January 22, 2025

Records Compromised in Data Breaches Skyrocketed in 2014: Research

Posted on February 16, 2015 by in Security

Security firm Gemalto released a report on 2014 data breaches recently and the news was not good.

In its latest Breach Level Index report, the company revealed that one billion records were compromised last year in more than 1,500 data breaches worldwide. Compared to 2013, those numbers are an increase of nearly 80 percent in terms of data records and more than 40 percent in terms of breaches overall.

Gemalto’s Breach Level Index calculates the severity of data breaches across multiple dimensions based on breach disclosure information. Among the notable attacks included in the report are the Home Depot breach, the attack on JP Morgan Chase and the attack on eBay. 

“Easily at the top of the list in terms of the number of breaches was North America with 1,164 breaches, accounting for about three quarters of all breaches (76%),” according to the report. “Those attacks involved more than 390 million records, or 38% of the total.”

According to the data in the BLI, the main motive for cyber-criminals in 2014 was identity theft. Fifty-four percent of all data breaches were identity-theft related – more than any other category, including access to financial data. In addition, identity theft breaches accounted for one-third of the most serious incidents. Incidents where the compromised data was encrypted in part or in full increased from one percent to four percent.

“We’re clearly seeing a shift in the tactics of cybercriminals, with long-term identity theft becoming more of a goal than the immediacy of stealing a credit card number,” said Tsion Gonen, vice president of strategy for identity and data protection at Gemalto, in a statement. “Identity theft could lead to the opening of new fraudulent credit accounts, creating false identities for criminal enterprises, or a host of other serious crimes. As data breaches become more personal, we’re starting to see that the universe of risk exposure for the average person is expanding.” 

Broken down by industry, retail and financial services experienced the most activity compared to other sectors. Retail companies saw an increase in data breaches compared to 2013, and accounted for 11 percent of all breaches in 2014, according to the report. However, in terms of data records compromised, the percentage of retail records jumped drastically, from 29 percent to 55 percent. This was due in large part to attacks on point-of-sale systems, according to the report. 

In the case of the financial sector, the number of breaches remained relatively unchanged, though the average number of records lost per breach increased ten-fold. Overall, the number of data breaches involving more than 100 million compromised data records doubled compared to 2013. Most of the time, the malicious activity was traced to an outsider (55 percent), though 25 percent of incidents were tied to accidental loss. Fifteen percent were linked to a malicious insider. 

“Not only are data breach numbers rising, but the breaches are becoming more severe,” said Gonen. “Being breached is not a question of ‘if’ but ‘when.’  Breach prevention and threat monitoring can only go so far and do not always keep the cyber criminals out. Companies need to adopt a data-centric view of digital threats starting with better identity and access control techniques such as multi-factor authentication and the use of encryption and key management to secure sensitive data. That way, if the data is stolen it is useless to the thieves.” 

The full report can be read here.


Brian Prince is a Contributing Writer for SecurityWeek.


SecurityWeek RSS Feed

Hackers Target Malaysia Airlines, Threaten Data Dump

Posted on January 26, 2015 by in Security

Malaysia Airlines Defaced

The Malaysia Airlines website was commandeered Monday by hackers who referenced the Islamic State jihadists and claimed to be from the “Lizard Squad”, a group known for previous denial-of-service attacks.

The website’s front page was replaced with an image of a tuxedo-wearing lizard, and read “Hacked by LIZARD SQUAD — OFFICIAL CYBER CALIPHATE”.

It also carried the headline “404 – Plane Not Found”, an apparent reference to the airline’s puzzling loss of flight MH370 last year with 239 people aboard.

Media reports said versions of the takeover in some regions included the wording “ISIS will prevail”.

The airline did not immediately respond to a request for comment.

The Lizard Squad is a group of hackers that has caused havoc in the online world before, taking credit for attacks that took down the Sony PlayStation Network and Microsoft’s Xbox Live network last month.

The Islamic State, an extremist Sunni Muslim group, has seized large swathes of Syria and Iraq, where it has declared an Islamic “caliphate”.

It has drawn thousands of fighters from across the globe to its anti-Western cause, and shocked the world with its video-taped executions of journalists and other foreigners it has captured, the most recent being a Japanese security contractor it claimed Sunday to have beheaded.

A second Japanese captive being held by the militants has also been threatened with execution.

The IS group, which uses social media in recruiting and spreading its message, is believed to harbour ambitions of launching a cyber-war against the West.

It is unclear why Malaysia Airlines was targeted.

But concern has been rising in Malaysia after scores of its citizens were lured to the IS cause in the Middle East. Malaysian authorities last week said they have detained 120 people suspected of having IS sympathies or planning to travel to Syria.


