Are you satisfied with your enterprise security? According to a report from IBM released today, you may want to avoid getting too complacent.
Results of IBM's latest X-Force 2011 Trend and Risk Report indicate that, though application security vulnerabilities, exploit code, and spam are down from a year earlier, more danger lurks where IT may not be so vigilant. Specifically, the report showed a 19 percent increase in exploits aimed at mobile devices. And phishing emails related to social networks were also up. The report warns too that online criminals appear to be having a field day with the information gleaned by careless social site users.
"In 2011, we've seen surprisingly good progress in the fight against attacks through the IT industry’s efforts to improve the quality of software," said Tom Cross, manager of threat intelligence and strategy for IBM X-Force, in a prepared statement. "In response, attackers continue to evolve their techniques to find new avenues into an organization. As long as attackers profit from cyber crime, organizations should remain diligent in prioritizing and addressing their vulnerabilities."
So, the good news is that last year saw a drop in security exploits by more than 30 percent compared to the average of the preceding four years. And when security problems do occur, IT is patching them with software vendor solutions more thoroughly. In 2011, about 36 percent of vulnerabilities went unpatched -- down 16 percentage points from 2010.
What's more, spam levels were cut in half in 2011, thanks in part to better filtering. And the number of SQL injections aimed at manipulating, vandalizing, or destroying Website databases was down by 36 percent last year.
On the downside, though, attackers have been using two to three times more shell commands to directly manipulate Web servers, the report says. And in the second half of 2011, automated password guessing rose significantly.
What also rose were phishing attacks, in which senders create phony emails that appear to be from a user's credit card company or bank.
A faked message about a charged credit card. (Source: IBM X-Force Research and Development)
Mobile devices also have become a target for miscreants. In the wake of "Bring Your Own Device" (BYOD), enterprise IT pros are adjured to realize that employees may be bringing unsecured and unpatched smartphones and tablets to work. Many of these machines may be infected with malware specially targeted to their devices.
(Source: IBM X-Force Research and Development)
Cloud computing too has its risks. Last year saw some high-profile breaches, IBM observes. In this environment, it's vital for users to obtain service level agreements that cover exactly what the provider is responsible for -- and how quickly an enterprise can expect to have service restored or data retrieved in the event of a breach.
The IBM X-Force report is the latest of an ongoing series that IBM issues based on intelligence gathered by the vendor's managed security services, which operate out of nine Security Operations Centers worldwide. The information was culled from a database of more than 50,000 computer security vulnerabilities, a global Web crawler and spam collectors, and real-time monitoring of 13 billion events daily for 4,000 clients in more than 130 countries.
apparently it has been. reports I've seen have stated loss to fraud at 20 cents per $100 commerce generally but 50 cents per $100 for electronic commerce
a credit card today simply uses a magnetic stripe reader instead of the old 'embosser'. remember those? you put your card on the embosser, laid a ticket on top and rammed the handle across the card -- which would then imprint the card number via carbon paper onto the tickets. the merchant could then deposit the ticket to his account -- which would be processed against your credit card account as if it were a check: a simple automation of the process that has existed since the 1960s (checks well before that)
my proposal will require replacing all the plastic\magnetic stripe cards with 'smart cards' AND all of the Point of Sale terminals (POSTs) -- in order to create a system that can be secured in our electronic environment
"Because that's where the money is"
according to urban legend when the police asked Willie Sutton: "Why do you rob banks?" Willie replied: "Because that's where the money is."
There is a lesson for all of us in this: you can't steal what isn't there
if the merchant does not have your account number the hackers cannot steal it even if they do break into the merchant's system
my proposal has the additional advantage in that you not only do not give your account number to the merchant, you don't give him any other information, either -- which will be a + for Privacy
Great ideas here, Mike. How likely is it that a strategy like this would be adopted by credit card processing firms? I'm surprised they aren't already doing this.
As a result of the breach, Visa removed Global Payments from its list of approved service providers. Visa told The Wall Street Journal (subscription required) that the move was in response to "Global Payments' reported unauthorized access." Visa said it has invited Global Payments to re-apply for validation by submitting evidence that its security is in compliance with Visa's standards.
The message should be clear: get serious about security or you are going to get nailed for huge costs and a big hit on your reputation
either hit can put your company out of business
hacking goes on and on. but there is a single persistent method to it: malware. hacking is accomplished by getting unauthorized programming into an endpoint computer -- either the customer's or the vendor's servers. while the methods for doing this are as varied as a Game of Chess, the last move is always the same: PWNED: i.e. your computer is controlled by the hacker's software.
putting an end to unauthorized programming is the right answer but this must be backed up with detection and response: the software inventory audit is required to verify the effectiveness of any software protection plan.
the most difficult key to controlling unauthorized software will be the question of executable documents. we know we can control an executable document by running it only in a 'sandbox' (restricted user; RING3) but a deeper question about these must be answered: what do you do when an executable document, e.g. an excel sheet, must be moved out of the sandbox to another working directory?
Google\Chrome's solution is: strip the executable code from the document.
executable documents were a bad idea to begin with and i think i'll put them on my list of the 13 worst products in modern history.
MJ = "A depressing reminder that enterprise security is an ongoing fight."
that's the problem Mary: there is no fight. as long as it's cheaper to just cover the loss than to fix the problem that is the response we will continue to get
but when you or a personal friend get hit by the hackers PCI\industry response will no longer be adequate and hacking will be more than messages on the 'Net to you: it will be personal
~
interestingly an analyst on NPR last night reported what I've been saying for a year here on IEv: the PCI process of giving card data to the merchant is incorrect: it facilitates large scale hacking as is being reported this morning: 10,000,000 Master Card \ Visa Accounts -- stolen
current PCI processing is a vestige of the Pen and Ink procedures of the 1950s
what should be done:
use Smart Card not magnetic stripe
customer does not give account data to merchant, rather
merchant must submit invoice to customer's smart card
customer's smart card encrypts invoice with authorization for payment and returns this as cipher text to the merchant point of sale terminal (POST)
POST forwards cipher text to PCI
on approval PCI forwards paid invoice and EFT to merchant
POST prints sales receipt for customer
at no time did the merchant have the customer's PII; in fact merchant doesn't even need to know who the customer was. YEA!!
hackers will now need to get malware into either (a) the customer's smart card or (b) PCI processing center. the attack surface is drastically reduced
customer must not use mobile phone for this: those are hackable. smart card must be non-modifiable. these expire and are re-issued periodically
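The card-centric flow laid out in the comment above, worked through as an added example (not the commenter's code): the card binds its account number to a digest of the exact invoice, the POST relays an opaque blob, and the processor returns an approval that carries no account data. Assumptions beyond the comment: a single key shared between the card and the processor, HMAC-SHA256 in counter mode plus a separate HMAC tag standing in for a real AEAD such as AES-GCM, and a seen-nonce set at the processor so a replayed authorization is refused.

```python
"""Smart-card payment flow from the comment above, as a constructed example.
The merchant's POST never learns the account number; it only relays bytes.
HMAC-SHA256 counter-mode keystream + HMAC tag is a stand-in for an AEAD."""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 12, 32

def _subkey(key, label):
    # Separate encryption and authentication keys derived from the card key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(k_enc, nonce, length):
    blocks = (hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def invoice_digest(invoice):
    return hashlib.sha256(json.dumps(invoice, sort_keys=True).encode()).hexdigest()

def card_authorize(card_key, account_number, invoice):
    """On the smart card: bind the account to this exact invoice, return cipher text."""
    nonce = os.urandom(NONCE_LEN)
    plain = json.dumps({"account": account_number, "invoice": invoice_digest(invoice)}).encode()
    ks = _keystream(_subkey(card_key, b"enc"), nonce, len(plain))
    ct = bytes(p ^ k for p, k in zip(plain, ks))
    tag = hmac.new(_subkey(card_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # opaque to the POST and to any malware running on it

def processor_settle(card_key, blob, invoice, seen_nonces):
    """At the processor: verify, decrypt, check the invoice, never echo the account."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(card_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return {"approved": False, "reason": "tampered or forged"}
    if nonce in seen_nonces:  # checked only after the tag, so junk cannot fill the set
        return {"approved": False, "reason": "replay"}
    ks = _keystream(_subkey(card_key, b"enc"), nonce, len(ct))
    auth = json.loads(bytes(c ^ k for c, k in zip(ct, ks)))
    if auth["invoice"] != invoice_digest(invoice):
        return {"approved": False, "reason": "invoice altered after authorization"}
    seen_nonces.add(nonce)
    # Account lookup and funds check happen here; the merchant gets an EFT reference only.
    return {"approved": True, "amount": invoice["amount"],
            "eft_ref": hashlib.sha256(blob).hexdigest()[:16]}
```

The response the merchant receives contains the amount and a settlement reference but no account field, which is the property the comment is after.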
Well I guess it's a double-edged sword. Most organizations probably believe that they can have full trust in their employees so they don't need the extra layers within the network. BUT once that trust gets compromised, that's the wakeup call.
OR they haven't found out yet that something was taken. I have seen organizations where the breaches were from internal users. It took hours of surveillance to figure out what was happening only after the suspicions arose. But I could only imagine how long it was going on before an eyebrow was even raised.
Enterprises should learn that not only is there a thief in the neighborhood, but the thief has probably visited them already. If it's not obvious, then that's probably because there wasn't really anything worth taking.
I've found that when it comes to technology, security is what you want it to be. No one leaves their front door open if there's news of a thief in the neighborhood. But every day, business owners claim they are not concerned with security as a practice while they are fully aware that a breach of any sort would be a disaster. In the end, it's all about education.