As you can see from the graph above, 57% of the botnets infecting enterprises are considered “small”, which is defined as a botnet with 1-100 active members. However, despite being less well-known, these botnets are potentially more dangerous:

While many people focus on the biggest botnets circulating around the Internet, it appears that the smaller botnets are not only more prevalent within real-life enterprise environments, but that they’re also doing different things. And, in most cases, those “different things” are more dangerous since they’re more specific to the enterprise environment they’re operating within.

The study indicates that many of these small botnets have been created with low-cost or free DIY kits that can be downloaded from the Internet. In most cases, these small botnets are described as “highly-targeted at particular enterprises”, sometimes requiring a degree of familiarity of the breached enterprise. This could indicate an insider threat issue that we previously haven’t seen or talked about. The target data in these small botnets is often professionally managed with financial controller authentication details (for money transfers), customer database and source code being the top targets.

The problem with these small botnets, aside from their very targeted attacks, is that they often evade detection. Though they are small, these botnets are very dangerous! Damballa puts out a product to detect botnets, but I know very little about it. You can do some independent research on your own to determine how your enterprise will try to detect such intrusions.

Via dark reading

Cyber attacks are a growing issue to organizations of all sorts, with new and sophisticated attacks being created every day. Though organizations may have difficulty keeping up with the threat landscape, this study found that organizations are not doing what they could to mitigate the two largest risk areas. Specifically, client-side software is remaining un-patched and websites are not being scanned for common flaws that criminals use to exploit visitors to those sites.

Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access.

The ultimate goal of attackers is to steal information and to install “back doors” so that the attacker can return to further exploit organizational systems. The study found that major organizations take at least twice as long to patch client-side vulnerabilities as they do to patch operating system vulnerabilities. Addressing this single issue could drastically reduce your risk of being exploited. What this also means is that the question of Mac vs PC is not going to be your solution to mitigating risk, as these risks come from cross-platform applications and from the Internet.

The report, which is available here, targets major organizations who want to ensure their defenses are up to date. The report shows some interesting patterns to data and includes a tutorial on how some of the most damaging attacks actually work. You may find it handy to print this report off to study the graphs in detail.

The study was prompted by an increasingly mobile workforce carrying around more sensitive data on their laptops than ever before. The study focuses on samples of organizations in the US that have experienced laptop loss or theft within the last 12-month period. The 138 cases involved loss by employees, temporary employees and contractors.

Key Highlights from the Study:

• The average value of a lost laptop is $49,246 (replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses)
  • The occurrence of a data breach represents 80% of the cost associated with a lost laptop
  • Of the remaining 20% of cost, 59% of that can be attributed to intellectual property loss
• The faster a company realizes of a loss, the lower the average cost associated.
  • If a loss is discovered in the same day, the average cost is $8,950
  • If a loss takes more than 1 week to discover, the average cost rises to $115,849
• Director laptop losses are most costly
  • The average cost of a lost laptop for a senior executive is $28,449, with the highest costs for manager ($60,781) and director ($61,040)
• Encryption saves money, with an average savings of $20,000 for lost laptops with encryption vs those without – but that’s less than half the savings than if you discovered that the laptop went missing the first day it happened
• The cost of a lost laptop varies by industry. The average full cost of a lost laptop is highest for services industry ($112,853) and lowest in manufacturing ($2,184)
•  The average data breach cost of a lost laptop varies by industry. The highest average data breach cost is in the services industry ($108,699) followed by financial services, healthcare and pharmaceutical. The other industires were far less.

What the highlights demonstrate is the high cost associated with lost laptops, but also the possibilities for minimizing the damage if companies can identify when laptops are missing quickly. With software such as Computrace by Absolute Software, you can inventory all your mobile computers and devices, know when one is missing and when its stolen get the Absolute Recovery Team to help find it. You can also do a remote data wipe to ensure your lost data does not fall into the wrong hands. And Computrace with Intel Anti-Theft Technology can lock the computer so it can’t even be booted-up. It can easily help reduce the costs of a lost laptop.

Download the White Paper here [PDF]

Also check out Absolute Software’s recent study with the Ponemon Institute: The Human Factor in Laptop Encryption.

Gartner, in its survey of 5,000 adults, showed that 70% of respondents had never been a victim of identity theft / fraud. For those who have, the breakdown includes 14% of respondents who had their credit card data used, 7% had their debit card used, 6% had a new account opened in their name, 5% were the victims of money transfer fraud and 4% had checks forged.

