Analyst view
Criminals turn to malware for targeted attacks
April is a key date in the security calendar, with the major trade shows RSA in
San Francisco and InfoSecurity in London. It usually prompts vendors to release
their reports on the state of the world’s IT security. The question everyone asked:
was 2008 worse than 2007 in terms of data thefts, electronic heists and malware
in general? Well, according to recently published research, it appears to have
gotten a lot worse.
Anecdotally, the price of personal ID information on hacker Web sites has dropped
from $14-16 per record 18 months ago to a mere 15-20 cents today – so there’s
plenty of stolen data to go round.
Evidence of rising criminal activities in 2008 comes from F-Secure, which notes
that malware threats doubled from 2006-07, but trebled from 2007-08. In a similar
vein, Symantec’s April Internet Security Threat Report notes that 2008 saw a 265%
increase in malicious code threats compared to 2007. Symantec attributes the explosive
growth to the increasing professionalism of malicious code development, supporting
the demand for goods and services that facilitate online fraud.
Trustwave’s analysis of 443 US and EMEA data breaches in 2008 found that many
North American merchants used payment applications configured by third parties, so
negligence on the part of the (trusted) third party more often contributed
to payment card compromises. Because the use of outmoded payment applications
is not as prevalent in EMEA as in North America, the problems caused by third-party
installation, configuration or maintenance of such payment applications are less
of an issue there, whereas SQL injection targeting e-commerce sites was the number
one cause of security breaches in EMEA.
Customized malware on the rise
It appears that mass attacks are rare these days and damage is limited. Instead,
the use of ‘spear phishing’ – customized malware targeting specific applications
or processes that are unprotected in otherwise compliant environments – is gaining
prominence. This is costly for criminals and requires high levels of expertise,
but the value of the stolen data is also much greater.
In conclusion, it appears that security threats are increasing across the board
from botnet-building to targeted application and company attacks. This means that
security-by-obscurity is even less of an option than before. So what should enterprises
do?
1. Strong growth in both hacking activities (getting into corporate networks)
and malware (getting access to the data) emphasizes the need for coherent security
solutions that are continuously evaluated and updated. Given the number of security
incidents discovered by external sources, companies should choose a security services
provider that can provide regular security reviews of networks and data centers.
2. In the payments industry, PCI DSS compliant companies have fewer security
incidents than non-compliant organizations, but PCI is not the be-all, end-all
of security solutions. Financial institutions need security services providers
that can map all such transports and assign security procedures such as encryption
and private networks to sensitive data.
3. With perpetrators uniting their efforts to increase the level and complexity
of attacks, customers need to look for integrated security services solution providers
that are able to assess the sensitivity of all corporate assets and provide protection
accordingly.
4. While it is still very early days for virtualization, there is no evidence
that indicates higher risk to data and applications residing in a hosted virtualized
environment than in normal data centers. In fact, the absence of any indication that
virtualized data centers have been compromised supports the view that virtualized
environments have a higher level of security. Customers can therefore look to combine
hosting, outsourcing and security services from a single integrated provider.
5. The insider threat is increasing – anecdotally 20% of breaches are now from
insiders – so it’s important to get policies in place for identifying disgruntled
staff and minimizing threats from employees who are about to be dismissed.
Bernt Ostergaard is the newly appointed Research Director for Managed IT Services
Europe at Current Analysis. He will report on the complex interplay between carriers,
system integrators and outsourcers in the managed IT services space.