Security News Curated from across the world
Alan Paller, director of research for the Sans Institute, a computer-security training organization, said that the reason more vulnerabilities were being found was that it was becoming increasingly profitable for crooks to target the software.
http://www.news.com/Study-Huge-jump-in-Microsoft-flaws-since-last-year/2100-1002_3-6220719.html?tag=nefd.top
“A few years ago, you wouldn’t have a marketing officer concerned with a data breach. That was an IT problem. Nowadays all the execs around a boardroom table are concerned about it,” John Dasher, director of product management for PGP told InternetNews.com. “If I’m a marketing officer, the last thing I want to do is spend marketing money doing brand damage repair because of a breach.”
The report, called “The 2007 Annual Study: Cost of a Data Breach,” comes from a detailed analysis of 35 data breach incidents involving fewer than 4,000 records to more than 125,000 records.
The TJX breach, initially believed to be a small deal, has grown enormously expensive for the retailer. TJX in August announced it would take a $118 million charge related to the costs and potential liability resulting from the theft of more than 45 million credit and debit accounts. “This is one of the first widely publicized examples of how a data breach can affect you, your shareholders, and your stock price,” said Dasher. But Peter Firstbrook, security research analyst for Gartner, disputes this scale of impact. “How do they know how much revenue would have accrued before the breach? Our research shows that most consumers do not actually change business after a breach. Check out TJMax’s sales before and after their incident,” he said in an e-mail to InternetNews.com. Firstbrook appears to make a valid point. TJX may have gotten a black eye but sales rose 8 percent in the third quarter of 2007 compared to the same quarter last year, and the company plans to add more than 1,000 new stores in the next few years.
The report also claims that the average total per-incident costs in 2007 were $6.3 million, a 31 percent increase from the 2006 average per-incident cost of $4.8 million. On the bright side, if there is such a thing, the cost of notification fell 40 percent because firms got better at notifying their customers when a breach occurred.
One of the biggest vulnerabilities is found when data is stored, disseminated and shared with third parties. Outsourcers, contractors, consultants and business partners accounted for 40 percent of breaches, up from 29 percent in 2006. External breaches also cost more, averaging $231 compared to $171 per record.
The Real Point Of Vulnerability?
While outsourcing and third parties are a weakness, the notion of the nefarious hacker sniffing traffic coming into Amazon and Overstock may be overblown. Instead, it’s brick-and-mortar retail outlets like TJX stores that are the weak link. This past Sunday, the TV news magazine 60 Minutes showed how many retail outlets don’t secure the wireless networks of their stores. Sitting in a car with some computer experts with a laptop, correspondent Leslie Stahl showed how easy it was to pick up on wireless transmissions in the stores. “It makes sense because companies like Amazon that are born and bred of technology have a good security model from the beginning,” said Dasher. “A lot of brick-and-mortar companies don’t have this. They have conflicting setups. Some of them are still using a DOS-based point-of-sale system.” This disparity may prove retail’s real challenge compared to its online counterparts. Beyond the convenience and the chance to avoid paying sales tax, if an Amazon purchase is viewed as safer than an in-store purchase, it poses a real problem for traditional retail stores. “Retail is going to have to spend more effort on this issue, but it may prove harder for them,” Dasher said. “[Retailers] are starting off with a poorer hand they have been dealt with, since many of them use a custom point-of-sale system, so they can’t bolt on a quick aftermarket security fix.”
For some financial services firms, security breaches can often be the unfortunate result of living in the past. Many firms come from a background of mainframes connected via leased lines, so they have a history of doing insecure transactions over secured networks. With the advent of the Internet, they now have to do secure transactions over a very insecure network. “So it’s not surprising they may have had a false sense of security over their position,” said Dasher. Firstbook thinks more emphasis needs to be placed on the human element rather than focusing on the security products sold by the two companies that sponsored the report. “Besides technology, minimizing the risk of data breaches will involve lots of manual processes like data identification and classification data clean up and changes to procedures—as well as a health dose of user education,” he said. “Some technologies can help but they are not solutions.”
http://www.internetnews.com/ent-news/article.php/3713261
“Vulnerabilities on the client side have exploded over the last year,” says Rohit Dhamankar, senior manager of security research at TippingPoint and project manager for the SANS study.
One of the most critical vulnerabilities to computer security is “gullible, busy, accommodating computer users — including executives, IT staff, and others with privileged access — who follow false instructions provided in spear phishing emails, leading to empty bank accounts, compromise of major military systems around the world, compromise of government contractors, industrial espionage, and much more,” the report states.
The number three vulnerability on this year’s list is “critical vulnerabilities in software on personal computers inside and outside enterprises (client-side vulnerabilities) allowing these systems to be turned into zombies and recruited into botnets — and also allowing them to be used as back doors for stealing information from and taking over servers inside large organizations.”
Enterprises may not be able to solve these two problems entirely, but they can reduce the risk by limiting administrative privileges and restricting users’ ability to download and install applications, SANS says.