Of those who had been victims of fraud, 19% cited a data breach as the cause. That is the highest figure cited, after which were wallet theft (16%) and online scams (13%). This data clearly shows that data breaches are leading to incidents of identity theft and fraud.

Victims of certain types of fraud are able to recover more easily than others. The cost of most credit card fraud, for example, is not borne by the consumer. However, the survey found that bank account fraud can damage credit rating, sometimes with damage that lasts for more than a year.

The survey indicates that less than one-third of victims reported these crimes to law enforcement and only 5% reported it to the Federal Trade Commission.

Via pogowasright, finextra, CNET ; Image: morguefile / penywise

The study was conducted in order to understand employees’ perceptions about ensuring information entrusted to their care remains effectively managed. This includes using encryption, strong passwords, and keeping their laptop physically safe when traveling. The study unearthed a number of troubling issues including a perception by employees that encryption solutions make other security measures unnecessary. IT security professionals were the most careful in abiding by precautionary steps in safeguarding data on their laptops, but non-IT employees were not so as careful (with 56% turning off encryption).

92% of IT security professionals indicate that a laptop has been lost or stolen in their organization. Of those stolen, 71% resulted in a data breach. In the event of a theft, companies relying solely on encryption cannot be sure whether all stored data on a laptop has been encrypted, if it has been compromised, or even which files have been accessed by thieves. To help solve security risks that encryption alone cannot adequately address, companies can employ a security solution that can locate a stolen or lost laptop, detect which data has been accessed, and remotely delete sensitive data. Such a solution, like Absolute’s Computrace, is not dependent on the diligent behavior of corporate employees.

“The data suggests that, because of user behavior, encryption alone is not enough to protect mobile devices and the sensitive data stored on them. These statistics are especially disconcerting when combined with our recent studies demonstrating that lost or stolen laptops are the number one cause of data loss, with 3 out of 4 companies experiencing a data breach when a laptop has been lost or stolen.” - Dr. Larry Ponemon, chairman and founder of The Ponemon Institute

“The Human Factor in Laptop Encryption: U.S. Study” key findings:

• 92% of IT security practitioners report that someone in their organization has had a laptop lost or stolen and 71% report that it resulted in a data breach;
• 56% of business managers have disengaged their laptop’s encryption;
• Only 45% of IT security practitioners report that their organization was able to prove the contents of missing laptops were encrypted;
• Only 52% of business managers – employees most likely to have access to the most sensitive data (personally identifiable information and/or intellectual property) – have employer-provided encryption;
• 57% of business managers either keep a written record of their encryption password, or share it with others in case they forget it;
• 61% of business managers share their passwords, compared to only 4% of IT managers; and,
• Business managers are much more likely than IT security practitioners to believe encryption makes it unnecessary to use other security measures for laptop protection.

The survey breaks down the types of encryption solutions used to protect data assets, from whole disk encryption to thumb drive encryption. The same questions were asked to IT professionals vs non-IT professionals (business managers), with differing perceptions of security protocols. Here’s a preview of one of the data segments from the survey:

To receive a full copy of the study on the Human Factor in Laptop Encryption, for the US, UK and Canadian markets, fill out this form.

The study was commissioned in order to understand the risks of an increasingly distributed and mobile business force. With the lines between work life and personal life blurring on a global scale, there are new risks. The collaborative tools that make this type of workforce possible also pose new challenges. Given that security is not just about technology, but about people and their behavior, this is a very interesting examination of the behavioral side of risks to data loss. The results could help businesses better tailor their security policies.

The 10 most noteworthy risks and mistakes by employees were:

1. Altering security settings on computers – 20% of employees bypass IT policy to access unauthorized websites
2. Use of unauthorized applications – 70% of IT professionals said unauthorized applications and websites resulted in as many as half of the data loss incidents
3. Unauthorized network/facility access - 39% of IT professionals said they have dealt with an employee accessing unauthorized parts of a company’s network or facility
4. Sharing sensitive corporate information – 24% of employees admit to verbally sharing sensitive information
5. Sharing corporate devices – 44% of employees share work devices with non-employees
6. Blurring of work and personal devices, communications – nearly two thirds of employees use work computers daily for personal use – music downloads, banking, blogging, chat rooms, personal email
7. Unprotected devices – at least one in three employees leave computers logged on and unlocked when away from their desk. Laptops often are left on desks without logging off.
8. Storing logins and passwords – one in five employees store login / password information on their computer or write them down near their computer
9. Losing portable storage devices - 22% of employees carry corporate data on portable storage devices
10. Allowing “tailgating” and unsupervised roaming – 13% of employees allow non-employees to roam around their offices unsupervised, 18% have allowed unknown people into corporate facilities

Some of these figures have been broken down by country in a great analysis here.

