News Recap: Rise of Mobile Payments Dominates Security Concerns for 2015

By | January 8th, 2015|Uncategorized|

SecurityAs experts weighed in this week with their predictions on security trends that will shape the coming year, the growth of mobile payments and mobile banking quickly emerged as a popular topic of focus.

Steve Weisman of USA Today shared his predictions on top cyber trends to come in 2015, among them, the concern that as personal banking and financial transactions become “increasingly mobile,” they will become a larger target of hackers. Weisman points to Europe (which has implemented mobile banking for longer) as an example, saying we can learn from the issues the country has faced with hackers “even being able to defeat dual factor identification.” Weisman advises that “malicious apps that are unwittingly downloaded” are often a root cause of smartphone security, and that “limiting sources for apps to legitimate vendors can help limit vulnerability.”

Stuart Dredge of the Guardian also expressed his concerns with mobile payments, stating that “several security companies expect cyber criminals to crack [Apple Pay] and its rival services in 2015.” Dredge points specifically to the fact that cyber criminals will be looking for flaws in these newer systems, especially if user adoption picks up in 2015, as “hackers tend to attack popular platforms where the yield is likely high.”

Forbes contributor Sue Poremba also highlighted attacks against virtual payment systems as a key concern for 2015. Quoting Patrick Nielsen of Kaspersky Lab, Poremba writes that cyber criminals will focus on “attacks against banks/virtual currency operators, the end users and their devices, and everything in-between.” Nielsen comments that we have already seen “examples of malware stealing virtual wallets from users’ devices.”

When considering the biggest security trends to come this year, is the rise of mobile payments on your list? Let us know your thoughts on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

Security Trends: A Look Back at 2014 and Ahead to 2015

By | December 11th, 2014|Uncategorized|

Security Trends2014 was a busy year for the security industry, with an unprecedented number of breaches, malware strains and POS hacks. With cybercrime becoming an unfortunate but increasingly common consequence of seemingly benign Internet activities, business and consumers alike will have to up the ante on the measures they use to protect themselves. Here’s a round up of some of 2014’s most talked about security problems and some measures that can help mitigate their prevalence in the new year.

Medical Identity Theft
Looking Back: As CSID President Joe Ross discussed in his Huffington Post column, medical identity theft has become an easy and lucrative target for criminals.

Looking Forward: Our recent webinar highlighted a number of effective best practices to reduce the opportunities for medical identity theft. We suggest auditing third party vendors who can access patient credentials and implementing a robust authentication system across all business platforms. With medical identity theft likely to increase in the new year, businesses must continue to practice diligent monitoring and alert techniques to circumvent the problem.

Recruiting Top IT Talent
Looking Back: Over the past few years we have seen a shortage in cyber security and IT talent, and this has become even more difficult as demand continues to surpass supply.

Looking Forward: While there is no overnight resolution to the talent deficit, talent advisory company CEB has identified two significant shifts that can help the industry expand the number of potential candidates:

  1. Look to other IT hubs – Silicon Valley has long been the center of IT activity, but looking beyond to incubator cities like Denver, Phoenix and CSID’s hometown Austin can help expand the pool of potential candidates.
  2. Changing the competency evaluation model – While traditional skills are still necessary, looking for individuals who can learn and adapt quickly to IT needs can help businesses change with the pace of the industry.

Additionally, look out for information on our upcoming SXSW Interactive panel where we will discuss ways to recruit talent and encourage malicious hackers to move away from dark web practices and use their skills and expertise for good.

Tackling Global Identity Theft And Data Breaches
Looking Back: Identity theft – as well as that which occurs through data breaches – is an increasingly global issue, particularly as we all become more connected and dependent on the digital world.

Looking Ahead: The first step towards confronting identity theft with viable solutions is to recognize that the problem requires global collaboration and strategies. While tools like our comprehensive Global Protector can help protect businesses and consumers against breach on a global scale, government initiatives and global agendas must also be implemented to confront the issue. We will discuss solutions and a comprehensive global approach to the problem in our panel at the 2015 SXSW Interactive conference.

What do you think will be our biggest security challenge in 2015? Tell us your predictions on Twitter, Facebook or LinkedIn.

2014 Verizon Threat Intelligence Report: A Snapshot of Results

By | April 30th, 2014|Uncategorized|

Verizon ReportWe love data here at CSID, and one of the things we look forward to each year is Verizon’s annual Data Breach Investigations Report. This annual report takes a look at the past year’s cyber security incidents and identifies trends, statistics and provides analysis. This year’s report looked at over 63,000 global security incidents from 2013 – an alarming number that underscores the myriad of cyber security challenges that consumers and businesses face. We recommend giving the report a look, but if you are pressed for time, here are a few observations from this year’s report that mirror some of the trends that we’ve been seeing here at CSID.

2013 was the year of Point-of-Sale system attacks.

The Verizon report looked at 198 total Point-of-Sale (POS) system incidents, all of which resulted in data loss. In previous years, POS system attacks were mostly confined to SMBs, and they still largely are. But the high profile, high impact breaches of Target and Niemen Marcus in late 2013 brought the vulnerabilities inherent in POS systems into the limelight. To learn more about how POS system breaches happen, check out this Huffington Post piece by CSID president, Joe Ross. Overall, POS breaches have been decreasing over the last several years, but a resurgence in RAM scraping malware and the popularity and success of the Target breach may change this trend in 2014. The FBI has warned retailers to prepare for more cyber attacks of this sort.

When it comes to security, humans are your weakest link.

