What's New

Senior business leaders are not prepared for a data breach, with fewer than one in four knowing enough to take the lead should a breach occur, according to a survey of 341 senior executives and in-depth interviews with 17 senior executives conducted by the Economist Intelligence Unit on behalf of HP. In fact, fewer than half of CEOs had been trained on what to do after a data breach, despite the fact that nearly half of the companies surveyed had experienced a data breach in the past two years.

This lack of awareness is not confined to the C-suite. Only 27 percent of companies reported that they have an "extensive awareness" of information across their organization. One-third of respondents estimate that the value of the information their company holds makes up between 10 percent and 50 percent of total assets.

"Technology has been instrumental in transforming the value of information, but at the same time, it is also a contributor to the elevated level of threat companies perceive to this asset," explained Denis McCauley, editorial director of the Economist Intelligence Unit, in a webinar releasing the study's results.

"Cloud computing, social media, and bring your own device, for example, are developments that are helping to make information widely accessible, some would say borderless, but also more vulnerable, not just to cybercriminals but also to careless employees," he added.

A majority of respondents said that the importance of protecting information has not filtered down to lower levels of the organization. Yet, even those in the company who are aware that protecting information is important believe it can be secured with technology fixes to hardware and software, the survey found.

To increase the priority of managing information risk, companies are placing a monetary value on the information they hold. One in ten companies have already done so, and half of the companies are undertaking an effort to do so or are actively considering doing so.

Are you stumped for a gift for your favorite cybercriminal who has already stolen everything? Fret no more. Give him or her a nice gift card.

Turns out, your favorite cybercriminal may already have thousands of stolen gift cards, warns security firm ThreatMetrix. The National Retail Federation estimates that gift card sales will reach $30 billion this year, making gift cards a lucrative market for fraudsters.

"Cybercriminals have developed several highly sophisticated ways to compromise gift cards and take advantage of consumers during the upcoming holiday shopping season, when merchants are often too busy with a high volume of transactions to spot all suspicious activity," said Carmen Honacker, director of customer advocacy at ThreatMetrix.

ThreatMetrix identified a number of holiday gift card fraud scenarios:

- stolen gift card web IDs, in which fraudsters gain access to virtual gift cards and purchase goods and services that are then resold for profit outside the country or on auction sites;
- virtual goods, in which fraudsters compromise online currency and steal virtual goods, such as extra lives, levels and customized features in video games, for fun and profit; and
- purchasing gift cards with a stolen credit card, in which fraudsters purchase gift cards online or in-store using a stolen credit card number and then purchase goods that are shipped abroad and sold at a higher price for profit.

"Gift card purchases using stolen credit cards have become so prevalent that some retailers have resorted to ceasing online gift cards altogether and only accepting cash in-store for gift cards," said Honacker. "However, retailers don't need to miss out on these revenue opportunities due to the risk of cybercrime.
With effective strategies and technologies in place to differentiate between authentic and fraudulent transactions, retailers can continue selling gift cards via credit card transactions and drastically decrease fraud attempts," she added.

An increase in targeted attacks against enterprises in Europe, the Middle East and Africa has prompted many to turn to managed security services to secure their organizations, according to a new report from Frost & Sullivan. To differentiate themselves, managed security service providers are increasingly offering security analytics and threat landscape research to help enterprises thwart targeted attacks.

Frost & Sullivan estimates that the managed security service market in the EMEA region will double by 2018, reaching $5.5 billion, up from $2.6 billion last year. Many enterprises are feeling overwhelmed by the increasing number of attacks and a dearth of in-house IT security personnel.

"In addition to the lack of in-house expertise and the growing complexity of threats, the need to comply with industry standards and regulatory requirements has incentivised organisations to outsource at least a part of their security operations. This is fueling the demand for MSS in the region," said Mario Fernandez, a Frost & Sullivan information and communication technologies senior industry analyst.

At the same time, many enterprises are uncertain about the legality of outsourcing IT security operations and this may deter businesses from opting for managed security services. Leading providers are adopting a risk-based approach to understand a client's business context before delivering services.

According to Frost, the enterprise segment will continue to be dominant in terms of market value. From a regional perspective, the U.K.
and Germany lead in terms of market value.

There is a new kind of cyber threat on the horizon. It's called a distributed reflection denial of service (DrDoS) attack and it's on the rise, according to security firm Prolexic Technologies.

"DrDoS techniques usually involve intermediary victim machines that unwittingly participate in a DDoS attack against the attacker's target. Requests to the intermediary victims are redirected, or reflected, from the secondary victims to the primary target," explained Prolexic.

DrDoS attacks increased 265 percent year-over-year in the third quarter of 2013 and 70 percent sequentially, according to Prolexic data. The firm blamed the increase on misconfigured servers and the ability of attackers to obtain lists of IP addresses and misconfigured servers from the cyber underground.

"DrDoS attacks provide the benefits of obscuring the source of the attack (providing anonymity), while enabling the bandwidth of intermediary victims to be used, often unknowingly, to multiply the size of the attack (amplification)," Prolexic said in a release.

The technology industry lags far behind a number of other industries in terms of information security effectiveness, according to a new report by security firm BitSight Technologies. The finance industry performs best in information security effectiveness, followed by the retail and energy industries.
To evaluate information security effectiveness, BitSight analyzed security incidents for more than 70 Fortune 200 companies in the finance, retail, energy and technology industries between October 2012 and September 2013. The firm based its ratings on the number and duration of observed security incidents, such as communication with a botnet, spam propagation and malware distribution.

The finance industry rated highest in information security effectiveness because the companies were "generally quicker to respond to threats than their peers in other industries," the report noted. By contrast, the technology industry performed poorly in terms of detecting and responding to data breaches.

"High profile breaches during the period of our analysis give some hint as to why the technology industry rates less effective than other sectors we analyzed. Recent headlines abound with details of the massive Adobe data breach that also impacted data brokers Dun & Bradstreet and Lexis Nexis," the report noted.

BitSight cited a 2012 Carnegie Mellon CyLab report that suggests one reason for the gap between the financial services and technology industries. The report found that 90 percent of financial services companies have a chief risk officer, while only 55 percent of the companies in the IT and telecom spaces had a chief risk officer, and none had a chief privacy officer.

"All of the companies included in this report have significant IT and risk management budgets and have implemented sophisticated cyber security products and services. They are also frequent targets of attack. However – whether due to regulation, the amount of executive level focus on cyber risk, or their individual technology implementations – there are distinct differences in industry security effectiveness," the report concluded.