Not Prepared for Hacks
U.S. News & World Report Weekly.
(May 30, 2014):
From Educators Reference Complete.
Copyright:
COPYRIGHT 2014 U.S. News and World Report, L.P.. All rights reserved.
http://www.usnews.com/
Full Text:
Data breaches are up and businesses aren't ready to deal with them
By Tom Risen
Hacking increased so much this past year that approximately half of U.S.
adults had their information stolen and less than half of U.S. companies have
taken enough precautions to protect consumer data, according to two studies
released this week.
Recent months have been filled with reports about hackers stealing credit
card data, online account passwords and other personal information from
consumers. These included data breaches of networks at retailers like Target
and Michaels, along with the Heartbleed security bug that made software
vulnerable to spying and online theft. Last week, in one of the latest major
security incidents, eBay urged its users to change their passwords
"because of a cyberattack that compromised a database containing
encrypted passwords and other non-financial data."
Approximately 110 million people, or 47 percent of adults, in the United
States have had their personal information exposed by such attacks, according
to a new study from CNNMoney and cybersecurity research firm the Ponemon
Institute. Attacks will likely become more frequent as Internet and mobile
device use grows, the report cautioned.
To make matters worse, companies are lagging behind trying to protect
themselves, according to PricewaterhouseCoopers' 2014 U.S. State of
Cybercrime Survey published Wednesday. Less than half of companies in the
survey took necessary steps to protect themselves. Only 38 percent
prioritized security investments based on the risks to their businesses, and
only 31 percent have a security strategy for the rapidly growing mobile
sector.
Businesses are unprepared in part because of poor cybersecurity training at
colleges, says Alan Paller, co-chair of the U.S. Department of Homeland
Security's Task Force on CyberSkills, which advises how to train
cybersecurity professionals. Security training was not provided for new
employees at 54 percent of the businesses in the PricewaterhouseCoopers
survey. "Colleges are creating people who can tell you about security
but they cannot fix the system," says Paller, founder of the SANS
Institute cybersecurity training organization.
Many cybersecurity specialists with practical computer expertise "are
not coming out of academia," Paller adds. Rather, "they are a lot
of self-taught people," he says.
Failure to protect a network from security gaps at partner companies is also a problem, as only 27 percent of firms have incident-response plans in place with businesses in their supply chain, and only 44 percent evaluate the cybersecurity of third-party companies they work with, the PricewaterhouseCoopers survey showed. The five most used hacks reported were malware, phishing emails that send malicious links, network interruption, spyware that tracks computer activity, and denial-of-service attacks that overload online servers.
In recent months, Congress has hammered retailers, including Target, for failing to prevent data breaches, but lawmakers have yet to pass legislation that would set cybersecurity standards for businesses.
In the meantime, the Obama administration has encouraged companies to share information about online threats. Some retailers -- including Target, Gap and Nike -- have partnered with the Retail Industry Leaders Association to form the Retail Cyber Intelligence Sharing Center to advise each other of potential threats.
Source Citation
(MLA 8th Edition)
"Not Prepared for Hacks." U.S. News & World Report Weekly, 30 May 2014. Educators Reference Complete, http://link.galegroup.com.prx-
From Global Issues in Context.
Copyright:
COPYRIGHT 2017 SyndiGate Media Inc.
http://www.cpifinancial.net
Full Text:
In an exclusive interview with Banker Middle East, Wayne Loveless, Principal, Cybersecurity and Lutfi Zakhour, Senior Vice President, Financial Services, both at Booz Allen Hamilton MENA extensively discuss major issues surrounding blockchain technology and cybersecurity.
What are the major cybersecurity issues and concerns in this region?
Wayne Loveless: Cybersecurity is a growing concern across organisations around the world. In fact, this was discussed at the World Economic Forum's annual summit in Davos this year where cybersecurity was highlighted in the list of business risks across different sectors. Average annual losses to companies worldwide from cyberattacks now exceed $7.7 million per organisation, according to the Ponemon Institute.
For example, one of the most notable cases to hit GCC shores was the Shamoon virus attack, which shut down more than 30,000 workstations at Saudi Aramco in 2012. Despite the exceptional efforts to remediate and protect systems after the 2012 attack, the Shamoon virus resurfaced in January this year, impacting several government agencies and private sector companies.
Given these growing cyberrisks and threats, more organisations in the region are waking up to the potential hazards that a weak cybersecurity readiness presents. Currently, one of the major concerns around cybersecurity in the region is preparedness. As technology and digitisation become more prevalent across industries, the risk of attackers successfully penetrating and compromising systems, and the vital data they store and process, is only increasing. In addition to the government, other sectors that have been identified as being particularly vulnerable to cyberdisruption include finance, energy, manufacturing, utilities and transportation.
