Security finally climbs up the corporate agenda


NEWS

October 2014

...Continued from front page

...each account holder, were taken along with “internal JPMorgan Chase information relating to such users” that the bank declined to specify. It also claimed that it has “no evidence” that more specific details of bank accounts were compromised and that it has not detected “unusual customer fraud” activity that it can relate to the incident.

However, that’s not to say that the attackers aren’t already using this data for fraudulent activity. “The data taken is a spammer’s gold mine and could be used over a long period of time to drip feed potential victims with phishing, cold calling or targeted malware attacks via email,” said Chris Boyd, malware intelligence analyst at Malwarebytes. “If any of the 76 million affected have had other data leaked in the past, it would be easy for those behind this attack to build up a robust picture of their targets and throw a little social engineering into the mix, making the emails seem less random and the phone calls more persuasive.”

There were reports of JPMorgan and several other banks having been breached back in August, but details were slow to emerge. It would appear that JPMorgan has only now released details because it is obliged to do so by SEC regulations. The New York Times has blamed Russian attackers with links to the Putin regime for attacks against 10 US financial organisations, including the JPMorgan heist. There have been unsubstantiated claims that the attacks were revenge for US sanctions against Russia over the war in Ukraine.

The threat of phishing attacks using this data was underlined by Keith Bird, managing director of Check Point UK. “Attackers will try and trick customers affected by the breach into revealing more details, such as account numbers and passwords,” he said. “For the attackers, it’s just a numbers game, but it could have serious consequences for customers. Phishing emails continue to be the most common source for social engineering attacks.”

Meanwhile, the fact that there have been so many large data breaches over the past year is causing ‘breach fatigue’ to set in among the general public in the US, according to a company called Software Advice. It found that three-quarters of the people it surveyed had already forgotten about major breaches like the one suffered by eBay. Even with recent events, 30% were unaware of the Target breach and 42% didn’t know about Home Depot.

The one sector doing well out of all this is the insurance business. Research by the Ponemon Institute suggests that cyber-insurance – previously rolled into other insurance policies or ignored as unnecessary by many firms – is enjoying something of a boost. In 2013, only 10% of firms held cyber-insurance policies, but a year later this has more than doubled to around 23%. And insurers say the rise is continuing.

Cybercrime becoming more professional

Europol’s European Cybercrime Centre (EC3) has published a report suggesting that cybercrime is becoming increasingly ‘professionalised’.

According to Professor Alan Woodward of the University of Surrey, and co-author of the report: “Modern cybercrime, especially organised crime, is by nature transnational so it is vital that we take an international view of the threat posed by this ever-increasing form of crime.”

The report, the ‘2014 iOCTA (Internet Organised Crime Threat Assessment)’, draws on data from law enforcement agencies across Europe. “Cybercrime is developing to serve a growing dark economy with ‘crime as a service’ where organised gangs can access highly skilled people to enable them to engage law enforcement agencies in an ongoing arms race,” said Woodward. “The report also shows how legitimate technologies are being misappropriated by criminals, as well as ‘traditional crimes’ being enhanced by using emerging technologies.”

The report highlights how cyber-criminals abuse legitimate services and tools such as anonymisation, encryption and virtual currencies. It also notes the abuse of ‘darknets’ to carry out illegal online trading in drugs, weapons, stolen goods, stolen personal and payment card data, forged identity documents and child abuse material. This ‘hidden Internet’ has become a principal driving force in the evolution of cybercrime and represents a highly complex challenge for law enforcement, it says.

Woodward added: “If agencies fail to mobilise to meet the threats highlighted in this report then organised cybercrime will gain the upper hand. However, if agencies work together, across borders, then we can use modern technologies to catch criminals, rather than giving them a platform for ever more innovative forms of crime.”

The report is available here: www.europol.europa.eu/content/organisedcrime-groups-exploiting-hidden-Internet-online-criminal-service-industry.

Security finally climbs up the corporate agenda

Cybercrime and high-profile breaches are finally pushing security to the top of organisations’ business agendas, according to research by Fortinet. Now companies’ boards are putting pressure on IT departments to fix their security issues.

Some 90% of CIOs and CTOs believe the job of keeping their enterprise protected is becoming more challenging, according to the research. And serious boardroom pressure to keep the enterprise secure has jumped almost one-third in the past year, making security paramount and a primary consideration over other business initiatives. Among the IT decision makers (ITDMs) recording the highest boardroom pressure, 63% admit abandoning or delaying at least one new business initiative because of IT security concerns. The figure was still high (53%) across all organisations.

Some 88% of the executives contacted believe that the increasing frequency and complexity of threats and the new demands of emerging technology such as the Internet of Things (IoT) and biometrics pose the biggest challenge to ITDMs to keep their organisations secure. The majority of ITDMs have been provoked into action by rising data privacy concerns (90%) and securing big data initiatives (89%); in the majority of cases this means new IT security investment.

Computer Fraud & Security