© AFP 2013



AT&T Admits Insider Illegally Accessed Customer Data

Posted on October 6, 2014 by in Security

AT&T is advising customers that a rogue employee illegally accessed their personal information.

In a breach notification letter sent to customers and the Vermont attorney general, AT&T explained the breach occurred in August. The employee responsible is no longer with the company.

According to the letter, the employee was able to view and may have accessed customer information ranging from social security numbers to driver’s license numbers. In addition, while accessing user accounts, the employee would have been able to view their Customer Proprietary Network Information (CPNI) without authorization. CPNI data is associated with services customers purchase from AT&T.

It is not clear how many customers were affected by the breach or if consumers in other states may have been involved.

“AT&T’s commitments to customer privacy and data security are top priorities, and we take those commitments seriously,” according to the letter.

“Simply stated, this is not the way we conduct business, and as a result, this individual no longer works here,” the letter notes.

AT&T is offering affected consumers a year of free credit monitoring, and said in the letter that any unauthorized changes that had been made to accounts would be reversed. The company has contacted federal law enforcement as well.

Earlier this year, employees of one of AT&T’s service providers accessed customer information without authorization as well. According to AT&T, the perpetrators in that case were trying to gather information that could be used to request codes to unlock AT&T mobile phones so that they could be used with other telecommunications providers.

“Insiders are worse than hackers because there’s no way to protect against them that’s truly effective,” opined Jonathan Sander, strategy and research officer for STEALTHbits Technologies. “If you need to do business, you need people to access information. If the wrong person or the person in the wrong frame of mind decides to use that access badly, what can you do?”

“This proves, yet again, that humans are the weakest link in any security plan,” he added. “It’s the old IT administrator joke about a system error called PEBKAC – Problem Exists Between Keyboard And Chair.”

Brian Prince is a Contributing Writer for SecurityWeek.


Consumers Ready for Internet of Things, But Fear Data Privacy and Security Implications: Survey

Posted on June 23, 2014 by in Security

Security vendor Fortinet released a survey that shows homeowners want to embrace the Internet of Things (IoT), but are worried about privacy and security.

In a survey of 1,801 homeowners, Fortinet found that 61 percent of U.S. respondents believe the connected house – a home where appliances and home electronics are seamlessly connected to the Internet – is “extremely likely” to become a reality during the next five years. Eighty-four percent of homeowners in China felt that way.

But the excitement over the prospect is tempered by security concerns. A majority of respondents (69 percent) globally said they were extremely or somewhat concerned a connected appliance could result in a data breach of sensitive information. Among U.S. homeowners, the figure was 68 percent. When asked how they would feel if a connected device in their home was secretly or anonymously collecting information about them and sharing it with third parties, 62 percent said they would feel “completely violated and extremely angry to the point where I would take action.” The strongest responses came from South Africa, Malaysia and the U.S., with the U.S. coming in at 67 percent.

Fifty-seven percent of respondents in the U.S. also agreed with the statement that “privacy is important to me, and I do not trust how this type of data may be used.”

“The Internet of Things promises many benefits to end-users, but also presents grave security and data privacy challenges,” said John Maddison, vice president of marketing at Fortinet, in a statement. “Crossing these hurdles will require clever application of various security technologies, including remote connection authentication, virtual private networks between end-users and their connected homes, malware and botnet protection, and application security − applied on premises, in the cloud and as an integrated solution by device manufacturers.”

Many respondents said they felt they should have access to any data collected by a connected home appliance. Sixty-six percent said that only themselves or others whom they have given permission should have access to this information. In the U.S., the number was 70 percent, with about a quarter also stating they thought the device manufacturer or their Internet Service Provider (ISP) should have access to the collected data as well.

Forty-two percent said the government should regulate collected data, while 11 percent said regulation should be enforced by an independent, non-governmental organization. In the United States, only 34 percent of respondents felt the government should regulate collected data.

Still, the respondents felt the device manufacturers should be primarily responsible for securing the device if a vulnerability is found. Forty-eight percent of all those surveyed agreed that the manufacturer is responsible for updating and patching their technology. However, almost 31 percent responded that it was the responsibility of the homeowner to keep the device up to date.  

“The battle for the Internet of Things has just begun,” Maddison said. “According to industry research firm IDC, the IoT market is expected to hit $7.1 trillion by 2020. The ultimate winners of the IoT connected home will come down to those vendors who can provide a balance of security and privacy vis-à-vis price and functionality.”

Brian Prince is a Contributing Writer for SecurityWeek.


