<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>At The Breach - Your source for online security news &#187; Featured</title>
	<atom:link href="http://www.atthebreach.com/category/featured/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.atthebreach.com</link>
	<description>Your source for online security</description>
	<lastBuildDate>Tue, 15 Jun 2010 21:38:56 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Verizon Business Study Results</title>
		<link>http://www.atthebreach.com/blog/verizon-business-study-results/</link>
		<comments>http://www.atthebreach.com/blog/verizon-business-study-results/#comments</comments>
		<pubDate>Fri, 07 May 2010 02:06:27 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security Data]]></category>
		<category><![CDATA[Awareness Technologies]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=530</guid>
		<description><![CDATA[An interesting research report came out from Verizon Business about IT security spending.  Here are a few of the points they made and a few comments I have on them.
Organisations are typically over-investing in some areas, while neglecting other parts that would yield significant gains, said Peter Tippett, vice-president of technology and innovation at [...]]]></description>
			<content:encoded><![CDATA[<p>An interesting research report came out from Verizon Business about IT security spending.  Here are a few of the points they made and a few comments I have on them.</p>
<p>Organisations are typically over-investing in some areas, while neglecting other parts that would yield significant gains, said Peter Tippett, vice-president of technology and innovation at Verizon Business. </p>
<p> &#8211; TRUE – This is especially true because organizations don’t stop and look at the current threat landscape and evaluate if their existing technologies are best to mitigate the current risk.  Usually they just stick with what they currently have.  </p>
<p>&#8220;Up to 40% of money spent on IT security is wasted,&#8221; he told Computer Weekly. </p>
<p> &#8211; I would tend to agree with this.  That 40% could be spent on effective solutions that truly reduce the organization’s risk.</p>
<p>Many organisations are increasingly spending money on insider threats, but in reality only 11% of successfully exploited data breaches in the past five years have been internal parties alone, according to the latest Verizon Business Data Breach Investigations Report.</p>
<p> &#8211; I question this statement and here is why.  Verizon Business usually bases these reports on their caseload, which means only the companies that have called them to do forensic analysis are the ones in the study.  Well, not every company that has a breach calls Verizon.  In fact, stop and think for a minute.  If you have an insider breach, usually you know about it.  Usually it is low tech.  Usually you don’t need Verizon for that type of case.  Also, companies do not like to disclose insider breach cases.  If a hacker gets them, most people say “boy those hackers are really smart” but if an insider gets away with a bunch of stuff people say “what kind of company hires a person like that” or “what lousy policies and procedures that company must have to have that incident occur.”  An insider breach is the company’s fault (at least that is the perception).</p>
<p>Most breaches involve multiple sources, but even then research shows that only 20% overall involved internal parties.</p>
<p> &#8211; I don’t agree with this either.  This is a fundamental problem with the way people look at breaches.  If a hacker exploits a vulnerability on a web server and gets access to internal systems and downloads a database of sensitive information, everyone blames the hacker 100%.  Isn’t there some responsibility on the internal IT person that didn’t patch the system?  Couldn’t we blame the IT person for misconfiguring the web server to allow the hacker in?  When looked at in this way, insiders play a much larger role in information security breaches than many might think.</p>
<p>The research shows that being able to patch systems faster will reduce enterprise security risk by about 2%.<br />
I agree with this.  Verizon in a separate report several months ago showed how infrequently hackers are using 0-Day exploits.  In nearly all cases hackers were using old, established, well known vulnerabilities and exploits.  It isn’t about patching faster, it is about patching and patching consistently.<br />
&#8220;But by simply eliminating systems with default passwords that are easy to guess will cut risk by at least 25%, 10 times more than patching faster,&#8221; said Tippett.</p>
<p> &#8211; I agree with this as well.  Default passwords and easily guessable credentials are one of the top ways external breaches occur.</p>
<p>&#8220;An organisation can reduce its risk by 85% simply by finding out where all its servers are, where all its data is stored and what connections there are to it,&#8221; he said.</p>
<p> &#8211; I 100% agree with this.  Most organizations that go through a system and data discovery can’t believe all the places that sensitive data resides.  </p>
<p>Even though bigger companies tend to look for default passwords, they look only at critical systems and tend to ignore those that have nothing to do with the business, but this is another mistake, said Tippett.</p>
<p> &#8211; This is a big mistake because “less important systems” are often used by individuals who have access to the mission critical systems and once you compromise one system, you can have access to anything that system has access to.</p>
<p>&#8220;Hackers don&#8217;t care what is critical and what is not &#8211; they just use their tools to find the things that are easiest to get into, and once they are in, they move from there.&#8221; </p>
<p> &#8211; True, although I think this is changing a little bit as hackers are getting better at analyzing the systems they compromise for potential value.</p>
<p>&#8220;Discover is the most important thing you can do. It is the first step in every risk-management programme. Yet it is the thing almost everyone ignores.&#8221;</p>
<p> &#8211; Certainly one of the most important things you can do.</p>
<p>Lastly&#8230;. Verizon Business needs to learn how to spell OrganiZation!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/verizon-business-study-results/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are social media platforms the Jurassic Park of computing?</title>
		<link>http://www.atthebreach.com/blog/are-social-media-platforms-the-jurassic-park-of-computing/</link>
		<comments>http://www.atthebreach.com/blog/are-social-media-platforms-the-jurassic-park-of-computing/#comments</comments>
		<pubDate>Fri, 05 Mar 2010 20:40:35 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=527</guid>
		<description><![CDATA[Link to article
Kevin Prince is chief technology officer of Perimeter E-Security.
