Gartner: Top trends in IT security technology

National Harbor, MD. — Gartner kicked off its annual Gartner Security and Risk Management Summit 2014 by pointing to the top threat challenges heading into next year — and added that in the future, the term IT security will give way to “digital security” to encompass newer challenges, such as the Internet of Things. Please read the full article here.

In 2012, average time from breach to detection is 210 days!

During 2012, nearly every industry, country and type of data was involved in a breach of some kind, reports Trustwave, data security & PCI compliance firm, in its recently released Global security report 2013.

The findings are interesting, though not unexpected. Some of the key findings are below:

Web applications have now emerged as the most popular attack vector. As organizations embrace mobility, mobile malware continues to be a problem for Android, with the number of samples in Trustwave’s collection growing 400% in 2012.

Businesses are embracing an outsourced IT operations model. In 63% of incident response investigations, a major component of IT support was outsourced to a third party. Outsourcing can help businesses gain effective, cost-friendly IT services; however, businesses need to understand the risk their vendors may introduce and proactively work to decrease that risk.

Businesses are slow to “self-detect” breach activity. The average time from initial breach to detection was 210 days, more than 35 days longer than in 2011. Most victim organizations (64%) took over 90 days to detect the intrusion, while 5% took three or more years to identify the criminal activity.

Spam volume declines, but impact on the business doesn’t. Spam volume shrank in 2012 to a level lower than it was in 2007 but spam still represents 75.2% of a typical organization’s inbound email. Most importantly, new malware research conducted by Trustwave found nearly 10% of spam messages to be malicious.

And finally, as expected, basic security measures are still not in place.  “Password1” is still the most common password used by global businesses. Of three million user passwords analyzed, 50% of users are using the bare minimum.

Trustwave recommends six security pursuits to address the issues. (Picture) Cyber criminals will never stop trying to compromise systems to obtain data. Organizations need to be aware of  where they may be open to attacks, how attackers can enter their environment and what to do if (and when) an attack occurs.

Some interesting data breaches and simple lessons we have not learned!!

 

Data breach – the word may ring alarm bells in the minds of some people – thanks to the series of penalties imposed by the regulatory bodies and heightened awareness created by the media. However, on a deep analysis, many of these breaches are result of some careless and casual decisions of a low level employee. One simple but effective solution – education and awareness. Unfortunately, information security awareness training is not able to achieve desired results and data breaches continue.

Let us have a look into some of the data breaches of first week of February 2013, in courtesy of the Privacy Rights Clearinghouse.

February 7, 2013 A simple data encryption could have saved your day.
Hackers were able to access customer credit card information stored on computer servers. The cyber attack affected customers who made purchases on www.thorlo.com between November 14, 2012 and January 22, 2013. Credit card numbers, credit card expiration dates, credit card security codes, names, and contact information were exposed.

February 7, 2013 If you’re sending mass e-mails, hide the recipient list. Please..

Schneider-Electric A vendor’s mailing error resulted in the exposure of employee Social Security numbers. Call for Candidacy letters were mailed sometime around January 16 that had Social Security numbers, names, and addresses visible through the address window of the letter.

February 7, 2013 Data encryption, encryption, encryption !!!

Wayne Memorial Hospital An unencrypted disc that contained patient information was lost in transit. The disc had names, Medicare account numbers, and outstanding account balances from patients who visited the Honesdale hospital between 2007 and 2012. A legal envelope that contained the disc was mailed on November 28 and arrived at Novitas Solutions in Pittsburgh in a cardboard box without the disc.

February 3, 2013 Not just storage and custody, ensure safe disposal.
River Falls Medical Clinic River Falls Medical Clinic officials reported a burglary during the summer of 2012. The equipment and paper documents that were stolen were recovered by police on November 28. An employee of a cleaning service that subcontracted with the Clinic is the main suspect. The items were found in the employee’s home and he was charged with felonies associated with theft and drug possession. It is believed that the documents were intended to be shredded. They contained patient names, dates of birth, patient account and billing account information, diagnosis codes, insurance information, account numbers, medical chart numbers, and scheduling information. An unspecified number of patients also had their Social Security numbers, home addresses, and phone numbers exposed.

February 1, 2013 Watch out what you are sending in your email.

Antioch Unified School District A document with sensitive Worker’s Compensation claim information was accidentally sent out with an email to a limited number of Antioch Unified School District employees. Social Security numbers and other information related to current and former employees that reported injuries were exposed. The incident occurred on January 18 and people who received the email were instructed to remove and destroy any saved information contain in the email. Those who received the email were also instructed to provide written verification that they had removed and destroyed the information.

February 1, 2013 Take care of your trash bins too!!

Tallahassee Memorial HealthCare A former Tallahassee Memorial HealthCare food service employee was indicted on 31 counts of filing false tax returns, wire fraud, false claims, and aggravated identity theft. He and two others are believed to have participated in a conspiracy that led to $818,000 in fraudulent claims. The employee worked for Tallahassee Memorial HealthCare for three years. He gathered patient names and dates of birth from food tray receipts when he delivered food to the rooms of patients in August of 2011 and stole emergency room data sheets from the trash. The information was then passed to the two others who participated in the conspiracy.

February 1, 2013 How many copies of your data is available and WHERE?

Central Laborers’ Pension Fund, Central Laborers’ Welfare Fund, Central Laborers’ Annuity Fund, Illinois A home burglary resulted in the theft of a CD that contained the information of over 30,000 beneficiaries. The CD contained names, Social Security numbers, and dates of birth and was taken from the home of an accountant at an unnamed counting firm. The three funds sued the accounting firm for $200,000 to cover the cost of credit monitoring and insurance.