Posts Tagged ‘CyberCrime’

Deal With 2016 Cyber Threats Today

April 10th, 2014 by

The Information Security Forum (ISF) has recently published their forward-looking report on the security threats and cyber landscape of the future ‘Threat Horizon 2016 – on the edge of trust.’

This annual report attempts to identify what the cyber security issues will be in two years’ time and what organisations need to do now to mitigate the possible threats and scenarios they will face.

The forecast doesn’t look good. Heavily influenced by Edward Snowden’s revelations of cyber surveillance by the US government, the Threat Horizon report cites a breakdown in trust between individuals, business and governments.

It also brings in to focus increased cyber risks caused by inadequate cyber defences, a lack of encryption, poorly designed mobile applications and a shortage of skilled cyber security professionals.

The report states that organisations must build cyber resilience now: the ability to defend against cyber attack whilst also having provisions in place should an attack occur.

The threats identified included:

  • Service providers become a key vulnerability: cyber criminals target the supply chain rather than the organisation itself.
  • Big data = big problems: be wary of making strategic decisions based on incomplete data sets.
    • Ensure the organisation has the skills to analyse big data properly and apply it to cyber security issues.
  • Mobile apps become the main route for compromise: cyber criminals target mobile apps as their fast paced development often means a lack of security.
  • Encryption fails: due to the huge increase in processing power combined with poorly designed software.
  • Skills gap becomes a chasm.

The cyber threat landscape won’t wait for you. You need to address 2016 threats now. Developing an enterprise wide cyber resilience strategy is essential for all businesses.

Get started today by downloading our free Green Paper: Cyber Resilience: Cyber Security and Business Resilience

19 Year old wins UK Cyber Security Challenge

March 20th, 2014 by

This week a 19-year-old Cambridge University student, William Shackleton, took the much coveted title of UK Cyber Security Champion. The 12 month contest tasked the 41 finalists with protecting the UK critical infrastructure from cyber attack.

Jointly devised by experts from BT, GCHQ, Lockheed Martin, Juniper Networks and the National Crime Agency, the final event was held this week at the Churchill Cabinet War Rooms.

Finalists were selected over the course of a year in which they had to undertake face-to-face cyber battles. In the final task teams worked together to investigate and stop a simulated attack which first struck on the financial district, then the transport network, utilities and finally a nuclear reactor.

Sounds exactly like the plot of Die Hard 4 doesn’t it! But instead of a bloodied, gun-toting Bruce Willis, William Shackleton was the man to save the day. The Cambridge student, who is having a pretty good year after also just securing an internship on the facebook train, commented:

“It’s a big surprise and a huge honour. I never considered a career in cyber security before taking part in the Challenge but playing their competitions and meeting the industry leaders has shown me there are exciting jobs which need filling.”

There are indeed jobs which need filling in the cyber security industry. In fact the need for talented and skilled cyber security professionals is going to go through the roof (Mr Willis now that action movies are beyond you, you could re-train? Let’s face it, no one wants to see you in another romcom). The reason being that cyber security is now a Board level issue. With stories each week in the media, organisations have finally come to realise that they must act before they become the next victim.

If you don’t have a 19-year old cyber security Jedi in training to help protect your organisation, you might want to consider attending one of our upcoming events. They deal with the issue of addressing cyber security and what measures are appropriate for your business:

ISO 27001 2013 – The global standard for Cyber Security

2nd April – High Wycombe

ISO 27001 2013 and PCI DSS V3 – new Standards in the Global Cyber War

8th May, Churchill War Rooms, London

Both events feature talks from cyber security experts, software and penetration demonstrations, the chance to talk to a consultant (for free) and that all important buffet.

Cyber security is a challenge that you need to tackle.

Learn more about tackling cyber security with IT Governance’s events.

McAfee CTO: Cyber Criminals Target SME’s

February 13th, 2014 by

This week – in an article in the Financial Times – McAfee CTO Mike Fey stated that small businesses have become an easy target for cyber criminals because of their lacklustre approach to cyber defences.

SME’s are often guilty of not keeping software protection up to date, ensuring basic cyber training is given (for example awareness of phishing scams) and identifying risks when new technology (including mobile devices) is brought into the business

Mr Fey also commented on how sophisticated technology was being used not only against large corporations:

“Small- and medium-sized businesses are nice easy targets – and you can attack 2,000 small businesses at once,” he said. “We’re starting to see stuff which may have been built for very sophisticated industries put to all sorts of minor use cases.”

One of the most interesting points that Mr Fey made was the misconception by SME’s that they had nothing cyber criminals wanted. What smaller businesses fail to recognize is that cyber criminals are indiscriminate, using automated technology which exploits vulnerabilities wherever they find them.