The views expressed are his own. –
Social Networks have grown out of control. Literally. Today, neither users nor social networking companies can control the monsters they have created. Think Jurassic Park: where John Hammond wanted to build something no one else had ever done, a [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blogs.reuters.com/great-debate/2010/03/05/are-social-media-platforms-the-jurassic-park-of-computing/">Link to article</a></p>
<p>Kevin Prince is chief technology officer of Perimeter E-Security.<br />
The views expressed are his own. –<br />
Social Networks have grown out of control. Literally. Today, neither users nor social networking companies can control the monsters they have created. Think Jurassic Park: where John Hammond wanted to build something no one else had ever done, a fun theme park combined with a zoo of cloned dinosaurs.  He built what he thought would be adequate security, but in reality, didn’t understand nearly enough about the environment he was trying to control.  People naturally trusted that proper security was in place and that they would of course be safe. Quickly things spiral out of control, and nearly everyone gets eaten by the end of the movie.<br />
The creators of social networking sites — yes all of them — are just like John Hammond. Their unique ideas caught on in such a viral way that just keeping up with the bandwidth, processing power, storage, development, and everything else required to keep the system online is an amazingly complex, never-ending task. For most of these sites, security is – and has always been – an afterthought. Some of them try, but it’s a bit like closing the amusement park gates after the Tyrannosaurus has bolted.<br />
The users of social networking sites also contribute to the problem. Most are absolutely reckless when it comes to behavior on the sites. A while ago, I ran a social networking experiment on Facebook. I created a new user profile based on a free Google mail account. I chose the name Rebecca Johnson, made her 26, and used a profile picture of a three-year-old girl in a dress that I snagged from a department store website. No other information was in the profile. I wanted to see what would happen when I invited random strangers to be friends with this fictitious person.<br />
Lucky for me, Facebook presents you with people it thinks you might know. Due to a lack of information in my profile, Facebook presented me with people of all ages that live in my county (obviously they were looking at my IP address and correlating that with my city). I of course knew none of these people but went ahead and invited them and others. In all, I invited 250 totally random people to be my friends. The only criteria I used: they had to have profile pictures. My logic: if you don’t have a profile picture, you’re probably not a serious or frequent user. Here’s a timetable of what happened next.<br />
8:00am – Invite Friends<br />
8:02am – My first friend accepts the invitation<br />
9:00am – 6 Friends<br />
10:00am – 12 Friends<br />
3:00pm – 28 Friends<br />
After one week, I had 140 friends. Forty-seven people ignored my request; three questioned me via email saying, “I am kind of embarrassed, how do I know you again?”; I had 60 “pending” requests; and one friend invitation with an email saying, “Hey, I must know you because we know three of the same people.”<br />
If you remove the pending requests, nearly 75 percent of requests ended in the person accepting me as a friend. And it got worse: after one month, I had 187 friends out of that initial 250 friend requests. In other words: A staggering percentage of people will accept a friend request from someone they don’t know.<br />
So, does that really matter? What harm can come from it, right? Well, let me tell you: Rebecca Johnson now has an intimate knowledge of her 187 friends’ lives:<br />
Most have posted recent photos of themselves and their loved ones. One took pictures of every room in her house after a recent remodel and then began “a much needed vacation” to California and announced she wouldn’t be back for two weeks.<br />
Several were young kids still in high school. Facebook is a cyber-stalker’s dream come true. For many friends, you can know their every move. For others, you know the major events in their lives. Even a mildly creative person can come up with hundreds of ways this information could be exploited. Think of the information that most of us have entered into Facebook.<br />
Name, sex, birthday, relationship status and interests, political views, religious views, email address, schools, employment, location, other friends, photos, videos, not to mention whatever comes into our heads and gets posted on our walls. Rebecca Johnson knows when people are coming, when they are going, who they will be with, and much, much more.<br />
Another huge problem is passwords. All too often people use simple passwords that are either easy to guess, short, or they use the same password on many different systems. Further, the processes that protect these systems are often flawed. For example, to do a password reset you might have to answer some questions about yourself that you entered when initially registering (like your father’s middle name, or what elementary school you attended).  Today, most of these questions are not difficult to discover when combining social networking sites and other Internet resources. This is how Sarah Palin’s email was breached during her campaign.<br />
