Category: Trends

“If more states would publish breach notification lists, there would be more information to study and to help us understand this growing concern,” she said.

Additionally, more companies are starting to audit their security and network systems and use readily available security measures.

The group highlighted a recent massive breach caused by a retailer using unsecured or poorly secured networks to store customer data. Early this month, the US Attorney General’s office indicted members of a hacking ring that allegedly lifted 40 million credit and debit card numbers from retailers TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW.

Feds estimate the hackers netted about 45.7m payment cards from TJX (which operates T.J. Maxx stores) alone.

http://www.theregister.co.uk/2008/08/27/itrc_data_breaches_2008_beat_2007/

“Those companies become victims of the breach as much as the individuals whose information has been affected,” said Linda Foley, founder of the ITRC. “In many cases they entrusted a vendor to provide a service to safeguard information at the highest level, and when they transport it from one place to another unencrypted, they’re not taking it to the highest level… Companies need to have a better understanding of the contractual obligations of the firm they outsource payroll and other processes to, Foley said.

Foley said the growth in the number of breaches from year to year can no longer only be attributed to required reporting laws and media investigative work. Since each state has its own law requiring notification, companies are not held to one consistent standard to report a breach. Some states are adding language to the law, making it a requirement to provide public notification of the breach notification letters issued to customers, Foley said.

The researchers said current breach laws are problematic because they leave any action, such as canceling a credit card, up to the consumer.

Foley said the ITRC’s breach response program provides a consultant to the company to advise them on an appropriate breach notification letter and first responder calls.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1327048,00.html

Adrian Davis, senior research consultant and author of the report comments:Without doubt, our research shows that information security professionals want to change; to become information risk professionals and true business partners to add value and shape business strategy and processes. This change will involve more than just re-labelling job functions, activities and responsibilities. Skill sets will need to change, as will the way security professionals communicate with their businesses and measure performance.The ISF study examined where security in organisations is headed along with the security value proposition and challenges that have to be faced. Using this extensive research work and analysis including input from over 160 senior security professionals in some 100 major ISF Member organisations from around the world, Adrian Davis and his team identified key areas of change and drivers for change, and looked at the future for information security.

Davis added:It is clear that Information security is changing radically and will continue to change. The pressure for this comes from within the profession and from external forces such as businesses, regulators and changes in culture and behaviour.Although differences exist between both geographical regions and industry sectors, common themes can be identified.

The Report entitled, the Role of Information Security in the Enterprise, is one of over 200 authoritative reports available free of charge to ISF Members.

http://www.net-security.org/secworld.php?id=6357

The report includes real documented discussions conducted by the company’s researchers with resellers of stolen data and their “bosses”, confirming it’s analysis of the current state of the cybercrime economy.

“Over the course of the last 18 months we have been watching the profit-driven Cybercrime market maturing rapidly… This makes businesses today even more vulnerable for cybercrime attacks, especially considering the maturity of the cybercrime market and its well-structured cybercrime organizations,” said Yuval Ben-Itzhak, Finjan’s CTO.

The report explores the trend of loosely organized clusters of hackers trading stolen data online being replaced by hierarchical cybercrime organizations. These organizations deploy sophisticated pricing models, Crimeware business models refined for optimal operation, Crimeware drop zones, and campaigns for optimal distribution of the Crimeware. These cybercrime organizations consist of strict hierarchies, in which each cybercriminal is rewarded according to his position and task. Directly under him is the “underboss”, acting as the second in command and managing the operation. This individual provides the Trojans for attacks and manages the Command and Control (C&C) of those Trojans.

As a preventative measure, businesses should look closely at their security practices to make sure they are protected.

http://www.security-industry-today.com/news/news_all.asp?ID_key=381

Many other protocol implementations are built entirely from scratch, and have not benefited from years of public analysis and repeated attack, resulting in unproven protocol implementations that may be vulnerable to attack.

Even when vulnerabilities are identified, patches must be developed for each device or device family by the vendor, requiring tight collaboration between embedded software developers and the OEM’ s building devices based on the developers’ software.

http://www.net-security.org/secworld.php?id=6247

The report summarizes the latest trends in the cybercrime marketplace over the first six months of 2008.

One of the biggest among those trends is the growing commoditization of some kinds of stolen data, according to Yuval Ben-Itzhak, chief technology officer at Finjan. Until recently, he said, credit card numbers and bank accounts with personal identification numbers (PIN) were considered valuable items in the underground market.

Technologies from Citrix Systems Inc. are being used by an increasing number of health care organizations to enable remote network access, Ben-Itzhak said, and stealing Citrix log-in credentials often allows data thieves to gain single sign-on access to a wide range of health-related information from inside hospital networks.

There’s a growing focus on stealing log-in credentials that provide remote access to business networks as well. For instance, Finjan recently discovered a Argentina-based server containing over 500MB of stolen data and another server containing over 1.4GB of similar information in Malaysia. For instance, one of the servers had a cache of data that included passenger reservation data and flight scheduling information stolen from a major airline.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9100338&source=NLT_AM&nlid=1