Computer security Archives - Defence Intelligence Blog

Cyber Risk No. 3: Direct Loss From Malicious Acts

English: Outside the fence, Menwith Hill Spy Base This photo was taken on the ‘Foil the Base’ demonstration in March 2003. Founded in the 1950s (RAF) Menwith Hill has been operated since 1966 by the United States’ National Security Agency (NSA), and has grown to become the world’s largest intelligence-gathering ground station outside the US. (Photo credit: Wikipedia)

In previous posts, we’ve covered how loss or theft of confidential information and loss of reputation can affect the cyber security of a 21st Century business. Today, we turn our attention to direct loss from malicious acts (i.e. hackers, malware).

So many businesses are open to this risk because they don’t know how to protect their security, leaving them vulnerable to malware threats that can quickly cause advertisers, partners, and customers to abandon ship.

Perhaps scariest of all, is that no business is immune.

Take the recent case of Tor, the encrypted web security browser designed to allow businesses and privacy-concerned users to browse the Internet without fear of reproach. Tor had given so many people peace of mind until a recent malware attack, which many are attributing to the National Security Agency (NSA), toppled user confidence.

Researchers claim that malware responsible for bringing down Freedom Hosting, the biggest service provider on the anonymous Tor network, was hard-coded to send information to the NSA, reported TechWeek europe. In one fell swoop, the product became forever in question.

According to Verizon’s 2012 Data Breach Investigations Report, 69% of data breaches in 2012 were attributed to malware infections. 174 million data records were lost in 855 separate incidents. The rate of infection grows each year. McAfee, in a The State of Malware 2013, reported they cataloged 100,000 new malware samples each day.

So what does data theft malware really cost us? Globally, the cost of a data breach averaged $136 per compromised record, up from $130 the previous year (2013 Cost of a Data Breach: Global Analysis, Ponemon Institute and Symantec). With even 120 million data records (69% of the total) from 2012, that’s over $16 billion in loss from malware data breaches.

Here are two things to consider as you attempt to bring security to your business.

There are many types of malware that can threaten your system’s security, and they’re constantly evolving. You must invest your cyber security dollars with a company that is constantly aware of the changing landscape. Defence Intelligence’s Nemesis 2.0 uses advanced network behaviour analysis in conjunction with real time intelligence to prevent and detect system compromise on your network.
Attacks are inevitable. Security experts like to say that there are now only two types of companies left in the United States: those that have been hacked and those that don’t know they’ve been hacked. The news is full of stories of large and small companies that are compromised. Don’t be one of them.

Is Anybody Listening? The Struggle for More Security

Communication (Photo credit: P Shanks)

You might know the immense value of IT security, but you probably know at least a few professionals who don’t. Apparently, communicating the importance of security is a difficult task for many people, so you’re not alone if you find this hard to do.

It can be tempting for some senior executives to only look at the cost of security programs, while others are ambivalent toward their effectiveness. But either way, the true value of IT security is not getting across, and that’s a breakdown in communication. In fact, according to Infosecurity Magazine, the authors of a study done by the Ponemon Institute for Tripwire claim, “As business leaders are required to disclose more about their organization’s security risks, those business-oriented security executives with good communication skills will be in even greater demand.”

The study – which involved IT professionals from both the US and Britain – found that approximately half of those surveyed admitted they were ineffective at letting management know about security risks. Many say it’s because the security metrics are too complex for their bosses to understand. The result is that companies are allowing security threats to stick around because management simply doesn’t know about their severity.

But with increasing dependence on technology, security risks are not going away any time soon. In fact, there are more now than ever, which means it is increasingly important for security professionals to properly communicate the risks to senior executives. Getting the point across might require the use of graphs or even the ever-popular infographics, but getting management to comprehend the value of IT security is worth the extra effort.

Cybersecurity as Investment.

Information Security Wordle: RFC2196 – Site Security Handbook (Photo credit: purpleslog)

Many companies have experienced a threat to their cybersecurity at some point. It’s very likely that your own company has been breached, whether you are aware of it or not. Cybersecurity is an investment in protection for your company network but it can also be a money making investment as well. Money Morning has been explaining to investors why it is among the top investments available these days.

