Fail a security audit already — it’s good for you

Network World, By Andreas M. Antonopoulos, October 04, 2011

Failing an audit sounds like the last thing any company wants to happen. But that’s because audits are seen by many as the goal of a security program. In reality, audits are only the means of testing whether enforcement of security matches the policies. In the broader context, though, an audit is a means to avoid a breach by learning the lesson in a “friendly” exercise rather than in the real world. If the audit is a stress-test of your environment that helps you find the weaknesses before a real attack, you should be failing audits every now and then. After all, if you’re not failing any audits there are two possible explanations:

1) You have perfect security.
2) You’re not trying hard enough.

I’ve never met a security person who will claim they have perfect security. Nemertes research further illustrates this issue. In our most recent benchmark we found that in the past three years 36% of companies had suffered a breach and yet only 15% had failed an audit. I can’t emphasize this enough: Those numbers are *backward*. Companies should be failing audits, whether internal or external, far more often than they suffer breaches. The fact that few companies are failing any audits should be cause for concern, not celebration. I would celebrate if there were no companies suffering from actual security breaches because then we could assume that the audits were working: uncovering problems to fix them before they became breaches. But unfortunately, it seems that audits are not thorough enough, consistent enough or “hard” enough. If you accept that the purpose of internal or external audits is not just to “prove” security but to “improve” security, then the audit should subject the company to enough pressure to validate that it can withstand a security breach.


Hacker attacks against retailers up 43 percent

SC Magazine, By Angela Moscaritolo, October 12, 2011

Hacks targeting the retail sector have increased 43 percent since last year, largely due to an increase in SQL injection and the use of exploit toolkits, according to researchers at Dell SecureWorks.

During the first nine months of 2011, Dell SecureWorks blocked an average of 91,500 attacks per retailer, compared to 63,651 during the final nine months of 2010. The rise is primarily due to an increase in SQL injection assaults against servers, as well as attacks stemming from web-based exploit kits, Ben Feinstein, director of operations and analysis with the Dell SecureWorks Counter Threat Unit, told on Tuesday. Other verticals have also experienced an increase in attacks, though not to the same degree as the retail sector, he said. Merchants are being more heavily targeted than those within other sectors, likely because they maintain vast amounts of information that attackers want, and often have less stringent security controls.

Specifically, attackers have been hitting retailers hard with injection attacks, a technique for exploiting web application security flaws by inserting malicious SQL code in web requests. Though this type of attack has been well known for some time, it still proves successful for cybercriminals.


White House Issues ‘WikiLeaks’ Order to Secure Classified Data

Wired, By Kim Zetter, October 7, 2011

More than a year after thousands of classified and sensitive U.S. government documents were leaked to the secret-spilling site WikiLeaks, the White House has issued an executive order designed to improve the security of classified networks and prevent further leaks. The so-called “WikiLeaks Order” (.pdf) was issued by President Obama on Friday and largely focuses on establishing committees, offices and task forces to work on implementing a balance between the needs of federal agencies to access classified data and the necessity of securing that data against improper usage and leaks. To the latter end, the order requires federal agencies to have built-in auditing systems to monitor access to data. It also establishes an interagency Insider Threat Task Force, led by the attorney general and the director of national intelligence, to establish policies and evaluate the efforts by agencies to spot and deal with discontented personnel who may be at risk of leaking classified information. The order also calls for minimum standards to be developed for securing information and systems. A steering committee will oversee the implementation of the orders and will be chaired by senior representatives of the Office of Management and Budget and the National Security Staff, but the secretary of defense and the director of the National Security Agency will be responsible for developing technical safeguards to protect classified information on networks.


ICO Calls For Audit Enforcement Power

Information Age, October 13, 2011

Information Commissioner Christopher Graham says the data protection watchdog should be able to audit local authorities, businesses and the NHS without their consent. Currently, the ICO only has compulsory audit powers over central government, with consent required for an audit to be carried out in other sectors. However, Graham argues that these sectors are sources of particular concern. The NHS accounted for 40% of data breaches since April this year, while two thirds of data breach fines were issued to local government authorities. “Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices,” Graham said. “With more data being collected about all of us than ever before, greater audit powers are urgently needed to ensure that the people handling our data are doing a proper job.”


SEC Pushes For Disclosure Of Business Risk Profiles And Attack Details

The U.S. Securities and Exchange Commission (SEC) released guidance to public corporations on Thursday, urging better disclosure when it comes to security incidents, and investment risks. The recommendations originated from the Corporation Finance division of the SEC, which looks after investors and ensures they’re properly informed of all investment related details. While there are no disclosure requirements on the books that mention cybersecurity, registered companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky,” the SEC’s recommendations explain. “In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.”

suffers blips as Anonymous takes aim

CNN Money, By David Goldman, October 10, 2011

Anonymous’ call for a massive attack on the New York Stock Exchange’s website was met Monday — but very, very briefly. A group calling itself Anonymous, a name used by disparate groups of online “hacktivists,” threatened to take down at 3:30 p.m. ET today as an extension of the “Occupy Wall Street” demonstrations that have continued into a fourth week.

The website was slow and then unavailable from about 3:35 p.m. to around 3:37 p.m., after which it returned to normal. Keynote, a mobile and Internet monitoring company, confirmed that slowed down during that time. It also measured widespread disruptions to the site between 5:30 p.m. and 5:55 p.m. Another tracking site, AlertSite, measured “a definite increase in response times from 3:45 p.m. to 4 p.m. ET.” After that, the site returned to normal. Monitoring site also registered a series of brief outages.

But Rich Adamonis, a spokesman from the NYSE, rebutted the monitoring sites’ findings. “We detected no service outage on our corporate website at that time,” he said. In a message that went out in early October through a video on YouTube, the group called for a “distributed denial of service” (DDoS) attack, which directs a flood of traffic to a website and temporarily crashes it by overwhelming its servers. It doesn’t actually involve any hacking or security breaches, and would have no effect on NYSE’s stock-trading systems.


111 arrested in massive ID theft bust

IDG News Service, By Robert McMillan, October 7, 2011

Restaurant workers and bank insiders are charged in what’s billed as the largest-ever ID theft round-up. Prosecutors call it the biggest identity theft bust in U.S. history. On Friday, 111 bank tellers, retail workers, waiters and alleged criminals were charged with running a credit-card-stealing organization that stole more than $13 million in less than a year-and-a-half. “This is by far the largest — and certainly among the most sophisticated — identity theft/credit card fraud cases that law enforcement has come across,” the Queens County District Attorney’s office said in a statement announcing the arrests. The credit card numbers came from far and wide: from skimming operations in the U.S., where restaurant employees or retail cashiers were paid to steal credit card data from customers; from carder forums on the Internet; and also from shady overseas suppliers in countries such as Russia, China and Libya. In all, five groups of criminals were targeted in the two-year law enforcement operation, dubbed “Operation Swiper.” Together, they ran the full gamut of criminal activities required to steal credit card numbers and convert that data into cash, prosecutors said. Eighty-six of the defendants are in custody; police are looking for the remaining 25, prosecutors said.

The accused are charged with running a thoroughly modern identity theft ring that included ID thieves, skimmers, card makers, fences and shopping crews: groups that would buy thousands of dollars worth of merchandise in stores throughout the U.S.