So it’s no surprise that naive, trusting, apathetic, and unsuspecting users, who don’t think about security, are often the same that become victims of identity fraud.<br />
But there’s another culprit: “cloud computing” providers. Last summer, a hacker broke into the personal Google Mail account of the spouse of an executive at Twitter. And because that account was linked to shared documents in Google Apps (a cloud computing system), hundreds of sensitive company documents were exposed. Is the user to blame or the cloud based services? In the aftermath of the breach, fingers were pointed at a lack of policies and procedures prohibiting links of personal email to corporate resources, the cloud computing service, and everything in between.<br />
And Twitter is not alone: Monster.com, Lexis-Nexis, Facebook, MySpace, and many others have all been compromised at some point. That’s because social network sites make it easy to register, login, remember your login credentials, and even reset your password. They also make it very easy to spoof other users, install malware, send SPAM, or conduct any number of other nefarious acts. Plus, these sites have a growing number of third-party applications and service providers that interact with these services – with little in the way of what most security professionals would consider adequate security.<br />
The combination of weak security procedures, third-party interactions, a user culture of “ease of use” trumping security, and the blending of corporate and personal lives is a formula for disaster. And although social networks have one of the  biggest targets on their back, they’re just one type of cloud computing service.<br />
The harsh reality: Cloud-based application providers think application first, and somewhere down on the list is security.<br />
So what can be done?<br />
First, cloud computing services need a ground-up overhaul of their security. They need to build their systems with security and privacy as the top priority rather than an afterthought. They need to stop blaming the “other guy” and shore up their own code and networks. They need to protect themselves from unauthorized access, data manipulation, data exposure, and a myriad of other threats.<br />
Meanwhile, users need to take responsibility for their own identities and information and stop flaunting it on the Internet. They need to assume that if they post something on the Internet, everyone in the world can see it. They shouldn’t connect personal accounts to corporate resources. They need to use strong (long and complex) passwords that change periodically and are different for each service they use. There are many secure applications for smart phones that can store credentials.<br />
Anything less and the risk of identity theft and fraud will only escalate.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/are-social-media-platforms-the-jurassic-park-of-computing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 10 Information Security Threats of 2010</title>
		<link>http://www.atthebreach.com/blog/top-10-information-security-threats-of-2010/</link>
		<comments>http://www.atthebreach.com/blog/top-10-information-security-threats-of-2010/#comments</comments>
		<pubDate>Mon, 18 Jan 2010 03:29:48 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security Data]]></category>
		<category><![CDATA[2010]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[data security breach]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[information security breach]]></category>
		<category><![CDATA[threats]]></category>
		<category><![CDATA[top threats]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=517</guid>
		<description><![CDATA[Each year Kevin Prince, CTO at Perimeter E-Security writes a paper regarding what he feels are the top threats for the coming year.  Over the past several years, his papers have not only been insightful, but spot on in nearly everything he has predicted.  Perimeter just released the 2010 version and can be [...]]]></description>
			<content:encoded><![CDATA[<p>Each year Kevin Prince, CTO at Perimeter E-Security writes a paper regarding what he feels are the top threats for the coming year.  Over the past several years, his papers have not only been insightful, but spot on in nearly everything he has predicted.  Perimeter just released the 2010 version and can be found <a href="http://www.perimeterusa.com/wp/Top-10-of-2010.pdf">HERE</a>.</p>
<p>It is a great read!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/top-10-information-security-threats-of-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Announcement on China</title>
		<link>http://www.atthebreach.com/blog/google-announcement-on-china/</link>
		<comments>http://www.atthebreach.com/blog/google-announcement-on-china/#comments</comments>
		<pubDate>Wed, 13 Jan 2010 18:48:24 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[censorship]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[human rights activists]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=515</guid>
		<description><![CDATA[Google made a significant announcement on their blog recently.  The blog post is at http://googleblog.blogspot.com/2010/01/new-approach-to-china.html.  It has to do with Google potentially pulling out of China altogether.  It states that Google is no longer willing to filter results and they appear willing to close up shop in China.  According to the [...]]]></description>
