2014/05/06

05.06.14 | Microsoft steps up to the plate, patches critical zero-day IE hole

Editor's Corner:
'Off with their heads!'

What's New:
1. Microsoft steps up to the plate, patches critical zero-day IE hole
2. Costs of data breaches continue to climb
3. Infographic: More than half of utilities not ready for cyberattacks
4. DoD probes cryptocurrencies as potential terrorist funding mechanism
5. IT security pros are 'deficient, disconnected and in the dark,' survey finds

Spotlight:
EU, Japan to ink cybersecurity cooperation pact

Also Noted:
Heartbleed-like flaws rare; Bitcoin-mining malware infects DVRs; Much more...

News From The Fierce Network:
1. Apple pulls experts from medical field to reportedly work on iWatch
2. Consumers embrace smartphone as a vital tool for mobile commerce
3. Mobile bad bot traffic surges by 1,000%

FierceITSecurity

May 6, 2014

Editor's Corner

'Off with their heads!'

By Fred Donovan

I'm glad the CEO of Target, Gregg Steinhafel, took my advice and resigned. Of course, that probably wasn't the main reason for his resignation and it probably wasn't a voluntary decision.

Until a new CEO is named, John Mulligan, the company's chief financial officer, will hold down the fort, Target said in a statement.

Don't feel bad for Steinhafel. He's expected to walk away with $55 million, says USA Today. That's quite a golden parachute.

Steinhafel, who was at Target for 35 years, follows former Target CIO Beth Jacob out the door. She paid the price for having a poorly structured information security program, with responsibility for information security dispersed among various executives.

Mike Rothman, president of Phoenix-based security consultancy Securosis, tells TechTarget that he was "shocked" by the removal of Steinhafel over a security incident, even one that affected more than 100 million consumers. "I think that retailers are obviously public-facing and are at more risk as a result, but again, you've had so many public-facing companies that went through things like this and the leadership survived. That's something I have not seen."

John Kindervag, vice president and principal analyst at Forrester Research, says holding the CEO accountable for a major security breach is long overdue. "Finally, some company understood that the buck ultimately has to stop at the highest level of executives, and if executives don't care about security, there [has] to be consequences," he tells TechTarget.

In South Korea, it seems to be standard operating procedure. Following a data breach that resulted in the theft of 20 million credit card accounts (half of the number of the Target breach), CEOs from three South Korean credit card companies resigned in January.

In a statement emailed to FierceITSecurity, Steve Durbin, global vice president of the Information Security Forum, observes: "The resignation of Target President and CEO Gregg Steinhafel reinforces what some of us in the security industry have been saying for some time and that is that data breaches of this nature have significant impact not just on reputation (and therefore stock price) but also on customer and board confidence in the leadership of the organization."

The fact that a huge retailer like Target that handles millions of credit cards did not have one person in charge of IT security is a massive failure of leadership. While the breach might not have been the only reason Steinhafel was pressured to resign, it was undoubtedly in the top three.

CEOs and CIOs beware! Your job may be at risk if you don't take basic steps to ensure the security of your IT infrastructure and data. -- Fred

Check out our timeline of the Target breach.


What's New

1. Microsoft steps up to the plate, patches critical zero-day IE hole

By Fred Donovan

Microsoft did not wait for Patch Tuesday to fix the zero-day vulnerability in every supported version of Internet Explorer (IE 6 through 11) that lets an attacker run code on a victim's machine when the victim simply visits a malicious web page.

Redmond issued an out-of-band patch (security bulletin MS14-021, CVE-2014-1776) for the critical vulnerability, which is being used in "limited, targeted attacks."

Security firm FireEye uncovered the security hole as well as an ongoing attack campaign, which it dubbed "Operation Clandestine Fox."

Microsoft said that Windows XP users will also receive the update, even though XP is no longer supported.

"We have made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11," explains Dustin Childs, group manager for response communications at Microsoft Trustworthy Computing.

Security researcher Graham Cluley warns XP users not to expect this type of treatment in the future. "If I were you, I wouldn't bank on Microsoft keep coming back to Windows XP. They're only doing this out of the goodness of their hearts," he writes in a blog.

Trey Ford, Global Security Strategist at Rapid7, notes that out-of-band security updates are a "big deal ... Corporate and private users should prioritize downloading (testing, where required by change controls) and deploying this patch."

For more:
- check out Microsoft's security bulletin
- read Childs' blog
- see Cluley's blog

Related Articles:
IE users beware, here comes 'Operation Clandestine Fox'
As Windows XP support deadline approaches, security concerns mount
Spotlight: Firms continue to resist upgrade from Windows XP



2. Costs of data breaches continue to climb

By Fred Donovan

The costs associated with data breaches are on the rise, according to an annual report prepared by the Ponemon Institute.

In this year's report, the average cost of a single data breach totaled $3.5 million globally, a 15 percent jump from last year. The average cost for each lost or stolen record increased nine percent to $145, up from $136 in 2013.

The Ponemon Institute conducted interviews with 1,690 IT, compliance and IT security pros at 314 companies (in 10 countries) that had experienced a data breach, for the IBM-sponsored study.

One reason why data breach costs are rising is that a majority of companies have low or no confidence that they are making the right investments in people, processes and technology to address threats.

For U.S. firms, the data breach costs are significantly higher than the global average. The average cost per record lost was $201 in 2014, up from $188 in last year's report, which was sponsored by Symantec.

Companies surveyed by Ponemon estimate that they deal with an average of 17 malicious code incidents, 12 sustained probes and 10 unauthorized access incidents each month.

"The goal of this research is to not just help companies understand the types of data breaches that could impact their business, but also the potential costs and how best to allocate resources to the prevention, detection and resolution of such an incident," says Larry Ponemon, chairman and founder of the Ponemon Institute.

For more:
- check out IBM's release on the 2014 report
- see the 2013 report (reg. req.)

Related Articles:
IT security execs convinced data breach is coming
Security 'game changers' forcing IT security pros to 'do things differently,' says SANS chief
Target breach, Heartbleed bug cause high anxiety among IT security pros



3. Infographic: More than half of utilities not ready for cyberattacks

By Fred Donovan

More than half of utilities say they are not ready for cyberattacks, according to data in an infographic compiled by the Smart Grid Interoperability Panel, or SGIP.

The SGIP is a non-profit, public-private partnership established by industry members to harmonize technical and interoperability standards and so speed the modernization of the energy grid.

A full 53 percent of cybersecurity breaches investigated by the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team from October 2012 to May 2013 occurred in the energy sector, the infographic notes.

Utilities cite four main reasons why data breaches occur: misunderstanding of risk, insufficient investment in cybersecurity, lack of cybersecurity awareness and inadequate cybersecurity training.

The SGIP offers seven steps for utilities to manage cybersecurity risk better:
1. Create a prioritized list of business functions based on risk.
2. Prioritize the processes that support those business functions.
3. Inventory smart grid systems and assets.
4. Identify smart grid system interactions.
5. Determine high-level smart grid security requirements.
6. Create a plan to prioritize and close security gaps.
7. Monitor the high-level smart grid security requirements on an ongoing basis.

To view the full-size infographic, click here.



4. DoD probes cryptocurrencies as potential terrorist funding mechanism

By Robert Bartley

Cryptocurrencies--used in the past to facilitate the illegal transfer of drugs, guns and anything else you can't find at the corner store--are under investigation by the U.S. government for their potential to fund terrorist plots.

A Department of Defense division called the Combating Terrorism Technical Support Office, or CTTSO, is asking third-party vendors to help research the effect virtual currencies could have on terrorist operations.

In an advanced planning briefing for industry, the CTTSO explained that, "The introduction of virtual currency will likely shape threat finance by increasing the opaqueness, transactional velocity, and overall efficiencies of terrorist attacks."

According to the briefing, vendors should consider researching case studies from the past 20 years to determine what effect the introduction of cryptocurrencies would have had, whether threat finance models that use cryptocurrency can be analyzed, and how authorities can use information such as publicly available blockchains to model and test flows of funds in order to prevent future attacks. The CTTSO also encourages vendors to research whether countermeasures built on the virtual currencies themselves can mitigate terrorist threats.

By investigating how virtual currency behaves within threat networks, the division hopes to recognize patterns and act on them before terrorists have the chance to execute operations. Bitcoin-style cryptocurrencies are pseudonymous rather than anonymous: addresses are not tied to real-world identities, but every transaction is recorded on a public ledger, which is a valuable tool when tracking the flow of funds.
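The kind of fund-flow tracing the briefing describes, as an added example that is not part of the original article or the CTTSO solicitation. The ledger below is constructed toy data in a simplified format (not real Bitcoin transactions; addresses, amounts and transaction ids are made up), and the proportional "haircut" taint rule used here is one common accounting convention among several (FIFO and "poison" are others). The example walks the spend graph forward from a source address and computes what share of each later output traces back to it.

```python
from collections import defaultdict, deque

# Constructed toy ledger (not real Bitcoin data). Each transaction spends
# earlier outputs, referenced as (txid, output index), and pays new addresses.
# Transactions with no inputs stand in for coinbase (newly minted) outputs.
# Listed in order, so every input refers to an earlier transaction.
LEDGER = [
    {"txid": "tx1", "inputs": [],                       "outputs": [("A", 10.0)]},
    {"txid": "tx2", "inputs": [("tx1", 0)],             "outputs": [("B", 6.0), ("A", 4.0)]},
    {"txid": "tx3", "inputs": [("tx2", 0)],             "outputs": [("C", 5.0), ("B", 1.0)]},
    {"txid": "tx4", "inputs": [],                       "outputs": [("F", 3.0)]},
    {"txid": "tx5", "inputs": [("tx3", 0), ("tx4", 0)], "outputs": [("E", 8.0)]},
    {"txid": "tx6", "inputs": [("tx5", 0), ("tx2", 1)], "outputs": [("D", 12.0)]},
    {"txid": "tx7", "inputs": [],                       "outputs": [("G", 2.0)]},
]


def build_index(ledger):
    """Index transactions by id and map each output to the transactions that spend it."""
    by_txid = {tx["txid"]: tx for tx in ledger}
    spenders = defaultdict(list)  # (txid, vout) -> [txid, ...]
    for tx in ledger:
        for prev in tx["inputs"]:
            spenders[prev].append(tx["txid"])
    return by_txid, spenders


def downstream_addresses(ledger, source):
    """Every address that received coins descending from outputs paid to `source`.

    Breadth-first walk over the spend graph: start from each output paid to the
    source, follow whichever transactions spend it, and enqueue their outputs.
    """
    by_txid, spenders = build_index(ledger)
    queue = deque(
        (tx["txid"], i)
        for tx in ledger
        for i, (addr, _) in enumerate(tx["outputs"])
        if addr == source
    )
    seen = set(queue)
    reached = set()
    while queue:
        out = queue.popleft()
        for txid in spenders.get(out, []):
            for i, (addr, _) in enumerate(by_txid[txid]["outputs"]):
                reached.add(addr)
                if (txid, i) not in seen:
                    seen.add((txid, i))
                    queue.append((txid, i))
    reached.discard(source)
    return reached


def haircut_taint(ledger, source):
    """Fraction of each output's value that traces back to `source`.

    Proportional ("haircut") rule: when a transaction mixes tainted and clean
    inputs, every output inherits the value-weighted average taint of the
    inputs. Coins paid directly to the source count as fully tainted.
    """
    by_txid, _ = build_index(ledger)
    taint = {}  # (txid, vout) -> fraction in [0.0, 1.0]
    for tx in ledger:
        if tx["inputs"]:
            values = [by_txid[t]["outputs"][v][1] for t, v in tx["inputs"]]
            tainted = [taint[(t, v)] * by_txid[t]["outputs"][v][1] for t, v in tx["inputs"]]
            frac = sum(tainted) / sum(values)
        else:
            frac = 0.0  # freshly minted coins have no history
        for i, (addr, _) in enumerate(tx["outputs"]):
            taint[(tx["txid"], i)] = 1.0 if addr == source else frac
    return taint


def tainted_value_received(ledger, source, address):
    """Total value paid to `address` that traces back to `source` under the haircut rule."""
    taint = haircut_taint(ledger, source)
    return sum(
        taint[(tx["txid"], i)] * value
        for tx in ledger
        for i, (addr, value) in enumerate(tx["outputs"])
        if addr == address
    )


if __name__ == "__main__":
    print("reachable from A:", sorted(downstream_addresses(LEDGER, "A")))
    for addr in "BCDEFG":
        print(addr, tainted_value_received(LEDGER, "A", addr))
```

In the toy ledger, tx5 mixes 5 units that came from A with 3 freshly minted units, so E's output is 62.5 percent tainted, and tx6 mixes that with A's own change to reach 75 percent. Two caveats a practitioner would add: real tracing also has to cluster addresses into wallets (for example with the common-input-ownership heuristic) before reachability means much, and mixing services exist precisely to spread taint thin enough that proportional accounting stops being useful.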

While the DoD is exploring the link between virtual currency and terrorism, the Department of the Treasury is downplaying its potential for funding international terrorism. In March, David Cohen, the undersecretary for terrorism and financial intelligence, said during a press conference that virtual currency is of little use to people looking to support terrorist activity.

"Terrorists generally need 'real' currency, not virtual currency, to pay their expenses--such as salaries, bribes, weapons, travel, and safe houses," Cohen said.

However, Cohen highlighted the use of virtual currency in domestic crimes, and described its effectiveness for bankrolling identity fraud, credit card theft, online scams and malware operations.

For more:
- check out the CTTSO memo
- read a Bloomberg article about Cohen's remarks
- watch the Cohen press conference

Related Articles:
Heartbleed undermines Bitcoin client, developers advise update
Malware empties Bitcoin wallets, denies access to files until ransom is paid
New worm infects thousands of IoT devices, mines cryptocurrency, Symantec warns



5. IT security pros are 'deficient, disconnected and in the dark,' survey finds

By Fred Donovan

In an era of increasingly sophisticated and well-resourced cybercriminals, IT security pros are feeling underfunded and overwhelmed.

That is the conclusion of a survey of 4,881 IT and IT security pros in 15 countries conducted by the Ponemon Institute on behalf of security firm Websense.

According to the survey, 57 percent of respondents doubt that their firm is protected from advanced cyberattacks and 63 percent don't think they can stop the theft of confidential data.

This lack of confidence is reflected in the frequency of successful cyberattacks. A full 44 percent of respondents said their firm was the victim of one or more cyberattacks that infiltrated networks or enterprise systems in the past year.

Close to 60 percent of respondents said that their company lacks adequate intelligence about cybercriminal activities or that they are unsure about the effects of attack attempts on their firm.

Surprisingly, their companies' leaders do not equate losing confidential data with a potential loss of revenue, despite the devastating effect that large data breaches, such as the one at Target, have had on companies. Nearly half of respondents say their board-level executives don't understand IT security issues.

In fact, research by the Ponemon Institute and Symantec shows that a data breach costs the average U.S. enterprise $188 per record lost and $5.4 million per incident.

A majority of respondents don't believe they have a good understanding of the threats facing their companies. Only slightly more than one-third could say with certainty whether their organization had lost sensitive or confidential data to a cyberattack, and 35 percent of those who knew they had lost sensitive data did not know exactly what was stolen.

For more:
- read the full report (reg. req.)
- check out the Ponemon/Symantec release

Related Articles:
IT security execs convinced data breach is coming
Target breach, Heartbleed bug cause high anxiety among IT security pros
Verizon provides insight into attackers' behaviors



Also Noted

TODAY'S SPOTLIGHT... EU, Japan to ink cybersecurity cooperation pact

The European Union and Japan are set to sign a strategic partnership agreement, or SPA, which will include a cybersecurity cooperation pact, when Japanese Prime Minister Shinzo Abe visits Brussels this week, AFP reports. The two sides began talks on the SPA, covering more than 30 policy areas that include political, scientific and cultural cooperation, in early 2013.

>> Heartbleed-like security flaws far-reaching but rare (eWeek)
>> What should enterprises look for in vulnerability assessment tools? (TechTarget)
>> Infecting DVRs with Bitcoin-mining malware even easier than you suspected (Ars Technica)
>> Symantec unveils roadmap of security integrations and managed services (Security Week)
>> Into Malware? Time to play in the cuckoo sandbox (CSO)

And Finally…. Is it time to 'reset the net'? (Wired)

©2014 FierceMarkets, a division of Questex Media Group LLC, 1900 L Street NW, Suite 400, Washington, DC 20036.

Editor: Fred Donovan. Publisher: Ron Lichtinger.