Mobile Ad Libraries Put Enterprise Data at Risk, Firm Says

Posted on June 4, 2014 by in Security

Mojave Networks Introduces Mobile Application Reputation Feature

Mojave Networks has added a new feature to the company’s professional and enterprise services in an effort to help organizations minimize the risks posed by the mobile applications used by their employees.

According to the company, organizations can use the new feature to discover potential risks by analyzing data collected and transmitted from mobile apps, and create policies for data loss prevention based on the information.

The new mobile application reputation offering, which is available immediately, includes features like customizable analytics, categorization of apps by risk level, application tracking, and integration with device management and network security solutions.

“The ‘bring your own device’ (BYOD) trend is transitioning to ‘bring your own applications’ (BYOA) as users download more and more apps to share data, increase productivity and stay connected,” noted Garrett Larsson, CEO and co-founder of Mojave Networks.

“If any application running on a mobile device connected to the network is insecure, it can put highly sensitive corporate data at risk. Our new application reputation feature can help enterprises improve their mobile security posture by eliminating the risk of insecure applications.”

The company analyzes over 2,000 mobile apps every day by tracking 200 individual risk factors in 15 different categories. In addition to static and dynamic analysis, Mojave Networks said that it uses data from real-world usage of the tested applications to determine if an application is safe.

One risk that’s particularly problematic for enterprises is when private data is collected and sent to remote Web APIs, the company warned.

“Some of the most significant risk factors affecting corporate employees and individual mobile users, such as data loss and PII collection, occur not by the application itself, but within mobile advertising libraries and other library components such as social media or analytic tools,” Ryan Smith, Mojave’s lead threat engineer, explained in a blog post.

Based on the analysis of more than 11 million URLs to which mobile apps connect, Mojave Threat Labs determined that business users connect to at least as many data-gathering libraries as consumers. During its analysis, the company found that 65% of applications downloaded by business users connect to an advertising network, and 40% of them connect to a social network API.

“It is critically important that users and IT Administrators understand what data is being collected from their devices, where it is being sent, and how it is being used. Given that the majority of the sensitive data being collected occurs within these third party libraries such as ad networks, social media APIs, and analytics tools, it is therefore important to fully understand each of the libraries included in your mobile apps,” Smith noted.

Founded in San Mateo, CA in 2011, Mojave Networks raised a $5 million round of funding in November 2013, in addition to launching a cloud-based, enterprise-grade solution that protects mobile devices starting at the network level.

Previous Columns by Eduard Kovacs:



A Strategic Sea-Change in Protecting the Security of Private Data

Posted on March 4, 2014 by in Security

Balancing data privacy and data security is a long-standing information security challenge. Historically, companies have focused their response efforts on establishing strong perimeter and endpoint controls; data was considered at risk from external actors, and protected by encryption, DLP, and network controls, but often left open to insiders without respect to role and need to see the information. Success and failure were measured in terms of data access; if an outsider was able to read company data, the security program had failed.

The public cloud has changed this model, however. The very market forces that sparked the explosive adoption of public cloud platforms (mobile technology, a robust app market, consumerization of IT, and the technological convergence of our personal and professional lives) have rewritten the rules for how and where users are accessing and sharing their information. In allowing employees to bring their devices to work, organizations have created expectations around access and efficiency that are radically different from the top-down control model that dominated the previous decade. More importantly, the decision as to whether to implement public cloud technologies such as SaaS applications has been made already, by those very users; fail to address their needs, and they will simply use consumer-grade alternatives of their own accord.

As security professionals, the initial response — to simply block all applications coming in from a cloud environment — is no longer the most appropriate or most effective way to respond to the market’s demands for information protection and security. Where companies establish restrictive controls, end-users are presented with myriad options for circumventing them; where collaboration technologies were once the domain of IT, they have become democratized, and end users who are familiar with traditionally consumer-focused apps such as DropBox or Box are likely to bring those technologies into play if alternatives like Google Apps or Salesforce are locked down by organizational policies, preventing them from operating in a way that maximizes their efficiency.

In response, organizations need to rethink how they approach the challenge of data management. Engaging the user when working through data security is something that most companies have come to accept; the question that remains is how they can also enforce data privacy rules, through which highly sensitive information is protected from inadvertent exposure and external threat without driving users “underground” into consumer-grade filesharing applications.

A Change in Expectations

End users often feel comfortable working with familiar apps that have not been subject to a security review because they do not see evidence of risk. As an industry trend, this is understandable; even catastrophic data breaches often go undetected by IT and InfoSec teams for months prior to discovery.

The delay in detection is not equivalent to a delay in damage, however. Even if a given file is only theoretically externalized, and no indicators suggest that sensitive or regulated data has been viewed by a malicious party, the exposure itself can be a data breach sufficient to warrant regulatory response.

