CyberSecurity Institute

Too often overlooked, many analysts argue, are savvy “synthetic” fraud schemes that frequently don’t directly victimize individual consumers.

By some estimates, this accounts for three-quarters of the money stolen by identity crooks. “There’s a lot of fraud that is not being identified as fraud, not being measured accurately,” said Anne Wallace, executive director of the Identity Theft Assistance Center, an industry-funded group that helps victims resolve fraud problems for free.

To understand the risks we really face, it’s worth analyzing the statistics. Multiple surveys have found that around 20 percent of Americans say they have been beset by identity theft. The Identity Theft and Assumption Deterrence Act of 1998 defines it as the illegal use of someone’s “means of identification”–including a credit card. So if you lose your card and someone else uses it to buy a candy bar, technically you have been the victim of identity theft.

In both cases, the survey didn’t ask whether a faulty memory or a family member–rather than a shadowy criminal–turned out to be to be the culprit.

When Chubb’s report asked whether people had suffered the huge headache of finding that someone else had taken out loans in their name, 2.4 percent–one in 41 people–said yes.

So what about the claim that 10 million Americans are hit every year, a number often used to pitch credit monitoring services? Perhaps some people decide that raising a stink over a wrongful charge isn’t worth the trouble. Even so, the finding made the overall validity of the data seem questionable to Fred Cate, an Indiana University law professor who specializes in privacy and security issues. After all, identity theft remains widespread even by conservative measurements. And companies that handle our personal information still could go to greater lengths to protect it–often simply by encrypting their files.

http://www.securitypipeline.com/news/173602995

Hackers are on a pace to deploy a record-setting 6,191 different keyloggers in 2005, a 65 percent boost from the 3,753 keyloggers released in 2004, said iDefense.

A keylogger-based theft of 220 million pounds ($382 million) from the London offices of the Japanese bank Sumitomo Mitsui was foiled in March, while in August, researchers at Sunbelt Software stumbled on an offshore server jammed with information — including usernames, passwords, telephone numbers, credit card and bank account numbers — stolen with a keylogger.

“Everybody knows about viruses and worms, but the threat of the unknown is the greatest threat we face,” said Dunham.

http://www.securitypipeline.com/news/174300038

“We’ve made significant progress in reducing the window of exposure,” said Eschelbeck, noting that the half-life for a critical vulnerability on an externally-facing computer is now 19 days, down from 2004’s 21. In large part, that’s due to the perception, rightly deserved, that the risk on external machines is higher.”

“Automated attacks [now] create 85 percent of their damage within the first 15 days from the outbreak,” said Eschelbeck. Last year, he reported that 80 percent of the damage was done in the first 42 days.

According to Eschelbeck’s data, patches released on a predefined schedule — monthly or quarterly — are deployed 18 percent faster than those for vulnerabilities whose fixes are released ad hoc.

“It seems a predictive schedule makes it easier to organize and plan and put together resources for patching, rather than scramble when a patch suddenly appears.” That finding should sit well with Microsoft, one of the first major developers to go to a regular release schedule.

Among his other conclusions, Eschelbeck downplayed concern over wireless security, saying that the problem is really overrated. “People think that wireless is such a big exposure point for networks, and that’s it’s a real problem, but only 1 in 18,220 critical vulnerabilities is caused by a wireless access point.” “By reducing it another 20 percent, we can make networks even more secure.”

In addition, with an increasing number of critical vulnerabilities, enterprises need to look harder at prioritizing their patching. The Common Vulnerability Scoring System (CVSS), which was designed by several technology companies, including Cisco, eBay, Internet Security Systems, and Qualys, is the primary initiative. “Scoring and prioritization are going to be more important in 2006.

http://www.securitypipeline.com/news/173602790

Though most of the executives surveyed believe that the majority of threats originate from within the organization, 89% identified viruses and worms as their primary security. Nevertheless, they appear optimistic that the risks from these kinds of malicious code can be contained. Only 83% expect viruses and worms to be the primary threat two years from now.

However, there is growing concern about the predations of hackers and crackers. Some 57% of respondents identified hackers and corporate espionage as a top threat, double what it was two years ago. “The new capabilities of the ubiquitous network are great for commerce, but open a whole new dimension of risk,” AT&T vice president of managed security services Stan Quintana said in a statement. “A multi-layered approach to security is required.”

Indeed, AT&T and EIU report that organizations are willing to put the necessary resources into security to meet the threats. The survey found that network security spending has stabilized at about 15% of IT budgets.

http://www.securitypipeline.com/news/173601939