Posts Tagged ‘Data Security’

10 biggest cyber threats of 2011

January 4th, 2012 by

2011 saw a vast growth in the number of malware attacks on businesses and individuals. Hackers are now at a point where they can “wreak havoc and access the best-kept secrets of organisations without ever leaving their living-rooms”. From phishing scams to the Sony hack, 2011 has seen the worst of all cyber attacks. Millions of people’s data has been compromised around the world: hackers have made millions, whilst companies have lost millions. So, will 2012 see a repeat of last year? Or will we clamp down on cyber crime once and for all?

We here at IT Governance Ltd have picked the bad and the very bad to show you just what a year it’s been in cyberspace…

1. Sony PlayStation hack

Now this really was the worst of the worst – names, addresses and card details were stolen from around 77 million people who had accounts with the PlayStation Network (PSN).

2. Student loan phishing scam

Students across the UK mistakenly handed over access to their bank details after receiving an email asking them to confirm their details. Anywhere between £1,000 and £5,000 was stolen from each student who gave access.

3. Android apps

22 apps were removed from the Android Market by Google after it was discovered they contained fraudulent software. The apps tricked users into sending premium-rate text messages.

4. RIM hack

BlackBerry’s blog was hacked after the London riots; the attackers posted a warning to BlackBerry not to assist the police.

5. Local council fined £130,000 for breach of DPA

Powys Council, Wales, was fined £130,000 after the details of a child protection case were sent to the wrong person. This was one of the largest fines the ICO has imposed on a council. Read more >>

6. WikiLeaks

WikiLeaks was responsible for releasing top secret information about governments across the world on its website.

7. NHS Breach

LulzSec hacked the NHS, alerting them that their information security management system was inadequate. However, they took a “white hat” approach, publicising the hack but not revealing any compromising information.

8. Gmail phishing scam

Chinese identity thieves used ‘spear phishing’ tactics to take over hundreds of Gmail accounts, including those belonging to senior officials and military personnel.

9. Epsilon data breach

Epsilon, the email communications giant, was hacked in March 2011, and customer email lists were stolen from at least 26 different companies.

10. RSA attack

One of the most high-profile breaches of 2011 involved one of the world’s most widely used two-factor authentication systems. Hackers stole information relating to RSA’s SecurID system, mimicking RSA naming conventions to avoid detection. What was so unique about this case was that only one attack on an RSA customer was ever reported, showing that the counter-actions RSA took were extremely effective.

Source: Security News Daily, Information Week and Real Business.

The lesson to take away from these hacks and breaches is that companies and individuals alike need to be educated on cyber issues. There needs to be an understanding of what to look out for, what to click and what not to click, who to give your details to and who not to, and to generally be alert, rather than sticking our heads in the sand.

Education will help combat cyber issues and prevent repeat attacks occurring in 2012.

We have a number of staff awareness training courses available at IT Governance, covering the DPA, information security, ISO 27001 and PCI DSS. These are extremely effective and affordable, considering that no travel or other course attendance costs are incurred, as learners can study from their desk in their spare time.

Book your e-Learning course today >>

ENISA Report on Maritime Cyber Security shows little has changed in 8 years

December 23rd, 2011 by

ENISA has just released its first EU report on the cyber security challenges that the maritime sector faces. The report highlights that maritime cyber security is low to virtually non-existent, showing little difference between now and 8 years ago…

This report is extremely startling, as 90% of the EU’s external trade and more than 40% of its internal trade takes place via maritime routes. If this were to be disrupted by a cyber threat, it would have disastrous consequences for the EU Member States’ governments and social wellbeing. Trade, resources and leisure would all be severely affected.

ENISA suggests there should be regulations and policies covering cyber security, based on a risk-based approach. Better information exchange and statistics on cyber security are also needed to help organisations understand and improve their own actuarial models and reduce risks.

The report shows that little has changed in the 8 years since the Port of Houston was crippled by a cyber attack, allegedly committed by a teenager back in 2003. As a result, data (tides, water depths and weather) used by pilots navigating the harbour and by shipping companies became inaccessible. The UK teenager was accused of ‘electronic sabotage’, bringing down the Internet systems of the world’s 8th busiest maritime facility whilst attempting to exact revenge on a fellow IRC user. The recent ENISA study has shown that the state of the maritime cyber security infrastructure has not changed since the attack, leaving it vulnerable to further cyber attacks.

Modern container ships and oil tankers are highly automated and manned by a small number of crew relying on automated systems. Harbours and container ports are also highly automated, meaning that the whole maritime network would come to a standstill if disrupted by a cyber threat. The recent Stuxnet and Duqu attacks have shown that industrial control systems, as well as traditional computer systems, are vulnerable to cyber attacks.

Considering how important maritime trade is to the EU, and that attacks on critical infrastructure are becoming increasingly common, it shows just how seriously cyber security in the maritime industry needs to be taken.

Protect your company from cyber threats with the complete cyber security toolkit: The No 3 ISO27001 Comprehensive ISMS Toolkit.

Use this toolkit to implement your very own ISO 27001 (the world’s only cyber security standard) project. Coming with complete documentation and books to guide you through the process, this all-inclusive toolkit will have your business’ cyber defences up in no time.

Take action now against cyber threats with the No 3 ISO27001 Comprehensive ISMS Toolkit >>

Spread holiday cheer, not your company’s confidential data!

December 23rd, 2011 by

We know it’s the season of good will, for giving and for spreading Christmas wishes, but the worst thing you could do is to spread your company’s confidential data across the web.

With cyber attacks on the rise, companies are building up their cyber defense systems – and so should you! Just because it’s the festive season doesn’t mean you’re safe from an attack; in fact, hackers are more likely to attack when they know barriers are down.

Read Cyber Risks for Business Professionals: A Management Guide to truly understand the risks involved with online threats. As an eBook, you’ll be able to download it straight away for some reading over the holiday period. This book will help you understand and manage the technological risks, familiarise yourself with the legal issues, control employee use of Web 2.0 technologies and use technology to address the risks.

Find out more information >>

Alternatively, if you want to kick-start a cyber security project straight away, download the No 3 ISO27001 ISMS Comprehensive Toolkit. In line with ISO 27001 (the world’s only cyber security standard), this unique toolkit provides complete coverage of how to implement, develop and accelerate an ISO 27001 project within your business. This toolkit comes with all the documentation, books and guidance you will need to get started and make your company fully cyber secure.

Find out more information >>

The public sector needs to put its house in order as the ICO requests powers of compulsory audit

December 21st, 2011 by

The Information Commissioner’s Office has formally requested greater powers to conduct compulsory audits of local government and public sector organisations.

The ICO presented the secretary of state with a business case stating that there were “particularly significant and widespread data protection compliance concerns” within the public sector.

The ICO presented statistics, which included the number of complaints of potential data protection breaches from individuals. Over the last five years, local government (4,110) and the health sector (3,701) topped this list. Read the full report here.

2011 saw the ICO issue more fines than ever to public sector organisations. With these potential new powers of compulsory audit, the ICO will be clamping down even further in 2012.

Ensure you are compliant with the Data Protection Act for 2012.

Complete Data Protection Toolkit (Download)

Price: £156

ICT Strategy Toolkit: FREE with this best selling toolkit until December 23rd 2011!

The DPA toolkit contains all the tools, guides and documentation templates you need to become DPA compliant. The ICO is expected to come down even harder on those found to be in breach of the DPA in 2012. Can you afford not to be compliant?

Achieve DPA compliance for less than £156 with this toolkit >>>

More products to help you improve your data handling…

Data Protection Act Staff Awareness e-Learning Course

SafeStick (CESG Approved FIPS 140-2 Certified USB Stick)

This is how cyber criminals are going to attack you in 2012…

December 16th, 2011 by

Published this week, Cisco’s 2011 annual security report highlights how cyber criminals are moving away from mass spam campaigns and using far more sophisticated, targeted means of attacking their targets.

Scott Olechowski, threat research manager at Cisco, commented that cyber criminals were now employing “…a precision, assassin-like model versus a horrible, carpet bomb type of model.”

Let’s look at the up-and-coming and most effective models and means that cyber criminals are going to employ in 2012:

Mass account compromise: Piecing together data gathered by information-stealing trojans and then using it as a stepping stone to more lucrative targets.
For example: email addresses and passwords acquired from a dating website are then re-used on a banking site, or the email address is used to reset passwords for other sites.

VoIP abuse: Targeting SMEs, hackers place fraudulent long-distance calls. Some cyber criminals have also used VoIP as a means of phishing and have extracted social security numbers from individuals in US organisations.

Money laundering (muling): Criminals use data-theft malware to access online bank accounts and then transfer money to the accounts of ‘money mules’. Muling is increasing at a rapid rate, and Operation Trident Breach in the US this year saw the arrest of 60+ criminals who had stolen over $70 million.

Mobile devices: With the proliferation of mobile device technology and use, cyber criminals will look to exploit weaknesses in operating systems and in users through social engineering. The creation of bogus and nefarious apps is a real danger, as is the threat to businesses, because many mobile devices have access to the organisation’s network.

Cloud infrastructure hacking: With so much data now held in the cloud, it is an irresistible target for cyber criminals. By attacking a cloud provider, criminals can attack multiple enterprises in one go.

Data-theft trojans / web exploits / spyware / click and redirect fraud: These classic forms of cyber attack will continue to be prevalent in 2012, as off-the-shelf software is available to anyone who fancies giving it a go.
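The “mass account compromise” model above (stolen email/password pairs replayed against another site) leaves a recognisable trace on the receiving site: one source failing logins against many different accounts in a short window, rather than hammering one account. The following detector is an added example, not code from the original post or from Cisco’s report; the log format, the addresses, the accounts and the thresholds are all constructed for illustration.

```python
"""Credential-stuffing detection over constructed authentication log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation-range addresses, fictional accounts).
# Format assumed for this example: <timestamp> <OK|FAIL> <account> <source_ip>
SAMPLE_LOG = """\
2012-01-04T09:00:01 FAIL alice@example.com 203.0.113.7
2012-01-04T09:00:02 FAIL bob@example.com 203.0.113.7
2012-01-04T09:00:03 FAIL carol@example.com 203.0.113.7
2012-01-04T09:00:04 OK dave@example.com 203.0.113.7
2012-01-04T09:00:05 FAIL erin@example.com 203.0.113.7
2012-01-04T09:00:06 FAIL frank@example.com 203.0.113.7
2012-01-04T09:00:10 FAIL alice@example.com 198.51.100.9
2012-01-04T09:00:20 FAIL alice@example.com 198.51.100.9
2012-01-04T09:00:30 OK alice@example.com 198.51.100.9
"""


def parse_line(line):
    """Split one log line into (timestamp, result, account, source)."""
    ts, result, account, source = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), result, account, source


def detect_stuffing(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return {source: sorted distinct accounts} for every source whose failed
    logins touch at least `min_accounts` different accounts inside `window`.

    Repeated failures against a single account (plain password guessing) are
    deliberately not flagged here; the signal for stuffing is account breadth.
    """
    failures = defaultdict(list)  # source -> [(timestamp, account)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, account, source = parse_line(line)
        if result == "FAIL":
            failures[source].append((ts, account))

    flagged = {}
    for source, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until every attempt fits inside it.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {account for _, account in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[source] = sorted(accounts)
                break
    return flagged


def successes_from(log_text, sources):
    """Accounts that logged in successfully from flagged sources: the likely
    takeovers, and the ones to force a password reset on."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, result, account, source = parse_line(line)
        if result == "OK" and source in sources:
            hits.append(account)
    return hits


if __name__ == "__main__":
    suspects = detect_stuffing(SAMPLE_LOG)
    for src, accounts in suspects.items():
        print(f"{src}: {len(accounts)} distinct accounts failed -> {accounts}")
    print("successful logins from flagged sources:",
          successes_from(SAMPLE_LOG, set(suspects)))
```

On the constructed sample, 203.0.113.7 is flagged (five distinct accounts in a few seconds) and dave@example.com, whose login from that source succeeded, is the account to reset; 198.51.100.9, which only retried alice@example.com, is not flagged by this rule and would need a separate per-account lockout such as the one every login system should already have.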

In short, cyber crime isn’t going to go away. Quite the opposite. Organised cybercrime is growing at an exponential rate and cyber criminals are quick to use the latest technology to deliver ever more effective and targeted attacks.

You need to ensure that you and your business are protected. Make a start today by reading our free White Paper on Cyber Security.

Source: Cisco 2011 Annual Report

You can read Cisco’s full report here.

Before you set out for the festive madness, you need to read this…

December 16th, 2011 by

Whether you love it or hate it, there’s no getting away from it. Christmas is just a week away! While most people are heading to the shops in a last minute rush, you should treat yourself to a well deserved break and kick back with a useful eBook this weekend.

Compliance by Design: IT controls that work
by Chong Ee

Price: £39.95

Availability: Immediate download

Reconsider how you view compliance – and your business will reap the rewards!

More to explore…

Data Protection Compliance in the UK: Second edition

Data Protection vs Freedom of Information (eBook)

PCI DSS: A Practical Guide to Implementing and Maintaining Compliance

Ensure you are DPA compliant for 2012 with this special offer toolkit

December 14th, 2011 by

Data protection is a critical issue for all businesses in both the public and private sector. You need to ensure the protection and correct management of sensitive data and customers’ details in both the physical world and cyberspace.

You need to comply with the Data Protection Act. It is a legal requirement for all UK businesses. If you are found to be in breach of the DPA, you could be fined up to £500,000 by the Information Commissioner’s Office.

Our unique, user-friendly Complete Data Protection Toolkit will have you compliant in no time, and all for just £156.

Until the 23rd of December buy this toolkit and receive the ICT Strategy Toolkit free.

Complete Data Protection Toolkit (Download)

Price: £156

ICT Strategy Toolkit: FREE with these best selling toolkits until December 23rd 2011!

The DPA toolkit contains all the tools, guides and documentation templates you need to become DPA compliant. The ICO is expected to come down even harder on those found to be in breach of the DPA in 2012. Can you afford not to be compliant?

Achieve DPA compliance for less than £156 with this toolkit >>>

Leaked EU Directive: Upping Data Protection Game

December 9th, 2011 by

There have been reports that the new EU Data Protection Directive (due to be released in January 2012) has been leaked. And guess what? There are at least two new changes that will shake up the EU (as if it hasn’t been shaken up enough already).

Article 27 states that there will be an obligation on controllers to inform their supervisory body and data subjects within 24 hours of any breach. This will mean that more people will be aware of which companies suffer a breach, which could cause severe brand damage and a loss of customer relationships.

Article 32 introduces a mandatory data protection officer for the public and private sector. This means that large organisations will have to make room for an internal data controller and assign appropriate measures to comply with the Directive.

(These two points will have a profound effect if true, but it is important to note that they come from a leaked version.)

Indeed, we’re not yet clear on what the implementation or transition requirements will be, i.e. how this will pass from EU directive into national legislation… but it certainly raises the game for data protection.

Simplify IT Security Implementation

December 7th, 2011 by

IT risk and business resilience are the most important security issues facing organisations today.

Effective cyber security depends on co-ordinated and integrated preparations for responding to, and recovering from, a range of possible cyber attacks. Cyber security standards enable you to mitigate these risks, and implementation is simplified when you use our proven and highly effective toolkits.

Each of the following toolkits has been used by organisations across the globe to implement standards and, in many cases, achieve certification.

Buy any of these toolkits before December 23rd 2011 and you will also receive a free ICT Strategy Toolkit.

ICT Strategy Toolkit: FREE with these best selling toolkits until December 23rd 2011!

ITSM, ITIL® & ISO/IEC 20000 Implementation Toolkit (Price: €575.95): Adopt ITIL and achieve ISO20000 with this toolkit

PCI DSS Documentation Compliance Toolkit (V2.0) (Price: €299.95): Protect customer data and become PCI compliant with this toolkit

BS25999 BCMS Implementation Toolkit (Price: €469.95): Ensure your organisation is resilient with this toolkit

IT Governance Framework Toolkit (Price: €589.95): Improve IT governance within your organisation with this toolkit

IT Governance toolkits are unique and fit for purpose – they are designed to give you the knowledge and information you need to cost-effectively implement a management system or standard and accelerate organisational learning.

Buy any of these toolkits before December 23rd 2011 and receive a free ICT Strategy Toolkit.

Data breaches in U.S hospitals jump by 1/3

December 6th, 2011 by

The number of data breaches in health organizations in the U.S. has increased by 32% in 2011, costing the industry an estimated $6.5 billion.

The President of the U.S., Barack Obama, has been incentivizing doctors and hospitals to adopt digital health records. This has in fact had a negative effect, with most hospitals spending their time, money and effort on acquiring electronic equipment and neglecting the security of their patients’ data.

The report, conducted by Ponemon Institute LLC, also found that 49% of health organization breaches came from lost or stolen devices containing sensitive data. The majority of the hospitals surveyed said that they use mobile devices to transmit patient data, but only 38% of organizations said they were confident of the security of these devices.

The solution?

Use encrypted hardware. SafeStick is a secure USB stick with AES 256-bit hardware encryption and is FIPS 197 certified.

This stick includes brute-force attack lockdown protection, which means that should the password to your SafeStick be entered incorrectly a number of times, the SafeStick is disabled or the data on it is wiped.
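To show what that lockdown behaviour amounts to in practice, here is an added software model of it; this is not SafeStick’s firmware or any vendor’s code. The store derives a key-encryption key from the password, keeps the real data key only in wrapped form, counts every unlock attempt before checking the password, and destroys the wrapped key once the limit is hit, so the data is unrecoverable even if the storage is read directly. The attempt limit, the PBKDF2 settings and the toy XOR key wrap are assumptions made for this example.

```python
"""Brute-force lockdown model: a password-protected store that self-destructs."""
import hashlib
import hmac
import os


class LockdownStore:
    """Holds a data key wrapped under a password-derived key and wipes it after
    too many wrong passwords (software model of the behaviour described above)."""

    MAX_ATTEMPTS = 10        # assumed threshold; the post gives no figure for SafeStick
    PBKDF2_ROUNDS = 100_000  # assumed work factor

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        kek = self._derive(password)
        data_key = os.urandom(32)  # the key the stored contents are encrypted under
        # Toy key wrap: XOR the data key with the password-derived key.
        # A real device would use an authenticated key wrap such as AES-KW.
        self._wrapped_key = bytes(a ^ b for a, b in zip(data_key, kek))
        # Verifier lets us tell a wrong password from a right one without
        # storing the KEK itself.
        self._verifier = hashlib.sha256(kek).digest()
        self.failures = 0
        self.wiped = False

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self._salt, self.PBKDF2_ROUNDS, dklen=32)

    def unlock(self, password: str):
        """Return the 32-byte data key on success, None on failure or after a wipe."""
        if self.wiped:
            return None
        # Count the attempt *before* verifying. On real hardware this counter is
        # committed to non-volatile storage first, so cutting power during the
        # check cannot be used to retry without the counter advancing.
        self.failures += 1
        kek = self._derive(password)
        if hmac.compare_digest(hashlib.sha256(kek).digest(), self._verifier):
            self.failures = 0  # a correct password resets the budget
            return bytes(a ^ b for a, b in zip(self._wrapped_key, kek))
        if self.failures >= self.MAX_ATTEMPTS:
            self._wipe()
        return None

    def _wipe(self):
        """Destroy the only copy of the wrapped key; the contents are now just ciphertext."""
        self._wrapped_key = None
        self._verifier = None
        self.wiped = True

    def attempts_remaining(self) -> int:
        return 0 if self.wiped else self.MAX_ATTEMPTS - self.failures


if __name__ == "__main__":
    store = LockdownStore("correct horse battery staple")  # constructed passphrase
    for guess in ["password", "123456", "correct horse battery staple"]:
        key = store.unlock(guess)
        print(f"{guess!r:>34}: {'unlocked' if key else 'denied'}, "
              f"{store.attempts_remaining()} attempts left")
    for _ in range(LockdownStore.MAX_ATTEMPTS):
        store.unlock("wrong again")
    print("wiped:", store.wiped, "| correct password now:",
          store.unlock("correct horse battery staple"))
```

The two details worth copying into any implementation of this pattern are that the counter advances before the password is verified (otherwise a power cut between the check and the counter write yields unlimited retries), and that the wipe destroys key material rather than the data itself, which is what makes erasure instant and independent of how much storage the device has.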

Over 1 million SafeSticks are now in use in the NHS (UK), helping to keep patient data and other confidential data secure.

This SafeStick will keep you safe from suffering a data breach. Find out more >>