Hackers currently steal about $250 billion annually in intellectual property. Experts have estimated that corporations will spend more than $65 billion in information security by the end of 2013. That amount is set to increase to more than $90 billion by 2017. It’s no wonder that General Keith Alexander, Director of the NSA, has described cyber threats as “the greatest wealth transfer in history.”

According to MSN Money, threats to cybersecurity are not going away in the near future, which is why investing in this industry is a wise idea. One reason these threats will likely remain is an increased number of network vulnerabilities. Other factors that make companies vulnerable to cyber attacks include the increased use of the cloud for storage, the prevalence of mobile apps, and the trend for employees to use smartphones for work. As the stakes get higher and there is more money to be made on each deal, hackers are more willing to customize attacks to their targets, increasing their effectiveness.

According to research firm Gartner, about 80% of the 2,000 biggest companies in the world will soon begin strengthening cybersecurity efforts. Even the U.S. government plans to spend more on security measures. All of this means more money going around in the cybersecurity game and a chance for making two kinds of investments, both of which will serve to secure your future.

Defence Intelligence is a growing information security firm looking for investors to fund new cybersecurity research and launch new security tools and services. Contact us to discuss investment opportunities or for a free trial of our Nemesis or Harbinger services.

The evolution of the CIO and CISO

The role of the Chief Information Officer
was first created in the 1980s; before that the responsibility of
information security belonged to the Chief Financial Officer. As technology and society changed over the
years so has the role of the CIO in organizations.

The traditional role of the CIO and CISO is described by Bill Brenner, the senior editor at CIO magazine as “over-glorified
IT security administrators, babysitting the firewalls, arguing with software
vendors over botched antivirus signature updates and cleaning spyware off of
infected laptops.”

Since then the CIO has taken on a more
prominent role and become a central position in business operation. Expected to
be knowledgeable about business and up to date with technology, this makes the
modern day CIO a kind of Superman. This
explains CIOinsight writer Allan Alter’s discovery that the majority of CIOs
have a mixed background in technology and business.

Paul McDougall, a writer for Information
Week, discusses how the rise of the Internet economy has created a need for
CIOs to play a central role in organizations. The Internet economy has made IT
departments more central with the added pressure to deliver more results with
fewer resources. In a blog entry on Information Week, Cisco chief technologyofficer Padmasree Warrior explains the new expectations for the IT department:

“CEOs now expect IT to provide profitable growth and
business agility. The role of the CIO is changing.”

This significant shift in thinking is also
being faced with the emerging challenges of mobile integration and cloud
computing placing pressure on the CIOs to integrate more mobility into the
daily operations of the business environment.

With all of these new challenges and
demands it is necessary for the CISOs role to change from reactively responding
to security threats towards a more intelligent and holistic risk management
style.

A study conducted by the IBM Center for
Applied Insights called Finding a strategic voice: Insights from the 2012
IBM Chief Information Security Officer Assessment, found that security professionals are under intense
pressure to protect the firm’s most valuable assets; money, customer data, and
intellectual property. IBM created a list of mature security practices of
influencers in a variety of organizations.

Security is
seen as a business (versus technology) imperative.
The use of data-driven
decision making and measurement
Sharing
budgetary responsibilities with the C-Suite

“This data painted a profile of a new
class of CISO leaders who are developing a strategic voice, and paving the way to a more proactive and integrated stance on information security,” said
David Jarvis, author of the report and senior consultant at the IBM Center for
Applied Insights. “The path of the CISO is now maturing in a similar
pattern to the CFO from the 1970s, the CIO from the 1980s – from a technical
one to a strategic business enabler. This demonstrates how integral IT security
has become to organizations.” [v]

The role of the CISO in organizations will
continue to change over the next few years.
It’s apparent that the CIO and CISO have a crucial role that needs to be
recognized and given proper authority to put into place their in depth security
plans. This will help avoid incidents such as the recent breach at the South
Carolina Department of Revenue. We’ll follow this discussion up in our
subsequent blog. Do you agree that while a good start there is room for improvement?

