Month: December 2015

In light of the news that the National Crime Agency has arrested 682 people for downloading child abuse images, Christian Berg, CEO of NetClean provided @DFMag the following comments;
 
“Tracking down child sexual abuse is like a cat and mouse game. But advancements in image tracking technology have significantly sped up the time it takes for police to stop perpetrators and organised criminal gangs from spreading indecent images online, thus minimise further abuse from happening. Griffeye Analyze is the technology behind the Child Abuse Image Database (CAID), which has aided the NCA-led operation in the recent arrest of 682 people who have downloaded child sexual images in the past nine months. 
 
“Indecent images are circulated and download on the Internet, frequently accessed via a corporate or public Wi-Fi network. As many as two people in one thousand watch child sexual abuse material during working hours. A shocking revelation, yet many people still refuse to wake up to the fact that it’s happening right here, right now. 
 
“Businesses and public sector organisations can stop further abuse from happening, by ensuring they have policies and procedures in the workplace to monitor for indecent child abuse content in circulation. Once suspicious material is identified on the corporate network, it must be reported to the authorities for further investigation.” 

(265)

Researchers have found that hackers are using a bootkit malware called Nemesis, to steal payment card data. Even though it was discovered in September, further investigation by FireEye shows that Nemesis has the ability to load ahead of the operating system making it difficult to detect and outside the bounds of normal anti-malware software.

Tim Erlin, Director of IT Security and Risk Strategy at Tripwire offered @DFMag the following expert opinion;

“Malware has moved from coming through an open door to being built into the foundation. It’s harder to detect, and harder to remove. 

We should expect malware to evolve to defeat security controls. The industry is, and should be, working to develop new ways to detect and defeat evolving malware. 

While it’s important to work on tools to detect specific malware, implementing tools to identify suspicious changes in the environment provides a solid defense in depth strategy. Even the most stealthy malware has an objective, most often making changes in the environment or moving data across the network to accomplish it. Security teams should be working to identify these behaviors, in addition to installing more basic detective tools.”

(101)

By Ryan Wilk, Director, NuData Security

Gone are the days when online security could be trusted to a simple username and password combination or simple identity checks. As fraudsters got better at bending and breaking the system, e-commerce and digital banking initiatives had to keep pace, creating tough rule-based systems to check for fraud and adding new technology like IP detection and Device ID. But even these measures are no longer enough. The next great leap in digital security isn’t based on a device or a password, but on the user themselves.

User Behavioral Biometrics combines a biometric and behaviour-based analysis of the user. Until recently, security technology looked solely at what data was entered and what device was connected. But you can only understand so much about the user with only two pieces of information.  And what if the user changes or upgrades their device? You would lose half the visibility. User Behaviour Analytics (UBA) adds multiple layers of nuanced information of passively observed behaviour that goes beyond what data they input and what device they use and really understand how the user interacts with the mobile or web portal.

But how exactly do we define behaviour in this context? It’s how the user interacts with the website in passive, yet very specific ways that are unique to every person – akin to a fingerprint. Information like typing speed and patterns, how they habitually navigate the website, patterns of online usage, or even how they hold their mobile device. These behaviours and hundreds of others, coupled with traditional passwords and connectivity details, offer multiple layers of information, and a more complete picture of the user.

When you start passively observing multiple layers of user behaviour and biometrics, from the moment they land on your site, create an account and across every interaction on the website, you build a profile for that user that doesn’t rely on the device they use or password they enter. Every time they return to the environment, you can measure that behaviour against their unique historical data. You can finally answer, “Is this the real user?” with confidence. You can compare that behaviour with other good users to broaden your understanding of how your good users behave and you can even answer with the same certainty, “is this user behaving like a human being?” and “is this user acting safely” and take action accordingly in real-time.

User Behavioral Biometrics helps e-commerce businesses fight fraud by bringing a wider context to every transaction decision. Most e-commerce merchants simply look at the transactions and use knowledge-based fraud prevention techniques that rely on PII and PCI even though that data is too freely available to be secure. Moving beyond easily compromised PII and instead relying on a user’s unique behaviour protects both your site and your users.