			<content:encoded><![CDATA[<p>Google made a significant announcement on their blog recently.  The blog post is at http://googleblog.blogspot.com/2010/01/new-approach-to-china.html.  It has to do with Google potentially pulling out of China altogether.  It states that Google is no longer willing to filter results and they appear willing to close up shop in China.  According to the post, it looks like the straw that broke the camel's back was a series of successful attacks against Google originating from China.  These attacks appear to be directed towards human rights activists that actively promote human rights in China.  They were apparently attempting to compromise gmail accounts.  They also discovered through this experience that many human rights activists have already had their gmail accounts compromised through malware, phishing, or other techniques.  </p>
<p>I must commend Google on the way they handle the information security breach.  They are forthright about it.  See, Google understands that breaches happen.  They also understand they are significant and must be addressed promptly.  They utilize the resources to delve fully into them…which often uncover additional issues.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/google-announcement-on-china/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The yin and yang of cybersecurity</title>
		<link>http://www.atthebreach.com/blog/the-yin-and-yang-of-cybersecurity/</link>
		<comments>http://www.atthebreach.com/blog/the-yin-and-yang-of-cybersecurity/#comments</comments>
		<pubDate>Tue, 22 Dec 2009 12:36:40 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Breach Source]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Identity Theft Protection]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=507</guid>
		<description><![CDATA[The yin and yang of cybersecurity
December 21, 2009 10:00 AM
Howard (right) and Prince (below) say online peace can only come when corporations achieve &#8220;cyberbalance.&#8221; Photos: Perimeter
On  the Internet, the good guys and the bad guys are inextricably connected. But what happens when one side gets the upper hand?
By Doug Howard, chief strategy officer, and [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://brainstormtech.blogs.fortune.cnn.com/2009/12/21/the-yin-and-yang-of-cybersecurity/">The yin and yang of cybersecurity</a><br />
December 21, 2009 10:00 AM</p>
<p>Howard (right) and Prince (below) say online peace can only come when corporations achieve &#8220;cyberbalance.&#8221; Photos: Perimeter</p>
<p>On  the Internet, the good guys and the bad guys are inextricably connected. But what happens when one side gets the upper hand?</p>
<p>By Doug Howard, chief strategy officer, and Kevin Prince, chief technology officer, Perimeter E-Security</p>
<p>(The following is an edited excerpt of the forthcoming book, Security 2020, scheduled to be published next year.)</p>
<p>Since the inception of computers and more specifically, our global reliance upon them, the number, severity, complexity, and source of security threats have all increased exponentially many times over.</p>
<p>Why do threats emerge? Sometimes a developer wants notoriety (that was the primary motivation in the late 90’s and the first few years of the new millennium) but today the main force behind digital threats is the hope of monetary gain.  Political and religious motivations are coming on strong, too.</p>
<p>At the same time, threat mitigation solutions and tactics constantly are developing to deal with these threats.  These solutions evolve over time and balance out each new threat. The problem comes when threats emerge faster than solutions, and companies lose their balance.</p>
<p>The “white hats” (the good guys that help develop and implement solutions) and “black hats” (cyber criminals) have a relationship not unlike yin yang in Chinese philosophy.   Seemingly opposing forces are interconnected giving rise to each other in turn.</p>
<p>Yin and yang are thought to arise together from an initial quiescence or emptiness and continue to move in tandem until quiescence is reached again.  For example, dropping a stone in a calm pool of water will simultaneously raise waves and lower troughs between them.  This will radiate outward until the movement dissipates and the pool is calm once more.</p>
<p>According to Chinese philosophy, Yin and yang will always have the following characteristics (and so, too, do “white hats” and “black hats”):</p>
<p>    * They are opposing.  The good guys are always trying to stop the bad guys.  The bad guys are always looking for the next way to outsmart the good guys.<br />
    * They are rooted together.  For example, the discovery of a critical vulnerability will simultaneously start a flurry of development for patches and fixes by the good guys and malware and scripts to exploit it by the bad guys.<br />
    * They transform each other.  New technologies and tactics are developed to counteract the effects of previous technologies and tactics.<br />
    * One cannot exist without the other.  If all the cyber criminals disappeared tomorrow, you would have no need for security professionals.  (Without cybercrooks, our firm, Perimeter, and many others would be out of a job.)</p>
<p>But there is one characteristic of information security that is not always true.  Yin and Yang are always balanced, but information security is sometimes out of balance.</p>