As it did last year, SANS put Microsoft Windows vulnerabilities among the most serious on the list, but it is home-grown applications that present the greatest threat, according to the report.
http://www.darkreading.com/document.asp?doc_id=139984&WT.svl=news1_4
Several hundred attendees, ranging from established tech players to upstarts hoping to carve out a niche in this booming space, came in search of new ideas, potential business partners and maybe even a little validation of their emerging Web 2.0 strategies.
“What’s clear to me as I look out into this room is that I’m looking at the future of the software industry,” Donald Proctor, senior vice president of Cisco’s collaboration software group, said during his keynote address kicking off the conference.
Unified communications—the cobbling together of instant messaging, Web conferencing, e-mail, desk phones, mobile phones, blogs and all the other tools employees and businesses use to communicate into one central location or platform—and collaboration—the tools and processes needed for meaningful productivity—have replaced customer relationship management (CRM) (define) as the markets of choice for the SaaS crowd. That’s partly because those applications lend themselves so well to a browser-based distribution model and partly because they’re precisely the type of applications employees and companies need to manage their data and business processes online.
Cisco CEO John Chambers, during a conference call Wednesday with analysts following the company’s first-quarter earnings report, couldn’t have been more clear when he repeatedly said unified communications and collaboration will not only be the key to Cisco’s growth in the next 10 years but will “drive the next wave of productivity around the world.”
Cisco isn’t the only company that’s caught on this tectonic shift in communications. “It’s enabling people to collaborate on documents that matter,” said Erik Larson, director of marketing and product management for Adobe’s business productivity unit. Larson said boundaries such as time and physical locations or technology platforms and disparate browsers have impeded productivity for years.
http://www.internetnews.com/ent-news/article.php/3710121
The council noted that Visa created the standard to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 and PIN data, and support compliance with the PCI DSS.
PCI data security standards: Don’t blame PCI DSS for TJX troubles, IT pros say: Data breaches at TJX and elsewhere have some questioning the effectiveness of PCI DSS, but others say the real problem is how companies approach the guidelines. Banks neglect responsibility for data breaches, some say: TJX has become the poster child for bad data behavior, but some believe the bank and credit card companies aren’t accepting enough responsibility for the data breach epidemic.
The addition of PA-DSS comes as merchants fight for more control over the data they store and as attackers target Web applications with growing zeal.
Last month the National Retail Federation (NRF) sent a letter to the Payment Card Industry (PCI) Security Standards Council asking for changes in how the credit card industry requires merchants to store credit card data.
NRF Chief Information Officer David Hogan wrote that retailers should not have to store credit card numbers because doing so increases the risk that hackers will try to steal the information.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1281251,00.html
Bananas.com was caught off guard last year. The musical instrument sales site suffered a data breach that was followed swiftly by a double whammy of consequences. Because its own resources were limited, Bananas referred victims to large credit-reporting agencies to monitor for subsequent financial damage from the breach. Despite its efforts, Bananas apparently failed to meet all the various state notification requirements and was subsequently slammed with fines and fees by major credit companies. The Bananas experience provides a hint of the turmoil a company can face as it tries to cope with disclosure requirements in the wake of a data breach.
With no imminent legislative relief in sight, corporations sometimes resort to blanketing customers with notifications after a breach — lobbing disclosures even in those states that don’t require them, simply to cover all bases. But this practice can have “unintended detrimental consequences,” says Robert Scott, managing partner at the Dallas office of Scott & Scott LLP, a law and IT services firm.
Studies have shown that most customers would take their business elsewhere if they received two or more security breach notices, says Scott. “When faced with a security incident, businesses should carefully determine who has been impacted, review their breach notification laws in the relevant states, and devise a breach notification strategy that satisfies the legal obligations and properly notifies affected consumers,” he says. Others are stepping up encryption efforts, since many states don’t force companies to disclose security incidents if the compromised data was encrypted.
In large companies, disclosure activity often involves multiple jurisdictions, such as the offices of the chief auditor, the chief compliance officer, the chief privacy officer and the chief technology officer or the CIO, says Joseph RosemÂbaum, a partner at New York law firm Reed Smith LLP.
“Where responsibilities are partitioned across a diverse set of functions, each office may have the ability to provide greater focus on individual issues, but the challenge of coordination across multiple disciplines is more difficult,” Rosembaum notes. Moreover, it takes corporate vigilance to keep pace with so many differences in state disclosure laws — variations that start with notification triggers. “For some states, any breach that compromises the security or confidentiality of covered personal information triggers the obligation to notify the affected individuals,” notes Thomas Smedinghoff, a partner at Chicago law firm Wildman, Harrold.
For example, although one state might allow exemptions for compromises of encrypted data, “another state without such an exception would require a notice, even though the data was unreadable,” says Geoff Gray, a privacy and data security consultant at the Cyber Security Industry Alliance in Arlington, Va.
And as Bananas.com learned, the high cost of notification compliance doesn’t stop with the resources it takes to coordinate a response and alert customers. “We expanded upon legislation that only existed at the time in California and opted to make nationwide notification of potentially affected consumers, without any state or federal law requiring us to do so,” says Christopher Cwalina, ChoicePoint’s assistant general counsel and vice president for compliance.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=304931&source=NLT_AM&nlid=1