Fraudsters know that traditionally e-commerce merchants and financial institutions have relied on KBAs for their fraud prevention strategy, which means they authenticate by the user having the right answer to pass the test. So long as the fraudster has the cheat sheet, they don’t have to worry about getting the answers right.

That’s why UBAs are so important. Even if the fraudster has the correct password, their behaviour on the site before the transaction is a dead give away that something’s wrong. They behave completely different from a good user, so different that it gives security teams a sneak peak at fraudsters plans because it becomes strikingly evident when they are testing stolen accounts in bulk before an upcoming brute force attack. And since all of these transactions are monitored in real time, it’s easy to determine which accounts at are risk right now and what future interactions are highly likely to be fraudulent.

By observing behaviour from the point of login, to registration to point of purchase, companies are able to better understand when a purchase may not be legitimate, even when a “user” is successfully logged in using stored payment information. And while fraudsters are just starting to realise their tactics of yesterday don’t work anymore, user behavioral biometrics will continue to hold them back because user behaviour can’t be copied, stolen, or spoofed.

User Behaviour Analytics layered with Behavioral Biometrics combined with traditional security measures gives the industry the ability to understand their users like never before. Knowing who the user is based on how they behave protects business and users alike in a passive, unobtrusive, invisible way with a success rate second to none.

(83)

By: Carl Herberger, Radware vice president of security solutions

Radware’s Emergency Response Team (ERT) has been investigating OpParis, an Anonymous-credited revenge campaign against ISIS for the Paris attacks on November 13, 2015. Anonymous is a well-known hacktivist group that uses hacking to raise awareness of socio-political or socio-economic concerns or wrongdoing. They use a mix of methods, including distributed denial of service attacks (DDoS), whereby networks are flooded with fake requests for a sustained and intense period, rendering the network servers useless. 

This campaign is an aggressive operation targeting supporters and sympathisers of the Paris attack. Retaliation on French based companies following the Anonymous response to the attack in Paris is expected. Just as we saw with the Charlie Hebdo attacks, Anonymous condemns the terrorism. It has mobilised a team to gather information about the ISIS sympathisers.
 
The prolific spread of technology means it will be possible to undertake the unthinkable attack on a country where traditional terrorism is co–ordinated with cyber network attacks. Life’s essentials; water, food production, refrigeration, heat, light could be disabled very quickly right through to chasing mass destruction of power plants, and disruption to emergency services and aviation. Combined with a biological or incendiary attack, this makes for a very frightening prospect. 
 
Automation is now a driving force behind many aspects of life, including the cyber-attack landscape. Anyone doubting this reality should consider that we’ve seen a more than 300% increase in organisations under constant cyber-attack, a sure indication that attacks now come from tireless machines. For those wondering how the security community should respond, the answer may well be a “if you can’t beat them, join them” approach where the same degree of automation is implemented into security management. We’ve reached a “my good bot against your bad bot” state in security. It’s a frightening prospect and is why governments are in the spotlight, and why big corporations need to ensure they do all they can – an insurance policy won’t be enough when lives are at risk. 

(95)

AppRiver’s manager of security research, Troy Gill, has analysed threat trends over the last 12 months and offers his perspective of what lies ahead…

Evolving malware: More sophisticated malware will continue to defeat detection by hiding in common services and using non-traditional forms of communication such as TOR or Peer to Peer.

In tandem, recent highly effective social engineering ploys, such as those utilised in ransomware, will continue to terrorise businesses.

Speaking of ransomware, victims continue to payoff these cyber criminals and, in turn, the bad guys keep doing what’s working so well for them. As long as they’re being paid, these crafty cybercriminals will continue to innovate new attacks that will push the needle. Remember the attackers are agile and often take advantage of zero-day vulnerabilities and we can only attempt to harden against these.

Unfortunately there is no easy way to “defeat ransomware” but paying the ransom is, in my opinion, ill advised and also there’s no guarantee that you’ll even get the keys to unlock your data.

For all malware infections, prevention is definitely better than cure although, agreed, I personally don’t see a means to impeding infections 100% of the time – but you can shrink the attack surface significantly:

-keep operating systems and software updated
-install robust security defences such as firewalls, IDS, spam and virus filtering and web filtering
-perform regular security awareness training to identify attacks
-always back up your data so if you do fall victim, you can simply restore your files.