Are your people the problem, or the solution?

What needs to change is the perception that the primary role of IT is in safeguarding and blocking data from being viewed by an outsider. The notion that the company’s employees are the source of risk is counterproductive when translated to attempts at formulating a solution; given the tremendous autonomy that the cloud grants the typical user today, especially when they own and control the endpoint devices being used to access organizational information, it is clear that security needs to make all of the people who interact with sensitive data and systems participants (and even custodians) of information security.

Putting the Pieces Together

Training is a fundamental part of the change process. Information security threats are constantly evolving and changing; to assume that your people inherently have a full understanding of the risks they are confronted with and the appropriate skills to respond is foolhardy. Make them aware of the risks, make them aware of the practices they should follow to protect data security, and importantly, make them aware that their performance in safeguarding information assets can and will be measured.

Supporting this effort requires the implementation of a risk appropriate response framework: content awareness to differentiate sensitive and mundane data, encryption where it makes sense, and the ability to easily and efficiently monitor your total risk space. Consider the following elements:

– Content Awareness: the ability to discover and classify information assets on the network that belong inside the secure perimeter, right down to the level of individual words and numbers. This allows you to flag files containing potentially sensitive data such as social security numbers, health information, credit card data, or internal IP, without manually parsing the contents.

– Risk-appropriate Encryption: Encryption is a tool, and a necessary component to a good security framework, but it is not a solution in itself. It should be an iterative response, one that builds on the content-aware policies that an organization puts in place; ideally, users will be able to self-select which files should be encrypted, to add a defense-in-depth security layer to their sharing activities. This might then be extended by policy-driven encryption actions, which can automatically encrypt files considered highly sensitive; note that this is different from universally applied encryption designed to establish a perimeter, but without any means of protecting against insider threat.

– Consolidated Security View: As mentioned above, one of the primary challenges around information security is how to narrow the gap between an incident and its detection. Any strategy designed to support a cloud security model should address this; a particularly effective approach will entail the consolidation of incidents into a single interface, highlighting policy violations, end-user data access activities, geo-awareness regarding logins and data access, and application risk in a single view.

Importantly, by enlisting information workers as part of the data security system, this total solution approach changes the equation in security management. The organization’s staff can become a vital part of the process of protecting secure information assets, rather than working at cross-purposes with InfoSec efforts, and instead of pushing users away from the environment and into consumer apps, they can be converted into essential perimeters unto themselves.

The cloud is already here; talking about adoption in 2014 is passé, because users have and will continue to find ways to move your data into cloud platforms, and will do so even more quickly when forced by overly coercive policies. Instead of trying to obfuscate and block, or worse, attempting to solve for a threat that no longer exists (that is, the perimeter security model), change your focus. We as an industry are on the cusp of a technological paradigm shift; you need to decide whether you will embrace that change, or be cast aside by it.

Gil Zimmermann is co-founder & CEO of CloudLock. Prior to founding CloudLock, he was an Entrepreneur-In-Residence (EIR) at Cedar Fund. He has held key business positions in both small and large companies (Backweb, Sun Microsystems, EMC Corporation), beginning his career in the Israeli Defense Forces (IDF) with several technology leadership positions in the Military Intelligence Elite Computer Projects Unit. Gil has a High-Tech MBA from Northeastern University, and holds a double major BA in Computer Science and Philosophy from Tel Aviv University, and is a graduate of MAMRAM (Israeli Defense Forces’s elite software engineering program).


Hackers Steal User Data From Kickstarter

Posted on February 16, 2014 by in Security

Kickstarter, a web site that serves as a funding platform for creative projects, said on Saturday that malicious hackers gained unauthorized access to its systems and accessed user data.

“On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data,” Yancey Strickler, Kickstarter’s CEO, wrote in a security notice. “Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.”

According to Strickler, customer information accessed by the attacker(s) included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords.

“Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one,” Strickler said.

The company said via Twitter that “old passwords used salted SHA1, digested multiple times. More recent passwords use bcrypt.”

Strickler said that no credit card data was accessed by the attackers, and that so far only two Kickstarter user accounts have seen evidence of unauthorized activity.

Kickstarter did not say how many user accounts were affected in the breach, but the company says that since launching in 2009, more than 5.6 million people have pledged $980 million, funding 56,000 creative projects through its platform.

“As a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password,” the advisory suggested.

“We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come,” Strickler wrote. “We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.”

*Updated with additional details on password encryption.

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:



Website aggregates compromised accounts from many information breaches

Posted on October 22, 2013 by in Security

A unique site built by Troy Hunt allows potential information breach victims to discover compromised accounts from many high-profile breaches.

SearchSecurity: Security Wire Daily News