Security professionals fear cyber-attacks and warn ab0ut them every chance they get. Countries all over the world are trying to put up the best cyber defenses technology advancements can buy, but it does take a well established institution in the field of global economy to actually make us all tremble and finally believe cyber attacks pose a great threat to global stability.

The World Economic Forum’s (WEF) Global Risks for 2012 report places cyber-attacks against governments and businesses among the top five risks in the world to global stability, in terms of likelihood. Cyber-attacks come right after income disparity, fiscal imbalances, and the rising greenhouse gas emissions, shows the report released in WEF’s annual conference held in Davos, Switzerland. 

The report put together by the WEF’s Risk Response Network is based on assessments of the tech industry which pointed out cyber-attacks as the biggest threat of all, as they can lead to devastating malfunctions in power plants, water supplies and other critical systems. The likelihood of such a globally debilitating attack is still up for debate, and other economic threats to global stability, such as income disparity, are far more pressing. WEF however believes we are not even close to understanding the risks posed to and handled by internet security.

Steve Wilson, chief risk officer for general insurance at Zurich and a member of the project, said:  ”We don’t even really understand the risks yet.”

The old-news threat to tech experts is now becoming an issue making its way into all the political agendas that matter. The the report calls “urgently” for new mechanisms to get private investment into exploring system vulnerabilities. It also pointed out how information about cyber-attacks and cybercrime is hard to get to in an objective fashion:

Research into cyber threats against governments and the private sector has largely been funded by those who are in the business of selling internet security solutions – a potential bias that causes scepticism. Academic and policy papers are based largely on anecdotal case studies.

Vendors of online security products have an interest in talking up the threats of cybercrime, while victims of cybercrime often have an interest in remaining silent. It is therefore very difficult for firms and organisations to get a clear picture of the true levels of the risk and needs for investment. Correcting such information asymmetries should be at the centre of policies to improve global cyber security and to ensure an efficient market.

The full report is available online here.

If you had any doubt that security breaches cost companies a lot, it is all clear now – the damages companies have to deal with after one breach are overwhelming! According to recent reports by te Ponemon Institute, organizations get hit by at least one successful attack per week, and the annualized cost to their bottom lines from the attacks ranges from1 million to 53 million USD per year. The reports were based on the analysis of 45 U.S. organizations hit by data breaches.

Ponemon Institute’s released two separate reports,  ”The First Annual Cost of Cyber Crime Study” (PDF), which was sponsored by ArcSight, “The Leaking Vault” (PDF) released today by the Digital Forensics Association, both showing troubling findings for companies’ finances:

• a median cost of $3.8 million for an attack per year, including all costs, from detection, investigation, containment, and recovery to any post-response operations.
• out of 2,807 publicly disclosed data breaches worldwide during the past five years, the cost to the victim firms as well as those whose information was exposed reached $139 billion.
• nearly half of all of the reported breaches came from a laptop, which in 95 percent of the cases is stolen
• hacks led to the most stolen records during 2005 to 2009, with 327 million of the 721.9 million covered in the report, although hacks represent  only about 16 percent of the data breaches
• Web-borne attacks, malicious code, and malicious insiders are the most costly types of attacks, making up more than 90 percent of all cybercrime costs per organization per year
• A Web-based attack costs 143,209 USD; malicious code, 124,083 USD; and malicious insiders, 100,300 USD.

“Information theft was still the highest consequence — the type of information [stolen] ranged from a data breach of people’s [information] to intellectual property and source code,” says Larry Ponemon, CEO of the Ponemon Institute. “We found that detection and discovery are the most expensive [elements].”

US President Obama and cybersecurity czar Howard Schmidt have both issued statements on cybersecurity presenting very optimistic progress reports and supporting increased activity in the private sector.

Some of the points discussed in the progress reports included the recent organizational changes and new cybersecurity initiatives of the Obama administration presented as evidence that the White House is making advances on the cybersecurity front.