More than 50 per cent of recorded incidents in the Middle East region were conducted against oil and gas corporations, according to the Repository of Industrial Security Incidents (RISI) data. This is but a precursor to the potential disruption of the energy and oil and gas sectors' industrial systems. A more targeted and concerted effort from governments and private companies in the region is warranted. Therefore, investing in a robust resilience strategy that could prevent or reduce the impact of potential threats and protect national interest is key.
How is financial regulation developing in these markets and in what ways will it help combat cybersecurity breaches?
Lutfi Zakhour: Recent brazen attacks have brought regulatory requirements and standards in the financial services sector to the limelight. For instance, last year a Bangladesh hack leveraged the SWIFT payment system, allowing attackers to successfully steal $81 million of their targeted $951 million from Bangladesh Bank before a spelling error compromised the attack. With regional financial institutions also not being immune to such attacks, GCC governments have been eyeing changes to the regulatory role within their respective countries.
While SWIFT is taking actions to improve security requirements and preclude a repeat of the Bangladesh Bank heist, GCC governments are also increasingly viewing financial services as a critical national infrastructure. A prime example can be found in the UAE where the federal government is seeking across the board improvements to the cybersecurity of critical infrastructure. In fact, the National Electronic Security Agency (NESA) is rolling out its latest cybersecurity framework with an initial focus on the financial services industry. Further actions taken in other GCC countries include new updates to e-transactions laws and cybercrime laws to place further emphasis and controls on ensuring the protection of both banks and consumers.
With the MENA region waking up to the importance of digital technologies, today's financial landscape has seen key players re-evaluate their strategies and regulations to guarantee maximum efficiency and security. What is your view on this?
LZ: The financial services sector in the UAE, specifically, has picked up on blockchain technology, with one leading bank pursuing proof of concept of a blockchain network for international remittances and open account trade finance and another launching a pilot of blockchain, using the technology through Ripple. Additionally, Dubai has announced plans to use blockchain for all government documents by 2020 and several departments have announced that they would explore the technology in areas including healthcare, wills and diamond transactions.
Other initiatives include The Global Blockchain Council, established by the Dubai Museum of the Future Foundation, which has spearheaded several blockchain-related initiatives and launched pilot projects across several sectors such as healthcare, diamond trade, title transfer and business registration in order to test the cost-saving and time-reducing effects of the technology.
Blockchain has now been recognised as a potentially game-changing approach to cybersecurity. Described as a generational disruptive force in the financial services industry, these distributed ledgers maintain tamper-proof lists of ever-growing data records and enable secure value exchanges (money, stocks, or data access rights) between different parties.
Blockchain also creates a more secure, efficient, and collaborative ecosystem for sharing and accumulating critical data and information. It is particularly beneficial in the financial services sector, where it could enable safe and secure applications across payments services, trade finance and KYC registries benefitting both firms and consumers.
We foresee a lot of growth potential for blockchain in the GCC, across different industries, with several entities wanting to continuously advance the technology in order to complete their digital transformation and truly realise the potential of a smart city.
What are your suggestions to improve the cybersecurity standards in the region?
WL: Cybersecurity standards represent a baseline for tackling cybersecurity threats and improving overall readiness in prevention and mitigation of cyberincidents. While progress towards minimum standards for security is underway across the GCC and many institutions continue to follow industry standards and best practises, further efforts will be needed to improve security.
As demonstrated in the SWIFT attacks on the Bangladesh Bank, attackers can take any number of routes when compromising the security of systems and data, both stored and in transit, to meet their motives. With cybercriminals, nation states, and hacktivists all seeking to meet their objectives across the region, a more robust, and beyond baseline perspective on security is certainly warranted.
One of the biggest impediments to improving cybersecurity is not necessarily improving compliance to the minimum standards but understanding more fully how organisations can improve beyond the basics. This means foregoing basic compliance in favour of a more maturity-based approach to cybersecurity.
Building cybermature organisations requires maturation across all three perspectives of cybersecurity. It does not mean having the latest and greatest technology. While technology certainly plays a role in automating much of the security domain, it is actually other dimensions, namely people and process, where greatest levels of improvement are needed across the region.
Organisations are only ever as secure as their people. Each employee, no matter where they stand within an organisation, is often both the first and last line of defence. Better trained people, more cyber-focused skillsets, and a defined organisation-wide cybersecurity focus on improvement are three key means of improving organisational prevention, protection, and response.
Additionally, another area of focus should be improving the overall processes around cybersecurity. Many of the cybersecurity standards actually centre on the process aspect of the cybersecurity dynamic. Stronger governance, adherence to sound practises and procedures, and implementation of security first processes can ensure that systems and data remain secure while continued growth in digitisation and adoption of technologies like blockchain rapidly progress.