We’ve said this before and we’ll say it again, if you have a human component to your security system (and most security systems do) that human is going to be the likeliest source of a breach. Verizon accounts for this in their “Miscellaneous Errors” section of the report and aptly states in their key findings “people screw up sometimes.” The most common miscellaneous error that resulted in lost data was misdelivery (44% of 16,554 analyzed incidents), which includes sending paper documents or emails to the wrong recipients. Misdelivery is followed by publishing errors (22%) and disposal errors (20%). Keeping human error in mind, some businesses we have spoken with over the past couple of years are operating under the assumption that employee and consumer credentials are already compromised and are taking proactive measures to mitigate the financial and reputation impact of these compromised credentials. Our ETI service offers a good solution for this approach.

Device theft and loss will gain importance as more businesses adopt BYOD.

This category is pretty self-explanatory – when a laptop or phone with sensitive information goes missing, that constitutes a data breach. While the loss or theft of devices isn’t really “cyber-y”, they do make up a large portion of the data loss incidents reported by businesses. This is especially true for the healthcare industry. In October 2013, Seton Hospital here in Austin, Texas had an unencrypted laptop stolen that held medical data for more than 5,000 patients. The type of data theft and loss holds a valuable lesson – when it comes to cyber security, we can’t forget the basics. Sensitive data must be stored and encrypted properly, businesses need to implement BYOD security procedures that can mitigate the impact of a lost device, and employees and consumers need to exercise common sense and not leave a laptop of phone aimlessly unattended or generally unsecured.

There is a lot more data and insight to be gleaned from this year’s report. Take a look and let us know what you found most interesting on Facebook or Twitter.

Security Insights: 8 Cyber Security Predictions for 2014

By | December 31st, 2013|Uncategorized|

Cyber security in 2013:

“Cyber security took center stage in 2013 with nation-state attacks, numerous high-profile data breaches and prominent cybercriminal arrests. According to Websense, in 2014, cyber attacks will be even more complex and diverse. While the general volume of advanced malware will decrease – we predict the volume of targeted attacks and data destruction incidents will increase.” – InformationWeek

Websense 2014 Security Predictions:

  1. Advanced malware volume will decrease – Cybercriminals will rely less on high-volume advanced malware because over time it runs a higher risk of detection. They will instead use lower volume, more targeted attacks to secure a foothold steal user credentials and move unilaterally throughout infiltrated networks. Although the volume of attacks will decrease, the risk is even greater.”
  2. A major data-destruction attack will happen – Historically, most attackers have used a network breach to steal information for profit. In 2014, organizations need to be concerned about nation-states and cybercriminals using a breach to destroy the data. Ransomware will play a part in this trend and move down market to small – and medium-sized organizations.”
  3. Attackers will be more interested in cloud data than your network – Cybercriminals will focus their attacks more on data stored in the cloud vs. data stored on your network. This tactical shift followed the movement of critical business data to cloud-based solutions. Hackers will find that penetrating the data-rick cloud can be easier and more profitable than getting through the “castle walls” of an on-premise enterprise network.”
  4. Redkit, Neutrino and other exploit kits will struggle for power in the wake of the Blackhole author arrest – The Blackhole exploit kit was arguably the most successful in history. Everything changed in October 2013 when “Paunch,” the alleged hacker author behind the famous kit, was arrested in Russia. We will see a fight for market leadership between a number of new entrants and existing exploit kits in 2014. We anticipate Redkit and the Neutrino exploit kit will secure a strong foothold in the coming year.”
  5. Java will remain highly exploitable and highly exploited – with expanded repercussions – Most end points will continue to run older versions of Java and therefore remain extremely exposed to exploitation. IN 2014, cybercriminals will devote more time to findings new uses for tried-and-true attacks and crafting other aspects of advanced, multi-stage attacks. Attackers will reserve zero-day Java exploits for targeting high-value networks with good Java patching practices.”
  6. Attackers will increasingly lure executives and compromise organizations via professional social networks – As social networking continues to appeal to the business community in 2014, attackers will increasingly use professional websites, such as LinkedIn, to research and lure executives. This highly targeted method will be used to gather intelligence and compromise networks.”
  7. Cybercriminals will target the weakest links in the ‘data-exchange chain’ – Attackers will go after the weakest links in the information chain and target the consultants outside of the network who have the most information. This includes consultants, contractors, vendors and others who typically share sensitive information with the large corporate and government entities. And, it turns out, few of these partners have sufficient defenses.”
  8. Mistakes will be made in ‘offensive’ security due to misattribution of an attack’s source – For several years, we’ve been hearing more about ‘offensive’ security, where global governments and enterprises have been threatening retaliatory strikes against anyone caught attacking them or their interests. As in traditional warfare, tactical mistakes will increasingly happen in these cyber trenches. Failure to accurately identify a cyber-perpetrator could result in an innocent organization being caught in the crossfire.”

Source: InformationWeek

How to stay secure:

A company cannot stay secure without the help of every singe employee. Below are some tips that you can follow in order to help your company stay secure:

  • Stay informed on emerging trends and threats, such as phishing, viruses, Trojans, etc. via (newsletters, training, etc.)
  • Follow all policies and procedures including Clean Desk Policy
  • Do not re-use, write down or share passwords under any circumstances
  • Create strong passwords consisting of a combination of capital letters, lowercase letters, special characters, and digits (B36o0d!4975$)
  • Verify someone’s identity before providing them any information

– Kristin Badgett, CSID Information Security Officer

What are your security predictions for 2014? Let us know on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

Load More Posts