Kroll just released its fourth annual worldwide fraud survey. For the first time, “Information theft, loss, or attack” surpasses “Theft of physical assets or stock,” 27.3% to 27.2% respectively. In addition, overall fraud increased by 20%.
What accounts for this dramatic increase?
The fast pace at which technology changes poses a huge challenge in combating electronic theft: 28 percent of the companies polled said this is the one factor that raises their vulnerability to fraud. Still, only 48 percent said they plan to spend more money on IT security over the next year, down from 51 percent last year.
Here are four recent security incidents that were serious enough to require public notification. Thanks to Adam Dodge at Educational Security Incidents.
Our testing shows we’re spending billions on defenses that are no match for the stealthy attacks being thrown at us today. What can be done?
Greg Shipley has written an excellent article about the state of information security. The hard copy version in this week’s InformationWeek magazine sums up the situation – “Epic Fail.”
…collectively, we’ve spent billions of dollars on security technologies, and we still can’t curb these threats. Intruders trot through firewalls deployed to block them, while malware flourishes on systems that antivirus vendors pledge to immunize. Meantime, our identity management efforts guzzle funds faster than politicians before a crucial vote.
Recent events suggest that we are at a tipping point, and the need to reassess and adapt has never been greater. That starts with facing some hard truths and a willingness to change the status quo.
Greg points out what we’ve been saying for the last three years:
…sometime in the last few years a number of our key security technology controls crossed that threshold and ceased to be effective, yet as an industry we have yet to adjust. We’re pouring billions of dollars, literally, into security products that are gaining us very little. We don’t retire anything but rather pile on more layers, leading to increased complexity, expense, and exposure.
One of the big three security technology controls Greg calls out is firewalls. I would be more specific and say “stateful inspection” firewalls. These have been the staple of network security for 15 years. But Web 2.0 applications and social networking breeze right by the stateful inspection firewall, because they all ride the same handful of ports (80 and 443) that the firewall has to leave open. In fact, against this traffic the stateful inspection firewall provides practically no control or protection at all.
Fortunately, we have begun to see the rise of what Gartner calls the Next Generation Firewall, as exemplified by Palo Alto Networks. NextGen Firewalls are application-aware and, more importantly, enable you to build policies based on applications and users rather than ports, protocols, and IP addresses.
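To make the difference concrete, here is an added example (not code from the original post, from Palo Alto Networks, or from any firewall product) that evaluates the same set of constructed flow records under a port-based rule set and under an application/user rule set. The flows, application labels, user names and group memberships are all constructed; the `app` and `user` fields stand in for what an application-aware firewall derives from payload classification and an identity source, which a stateful inspection firewall simply does not have.

```python
"""Port-based vs. application/user-based policy over constructed flows.

Added example, not from the original post or any vendor. Shows why a
stateful, port-based rule cannot tell Web 2.0 applications apart when they
all use HTTPS on port 443, while a rule keyed on (application, user group)
can. Every flow, app label, user and group below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    # The next two fields are what an application-aware firewall adds
    # (assumed here to come from payload classification and user-ID mapping).
    app: str
    user: str


def stateful_policy(flow: Flow) -> str:
    """Classic rule set: decide on protocol and destination port only.

    Web traffic must be allowed, so everything on 80/443 gets through.
    """
    if flow.proto == "tcp" and flow.dst_port in (80, 443):
        return "allow"
    return "deny"


# Constructed user -> group mapping (an identity source would supply this).
GROUPS = {"alice": "marketing", "bob": "engineering", "eve": "contractor"}

# Constructed application/user rule base: (app, group or "*", verdict),
# evaluated top-down, first match wins, implicit default deny.
APP_POLICY = [
    ("social-networking", "marketing", "allow"),
    ("social-networking", "*", "deny"),
    ("file-sharing", "*", "deny"),
    ("web-browsing", "*", "allow"),
]


def app_user_policy(flow: Flow) -> str:
    """Next-generation style rule set: decide on application and user group."""
    group = GROUPS.get(flow.user, "unknown")
    for app, grp, verdict in APP_POLICY:
        if app == flow.app and grp in ("*", group):
            return verdict
    return "deny"  # no rule matched: default deny


# Constructed flow records; note that four of the five are TCP/443.
FLOWS = [
    Flow("10.0.1.10", "203.0.113.5", 443, "tcp", "social-networking", "alice"),
    Flow("10.0.1.11", "203.0.113.5", 443, "tcp", "social-networking", "bob"),
    Flow("10.0.2.20", "198.51.100.7", 443, "tcp", "file-sharing", "eve"),
    Flow("10.0.1.12", "198.51.100.9", 443, "tcp", "web-browsing", "bob"),
    Flow("10.0.3.30", "198.51.100.9", 22, "tcp", "ssh", "bob"),
]


def evaluate(flows):
    """Return (app, user, stateful verdict, app/user verdict) per flow."""
    return [(f.app, f.user, stateful_policy(f), app_user_policy(f)) for f in flows]


def disagreements(flows):
    """Flows the port-based policy allows but the app/user policy denies."""
    return [f for f in flows
            if stateful_policy(f) == "allow" and app_user_policy(f) == "deny"]


if __name__ == "__main__":
    for row in evaluate(FLOWS):
        print("%-18s %-6s stateful=%-5s app/user=%s" % row)
    print("flows only the app/user policy stops:", len(disagreements(FLOWS)))
```

The port-based evaluator passes every TCP/443 flow, so the contractor's file-sharing session and the engineer's social-networking session look identical to the marketing user's permitted one; only the rule base that sees application and user can tell them apart and deny two of the four.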
Greg’s four recommendations are:
1) Start spending money on controls that are more in line with threats. This is in fact why Cymbel has embraced (and enhanced) the SANS 20 Critical Security Controls for Effective Cyber Defense. The controls were selected based on knowledge of exploits. For example, Controls #1 and #2 are about discovery of network assets and the software running on them. Unknown and/or unmanaged devices will thwart a patch management program every time.
2) Adjust assumptions and put to rest some age-old debates, for example the insider-vs.-outsider debate. Due to what we call the “inside-out” attack vector, the outside attacker becomes an insider once the attacker steals the insider’s credentials. We discuss this in more detail in the Threats section of the Five Forces of Change. This is why internal network segmentation based on application and user policies has become critical.
3) Stop rewarding ineffectiveness and start rewarding innovation. Here Greg repeats his observations about the ineffectiveness of (stateful inspection) firewalls and antivirus. It is for this reason that we developed our Next Generation Defense-in-Depth architecture, which features real, proven, innovative solutions that mitigate these new threats. Another good example is FireEye, which prevents 0-day and unknown malware attacks using heuristics plus virtual sandboxes to test suspicious code. The virtual sandbox capability practically eliminates false positives, the bane of heuristics-based intrusion prevention systems.
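Recommendation 1 turns on a simple check that many shops never automate: comparing what is actually on the network with what the patch management system knows about. The following added example (not part of the original post, of the SANS controls text, or of any Cymbel product) reconciles constructed DHCP lease lines and a constructed neighbor table against a constructed asset inventory CSV and reports the devices that would thwart a patch program. The line formats are simplified stand-ins for ISC dhcpd leases and `ip neigh` output; a real run would read the live sources or a scanner export instead.

```python
"""Reconcile discovered devices against the managed asset inventory.

Added example, not from the original post or the SANS controls. Illustrates
Controls #1/#2: a device that discovery has never seen cannot be patched.
All MAC addresses, IPs, hostnames and inventory rows are constructed.
"""
import csv
import io
import re

# Constructed, simplified dhcpd-style lease lines (one lease per line).
DHCP_LEASES = """\
lease 10.0.1.10 { hardware ethernet 00:11:22:33:44:01; client-hostname "alice-laptop"; }
lease 10.0.1.11 { hardware ethernet 00:11:22:33:44:02; client-hostname "bob-laptop"; }
lease 10.0.1.50 { hardware ethernet 00:11:22:33:44:50; client-hostname "android-3f2a"; }
"""

# Constructed `ip neigh`-style lines as seen from a core router.
ARP_TABLE = """\
10.0.1.10 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.1.11 dev eth0 lladdr 00:11:22:33:44:02 STALE
10.0.1.77 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
10.0.2.5  dev eth1 lladdr 00:11:22:33:44:05 REACHABLE
"""

# Constructed managed-asset inventory (what patch management knows about).
INVENTORY_CSV = """\
mac,hostname,owner,patch_agent
00:11:22:33:44:01,alice-laptop,alice,yes
00:11:22:33:44:02,bob-laptop,bob,yes
00:11:22:33:44:05,db-server-01,dba,no
00:11:22:33:44:99,print-server,it,no
"""

LEASE_RE = re.compile(
    r'lease (\S+) \{ hardware ethernet ([0-9a-fA-F:]{17}); client-hostname "([^"]*)";')
NEIGH_RE = re.compile(r'^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-fA-F:]{17})\s+(\w+)')


def discover(dhcp_text, arp_text):
    """Merge both sources into {mac: {"ip", "hostname", "sources"}}."""
    seen = {}
    for m in LEASE_RE.finditer(dhcp_text):
        ip, mac, host = m.groups()
        seen[mac.lower()] = {"ip": ip, "hostname": host, "sources": {"dhcp"}}
    for line in arp_text.splitlines():
        m = NEIGH_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        ip, mac, state = m.groups()
        if state == "FAILED":
            continue  # no resolved hardware address, nothing to inventory
        entry = seen.setdefault(mac.lower(), {"ip": ip, "hostname": None, "sources": set()})
        entry["sources"].add("arp")
    return seen


def load_inventory(csv_text):
    """Inventory keyed by lower-cased MAC address."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["mac"].lower(): row for row in reader}


def reconcile(discovered, inventory):
    """Three findings a patch program needs:
    unmanaged  - on the network, unknown to inventory (cannot be patched)
    absent     - in inventory, not seen on the network (stale records)
    no_agent   - known and present, but without a patch agent
    """
    unmanaged = sorted(mac for mac in discovered if mac not in inventory)
    absent = sorted(mac for mac in inventory if mac not in discovered)
    no_agent = sorted(mac for mac in discovered
                      if mac in inventory and inventory[mac]["patch_agent"] != "yes")
    return {"unmanaged": unmanaged, "absent": absent, "no_agent": no_agent}


if __name__ == "__main__":
    found = discover(DHCP_LEASES, ARP_TABLE)
    report = reconcile(found, load_inventory(INVENTORY_CSV))
    for kind, macs in report.items():
        for mac in macs:
            info = found.get(mac, {})
            print(f"{kind:10s} {mac} {info.get('ip', '-'):12s} {info.get('hostname') or '-'}")
```

Keying on MAC address is a deliberate choice: IPs churn with DHCP and hostnames are self-reported, so the hardware address is the most stable join key the two sources share. The two unmanaged devices in the sample (an unknown phone on the user subnet and a host seen only in the neighbor table) are exactly the machines a patch rollout would silently miss.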
According to the Deputy Assistant Secretary of Defense for Cyber, Identity & Information Assurance (DASD CIIA), there are 119 different information security documents published by the Department of Defense (including the NIST SP 800 series). DASD CIIA helpfully published a two-foot-long chart to help you make sense of it all.
Unauthorized, but not illegal, “web scraping” of personal data is big business – $840 million according to an estimate by the Wall St. Journal.
The market for personal data about Internet users is booming, and in the vanguard is the practice of “scraping.” Firms offer to harvest online conversations and collect personal details from social-networking sites, résumé sites and online forums where people might discuss their lives.
The emerging business of web scraping provides some of the raw material for a rapidly expanding data economy. Marketers spent $7.8 billion on online and offline data in 2009, according to the New York management consulting firm Winterberry Group LLC. Spending on data from online sources is set to more than double, to $840 million in 2012 from $410 million in 2009.
The Wall Street Journal’s examination of scraping—a trade that involves personal information as well as many other types of data—is part of the newspaper’s investigation into the business of tracking people’s activities online and selling details about their behavior and personal interests.
The fact-filled article is well worth reading in its entirety, but it offers no ideas for a solution. At this point, you have to assume that anything you say on the web is public knowledge.
Good set of recommendations for Gmail users. If your Gmail account is hacked and you change your password, you could still have problems. Make sure you do the following:
10 October 2010 · Ukraine Detains 5 Individuals Tied to $70 Million in U.S. eBanking Heists — Krebs on Security · Tags: bank fraud, Becrypt
Authorities in Ukraine this week detained five individuals believed to be the masterminds behind sophisticated cyber thefts that siphoned $70 million – out of an attempted $220 million — from hundreds of U.S.-based small to mid-sized businesses over the last 18 months, the FBI said Friday.
At a press briefing on “Operation Trident Breach,” FBI officials described the Ukrainian suspects as the “coders and exploiters” behind a series of online banking heists that have led to an increasing number of disputes and lawsuits between U.S. banks and the victim businesses that are usually left holding the bag.
This is an excellent article by Brian Krebs detailing the latest in a series of arrests related to electronic funds transfer fraud.
No business should be using the “general purpose” computer for electronic funds transfer transactions. As I said in my last post, either use a dedicated computer or an encrypted bootable USB stick like the one we offer from Becrypt.
Sen. Charles Schumer (D-N.Y.) has introduced a bill that would protect municipalities and school districts against financial losses resulting from certain types of cybertheft.
Under the proposed bill, cities, towns and school districts would not be held liable for losses tied to online account takeovers and fraudulent electronic funds transfers initiated by cyberthieves, as long as the theft is reported in a timely manner.
It is the same sort of protection that consumers have under the Electronic Fund Transfer Act, which caps consumer liability for an unauthorized EFT at $50. Schumer’s bill (S. 3898) would modify portions of the EFTA to offer the same protection to schools and municipalities.
Moving the liability for electronic funds transfer fraud from the bank account holder to the bank will force banks to implement better protection measures.
In our opinion, there are only two ways online account holders can protect themselves from online bank fraud: (1) use a dedicated computer for online bank transactions, or (2) use a dedicated encrypted bootable USB stick. Using just a separate browser, even in a separate virtual machine, is not good enough.
If a dedicated computer is not feasible, we at Cymbel recommend Becrypt’s Trusted Client solution.
Of the 81 fixes in Oracle’s quarterly patch release, seven of them are for databases.
The question is how long it will take to test and install these patches. Experience says months. That means your systems will be exposed to these vulnerabilities for months.
I am by no means suggesting you should rush the deployment of these patches. Thorough testing is a must.
The answer is the virtual patching capability of Sentrigo, a database protection solution. In a matter of days, if not sooner, Sentrigo updates the agents protecting your databases with new “vulnerability signatures” that protect against threats looking to exploit the well-documented vulnerabilities for which Oracle is providing patches.
In many cases, Sentrigo ships the “vPatches” before Oracle ships their patches.