<p>What causes these forces to become out of balance? For starters, new threats can emerge and evolve so quickly that mitigation solutions are not available timely enough.  Sometimes companies balk at spending money on new solutions, or they simply don’t have the expertise or understanding to deploy, manage, or monitor barriers to cybercrime.</p>
<p>Any of these elements individually can cause problems in the information security space.  (When all of these elements are true at the same time, you have a perfect storm for massive, worldwide impact that causes catastrophic damages and enormous economic loss.)</p>
<p>It’s terrible to say, but sometimes it takes a cyberbreach of significant size to educate companies and consumers about the threats and to get them focused on solutions. After the first denial-of-service attacks (attacks that block legitimate users from accessing sites or applications) in 2001, a number of upstarts and existing security firms rushed to market with technologies to thwart so-called DOS attacks, and companies quickly moved to implement them.</p>
<p>Are we on the verge of a cybercatastrophe? Certainly the black hats are looking for new ways to cause chaos. With hard work, good cybersleuthing and a bit of luck companies like ours will keep pace with the bad guys’ attacks – but companies need to do their part and get smart about the potential threats. If not, that stone dropped in a pool of water could turn into a tsunami, and it will take a lot of technology, manpower and time to achieve digital quiescence.</p>
<p>Howard is chief strategy officer of Perimeter E-Security, a Milford, Conn.-based provider of information security systems to companies of all sizes. Prince is chief technology officer.</p>
<p><a href="http://brainstormtech.blogs.fortune.cnn.com/2009/12/21/the-yin-and-yang-of-cybersecurity/">Also Posted Here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/the-yin-and-yang-of-cybersecurity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2009 Breaches and Blunders</title>
		<link>http://www.atthebreach.com/blog/2009-breaches-and-blunders/</link>
		<comments>http://www.atthebreach.com/blog/2009-breaches-and-blunders/#comments</comments>
		<pubDate>Tue, 24 Nov 2009 14:25:07 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Breach Source]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Identity Theft Protection]]></category>
		<category><![CDATA[Malicious Insiders]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=500</guid>
		<description><![CDATA[Kevin Prince, CTO of Perimeter eSecurity recently released a paper on the top 2009 breaches and blunders.  See the full article here.   There is also lots of talk about it on Twitter.  See here.
&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;
Perimeter E-Security Exposes Top Ten Biggest Security Breaches and Blunders of 2009
MILFORD, Conn., Nov. 23 /PRNewswire/ &#8212; Perimeter [...]]]></description>
			<content:encoded><![CDATA[<p>Kevin Prince, CTO of <a href="http://www.perimeterusa.com">Perimeter eSecurity </a>recently released a paper on the top 2009 breaches and blunders.  See the full article <a href="http://www.prnewswire.com/news-releases/perimeter-e-security-exposes-top-ten-biggest-security-breaches-and-blunders-of-2009-71484742.html">here</a>.   There is also lots of talk about it on Twitter.  See <a href="http://search.twitter.com/search?q=perimeter+e-security">here</a>.</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p>Perimeter E-Security Exposes Top Ten Biggest Security Breaches and Blunders of 2009</p>
<p>MILFORD, Conn., Nov. 23 /PRNewswire/ &#8212; Perimeter E-Security, the trusted market leader of information security services that delivers enterprise-class protection and compliance to companies of all sizes, announced the top ten biggest information security breaches and blunders of 2009. According to Chief Technology Officer, Kevin Prince, there is a common thread between all of these incidents: they could have been avoided.</p>
<p>&#8220;2009 has been a year full of data breaches, compromises and exposures all around cyber-criminality. These incidents could have been prevented by adopting basic security standards and embracing a culture of security,&#8221; added Prince. &#8220;Most companies actually know exactly where they lack security and where their gaps and exposures are. But knowing this, they still &#8216;play with fire&#8217; and hope that they won&#8217;t get burned. Now is the time for everyone to take into account all the malicious breaches and blunders that have happened in the last year alone, and take the time to reconfigure their network protection systems to prevent these mishaps from happening to them.&#8221;</p>
<p>Here&#8217;s the list of the top 10 biggest information security breaches and blunders in 2009:</p>
<p>#10 &#8211; Malicious Codes&#8217; Extended Stay</p>
<p>Hackers broke into web servers owned by a major domain registrar and hosting provider and planted rogue malware that resulted in the compromise of more than 573,000 debit and credit card accounts. The malicious code was in place for over three months. This type of &#8220;extended stay&#8221; of malicious code is a negative trend that showed progress in 2009.</p>
<p>#9 &#8211; The Ease of Hacking a CEO&#8217;s Mailbox</p>
