Expert insight LANDesk data breach

In response to the breaking news that LANDesk, systems management provider, suffered a data breach (more information here: https://krebsonsecurity.com/2015/11/breach-at-it-automation-firm-landesk/), @DFMag received the following insight from Thomas Capola, CEO of Sestus:

“How the LANDesk breach occurred is less important than having the proper tools to stop an unauthorized breach. It is essential to secure customer data in every application it resides in, from the inside out as well as from all the known access entry points. It’s increasingly difficult for IT professionals to secure every application’s entry point in real time.

“Vendor access portals have become the launch point for unauthorized access and hackers are increasingly leveraging employee and contractor access credentials to cause harm.

“Using multi-factor authentication eliminates the need for IT managers and security professionals to identify or even know about every possible application access point; it can help provide complete protection against unauthorized access at every point and notify managers of every access attempt. The result is that only authorized, credentialed, legitimate users are able to access applications and the data they contain.”

Five million customers affected by Vtech database hack – experts comment

The BBC broke the news earlier this afternoon that electronic toy and educational material seller Vtech has confirmed that about five million customers were affected in the data theft reported on Friday – http://www.bbc.co.uk/news/technology-34963686.

@DFMag received the following commentary from cyber security experts:

Mark Bower, global director at HPE Security:

“This breach exposes a weakness in regulations and programs to enforce them. There are regulations in place about the collection, storage and use of data involving children; but perhaps they need a rethink, as compliance may not be enough to protect today’s children’s data from advanced threats.

In the United States, the regulation is called COPPA “Children’s Online Privacy Protection Rule” which is regulated by the FTC. There are specific controls that must be adhered to in collecting and using children’s data, and several companies have been fined to date for non-compliance[1]. Breach of children’s data in itself has many serious risks, as you could imagine, and anyone collecting such data must take steps to protect it from advanced attacks as in this case.

The COPPA regulation relates to ensuring consent to collect data for the most part, but the rule is quite specific about limiting the disclosure of information. However, compliance to it may not take into account the inevitable breach scenario after which it’s too late. Programs designed to allow vendors to meet COPPA, like KidSAFE, don’t go far enough against modern attack vectors. KidSAFE requires only basic protections.

So, this breach shows how little the perimeter security controls offered by KidSAFE do in protecting the child’s data from breach risk. If the data itself is not secured, it is at risk of theft irrespective of access controls and firewalls. Breach after breach proves this beyond any doubt.

Perhaps this is a call to action to revise and enhance KidSAFE and COPPA in light of this breach. The risk can be mitigated easily today. Leading vendors who truly value the security of their customer, and more importantly sensitive children’s data, can get ahead of the attack and compliance challenges in one swoop by adopting modern data-centric security to secure the data in use, in motion and in transit – not just the increasingly translucent IT perimeter.

CHILDREN’S ONLINE PRIVACY PROTECTION RULE:

https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule

Reference to KidSAFE, that VTECH is a participant in:

https://www.ftc.gov/system/files/attachments/press-releases/ftc-approves-kidsafe-safe-harbor-program/kidsafe_seal_program_certification_rules_ftc-approved_kidsafe_coppa_guidelines_feb_2014.pdf

[1] The actual safeguards required will depend on a variety of factors, including (among other things) the sensitivity of the personal information stored about children, the amount of personal information stored, the method of storage, and the size of the company operating the site or service.”

David Gibson, VP of strategy and market development at Varonis:

“Hardly a day passes now without a breach of some sort, and it makes those of us embedded in the security and data protection world wonder when organisations will demonstrate a sense of urgency. Our observations suggest that businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data. SQL injection is something everyone needs to protect themselves against. It’s so critical that it’s the first module covered in a security course that Varonis and Troy Hunt teamed up to provide to the community – for free – here: http://info.varonis.com/web-security-fundamentals-course

There are so many basic vulnerabilities that organisations need to address – external and internal – and even when you get the basics right, you still need to recognise that attackers will get inside, and insiders that may “break bad” are already there. When you work under the assumption that your outer defences will be breached, it frames the data security challenge somewhat differently. Instead of pouring all of your energy into building a very high, very strong fence, spend more time making sure that once someone is inside, their activities will be observed and controlled. Just because you have a great lock on your front door doesn’t mean that cameras and motion sensors aren’t also a good idea. Similarly, monitoring user access and analysing it properly will help organisations identify attackers on their network and hopefully mitigate any damage.”

Gavin Reid, VP of threat intelligence, Lancope:

“It is terrible even thinking that these children have had their data exposed before they even know what it is. This is the new world order in privacy, where you should expect anything handed over to organisations to be exposed at some point.”

Expert Insight: DDoS Attack on the San Jose PD Website and IT Assets

In response to the news that a DDoS attack has been launched against the San Jose PD and their IT assets (see full story here: http://www.informationsecuritybuzz.com/articles/ddos-attack-on-the-san-jose-pd-website-and-it-assets/), Dave Larson, chief operating officer at Corero Network Security, offered the following brief insight to @DFMag regarding the motives and tactics behind DDoS attacks:

“Motivation for DDoS attacks can be wide ranging. Regardless of the motivations, this DDoS attack event highlights the need for a proactive defence woven into enterprise IT infrastructure, upstream hosting and internet service provider networks, in order to protect our growing dependence on online business and activity.

“Further, DDoS attacks are often used as a distraction technique for ulterior motives. They’re not always intended for denying service, but rather as a means of obfuscation, intended to degrade security defenses, overwhelm logging tools and distract IT teams while various forms of malware sneak by.”

Ex-Goldman Sachs employee charged with insider trading based on stolen email information – expert comment

It was reported yesterday that a former Goldman Sachs employee has been charged by the Securities and Exchange Commission with making nearly half a million dollars by stealing non-public information from the bank’s email system and using it to make illegal trades ahead of client mergers.

Yue Han, a former associate in Goldman’s compliance department, faces insider trading charges over the accusation that he netted more than $450,000 in illicit profits thanks to information gleaned from emails from and to investment bankers.

Commenting on this, Mark Bower, global director at HPE Security, told @DFMag:

“The case to use powerful internal email encryption to separate unauthorised users from sensitive financial and market data is very strong for avoiding insider risks like this. Today’s message encryption can enable email confidentiality that’s end-to-end secure from creation to archive, transparent in use, and maintains protection of content in inboxes in the enterprise and cloud without compromising the discovery and recovery common in SEC-regulated financial services businesses.

When streamlining compliance processes, there is the double benefit of mitigating the contemporary risk of “internal” email inside the firm becoming inadvertently “external” through the loss and theft of today’s mobile endpoints across the financial interaction value chain, and enabling secure customer services.”

Protecting oil and gas industry from email threats

By Doug Rangi, OPSWAT

According to a recent report from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the energy sector, including oil and gas, is facing a significant rise in cyber attacks. There are a number of reasons that this industry is an ideal target for attack. Oil and gas pipelines are part of a country’s critical infrastructure, and they are an ideal target for those looking to cause disruptions in critical services for political or military motives. The industry is highly competitive, as both private enterprises and countries engage in aggressive market share tactics, often with global implications. Intellectual property is highly valued, making it an attractive target for cyber-espionage. Finally, the sheer value of the oil and gas industry’s commodities makes it an especially lucrative target. With producer and broker transactions ranging in the millions, one carefully crafted attack can lead to a payout that could support the hacker’s operations for months, or even years.

Spear phishing attacks are socially engineered emails that try to trick employees into triggering network breaches, conducting fraudulent wire transfers, or even aiding in corporate espionage. Regardless of motivation, the high volume of business communications conducted via email within this industry gives hackers quite the window of opportunity to intercept sensitive information through spear phishing, including log-in credentials, reserve records, order forms, broker correspondence, and other documents which can later be used to defraud unsuspecting industry professionals.

This article describes spear phishing attacks that have occurred in various sectors of oil and gas, along with recommendations on how the industry can boost its cyber security and specifically adopt new preventative measures to protect against these and other email-borne threats.

1. Government Warnings: Critical Infrastructure Disruption

Politically-motivated hacker groups sometimes target state-owned facilities by breaching a point within the supply chain in order to hinder the nation’s ability to obtain, transport, and store energy resources. Other rogue political groups use phishing attacks to gain access to privileged information to pose as corporate decision makers in order to delude, debunk, or destroy a nation’s oil and gas industry. A data breach at any point in an energy supply chain, or within a bureaucratic organisation, can cause severe damage to infrastructure, put public safety in jeopardy, or even sway the balance of international negotiations.

For instance, new evidence showed that a Turkish pipeline explosion that occurred in 2008 was caused by hackers who injected malware into the system through the pipeline’s wireless network. The pipeline was thought to be one of the most secure in the world, but hackers were able to successfully destroy the pipeline by injecting malware (Brocklehurts, 2014). Although the malware used in this attack wasn’t delivered via email, it does provide a stark warning about the physical damages that could be inflicted via cyber-attack.

United States
In April of 2012, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a statement in its monthly report regarding its investigation of a year-long campaign to infiltrate multiple natural gas pipelines. ICS-CERT analysis found that the malware used and the artefacts associated with these cyber-attacks were tied to a single spear phishing campaign, from a single source or group, which had been attempting to disrupt the control systems of the pipelines (ICS, 2012). Approximately 200,000 miles of these natural gas pipelines are responsible for over 25 percent of the nation’s energy supply, and so threats to this infrastructure are taken very seriously by the federal government.

Norway
In August of 2014, Norway’s national security authority (Nasjonal Sikkerhetsmyndighet – NSM) stated that 250 oil sector organisations may have been breached by hacker groups while 50 of those organisations had confirmed data breaches. All of the breaches were reported to be the result of targeted spear phishing attacks in 2011. When asked to comment on the largest breach in Norwegian history, NSM Director Kjetil Nilsen told a local publication that, “The ability to attack [networks] is increasing and there is great interest for our data”.

The main source or method of the 2014 attacks remains unclear, but apparently this type of attack has happened to Norwegian oil companies before. Three years ago, hacker groups used spear phishing emails to obtain industrial drawings, contracts, as well as log-in credentials (Ibid).

2. Laziok Trojan: Corporate Espionage

Corporations in highly competitive industries may have incentives to obtain sensitive trade information about their competitors in order to gain a strategic advantage. In March of 2015, Symantec reported that hackers had been targeting energy industry workers with malicious spear phishing emails. The campaign primarily targeted OPEC members, specifically the UAE, Kuwait, and Saudi Arabia, but also affected the United States, UK, and Uganda. The intended targets and method of attack led those at Symantec to believe that industrial espionage was the motive, stating that “whoever is behind these attacks may have a strategic interest in the affairs of the companies affected” (Hacket, 2015). The Trojan used in the attack, Laziok, masqueraded as an Excel spreadsheet in order to spread strains of malware designed to observe and report device data. Once downloaded, the malware would steal sensitive information such as system configuration data and send it back to its source. The configuration data told the source whether or not the infected device was a valuable target. If the hackers decided that the device was worth targeting, they would then forward additional malware to that device in order to strip it of more information. In this case, the Laziok Trojan was followed by Backdoor.Cyberat and Trojan.Zbot.

Once the Laziok Trojan was able to infect, inspect, and transmit data, it opened up new backdoors on the system in case additional breaches were needed in the future. In order to repair the damage done, administrators would have to close each new backdoor in order to limit future exploits (Hacket, 2015).

3. The Phantom Menace

Fraud-focused targeted attacks impacting oil and gas organisations usually focus on the big-ticket transactions inherent to the industry, and seek to capitalise on their efforts by deluding the victims into sending large deposits for oil orders. Panda Security, a leading computer software company in Spain, investigated a targeted attack that used a fake .pdf containing compressed files, encryption instructions, and files designed to modify the registry of the device each time the system restarted (Operation Oil Tanker, 2015). The file, later referred to as the Phantom Menace, was a self-extracting executable capable of bypassing the latest malware behaviour filters and leaking sensitive personnel information and corporate resources in a text file back to the original sender. This attack was very troubling because of its ability to remove traces of its actions from the registry, allowing it to do the damage and leave little to no clues. With the sensitive information and resources in hand, hackers were easily able to pose as legitimate oil producers offering extremely competitive oil prices, prices that seemed especially attractive given Saudi Arabia’s dominance of the market at that time. The Phantom Menace hackers used the order forms and business insights to craft an illusion that they were, in fact, a legitimate oil producer. The oil brokers were then prompted to pay an “advance fee” in order to finalise their crude and refined orders. However, once the advance fee or deposit was sent, neither the oil nor the contact at the oil producer could ever be found.

Even if oil brokers, producers, and distributors use antivirus, anti-malware, and the necessary endpoint protections, they are still vulnerable to socially engineered attacks via email. The human component of receiving and opening a seemingly harmless email can leave an entire organisation’s resources and strategies open to prying eyes. Those at Panda Security said that for those in the oil and gas industry:

The most concerning fact to the antivirus research community and those at Panda Security was not only that the Phantom Menace was able to avoid detection, but also that it was able to extract all the information it needed without utilising any malware. The only point of prevention hinged on the ability of the user to somehow know that the senders were impostors. However, there are few security solutions available to comprehensively protect against a socially engineered attack like the Phantom Menace.

Email Protection Solutions

Phishing attacks against oil and gas can have various motives, from committing espionage and fraud to causing critical infrastructure and supply chain disruptions. Though there may not be a single silver-bullet solution to secure an organisation’s network from all of these potential motives, protecting the organisation from targeted attacks is not impossible, and it doesn’t have to cost a fortune.

Investing in advanced security architecture now may save a corporation from targeted attacks in the future. As the risks associated with not investing in one can lead to losses in revenue, market share, and reputation, the costs of recovery far outweigh the initial investment in preventative measures.

In order to combat the growing challenges of protecting against orchestrated email scams, oil and gas professionals should look for email security systems that use advanced threat detection and prevention, and are equipped to detect spear phishing scams. Traditional email security products are typically not designed to detect and block spear phishing attacks, and most spam filtering products rely on prior detection and blacklists in order to flag an email as spam. Also, many spear phishing attacks make use of unknown threats or zero-day vulnerabilities that not all anti-malware engines will be able to detect. Organisations can improve their email threat protection by taking the following precautions:

Use Multiple Anti-malware Engines:
Multi-scanning leverages the power of the different detection algorithms and heuristics of multiple engines, therefore increasing detection of both known and unknown threats, as well as protecting against attacks designed to circumvent particular antivirus engines. In addition, since anti-malware vendors address different threats at different times, using multiple scan engines will help detect new outbreaks much faster. It is important to distinguish between multi-scanning and simply using multiple antivirus engines. When using multi-scanning technology, performance is greatly enhanced and potential conflicts between different engines are avoided.

Sanitize Email Attachments:
Many spear phishing emails include malicious Word or PDF attachments, so as a precautionary measure it is highly recommended to sanitise incoming email attachments in order to remove any embedded threats that may go undetected by antivirus engines.

Set Attachment Limits:
By blocking potentially dangerous email attachment types such as .exe files and scripts, it is more difficult for malware to spread. It is also important to verify the attachment file type so that .exe files that are renamed as .txt files do not get through the company’s filters.

Enforce an Email Content Policy:
With user-based email content policies, such as keyword and attachment filtering, organisations can ensure that no confidential content or intellectual property is sent out through email.

Implement an SFT Server:
A secure file transfer server allows an organisation to easily send and receive large and confidential files ensuring trackable, instant, and secure delivery. By encrypting files and implementing user authentication, the interception of potentially valuable information can be prevented.

Utilize Advanced Threat Detection and Prevention:
Ultimately, organisations need to make sure their email security system is backed by powerful anti-malware engines, as the performance of the email security program will hinge on the engine’s ability to detect, prevent, sanitise, or quarantine the suspicious email or attachment.

Scan Running Processes on Endpoints:
If email-borne threats have already entered your network, scanning running processes and DLLs on both in-network and remote endpoints helps to identify malware before it spreads.
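The file-type verification advised under “Set Attachment Limits” above, as an added example that is not OPSWAT’s code: the decision is made from the attachment’s content signature rather than its filename, so an executable renamed .txt, a double-extension name like invoice.pdf.exe, or a self-extracting executable posing as a PDF is refused. The blocked-extension list, signature table and sample attachments are constructed for illustration.

```python
"""Attachment policy check: blocked file types plus content-based type verification.

Constructed example (not OPSWAT's code). The type is detected from magic bytes,
so a file named 'report.txt' that starts with an MZ header is treated as an
executable, not as text.
"""
from dataclasses import dataclass
import os

# Extensions the policy refuses outright (executables and scripts). Constructed list.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jar", ".msi"}

# Magic-byte prefixes for the container types we care about (prefix -> canonical type).
SIGNATURES = [
    (b"MZ", "exe"),                                # Windows PE / DOS executable (also SFX archives)
    (b"\x7fELF", "elf"),                           # ELF executable
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                        # zip container: also docx/xlsx/jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls (OLE compound file)
    (b"Rar!\x1a\x07", "rar"),
]

# What the content of a given extension is allowed to look like.
EXPECTED_TYPES = {
    ".txt": {"text"}, ".csv": {"text"},
    ".pdf": {"pdf"},
    ".docx": {"zip"}, ".xlsx": {"zip"},
    ".doc": {"ole"}, ".xls": {"ole"},
    ".zip": {"zip"},
}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    detected: str  # content type as detected from the bytes, not from the name


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, ignoring the filename."""
    for prefix, kind in SIGNATURES:
        if data.startswith(prefix):
            return kind
    # Crude text check: no NUL bytes and almost entirely printable/whitespace in the first 512 bytes.
    sample = data[:512]
    if sample and b"\x00" not in sample:
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample)
        if printable / len(sample) > 0.95:
            return "text"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> Verdict:
    """Apply the policy: blocked extension, disguised executable, extension/content mismatch."""
    ext = os.path.splitext(filename.lower())[1]   # last extension only, so 'a.pdf.exe' -> '.exe'
    kind = sniff(data)
    if ext in BLOCKED_EXTENSIONS:
        return Verdict(False, f"blocked extension {ext}", kind)
    if kind in ("exe", "elf"):
        return Verdict(False, f"executable content disguised as {ext or 'no extension'}", kind)
    expected = EXPECTED_TYPES.get(ext)
    if expected is not None and kind not in expected:
        return Verdict(False, f"content type {kind} does not match extension {ext}", kind)
    return Verdict(True, "ok", kind)


if __name__ == "__main__":
    # Constructed sample attachments: a genuine text note and an executable renamed to .txt.
    samples = [
        ("reserves.txt", b"Quarterly reserve figures\nField A: 1.2 MMbbl\n"),
        ("reserves.txt", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00" + b"\x00" * 54),
        ("invoice.pdf.exe", b"%PDF-1.4\n"),
        ("order.pdf", b"PK\x03\x04\x14\x00\x06\x00"),
    ]
    for name, data in samples:
        v = check_attachment(name, data)
        print(f"{name:18} -> {'ALLOW' if v.allowed else 'BLOCK':5} ({v.reason}; detected={v.detected})")
```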

By having these added layers of security incorporated into the organisation’s email security infrastructure, those in the oil and gas industry can better protect themselves from targeted email attacks, and not risk losing millions to fraud, or having to conduct costly image campaigns.

Hilton Hotels admits hackers planted malware and stole customer card details – comments

Hilton Worldwide issued a statement confirming that malware had found its way onto point-of-sale systems and stole payment card information.

That stolen information includes cardholder names, payment card numbers, security codes and expiry dates. However, addresses and PINs have not been exposed. Hilton isn’t currently sharing any information about how many or which hotel locations may have been affected by the breach, but is telling customers to review their payment card statements – particularly if they used their cards at a Hilton Worldwide hotel between November 8 – December 5, 2015 or April 21 – July 27, 2015.

Mark Bower, Global Director of Product Management, Enterprise Data Security for HPE Security, commented:

“Once again with last night’s news of a payment card data breach at Hilton Hotels, we see that hospitality service providers face extraordinary challenges with customer data security at point of sale (POS).

Card-on-file transactions are common, meaning card data is often stored longer than typical, to maintain customer bookings and for resort service charges after check-in. Online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise. Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information.

However it’s important to note, especially going into the busy holiday season, that hospitality organisations, as well as retailers and any businesses using POS systems, can avoid the impact of these types of advanced attacks.

Proven methods are available to neutralise this data from breaches either at the card reader, at the POS, in person, or via web booking platforms. Leading travel-related organizations, airlines, and travel booking aggregators have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organisation handling card payment data.

Point of sale (POS) systems – what consumers often call the checkout system – are often the weak link in the chain and the choice of malware. They should be isolated from other networks, but often are connected. A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.

The risk of theft from point of sale (POS) malware is totally avoidable. The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost-reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. Whether it’s GammaPOS, Abaddon, Dexter or other variations of malware designed to steal clear data in memory from POS applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale, the attackers get only useless encrypted data. No live data means no gold to steal. Attackers don’t like stealing straw.”

Starwood Hotels & Resorts admit credit card breach

Starwood Hotels & Resorts Worldwide disclosed on Friday that malware designed to help cyber thieves steal credit and debit card data was found on point-of-sale systems at some of its hotels. This announcement makes Starwood the latest in a recent string of hotel chains to acknowledge credit card breach investigations, and comes only days after the company announced its acquisition by Marriott International. Starwood published a list of more than 50 of its hotel properties that were impacted by the breach.

Commenting on this, Ryan Wilk, director at NuData Security, said:

“When we set out on vacation, we like to think we’re getting away from it all and our only worry should be making flight connections. But hackers don’t take vacations, and they are just as excited about your vacation as you are. Why? Because while you’re enjoying yourself, they will be too when they skim your credit cards while you’re there.

On Friday, Starwood Hotels & Resorts disclosed that malware designed to help cyber thieves steal credit and debit card data was found on point-of-sale systems at some of its hotels. This credit card breach announcement is just one of a spate of similar hacks that have occurred over the last year or so targeting hotels.

While we can’t know for sure what hackers’ long-term plans are, it does seem credible that they are targeting specific industries that likely have the same exploits in order to maximise their efforts before moving on to the next industry. Once they get the card numbers, hackers then sell them on the Dark Web, use them directly in credit card cycling scams, or tie them to other data leaks to create full personas ripe for identity theft or fraudulent account creation, likely contributing to the overall increase in account takeovers we’ve seen, an over 100% increase since February 2015.

If the information is out there, it’s only a matter of time before it’s tested and used. Instead of waiting for that shoe to drop, or bemoaning how frequent these thefts are as if it’s simply the unavoidable cost of doing business in the digital age, it’s time to up our collective game. Behavioural analytics, using passive behaviour detection that doesn’t rely on personally identifying information, protects customers’ transactions and companies from fraud with the same surety of knowing you locked the front door before you left on holiday.”

Extortionists Target Bitcoin News Sites

News broke yesterday of extortionists attacking Bitcoin news sites using DDoS and demanding a ransom before sites could be brought back online. The sites have responded by issuing a bounty for information leading to the identification of the culprits – see the full story here: http://www.corero.com/blog/677-corero-observes-surge-in-ransom-driven-ddos-attacks.html.

@DFMag received this insight from Dave Larson, CTO and VP Product for Corero, on the uptick in ransom-related DDoS activity. “The collateral damage associated with successful DDoS attacks can be exponential. When service providers lack proper protection mechanisms to defeat attacks in real-time, the costs associated with the outages are wide ranging and the impact to downstream or co-located customers can be devastating.” Dave adds, “Further fueling this epidemic is the payout on these ransom related threats. DDoS attack tools are easy to come by and perhaps even easier to use. This is an easy and anonymous recipe for anyone looking to make a quick buck, and the victims are proving this every day. Properly prepared organizations can stem this tide by refusing the ransom requests, secure in the knowledge that they are protected and can withstand the storm.”

Tips To Ensure A Painless, Profitable Black Friday

By: Ryan Wilk – Director at NuData Security

Keep your customers out of the in-store bedlam and safe online. E-tailers that use behavioural analytics and passive biometrics already know their genuine, trusted users: give those users an added discount or lighter authentication rules – make them VIPs for the day!

Don’t look for the needle in the haystack; focus on all that good hay instead! Passive biometrics and behavioural analytics lets you focus on the good users, the ones driving your business. Fraud will reveal itself.

Don’t overlook gift cards! Guessing gift card numbers or cycling through many gift cards is a sign of fraudulent activity. Treat them like you would any other payment method.

Watch out for “aged” online accounts that have never been used before and suddenly become active. Cybercriminals are patient, and create accounts that sit dormant waiting for the perfect time to strike! They could have been planning this day for a long time.

E-tailers still have time to audit their website security in advance to test for load, security loopholes and account protection. Go in knowing what your system can handle and prepared for contingencies!

After the huge spate of breaches we saw this year, expect that stolen account credentials will be used to create new accounts in preparation for the best deals. Fraudsters will use the chaos to cloak their fraudulent activities.

As mobile transactions continue to gain market share, cybercriminals will develop sophisticated strategies to target iOS and Android software for personal gain. Retailers accepting mobile transactions must have layered, preventative measures in place to differentiate between authentic and fraudulent transactions and protect against cybercrime.

Not only do online merchants need to be prepared for fraud activity during the peak online shopping days, but so do consumers shopping online. On Cyber Monday law enforcement agencies globally will be busy seizing domain names used by websites selling counterfeit goods. Consumers are also more likely to see phishing attacks, malicious pop-up ads and other scams, as fraudsters know consumers are spending more time looking for great deals on Black Friday and Cyber Monday.

Shop only with merchants you trust! Trust goes both ways – shop at retailers that offer a passive, friction-free experience. Why should you have to jump through hoops to prove who you are?

Practitioners Give Global Cybersecurity a “C” According to New Research

Tenable Network Security®, Inc., today released findings from the 2016 Global Cybersecurity Assurance Report Card, in which the world’s information security practitioners gave global cybersecurity readiness a “C” average with an overall score of 76 percent.

The 2016 Global Cybersecurity Assurance Report Card tallied responses from six countries and seven industry verticals, and also calculated a global score reflecting the overall confidence levels of security practitioners that the world’s cyber defenses are meeting expectations.

According to survey data, global cybersecurity earned an overall score of 76 percent—an underwhelming “C” average. Nearly 40 percent of respondents said they feel “about the same” or “more pessimistic” about their organizations’ ability to defend against cyber attacks compared to last year. When asked about the biggest challenges facing them today, the practitioners cited an overwhelming threat environment as the biggest challenge, while reporting relative confidence in the effectiveness of cybersecurity products.

“What this tells me is that while security innovations solve specific new challenges, practitioners are struggling to effectively deploy an overarching security strategy without gaps between defenses,” said Ron Gula, CEO, Tenable Network Security. “It’s no surprise that many in the profession feel overwhelmed by the increasingly complex threat environment. The recent, unprecedented cyberattacks have disrupted business for leading global companies, infiltrated governments and shaken confidence among security practitioners. With so much at stake, organizations need to know whether their security programs are effective or if they are falling short.”

Key Global Findings

Cloudy days ahead – Respondents consistently cited cloud applications (graded D+) and cloud infrastructure (D) as two of the three most challenging IT components for assessing cybersecurity risks.

A mobile dilemma – Mobile devices (D) also were reported as particularly challenging when assessing cyber risks. The inability to even detect transient mobile devices in the first place (C) was another big challenge for the world’s security practitioners.

Uninvested board members – On the upside, respondents largely believe they have the tools in place to measure overall security effectiveness (B-) and to convey security risks to executives and board members. On the downside, respondents question whether their executives and board members fully understand those security risks (C+) and are investing enough to mitigate them (C).

Overall Cybersecurity Assurance Report Cards by Country

Australia: D+ (69 percent)
Canada: C+ (77 percent)
Germany: C- (72 percent)
Singapore: C- (72 percent)
United Kingdom: C (74 percent)
United States: B- (80 percent)

Overall Cybersecurity Assurance Report Cards by Industry

Education: D (64 percent)
Financial Services: B- (81 percent)
Government: D (66 percent)
Health Care: C (73 percent)
Manufacturing: C (76 percent)
Retail: C+ (77 percent)
Telecom & Technology: B- (81 percent)

“These index scores reflect a startling lack of ability to detect and assess cyber risk in both cloud infrastructure and applications as well as mobile devices,” said Gula. “Another concern is the uphill battle security professionals face in mobilizing their organizations’ leadership to prioritize security. There’s a disconnect between the CISO and the boardroom that must be bridged before real progress can be made.”

Original research for the 2016 Global Cybersecurity Assurance Report Card was conducted by CyberEdge Group, a research and marketing firm serving the security industry’s top vendors.

To view or download the full report and survey details visit http://tenable.com/2016-global-cybersecurity-assurance-report-card/.
