Posts Tagged ‘CyberCrime’

New cyber security toolkit with free cyber assessment tool

February 6th, 2012 by

Our new Cyber Security Toolkit can help your organization protect itself from the growing threat of cyber crime. This toolkit will ensure you protect your critical assets, instil confidence in your customers and help you win new business.

Until this Friday, 10th February, this toolkit comes with a free Cyber Security Self Assessment tool.

This tool will enable you to quickly assess which areas of your organization are cyber secure and which require more attention. Read more here >>>


The Cyber Security Toolkit provides all the tools and resources you need to implement your own cyber security project and align your business with ISO 27001, the world’s only cyber security standard.

The toolkit comprises:

Protect your organization from cyber attack in 2012

Order the cyber security toolkit today >>>

Cyber Crime: Hindsight is a wonderful thing

February 6th, 2012 by

 

‘Time will only tell just how bad the state of e-Crime, and related matters stand, but one thing is for sure. It would certainly seem to be the only growing industry of the current day.’

John Walker speaking at the e-Crime Congress, 2009

This statement was made 3 years ago at the e-Crime Congress by Professor John Walker, CEO of Secure Bastion Ltd. John and a small number of other security professionals were predicting darker things to come. But at the time, John and his friends were scoffed at and rejected for making such predictions, and told that cyber crime was in fact declining.

Now take a look at the current state of cyber crime. Data breaches at companies of all sizes are now a regular occurrence, phishing schemes are on the rise and even tensions between countries are building because of criminal activities over the Internet. Cybercrime is estimated to cost the global economy $388 billion, which is $100 billion more than the global black market.

If we had listened to John Walker back in 2009, would we be in the state that we are in today? Probably not. By 2012 we might have reached a global solution to fighting cyber crime and information would be made more freely available on how to beat it.

We are only now seeing the emergence of a united approach to data breaches throughout Europe. So how long will it take to achieve a united approach globally? Four, five more years? Can the economy wait that long?

It’s all well and good to look back on the past and discuss what we should have done, but we need to take steps to prevent what is happening now and for the future. Protect your business against cyber threats today.

Discover how to protect your business from cyber crime and risks >>

Commons report puts the cost of cybercrime at over £3 billion to the individual

February 2nd, 2012 by

Today the Commons Select Committee published its report on Malware and cybercrime. The report stated that the government should do more to educate people about how they can protect themselves online and advocated a major publicity campaign to do so.

The report stated:

  • Online identity theft in 2011 cost individuals £1.7 billion
  • Online scams cost individuals £1.4 billion
  • Scareware (where cybercriminals trick users into downloading harmful software) cost individuals £30 million

The report cited statistics from McAfee which stated that 38% of respondents to the latest Norton Cybercrime Report had suffered a malware incident. Malware was the most common attack vector followed by online credit card fraud and network profile hacking.

Andrew Miller, Chairman of the committee, commented “Government departments need to realise that better public information about computer safety could save huge numbers of people the hassle of having their personal details stolen.”

The Select Committee’s report also said far more needed to be done in regards to the policing of cyber crime. The report states:

‘There is no overarching body that provides consumers with a first place of contact to complain about disreputable or criminal behaviour.’ It continued ‘While the police now clearly take the problem of cyber crime seriously, both they and the Minister agreed that the policing of cyber crime needed to become mainstream to the point that local police officers are comfortable talking about cyber security. We share the sentiments of Janet Williams of the Association of Chief Police Officers (ACPO):

I don’t think we are as good as we need to be in policing, in terms of every single police officer in this country being as equipped to give a member of the public a piece of advice around cyber-security as they are, for example, for their windows and their doors—their general house issues.

This has surely been the case for some time. Hopefully, however, this select committee recommendation will act as the much-needed catalyst for the government to implement a complete overhaul of how it treats cybercrime. Cybercrime grows exponentially in parallel with the development of technology. Those in power, though, lag well behind in terms of education, training and adequate policing. Some would argue, however, that the cyber criminals will always be ahead of the game. But that doesn’t mean that we shouldn’t try to bridge the gap.

In the meantime, you can read more about cybersecurity, and how to protect yourself here >>>

An Introduction to Hacking & Crimeware

January 17th, 2012 by

 

Cybercrime is on the rise. Unchecked, it could destroy the entire global cyber infrastructure and wipe out many businesses. We need to defend ourselves against it, and we must fight back.