By Sarah Raphael

Cyber Security Made Easy – Part 5

National
Cyber Security Awareness month is coming to a close. We’ve already touched on
best practices for email and Twitter direct message links, search engine
searches, WiFi, and passwords. For our
send off of the month, we offer the following final tips:

Update
your antivirus and all other programs (Microsoft, Adobe, Java, etc.) when you
receive update notifications. (Double check with the software directly that it
requires an update as rogue pop ups can mislead you into downloading unwanted
software.)
Use
well formed passwords on your computer, laptop, smart phone, and tablet. Not
only will this help you avoid being hacked by some cyber-criminal but it can
also save you from family or friends tweeting or posting how much you love Rick
Astley. (Don’t ask.)
Backup
your data on a regular basis. This can be with an external hard drive or a
cloud data storage plan. Don’t wait until it’s too late because we WILL say “I
told you so.”

Angry Birds Space – 082/366 (Photo credit: Frikjan)

Be
thoughtful when adding new apps; don’t add unnecessary apps to your phone. Is it a known trusted source for an app?
Don’t forget that apps even from trusted sources are used to collect data from
your laptop, smart phone, and tablet. A recent article in New York Times’ discusses how this is legally still a grey area. Applications that seem so handy and innocent such as Angry Birds or the one that turns your phone
into a flashlight, are also collecting personal information, usually the user’s
location and sex and the unique identification number of the smartphone. What
is even more unsettling is that “in some cases, they cull information from
contact lists and pictures from photo libraries.” So think twice before
downloading that app.

Closing
our series so close to Halloween it seems fitting to mention a scary statistic:
In a recent survey by AT&T and the Polytechnic Institute of New York University, 83% of small businesses allow employees to use personal devices for
work.

We hope we’ve contributed to your
awareness of security this all important month. Be sure to use what you’ve
learned here all year-round. Be safe out there. The Internet is a spooky place. Why not check out our complimentary Nemesis trial?

Cyber Security Made Easy – Part 2

Image representing Google as depicted in Crunc...

Image via CrunchBase

There
is encouraging news on the horizon for those in the professional security
field. A recently published survey by NCSA and APWG confirms a shift in
attitude towards online security. Not only are people taking it seriously, but
they also view it as their personal responsibility and welcome the opportunity
to learn more. Below are a few key statistics from the survey.

96
percent of Americans feel a personal responsibility to be safer and more secure
online.

93
percent believe their online actions can protect not only friends and family
but also help to make the Web safer for everyone around the world.

60
percent believe that much of the online safety and security falls under their
own personal control, and consistent with those feelings, 90 percent said they
want to learn more about keeping safer on the Internet.

Making
it easier to educate those 90 percent, here’s our overview on how to safely
search the Internet.

What
could possibly go wrong when searching online with a popular search engine? As
with everything if you do it absent-mindedly and click on the first item that
comes up you might end up with more than just the answer to your search, you
might end up with an infected computer.

You
should be able to answer yes to each of the questions below if not then don’t
click on the link.

Is the text that shows up in the preview for the page grammatically correct?
Is the domain a name that you recognize?
Does the domain of the link end with a country tag that has a history of NOT being associated with malware?For
the complete list of country abbreviations you can source on Wikipedia.
Does
the domain name and the text describing the page seem logical?

Warning:
don’t click on a link just because it piques your interest because it seems
such a random response to your search.

Cover of Mark Twain

Top tips from Google include:

Simple one or two word searches give you the broadest results.
Use common terms for example instead of my head hurts use headache.
Use quotation marks around your search for an exact search. For example searching for “Samuel Clemmens” will not include results for Samuel Langhorne Clemens or Mark Twain.

The
best and easiest advice to give is limit your searching to trusted sites, not
search engines. If you always get your news from three places, go to those
places first when looking for news. If you usually rely on Wikipedia for your
facts, go to Wikipedia and search there. Find some safe zones that you know and
trust and stick to them. It’s when you stray and explore that you can get lost.

Our next blog in this series we’ll look at using WiFi.

Related articles

Related articles

Related articles