Category: Trends

After a wave of cyber attacks hit a Federal Reserve website, the New York Times and other news outlets, and U.S. banks, President Barack Obama issued an executive order in February to better protect businesses and critical assets, such as pipelines and power grids.

The SEC issued guidance in October 2011 telling companies to disclose cyber attacks or risks if that information is material, meaning it would affect an investor’s willingness to buy, hold, or sell the company’s stock.

“For the sake of investors, the SEC needs to figure out a way of enforcing the appropriate disclosure of material cyber attacks,” said Jacob Olcott, who led a congressional review as counsel to Senator Jay Rockefeller, a West Virginia Democrat, that resulted in the SEC guidance.

Cyber attacks are more likely to be material for some companies than others, Brian Lane, a former SEC corporation finance director, said in an interview.

Almost all of the top 100 U.S. companies by revenue said they rely on technology that may be vulnerable to security breaches, theft of proprietary data and disrupted operations, according to a review of their most recent annual reports.

ConocoPhillips, one of at least six major U.S. and European energy companies reported by Bloomberg to have been breached by China-based hackers beginning in 2009, said in its 2012 annual report no cyber breaches “had a material effect.”

Coca-Cola acknowledged its “information systems are a target of attacks,” in its 10-K and said the disruptions “to date have not had a material effect on our business, financial condition or results of operations.”

If a company doesn’t disclose an attack in an SEC filing that was reported in the news media, “don’t be surprised if we ask you to provide us with a materiality analysis,” Jim Lopez, an SEC branch chief for disclosure operations, said at a Washington conference in February.

While Verizon said in its 2012 10-K the cyber attacks it experienced haven’t been material, the company said the potential costs of a major assault include “expensive incentives” to keep customers, a jump in security spending, lost revenue and damage to the company’s reputation.

Link: http://www.bloomberg.com/news/2013-04-04/cyberattacks-abound-yet-companies-tell-sec-losses-are-few.html

“ICS-CERT encourages asset owners to review their network for these common security gaps and take measures to eliminate known system vulnerabilities,” ICS-CERT wrote.

For some organizations, the network architecture was not well understood, or the administrators were not consistently enforcing remote login policies or controlling incoming and outgoing media.

Along with improperly deployed network devices, the assessment uncovered configuration issues, such as weak testing environments, weak backup and restore capabilities, and poor or limited patch management.

“The assessments also assisted these organizations in identifying and prioritizing their most critical vulnerabilities requiring immediate attention and provided real-time resolutions and recommendations for enhancing their security awareness and defensive posture,” ICS-CERT said.

Link: http://www.securityweek.com/ics-cert-examines-3-years-data-reveal-common-vulnerabilities-critical-asset-owners

Critical data includes the information needed to run network attached infrastructure as well as the intellectual property used to manage business and drive innovative solutions.

We can expect to see a higher risk of business impacting threats with the shift from computer-based attacks, generating large number of lower bandwidth events, to virtual server or cloud-based attacks, generating ultra-high bandwidth events. With these new attack vectors it becomes even more beneficial to identify and mitigate large DDoS events while traffic is in the network cloud.

The List:

1. State-sponsored espionage
2. DDoS attacks
3. Cloud migration
4. Password management
5. Sabotage
6. Botnets
7. Insider threat
8. Mobility
9. Internet
10. Privacy laws 

For more information on the AT&T 2013 Top Security Challenges visit http://www.att.com/ThreatTraq and look for show “Top Security Challenges for 2013 – 12/20/2012” or visit us at www.att.com/security.

Link: http://networkingexchangeblog.att.com/enterprise-business/top-10-security-challenges-for-2013/

U.S. companies with operations in China are weary about cybersecurity and 90 percent of them distrust China’s cloud computing services, according to a new report from a business support lobby in Beijing.

The study was released Friday and conducted in late 2012 by the American Chamber of Commerce in the People’s Republic of China, or AmCham China, a nonprofit organization that advocates for U.S. companies and individuals doing business in China.

Although the 325 businesses surveyed by the group report high margins and expect business activity in China to grow, 26 percent of them say their proprietary data and trade secrets have been compromised by hackers.

.”Data security is clearly top of mind for member companies,” Greg Gilligan, chairman of AmCham China, said. “Over a quarter reported that proprietary data or trade secrets had been breached or stolen from their China operations. Over 40 percent stated that the risk of a data breach to their China operations is increasing…. This poses a substantial obstacle for business in China, especially when considered alongside the concerns over IPR [intellectual property rights] enforcement and de facto technology transfer requirements,” the chamber said.

Link: http://www.ibtimes.com/us-companies-china-distrust-cybersecurity-efforts-claim-data-breaches-1161119

A six-by-eight-foot miniature city, CyberCity features a SCADA-controlled power grid, traffic system, trains, a military base and more, all of which can be hacked and defended in cyberspace similar to a real city. When asked by an audience member whether any significant vulnerabilities were found in the CyberCity hospital, Skoudis offered a stark reminder of the insecure state of the nation’s health care infrastructure.

Attackers, whether they are nation-state actors or run-of-the-mill cybercriminals, are increasingly trying to hide their trails by purposefully inserting code that mimics other attackers.

Or sophisticated malicious hackers may purposefully insert what may be considered rudimentary mistakes into their malcode just so forensics experts won’t think to attribute an attack to them.

Now, Skoudis said, attackers are able to target the exact data they want through the use of forensics tools, with the added benefit that it reduces the noise in the network so they’re less likely to be noticed. “Offensive forensics is taking forensics techniques, analyzing in-depth file systems and memory and combing through it, looking for the needle in the haystack,” he said.

The ultimate point driven home by Skoudis and Ullrich was that defending industrial control systems and financial institutions should be an absolute priority, though the track record of the security industry doesn’t provide much comfort for those concerned about these matters.

Link: http://searchsecurity.techtarget.com/news/2240178966/Emerging-threats-include-kinetic-attack-offensive-forensics-RSA-2013?utm_medium=EM&asrc=EM_ERU_20845656&utm_campaign=20130305_ERU%20Transmission%20for%2003/05/2013%20(UserUniverse:%20635547)_myka-reports@techtarget.com&utm_source=ERU&src=5111753

HTTP proxy, used both as a security component and to evade controls, exhibited the 7th highest volume of malware logs.

René Bonvanie, chief marketing officer at Palo Alto Networks, said: “Correlating threats with specific applications allows security teams to directly see and control risks in their networks.”

Matt Keil, senior research analyst at Palo Alto Networks and author of the report said:”The volume of exploits targeting business critical applications was stunning and serves as a data centre security wake-up call. These threats will continue to afflict organisations until they isolate and protect their business applications by bringing threat prevention deeper into the network.”

Custom or unknown applications are defined as either TCP or UDP based applications that are custom (internal to the organization), unrecognised commercially available, or a threat.

Link: http://www.iwr.co.uk/information-management-and-technology/3011498/Fresh-evidence-on-IT-security-threat