Breach Tsunami: The bevy of breaches that occurred during 2015, and the abundance of credit card and other personal information obtained from them, will lead to an increase in spear-phishing and other more targeted attacks.

The veritable treasure trove of private personal information that exists on the cyber underground, coupled with further information gleaned from social media, means criminals can generate highly targeted attacks or used as convincers in fraudulent transactions.

Cyber Warfare: Acts of cyber aggression will continue amongst many nation states including the U.S. and China, as well as remain a tool of warring nations. While we may not be privy to the majority of these attacks against infrastructure or corporate espionage between our collective countries, evidence suggests that the internet has become an important tool in every aspect of our lives including war and politics. Expect this “boots at home” tactic to remain in the playbook as a first move in most conflicts whether it be just reconnaissance or even the disabling of infrastructures and communications.

Internet of Things: Practically every business and even some individuals will have Wi-Fi enabled fixed devices that are controlled remotely – from switching on lights at home to cooling nuclear reactors in power plants. 

When vulnerabilities exist in any popular OS, and hackers know about them, it is only a matter of time before they are exploited. The issue is that people are not installing security patches in a timely manner, and inadvertently leaving their devices vulnerable. 

Bring Your Own Device (BYOD): No threat list would be complete without referencing this threat. BYOD often provides the business with cost savings and increased productivity/effectiveness from their workforce.  However, the security challenge that this movement has created has also left IT departments in a bit of a quandary.

Organizations need to have a BYOD strategy and policy that is appropriate to their situation. Obvious security points to address with the policy include: password enforcement; encryption; device management; access control, etc. should all be kept in mind while still maintaining enough freedom to keep the employee happy.

Striking that balance is important to keeping the organization more secure and at the same time, empowering employees.  Of course, that’s often easier said than done as organisations need to properly enforce the policy – something that presents a challenge in its own right.  Security training that includes reminders about safe browsing and identifying suspicious links wouldn’t go amiss.

Wearables: The ever-expanding marketplace of health and fitness apps coupled with wearable devices monitoring our every move, heartbeat, and location continue to gain popularity. Compromised or just poor privacy settings could leak this personal data out into the world.

TOR: Often referred to as the ‘Dark’ or ‘Deep Web, TOR continues to attract both the good and bad of society, lured by its promise of anonymity. Facebook’s new experimental move into the TOR network may inspire other reputable services to want to provide anonymous access thereby enticing new users who may have been unwilling to try them beforehand.

While there are legitimate reasons visitors may require secrecy, a great many illegal things have also been discovered on Tor’s network: items that should be protected by fair trade, copywrite and other laws; stolen credit card forums; general hacking services and malware creation. Even the groups behind ransomware, such as CryptoLocker, have begun to demand their ransoms through the TOR network utilizing CryptoCurrency like BitCoin to remain anonymous to authorities and their victims.

It is important to be aware of all of the different ways that Tor can be used and make any necessary adjustments.  If this is something that concerns you as a business owner then policy should be put into place that restricts the installation of Tor software.  And remember, it always pays to be vigilant.  No matter what the circumstance.     

Unexposed vulnerabilities: The past few years showed some major issues with secure communication – like that in SSL as leveraged by Heartbleed, and a long time bug in Bash with Shellshock. The discovery of vulnerabilities such as these will continue to be a major goal for attackers and defenders alike.

Mobile Payment Systems: Vendors have been trying hard to change the way we make transactions with features such as Near Field Communication and virtual wallets in mobile devices. Unfortunately, its early adoption has left a lot to be desired thanks to security issues and concerns.

Thanks also to these early flaws, and the attack on the CurrentC payment system through third parties which led to the leak of the email addresses of early adopters, we can expect mobile payment systems and its architectures as a highly likely target of attack. Hopefully the organisations concerned will work aggressively to make digital payments through services such as ApplePay, Google Wallet and CurrentC much more secure.

Individual cloud storage: The use of Dropbox, OneDrive, Box, Google Drive as well as all of the other cloud storage services by individuals as a means to more easily access documents in multiple locations will pose a greater risk to personal as well as professional targets as company documents and data comingle with personal files in the cloud.