It doesn’t matter if you’re Sony, Target or the local flower shop’s website. If a weakness is found criminals will exploit it, whether it’s intellectual property, credit card numbers or access to a larger network (as was the case in the Target breach, which started with a hack of one of their vendors networks).

One final thought. Contrary to what to what you might think hackers and cyber criminals do not require sophisticated skills. On the internet there are freely available hacking toolkits complete with simple instructions and even customer support. If you can read, you can hack. It’s that simple.

The question is, now you know you’re at risk (it’s nothing personal) what are you going to do about it?

The Cyber Security Risk Assessment Tool is an in-expensive (just $100) way of identifying your current levels of cyber security.  It will provide you with a clear idea of your current risks, your exposure and what gaps you need to close.

The Internet of Things – a new cyber crime target

February 10th, 2014 by

As we are entering the era of the Internet of Things (IoT), our homes are becoming increasingly populated by devices that are connected to the Internet in order to share information with each other and the external world more easily. Ranging from smart phones and smart TVs to motor-cars with 4G and Wi-Fi, from automated household appliances to sophisticated business tools, this web – connected smart devices are collectively known as the Internet of Things. According to a Cisco report, it’s predicted that 50 billion objects worldwide will be connected to the internet by 2020.

The benefits that the Internet of Things can bring are numerous, but so are the concerns that it can facilitate cyber attacks. According to a Proofpoint’s report on cyber attacks, cyber criminals are beginning to target home appliances and smart devices. Often these Internet-connected devices have significant implications for device owners. They are easier to hack as they don’t have robust security measures, such as strong passwords, in place so are obviously easier to infiltrate and to infect than PC, laptops or tablets.

Organisations using the Internet of Things can see huge benefits such as greater efficiency, lower costs, improved services, greater accessibility to information, increased employee productivity and higher customer satisfaction. But although there are numerous benefits, organisations face grave risks such as espionage, corporate and personal data breaches, theft of intellectual property, and attacks on infrastructure components because they are more exposed to the internet. It is strongly recommended that manufacturers of smart devices need to start focusing on building more secure tools for organisations and individuals. Organisations should implement robust measures to secure their infrastructures and business information.

According to an ISACA report on how European IT professionals perceive the Internet of Things, 27% stated that the risk outweighed the benefits. 39% of respondents said that increased security threats were seen as the biggest governance issue, followed by data privacy at 26%.

European Internet users are very concerned about cyber security. According to the Eurobarometer report carried out by the European Union in 2013, 28% of Europeans don’t feel safe when simply browsing the Internet and carrying out online transactions. The main fears among European Internet users are that personal information is not kept secure by websites and organisations and that banking information can be stolen and bank accounts hacked while transactions are carried out. 84% use the internet for email access, 50% for commercial transactions and 48% for online banking are Swedish, Dutch and Danish, but they are also the ones who feel more informed about cybercrime and cyber security. In contrast, the Romanians, Hungarians and Portuguese are less likely to use the internet for e-commerce and feel less informed about cybersecurity, and as a result are more concerned.

With a robust Information Security Management System (ISMS) in place, customers and clients will feel more secure when making online transactions, and will build trust towards organisations and experience greater customer satisfaction. IT Governance EU thinks that cyber security training course are necessary for individuals and organisations in countries like Portugal, Hungary and Romania in order to raise awareness of cyber security risks. ISO 27001 ensures organisations are protected from information risks and threats which could otherwise lead to reputational damage, financial repercussions and the loss of assets. The ISO27001 Certified ISMS Foundation Training Course is an introductory training course which raises awareness and builds information security knowledge. To those who need an advanced level of training to deliver information security management to an organisation, we recommend attending the ISO27001 Certified ISMS Lead Implementer Online which is designed to give comprehensive and practical advice for implementing and maintaining the requirements for ISO27001.

We recommend downloading our ISO27001 & Information Security greenpaper overview which gives organisations the foundation to start with their implementation towards a better security.Download our free green paper on information security and ISO27001 >>

IT Governance is a specialist in helping organisations with cyber security, cyber governance and cyber compliance. Find out more about our products and services here.

For more information about IT Governance training courses call us on 00 800 48 484 484 or
email us at servicecentre@itgovernance.eu

Yahoo Mail suffers another cyber attack

January 31st, 2014 by

Have you checked your yahoo account this morning? I suggest you do. Yesterday Yahoo announced that its email service had suffered a cyber attack, resulting in the usernames and passwords of an undisclosed amount of users being compromised.

It’s always fun isn’t it when they don’t tell you how many accounts have been affected. 3? 3,000? 3 million?! (For the record Yahoo has 273 million accounts worldwide). Anyway, best to log in (if you can) and get that password changed. Something like your birthday, password 123 or qwerty should be fine. Sorry I’m being flippant (it sometimes happens on a Friday). It’s just that I discovered this week that 40% of all passwords appeared in the top 100 list of passwords. Basically a bunch of keys for hackers. Try enough locks and you’re going to open 40% of doors.