Check out more here:

• Data Leakage Worldwide: Common Risks and Mistakes Employees Make – Summary

Data Leakage Worldwide: Common Risks and Mistakes Employees Make [pdf]

Via network world

Host computers responsible for cyber attacks may have been compromised and are being used as bots, or they may originate from cyber criminals within the U.S. Hunter King, security researcher for SecureWorks, warns that not only are “organizations and personal computer users… putting their computers and networks at risk by not security them, but they are actually providing these cyber criminals with a platform from which to compromise other computers.”

Attempted cyber attacks by originating country:

• United States – 20.6 million
• China – 7.7 million
• Brazil- 166,987
• South Korea – 162,289
• Poland – 153,205
• Japan – 142,346
• Russia – 130,572
• Taiwan – 124,997
• Germany – 110,493
• Canada – 107,483

The figures for this study were based upon threats intercepted on behalf of its customers during the first 9 months of 2008. The report, as described here, outlines how Chinese hackers are taking control of unprotected networks, versus just using distributed bots.

Via security watch ; image: istockphoto

The researchers created a number of fake dialog boxes with various clues indicating to users that they were not real dialog boxes (what they said, mouse behavior, flashing text). One of the boxes read:

Warning! You are about to install some malware. Malware is bad. By reading this warning through to the end and still clicking yes you’re failing the Windows Darwin Test. Don’t be that guy, if you’re reading this message still then wise up and for the love of your family photos on your hard drive click the ‘No’ button.

A panel of 42 college students were told to watch as a series of websites loaded, with questions about the sites to follow. The fake dialog boxes were loaded in a random order, and user behavior was tracked. The study found that students were so anxious to get the dialog boxes out of the way that they ignored them. Here are the results:

• 26 out of 42 students clicked “OK” for the “real” dialog, but 25 out of 42 students clicked “OK” for two of the fakes and 23 on the third
• 9 out of 42 students closed the window (11 closed the dialog box)
• A few users would minimize the dialog window or drag it out of the way
• The response time between dialog boxes, real and fake, did not vary, indicating little time was spent evaluating them

When interviewed after, students indicated that they only cared about “getting rid” of the boxes. Many expressed a “degree of contempt” for the dialog boxes, after long-standing experience with them, which made them not care what the boxes said any longer.

In general, this type of user behavior is quite risky. It opens the opportunity for fake dialog boxes to infect a user’s computer by predicting this type of disinterested user behavior.

There is a lot of talk around this issue, some believing that software designers have some responsibility to make software easier to use, so users won’t be desensitized to clicking through dialog boxes, while others believe that users are at fault / are lazy. I believe that users lack education about potential risks, but also about what to do with pop-up dialogues. Even valid dialog boxes can be hard to decipher, so it’s no surprise that the ubiquity of confusing dialog boxes has created an environment of dismissive user behavior.

Via emergent chaos, ars ; Image: ppdigital @morguefile

The Encryption Solution Implementation Landscape report indicates that data is being put at risk mostly by a lack of understanding about encryption technologies. The three main areas that people cite as holding back encryption are: encryption legacy perceptions, a lack of awareness of the availability or ease of use of solutions, and a lack of understanding of the type of data that must be encrypted.

As Kelly Mackin, COO and President of CertifiedMail, notes, businesses no longer question the need for anti-virus or anti-spyware software, but it’s now the time to extend this line of thinking to other ways to protect confidential data. Encryption and laptop security software, among other security tools, should become standard practice.

Here are some of the highlights of the survey, which involved 205 organizations and more than 13,000 respondents:

• 47% of organizations did not have the ability to send encrypted emails from their desktops
• 45% can send encrypted email manually through their email client (22% of them found it difficult)
• 13% can send encrypted emails automatically through some sort of policy-based encryption capability
• 27% of organizations had experienced an accidental or malicious data leak during the previous 12 months

The survey found that users believed that encrypting email was a difficult process, although part of this has been attributed to perception rather than experience. Many users have experiences with legacy systems that have biased them against the easier tools today. The survey found an eagerness among respondents to have “click of a button” encryption available in email clients, with nearly one-half of users wanting automatic encryption capabilities.

Via security watch ; Image: iStockphoto.com