<p>A significant hosted email provider offered a $10,000 prize to anyone who could hack into its CEO&#8217;s mailbox. The company used the authentication method, providing one-time pin code and even gave usernames and passwords. Hackers successfully broke in, bypassing the 2nd factor authentication using a cross site scripting vulnerability.</p>
<p>#8 &#8211; The Jealous Boyfriend</p>
<p>You can&#8217;t forget the man who sent spyware to his girlfriend, who then opened the email on her work computer, resulting in a data security breach on a major children&#8217;s hospital network. The hospital could have used a web content filtering solution, but even that wouldn&#8217;t completely eliminate the problem. This particular breach shows that some healthcare organizations can still be apathetic towards information security.</p>
<p>#7 &#8211; Macking</p>
<p>Media hacking or &#8220;macking&#8221; has become quite popular in 2009. Macking, characterized as the lowest of the low hanging fruit, can be very profitable for cyber criminals in this day and age where search engines can be easily manipulated, botnets can send billions of email messages, and social network sites have worms that can spread messages.</p>
<p>#6 &#8211; Insiders Everywhere</p>
<p>This year was also the year of insider breaches. A temporary telecom company employee was arrested on charges of stealing personal information and then pocketing more than $70,000 by taking out short-term payday loans. Even one of the world&#8217;s leading anti-virus and internet security providers had an international office employee steal customers&#8217; credit card numbers. Insider breaches will continue to be a rising threat for 2010 and beyond, as long as companies don&#8217;t have the proper policies in place to prevent them.</p>
<p>#5 &#8211; 160,000 California University records hacked</p>
<p>At one of California&#8217;s most esteemed universities, personal information of 160,000 current and former students and alumni may have been compromised. The breach was discovered April 21, 2009, but the database had been illegally accessed by hackers over six months prior in October 2008. Organizations must be constantly tracking and aware of hackers setting up shop on one or more of their systems.</p>
<p>#4 &#8211; Virginia Department of Health Blackmail</p>
<p>The FBI and Virginia State Police have been hunting down hackers who demanded that the state pay a $10 million ransom for the return of millions of personal pharmaceutical records that they claimed to have deleted and stolen from the Prescription Monitoring Program. The alleged &#8220;deleted data&#8221; was backed up and secured within days of the ransom demand. Modern hackers are becoming more bold and fearless.</p>
<p>#3 &#8211; Google</p>
<p>In 2009, Google had its fair share of data breaches, in its Google apps, Google AdWords, Google Docs, Gmail and more. As one of the biggest internet organizations, it&#8217;s also one of the most targeted by hackers and other malicious threats.</p>
<p>#2 &#8211; Social Networking Sites</p>
<p>Twitter was hacked so many times in 2009 we could have a top 10 Twitter breach article by itself. Whether it is individual accounts being compromised like Britney Spears, Twitter employees, or Twitter 3rd parties, Twitter has equal opportunity exploitability. Facebook, YouTube and MySpace aren&#8217;t any better. Social networking sites have had a tough year as far as data breaches and blunders are concerned and it&#8217;s not going to be much better in 2010.</p>
<p>#1 &#8211; Nation&#8217;s largest payment processor is poster child of breaches</p>
<p>One of the nation&#8217;s leading payment processors is this year&#8217;s new poster child of data security breaches. The official court proceedings report that 130 million records were compromised. The company processes credit cards for over a quarter of a million merchants nationwide. They have had 31 separate lawsuits filed against them as a result of the breach and about 700 banks announced losses as well. The good news is that we caught the bad guys! Albert &#8220;Segvec&#8221; Gonzalez has been indicted by a federal grand jury in New Jersey along with two unnamed Russian conspirators.</p>
<p>&#8220;2009 was a banner year for negative information security news and as we enter 2010, we are seeing more regulations, more fines, and more lawsuit filings &#8211; all related to information security. Data security breaches are nasty business and should be avoided at all costs,&#8221; added Prince.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/2009-breaches-and-blunders/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Objectionable Sites = Malicious Content</title>
		<link>http://www.atthebreach.com/blog/objectional-sites-malicious-content/</link>
		<comments>http://www.atthebreach.com/blog/objectional-sites-malicious-content/#comments</comments>
		<pubDate>Thu, 24 Sep 2009 18:23:11 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security Data]]></category>
		<category><![CDATA[malicious sites]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[web content filtering]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=488</guid>
		<description><![CDATA[Websites with &#8220;objectionable content&#8221; (e.g. sex, adult content, gambling, drugs) are often infected with malicious software and links to sites that attempt to exploit end users&#8217; systems.  According to Websense,
50 percent of web pages linked to web sites categorized as &#8220;sex&#8221; also served malicious content.  