Anyway, back to Yahoo. In a blog published on their website yesterday they stated:

Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.

What’s the potential damage, I hear you ask. Well it could be anything from targeting email addresses for spam or scam messages to using the details for banking and shopping sites. Add in the fact many of us use the same password across multiple sites, and that if a hacker had access to your email account they could simply send themselves a password reminder, and the alarm bells start ringing.

It’s Friday so I’m not going to lay any particular blame at anyone’s door. You can draw your own conclusions. What I will say is this: we all need to do more.

Individuals need to use better, stronger (and not repeated!) passwords and educate themselves of how to be safer on the internet. Organisations need to do more to secure their data bases, networks and our personal information. We’ve been living in the digital world for a while now. It’s time everyone took more responsibility for their digital existence.

Take advantage of IT Governance’s free resources:

The ‘Why’, ‘How’ and ‘Who’ of Cyber attacks

January 24th, 2014 by

Every minute of every day European organisations are attacked by cyber criminals, and the consequences can be catastrophic. If your organisation suffers a data breach and loses important information then your business could even be forced to close down. In many instances you won’t even know you have been hacked until it is too late, and even then you may not know what to do or who to call for help.

Why is your organisation targeted?

You may think your organisation is safe from cyber attack, but every company is a target, whatever its size or type. If you have a web presence, you are at risk, and for a variety of reasons. The main reasons hackers target companies of any sector or size are that:

  • there are vulnerabilities within your system
  • competitors want your customers’ personal information (e.g. full names, email addresses, physical addresses, mobile number etc.);
  • cyber criminals want your company’s  sensitive information, assets and/or money;
  • an activist group wants to destroy you for ideological reasons or
  • criminal organisations want your software information.

In essence, any organisation with inadequate information security management systems (ISMS) in place is a potential target. The absence of an ISMS could leave the doors open to cyber attack, and increases the risk of a data breach. Any unprotected business information is likely to be targeted by hackers. The growing number and sophistication of cyber attacks in Europe not only reflects criminals’ expertise but also the lack of adequate information security management systems in European organisations. Don’t let the cyber criminals be smarter than you!

ISO 27001 is the internationally recognised cyber security best practice specification for an information security management system (ISMS). The standard provides companies with assurance and also helps to develop and enhance information security best practice. It ensured that organisations are protected from risks and threats which could otherwise lead to heavy financial losses and reputational damage.

How could your organisation be hacked?

Methods of cyber attack are increasing every day, and criminals are constantly working to find new ways of accessing your organisation’s information. Common types of incident are:

  • hacking, which is the unauthorised access to a computer or network, and which simply means that an illegal intrusion has occurred without the permission of the computer or network owner;
  • denial of service attack, which occurs by flooding your network with external requests  so that it no longer has sufficient bandwidth to provide its intended service;
  • virus dissemination, which is when malicious software (e.g. viruses, worms, Trojans etc.) attack your organisation’s systems ;
  • credit card fraud, when  hackers steal credit card numbers when a transaction is taking place via your company’s website;
  • net extortion, when the company’s confidential data is copied in order to extort money; and
  • phishing, which is the technique of extracting confidential information by pretending to be a trustworthy entity such as a bank.

IT Governance recommends reading CyberWar, CyberTerror, CyberCrime  for you to understand the risks of cyber crime and learn what measures you and your business should take. With this book you will understand the case for applying international standards and practices as the key counter-measure to the global threat of CyberAttacks

To learn about the origins of cyber risks and the development of strategies for their management is recommended reading Cyber Risks for Business Professionals: A Management Guide.

 

Who is responsible for protecting your organisation?

The first thing to do is find out how (or if) your organisation is protected. Don’t think that the IT department is solely responsible for cyber security: cyber security is a shared business responsibility throughout the organisation. Good security awareness means that all of your employees are aware of, and are able to identify, cyber threats.

The  ITG e-learning Course – Information Security Staff Awareness helps you deliver basic information security training to your staff making sure that employees are fully aware of their role in achieving effective information security.

For more information on how to protect your organisation, visit IT Governance EU.

How much custom would you lose from a data security breach?

October 30th, 2013 by

We take it for granted nowadays that we can work pretty much wherever we are. The majority of us use laptops, tablets and smartphones for work as well as for leisure, Wi-Fi is by and large available wherever we go, 3G and increasingly 4G service is the norm, and cloud computing means we can access our data on the move. But an increasing reliance on virtual networks means sensitive data is more and more vulnerable to targeted attacks. Web-based applications may be convenient for you and your workforce to operate wherever you are, but they are also convenient for cyber criminals, as your and your customers’ information is more exposed.

