Stuxnet, the worm created by the US and Israel to sabotage Iran's Natanz nuclear plant, got out of their control
An article published today in the New York Times reports that Stuxnet, the worm written and deployed by the US and Israeli governments against the Iranian nuclear plant at Natanz, escaped into the wild. The purpose of the code was to set back the Iranian nuclear research program by manipulating the control hardware responsible for the spin rate of the centrifuge equipment. The important point is that the worm was built to target this one facility; it was never intended to spread across the Internet.
The network at Natanz is air-gapped, which made it very difficult for the planners to introduce the code into the network. They needed someone with physical access to the site to carry the worm inside on thumb drives (this is also how the first versions of the worm were distributed). To quote one of the architects of the plan: 'It turns out there is always an idiot around who doesn't think much about the thumb drive in their hand.'
The way Stuxnet spread outside Natanz's network was most probably on a laptop. Fortunately, security researchers were able to identify and neutralise it.
The mobile industry has reached a critical point because of the security concerns raised by companies trying to integrate mobile computing into their overall security framework. A fresh survey on mobile security shows that these devices have become a critical business tool that boosts productivity, but their malfunctions and the security threats they bring must be anticipated and carefully managed. 73% of organizations reported visible efficiency gains from integrating mobile computing into business operations and processes, according to the mobile industry study, which queried over 6,200 IT decision makers.
99% of small healthcare organizations in North America suffered a data breach in the past 12 months, and more than 70% do not have enough budget to invest in the risk management solutions needed to comply with legal requirements and industry standards. These are the key findings of a new survey by the Ponemon Institute.
The Ponemon Institute surveyed more than 700 IT and administrative professionals in healthcare organizations that employ at most 250 people.
"Cybercriminals are hunting for medical records," said Larry Ponemon, chairman and founder of the Ponemon Institute. "The most serious issue is just the complacency small healthcare providers seem to exhibit with respect to securing patient records."
Highly experienced security professionals are hard to find, and enterprises go through lengthy hiring processes to recruit the few who exist. More than 2,000 (ISC)2 members surveyed report rising salaries and more opportunities for advancement for trained and experienced security professionals, despite the slow economic environment. These are the key findings of the (ISC)2 2012 Career Impact Survey.
According to the survey, 96% of security professionals are currently employed, and only 7% of information security professionals were unemployed at any point during the last year. Moreover, over 70% of respondents received a salary increase in 2011 and more than half expect to receive one in 2012. More than half of those who changed jobs said they did so because of opportunities for advancement.
Law enforcement agencies worldwide are getting better at catching cybercriminals, scoring some large cybercrime busts and improving at detecting and investigating data breaches. Officials worldwide detected five times as many breaches in 2011 as in 2010, according to new data in Trustwave's 2012 Global Security Report. About 33% of organizations with data breaches discovered the incidents when alerted by law enforcement, up from 7% in 2010. These results are driven mostly by the work of the U.S. Secret Service, Interpol, the Australian Federal Police, and the U.K.'s Serious Organised Crime Agency (SOCA).
Only 16% of victim organizations detected hacking incidents on their own in 2011; the other 84% discovered them only when alerted by outside entities such as law enforcement, regulatory bodies, or public disclosure. In the breaches discovered by third parties, attackers had been active inside the victim organization's network for an average of 173.5 days before being detected.
Security professionals fear cyber-attacks and warn about them at every opportunity. Countries all over the world are trying to put up the best cyber defenses that technology can buy, but it takes a well-established institution in the field of global economics to make everyone finally accept that cyber attacks pose a serious threat to global stability.
The World Economic Forum's (WEF) Global Risks 2012 report places cyber-attacks against governments and businesses among the top five risks to global stability in terms of likelihood. Cyber-attacks come right after income disparity, fiscal imbalances, and rising greenhouse gas emissions, according to the report released at WEF's annual conference in Davos, Switzerland.
Based on the many data breaches reported by organizations in the healthcare industry, from hospitals to insurance companies and the third parties that handle healthcare data, one could have guessed that this sector is nowhere near the top when it comes to data security. A new report released by the Ponemon Institute brings further insight into the state of the healthcare industry, showing a rise in data breaches of over 30% and an average annual cost to the industry of 6.5 billion US dollars.
The "2011 Benchmark Study on Patient Privacy and Data Security," commissioned by ID Experts, identified employee error as one of the main causes of data breaches at hospitals and healthcare providers. These organizations suffered an average of four data breaches in the past year. Nearly 30 percent of healthcare companies said the breaches they suffered resulted in medical identity theft, an increase of over 25 percent compared with 2010.
Curiosity is stronger than any sense of security or any fear of hackers and other malicious individuals. That was the conclusion of a security study run by the US Department of Homeland Security, which showed how easily outsiders can get past firewalls and other security measures simply by planting USB sticks or computer disks in the right place.
The test tempted government employees by dropping USB memory sticks and computer disks in the parking lots of government buildings and of private contractors that work with the government, and then waiting for someone to take the bait.
A recently published study shows that database administrators don't fully understand security. According to these findings, database administrators and IT decision-makers in general admit to knowing very little about security practices such as change control, patch management and auditing. The survey was conducted among 214 Sybase administrators belonging to the International Sybase User Group (ISUG).
“A majority of respondents admit that there are multiple copies of their production data, but many do not have direct control over the security of this information,” the survey report stated. “Only one out of five take proactive measures to mask or shield this data from prying eyes.”
According to the report's author, Unisphere Research analyst Joe McKendrick, the ISUG survey is the first in a series of similar database security surveys being conducted across various database user groups, including those running other platforms such as Oracle and SQL Server.
According to Verizon's DBIR (Data Breach Investigations Report) issued this year, the number of compromised records has fallen significantly in recent years, but there is still reason to remain vigilant. The numbers show a decrease from 144 million compromised records in 2009 to 4 million in 2010. The progress is even more striking when compared with 2008, when 361 million records were compromised.
The study was conducted by Verizon together with the U.S. Secret Service (USSS) and the Dutch National High Tech Crime Unit (NHTCU).
“With the addition of Verizon’s 2010 caseload and data contributed from the USSS and NHTCU, the DBIR series now spans 7 years, 1,700-plus breaches, and over 900 million compromised records,” said a post to the Verizon Business Security Blog that accompanied the report.