It’s also worth noting that using cloud storage for data backup does not automatically negate the risk from Ransomware – in fact MANY previous Ransomware attacks (aka Cryptolocker) have relied on free cloud storage sites like Dropbox to distribute their payload.

Organisations need to limit access to folders within their cloud network to only the individuals that need access to perform their job role.  This will help prevent both accidental and purposeful data loss.

Carefully select which devices employees are permitted to use when accessing the cloud, and what types of encryption to use to keep the devices from connecting to unsafe networks.

As mentioned previously, another helpful practice is maintaining regular security training so users know the risks. This will help those who otherwise may inadvertently expose sensitive company data by keeping them on course with best practices.

Staying Safe in 2016

While these ten threats are expected to dominate 2016, this list is in no means exhaustive. Sophisticated attacks will continue to be problematic and perhaps even more difficult to detect. 

To help, here is a summary of best practice tips:

Educate users on current threats in the digital landscape, including phishing campaigns, malware and malicious websites Introduce layered security – Adopting a layered security approach is the best way to ensure your business is covered from all angles. While protecting your business from viruses via email filtering is a great start, it doesn’t protect your business from malware threats on the Web and vice versa, so … Shielding your business from as many vulnerabilities to your network as possible is essential to staying ahead of hackers. Don’t skip software and firmware updates; these often contain security patches for vulnerabilities. The longer you go without updating your software, the more susceptible your network is to malware. If any of your software or hardware has reached its end-of-life, meaning the manufacturer will no longer support it or make security patches, it’s time for an upgrade. While it may seem expensive on the front end, it can save you from lost labour, costly fines and lawsuits on the backend.

Of course, there is no “silver bullet” when it comes to online threats. However, with a blended security approach that leverages current intelligence and technology from several sources, combined with regular security training, organisations can prevent most malware from entering their network and deflect threats that might otherwise damage systems.

(289)

By Lauren Sporck, associate, OPSWAT

All malware is inherently dangerous, but there are a few threats that stand out amongst the others when it comes to inflicting damage. We took a look at some of the most destructive malware of all time from traditional viruses, worms and Trojans to increasingly prevalent PUAs such as adware and spyware. This list, while covering most of the all-time worst threats, is not inclusive. For example, notable threats are not on this list such as the ILOVEYOU bug, although they also rank as highly destructive. How many of these threats do you remember?

1. My Doom Worm – 2004

The My Doom worm, known as one of the fastest spreading viruses in history, passes both the ILOVEYOU bug and SoBig worm in speed. It was transmitted via email and usually contained a variety of subject lines including, “Error”, “Mail Delivery System”, “Test” or “Mail Transaction Failed”. Though its creator still remains unknown, some speculate that it originated in Russia. The worm was first discovered and named by an employee at McAfee for the line, “mydom” that appeared in its code.

2. Superfish Adware – 2014

Superfish adware made its claim to fame through a class action lawsuit filed against Lenovo, the largest maker of PCs in the world. Superfish spyware came pre-installed on Lenovo machines without Lenovo customers being told of its existence. Superfish installed its own root certificate authority which allowed it to void SSL/TLS connections, creating an opening or “hole” for attackers. This exposed Lenovo users to potential cyber criminals while providing Superfish and Lenovo with a way to target unsuspecting users with tailored advertisements.

3. Code Red Worm – 2001

Code Red was a computer worm that affected almost 360,000 computers by targeting PCs that were running Microsoft’s IIS web server. The worm was first discovered by two eEye Digital Security employees and was named for the Code Red Mountain Dew they were drinking when they discovered it. The worm targeted a vulnerability in Microsoft’s IIS web server using a type of security software vulnerability called a buffer overflow.

4. Slammer Worm – 2003

In January of 2003, the Slammer worm struck 75,000 users with a DoS attack. The worm targeted a vulnerability found in Microsoft SQL and spread rapidly. Denial-of-service attacks are used by malware writers to overload a companies’ network with meaningless traffic, eventually causing the network to crash. Owen Maresh of Akamai is credited with being the first person to discover the destructive worm from Akamai’s Network Operations Control Center. At its height, the Slammer Worm sent 55 million database requests across the globe and is said to have spread within just 15 minutes, surpassing the speed of the Code Red Worm from 2001.

