[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
And so, now the news
* Collaboration Is Key to Information Security
* Social media, the gateway for malware
* ATM hack prompts Thai state-run banks to install anti-malware
* US Senators Urge Obama To Prioritize Cyber Crime At G20 Summit
* Stop procrastinating: Signing emails is now a necessity
* 8 tips for building tech leadership skills
* Encryption hiding malware in half of cyber attacks
* DNSSEC: Don’t throw the baby out with the bath water
* Risk and the Pareto Principle: Applying the 80/20 rule to your risk management strategy
* New Cyber-Security Conference Focuses On Real-World Threats
* Buying cloud access security brokers with confidence
* Why the death of SIEM has been greatly exaggerated
* How to Build an Economically-Driven Cyber Defense Strategy
* Five Signs of Identity Governance Trouble
* New data breach notification standards should be flexible, adaptive, ITAC says
* McCaskill wants military to fight cybersecurity brain drain
* Study Shows 137 Percent Spike In Fraud Attacks Over The Past Four Quarters
* Cyber security should be expanded to other departments other than IT: CII-KPMG report
Collaboration Is Key to Information Security
Collaboration and information sharing within security can of itself introduce risk, however.
Any such engagement has to, therefore, be built upon a sense of trust and shared purpose.
Depending on the level of confidence required, that trust may be gained through real-world relationships and informal ‘Chatham House rules’ or via more formalized, legally binding NDA arrangements.
Outside of the more altruistic world of non-profit organizations, such factors are not always easy to establish, especially where protected IP, profit margins, livelihoods, kudos and commission may be at odds with such a notion.
It is fantastic when different vendors can work together for the greater good of the industry.
This fascinating piece around one of the first documented attacks using steganography demonstrates just that.
As threats become ever-more sophisticated, research is certainly an area that requires collaboration of the best and brightest minds.
Here in the United Kingdom, CERT-UK has established the Cyber-Security Information Sharing Partnership, which is a joint industry-government initiative aspiring to encourage members across all sectors to share threat and vulnerability information.
On a regional level, we in the South West of England are fortunate to benefit from an active security community of trust.
We even have a first-class event, Secure South West, that runs in cooperation with Plymouth University.
Even within the untrusted online realm, we can all take advantage of and contribute to useful and rapid information sharing.
For all the negatives we are used to hearing about through its misuse, social media provides most of us with a daily feast of news and other publicly disseminated security related information.
The challenge here can be to discern ‘the wheat from the chaff’ and then find the time to watch/listen/read the most useful and relevant items.
Isolate, hoard, divide and fall or collaborate, share, unite, and win.
The choice is ours.
Your adversaries know this only too well and will often collaborate where there is some mutually beneficial nefarious gain to be had.
They are also adept at the art of spreading misinformation of course, but that is an altogether different consideration for another post.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b62be88cf5&e=20056c7556
Social media, the gateway for malware
Why the Common Vulnerability Scoring System (CVSS) doesn’t give an accurate picture of the security risks from social media sites
A recent NopSec 2016 State of Vulnerability Risk Management Report found that organizations use inadequate risk evaluation scoring systems.
The report claimed that social media, which often isn’t included in any risk evaluation system, is now a top channel for disseminating vulnerability and exploit information.
According to the NopSec report, “Twitter is becoming one of the top platforms for security researchers and attackers looking to disseminate proof-of-concept exploits.
Vulnerabilities associated with active malware are tweeted nine times more than vulnerabilities with just a public exploit and 18 times more than all other vulnerabilities.”
In the sixth annual Smarsh 2016 Electronic Communications Compliance Survey, 48 percent of the respondents cited social media as the number one channel of perceived compliance risk.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dc40f4a6b6&e=20056c7556
ATM hack prompts Thai state-run banks to install anti-malware
GSB chief executive officer Chatchai Payuhanaveechai said NCR, the bank’s ATM vendor, has upgraded its software to protect ATMs from malware; the upgrade, the first of its kind in Asia-Pacific, will be installed on the bank’s existing NCR-manufactured ATMs.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3137d7ad7a&e=20056c7556
US Senators Urge Obama To Prioritize Cyber Crime At G20 Summit
At a November summit, the G20 pledged not to conduct economically motivated cyber espionage, an agreement intended to reduce the estimated hundreds of billions of dollars worth of commercial trade secrets that are stolen by foreign governments seeking to benefit industry in their own countries.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d8f9d830a1&e=20056c7556
Stop procrastinating: Signing emails is now a necessity
I’ve used encryption for a long time, but only recently have I started signing all outgoing messages by default.
Why?
Because attacks (spoofing, phishing, SPAM, etc.) are not only growing more and more common, they’re becoming smarter and trickier to spot.
To this end, I now sign every email, not just those related to business communications.
Digitally signing all outgoing email should be in your company’s security policy.
Every employee that communicates using the company server should have, at the bare minimum, their emails digitally signed.
Any employee sending sensitive company data should also up the ante with full-blown encryption (but that’s another issue altogether).
According to The Radicati Group, over 205 billion emails a day were sent in 2015 and by 2019 that figure will reach over 246 billion a day.
Even if only 1% of those emails are spoofs or phishing scams, that still comes out to just over 2 billion a day.
That’s a massive number of malicious email.
If you’re not employing digital signatures for all outgoing company email, someone could spoof you.
When that happens, trust is lost.
Lose the trust of your customer base, and your bottom line suffers.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=be264b5885&e=20056c7556
8 tips for building tech leadership skills
Experts offer the following tips to gain leadership skills and rise up the tech ladder:
1) Make the choice.
“If you’re an engineer, it has to be a conscious decision that you want to be on this track, and want to be a leader and a manager of people and projects,” Hewes said.
2) Observe your leaders.
Every organization has a particular culture and definition of leadership and management, even if it is not explicitly stated, Hewes said.
3) Talk to your manager.
Ensure you’re on the career advancement path of your choice at your current company, or at least make your aspirations known, Hewes said.
4) Join a professional organization to observe and connect with leaders in your field.
Anne Krook, owner and principal of the consulting firm Practical Workplace Advice, especially recommends this for young women looking for role models.
5) Seek out feedback from your manager and peers.
“Everybody has strengths and challenges—get a good balanced view of where your strong points are, and what you should focus on,” Hewes said.
6) Avoid the “delegation trap.”
Once you are given more responsibility, don’t put the pressure to do all the work on yourself, Hewes said.
7) Don’t define yourself as “apolitical” in the workplace.
“Anytime you have two or more people together, you need to understand how people work,” Hewes said.
8) Don’t expect any leadership program to be a cure-all.
“You can’t rely on any one program to give you soft skills,” Krook said. “It can provide you with guidance and a framework for thinking about how to get more skills.
But it’s not a discrete subject matter class.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=581dd5222b&e=20056c7556
Encryption hiding malware in half of cyber attacks
Malware in nearly half of cyber attacks in the past 12 months has been sneaked into organisations under the cover of encryption, a study has revealed.
“The Hidden Threats in Encrypted Traffic study sheds light on important facts about the malicious threats lurking in today’s corporate networks,” said Larry Ponemon, chairman and founder of the Ponemon Institute.
While 80% of respondents said their organisations had been hit by a cyber attack in the past year, nearly half said their attackers had used encryption to evade detection.
The trend is expected to grow in parallel with the greater legitimate use of encryption.
Inbound encrypted traffic is expected to rise from 39% to 45% next year, and outbound encrypted traffic from 33% to 41%.
When asked about malware hiding outbound data within encrypted traffic, 74% said this was highly likely, but only 16% thought their organisation could identify and mitigate an SSL-encrypted malware attack before data exfiltration.
When asked whether traffic from an SSL-secured malware server could slip past their intrusion prevention system (IPS), 79% of respondents said this was highly likely to occur in their organisation; only 17% thought their organisation had the ability to mitigate such an attack.
When asked if an attacker could mask outbound communications or stolen data from a command and control server, two-thirds said it is highly possible.
Only 26% thought their organisation could spot such behaviour and prevent data loss.
The main reasons cited for not inspecting decrypted web traffic were a lack of enabling security tools (47%), insufficient skills and resources (45%), and degradation of network performance (45%).
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=61ccc265ea&e=20056c7556
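Not every organisation can decrypt traffic, but a ClientHello is sent in the clear even on a TLS session, so the destination name (SNI) and the cipher suites a client offers can be checked without any decryption. The following is an added Python example, not code from the study or from any vendor product: it builds a minimal TLS 1.2 ClientHello as constructed test input, parses it, and flags handshakes with no SNI, an SNI outside an assumed allow-list, or an offered cipher suite the (assumed) policy treats as weak. Domain names, the allow-list and the weak-suite set are illustrative assumptions.

```python
import struct

# IANA cipher suite values used in the constructed samples below
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_RC4_128_SHA = 0x0005

# Suites treated as a red flag under the assumed policy
WEAK_SUITES = {TLS_RSA_WITH_RC4_128_SHA}


def build_client_hello(server_name, cipher_suites):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, not a capture)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"        # client_version, fixed 'random', empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                  # one compression method: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni       # extension type server_name(0)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (cipher_suites, sni) from a ClientHello record; raise ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 34                                         # skip client_version and random
        pos += 1 + body[pos]                             # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                             # compression_methods
        sni = None
        if pos + 2 <= len(body):                         # extensions block is optional
            ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= ext_end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                edata = body[pos + 4:pos + 4 + elen]
                pos += 4 + elen
                if etype == 0x0000 and len(edata) >= 5:  # server_name: list_len(2) type(1) len(2) name
                    name_len = struct.unpack("!H", edata[3:5])[0]
                    sni = edata[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return suites, sni


def assess_client_hello(record, allowed_domains):
    """Findings for one outbound handshake under the assumed allow-list policy (empty list = clean)."""
    suites, sni = parse_client_hello(record)
    findings = []
    if sni is None:
        findings.append("no SNI: destination cannot be attributed without decryption")
    elif not any(sni == d or sni.endswith("." + d) for d in allowed_domains):
        findings.append(f"SNI not on allow-list: {sni}")
    weak = [f"0x{s:04X}" for s in suites if s in WEAK_SUITES]
    if weak:
        findings.append("offers weak cipher suite(s): " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    allow = ["example.com"]                               # assumed corporate allow-list
    for name, suites in [("www.example.com", [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]),
                         (None, [TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA]),
                         ("c2.badexample.net", [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256])]:
        print(name, "->", assess_client_hello(build_client_hello(name, suites), allow) or "clean")
```

The check is deliberately cheap: it runs on the first packet of a session and never touches the payload, which is the trade-off for the performance and skills concerns the respondents cite. SNI can be omitted or forged by malware, so an absent or unexpected SNI is a lead for the SIEM or proxy, not proof of compromise.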
DNSSEC: Don’t throw the baby out with the bath water
A recent report raised concerns about the abuse of DNSSEC to conduct DDoS attacks.
The article reported that DNSSEC-signed domains can be used to conduct reflected DDoS attacks with large amplification factors (averaging 28.9x in their study) that could potentially cripple victim servers.
The report went on to recommend that organizations deploying DNSSEC should configure their DNS servers to prevent this and other types of abuse.
While this report presents some useful information about the potential for misuse of DNSSEC, it has the side-effect of casting doubt on the overall value of the DNSSEC protocol itself.
It would be a shame if someone reading this report concludes that DNSSEC creates more problems than it solves.
In fact, DNSSEC is an essential protocol that continues to add critically needed trust to internet communications.
DNSSEC adds a missing ingredient to this globally distributed, highly scalable database – trust.
Trust means two things – first, knowing that data received from a domain came from the owner of the domain; and second, knowing that the data has not been altered while in transit.
It is important to note that DNSSEC does not provide confidentiality to the DNS – it makes the DNS a trustworthy place to publish and retrieve public information, but it does not make it a place to publish confidential or sensitive information.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=edca4b0d51&e=20056c7556
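The mitigation the report points to, configuring the authoritative server so that it cannot be used as a reflector, is usually response rate limiting (RRL). The following is an added Python example, not code from the article or from any DNS server: a simplified limiter keyed on the client /24 (which in a reflection attack is the spoofed victim netblock), the query name and the query type, so a burst of DNSKEY queries aimed at one victim is capped while resolvers in other netblocks are served normally. The parameter names echo BIND’s rate-limit options (responses-per-second, window, slip) in spirit only; the sliding-window algorithm and the sample traffic are assumptions.

```python
from collections import defaultdict, deque
import ipaddress


class ResponseRateLimiter:
    """Simplified DNS response rate limiting (constructed example, not any server's code).

    Identical responses (same client netblock, qname, qtype) are capped at
    responses_per_second * window within a sliding window of `window` seconds.
    Every `slip`-th suppressed response is sent as a small truncated (TC=1)
    reply instead of being dropped, so a genuine client retries over TCP while
    the reflector still emits almost no amplified bytes toward the victim."""

    def __init__(self, responses_per_second=5, window=5, slip=2, v4_prefix=24, v6_prefix=56):
        self.limit = responses_per_second * window
        self.window = window
        self.slip = slip
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self.history = defaultdict(deque)   # key -> timestamps of responses actually sent
        self.dropped = defaultdict(int)     # key -> number of suppressed responses

    def _netblock(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def decide(self, client_ip, qname, qtype, now):
        """Return 'respond', 'slip' (send TC=1 reply) or 'drop' for one query at time `now`."""
        key = (self._netblock(client_ip), qname.lower().rstrip("."), qtype.upper())
        sent = self.history[key]
        while sent and sent[0] <= now - self.window:   # expire timestamps outside the window
            sent.popleft()
        if len(sent) < self.limit:
            sent.append(now)
            return "respond"
        self.dropped[key] += 1
        if self.slip and self.dropped[key] % self.slip == 0:
            return "slip"
        return "drop"


def simulate_reflection_burst(limiter, victim_ip, qname="example.com", qtype="DNSKEY",
                              count=60, start=100.0):
    """Constructed burst: `count` spoofed queries from one victim address within one second."""
    return [limiter.decide(victim_ip, qname, qtype, start + i / 100) for i in range(count)]


if __name__ == "__main__":
    rrl = ResponseRateLimiter()
    burst = simulate_reflection_burst(rrl, "203.0.113.7")
    print("responded:", burst.count("respond"), "slipped:", burst.count("slip"),
          "dropped:", burst.count("drop"))
    print("other resolver:", rrl.decide("198.51.100.9", "example.com", "DNSKEY", 100.6))
```

RRL limits how much amplified traffic a signed zone can deliver to any one netblock; it does not change the amplification factor of a single response, and it does nothing for open recursive resolvers, which need source-address validation and access controls of their own.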
Risk and the Pareto Principle: Applying the 80/20 rule to your risk management strategy
While organizations are investing in Threat and Vulnerability Management (TVM) solutions to understand their exposure to risk, they’re also realizing that it’s nearly impossible to address the explosion of vulnerabilities that they’re suddenly detecting in their environment.
A TVM solution might be a step in the right direction, but organizations also need to approach their risk posture more strategically.
Research indicates that the majority of risk (about 80 percent) is attributable to a fraction of their vulnerabilities (20 percent or less). Looking ahead, that means organizations need to prioritize the vulnerabilities that present the most risk.
By focusing on critical flaws with the potential for damage, enterprises can make a huge dent to business risk, while also streamlining threat management processes to be more efficient, cost effective and smarter.
How can organizations hope to wrap their arms around all of those vulnerabilities hidden in their network?
The short answer is that they probably can’t – and shouldn’t try.
In order to truly understand their risk posture and address the threats that have the potential to cause the most damage, they need to be more strategic.
To start, organizations need to understand the Pareto Principle – otherwise known as the 80-20 rule – and how it applies to their threat environment.
At a high level, the Pareto Principle, named for economist Vilfredo Pareto, stipulates that roughly 80 percent of the effects or results are attributed to 20 percent of the causes or invested input.
The Data Model: Like the foundation of a building, the ability to locate, query and prioritize the data is where it all starts, essentially setting the stage for an effective Pareto Principle approach to risk.
Automation: These days, automation is not a luxury but a necessity for any organization attempting to get ahead of their business risk.
Automation gives organizations the ability to streamline the process of operationalizing their security solutions – this includes content mapping, leveraging pre-built workflows, data ingestion with filtering, self-service business intelligence, and UI customization among other things that are now available “out of the box.”
In addition to streamlining operations, automation is now an essential feature for data collection, providing organizations security threat information and asset discovery on an ongoing basis.
And the biggest advancement in automation is the ability to configure, not program, changes.
Risk Scoring and Analytics: For organizations, one of the biggest priorities is board reporting – which means they need quick and easy access to dashboards and heat maps that can be generated in near real time.
They also need the ability to easily slice and dice risk intelligence as needed for business leaders, security personnel and IT team members.
They need the ability to assemble vulnerability and threat intelligence feeds into comprehensive analytics that reflect their own business-specific risk likelihoods and impacts.
Organizations can’t manage what they can’t see.
A big picture of risk environment is a start.
But ultimately, honing in on the most important 20 percent by understanding where to look and what to look at will offer a crucial leg up in managing the threats and vulnerabilities that have the potential to cause the most damage.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ddd026ab4d&e=20056c7556
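The article’s data model, risk scoring and “most important 20 percent” steps can be shown end to end on a small inventory. The following is an added Python example, not the article’s or any TVM vendor’s code: each vulnerability is scored from its CVSS base score, the criticality of the asset it sits on, whether the asset is internet-facing, and the strongest public evidence of exploitation (none, proof of concept, or in-the-wild malware, echoing the NopSec finding above that actively exploited flaws dominate attacker attention). The inventory, identifiers and weights are constructed assumptions. The result is ranked, and the smallest head of the list that carries 80 percent of total risk is returned, alongside a CVSS-only ranking for comparison.

```python
# Constructed vulnerability inventory (hypothetical ids, no real CVEs or hosts)
VULNS = [
    {"id": "V-01", "cvss": 9.8, "asset_criticality": 3, "internet_facing": True,  "exploit": "malware"},
    {"id": "V-02", "cvss": 7.5, "asset_criticality": 3, "internet_facing": True,  "exploit": "poc"},
    {"id": "V-03", "cvss": 9.1, "asset_criticality": 1, "internet_facing": False, "exploit": "none"},
    {"id": "V-04", "cvss": 5.3, "asset_criticality": 2, "internet_facing": True,  "exploit": "malware"},
    {"id": "V-05", "cvss": 4.3, "asset_criticality": 1, "internet_facing": False, "exploit": "none"},
    {"id": "V-06", "cvss": 6.5, "asset_criticality": 1, "internet_facing": False, "exploit": "none"},
    {"id": "V-07", "cvss": 3.1, "asset_criticality": 1, "internet_facing": False, "exploit": "none"},
    {"id": "V-08", "cvss": 8.8, "asset_criticality": 2, "internet_facing": False, "exploit": "poc"},
    {"id": "V-09", "cvss": 2.0, "asset_criticality": 1, "internet_facing": False, "exploit": "none"},
    {"id": "V-10", "cvss": 5.0, "asset_criticality": 1, "internet_facing": False, "exploit": "none"},
]

# Assumed weights: exploitation evidence and exposure multiply the base score
EXPLOIT_WEIGHT = {"none": 1.0, "poc": 1.5, "malware": 2.5}
EXPOSURE_WEIGHT = {False: 1.0, True: 2.0}


def risk_score(vuln):
    """Business-specific risk: CVSS x asset criticality x exploit evidence x exposure."""
    return (vuln["cvss"] * vuln["asset_criticality"]
            * EXPLOIT_WEIGHT[vuln["exploit"]] * EXPOSURE_WEIGHT[vuln["internet_facing"]])


def pareto_cutoff(vulns, fraction=0.8):
    """Return (ids, covered_fraction): the smallest top slice of the ranked list
    whose summed risk reaches `fraction` of the total risk in the inventory."""
    ranked = sorted(vulns, key=risk_score, reverse=True)
    total = sum(risk_score(v) for v in ranked)
    if total == 0:
        return [], 0.0
    target = fraction * total
    selected, covered = [], 0.0
    for v in ranked:
        if covered >= target:
            break
        selected.append(v["id"])
        covered += risk_score(v)
    return selected, covered / total


def top_n_by_cvss(vulns, n):
    """What a CVSS-only queue would work first, for comparison."""
    return [v["id"] for v in sorted(vulns, key=lambda v: v["cvss"], reverse=True)[:n]]


if __name__ == "__main__":
    ids, covered = pareto_cutoff(VULNS)
    print(f"{len(ids)} of {len(VULNS)} vulnerabilities carry {covered:.0%} of risk: {ids}")
    print("CVSS-only top 3:", top_n_by_cvss(VULNS, 3))
```

On this inventory three of ten findings carry just over 80 percent of the risk, and the CVSS-only queue would spend its second and third slots on internal flaws with no public exploit while an internet-facing flaw with active malware waits. The weights are the part a real programme has to argue about; the cutoff logic itself is the same whatever model is chosen.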
New Cyber-Security Conference Focuses On Real-World Threats
SAN RAFAEL, Calif., Aug. 30, 2016 /PRNewswire/ — Netswitch’s virtual conference SecurliCon, scheduled for January 2017, provides vital help in understanding and defending against evolving and advanced external and internal security threats based on hard-earned experience in the real world.
The agenda will cover topics ranging from security analytics to encryption, SCADA and Critical Infrastructure Protection to public key cryptology, behavior baselining, active response and the role of vulnerability assessments and penetration testing in today’s cyber-security environment.
Among the expert speakers and panelists are keynoter Kim Green, President and CEO of KAZU Security, Phil Ferraro, CISO for the Las Vegas Sands, the FCC and now serving as Global CISO for Nielsen, Mischel Kwan, former Vice President of Public Sector Security for RSA Security and Director for the United States Computer Emergency Readiness Team (US-CERT) now serving on the board of the National Cyber Security Hall of Fame, Mary Landesman, CISO at Netflix and former Data Scientist for Norse Corporation and recently named as one of the “3 Women Leading the Way in IT Security”, and many others.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=af242636cb&e=20056c7556
Buying cloud access security brokers with confidence
Cloud access security brokers (CASBs) are either in-house network gateways or security-as-a-service cloud offerings that inspect network traffic destined for the cloud.
These platforms and services inspect all network traffic to determine whether sensitive data is being transmitted to the cloud, and they apply various policies and security controls to protect the data or prevent it from being transmitted in the first place.
All CASB platforms should provide the ability to inspect network traffic, apply customer-defined policies for controlling what data can go where and apply some form of protective controls to the data as warranted.
Some CASBs are integrated with significantly more cloud services than others and may also have many more tightly integrated features.
Enterprises should carefully evaluate the partnerships each CASB has.
Features to look for:
-Cloud service visibility and access control
-Data protection
-Threat protection
-Access controls
-Dashboard metrics and reporting
While not critical must-have features, the following are nice to have in a CASB offering:
-Integration with network malware sandboxes
-User behavior timelines
-In-house threat intelligence teams
-Cloud service reputation ratings
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e21313eb4c&e=20056c7556
Why the death of SIEM has been greatly exaggerated
Those proclaiming the death of SIEM point to the proliferation of newer analytics tools that can scour infrastructures and alert security staff to anomalies needing closer examination.
They believe these tools can replace SIEM while at the same time delivering more value to the enterprise.
Nothing could be further from the truth.
SIEM is not only alive and well, it’s also being put to work by small and mid-sized firms in increasing numbers.
They are seeing value in the ability to proactively monitor their growing IT infrastructures and spot threats before they can cause disruption.
However SIEM has evolved and the tools of today bear little resemblance to those of the past.
Modern SIEM tools are based on a big data analytics platform which enables them to scour much larger data sets.
This is important for organisations experiencing a data deluge and with infrastructures that continue to grow in complexity.
Today’s SIEM tools can also deal with large volumes of both structured and unstructured data.
This is relevant as potential security threats come in many forms and can only be identified through the careful analysis of both data types.
Once in place, SIEM tools need to become part of a comprehensive security monitoring program.
Managed by one person in smaller firms or a team within a large corporate, this program will involve closely monitoring the output of the SIEM tool.
One of the most important factors to consider is what capabilities it can provide out-of-the-box.
Many tools require complex configuration before they can be used, which makes them inappropriate for organisations without skilled in-house security teams.
It is also important to assess how well the tool will be able to monitor the volume of data being generated by the organisation’s IT infrastructure.
If it can’t deal with the constant flow, it will be unlikely to add the value expected by the security team.
The tool should also not trigger too many security alarms.
If it is constantly providing alerts of potential low-level security threats, IT teams will quickly become overwhelmed and may miss critical alerts when they actually occur.
While modern tools usually have an intuitive user interface, some training will still be required to ensure maximum value can be gained from the investment.
A good SIEM tool will mask much of its underlying complexity, but it is still important to have an understanding of what is going on under the hood.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5c167690e0&e=20056c7556
How to Build an Economically-Driven Cyber Defense Strategy
There still lingers an undeserved mystery around cyberattacks.
A romantic mythology born in the 1980s of a “rebel with a modem,” preserving freedom of information or simply hacking to prove that they can.
Today, the numbers overwhelmingly favor attackers and the bar has been lowered to the point that almost anyone can enter a life of cybercrime.
A standard ransomware campaign could earn an attacker a 1,425 percent ROI, according to a report by Trustwave.
This is in large part thanks to the explosion of Exploit Kits (EKs) – toolkits with packaged exploit codes – and other black market malware that puts sophisticated attack techniques into criminals’ hands for a fraction of the cost of the potential payout.
The most secure and economically sound approach is to stack the optimum, rather than maximum, complementing security technologies.
This proposed new cybersecurity stack should balance traditional and innovative approaches while always keeping benefit, risk and operational load in mind.
Endpoints are the first line of cyber defense and the place most often compromised – more than 70% of successful breaches originate on the endpoint, according to IDC Research.
At a minimum, an optimal endpoint stack should start with effective and efficient prevention.
Rather than rip and replace with New Gen products (let’s admit it, it will take years to throw AV out), could the stack be addressed differently?
Despite these flaws, anti-virus is still the most efficient prevention for run-of-the-mill malware.
Rather than replacing it, one could augment AV with new memory protection and exploit prevention technologies.
Other components could be added according to some unmet critical (rather than incremental) risk mitigation need, with the goal of bringing the widest range of protection with the least cost and business disruption.
Businesses that are attacked frequently may want to add EDR and sandboxing techniques, especially given that malware is most likely already in their network.
By changing the economics of attacks – making the cost of attack higher than the gain – cybercriminals will take their business elsewhere.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8279e86675&e=20056c7556
Five Signs of Identity Governance Trouble
So, what are the leading signs of identity governance trouble that can put an organization at risk?
Here are our top five in no particular order:
1. Orphaned Accounts
2. Poorly Defined Certification Processes
3. Inadequate Access Request Approvals
4. Lack of Segregation-of-Duty Controls
5. Independent Processes Across the Organization
If any of these signs of identity governance trouble ring true, you’re not the only one.
Fortunately, the right identity governance and intelligence solution can solve these issues to minimize your security risks and help you systematically achieve and manage your regulatory compliance.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=41a0a3f0c5&e=20056c7556
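Two of the five signs, orphaned accounts and missing segregation-of-duty controls, are mechanical enough to test directly against an HR feed, an account inventory and a role map. The following is an added Python example, not code from the article or from any identity governance product: the feeds, employee ids, account names, role names and the 90-day dormancy threshold are constructed assumptions. An account is reported as orphaned when it has no owner on record, when its owner is no longer active in HR, or when it has gone unused past the dormancy threshold; an SoD violation is any account holding both halves of a declared conflicting pair.

```python
from datetime import date

# Constructed sample feeds (no real people, systems or roles)
HR_ACTIVE = {"e100", "e101", "e102"}            # employee ids active per the HR feed
ACCOUNTS = [
    {"account": "jdoe",       "owner": "e100", "last_login": date(2016, 8, 30)},
    {"account": "asmith",     "owner": "e103", "last_login": date(2016, 8, 29)},  # owner has left
    {"account": "svc_backup", "owner": None,   "last_login": date(2016, 1, 5)},   # no owner on record
    {"account": "bkim",       "owner": "e101", "last_login": date(2016, 2, 1)},   # unused for months
    {"account": "mlee",       "owner": "e102", "last_login": date(2016, 8, 31)},
]
ROLE_ASSIGNMENTS = {
    "jdoe": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT", "READ_REPORTS"},
    "bkim": {"AP_CREATE_VENDOR"},
    "mlee": {"CHANGE_REQUESTOR", "READ_REPORTS"},
    "svc_backup": {"BACKUP_OPERATOR"},
}
# Conflicting role pairs (assumed SoD policy): one person must not hold both
SOD_CONFLICTS = [
    ("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"),
    ("CHANGE_REQUESTOR", "CHANGE_APPROVER"),
]


def orphaned_accounts(accounts, hr_active, as_of, dormant_days=90):
    """Map account -> reason for every account with no valid, active, recently used owner."""
    findings = {}
    for a in accounts:
        idle = (as_of - a["last_login"]).days
        if a["owner"] is None:
            findings[a["account"]] = "no owner on record"
        elif a["owner"] not in hr_active:
            findings[a["account"]] = f"owner {a['owner']} not active in HR"
        elif idle > dormant_days:
            findings[a["account"]] = f"dormant for {idle} days"
    return findings


def sod_violations(assignments, conflicts):
    """Sorted (account, role_a, role_b) tuples where one account holds a conflicting pair."""
    hits = []
    for account, roles in assignments.items():
        for left, right in conflicts:
            if left in roles and right in roles:
                hits.append((account, left, right))
    return sorted(hits)


if __name__ == "__main__":
    today = date(2016, 8, 31)                     # assumed review date
    for account, reason in orphaned_accounts(ACCOUNTS, HR_ACTIVE, today).items():
        print(f"orphan  {account:12} {reason}")
    for account, left, right in sod_violations(ROLE_ASSIGNMENTS, SOD_CONFLICTS):
        print(f"sod     {account:12} holds both {left} and {right}")
```

The point of running these as code rather than as a periodic manual review is that the HR join is what makes the orphan check trustworthy: an account list on its own cannot tell a departed employee’s account from an active one. The same join is the input a certification campaign needs, so poorly defined certification (sign two in the list) usually shows up as an HR feed nobody has wired in.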
New data breach notification standards should be flexible, adaptive, ITAC says
As Innovation Science and Economic Development Canada (ISED) prepares to release a second version of the country’s new data breach notification standards this fall, the Information Technology Association of Canada (ITAC) hopes the latest proposed regulations will take a flexible, outcome-based approach, while also providing a grace period to give businesses time to adjust.
“We want there to be an appropriate balance between the need to protect Canadians by notifying them of data breaches, and the costs and challenges sometimes faced by businesses in doing so,” ITAC senior director David Messer tells ITBusiness.ca.
Since 2015, data breaches have been governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), a law passed in 1998 to regulate how non-government organizations (excluding charities and not-for-profits) were allowed to collect, use, disclose, and dispose of personal data.
Canada’s current privacy commissioner, Daniel Therrien, has expressed concern that federal privacy laws including PIPEDA haven’t kept up with technology.
Fortunately, ISED has been developing new data breach notification standards since last June, and released a draft version in March 2016.
In contrast to the privacy commissioner, ITAC is comfortable with PIPEDA’s current notification requirements, Messer says, though it also supports the introduction of new data breach notification regulations.
ITAC also believes that whatever it chooses to do, the federal government needs to help facilitate its new data breach reporting laws – by introducing accreditation and support programs to help businesses make sense of the cybersecurity landscape, for example, so that meeting the new requirements is as painless as possible, Messer says.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5068a52aa6&e=20056c7556
McCaskill wants military to fight cybersecurity brain drain
U.S. Sen. Claire McCaskill says the military needs to be more aggressive in attracting and recruiting qualified people for cyber security operations.
Speaking to reporters after the briefing, McCaskill said cyber security experts could often make much more money working in the private sector.
That’s why it may make sense to create incentives for active duty personnel to eventually join the National Guard.
Another thing McCaskill heard from Missouri National Guard personnel is how a cyber unit member almost had to leave because of physical fitness requirements.
“I think the example they gave of one of the most crucial members of this team almost having to leave the team because he couldn’t do enough sit ups,” McCaskill said. “That doesn’t make sense to me.
I understand it in a conventional military culture that having that physical capability is very, very important.
But if you’re part of an elite team that is working in a cyberspace where we are trying to go toe-to-toe with people who have no constitutions they have to respect and have no rules they have to obey, we’ve got to get the best and the brightest in this space.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7956b0a35f&e=20056c7556
Study Shows 137 Percent Spike In Fraud Attacks Over The Past Four Quarters
BOSTON–(EON: Enhanced Online News)–Fraudsters have been causing problems for retailers over the past four quarters, leading to a 137 percent jump in fraud attacks and affecting $7 out of every $100 made in retail sales, according to the latest PYMNTS.com Global Fraud Attack Index.
The collaborative study with Forter measures the rate of fraud attempts made on U.S. online merchants and how that changes over time, and examines the types, sources and geography of fraud attacks.
The study also quantifies the potential cost to merchants, left unchecked, of these attempts based on attack amounts and how these amounts are trending over time.
There was a significant increase in the rate of fraud attacks throughout 2015 and the first quarter of this year.
Typically, fraud rates decrease in the fourth quarter each year due to the high volume of transactions made during the holiday season before increasing in the first quarter of the following year when transactional volume drops, according to the Index.
However, that was not the case late last year into the first quarter of this year.
The majority of industries saw increased fraud attacks, with digital goods seeing a 186 percent spike, followed by food and beverages with a 116 percent jump.
One industry, clothing, saw fraud attacks diminish by 19 percent.
For every 1,000 transactions made in the first quarter this year, there were 34 fraud attacks, compared to 15 per 1,000 during the second quarter of 2015, which represents a 126 percent increase.
Additionally, the fraud attack rate rose from quarter to quarter, increasing 11 percent between the third quarter of last year to the fourth quarter of 2015 and 26 percent from Q4 2015 to Q1 2016.
Some of the other highlights from the study include:
• Fraud attacks in the U.S. are up more than 10 percent since the liability shift in October 2015.
• More and more fraudsters are utilizing botnets. 83 percent of fraud attacks now deploy the networks of infected computers.
• In the U.S., fraud attacks have increased 26 percent since the October 2015 liability shift.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=57c3371a60&e=20056c7556
Cyber security should be expanded to other departments other than IT: CII-KPMG report
Titled ‘De-risking India in the new age of technology,’ the paper launched at the second CII National Risk Summit 2016 in Mumbai suggested that cyber security has started gaining visibility at the top level and is now an essential part of boardroom discussions.
“Well-orchestrated risk management practices help organizations deliver sustainable results by keeping pace with changes in client behavior, staying ahead of competition, identifying emerging technology trends and business model changes early,” added Suresh Senapaty, Chairman, CII National Risk Summit 2016.
Regulators are increasingly holding board members and senior executives of a company accountable for c