Posts Tagged ‘ISMS’

What will protect you from IT Security threats?

January 4th, 2012

IT security is an issue that all organisations must address. Consider these facts:

  • Modern businesses and organisations must protect themselves from the growing threat of cyber attacks and cyber crime
  • Cyber security is a senior management issue not just an IT issue
  • Protection of your critical assets should cover systems, networks and work practices
  • Ensuring staff are trained in cyber security is as important as having robust system defences
  • Effective and robust cyber security can help you win new business, improve customer confidence and reduce IT expenditure

So, how do you ensure you have robust, effective and proportionate security measures in place for your organisation? The answer, of course, is ISO27001.

But what is ISO27001?

  • ISO27001 is the world's leading information security management standard
  • ISO27001 is the internationally recognised standard against which an organisation's information security management system (ISMS) can be certified
  • ISO27001 provides a framework for creating an ISMS: the policies, processes and controls that manage information security risk
  • ISO27001 will help you identify the risks to your organisation and select controls to protect yourself from them
  • ISO27001 will help you create the documentation, systems and work practices needed to maintain that protection against cyber crime and cyber attack

IT security and ISO27001 can seem daunting to tackle within an organisation. It is complex, and an ISO27001 project is not something that can be achieved overnight. ISO27001 was first published in 2005 (it grew out of the British standard BS 7799-2), yet it is quickly becoming the benchmark for information security management within organisations. More and more organisations are adopting ISO27001 and reaping the business benefits of being aligned to the standard.

You can find more information about ISO27001, its benefits and a free white paper here.

However, the best place to start building your knowledge of ISO27001 is this easy-to-read pocket guide: An Introduction to Information Security and ISO27001

An Introduction to Information Security and ISO27001
by Steve G. Watkins

Price: €11.95

Who can protect you from cyber crime and cyber attacks? Would ISO27001 please stand up

January 4th, 2012

Cyber security is an issue that all organizations must address. Consider these facts:

  • Modern businesses and organizations must protect themselves from the growing threat of cyber attacks and cyber crime
  • Cyber security is a senior management issue not just an IT issue
  • Protection of your critical assets should cover systems, networks and work practices
  • Ensuring staff are trained in cyber security is as important as having robust system defences
  • Effective and robust cyber security can help you win new business, improve customer confidence and reduce IT expenditure

So, how do you ensure you have robust, effective and proportionate cyber security for your organization? Would ISO27001 please stand up.

But what is ISO27001?

  • ISO27001 is the world's leading information security management standard
  • ISO27001 is the internationally recognised standard against which an organization's information security management system (ISMS) can be certified
  • ISO27001 provides a framework for creating an ISMS: the policies, processes and controls that manage information security risk
  • ISO27001 will help you identify the risks to your organization and select controls to protect yourself from them
  • ISO27001 will help you create the documentation, systems and work practices needed to maintain that protection against cyber crime and cyber attack

Cyber security and ISO27001 can seem daunting to tackle within an organization. It is complex, and an ISO27001 project is not something that can be achieved overnight. ISO27001 was first published in 2005 (it grew out of the British standard BS 7799-2), yet it is quickly becoming the benchmark for information security management within organizations. More and more organizations are adopting ISO27001 and reaping the business benefits of being aligned to the standard.

You can find more information about ISO27001, its benefits and a free white paper here.

However, the best place to start building your knowledge of ISO27001 is this easy-to-read pocket guide: An Introduction to Information Security and ISO27001

An Introduction to Information Security and ISO 27001
by Steve G. Watkins

RRP: $19.95
Price: $14.95
You Save: $5.00

Start understanding ISO27001 and cyber security today.

10 biggest cyber threats of 2011

January 4th, 2012

2011 saw vast growth in the number of malware attacks on businesses and individuals. Hackers are now at a point where they can “wreak havoc and access the best-kept secrets of organisations without ever leaving their living rooms”. From phishing scams to the Sony hack, 2011 saw cyber attacks at their worst. The data of millions of people around the world has been compromised: hackers have made millions, while companies have lost millions. So, will 2012 see a repeat of last year? Or will we clamp down on cyber crime once and for all?

We here at IT Governance Ltd have picked the bad and the very bad to show you just what a year it has been in cyberspace.

1. Sony PlayStation hack

Now this really was the worst of the worst: in April 2011, attackers took the names, addresses, dates of birth and login details of around 77 million PlayStation Network (PSN) accounts, and Sony could not rule out that payment card data had been taken as well.

2. Student loan phishing scam

Students across the UK handed over access to their bank accounts after receiving an email, posing as a student loan notification, that asked them to confirm their details. Anywhere between £1,000 and £5,000 was stolen from each student who did.

3. Android apps

Google removed 22 apps from the Android Market after they were found to contain fraudulent code: the apps tricked users into sending premium-rate text messages.

4. RIM hack

BlackBerry maker RIM had its official blog defaced in the wake of the London riots, with a message warning the company not to assist the police.

5. Local council fined £130,000 for breach of DPA

Powys County Council, in Wales, was fined £130,000 by the Information Commissioner's Office (ICO) after the details of a child protection case were sent to the wrong person. It was one of the largest fines the ICO had imposed on a council.

6. WikiLeaks

WikiLeaks published classified material about governments across the world on its website, including a large cache of US diplomatic cables.

7. NHS Breach

LulzSec obtained administrator passwords for some NHS systems and, taking a “white hat” approach, emailed the NHS to warn it that its information security management was inadequate, publicising the contact but not revealing any of the compromising information.

8. Gmail phishing scam

Attackers that Google traced to Jinan, China, used spear-phishing to take over hundreds of Gmail accounts, including those belonging to senior US government officials, military personnel and Chinese political activists.

9. Epsilon data breach

Epsilon, the email marketing giant, was breached in March 2011; customer email lists belonging to at least 26 of its client companies were stolen.

10. RSA attack

One of the most high-profile breaches of 2011 hit one of the world's most widely used two-factor authentication systems. The attackers got in through a spear-phishing email whose Excel attachment carried a zero-day Flash exploit, then stole information relating to RSA's SecurID tokens; according to the sources below, they disguised the stolen data using RSA's own naming conventions to avoid detection. Only one attack on an RSA customer using that data was ever publicly reported (Lockheed Martin, in May 2011), which suggests RSA's counter-measures limited the damage, though an absence of reports is not proof of an absence of attacks.

Source: Security News Daily, Information Week and Real Business.

The lesson to take away from these hacks and breaches is that companies and individuals alike need to be educated about cyber issues: what to look out for, what to click and what not to click, whom to give your details to and whom not to, and generally to stay alert rather than sticking our heads in the sand.

Education will help combat cyber issues and prevent repeat attacks occurring in 2012.

We have a number of staff awareness e-learning courses available at IT Governance, covering the DPA, information security and ISO 27001, and PCI DSS. These are effective and affordable, since no travel or other attendance costs are incurred: learners can study from their desks in their own time.

Book your e-learning course today.

CERT India finds ‘Kim Jong-Il’ spam

January 3rd, 2012

Indian security analysts have found malware spreading by email under the name of the late North Korean leader Kim Jong-Il. The attached file, if opened, compromises the recipient's computer.

The Indian Computer Emergency Response Team (CERT-In) detected the spam and alerted internet users: the emails carry a malicious attachment named ‘brief_introduction_of_kim_jong_Ill_pdf.pdf’ (note the doubled ‘pdf’ in the name, a common lure trick to make the file look like an ordinary document). CERT-In is asking government and other users not to open the attachment, as doing so may lead to a loss of valuable data.

CERT-In clarified: “The said pdf file is exploiting vulnerabilities in Adobe Reader and Acrobat, that once successfully exploited leads to remote code execution in the victim system.”

Source: The Times of India
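The CERT-In description above is the classic exploit-PDF pattern: a lure filename that imitates a document type, and an attachment that fires Reader's JavaScript engine as soon as it opens. The following triage script is an added example, not CERT-In's tooling or anything from the source article. It looks for the PDF keywords that exploit documents rely on (/OpenAction, /JavaScript, /Launch and friends), inflates FlateDecode streams so that keywords hidden inside compressed object streams are still seen, undoes the `#xx` hex escaping that exploit kits use to disguise names, and flags double-extension filenames. The two sample PDFs are constructed for the example and contain no exploit; the filename from the advisory is reused only as a test input.

```python
import re
import zlib

# PDF name keywords that rarely appear in ordinary documents but are the
# building blocks of exploit PDFs: script execution, auto-run triggers,
# embedded payloads and object streams that hide all of the above.
INDICATORS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
              "/EmbeddedFile", "/RichMedia", "/ObjStm")
DOC_EXTS = ("pdf", "doc", "docx", "xls", "xlsx")

# (?<![a-z]) keeps "endstream" from being mistaken for the start of a stream.
_STREAM_RE = re.compile(rb"(?<![a-z])stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_HEX_NAME_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise(data: bytes) -> bytes:
    """Undo /J#61vaScript-style hex escapes used to disguise PDF names."""
    return _HEX_NAME_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Decompress every FlateDecode stream we can; keywords inside compressed
    streams (notably /ObjStm object streams) are invisible to a plain grep."""
    out = []
    for m in _STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # different filter or corrupt data: skip it
    return b"\n".join(out)


def pdf_indicators(data: bytes, inflate: bool = True) -> dict:
    """Count each suspicious keyword in the raw file and (optionally) in its
    inflated streams. Names match as whole tokens, so /AA does not hit /AAPL."""
    text = normalise(data)
    if inflate:
        text += b"\n" + normalise(inflate_streams(data))
    counts = {}
    for name in INDICATORS:
        pat = re.compile(re.escape(name.encode()) + rb"(?![A-Za-z0-9_])")
        n = len(pat.findall(text))
        if n:
            counts[name] = n
    return counts


def lure_filename_suspicious(name: str) -> bool:
    """Flag names that imitate a document: 'report.pdf.exe' or 'report_pdf.pdf'."""
    parts = name.lower().split(".")
    if len(parts) >= 3 and any(p in DOC_EXTS for p in parts[1:-1]):
        return True
    stem = parts[0]
    return any(stem.endswith("_" + e) or stem.endswith("-" + e) for e in DOC_EXTS)


def triage(filename: str, data: bytes):
    """Return (verdict, reasons). 'block' needs both an auto-run trigger and
    script, the combination that fires an exploit the moment the file opens."""
    reasons = []
    if lure_filename_suspicious(filename):
        reasons.append(f"lure filename: {filename}")
    found = pdf_indicators(data)
    reasons.extend(f"{k} x{v}" for k, v in found.items())
    auto = {"/OpenAction", "/AA", "/Launch"} & set(found)
    script = {"/JavaScript", "/JS"} & set(found)
    if auto and script:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, reasons


# Constructed sample PDFs for this example (not real malware). The suspect one
# hides its JavaScript action inside a Flate-compressed object stream and
# hex-escapes the /JavaScript name, as real exploit kits do.
def _pdf(objects: bytes) -> bytes:
    return b"%PDF-1.4\n" + objects + b"trailer << /Root 1 0 R >>\n%%EOF\n"


_PAGES = (b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
          b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n")

BENIGN_PDF = _pdf(b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" + _PAGES)

_OBJSTM = zlib.compress(b"4 0 << /S /J#61vaScript /JS (app.alert('constructed sample')) >>")
SUSPECT_PDF = _pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n" + _PAGES
    + b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Length " + str(len(_OBJSTM)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _OBJSTM + b"\nendstream\nendobj\n")


if __name__ == "__main__":
    for name, blob in (("quarterly_report.pdf", BENIGN_PDF),
                       ("brief_introduction_of_kim_jong_Ill_pdf.pdf", SUSPECT_PDF)):
        verdict, why = triage(name, blob)
        print(f"{name}: {verdict} {why}")
```

The point of inflating streams is that a plain grep over the file misses the /JavaScript object when it sits inside a compressed /ObjStm; `pdf_indicators(SUSPECT_PDF, inflate=False)` shows exactly that gap. Treat the output as a triage signal, not a verdict: legitimate forms use /AA and /JS too, which is why the script only returns 'block' when an auto-run trigger and script are both present.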

Make sure your emails remain safe on the Internet with E-mail Security: A Pocket Guide. This guide will help you use email clients to improve security, preserve confidentiality, protect your company's reputation and defend your business from attack. The pocket guide is available to download today.

Read more about E-mail Security: A Pocket Guide.

One and only toolkit offer expires soon!

December 19th, 2011

Hurry, this special offer expires soon! Order the BS25999 BCMS Implementation Toolkit before 23rd December and receive the ICT Strategy Toolkit absolutely free!

The BS25999 BCMS Implementation Toolkit contains all the templates and tools you need to implement a business continuity management system (BCMS) in line with BS25999 quickly and effectively.

BS25999 BCMS Implementation Toolkit (Download)

Price: Rs 17,224.58

Plus, free ICT Strategy Toolkit when you order before 23rd December.

More offers like this:

No 4 ISO27001 Complete ISMS Documentation Toolkit
vsRisk™ – The Cybersecurity Risk Assessment Tool

Do Your Part – Be Internet Security Smart!

December 15th, 2011

History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It’s always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you’ll be glad you did. – Bruce Schneier

Realise the benefits of Internet technologies while ensuring your company is protected from the associated risks.

If you want to make the Internet work for your business, you need to take the right precautions. Buy this book today!

Cyber Risks for Business Professionals: A Management Guide
by Rupert Kendrick

Price: €47.95

Cyber Risks for Business Professionals: A Management Guide is a general guide to the origins of cyber risks and to developing suitable strategies for their management. It provides a breakdown of the main risks involved and shows you how to manage them. Covering the relevant legislation on information security and data protection, the author combines his legal expertise with a solid, practical grasp of the latest developments in IT to offer a comprehensive overview of a highly complex subject.

Rupert Kendrick was formerly a practising solicitor. More recently he has been a director in a risk management consultancy, addressing legal IT and Internet risk issues. Rupert Kendrick is the author of Outsourcing IT: A Governance Guide, also published by IT Governance.

Buy this book today!

More to explore:

CyberWar, CyberTerror, CyberCrime by Julie E. Mehan
Managing Information Security Breaches by Michael Krausz
How to Survive a Data Breach by Stewart Mitchell

Special Offer: Find your route to a cost-effective and ISO27001 compliant ISMS

December 12th, 2011

Used together, the No 3 ISO 27001 Comprehensive ISMS toolkit and the ICT Strategy toolkit will help you:

  • Accelerate your ISO 27001 project
  • Develop an ISO27001-compliant Information Security Management System (ISMS)
  • Create an ICT strategy
  • Cut costs
  • Control risks

Until the 23rd December 2011, the ICT strategy toolkit is FREE when you buy the No 3 ISO27001 Comprehensive ISMS toolkit!

These toolkits go hand in hand when implementing a cost-effective and ISO 27001 compliant ISMS.

Accelerate your ISO27001 project with the No 3 toolkit, and get the ICT Strategy toolkit absolutely free when you order before 23rd December.

No 3 ISO27001 Comprehensive ISMS Toolkit

RRP: £1931.90
Price: £1795.00
You Save: £136.90

Order this toolkit before Friday 23rd December 2011 and receive the ICT Strategy Toolkit absolutely free!

Simplify IT Security Implementation

December 7th, 2011

IT risk and business resilience are among the most important security issues facing organisations today.

Effective cyber security depends on co-ordinated and integrated preparation for responding to, and recovering from, a range of possible cyber attacks. Security standards help you manage these risks, and implementing them is simpler when you use proven toolkits.

Each of the following toolkits has been used by organisations across the globe to implement standards and, in many cases, to achieve certification.

Buy any of these toolkits before December 23rd 2011 and you will also receive a free ICT Strategy Toolkit.

ICT Strategy Toolkit: FREE with these best-selling toolkits until December 23rd 2011!

ITSM, ITIL® & ISO/IEC 20000 Implementation Toolkit
Price: €575.95
Adopt ITIL and achieve ISO20000 with this toolkit

PCI DSS Documentation Compliance Toolkit (V2.0)
Price: €299.95
Protect customer data and become PCI compliant with this toolkit

BS25999 BCMS Implementation Toolkit
Price: €469.95
Ensure your organisation is resilient with this toolkit

IT Governance Framework – Toolkit
Price: €589.95
Improve IT governance within your organisation with this toolkit

IT Governance toolkits are designed to give you the knowledge and information you need to implement a management system or standard cost-effectively and to accelerate organisational learning.

Buy any of these toolkits before December 23rd 2011 and receive a free ICT Strategy Toolkit.

Top nine cyber security threats for 2012

December 7th, 2011

Imperva, the data security specialist, has issued its nine top cyber security issues for 2012:

1. Security decisions will be driven by security rather than by regulation. The growing hacker ecosystem and the steady stream of data breaches will mean businesses protect themselves out of necessity, not merely to satisfy regulators.

2. The rise of ‘cyber brokers’: a growing market in compromised machines that hold sensitive data.

3. Hackers will increasingly automate attacks on social media.

4. Time will be wasted as IT professionals focus on policing end-user devices and cloud access instead of controlling data at the source.

5. Inadequate security around big data (NoSQL) stores will hold back their integration as third-party components within companies.

6. Organisations will have to look for tools to protect and control access as internal collaboration suites (such as Microsoft SharePoint and Jive) are deployed in externally facing ‘evil twin’ modes.

7. DDoS attackers will increase sophistication and effectiveness by shifting from network-level to application-level attacks, even business-logic attacks; growing exploitation of SQL injection vulnerabilities is cited as one of the modes.

8. HTML5 will give attackers new ways to exploit vulnerabilities in the browsers themselves in order to install malware.

9. Attacks on the worldwide infrastructure that supports SSL are on the rise (2011 saw the compromise of certificate authorities such as Comodo and DigiNotar). Imperva expects these attacks to reach a tipping point in 2012 and, in turn, to prompt serious discussion about real alternatives for secure web communications.

Source: Works Management

Protect your business in 2012 with the No 3 ISO27001 Comprehensive ISMS Toolkit.

This toolkit contains everything you need to accelerate your ISO 27001 project and manage risks such as those listed above: documentation templates, practical and informative books, and an ISO 27001-compliant risk assessment tool.

Buy before Friday 23rd December 2011 and receive the ICT Strategy Toolkit free!

Data breaches in US hospitals jump by a third

December 6th, 2011

The number of data breaches at US healthcare organisations rose by 32% in 2011, costing the industry an estimated $6.5 billion.

President Obama's administration has been offering doctors and hospitals incentives to adopt electronic health records. The report suggests this has had a side effect: hospitals have spent their time, money and effort on acquiring the equipment while leaving patient data security behind.

The report, by the Ponemon Institute, also found that 49% of healthcare organisation breaches involved lost or stolen devices containing sensitive data. The majority of the hospitals surveyed said they use mobile devices to transmit patient data, but only 38% said they were confident in the security of those devices.

The solution?

Use hardware-encrypted storage. SafeStick is a secure USB stick with 256-bit AES hardware encryption and a FIPS 197-certified AES implementation. (FIPS 197 is the AES algorithm specification itself; it is not the same as FIPS 140-2 module validation, so check which one your procurement policy actually requires.)

The stick includes brute-force lockdown protection: if the password is entered incorrectly a set number of times, the SafeStick is disabled or the data on it is wiped, so a lost stick cannot simply be attacked offline until the password is guessed.

Over 1 million SafeSticks are now in use in the NHS (UK), helping to keep patient data and other confidential data secure.

A lost SafeStick is a lost device, not a data breach, which is why the report's most common breach cause matters far less once removable media is encrypted. Find out more.