“President Obama appointed a Cybersecurity Coordinator to provide White House leadership on cybersecurity issues,” the progress report says. “The Cybersecurity Coordinator leads a new Cybersecurity Directorate within the National Security Staff (NSS), works closely with the economic team, and has created a close partnership with the Office of Management and Budget (OMB) and the Office of Science and Technology Policy.”

As stated before while speding a year to decide who will be the czar everyone expected, cybersecurity is considered a “key management priority” by the white house.

“Enhancing cybersecurity is a central component of the Administration’s Performance Management Agenda,” the progress report says. “The Federal Chief Performance Officer has targeted key performance strategies for improving government operations, which include moving to real time monitoring and integrating cybersecurity into system design, rather than bolting it on as an afterthought.”

I am thrilled to see things are movig along just fine and the White House is also focusing on ecouraging cybersecurity projects in the private sector as well. Let’s hope they keep it up and others start following their lead.

For more details of the two statements, visit DarkReading.

Tired of being the main target of cybercriminals and other mean characters of the virtual world, SMBs are reconsidering their stand of security and starting to seriously apply it to their corporate infrastructures. These are the finding of a new survey conducted by Applied Research and published by Symantec. The new report shows that SMBs views have drastically changed over the past year, leading to more spendings on IT security and giving security policies a higher priority.

“Last year when we conducted this survey, a lot of SMBs were very confident in their security posture, but they weren’t always clear on the threat,” says Monica Girolami, senior product marketing manager at Symantec, who worked with Applied Research on the study. “This year they realize that they have gaps in their security stance, and they’re getting more serious — in fact, they rated data loss and cyberattacks as their top risks, even above natural disasters.”

If you’re wondering why this major shift, ask your self no more! It’s a mere cause and effect phenomenon: 42% of SMBs have lost data and the cost of a breach exceeds 188,000 USD. So insted of paying for the damages, better invest less in security and prevent them. Although it is happening rather late, it is still a smart move!

The respondents ranked data loss and cyberattacks as their top business risks, ahead of traditional criminal activity, natural disasters, and terrorism, according to the report. SMBs are now spending an average of $51,000 a year — and two-thirds of IT staff time — working on information protection, including computer security, backup, recovery, and archiving, as well as disaster preparedness.

While their cybersecurity czar plans have been delayed for so long we were all a bit tired for waiting, the White House approach to fighting cyber threats seems to have found a new focus these days: recommending training, exams and detailed certification requirements for cybersecurity professionals employed or contracted by the federal government. And this is going through the careful review of a commission whose main purpose is to advise the Obama administration on cybersecurity policy.

The Commission on Cybersecurity for the 44th Presidency, which in December 2008 issued its Securing Cyberspace for the 44th Presidency report to Congress, is currently working on a sequel to that report, due sometime in late June or early July. The commission, made up of a who’s who of experts and policy-makers, is debating strategies for building and developing a skilled cybersecurity workforce for the U.S., as well as issues surrounding an international cybersecurity strategy and online authentication.

Of course, the discussion got a bit stuck in the first part of the future report, the cybersecurity workforce. With no one knowing if the new certification recommendation will take into account existing certifications or not, with people in the commission and in the field of cybersecurity having different takes on the issues, and given the need to details qualification needed for each type of IT security pro, I assume it will take a while to get to a common decision on this one

According to Tom Kellermann, a member of the Commission and vice president of security awareness at Core Security Technologies, the federal government has bigger problems: an insufficient workforce that’s about to shrink some more if certifications become mandatory requirements:

“I would suggest that we need to increase our workforce, but not ostracize those that don’t have certifications to get them or lose their jobs. They should be grandfathered in,” Kellermann says.

Exploring a movie-like scenario, I have to wonder – If they ever want to cut a deal with a genius hacker and have him/her do some anti-hacking work for them, would they care if that person has the required certifications?

As many as 37 percent of German companies were the victim of economic crime in the last three years, a new study has found. Internet fraud and the theft of business secrets have become a particular problem.
The use of USB Flash Drive in high capacity has made it easy to steal even the most complex business or construction plans in just a few seconds.