69 percent of all web pages with [...]]]></description>
			<content:encoded><![CDATA[<p>Websites with &#8220;objectionable content&#8221; (e.g. sex, adult content, gambling, drugs) are often infected with malicious software and links to sites that attempt to exploit end users&#8217; systems.  According to <a href="http://www.websense.com/threatreport">Websense</a>,<br />
50 percent of web pages linked to web sites categorized as &#8220;sex&#8221; also served malicious content.  </p>
<p>69 percent of all web pages with any objectionable content also had at least one malicious link.  </p>
<p>The issue is growing as well.  78 percent of new web pages discovered in the first half of 2009 with any objectionable content had at least one malicious link.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/objectional-sites-malicious-content/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Most of the Top 100 Websites have hosted malicious content in the last 6 months</title>
		<link>http://www.atthebreach.com/blog/most-top-100-websites-have-hosted-malicious-content-in-the-last-6-months/</link>
		<comments>http://www.atthebreach.com/blog/most-top-100-websites-have-hosted-malicious-content-in-the-last-6-months/#comments</comments>
		<pubDate>Mon, 21 Sep 2009 20:37:01 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security Data]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=482</guid>
		<description><![CDATA[According to Websense, more than half (61 percent) of the top 100 websites in the last 6 months have hosted malware (malicious software) or malicious hidden redirection links.  Breaches of heavily used sites are the weapon of choice of cyber criminals.
]]></description>
			<content:encoded><![CDATA[<p>According to <a href="http://www.websense.com/threatreport">Websense</a>, more than half (61 percent) of the top 100 websites in the last 6 months have hosted malware (malicious software) or malicious hidden redirection links.  Breaches of heavily used sites are the weapon of choice of cyber criminals.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/most-top-100-websites-have-hosted-malicious-content-in-the-last-6-months/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The True Cost of a Data Security Breach: The Heartland Case Study</title>
		<link>http://www.atthebreach.com/blog/the-true-cost-of-a-data-security-breach-the-heartland-case-study/</link>
		<comments>http://www.atthebreach.com/blog/the-true-cost-of-a-data-security-breach-the-heartland-case-study/#comments</comments>
		<pubDate>Tue, 11 Aug 2009 04:06:44 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security Data]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Heartland]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=470</guid>
		<description><![CDATA[While not enough information has been released to know the full measure of the Heartland data breach, bits and pieces have come out and we can begin to understand the impact to a company that has a serious data security breach.  Kevin Prince of Perimeter eSecurity touched on this subject in a series of [...]]]></description>
			<content:encoded><![CDATA[<p>While not enough information has been released to know the full measure of the Heartland data breach, bits and pieces have come out and we can begin to understand the impact to a company that has a serious data security breach.  Kevin Prince of Perimeter eSecurity touched on this subject in a series of <a href="http://www.perimeterusa.com/databreach_study.html?mid=Other&#038;iid=Corporate%20Security&#038;tid=New%20Customer%20(Direct)&#038;cmid=70130000000IUgt&#038;deid=Website%20-%20Whitepaper&#038;did=Retail%20Data%20Breach%20Study&#038;retURL=www.perimeterusa.com/databreach_study-ty.html&#038;fnid=&#038;lnid=&#038;cid=&#038;jtid=&#038;sid=&#038;eid=&#038;pid%20%3Cwww.perimeterusa.com/databreach_study.html?mid=Other&#038;iid=Corporate%20Security&#038;cmid=70130000000IUgt&#038;deid=Website%20-%20Whitepaper&#038;did=Retail%20Data%20Breach%20Study&#038;retURL=www.perimeterusa.com/databreach_study-ty.html&#038;fnid=&#038;lnid=&#038;cid=&#038;jtid=&#038;sid=&#038;eid=&#038;pid%3E%20=">data breach studies</a> he has done over the past couple of years.  In his examples, sometimes there seemed to be a clear relationship between a company&#8217;s stock price and the announcement or public awareness of a data security breach.  Other times the correlation could not be made.  </p>
