
security and privacy best practices.
Data protection concerns don’t end with the increased number of data security breaches and
cybercrime incidents, either. The increased popularity of geolocation applications, as well as the
use of complex data analytics and data appending, have led to regulatory concerns regarding the
use, control and sharing of personally
The increased use of mobile devices and accompanying bring-your-own-device
programs also contribute to data security and privacy concerns. Mobile devices generate information
that includes unique identifiers and location data, while users are mostly unaware of what data is
being collected, how it is being used and who has access to it. As a result, data incidents and
identity theft are increasingly occurring through accidental device loss and cybercrime.
“We’re seeing a lot of issues that are caused by the low-hanging fruit, the simple things that
just don’t get done,” said Aaron Weller, managing director of data protection and privacy practice
Inc., one of the sponsors of the OTA’s town hall meetings. “You see people every day using
unencrypted USB keys and losing thousands of records. It’s not always the hard stuff that hurts
you. Oftentimes, it’s the simple stuff.”
The benefits of data security and privacy
All companies, regardless of size or business sector, can benefit from implementing data
privacy programs, a data protection strategy and data-loss incident readiness plans, according
to the OTA. Some of the steps — and their accompanying benefits — include:
compliance risk by encrypting all data and placing credit card information into a separate
- Creating a well-integrated plan with all departments involved, including legal, information
security, client services, IT, public relations, marketing, operations and investor relations.
- Depending on the type of data involved and the jurisdiction of state attorneys general, provide
customers with a timely notification and offer consumers reasonable protective measures to help
them protect themselves.
The OTA advises that broad sets of operational and technical best practices help protect a
company and its customers’ personal data. By developing a data
lifecycle plan, organizations can respond with immediacy and consistency, Spiezle said. “It’s
important for businesses to take a data stewardship position on the data they collect, and to make
sure they have plans in place,” he said. “By adhering to best practices that are attempting to
prevent, mediate and respond to threats, I think we all benefit.”
The OTA suggests organizations thoroughly evaluate data from its acquisition through its use,
storage and destruction. It’s important to balance any data-related regulatory requirements
with business needs and consumer expectations, according to the alliance.
security and privacy can be very costly to business: The average cost of a data breach to
businesses is $5.5 million, according to the OTA report. Businesses often make data security and
privacy more tenuous by rendering it strictly an IT problem, Spiezle said. “I think if we think of
it as an IT issue, we set ourselves up for failure,” he said. “When you think about data
governance, data collection and data protection, it’s really everyone’s job within an
Simple steps — such as properly training employees on how to handle the data and why some
information requires more attention than other information — are vendor-neutral processes
that organizations can easily implement, Spiezle said. In 2012, 26% of reported breaches stemmed
from internal employee
misconduct or accidental disclosures — and more are expected in 2013.
“That’s where there is some opportunity for organizations to think about what the real risks
are, and what controls should be put in place,” PriceWaterhouseCoopers’ Weller said about
employee-level data security and privacy controls. “It’s not always about spending a lot of money
to address some of these issues.”
Let us know what you think about the story; email Ben Cole, associate editor. For IT compliance
news and updates throughout the week, follow us on Twitter @ITCompliance.
Posted: Thursday, January 31, 2013 2:24 pm
Updated: 3:10 pm, Thu Jan 31, 2013.
Possible data breach at local restaurant
January 31, 2013
The Works Bakery Cafe may have suffered a security breach.
Some customers who used their credit and/or debit cards at the restaurant, which has a branch on Main Street in Keene, say their accounts have been compromised.
James Boffetti, an attorney for the N.H. Attorney General’s Office Consumer Protection Division, said Thursday that the office is aware of the possible data breach, but hasn’t received any customer complaints. However, Boffetti believes the restaurant will handle the matter properly.
“I have full confidence that (The Works) is doing and will do exactly what is required of them in terms of notifying this office. I have assurances that that, in fact, will happen,” Boffetti said.
Richard French, president of The Works, did not return multiple phone calls Thursday.
However, in a statement to the Brattleboro Reformer, he said, “Federal and state law enforcement agencies were promptly notified by the Works Cafe and are conducting an investigation into the allegations. The nature of the ongoing investigation limits what can be disclosed about it at this time.”
The Works also has locations in Brattleboro and in Concord, Durham, Manchester and Portsmouth, and Portland, Maine.
No further information was available.
Danielle Rivard can be reached at [email protected] or 352-1234 ext. 1435. Follow her on Twitter @DRivardKS.
While Android malware continues to grow faster than other malware types, it still accounts for only a minute fraction of all malware on the Web, according to Cisco’s annual security report released this week.
Compromised websites hosting malicious Java and iFrame attacks and other malware far and away outpace all other delivery vectors for malware, Cisco’s report said.
“These types of attacks often represent malicious code on ‘trusted’ webpages that users may visit every day— meaning an attacker is able to compromise users without even raising their suspicion,” the report added.
Infecting benign sites with malware remains at the heart of malware propagation, as attackers continue to find great success delivering malware through infected banner ads on websites, malicious media files or iFrame redirects.
“Web malware encounters occur everywhere people visit on the Internet—including the most legitimate of websites that they visit frequently, even for business purposes,” said Mary Landesman, senior security researcher with Cisco. “Indeed, business and industry sites are one of the top three categories visited when a malware encounter occurred. Of course, this isn’t the result of business sites that are designed to be malicious.”
Malicious scripts, including iFrame attacks, accounted for 83 percent of attacks, Cisco said. Exploits delivered malware in almost 10 percent of attacks, followed by data-stealing malware, downloaders, worms and viruses.
Dynamic content on mainstream websites represented 18.3 percent of the delivery mechanisms exploited by malware. Online syndicated advertising was next, followed by business and industry websites, gaming sites, web hosts, and search engines and portals.
“The majority of encounters happen in the places that online users visit the most—and think are safe,” the report said.
Despite the explosion of Android malware, mobile malware accounted for less than half a percent of all malware encounters, according to the report. Malicious applications deliver the majority of mobile malware, in particular on the Android platform. Most security incidents occur because users either jailbreak devices or install applications from untrusted third-party app stores.
As the recent spate of zero-day vulnerabilities in Java pointed out, attackers find it most efficient to target cross-platform technologies such as Java, or third-party apps such as Adobe Flash or Reader, for example. The availability and ease of use of exploit kits makes it that much simpler for attackers to deliver malware. In the Cisco report, Java accounted for 87 percent of exploits reported in the survey, dwarfing the number of PDF, Flash and ActiveX attacks.
“With over three billion devices running Java, the technology represents a clear way for hackers to scale their attacks across multiple platforms,” the report said.
Mirroring a similar state-of-the-industry report released this week by Arbor Networks, Cisco identified distributed denial of service attacks as another means of disrupting online services. Hacktivists were behind the banking DDoS attacks of late 2012, which in particular targeted DNS infrastructure with amplification and reflection attacks. These attacks use DNS recursive resolvers to increase how much attack traffic is sent to a victim, the report said.
“We are seeing a trend in DDoS, with attackers adding additional context about their target site to make the outage more significant,” says Cisco’s Gavin Reid. “Instead of doing a SYN flood, the DDoS now attempts to manipulate a specific application in the organization—potentially causing a cascading set of damage if it fails.”
The average throughput in DDoS attacks went up 27 percent to 1.57 Gbps, demonstrating how much of an anomaly the DDoS attacks against the major banks were. Those topped out at 100.84 Gbps, Cisco said, and lasted upwards of 20 minutes at a time. Attackers there were able to fire bad traffic simultaneously to different targets, another rarity in DDoS attacks.
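The reflection mechanism the report describes has a characteristic on-the-wire shape a defender can look for: a host receives large DNS responses from many open resolvers to queries it never sent, because the attacker forged the victim's address as the query source. The following is an added example, not code from the Cisco or Arbor reports, that scans a set of DNS flow records for exactly that pattern and estimates the amplification factor. The flow records, the documentation-range addresses, the `ASSUMED_QUERY_BYTES` constant and the `min_resolvers`/`min_bytes` thresholds are all constructed assumptions; a real deployment would tune them against its own traffic baseline.

```python
"""Flag likely DNS amplification/reflection traffic in DNS flow records.

Added example (not from the Cisco report). Every flow below is constructed,
using RFC 5737 documentation address ranges rather than real hosts.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsFlow:
    src: str          # sender of this packet (the resolver, when it is a response)
    dst: str          # receiver of this packet
    size: int         # bytes on the wire
    is_response: bool
    qtype: str        # query type seen in the packet (A, AAAA, ANY, ...)


# Constructed sample: 10.0.0.5 behaves normally, 10.0.0.7 gets one stray late
# response, 10.0.0.9 receives large ANY responses from four resolvers it never
# queried, which is the reflection signature.
SAMPLE_FLOWS = [
    DnsFlow("10.0.0.5", "192.0.2.53", 64, False, "A"),
    DnsFlow("192.0.2.53", "10.0.0.5", 180, True, "A"),
    DnsFlow("10.0.0.5", "192.0.2.53", 70, False, "AAAA"),
    DnsFlow("192.0.2.53", "10.0.0.5", 210, True, "AAAA"),
    DnsFlow("192.0.2.53", "10.0.0.7", 200, True, "A"),
    DnsFlow("198.51.100.1", "10.0.0.9", 3100, True, "ANY"),
    DnsFlow("198.51.100.2", "10.0.0.9", 2900, True, "ANY"),
    DnsFlow("198.51.100.3", "10.0.0.9", 3300, True, "ANY"),
    DnsFlow("198.51.100.4", "10.0.0.9", 3000, True, "ANY"),
]

# Assumption: a spoofed query that provokes a large answer is itself small.
# The victim never sent it, so its size has to be estimated rather than measured.
ASSUMED_QUERY_BYTES = 64


def find_reflection_victims(flows, min_resolvers=3, min_bytes=5000):
    """Return {victim_ip: summary} for hosts receiving unsolicited DNS responses.

    An unsolicited response is one whose (dst, src) pair has no matching
    outbound query in the same flow set. A single stray response is normal
    (retransmits, late answers), so a host is only reported when responses
    arrive from at least min_resolvers distinct resolvers and total at least
    min_bytes. The amplification estimate divides the bytes received by the
    assumed size of the queries the attacker forged.
    """
    queried = {(f.src, f.dst) for f in flows if not f.is_response}
    unsolicited = defaultdict(list)
    for f in flows:
        if f.is_response and (f.dst, f.src) not in queried:
            unsolicited[f.dst].append(f)

    victims = {}
    for host, responses in unsolicited.items():
        resolvers = {f.src for f in responses}
        total = sum(f.size for f in responses)
        if len(resolvers) >= min_resolvers and total >= min_bytes:
            victims[host] = {
                "resolvers": len(resolvers),
                "bytes": total,
                "amplification": round(total / (len(responses) * ASSUMED_QUERY_BYTES), 1),
                "qtypes": sorted({f.qtype for f in responses}),
            }
    return victims


if __name__ == "__main__":
    for victim, summary in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {summary['resolvers']} resolvers, {summary['bytes']} bytes, "
              f"~{summary['amplification']}x amplification, qtypes={summary['qtypes']}")
```

Two design points matter in practice. The check keys on the absence of an outbound query rather than on packet size alone, because a legitimate recursive lookup can also return a large answer; and the thresholds exist so that a single late or duplicated response (host 10.0.0.7 above) does not page anyone. Lowering both thresholds to zero shows the stray response too, which is useful when validating the logic against a capture.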
Other noteworthy trends mentioned in the Cisco report:
- Spam was down 18 percent worldwide, with India, the United States and Korea the top three originators of spam messages;
- The top spoofed brands, in order: prescription drugs; luxury watches; credit cards; business reviews; professional networks.
- 91 percent of young consumers believe the age of privacy is over; one-third are not concerned about data about them that is captured and stored;
- 45 percent of young consumers believe their online identity is different from offline; only eight percent believe the two are the same.
- Large companies with more than 25,000 employees are 2.5 times more at risk for running into malware online.
There aren’t many things that count as surprises anymore in the security industry. And the news today that The New York Times was penetrated by a team of Chinese attackers who apparently had access to large amounts of employee emails for several months certainly doesn’t fall into that category. It would be news if these attackers weren’t targeting The Times and other large media companies. What’s interesting and novel is that the company decided to out itself as a victim, signing up for what may be a large dose of public scorn and derisive laughter.
There are a number of ways that one can look at The Times hack, and they run the gamut from an indifferent shrug to casual interest to some kind of outrage. The chosen response likely has a lot to do not just with your knowledge of the threat landscape, but also with your thoughts on how victims of these kinds of attacks should handle them. For most people who follow events in the security world on even a somewhat regular basis the attack on The Times will be just another headline. Attackers from China are suspected of having run similar operations against U.S. defense contractors, military networks and dozens of large enterprises in the last few years. This is simply one more brick on the pile.
Casual observers, on the other hand, may read the story and think, How can such a large and financially successful company not have better security? It’s a version of the same question that people ask after every one of these publicly disclosed attacks: How can the Pentagon/Google/RSA get hacked?
The answer, of course, is that everyone can be hacked.
The Times was targeted apparently because of a story the paper had published that was unflattering to the Chinese government. Soon after the story ran in October, attackers began targeting the company with what turned out to be a months-long campaign in which they succeeded in stealing the corporate passwords for every employee of the paper. Quite a nice haul. But outside of the name of the victimized company, it’s not anything that would make security people sit up and take notice.
The reaction from The Times officials is what’s been quite interesting. The company didn’t simply issue a one-paragraph press release or note for investors. That might have been the route they took had the attackers gone after customer data rather than employee emails, but the nature of this attack and the way that it affected the company were somewhat unusual.
Now, one could argue that the paper took the approach that it did because it is a media company and news is news. A sexy story about Chinese APT attackers targeting Times journalists in retaliation for investigative reporting is sure to draw some eyeballs. Dole out some carefully chosen details, leave a lot of others out, and sell a bunch of papers.
Certainly The Times piece is light on the technical details of the attack, simply talking about what sounds like a typical spear-phishing attack that used compromised PCs in other organizations as staging points. That’s the way these things work, and the company didn’t break any new ground with those bits of information. But what officials at The Times may have done is shown the way for other companies that find themselves in a similar situation. No longer do victimized organizations need to sit still and say nothing, hoping that the details of an attack will never come out. The days when companies are painted as negligent or careless simply for being hacked appear to be retreating.
This is a good thing. As Adam Shostack points out in his post on the attack, this could be the beginning of something new.
“Me, I believe it’s culture change, but am aware of the risk of confirmation bias. When I think back to 2008, I think the peanut gallery would have been pointing and giggling, and I think we’re over that,” he said.
I think he’s right. But there is more change needed. The Times should provide more technical details about the attacks, giving security teams at other likely targets the ability to learn from any mistakes and analyze the response from the company’s staff. Details about the initial phishing emails would be helpful, as well, to give the rank and file employees the chance to identify malicious messages and an idea of what to do about them. And maybe that will be forthcoming. But even if not, this is a good step and seeing that The Times took that step should give other companies the courage to do likewise.
The Chinese group behind the targeted attack on the New York Times was laser focused on accessing the email of a reporter and the newspaper’s former Beijing bureau chief to the point that it used an inordinate number of custom malware samples to get the job done.
“In terms of statistics, 45 [custom malware samples] as a ratio to the number of computers involved, 53, is a high ratio,” said Richard Bejtlich, chief security officer of Mandiant, the forensics firm hired by the Times to investigate the targeted attack. “Usually, you’ll see one or two for the relatively small number of systems involved.”
Bejtlich said the attackers were focused on accessing the journalists’ emails in order to learn more about the sources used in a Times article published Oct. 25 delving into alleged corruption involving Prime Minister Wen Jiabao and the close to $3 billion fortune he has amassed since taking power. China has been strident in using such intrusions to monitor coverage of the country by U.S. media; the Wall Street Journal reported today that it too has been targeted by attackers from China.
Using that much malware enabled the attackers to maintain persistence within the Times network and be able to react quickly as the Times’ IT department and incident response teams from Mandiant would cut off access from particular IP addresses.
“They may have put tools on [53 computers], but there were hundreds of other machines they had access to,” Bejtlich said. “The number of machines they accessed was low because they were focused on the two individuals here.”
The reporter, David Barboza, and Jim Yardley, former bureau chief in China, both had their corporate email accounts compromised. The attackers also stole every Times employee’s corporate password in an incursion that lasted more than four months.
Executive editor Jill Abramson said no emails or files from the Jiabao story were accessed, downloaded or copied. Also, no customer data was compromised, officials said, adding that the attackers have been removed from the corporate network. The Chinese denied involvement in the attacks, a Times article today said.
Mandiant, however, has extensive experience in dealing with APT-style incursions from China and quickly pinned characteristics emanating from this attack on a particular group it had seen before. The group developed, or commissioned the development of, tools that would access the two individuals’ email accounts, as well as malware purpose-built for persistence and proliferation within the Times network, Bejtlich said.
“There’s no evidence this extended beyond the Times’ infrastructure. The credentials they had access to were domain credentials like those used for Windows domain,” Bejtlich said when asked if any personal home computers were attacked. “Home computers would not be part of that domain.”
The attacks ramped up with the Oct. 25 publication of the article; the Times said it was warned by Chinese government officials on Oct. 24 of consequences should the article be published.
The Times reached out to its carrier, AT&T, and asked to be alerted of suspicious activity on its computer network. On the 25th, AT&T said it was seeing activity that had similar characteristics to other attacks carried out by the Chinese government and military. Mandiant, which was hired Nov. 7, told the Times that compromised university computers in four states along with a handful of small business computers and ISPs were used to route the attacks to the newspaper.
As is the case with most targeted attacks, this one likely started with a spear-phishing email. Bejtlich said Mandiant has not been able to find a phishing email or site, though the company does suspect that was the initial infection vector. Likely, an employee was tricked into opening an infected attachment or clicking on a link to a malicious website that enabled the attackers to get onto the Times’ network with legitimate credentials. From there, investigators said, they were able to plant malware, including backdoors, which enabled the attackers to communicate with compromised computers.
Mandiant’s investigation concluded that the attackers were on the Times network for two weeks before finding the domain controller that managed corporate access to resources. Eventually they were able to crack Barboza’s email account and read messages and documents from the Times’ email server in an apparent attempt to get at the reporter’s sources, the article said.
Bejtlich said his company’s investigators were able to match the activity used in this attack to a particular group of Chinese attackers using a suite of indicators of compromise that Mandiant has built over the years.
“We identify systems with problems and collect forensic artifacts and match those with threat groups we’ve been tracking for years to see if they match,” he said. “We look for certain tools or command and control infrastructure that are earmarks used by certain groups. Then we’ll go through a second process to see if we can narrow that down.”
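The two-pass process Bejtlich describes (match collected artifacts against indicator sets kept per threat group, then narrow the candidates) is easy to get wrong when a single indicator, such as the hash of a commodity tool, is shared by several groups. The following is an added example, not Mandiant's code or indicators, that implements that workflow over constructed data: every hash, mutex and `.invalid` domain below is a placeholder, the three hosts are invented, and the rule that attribution requires overlap on at least two distinct indicator kinds (`min_kinds`) is an assumed narrowing criterion, not an industry standard.

```python
"""Match per-host forensic artifacts against threat-group indicator sets.

Added example illustrating a two-pass IoC matching workflow; not Mandiant's
code. Every indicator and hostname is a constructed placeholder.
"""

# Pass-one reference data: indicators of compromise grouped by threat group
# and by kind. HASH-SHARED stands in for a commodity tool both groups use,
# which is exactly the kind of indicator that must not decide attribution.
THREAT_GROUPS = {
    "GROUP-A": {
        "file_hash": {"HASH-A1", "HASH-A2", "HASH-SHARED"},
        "c2_domain": {"c2-a.invalid"},
        "mutex": {"MUTEX-A"},
    },
    "GROUP-B": {
        "file_hash": {"HASH-B1", "HASH-SHARED"},
        "c2_domain": {"c2-b.invalid"},
        "mutex": {"MUTEX-B"},
    },
}

# Constructed artifacts collected from four hypothetical workstations.
HOST_ARTIFACTS = {
    "ws-017": {"file_hash": {"HASH-A1", "HASH-SHARED"}, "c2_domain": {"c2-a.invalid"}, "mutex": set()},
    "ws-042": {"file_hash": {"HASH-SHARED"}, "c2_domain": {"c2-b.invalid"}, "mutex": set()},
    "ws-103": {"file_hash": {"HASH-SHARED"}, "c2_domain": set(), "mutex": set()},
    "ws-200": {"file_hash": set(), "c2_domain": set(), "mutex": set()},
}


def match_host(artifacts, groups):
    """First pass: for each group, list the indicators of each kind that the host's artifacts overlap with."""
    hits_by_group = {}
    for group, indicators in groups.items():
        hits = {}
        for kind, values in indicators.items():
            overlap = artifacts.get(kind, set()) & values
            if overlap:
                hits[kind] = sorted(overlap)
        if hits:
            hits_by_group[group] = hits
    return hits_by_group


def attribute_host(artifacts, groups, min_kinds=2):
    """Second pass: narrow the candidates.

    A group is a candidate only if it overlaps on at least min_kinds distinct
    indicator kinds (so one shared tool hash is never enough on its own); among
    candidates, the group with the most matching indicators wins. Returns
    (group_or_None, first_pass_hits) so an analyst can see why.
    """
    hits_by_group = match_host(artifacts, groups)
    candidates = {g: h for g, h in hits_by_group.items() if len(h) >= min_kinds}
    if not candidates:
        return None, hits_by_group
    best = max(candidates, key=lambda g: sum(len(v) for v in candidates[g].values()))
    return best, hits_by_group


def summarize_hosts(hosts, groups):
    """Map each host to the attributed group, or None when the evidence is too thin."""
    return {host: attribute_host(arts, groups)[0] for host, arts in hosts.items()}


if __name__ == "__main__":
    for host, arts in HOST_ARTIFACTS.items():
        group, hits = attribute_host(arts, THREAT_GROUPS)
        print(f"{host}: {group or 'unattributed'}  first-pass hits={hits}")
```

Host ws-103 is the instructive case: it carries only the shared hash, so the first pass names both groups and the second pass correctly refuses to attribute rather than picking one at random. Keeping the first-pass hits in the return value matters for the same reason; an analyst reviewing the call wants the evidence, not just the verdict.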
Mandiant labels APT groups with numbers rather than using industry-convention names such as Night Dragon. This particular group, APT 12, is very active and quietly targets companies in the United States and Europe, unlike groups such as the Comment Crew (APT 1) that are loud and pervasive and not necessarily as skilled.
“We see them targeting hundreds of organizations, but don’t attract attention or leave much of a footprint,” Bejtlich said. Such groups act on behalf of the Chinese government, which has targeted journalists in the past in an effort to understand how the country is perceived in the West and perhaps control the sources used by the media.
“The Chinese are desperate to know what others think of them first,” Bejtlich said. “They want to know what news organizations are reporting about them. They want to access the Gmail accounts of those who support dissidents. They’ve attacked think tanks because they want to know what the think tanks are recommending for policy.”
In the meantime, the Times was unique among organizations suffering targeted attacks in that it got out in front of the story with high-level details about the attack.
“I congratulate the Times for coming forward,” Bejtlich said. “It’s more important how you manage an intrusion. Let’s get to the point where it’s not shameful to have an intrusion. I would think twice about going after an adversary such as the Times because they might tell the world.”
While run-of-the-mill attacks, such as denial-of-service attacks and bot compromises, are more common, many companies worry more about advanced persistent threats and insider attacks.
While a hefty portion of companies are worried about advanced persistent threats, industrial espionage and malicious insiders, bot software and denial-of-service attacks are far more common, according to Arbor Networks’ 8th Annual Worldwide Infrastructure Security Report released Jan. 29.
The survey of 130 companies found that half of businesses had discovered a system compromised with bot software in their network and nearly half had suffered a distributed denial-of-service attack.
While botnet compromises remained the top concern among respondents, more than half the companies surveyed worried more about targeted attacks, such as advanced persistent threats, even though only 22 percent had actually encountered such an attack in the last 12 months. Industrial espionage and malicious insiders both showed a similar level of concern that outweighed the incidence of the issue.
“I agree that APT and malicious insiders are a disproportionate concern,” said Gary Sockrider, Arbor Networks’ solutions architect for the Americas. “Even though they are not the most common of observed threats, they are a greater area of concern looking forward.”
The survey of service providers and large enterprises found that the bandwidth of the top reported attacks remained constant from the previous year at 60 Gbps, as did the bandwidth detected by Arbor’s own systems, which peaked at 100 Gbps, the company said. The average attack consistently remains about 1 Gbps, and typically averaged 1.6 Gbps by the end of the year, the company said.
The continued increase in attack size is not surprising, following the large-bandwidth denial-of-service attacks aimed at financial institutions by the Izz ad-Din al-Qassam Cyber Fighters, a reputed hacktivist group that is allegedly protesting a video deemed insulting to Muslims and posted on YouTube.
Infrastructure denial-of-service (DoS) attacks, which try to clog network connections with junk data, accounted for 91 percent of all attacks, according to the Arbor report. Application-layer attacks, which try to consume processing time with requests to Web applications, are a small but increasingly important part of attacks and make up the other 9 percent.
“The prevailing wisdom used to be pretty simple: If you have someone in your infrastructure that is being attacked, you kick them out,” Sockrider said. “More and more, however, as more entities become potential targets, I think you will see service providers needing to deal with attacks.”
Arbor’s report focused on DoS attacks, but the disconnect between other threats and the level of corporate concern marks an interesting trend. More than 50 percent of respondents worried about advanced persistent threats on their network, but only 22 percent encountered such threats. Almost 40 percent worried about data exfiltration as part of industrial espionage, but only 5 percent actually reported an incident.
While companies appear to be focusing too keenly on less probable threats, the concerns are in line with the reported risks. While APT, industrial espionage and malicious insiders are less likely to occur, the damages from such attacks are typically higher than mitigating a compromised system or a denial-of-service attack, according to past reports from both Verizon and the Ponemon Institute.
Data Breach Fund Sidecar Endorsement designed to eliminate tiered sub-limits, provide single data breach fund limit.
Insurance Networking News, January 31, 2013
ACE USA, the retail operations of ACE Group, has released an option for ACE Privacy Protection policyholders by upgrading its Data Breach Team Endorsement. The new Data Breach Fund Sidecar Endorsement eliminates tiered sub-limits and provides a single-data breach fund limit, which falls outside the policy’s liability limits for all data breach expenses.
ACE says the Data Breach Team is a panel of independent legal, computer forensic, notification, call center, crisis communications, fraud consultation, credit monitoring, and identity restoration firms. Professional Risk helps firms mitigate the financial and reputational risks associated with privacy breaches. The ACE Data Breach Team, combined with one of the Data Breach Team Endorsement options, bridges the gap between risk transfer and purchased loss control, creating a comprehensive risk management program for privacy, data breach, and network security risk.
Data Breach Team Endorsement enhancements include coverage for regulatory communications and forensics coverage, ACE adds. Data Breach Fund Sidecar Endorsement benefits include expanded coverage for insureds with less than $1 billion in annual sales revenue; a Data Breach Fund Sidecar limit outside of the standard policy limits; a sidecar limit intact; tiered sub-limits removed, providing a single limit for all data breach expenses; a sidecar limit offered at 50 percent of the privacy liability limit on a standard basis; no retention for Data Breach Coach expenses; and simplified structure to allow brokers and clients to build excess programs above ACE limits.
The HIPAA omnibus rule becomes effective March 23 and requires compliance by covered entities and business associates by Sept. 23, which gives these stakeholders 180 days to scrutinize the effect this final rule will have on those working with protected health information (PHI). One particular area of concern for covered entities and business associates is the definition of a health data breach.
“What the government didn’t do was tinker with the breach response series of obligations that you have to provide,” explains Katherine Keefe, head of Beazley Breach Response Services, which handles data breach responses for insurers. “None of those mechanical details were modified in any way. Really, the only significant change was that the government changed the definition of what is a breach.”
While the HIPAA omnibus rule hasn’t changed the requirements for responding to a health breach, it lays out an entirely new method for determining what constitutes a breach. The definition of a breach now includes information about the presumption of a health data breach “unless the covered entity or business associate can demonstrate that there’s a low probability that the data was compromised,” reveals Keefe.
Based on the new rule, the government uses four factors to determine the likelihood that PHI was inappropriately used or disclosed.
What is the nature of information involved?
The first factor is that you need to look at the nature and extent of the protected health information involved. Is it sensitive information? Is it financial? What type of information was inappropriately disclosed or used?
Who is the unauthorized person responsible?
The second factor is the unauthorized person who used or disclosed the PHI. Is it an employee? Is it a third party? Is it someone trustworthy or not? If it was an inadvertent or misfired fax, was the recipient also a covered entity in which case they’re obligated to follow the HIPAA rules and therefore that factor may weigh heavily toward a decision that the data wasn’t compromised or there was a low probability that it was?
Was the information actually accessed?
The third factor is whether the PHI was actually acquired or viewed. If it’s a laptop that is stolen or lost and returned and it wasn’t actually looked at, then that’s going to be a factor in determining whether there was a probability that it was compromised.
How have the covered entities and business associates handled the risk?
The fourth factor is the extent to which the risk to the PHI has been mitigated. Were corrective steps already taken to reduce further disclosure or use of the information?
The new understanding of a breach is disconcerting to stakeholders such as Keefe and Beazley because of what it could do to covered entities and business associates. “What I fear for the industry is if a covered entity or business associate is not able to document to the government’s satisfaction that it went through this analysis and considered these four factors,” adds Keefe, “the government now has the regulatory authority to deem any inappropriate or impermissible use or disclosure of PHI to be a breach.”
Covered entities and business associates must stay on their toes and evaluate not only what will constitute an inappropriate use or disclosure of PHI but also what these organizations will do to ensure that appropriate policies and procedures are in place to avoid inquiries and reprimands from government agencies.
“Every day in healthcare there are tons of inappropriate uses or disclosures of PHI — it’s just the nature of the beast — and it used to be that not all of them were breaches unless there was a substantial risk of reputational or financial harm,” says Keefe. “But now all those everyday disclosures, unless there’s documentation to show that there was an analysis done of the probability of compromise, they’re considered breaches.”
Thursday January 31, 2013
BRATTLEBORO — Late Wednesday night, the Reformer received the following statement from Richard French, president of the Works Bakery Cafe.
“The Works Cafe, with locations in Manchester and Brattleboro; Keene, Durham, Portsmouth and Concord, N.H.; and Portland, Maine, is investigating third-party allegations concerning theft of customer credit card and debit card account information.
“Federal and state law enforcement agencies were promptly notified by the Works Cafe and are conducting an investigation into the allegations. The nature of the on-going investigation limits what can be disclosed about it at this time.
“I cannot overstate the importance which I place on the relationships I have built with our customers over the more-than 20 years I have run this business. I want to assure everyone that I take these allegations very seriously and I promise that as soon as I am able I will share what information I can that doesn’t compromise the investigation.
“Customers who fear their cards might have been compromised should contact their financial institutions as soon as possible and take corrective action.”
The Reformer will be sitting down with French in the next few days with the expectation that more information will soon be made available.
NEW YORK–The long list of high-profile cyberespionage and cybercrime attacks that have surfaced in the last couple of years has led to broad discussions in the security community, government circles and elsewhere about the scope of the problem. Those discussions now are just starting to reach into the boardroom, and security experts say that any CEO who isn’t concerned about this problem is living in the past.
Attackers have been targeting large corporations and government agencies for decades, pilfering data, product plans, military schemes and whatever else was available to them. The game itself is nothing new. What’s changed are the tactics, tools and methods that the attackers–and defenders–are using and how difficult it is to identify and stop them. The rise of the Internet has tilted the playing field heavily in favor of the attackers, especially those with considerable financial and organizational resources.
In other words, government attackers and their affiliates. These are the groups responsible for the majority of attacks such as Flame, Stuxnet and Red October, and while those attacks sometimes are conflated with run-of-the-mill cybercrime operations designed to steal credit card numbers, that is a mistake that corporations can’t afford to make, experts say, as underestimating their adversaries will not end well.
“Everything gets lumped together in the government sometimes. I like to put them in separate boxes. There’s cybercrime and then there’s the spy versus spy things, which will always take place,” Howard Schmidt, the former White House cybersecurity coordinator, said during the Kaspersky Lab Cyber-Security Summit here Wednesday. “We have to understand that the theft of intellectual property is different from trying to turn the lights off or kill people [with a cyberattack].
“There has to be some recognition that these things are different but the fundamental vulnerabilities that exist are the same across all of the sectors. They just get exploited by different groups.”
Schmidt, who is now retired, spent time advising both President Barack Obama and George W. Bush on information security, and also worked for a long time in law enforcement and as the CSO of Microsoft. During a discussion at the event with Eugene Kaspersky, CEO of Kaspersky Lab, Schmidt agreed with Kaspersky’s assertion that there are few, if any, companies or industries that can consider themselves to be off the target list for cyberespionage attacks.
“I’m afraid that every industry can be a victim of a high-profile attack,” Kaspersky said. “All of them are vulnerable. Communications, transportation, military. Can the military be a victim of such an attack? Yes, of course.”
Executives in some industries–especially technology, defense and manufacturing–have had to learn the hard way how successful such attackers can be with simple tools such as spear-phishing emails and commodity Trojans. The attacks don’t necessarily need to include tools such as Flame to get the job done. But getting that message across to top executives can be difficult.
“There are some executives that are now very aware of it. If they’ve been a victim, I guarantee it’s on the agenda at the next board meeting,” Schmidt said. “But usually that security message is filtered by the time it gets to the CEO. We are now having meetings with top-level CEOs, sitting down and saying, here’s what’s going on out there, whether it’s theft of intellectual property or disruption of activity. Those meetings are on the increase, but not nearly where they should be.”
In addition to educating CEOs and other officials about the scope of the problem, Kaspersky said that there’s a dire need for more security personnel at every level.
“Companies don’t have enough expertise,” he said. “There are not enough IT security experts. I don’t know any country that has enough security resources.”