A USB Thumbdrive is all that’s required to steal valuable information.

A new study carried out by the German research institute Emnid for the financial services firm KPMG has found that criminal methods are being used more and more often in the ruthless and competitive world of business.

The survey, which took in 375 companies of all sizes, found that around one in three companies had been the victim of business crime. Two thirds of the companies surveyed also expected the level of criminality to rise.

The biggest economic crimes remain fraud, theft, embezzlement and breach of trust, but money-laundering and the forgery of accounts and financial information have all risen since the last survey was carried out in 2006.

Ignorance breeds carelessness

According to KPMG spokesman Frank M. Huelsberg, companies still need to be more aware of how crimes operate. “Despite these alarming results, small and medium-sized companies are particularly prone to underestimate the danger of falling victim to crime,” he said.

Fifty-six percent of the employees surveyed said that their company was less likely to be a victim of economic crime than a major corporation, while 76 percent believe they have made adequate security arrangements.

“Privately- or family-owned companies like to put their trust in their employees. But that makes them vulnerable,” Huelsberg said, “Experience shows that basic security mechanisms are often neglected in such companies.”

Third-party threat

In 62 percent of economic crimes involving small and medium-sized companies, employees conspired with an external third party. This figure is only 40 percent with large companies.

The theft of business or operational secrets is a growing threat, according to the study. A third of small and medium-sized companies have been a victim of such theft, the study said.

“The sale of sensitive information to competitors or criminals is particularly strong in times of economic crisis,” Huelsberg says, “Nowadays even the most complex construction plans fit on a USB stick. Data theft and industrial espionage can be child’s play if security fails, and the loss of sensitive designs or formulas can be fatal for a small, innovation-based company.”

Read the enitre article here on DW.

With security journalists complaining about hazy security predictions for 2010, we thought I thought I should get my crystal ball out and share with you what the future holds for the world of Endpoint Security! My predictions are based on what I’ve noticed in the past few years, on recurring issues and generally how things work in the industry. So here goes!

1. The much hyped and awaited US Cybersecurity Czar will spend at least 6 months sorting through inter-agency policies, egos and feeble budgets and only then starting to do some work! The boost the security industry is expecting to come from the authorities interest in cybertheats will continue to lag.

2. The economy is picking up. But slowly and mostly on paper. Security budgets won’t be much increased and cost effectiveness will remain an important factor in selecting security products. Let’s hope it will come into play after the ineffective products are eliminated and not before!

3. While misplaced laptops might not be as big of a cause for security threats – shrinking budgets might put an emphasis on accountability for company technology and hardware and people might start paying more attention to where they through their notebooks – portable hard drives, USB sticks and other such devices will still be grossly lost and left unencrypted. So we’re still up for plenty of news on misplaced hardware leading to humongous sensitive data exposures.

4. I completely agree with the ICSA labs prediction – “Network-attached peripheral security threats will continue to increase. With more network-attached devices than ever before, disgruntled employees and other insiders will find ways to use unsecured printers and other network-connected devices to steal data while covering their tracks.“

No surprises there! USB sticks, MP3 players, smart phones, portable hard drives, they’re all hooked to the corporate networks and can pretty much drain all the data out of your company. With people still being let go and the competition willing to do anything for and edge and a chance to survive the dire conditions of a barely recovering economy, the insider threat will continue to lead them all when it comes to data theft.

5. 2010 will be the year of Security as a Service. With so many companies relying on overworked and understaffed IT departments and unwilling to allot too much money to the IT infrastructure, security products offered as a service will all see significant increase. Of course only those that get the job done! Pretty obvious if you think about it: no time wasted on installation and maintenance, no additional hardware needed to accommodate the new software, easy to learn and intuitive interfaces, it makes sense.

6. As a consequence of point 5 up there, companies providing software as a service solutions will have to better explain and promote them. They need to address reliability, liability and other security concerns, as well as point out the many benefits of choosing this type of security service.