Know your enemy

An Introduction to Hacking & Crimeware is a comprehensive guide to the most recent and the more serious threats. Knowing about these threats will help you understand how to ensure that your computer systems are protected and that your business is safe, enabling you to focus on your core activities.

Download as an eBook today >>

An Introduction to Hacking & Crimeware: A Pocket Guide
by Victoria Loewengart

Price: €17.95


Your business could be at risk

Protect your business against cyber threats by complying with ISO 27001 – the best-practice specification for an Information Security Management System (ISMS). An ISMS is a systematic approach to managing confidential or sensitive corporate information so that it remains secure. ISO 27001 sets out specific requirements against which your organisation’s ISMS can be audited and certified.

ISO 27001 is recognised worldwide and will help your company beat cyber crime.

Learn more about ISO 27001 here >>

Hackers; where is the justice?

January 17th, 2012 by

It seems like every week we hear of a new news story where a company has been hacked, broken the Data Protection Act and/or fined. Although in these hacking stories the data of innocent people is often compromised, it seems like the blame is often being put upon the companies, when in fact it should be the hackers who are taking the blame.

After a data breach occurs, how much investigation goes into finding the hacker that committed the crime? Little? Or none? It is easier to blame the company where the attack occurred, issue a fine, and pronounce them incapable of looking after your data. But is this really the case? Lee Howell, Managing Director at the World Economic Forum, stated that “it’s impossible to be completely secure online”. So if this is true, then why should the victims (companies) be put to blame? Yes, I agree that companies who manage sensitive data should take the necessary precautions to do everything they can to protect that data, but where does the justice lie for them if they did not commit the real crime?

Take it like this; if you were to lock your house up at night (doors, windows etc.) before you went to bed, and you were burgled during the night, should it then be you who faces prosecution for not protecting your house properly, or should the person who broke into your house be prosecuted?

Lee Howell talks about social norms in terms of cyber crime, concluding that “we do not yet fully understand how social norms are shaped in the virtual world. Why is it that many people who would be ashamed to admit stealing a DVD from a shop will happily discuss illegally downloading a movie?” This can be referenced to the point above about the current justice system for hackers and hacked companies.

It is important to note that one of the main reasons cyber criminals don’t get caught is because of the anonymity of it all. Hackers are often more technologically advanced than the people tracking them down, which can mean that most investigations come to a halt before they’ve even begun. You can find hacking software easily on the web, meaning that anyone can try their hand at it, which has thus been a major cause in the proliferation of hacking. Another main reason why hackers fail to get caught is the difficulty in cross-border policing. If you notice a computer attack that came from country X, tracking down that cyber criminal would be near-on impossible due to the different laws and regulations held between two different countries. Adam Segal from The Diplomat says, “It’s hard to deter if you can’t punish, and you can’t punish without knowing who is behind an attack.” With so much difficulty in tracking down hackers, they often get away with the crime, but does their anonymity give them the right to this?

More attention should be put on the hackers themselves (tracking them down and prosecuting them), rather than the companies who suffer data breaches because of them. A unified approach and shift in focus will lead to a more realistic deterrent for cyber criminals, hoping to break the cyber gang culture that is appearing across the web.

Food for thought anyway.

The Ramnit worm is back, and chomping its way through Facebook accounts

January 6th, 2012 by

Security company Seculert has confirmed that a computer worm known as Ramnit has stolen the email addresses and passwords of 45,000 Facebook users. The majority of affected users are from France and the UK.

The culprit – the malicious Ramnit worm – has been around since early 2010 and has previously stolen bank account details. The researchers at Seculert who made the discovery commented:

We suspect that the attackers behind Ramnit are using the stolen credentials to login to victims’ Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware’s spread even further.

Seculert reports that Ramnit had infected over 800,000 machines from September to December 2011. The sophisticated worm can infect Windows executable and HTML files and, most worryingly, most users will have no idea that it is even present on their machine. Once the Ramnit worm has acquired the login details for a Facebook account, it has the ability to post messages – loaded with a malicious link – on the walls of the user’s friends.

Cybercrime increased exponentially in 2011 and this trend is due to continue in 2012, especially on social networking platforms. Cybercriminals are using ever more sophisticated malware to attack their victims; however, there is a much greater requirement for individuals to be more proactive in their preventative action.

