CyberSecurity Institute

Security News Curated from across the world

Category: Statistics

Internal IT Threats in Europe 2006

Posted on April 17, 2007 (December 30, 2021) by admini

Key conclusions
– Europe’s IT professionals overwhelmingly indicate (78%) that data theft represents the primary information security threat – more significant than either viruses or hacker infiltration
– Of all possible results of compromised information security, the threat of leakage of confidential information is keeping more members of the IT department (93%) awake at night than any other
– Europe’s primary data leakage channels are identified as portable storage devices, e-mail, and Internet-based channels such as web-mail and forums
– Only 11% of those surveyed were confident their company’s information security had not been breached over the last year – a figure which closely mirrors the number of companies with anti-leakage solutions in place – with 42% admitting to between 1-5 breaches and 37% unable to say with certainty that no breach had occurred
– The lack of industry standards is highlighted as the primary obstacle (42%) to wider implementation of anti-leakage technologies
– Perceived solutions include the deployment of comprehensive anti-leakage software, the implementation of appropriate organizational measures – such as clear and consistent internal security policies – controls on external network access, and raising staff awareness and discipline through training.

http://www.viruslist.com/en/analysis?pubid=204791935

Top 10 Internet Crimes of 2006

Posted on April 17, 2007 (December 30, 2021) by admini

More interesting are those areas with the highest per capita rate of perps: the District of Columbia, Nevada, New York, Tennessee, Maine, and Florida.

http://www.usnews.com/usnews/news/badguys/070416/top_10_internet_crimes_of_2006.htm

Skype and Corporate Network Security

Posted on April 4, 2007 (December 30, 2021) by admini

For example, internal information thieves can steal vital data using Skype. Meanwhile, there is no shortage of examples of hackers probing Skype for vulnerabilities.

Date: Vulnerability
– Nov. 2004: Having uncovered a hole, a hacker was able to gain complete control over a user’s computer by means of overloading Skype’s buffer.
– Apr. 2005: Skype did not always erase access rights promptly. As a result, ill-intentioned people could replace original attachments with modified ones using previously established authorization.
– Oct. 2005: A hole was discovered which could be used to induce an overloaded buffer error on the victim’s machine resulting in access to the system.
– Oct. 2005: A breach in Skype allowed a denial-of-service attack on a remote computer.
– May 2006: A new breach facilitated the theft of files from a user’s machine. However, for this to work it was necessary to send the victim specially formed packets provoking an abnormal program termination.
– Dec. 2006: A worm was found to be spread across several countries, infecting workstations which had Skype installed in chat mode.

The present research is the first Russian study into risk-free Skype use on corporate networks.
– To assess anxiety among IT and IS specialists regarding the use of Skype on company intranets.
– To identify additional IS threats which add to such fears.
– To pinpoint the source of these risks.

Key conclusions
Skype is the clear leader among VoIP products. Almost half of those surveyed (46.8%) use Skype. If one removes those without any form of VoIP, then Skype takes 64.9%.

The risk of a leak of confidential information is the greatest threat (55.6%) for a corporate network which has Skype. Skype itself cannot seriously be blamed for these additional risks. The core problem is with the human factor (44.6%) rather than with faults in the program. Despite this, almost two-thirds of those surveyed (66.4%) incline to the view that the threats which attend the introduction of Skype into the corporate environment are a serious obstacle to the program’s wider acceptance. Only one-third of specialists (33.7%) felt that IS problems would not prevent the program’s wider acceptance among companies.

Research methodology and survey participant profile
This research was conducted by InfoWatch’s analysis center between 15th and 30th of January, 2007. Survey participants submitted their answers via an online form with 1242 people taking part. Statistical processing and results analysis were carried out by InfoWatch’s analysis center. Percentages are rounded off to the nearest one-tenth of one percent. In the case of some answers, the total percentages exceed 100% due to the use of multiple choice questions.

– IS specialists: 37.1%
– System administrators: 34.3%
– Users: 28.6%
This means that around 71.1% of those surveyed are IT professionals. We should mention that slightly over a third of specialists surveyed (27.9%) had no VoIP service on their intranets at all.

The greatest risk — according to 55.6% of those surveyed — is the leakage of confidential information. In other words, more than half the specialists felt that as a result of using Skype, confidential corporate information could leak out.

The research concludes that the threat of a leak of confidential information is twice as likely (55.6% as opposed to 29%) as a hacker attack on intranet resources.

On top of this, as with the majority of software products, VoIP client programs have vulnerabilities which, theoretically, may be exploited. The most likely explanation is that fear has its roots in past dangers from hacker break-in.