7. More lawsuits. Yes, more data breaches will lead to lawsuits. Customers are becoming more knowledgeable, so the lawsuit threat will increase for all companies mishandling private data of their customers. They might not all win, but companies need a better plan to handle breaches. For example, waiting for months to disclose them might not be the sharpest idea.

What do you think? Which of these will come true and which are your own predictions for 2010?

A nice Christmas present wrapped up and delivered to the cybersecurity world. When we all started to doubt there will be a czar appointed in 2009, when all hopes were fading after months and months of delay (the initial announcement was made in May), the Obama administration finally chose Howard Schmidt to fill this position.

Schmidt is also a former member of the Bush administration and will be the leading star of the cybersecurity initiative, although experts fear the position does not come with any real power, says the Dark Reading. A little background info on the new czar:

Schmidt, who most recently served as president and CEO of the international nonprofit Information Security Forum and was previously chief information security officer at eBay and at Microsoft, said in a statement that he looks forward to bringing to the table all stakeholders in efforts to better secure U.S. networks and systems. He will work with the National Security Council and the National Economic Council.

Schmidt will have to settle all differences between the National Security Agency and the Department of Homeland Security, add a side of Deparment of Defense and other federal agencies involved in related projects, and serve a over common and effective US cybersecurity posture. And all this on a not so significant budget and with not so much power over these US security giants. We all wish him best of luck!

If you’re wondering how many cybersecurity threats a federal agency faces on a daily basis, a new survey has the answer to your question. At least one, each day, every day. About a third of the IT professionals employed by federal agencies say they experience at least one cybersecurity incident each day, be it external attack, malware, lost device, inappropriate employee access, or other threat.

When one thinks that of these 31% at least a few work for the same agencies. Threfore the numbers are troubling. The frequency of such problems are at the same level or slightly higher than last year for most survey respondents, and their severity has remained about the same. The top issues of this year are malware (33% of respondents), inappropriate employee activity or network use (25%), managing access for approved remote users (25%), and data encryption (23%).

As most of the participants find a solution to this problem in acquiring new, better performing cybersecurity solutions, and as many agencies already make efforts to buy such technologies, it comes to no surprise that market research firm Input, quoted by DarkReading,  says federal cybersecurity spending will increase 48% from USD 7.9 billion this year to USD 11.7 billion in 2014. And the shining stars of this future wave of inestments are a USD 1.5 billion cybersecurity data center currently being developed by the National Security Agency and a cybersecurity operations center recently opened by the Department of Homeland Security.

The White House might have a bright, shiny plan for cybersecurity, but it seems unable to keep the security heads it needs to manage and further implement it. No less than the people holding key positions related to the USA’s cybersecurity have resigned in the past few months.

The trend was started in March by Rod Beckstrom, who at the time resigned from his position as head of the National Cybersecurity Center within the Department of Homeland Security. The said center coordinates the defense of civilian, military, and intelligence networks. The reason for Beckstrom’s resignation? As he stated in a letter quoted by the Register, the post was underfunded and unduly controlled by the National Security Agency.

The next person to announce their resignation was Obama’s top cybersecurity director, Melissa E. Hathway. What led to her decision was the long months of delays by the Obama administration in appointing a permanent director to oversee the safety of the nation’s vital computer networks. As the Register points out, Hathway was one of the best candidates for the “cybersecurity czar” position. The czar would hold the authority for securing networks and infrastructure that serve US banks, hospitals and stock exchanges.

The third and most recent top cat in the US government to go is Mischel Kwon, the head of the US Department of Homeland Security’s Computer Emergency Readiness Team. Washington Post rumor has it that Kwon  had grown frustrated by bureaucratic obstacles and a lack of authority to fulfill her mission. And it seems people in her position don’t stick around for too long, she was the fourth US-CERT director in five years.

Hopefully, the critical cybersecurity plan will eventually be implemented, without any further delays and resignations. Let’s keep our fingers crossed!