Posts Tagged ‘statistics’

Organizations Fail to Mitigate Security Risks

Tuesday, September 29th, 2009

The SANS Institute has just released the results of a comprehensive study on the topic of cyber security risks. The study is based upon prevention systems in 6,000 organizations and vulnerability data from 9 million systems. The study indicates that there are two major risks out there to organizations, both of which could be mitigated.

Cyber attacks are a growing issue for organizations of all sorts, with new and sophisticated attacks being created every day. Though organizations may have difficulty keeping up with the threat landscape, this study found that organizations are not doing what they could to mitigate the two largest risk areas. Specifically, client-side software remains unpatched, and websites are not being scanned for the common flaws that criminals use to exploit visitors to those sites.

Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access.

The ultimate goal of attackers is to steal information and to install “back doors” so that the attacker can return to further exploit organizational systems. The study found that major organizations take at least twice as long to patch client-side vulnerabilities as they do to patch operating system vulnerabilities. Addressing this single issue could drastically reduce your risk of being exploited. What this also means is that the question of Mac vs PC is not going to be your solution to mitigating risk, as these risks come from cross-platform applications and from the Internet.

The report, which is available here, targets major organizations that want to ensure their defenses are up to date. The report shows some interesting patterns in the data and includes a tutorial on how some of the most damaging attacks actually work. You may find it handy to print this report off to study the graphs in detail.

Social Networks Primary Target for Hackers in 2009

Friday, August 21st, 2009

Breach Security has released its Web Hacking Incidents Database (WHID) 2009 Bi-Annual Report, indicating that social networking sites were the most targeted market for hackers so far this year.

The data, compiled from application-related security incidents that are publicly reported, indicates that 19% of the hacks in the first half of 2009 were targeting social networking sites like Twitter and Facebook. This is the first year when social networks became an attack sector. In 2008, government was the leading sector being targeted. The data also indicates a 30% increase in overall web attacks compared to the first half of 2008.

“The dramatic rise in attacks against social networking sites this year can primarily be attributed to attacks on popular new technologies like Twitter, where cross-site scripting and CSRF worms were unleashed,” said Ryan Barnett, director of application security research for Breach Security. “Looking back at 2008, a notable election year, government-related organizations were the top-ranked attack victims and have now dropped to number three. The WHID report demonstrates that hackers can be fickle, following popular culture and trends to achieve the most visible effect for their efforts, which means that companies must be vigilant in implementing web application systems and monitoring application activity.”

Download a copy of the report here.

Also making major news right now is the indictment of Albert Gonzalez on charges of hacking into the Heartland Payment Systems. Gonzalez is already awaiting trial over his involvement in the TJX hack, putting him as part of the hacking team behind two of the largest hacker-based breaches in history. Read more here.

Cybercrime on Social Networking Sites Up in 2009

Tuesday, August 4th, 2009

Sophos has released its mid-year Security Threat Report for 2009, which looks at cybercrime for the first half of this year. The report indicates that cybercriminals have increased the focus of their attacks on social networking sites and that hackers are increasingly using scare tactics to solicit users to pay for rogue anti-virus software.

The report indicates that cybercriminals are both exploiting social networks to identify potential victims and then using these networks to attack them. The report encourages Web 2.0 companies to defend their existing users, rather than focusing on growing their userbase at the expense of security standards.

In terms of business data, the survey indicates that two thirds of businesses are worried that information shared by employees online may put their corporate infrastructure at risk. Right now, a quarter of organizations have been exposed to spam, phishing or malware via social networking sites like Facebook, Twitter and MySpace.

Read more about, and download, the report here.

40 Million Identities For Sale Online

Tuesday, July 28th, 2009

According to The Times, more than 4 million British identities and more than 40 million individuals’ identities worldwide are being offered for sale on the internet. The information available for sale includes sensitive financial information (credit card / bank details, some PINs).

This information was reportedly made available online through several means. From what the report indicates, at least 250,000 bank / credit accounts were hacked into. Other information was obtained through phishing, a process that dupes individuals into handing over their details (such as login details or credit card details). The information was intercepted over a four-year period by a British company, Lucid Intelligence, and collated into a single database, allowing these figures to be determined for the first time:

The Lucid Intelligence database contains the records of four million Britons, and 40 million people worldwide, mostly Americans. Security experts described the database as the largest of its kind in the world.

The report from The Times indicates that other sensitive information, such as corporate email access details, is being sold in online forums or hacking websites. This puts companies at risk for data breach issues.

Individuals can search the database for free, for now, to see if their information has been sold online. It will specify what information about you is known – whether it’s just your email address, your mailing address, or higher-risk information such as banking details. You can learn more about the initiative here.

It’s quite an interesting venture – what do you think about it?

US Accounts for 23% of Malicious Computer Activity

Wednesday, July 8th, 2009

Symantec recently released a ranking of which countries are responsible for most of the world’s cybercrime. Countries with high rates of high-speed Internet connections rank the highest on the list, as we’d expect, with the top 3 countries being the US, China and Germany.

Symantec put together this list by looking at malicious code, spam zombies, number of websites hosting phishing sites, number of bot-infected computers controlled by criminals, and country of attack initiation. The study investigated data for 2008 to come up with this list.

Top 10 Countries with Most Cybercrime

  1. United States - 23% share of malicious computer activity
  2. China - 9% share of malicious computer activity
  3. Germany - 6% share of malicious computer activity
  4. Britain - 5% share of malicious computer activity
  5. Brazil - 4% share of malicious computer activity
  6. Spain - 4% share of malicious computer activity
  7. Italy - 3% share of malicious computer activity
  8. France - 3% share of malicious computer activity
  9. Turkey - 3% share of malicious computer activity
  10. Poland - 3% share of malicious computer activity

As you can see, the US accounts for some 23% of the world’s malicious computer activity. That’s a big jump from those countries ranked lower on the list, with the US leading the way on nearly all of the malicious activities tracked by Symantec.

If you download the latest Spam Intelligence report, which looks at spam in the second quarter of 2009, you’ll see that overall levels of spam are on the rise. Malicious websites are also on the rise, with 67% more malicious websites blocked per day in June vs May of this year.

Via businessweek / Image: ppdigital @morguefile

The Laws of Vulnerabilities

Wednesday, May 13th, 2009

Qualys recently published a new report on the Laws of Vulnerabilities 2.0. The report reveals the vulnerability half-life, prevalence, persistence and exploitation for 5 industry segments. The report found that different industries are patching their systems at different speeds.

The report is based on an analysis of 680 million vulnerabilities, from 80 million scans, of which 11% were classified as “critical.” The service industry patches its systems the fastest, with a half-life of 21 days (meaning 50% of all systems were patched within the first 21 days after a fix was released); manufacturing ranked lowest at 51 days.

The 2008 data was compared against the same study done in 2003, revealing an average half-life for patching of 29.5 days, only half a day faster than in 2003. While companies are not speeding up their patching practices, attackers are speeding up their exploits: 80% of vulnerability exploits are now available within single-digit days of the vulnerability’s public release.
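To make the half-life metric concrete, here is an added example (not from the Qualys report) that computes a remediation half-life from periodic scan snapshots and then uses it to estimate what share of systems is still unpatched on the day an exploit becomes available. The segment names and scan counts are constructed for illustration.

```python
"""Patch half-life from scan snapshots (added example; data is constructed)."""

# Constructed scan data: per industry segment, (days_since_fix_released,
# hosts_still_vulnerable). Day 0 is the population before any patching.
SCANS = {
    "services": [(0, 1000), (7, 800), (14, 640), (21, 500), (28, 400), (42, 250)],
    "manufacturing": [(0, 1000), (14, 830), (28, 690), (42, 570), (51, 500), (70, 390)],
}


def half_life_days(samples):
    """Day on which the vulnerable population first drops to 50% of its day-0 size.

    Scans are periodic, so when the 50% mark falls between two scans the day is
    interpolated linearly. Returns None if 50% is never reached in the window.
    """
    samples = sorted(samples)
    day0, base = samples[0]
    target = base / 2
    prev_day, prev_n = day0, base
    for day, n in samples[1:]:
        if n <= target:
            if prev_n == n:  # flat segment: no change, report this scan's day
                return float(day)
            frac = (prev_n - target) / (prev_n - n)
            return prev_day + frac * (day - prev_day)
        prev_day, prev_n = day, n
    return None


def remaining_fraction(half_life, days):
    """Share still unpatched after `days`, assuming exponential decay with this half-life."""
    return 0.5 ** (days / half_life)


def exposure_report(scans, exploit_day):
    """For each segment: (half-life in days, fraction still exposed when the exploit lands)."""
    report = {}
    for segment, samples in scans.items():
        hl = half_life_days(samples)
        exposed = None if hl is None else remaining_fraction(hl, exploit_day)
        report[segment] = (hl, exposed)
    return report


if __name__ == "__main__":
    # Exploit available on day 9: within the "single-digit days" window the report cites.
    for segment, (hl, exposed) in exposure_report(SCANS, exploit_day=9).items():
        print(f"{segment:14s} half-life {hl:5.1f} d   still exposed on day 9: {exposed:.0%}")
```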

Check out the full Laws findings here.

Also check out this interview with FBI Special Agent J. Keith Mularski, who spent 2 years posing as a cybercriminal as part of an undercover operation. Very interesting read.

Via security focus

Health Care Spending Lost to Fraud

Wednesday, April 29th, 2009

The National Health Care Anti-Fraud Association (NHCAA) estimates that 3% of all healthcare spending – about $68 billion – is lost to fraud each year in the United States. The FBI / CDC estimate that figure could be as high as 10%, or $226 billion.

In the past, we’ve talked a great deal about the impact that fraud has on businesses and on consumers, including those affected by medical fraud. But we have yet to talk about the cost – the billions of dollars – this fraud is costing all of us in other ways.

Whether you have employer-sponsored health insurance or you purchase your own insurance policy, health care fraud inevitably translates into higher premiums and out-of-pocket expenses for consumers, as well as reduced benefits or coverage. For employers—private and government alike—health care fraud increases the cost of providing insurance benefits to employees and, in turn, increases the overall cost of doing business.

The NHCAA estimated that in 2007, $2.26 trillion was spent on health care in the US and 4 billion health insurance claims were processed. They conservatively estimated that $68 billion of this was lost to fraud, quite an astounding figure. The majority of health care fraud was found to be committed by a small number of dishonest health care providers submitting false claims to insurers and to public programs. Other types of provider-initiated fraud can be found here.

This abuse of claims can have damaging effects on patients who may find themselves victims of medical identity theft, with their insurance benefits affected by misuse. In addition to providers, organized criminal groups and individuals also perpetrate health care fraud. The report includes examples of crime rings that shifted from illegal drug trafficking to medical fraud schemes, resulting in millions of dollars in fraud.

If you want to learn more about health care fraud, read here.

Hat tip to I’ve been mugged ; Via dotmed ; Image: clipart

Cost of a Lost Laptop is nearly $50,000

Friday, April 24th, 2009

The Ponemon Institute, along with Intel, has released the results of a new study about the Cost of a Lost Laptop. The study concluded that the average cost of a lost laptop was nearly $50k, in both tangible and intangible costs.

The study was prompted by an increasingly mobile workforce carrying around more sensitive data on their laptops than ever before. The study focuses on samples of organizations in the US that have experienced laptop loss or theft within the last 12-month period. The 138 cases involved loss by employees, temporary employees and contractors.

Key Highlights from the Study:

  • The average value of a lost laptop is $49,246 (replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses)
    • The occurrence of a data breach represents 80% of the cost associated with a lost laptop
    • Of the remaining 20% of cost, 59% can be attributed to intellectual property loss
  • The faster a company realizes a laptop is lost, the lower the average cost associated with it
    • If a loss is discovered the same day, the average cost is $8,950
    • If a loss takes more than 1 week to discover, the average cost rises to $115,849
  • Director laptop losses are the most costly
    • The average cost of a lost laptop for a senior executive is $28,449, with the highest costs for managers ($60,781) and directors ($61,040)
  • Encryption saves money, with an average savings of $20,000 for lost laptops with encryption vs those without – but that is less than half the savings from discovering the loss on the day it happened
  • The cost of a lost laptop varies by industry. The average full cost of a lost laptop is highest in the services industry ($112,853) and lowest in manufacturing ($2,184)
  • The average data breach cost of a lost laptop also varies by industry. The highest average data breach cost is in the services industry ($108,699), followed by financial services, healthcare and pharmaceutical. The other industries were far lower.

What the highlights demonstrate is the high cost associated with lost laptops, but also the possibilities for minimizing the damage if companies can quickly identify when laptops are missing. With software such as Computrace by Absolute Software, you can inventory all your mobile computers and devices, know when one is missing and, when it’s stolen, get the Absolute Recovery Team to help find it. You can also do a remote data wipe to ensure your lost data does not fall into the wrong hands. And Computrace with Intel Anti-Theft Technology can lock the computer so it can’t even be booted up. It can easily help reduce the costs of a lost laptop.

Download the White Paper here [PDF]

Also check out Absolute Software’s recent study with the Ponemon Institute: The Human Factor in Laptop Encryption.

7.5% of Americans Victims of Financial Fraud in 2008

Thursday, March 12th, 2009

According to a new report from Gartner, 7.5% of Americans were victims of financial fraud in 2008. Data breaches were the main cause of the financial losses.

Gartner, in its survey of 5,000 adults, showed that 70% of respondents had never been a victim of identity theft / fraud. For those who have, the breakdown includes 14% of respondents who had their credit card data used, 7% had their debit card used, 6% had a new account opened in their name, 5% were the victims of money transfer fraud and 4% had checks forged.

Of those who had been victims of fraud, 19% cited a data breach as the cause. That is the highest figure cited, after which were wallet theft (16%) and online scams (13%). This data clearly shows that data breaches are leading to incidents of identity theft and fraud.

Victims of certain types of fraud are able to recover more easily than others. The cost of most credit card fraud, for example, is not borne by the consumer. However, the survey found that bank account fraud can damage credit rating, sometimes with damage that lasts for more than a year.

The survey indicates that less than one-third of victims reported these crimes to law enforcement and only 5% reported it to the Federal Trade Commission.

Via pogowasright, finextra, CNET ; Image: morguefile / penywise

Data Breaches Under-Reported by Factor of 100

Wednesday, March 4th, 2009

A study released by J. Campana & Associates indicates that data breaches reported in the US may be under-reported by a factor of 100.

The report examines how information has been compromised in the private, public and volunteer sectors from 2005-2008. The report, which shows the risk factors of data breaches per sector, indicates that the vast majority of data breaches reported are from medium and large enterprises. However, these enterprises may be dwarfed by the smaller entities not reporting data breaches.

These smaller entities, with significantly fewer resources and less governance, are highly vulnerable to data loss and may not have the ability to detect or report breaches that do occur. Additionally, mishandling of physical documentation (vs data) often goes unreported. The author suggests that the 1,100 reported data breaches may be as high as 110,000 in reality.

“For example, the smallest units of local government comprise more than 90% of government yet this subsector only reported one breach in four years.”

The data also indicates that though the private sector makes up 94% of all enterprises in the US, it only accounts for 37% of the reported data breaches. The public sector accounts for 55% of all breaches. The major breach type in most sectors involved laptops. 60% of all breaches involve the loss, theft and improper disposal of computers and other devices.

Large data breaches, the “mega breaches”, accounted for less than 2.5% of the 1,100 breaches. However, these breaches accounted for 85% (230 million) of all profiles compromised. The author of the report points out that sensational data breaches are alarming, but we need to be just as concerned with the average data breach, what it looks like, how to detect it, and how to prevent it.

Learn more about “Data Breach Risk Factors 2005-2008: An Information Security Risk Management Resource Guide for Security and Risk Professionals” here. The 55-page report is not free.
