According to the Websense announcement: “The malicious Web site that is redirected is typical: it asks the user to install a missing codec to watch a video, and the download codec is a Trojan Downloader. Until now, these kinds of sites just used hot topics to attract users; we suspect that they will use more advanced SEO techniques to infect more users in the future.”

The survey was of 700 security professional
46 percent say employees have a “weak understanding” of security policy.
48 percent say there is a lack of training and an overall unsupportive company culture as it pertains to security.

Training is handled a few different ways today:
56 percent offer training or information online
35 percent use employee newsletters
25 percent do in person training

63 percent track whether their security policies are being followed.
60% take action on employees who break policies

Researches offered workers and escallating range of theoretical bribes ranging from a good meal to 1.5 million dollars. more than one third of respondants said they could be bribed. The theoretical bribes were put into every day terms. For example, ten percent said they would do it if their mortgage were paid off. Five percent would do it for a vacation or a new job. Four percent would sell out their employers data if their credit cards were paid off. The scary, bitter and sardonic group of two percent said they do it for a good meal. Two thirds of those that were willing to sell out said they needed 1.5 million dollars to do it.

From a company perspective, these are employees with real access to information you normally prize including:

– 83 percent have access to customer databases
– 72 percent have access to business plans
– 53 percent can get into accounting systems
– 37 percent have IT administrative passwords

The vast majority (about two thirds) said it would be “easy” to get this information out of the organization. Eighty eight percent of them think that the information they have access to is valuable.

The respondents said they felt less secure in their jobs and had less loyalty to the employers than they did a year ago.

For those that had access to customer information such as credit or debit card information, most said they were less likely to sell that, and 4 out of 5 flat out refused at any price. For the 20 percent that were willing to do it, the price was far higher than other types of data.

“GOVERNMENT SYSTEMS AND HOMELAND SECURITY –Malware Infects Computers at US Marshals Service and FBI (May 21, 2009) Part of the computer system at the US Marshals Service was shut down Thursday morning after malware was detected. The decision was made to shut down Internet access and some email service to prevent the spread of the malware while the infection is being cleared up. No data have been compromised. The agency was running Windows-based systems that had anti-malware software installed, but the software had not been updated in more than three years despite the agency having paid for upgrades that would have protected against the malware. In addition, the Windows Operating Systems did not have the relevant patches applied that would have prevented the malware from infecting the machines.”

Yes, even our own government agencies don’t apply security software patches and updates that are the most effective in preventing infection. They even had purchased the licenses, but hadn’t taken the time to apply the updates in more than 3 years. This is why when Verizon did their data breach study not too long ago, they found that nearly all vulnerabilities that were exploited had patches available at the time of the breach, and in nearly all cases, the patches had been available for many months.

Being secure is less and less about the available technology, but rather the policies and following procedures to keep what you have up-to-date. Technology is only as good as the overall security program that enables it through human management and upkeep.

http://www.msnbc.msn.com/id/30873876/

http://www.networkworld.com/news/2009/052109-marshall-malware.html?hpg1=bn

http://www.foxnews.com/story/0,2933,521040,00.html

“In the study we just released on financial institution data breaches between 200 and 2008 we analyze the breach sources.

Hacking accounts for 42 percent of incidents but 55 percent of records compromised. This is the largest percent of incidents and records which is why financial institutions have and continue to work hard to mitigate their exposure to hackers.

Theft constitutes 30 percent of incidents but only 3 percent of records compromised. The lesson to be learned here is that you will still have to disclose a breach even if few records are compromised. This is where encryption products are valuable. If the data is encrypted and gets stolen, data breach notification laws usually do not require disclosure (only 4 of 45 states require it). To see the individual states that have these laws and which ones require disclosure even when the data is encrypted, see the list in the study.

Malicious Insiders accounted for 15 percent of incidents but 24 percent of records compromised. This could be a bit misleading as well because often in the cases of theft, it could be a malicious insider and not known. So in reality this number could be higher, but is already quite staggering. Malicious insiders come in many varieties, however IT Admins are one of the leading causes.

3rd parties accounted for 8 percent of incidents and 11 percent of records lost. This (in my opinion) is a very high number. This can include malicious individuals employed by the 3rd party. It can be data disclosure by untrained or careless partner employees. It can also be hackers or other outsiders that compromise the 3rd party network and then gain access or compromise company systems through the access granted to a 3rd party. This is why 3rd party due diligence is so important right now and has been harped on by the regulators for the last couple of years.

Careless and untrained insiders account for a very small percentage of incidents and records compromised. Keep in mind that all these statistics are based on KNOWN data breaches (which some estimate at 11% of the total) and we only learn the number of records compromised in about two thirds of incidents. The number of incidents involving careless and untrained insiders is quite small (in my opinion) for a couple of reasons. First, financial institutions have some of the best policies, procedures, guidelines, and training of any vertical tracked. Second, they have been regulated, and actively audited for many years (unlike healthcare with HIPAA who has a higher percentage of these types of breaches). Third, companies are still sweeping incidents under the carpet…especially when there was a breakdown on internal processes. So we aren’t seeing the whole story here. As a result, they have fewer of these types of instances then any other vertical.”

Nearly half of all breaches exploited remote access and control systems. The report states that this is often remote access software (such as PCAnywhere, VNC, Terminal Services, etc.) that the company is leaving open for a 3rd party provider to access and use as needed.

Web applications and Internet-facing systems were also commonly used to exploit systems and networks. This was likely vulnerability exploit and exploit of misconfigured or neglected systems.

Wireless networks were used 9 percent of the time. And in 21 percent of the time, physical access was utilized to compromise the systems. This was most often malicious insiders and 3rd parties.

A new financial institution data breach study has recently been published by Kevin Prince of Perimeter eSecurity. It analyzes breaches between 2000 and 2008. While several aspects of the study deserve individual discussion and attention, it is interesting that Kevin Prince did a podcast interview with BankInfoSecurity. In the podcast Kevin answers questions regarding compelling aspects of the study, sources of data breaches, the cost of data breaches, lawsuits and how they relate to data security breaches. Kevin also gives 6 things any business can do to reduce their exposure to data breaches. He discusses the Heartland, RBS WorldPay and Hannaford breaches.

Error – Poor decisions, misconfigurations, omissions, non-compliance, process breakdowns, etc. Nearly 80% of breaches within this category are due to omission.

Hacking – Deliberate action against information systems.

Malcode – Malicious software or code found to contribute to breach in question. Malware was found on many more systems, but was only listed here if it contributed in some way to the breach under investigation.

Misuse – The use of organizational resources and/or priviledges for any other purpose than for what or how they were intended.

Physical – May include theft, loss, sniffing, system access, tampering, observation, or assualt/threat. This is quite low for several reasons. First, many breaches that are sourced from a physical threat do not need further investigation (of which this study represents). Second, this study makes a distinction of data at risk vs a data compromise. This is different from many other sites and studies where if the data is lost or stolen it is usually identified as a breach even if there is no evidence that the data was taken or used for malicious purposes.

Deceit – Deliberate misrepresentation including social engineering. Many of these cases also do not need further investigation which may be why the number is quite low.

Environmental – While these events are a greater risk to the availability of systems rather than the confidentiality of data, there are cases that include environmental as the source. One example listed is where a power outage caused a system reboot which defaulted a system back to an open configuration that was then exploited.

Data Breach Sources by Insider Error

It indicates that 62% of cases involve error and in 79% of those cases, it was insiders lack of doing something they should have (omission) that lead to the breach. Not following policies, procedures, and duties by those that usually know better is related to about 1/2 of all data breaches.