Clearly, apart from factors connected with the Skype program itself, vulnerabilities can arise due to other causes, such as faults in a given piece of software or malignant intent or lack of discipline among users, etc. VoIP is beneficial and convenient, but to prevent the occurrence of the nightmare scenario — the loss of confidential information — companies need to protect their data in the same way as they protect against theft via e-mail, the Internet, printers or USB data-storage devices. Thirdly, there is the issue of copying valuable data to the clipboard then pasting it into the chat facility which Skype supports.

http://www.viruslist.com/en/analysis?pubid=204791933

Forget hackers; companies responsible for most data breaches, study says

Posted on March 14, 2007 (December 30, 2021) by admini

“What this shows is that a surprising number of incidents actually involve corporate mismanagement more than hackers,” said Philip Howard, assistant professor of communication at the University of Washington and co-author of the report.

A report released last week by the IT Policy Compliance Group showed that human error is the overwhelming cause of losses of sensitive data — contributing to 75% of all occurrences, while malicious hacking activity contributed to just 20% of data losses. According to that report, the primary channels for data loss involve laptops and mobile devices as well as e-mail and instant messages. Even in incidents that were publicly blamed on external hackers, the reality is a bit more nuanced, Howard said.

When it comes to just the volume of compromised records, though, external hackers accounted for some 45% of breached records, while 27% came from internal errors and 28% remained unattributed, Howard said. The university study also showed that there were more reported incidents in 2005 and 2006 — 424 — than the previous 25 years combined, when there were 126. But that’s likely because of breach-disclosure laws in California and several other states that require companies to notify consumers of incidents involving the potential compromise of their data, he said.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9013142&source=NLT_AM&nlid=1

McAfee maps malware risk domains

Posted on March 13, 2007 (December 30, 2021) by admini

The survey – which aims to provide a guide book of the net’s most dangerous top level domains – also looked at generic top level domains. Some web activities, like registering at a site or downloading a file, are significantly more risky when done at certain domains.

http://www.theregister.co.uk/2007/03/12/malware_atlas/

Global Data Leakage Survey 2006

Posted on February 16, 2007 (December 30, 2021) by admini

The goal was to analyze all leaks of confidential or personal data, cases of employee sabotage or negligence, and any other breach of internal IS which had received at least one mention in the mass media during 2006. The survey is truly global since the analysis includes all internal violations regardless of the geographical location of the particular company or government structures affected by insider sabotage. Thus, all patterns and tendencies revealed in the survey can be equally applied to companies of all industries and countries. This survey is the first global project targeted at the study of breaches of internal IS. In 2004, the InfoWatch analytical center began keeping a database of breach occurrences. This database provided the initial information for the survey.

In addition to financial loss, a company’s reputation is ruined and hundreds of thousands of people face having their identities stolen.

On average, 785,000 people suffered from every leak of private information in 2006. Organizations which allow their employees to use mobile devices are in a high-risk group. The use of mobile devices led to information leaks in half of all breaches (50%); meanwhile, the Internet was used as a medium for leaks in only 12% of cases.

The main threat for a business is a lack of discipline among employees. Negligence led to the overwhelming majority of all leaks (77%) in 2006.

The sources of information leaks
A survey of 145 breaches of internal IS shows that information leaks have a global character.

One cannot point to any area of business or any particular geographical region where companies have rarely or never suffered from the activities of insiders. Small business and giant corporations, commercial organizations and governmental establishments all experienced cases of information leakage in 2006.

Insiders managed to jeopardize the security of such strong and well-protected structures as military and special services. Again, such cases involved mobile devices and the Internet. Often, as a result, top secret information became freely available on the Internet, or ended up in the hands of journalists or foreign states.

It is clear that private companies suffer from twice as many data leaks, cases of sabotage and other breaches as government structures. It often happens that the controlling body is responsible for a breach of internal IS. Thus, we have the problem of lack of control over the controller.

Meanwhile, some cases of information theft from government structures become public. This happens when it is simply impossible to hide the incident, or when it becomes necessary to make a public example of the offender. For instance, for many years the US government kept quiet about breaches of internal IS. But today, news about information leaks and gaps in security systems is commonplace. One of the latest cases reached the news when the US Tax Inspectorate announced in November 2006 that almost 500 laptops had been stolen over the preceding 4 years.

Commercial organizations, on the other hand, do not just experience a lot of data leaks, but also suffer from the huge losses they cause. The company’s reputation and brand image are significantly damaged by such leaks. This problem is as vital for government organizations. In a competitive market, customers can easily switch to a more reliable supplier, but one has no alternative but to engage with one’s own state and its governmental ministries. An example which immediately comes to mind in this regard is the information leak from the US Department of Veterans’ Affairs which occurred in May of that year. Whereas IS specialists may need time to identify such channels, insiders — in most cases — already know exactly what they need to do to steal data.

For instance, laptops with unencrypted data are quite often lost, despite the fact that company security policy requires all information on mobile computers be encrypted.

The biggest information leaks of the year
The five most notorious information leaks of 2006 (see table 1) make 2006 the year with the largest volume of information leaks in history. Burglars got into the house of an employee of the Nationwide Building Society and stole a laptop with the company’s clients’ personal information in unencrypted form.

http://www.viruslist.com/en/analysis?pubid=204791919