Cybercriminals are exploiting the fact that many users use the same login and password details for multiple accounts, including work and personal accounts. This increases the scope for cybercriminals when they acquire login credentials and places both individuals and businesses at greater risk.

2012 should be the year that individuals and businesses finally take ownership of their cyber security. It’s an unpleasant truth that cybercrime is growing and will potentially affect all of us at one time or another. The thing to do, though, is to understand how to mitigate such cyber attacks, put in place measures against them and use the internet in a sensible way (for example, don’t use the same login details for your Facebook, bank account and work profiles!).

To download a free white paper on cyber security click here >>>

To read about our social media toolkit click here >>>

Source: Seculert & BBC News

What will protect you from IT Security threats?

January 4th, 2012 by

IT security is an issue that all organisations must address. Consider these facts:

  • Modern businesses and organisations must protect themselves from the growing threat of cyber attacks and cyber crime
  • Cyber security is a senior management issue not just an IT issue
  • Protection of your critical assets should cover systems, networks and work practices
  • Ensuring staff are trained in cyber security is as important as having robust system defences
  • Effective and robust cyber security can help you win new business, improve customer confidence and reduce IT expenditure

So, how do you ensure you have robust, effective and proportional cyber security measures in place for your organisation? The answer is, of course, ISO27001.

But what is ISO27001?

  • ISO27001 is the new, world leading cyber security standard
  • ISO27001 is the only internationally recognised cyber security standard, which an organisation can be certified against
  • ISO27001 provides a framework for creating a cyber security management system
  • ISO27001 will help you identify the risks to your organisation and build defences to protect yourself from them
  • ISO27001 will help you create documentation, systems and work practices to ensure the continual protection against cyber crime and cyber attack

IT security and ISO27001 can seem like a daunting issue to tackle within an organisation. It is complex and an ISO27001 project is not something that can be achieved overnight. ISO27001 is a relatively new international standard; however, it is quickly becoming the benchmark for cyber security defences within organisations. More and more organisations are adopting ISO27001 and reaping the business benefits of being aligned to the standard.

You can find more information about ISO27001, its benefits and a free white paper here >>>

However the best place to start building your knowledge of ISO27001 is with this easy to read pocket guide: An Introduction to Information Security and ISO27001

An Introduction to Information Security and ISO27001
by Steve G. Watkins

Price: €11.95


10 biggest cyber threats of 2011

January 4th, 2012 by

2011 saw a vast growth in the number of malware attacks on businesses and individuals. Hackers are now at a point where they can “wreak havoc and access the best-kept secrets of organisations without ever leaving their living-rooms”. From phishing scams, to the Sony hack, 2011 has seen the worst of all cyber attacks. Millions of people’s data has been compromised around the world: hackers have made millions, whilst companies have lost millions. So, will 2012 see a repeat of last year? Or will we clamp down on cyber crime once and for all?

We here at IT Governance Ltd have picked the bad and the very bad to show you just what a year it’s been in cyberspace….

1. Sony PlayStation hack

Now this really was the worst of the worst – names, addresses and card details were stolen from around 77 million people who had accounts with the PlayStation Network (PSN).

2. Student loan phishing scam

Students across the UK mistakenly handed over access to their bank details after receiving an email asking them to confirm their details. Anywhere between £1,000 and £5,000 was stolen from each student who gave access.

3. Android apps

22 apps were removed from the Android Market by Google after it was discovered they contained fraudulent software. The apps tricked users into sending premium text messages.

4. RIM hack

Blackberry’s blog was hacked after the London riots, warning Blackberry not to assist the police.

5. Local council fined £130,000 for breach of DPA

Powys Council, England, was fined £130,000 after the details of a child protection case were sent to the wrong person. This was one of the largest fines the ICO have actioned against a council. Read more >>

6. WikiLeaks

WikiLeaks was responsible for releasing top secret information about governments across the world on its website.

7. NHS Breach

Lulzsec hacked the NHS, alerting them that their information security management system was inadequate. However, they put on the “white hat” approach, publicizing the hack but not revealing any compromising information.

8. Gmail phishing scam

Chinese identity thieves used ‘spear phishing’ tactics to take over hundreds of Gmail accounts, including those belonging to senior officials and military personnel.

9. Epsilon data breach

Epsilon, the email communication giant, was hacked in March 2011, and customer email lists were stolen from at least 26 different companies.