<p>Look for yourself in the case of Heartland in the attached graph of the Heartland stock ticker over the past year.<br />
<img src="http://www.atthebreach.com/wp-content/uploads/heartlandstock.jpg" alt="heartlandstock" title="heartlandstock" width="797" height="487" class="alignright size-full wp-image-471" /></p>
<p>Not only did Heartland have approximately a 40% stock drop the day this was announced, the stock continued to drop for some time.  Heartland recently announced their Q2 2009 financials, which include the cost and write-offs associated with the data security breach. [<a href="http://www.bankinfosecurity.com/articles.php?art_id=1684&#038;rf=080809eb">Article</a>] </p>
<p>They specifically noted that $.32/share was the write-off amount associated with resolving issues with their data security breach.  They said this was associated with the $19.4 million it cost them to settle these issues.  This resulted in a quarterly loss of 2.6 million ($.07/share) for Q2.  </p>
<p>This also does not include the money they are putting into deploying end-to-end encryption which is their answer.  </p>
<p>It should be noted that both Visa and Mastercard have said that Heartland was not PCI compliant at the time the breach occurred.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/the-true-cost-of-a-data-security-breach-the-heartland-case-study/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2009 Verizon Business Risk Team Findings</title>
		<link>http://www.atthebreach.com/blog/2009-verizon-business-risk-team-findings/</link>
		<comments>http://www.atthebreach.com/blog/2009-verizon-business-risk-team-findings/#comments</comments>
		<pubDate>Fri, 24 Jul 2009 12:33:42 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security Data]]></category>
		<category><![CDATA[3rd Party]]></category>
		<category><![CDATA[Breach Source]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Identity Theft Protection]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=468</guid>
		<description><![CDATA[Key Findings of the 2009 Verizon Business Risk Team Cybercrime Report
This year&#8217;s key findings both support last year&#8217;s conclusions and provide new insights. These include:  
    * Most data breaches investigated were caused by external sources.  Seventy-four percent of breaches resulted from external sources, while 32 percent were linked to [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://newscenter.verizon.com/press-releases/verizon/2009/verizon-business-2009-data.html">Key Findings of the 2009 Verizon Business Risk Team Cybercrime Report</a></p>
<p>This year&#8217;s key findings both support last year&#8217;s conclusions and provide new insights. These include:  </p>
<p>    * Most data breaches investigated were caused by external sources.  Seventy-four percent of breaches resulted from external sources, while 32 percent were linked to business partners.  Only 20 percent were caused by insiders, a finding that may be contrary to certain widely held beliefs.</p>
<p>    * Most breaches resulted from a combination of events rather than a single action. Sixty-four percent of breaches were attributed to hackers who used a combination of methods.  In most successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data.</p>
<p>    * In 69 percent of cases, the breach was discovered by third parties.  The ability to detect a data breach when it occurs remains a huge stumbling block for most organizations. Whether the deficiency lies in technology or process, the result is the same.  During the last five years, relatively few victims have discovered their own breaches.</p>
<p>    * Nearly all records compromised in 2008 were from online assets. Despite widespread concern over desktops, mobile devices, portable media and the like, 99 percent of all breached records were compromised from servers and applications.</p>
<p>    * Roughly 20 percent of 2008 cases involved more than one breach.  Multiple distinct entities or locations were individually compromised as part of a single case, and remarkably, half of the breaches consisted of interrelated incidents often caused by the same individuals.</p>
<p>    * Being PCI-compliant is critically important.  A staggering 81 percent of affected organizations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/2009-verizon-business-risk-team-findings/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