US Government hacked

In the news this week, it was reported that 28 year-old Lauri Love from Stradishall in Suffolk was arrested in a joint operation by the UK’s National Crime Agency and the FBI on suspicion of hacking into US Army, NASA and government computer systems and allegedly stealing data on thousands of individuals, causing $25,000-worth of damage. If a vicar’s son in East Anglia can hack into the networks of some of the most powerful organisations in the world, what chance do you stand?

You are vulnerable too

FireHost this week reported a 32% rise in the third quarter in cross-site scripting (XSS) and SQL injection activity targeting web applications carrying sensitive information. Evidence shows that SQL attacks are becoming more automated as hackers and cyber criminals are moving away from enterprise infrastructure attacks and are identifying and exploiting vulnerable application assets. Automated scanning means even if you are a relatively small, unknown organisation, your web presence will be found. This puts any business with hosted resources at risk, including yours. It isn’t scare-mongering but fact: it’s not a matter of if you will be attacked; it is a matter of when.

How would your customers react?

Elsewhere, a Harris Interactive survey commissioned by Cintas Corporation has revealed that two thirds of US adults would take their business elsewhere after a data breach. Whilst these results may seem on first glance to be specific to the US, there can be no doubt that their application is global, and the message is clear: you only get one chance. If your data is breached, your customers could go straight to your competitors and not come back.

How can you prevent attack?

Penetration testing identifies the vulnerabilities in your information security systems by simulating a malicious attack, testing known and unknown weaknesses in your security arrangements, including open ports, Wi-Fi passwords, packet sniffing, phishing schemes, browser exploits and social engineering. Whether complying with DPA, other Data Protection Laws, or meeting business, legal and contractual requirements in line with ISO27001, organisations must carry out penetration tests at least quarterly on all their Internet-facing websites.

50% discount

IT Governance currently has a special 50% discount offer on all our CREST-accredited penetration testing services booked by the end of November 2013. Visit our website or call us today on 0845 070 1750 to find out how we can address your security needs.

Snowden: One of the worst information leaks in US history

August 23rd, 2013 by

Edward Snowden, a former CIA worker, leaked materials to the media that allegedly showed the US to have conducted widespread and illegal surveillance of its citizens and other nations.

Reports from the Guardian and Washington Post claim that the US National Security Agency (NSA) have been illegally collecting millions of telephone records from Verizon customers, emails, live chats and search histories from Facebook and Google and had even bugged EU offices in Washington and UN headquarters in New York.

What this news story breaks down to is an employee had access to sensitive information that he decided to leak for personal reasons.

This begs all kinds of questions for the CIA. Was there adequate screening of his role? Did he have more access than he needed to? Was he left unsupervised for long periods of time?

In turn, you could ask this of yourself. Do you monitor your staff regularly? Do you ensure appropriate information security training is enforced?

An employee leaking sensitive data from your organisation may not have the same impact that Snowden has caused, but it will cause you brand damage, it will cost you and you will have breached the law.

Everything is relative. If one person can bring down US security, think what one person, armed with the right information could do to your business.

One of the first steps every organisation should take is to conduct a risk assessment. This will help you assess areas of weakness and the vulnerabilities posed by internal and external threats. Find out more >>

Growing demand for cyber security professionals

August 21st, 2013 by
The demand for cyber security professionals in the past 5 years has grown more than 3.5 times

The demand for cyber security professionals in the past 5 years has grown more than 3.5 times

A report from Burning Glass International found that the “demand for cyber security professionals in the past five years has grown more than 3.5 times faster than the demand for other IT jobs and about 12 times faster than the demand for all other jobs”.

This shows that organisations are recognising the importance of cyber professionals and their value in mitigating cyber risks.

Cyber security skills are essential to any organisation committed to addressing the rising cyber threat. For information security professionals, developing knowledge and skills in this area through certificated training is crucial to future career development. The IT Governance Cyber Security Learning pathway provides opportunities to develop expertise and gain industry-standard certifications. Find out more >>

New EU-wide rules on cyber defence

August 16th, 2013 by

After cyber attacks emerged as a threat to national security, it’s been about time that the Council of the European Union adopted new rules in support of cyber defense.

The legislation focuses primarily on large-scale attacks on information systems within the EU.

Cecilia Malmstrom, EU Commissioner for Home Affairs, said:

“We all need to work together to achieve the objectives that we have set ourselves. It is therefore essential that all member states get up to speed and make cyber security a top priority”.

Help bolster EU cyber defences by downloading and implementing good cyber defence practice as contained in the Cyber Security Governance & Risk Management Toolkit.

This toolkit consolidates the five leading approaches to managing cyber risk into a single, robust framework. Including ISO 27001, ISO 27032 and PAS 555, this toolkit will help you implement a cyber security framework for your business that is manageable and concise.

Find out more >>


%d bloggers like this: