Category: Trends

Targeted attacks have grown more sophisticated, with evidence that cybercriminals are pursuing not only commercial organizations, but also government and infrastructure targets. Moreover, with the growing use of fraudulent and/or stolen digital certificates, these attacks have become more successful and evasive.

The exploit kit market has shifted dramatically toward the Blackhole exploit kit, which has the capability to update frequently and rapidly to take advantage of application vulnerabilities.

Even though there has been a precipitous drop in spam volumes, more spam messages are likely to contain malicious links or attachments.

There has been a significant increase in fraud and malware proliferation using social networks as a conduit. While targeted attacks are not new, the serious growth in incidents during the second half of 2011 is real cause for concern, not just for companies but for entire countries.

According to the report, targeted attacks became sophisticated and pursued a wider range of organizations, including commercial, national critical infrastructure and military targets.

One of the new attack vectors researchers identified is the use of fraudulent digital certificates. The report indicates the DigiNotar intrusion resulted in the “fraudulent issuance of hundreds of digital certificates for a number of domains, including Google, Yahoo!, Facebook, and even for some intelligence agencies, such as the CIA, the British MI6 and the Israeli Mossad.”

M86 Security stresses that organizations must plan and deploy a multi-layered security policy to minimize risks of a successful targeted attack. The exploits monitored during the second half of the year targeted a variety of products, including Microsoft Internet Explorer, Oracle Java, Microsoft Office products and, quite commonly, Adobe Reader and Adobe Flash.

What’s really astonishing is that some of the top vulnerabilities that criminals continue to exploit have not only been known for years, but fixes have also been available for years. For example, M86 found that the most exploited Web-based vulnerability is Microsoft Internet Explorer RDS ActiveX, which was both discovered and patched in 2006. Here we are, six years later, and this vulnerability still affects 17.7% of the pages that contain Web exploits as observed by M86 Secure Web Gateway.

The M86 report states the obvious: “Many users and organizations do not patch all their installed software in a timely manner, and attackers leverage this weakness to their advantage.”

The report also indicates that exploits shifted focus from malicious attachments to malicious links that led to exploit kits, in particular, the Blackhole exploit kit.

There’s good news and bad news in the spam observations. By the end of 2011, 5% to 10% of all spam contained links or attachments which redirected users to malicious or compromised sites that delivered a malware payload.

A troubling trend is cybercriminals exploiting the popularity of social media and the apparent blind trust of the users by duping them with fake (and infected) notification messages to “Friend Me” on Facebook or inviting them to join a LinkedIn network. For instance, a campaign last August led people to a fake Facebook login page and ultimately to the Blackhole exploit kit and a Zbot Trojan.

Source: http://www.networkworld.com/newsletters/techexec/2012/021012bestpractices.html

However, despite the growing need for preventing these sorts of attacks, actual spending and preparedness in the area is nonexistent. A recent survey by Bloomberg of network managers at 21 energy companies, found that these firms only spend an average of $45.8 million a year on IT security. … However, analysts estimate that to prevent 95% of all attacks, it would take an average annual budget of $344.6 million per company.

To put that into context, the U.S.’s largest utility, Southern Company (NYSE:SO), only made around $277 million in profit last year. Nationwide, the U.S. would need to spend a total of $46.6 billion to prevent 95% of all attacks. Given how vital our infrastructure is to national security and under-funded nature of the sector, cybersecurity will undoubtedly get a larger share of the shrinking defense budget.

With cyber threats continuing to mount and the reliance on computer networks growing, adding an IT security component to a portfolio makes sense. Both the PowerShares Aerospace & Defense (ARCA:PPA) and iShares Dow Jones US Aerospace (ARCA:ITA) follow some of the largest defense contractors and could be used as proxy for the defense sector.

Communications defense contractor Harris (NYSE:HRS) has been increasing its security offerings in the space and could be great way to play the need for secured data systems.

http://stocks.investopedia.com/stock-analysis/2012/Cybersecurity-Is-The-Way-To-Play-Defense-Spending-SO-ITA-PPA-PCP0209.aspx?partner=YahooSA#axzz1lzqFqWJl

However, despite the growing need for preventing these sorts of attacks, actual spending and preparedness in the area is nonexistent. A recent survey by Bloomberg of network managers at 21 energy companies, found that these firms only spend an average of $45.8 million a year on IT security. … However, analysts estimate that to prevent 95% of all attacks, it would take an average annual budget of $344.6 million per company.

To put that into context, the U.S.’s largest utility, Southern Company (NYSE:SO), only made around $277 million in profit last year. Nationwide, the U.S. would need to spend a total of $46.6 billion to prevent 95% of all attacks. Given how vital our infrastructure is to national security and under-funded nature of the sector, cybersecurity will undoubtedly get a larger share of the shrinking defense budget.

With cyber threats continuing to mount and the reliance on computer networks growing, adding an IT security component to a portfolio makes sense. Both the PowerShares Aerospace & Defense (ARCA:PPA) and iShares Dow Jones US Aerospace (ARCA:ITA) follow some of the largest defense contractors and could be used as proxy for the defense sector.

Communications defense contractor Harris (NYSE:HRS) has been increasing its security offerings in the space and could be great way to play the need for secured data systems.

http://stocks.investopedia.com/stock-analysis/2012/Cybersecurity-Is-The-Way-To-Play-Defense-Spending-SO-ITA-PPA-PCP0209.aspx?partner=YahooSA#axzz1lzqFqWJl

The survey also found that remote and home working has increased almost across the board, with 85% of organisations saying in had increased and 15% saying it had stayed the same. 92% of those quested stated that if affordable, and data security was assured, they would extend mobile working to more employees. … Just over a third of organisations (38%) allow people to work from home using their own equipment via a secure connection, and 85% provide a council issued laptop for accessing the network.

Now nine out of ten councils are using VPN, port control and strong passwords, and just over eight out of ten are using encryption and other technologies such as thin client solutions like Citrix and terminal services.

The Insider Threat was by far the biggest concern for security officers with 54% of those questioned expressing concerns about controlling how people accessed and used data, and enforcing security policies, and 15% worried about maintaining security while costs were being cut. Just under a third of organisations expect to reduce spending on security, with just under half expecting it to stay the same. 70% of those interviewed expect the overall IT budget to be reduced in the next year with only 15% saying it will stay unchanged.

Marc Hocking, Chief Technology Officer at Becrypt said, “As the Government continues to drive cost cutting measures in the coming years, Becrypt believes that we will see more and more public sector staff working from home and hot desking.

http://www.prlog.org/11447525-data-security-moves-up-the-agenda-is-now-seen-as-important-as-cost-savings-within-the-public-sect.html