10. RSA attack

One of the most high-profile breaches of 2011 involved the world’s most-used two-factor authentication system. Hackers stole information relating to RSA’s SecurID system, mimicking RSA naming conventions to avoid detection. What was so unique about this case was that only one attack on an RSA customer was ever reported, showing that the counter-actions RSA took were extremely effective.

Source: Security News Daily, Information Week and Real Business.

The lesson to take away from these hacks and breaches is that companies and individuals alike need to be educated on cyber issues. There needs to be an understanding of what to look out for, what to click and what not to click, who to give your details to and who not to, and to generally be alert, rather than sticking our heads in the sand.

Education will help combat cyber issues and prevent repeat attacks occurring in 2012.

We have a number of staff awareness training courses available at IT Governance, covering DPA, Information Security and ISO 27001 and PCI DSS training. These are extremely effective and affordable, considering no travelling or other course attendance costs are incurred, as learners can study from their desk in their spare time.

Book your e-Learning course today >>

ENISA Report on Maritime Cyber Security shows little has changed in 8 years

December 23rd, 2011 by

ENISA has just released its first EU report on the cyber security challenges that the Maritime Sector faces. The report highlights that maritime cyber security is low, to virtually non-existent, showing little difference between now and 8 years ago….

This report is extremely startling as 90% of the EU’s external trade, and more than 40% of the internal trade, takes place via maritime routes. If this were to be disrupted by a cyber threat, it would have disastrous consequences for the EU Member States’ governments and social wellbeing. Trade, resources and leisure would all be severely affected.

ENISA suggests there should be regulations and policies considering cyber security, on a risk-based approach. Better information exchange and statistics on cyber security are also needed to help people understand and improve their own actuarial models and help reduce risks.

The report shows that little has changed in the 8 years since the Port of Houston was crippled by a cyber attack, allegedly committed by a teenager back in 2003. As a result, data (tides, water depths and weather) used by pilots to navigate through the harbour and by shipping companies became inaccessible. The UK teenager was accused of ‘electronic sabotage’, bringing down the Internet systems of the world’s 8th busiest maritime facility, whilst attempting to exact revenge on a fellow IRC user. The recent ENISA study has shown that the state of the Maritime Cyber Security infrastructure has not changed since the attack, leaving it vulnerable to further cyber attacks.

Modern containerships and oil tankers are highly automated and manned by a small number of crew relying on automated systems. Additionally, harbours and container ports are also highly automated, meaning that the whole maritime network would come to a standstill if disrupted by a cyber threat. The recent Stuxnet and Duqu attacks have shown that industrial systems as well as traditional computer systems are vulnerable to cyber attacks.

Considering how important the maritime trade is to the EU, and that attacks on critical infrastructure are becoming increasingly common, it just shows how seriously cyber security in the maritime industry needs to be taken.

Protect your company from cyber threats with the complete cyber security toolkit: The No 3 ISO27001 Comprehensive ISMS Toolkit.

Use this toolkit to implement your very own ISO 27001 (the world’s only cyber security standard) project. Coming with complete documentation and books to guide you through the process, this all-inclusive toolkit will have your business’ cyber defences up in no time.

Take action now against cyber threats with the No 3 ISO27001 Comprehensive ISMS Toolkit >>

Spread holiday cheer, not your company’s confidential data!

December 23rd, 2011 by

We know it’s the season of good will, for giving and for spreading Christmas wishes, but the worst thing you could do is to spread your company’s confidential data across the web.

With cyber attacks on the rise, companies are building up their cyber defense systems – and so should you! Just because it’s the festive season doesn’t mean you’re safe from an attack; in fact, hackers are more likely to attack when they know barriers are down.

Read Cyber Risks for Business Professionals: A Management Guide to truly understand the risks involved with online threats. As an eBook, you’ll be able to download it straight away for some reading over the holiday period. This book will help you understand and manage the technological risks, familiarise yourself with the legal issues, control employee use of Web 2.0 technologies and use technology to address the risks.

Find out more information >>

Alternatively, if you want to kick-start a cyber security project straight away, download the No 3 ISO27001 ISMS Comprehensive toolkit. In line with ISO 27001 (the world’s only cyber security standard), this unique toolkit provides complete coverage on how to implement, develop and accelerate an ISO 27001 project within your business. This toolkit comes with all the documentation, books and guidance you will need to get started and make your company fully cyber secure.

Find out more information >>