5. SoBig.F Worm – 2003

The SoBig.F Worm was a piece of malware that appeared only a few weeks before the Slammer worm mentioned above. The SoBig.F worm entered a device via email, which if opened could search the infected computer for additional email addresses, then sending messages to those aliases. The worm caused $37.1 Billion in damages and is credited with bringing down freight and computer traffic in Washington D.C, as well as Air Canada. Email subject lines used to entice users included, “Your details, Thank you!, “Re: Details, Re”, “Re: My details”, as well as various others. The speed at which the worm spread is said to surpass that of the ILOVEYOU virus and Anna Kournikova worm, both of which also spread via email. The worm’s creator still remains unknown.

6. CIH Virus – 1998

The CIH virus, also known as the “Chernobyl virus”, was named after the explosion of the nuclear plant in Russia because it was written to execute on the anniversary of the explosion. The virus worked by wiping data from the hard drives of infected devices and overwriting the BIOS chip within the computer, which rendered the device unusable. BIOS chips, originally manufactured by IBM for PCs, are a type of firmware used when a device is booted or turned on. This virus caused tremendous damage because the BIOS chip was not removable on many PCs, requiring the user to replace the entire motherboard. The virus was created by a student at the Taipei Tatung Institute of Technology, named Chen Ing Hau. Although the virus caused millions of dollars in damages, Chen was never imprisoned or fined and actually got a job at a software company through his resulting infamous creation.

7. Stuxnet Worm – 2010

The Stuxnet Worm entered devices through infected USB drives and thus had to be manually inserted into a device in order to spread. The dangerous thing about this particular virus, is that internet connectivity was not needed for it to spread, making it particularly fatal for critical infrastructure plants. Once on a device, the worm would then run a check to see if the infected device had access to industrial control systems. If it did, the worm would then take control of plant centrifuges, causing them to eventually fail. The main victims of Stuxnet’s payload were Iranian nuclear plants and a uranium enrichment plant. Although not verified, some believe that the United States and Israel were responsible for the creation of the worm, in order to hamper Iranian nuclear development.

8. Melissa Worm – 1999

The Melissa worm was a macro virus that caused millions of dollars in damages to infected PCs. The virus spread via email and was supposedly created by David L. Smith, who named the virus after an exotic dancer from Florida. The virus used an enticing subject line to get its victims to open it. Once the email was opened, the virus was able to replicate and send to an additional 50 email addresses accessed through the originally infected computer.

9. Cryptolocker Trojan – 2013

The Cryptolocker Trojan is ransomware that encrypts its victim’s hard drives and then demands a payment. When the ransom message appears on the victim’s computer, they are given a time limit in which they must pay the ransom in order to unlock their files. The Trojan enters a user’s system through an email, which is disguised to be from a logistics company. Within the email, there is an attached zip file which contains a PDF that the users must enter a provided password to open. Once opened, the Trojan begins its attack on the victim’s computer. By posing as a legit company, the ransomware uses social engineering to trick the user into performing the required actions.

10. ZeroAccess Botnet – 2013

Known as one of the largest botnets in history, ZeroAccess affected over 1.9 million computers, using them to earn revenue through bitcoin mining and click fraud. Botnets involve a group of computers, also known as zombies, which are controlled by malicious software and used to send SPAM emails or launch HTML attacks, the first of which was utilized by the ZeroAccess Botnet. These controls are orchestrated by the BotMaster or the command center of the botnet. SPAM emails sent often contain malware that is then used to infect more computers.

(233)

Tenable Network Security®, Inc., disclosed that the UK received a ‘C’ overall grade for its 2016 Global Cybersecurity Assurance Report Card. Information security practitioners from the UK were asked about confidence in their respective organizations’ abilities to assess risk, invest in appropriate tools and successfully respond to cyber threats, scoring 73% overall—an underachieving “C.”

Mobile device security is the Achilles heel in the UK: the country’s security professionals gave a failing grade to their ability to assess cyber risks related to mobile devices (rated “F” in UK, and “D” globally). The inability to even detect transient mobile devices in the first place (rated “D”) was another big challenge for the UK’s security practitioners, who scored themselves lower than the global average.

While most global respondents believe they have the tools in place to measure overall security effectiveness, scoring “B-,” this view isn’t mirrored in the UK, where survey respondents assigned a “C+.” Cloud vulnerability management and risk assessment is another key concern for Brits, with the ability to assess risks in cloud infrastrucuture (IaaS) and cloud services (SaaS) earning a “D” and “D+” respectively.  

“What this tells me is that UK security pros have a fairly realistic idea of where they stand when it comes to overall cyber readiness, and they believe there is a lot of room to improve,” said Gavin Millard, EMEA technical director, Tenable Network Security. “Cloud and mobile continue to disrupt enterprise IT, but what the survey shows, alongside an alarming lack of ability to detect and remediate threats associated with these non-traditional attack surfaces, is that security has to evolve in order to keep up with the rate of innovation. Organizations need next-generation solutions that can definitively answer the question ‘How secure are we?’”

According to the survey results, the biggest non-technical challenge facing UK information security professionals is an overwhelming threat environment, followed closely by a lack of qualified workers.

“Attackers are breaching the world’s cyber defenses seemingly at will, and organizations of all kinds are feeling the strain,” said Millard. “As we move into 2016, hopefully all parties will continue to come together to assess cyber security risks, build robust defences and mitigate attacks.”

About the 2016 Global Cybersecurity Assurance Report Card

Research for the 2016 Global Cybersecurity Assurance Report Card was conducted by CyberEdge Group, a research and marketing firm serving the security industry’s top vendors.

Tenable surveyed 504 IT security professionals employed by organizations with 1,000+ employees in August 2015. A 12-question web-based survey asked respondents to provide a rating on a five-point scale. By adding together the two most-favorable responses (e.g., strongly agree + somewhat agree) for each question, and then averaging together associated responses, two summary indices were derived. The Risk Assessment Index measured an organization’s ability to assess cybersecurity risks across 10 key components of enterprise IT infrastructure. The Security Assurance Index measured an organization’s ability to mitigate threats by investing in security infrastructure fueled by executive and board level commitment. The index scores were averaged to produce the overall report card score for each country and industry. For more information, please visit http://tenable.com/2016-global-cybersecurity-assurance-report-card/ .

(51)

In response to the recent news that a bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service (more information here: http://www.scmagazineuk.com/warnings-over-nodejs-flaw-that-could-lead-to-dos-attacks/article/457205/), Dave Larson, chief operating officer at Corero Network Security, has offered @DFMag the following short insight:

“Node.js is a quite popular open source javascript app deveopment environment, so the vulnerability is likely quite widespread.

“The most effective defense again this latest threat is to upgrade the server application to the latest software rev. Certainly, there are many other security reasons to upgrade to the latest revision including potential breach vulnerabilities.

“Likely exploitations would be DoS for ransom.  But there seems to be some full compromise vulnerability with some of the versions that could result in breach activity.”

(48)

By: David Gibson, VP of strategy and market development at Varonis

1. The U.S. Presidential campaign will be affected by a cyber attack.   

Hillary Clinton’s private email server has already brought cybersecurity into the U.S. Presidential race. In 2016, a cyberattack will strike the campaign, causing a major data breach that will expose donors’ personal identities, credit card numbers and previously private political preferences. Imagine being a donor with an assumption of anonymity. Or a candidate whose “ground game” depends on big data analytics about voter demographics and factors affecting turnout – data that turns from an asset to a liability if it isn’t protected. The breach will affect the campaign not only as a setback for the unfortunate candidate or party affected, but by bringing the issue of cybersecurity prominently into the campaign as a major issue that is closely related to geopolitical threats such as the spread of terrorism. Campaign data is a gold mine for hackers (donor lists, strategies, demographics, sentiment, opposition research), and an event like this will serve as another wake-up call to the U.S. government that cybersecurity needs to be a continual, central focus and investment at the highest levels. The candidate who demonstrates knowledge and command of cybersecurity threats and government readiness will win the election.  

2. The frequency of public data breaches will increase substantially.

The Identity Theft Resource Center (ITRC) reports a total of 641 data breaches recorded publicly in 2015 through November 3. Most organisations know this number represents the tip of the iceberg. The frequency of known data breaches will increase in 2016, due not only to increasing privacy and breach disclosure laws but also the increasing failure of traditional perimeter-focused security investments to protect valuable data. Employees’ use of mobile devices and companies’ migration of IT workloads to the cloud will also contribute to a sharp rise in breaches. Over time, this should help to shift priorities toward investing in more proactive data-centric protection, but it’s likely things will become worse before they get better.

3. End-user education and monitoring will become the focal point of data security efforts.

Insiders are the new malware. Executives and IT professionals are becoming as afraid of their own employees – as innocent vessels for outside attackers with dangerous levels of access to sensitive data – as they are of outside attackers. Companies will turn to the importance of end-user education in 2016 as they realise that, no matter how intensely they invest in security, they hit a dead end if their users don’t drive by the rules of the road. They need to be involved in the security processes, observe classification and disposition policies (that need to be defined) and know to stop clicking on phishing emails. Employees are crucial to the security process, and have more power in controlling it than they realise. You can’t patch users but you can educate them. You can also monitor and analyse how they use data to spot unwanted attacks.

4. At least five more C-level executives will be fired because of a data breach.

In recent years we have seen the careers of several top executives suffer in the wake of cyberattacks. Target CEO Gregg Steinhafel and CIO Beth Jacob, U.S. Office of Personnel Management Director Katherine Archuleta, Sony Pictures’ Amy Pascal and others were either fired or forced to resign after massive data leaks cost their organizations money, customers and credibility. This will accelerate in 2016.  Blame for data breaches is shifting from IT to the C-suite. Data impacts every facet of an organisation. If management is not investing in and focusing heavily on securing data and its use, it is now understood that they are putting the entire company and its stakeholders at risk.

5. Increasing false positives in data security bring to light the need for limited, accurate information.

Organisations will get much more serious about how much data they collect and their deletion efforts. When Target suffered its massive breach during the 2013 holiday season, the alerting capabilities of its IT team had generated months of warnings.  Still, no one caught it. This remains a common problem today. Why? The plethora of security tools installed in most companies overwhelms IT security. Their teams are strapped and the amount of false positives generated by exponentially growing volumes of information cause these teams to miss crucial vulnerabilities. In 2016, smart IT teams will focus on signal-to-noise ratio improvements in the analysis and alerting solutions they deploy.

(76)

Customers’ personal and financial data is being put at risk as many industry personnel are not assigned unique login and password details, new research has revealed. The ‘Financial services: access security compliance’ report by IS Decisions, security software provider, showed that 37% of finance personnel do not have unique user logins – a basic security requirement for enabling user identification – which also leaves financial organisations open to the threat of insider trading. Furthermore, 26% are not required to logon to their employer’s network at all in order to access data, despite it being a specific requirement of virtually all regulations around security, from the FCA to GLBA, SOX and PCI DSS.

The figures also showed that half (51%) of financial industry personnel did not receive training as part of their induction even though the FCA’s Financial crime: a guide for firms recommends that new employees should have access to training on financial crime risks. In addition to this, despite clear guidance from compliance requirements in the UK, only 37% of organisations provide ongoing training sessions to meet an acceptable level of security education.

The ability to log in to more than one machine at anyone time can also be a security risk in terms of tracking access and individual user identification, so it was alarming to note that 76% of finance personnel are able to login to multiple machines concurrently. In the event of a breach occurring, only 34% would know how to report it and an even lower 27% were aware of the penalties their company would impose for stealing or leaking sensitive data.

The study also showed that only 48% of organisations do not immediately revoke access rights when employees leave, leaving a window of opportunity for an ex-employee to steal sensitive information.

François Amigorena, CEO of IS Decisions commented, “Data, including card and customer information, is the lifeblood of any financial organisation. Security is the very reason we trust banks with our finances, while data access and ability to identify users is also key to combatting insider trading. As such, sensitive information should be restricted to only those who need it in order to minimise any risk of a breach or possible misuse. Identifying and implementing access control policies are requirements of the financial regulators, but it seems many UK financial organisations are not compliant with these security basics.”

The full report is available on the IS Decisions website.

(34)