How will big data and blockchain technology impact the financial sector? What are the pros and cons of these technologies?
LZ: There is no doubt that big data, predictive analytics and blockchain technology in the financial sector (and beyond) have the potential to create a myriad of new services and a new frontier of business intelligence.
Deploying big data can fuel job creation especially for personnel with specialised skills such as data scientists, digital app developers, digital payment experts, and cybersecurity specialists. It can also fuel lateral job movements and a re-positioning of current jobs in the financial sector, whereby traditional counter clerk positions will transition to financial services analyst positions.
With the power of advanced data analytics, today's counter clerk will be able to proactively and predictively offer a customer the most personalised services required when that customer enters a financial centre, or over the phone or internet, based on data insights from that customer's financial behaviour.
This customer data will then allow institutions to benefit from data insights related to spending patterns, financial capabilities and income thresholds of customers. The more access to data, the better the ability to harness power to make customers more satisfied and employees more productive. These socio-economic benefits can lead to an increased customer base, a higher performing work force, and consequently to overall market growth.
Furthermore, data analytics capabilities will eventually allow for Data-Analysis-as-a-Service (DAaaS) offerings to different establishments: a merging of today's credit rating companies and financial institutions, for example. This will allow SMEs to benefit from the data-analytics revolution and become more relevant and prosperous in their services industry.
The challenges would lie in that with the creation of these new services, comes the need to support their development, marketing, provisioning and continuous enhancement, among other requirements, to support the creation of jobs across the current and future financial services value chain. If this is overlooked, the potential of these services will not be realised.
As for blockchain technology, it can offer support on a wide range of use cases for financial institutions, including trade finance, remittances, syndicated loans, loyalty programmes and KYC registries, to name a few.
Blockchain improves cost efficiency, durability and reliability, ensures transparency and speeds up transactions, while enhancing security and privacy. Due to its decentralised network, blockchain does not have a central point of failure and is better able to withstand malicious attacks. Changes to public blockchains are also publicly viewable by all parties, which ensures that all transactions are unchangeable.
The blockchain payment system will, however, come with challenges. An example of this is the persistent doubt on whether the blockchain can handle the speed, scale, and security required to process high volume payments. To cater to a significantly larger volume of transactions, high-end servers would need to be put in place, which could impact the potential cost savings of moving to a distributed ledger.
There is no silver bullet on selecting the right path to develop blockchain technology for financial services in the GCC region. What is clear though is that central banks and financial services players need to engage with the technology to understand, harness, and develop it appropriately to bring about the potential benefits it promises to both businesses and consumers.
© 2017 CPI Financial. All rights reserved. Provided by SyndiGate Media Inc. (Syndigate.info).
Source Citation
(MLA 8th Edition)
"Bringing cybersecurity management to another level." CPI Financial, 20 June 2017. Global Issues in Context, http://link.galegroup.com.prx-herzing.lirn.net/apps/doc/A505630529/GPS?u=lirn50909&sid=GPS&xid=98522427. Accessed 23 Jan. 2018.
Gale Document Number: GALE|A505630529
2018 IT security predictions--attacks, investment areas and cybersecurity strategies
CPI Financial.
(Dec. 5, 2017): News:
From Global Issues in Context.
Copyright:
COPYRIGHT 2017 SyndiGate Media Inc.
http://www.cpifinancial.net
Full Text:
It's that time of year again when we look back at what has motivated the market for IT security solutions in the last year, in order to develop our plans for the next year. With so many public exploits and data breaches, writes Morey Haber, VP, Technology, BeyondTrust, there is certainly no shortage of material to leverage! I have grouped my predictions into three categories: methods for major hacks, breaches and exploits; the business of cybersecurity - focus and investments; and offensive and defensive strategies.
Methods for major hacks, breaches and exploits
Prediction #1 - The bigger they are, the harder they fall
If we think the headlines, with news of major organisations getting breached, shocked us, we will learn that large organisations have poor cyber security hygiene, are not meeting regulations, and are failing to enforce the policies they developed, recommend, and enforce on others. Next year's news will have even more high-profile names.
Prediction #2 - Increase in mobile phone spam
With there being more mobile phones in most countries than there are citizens in those countries, mobile phone spam will rise 10,000 per cent due to automated spam and dialling 'botnets' that essentially render most phones unusable because they receive so many phone calls from unidentified numbers. This rise in phone spam pushes cellular carriers to start to require that end users adopt an "opt in" policy so only those in their contacts can call them.
Prediction #3 - Major increase in 'gaming deleteware' infections
'Gaming deleteware' infections across most major platforms will increase as botnets continuously attack gaming networks and devices such as Steam, Xbox, PlayStation, and Nintendo systems with the sole intention of rendering the machine inoperable. The malware is downloaded as an embedded game add-on, causing millions of devices to need to be replaced.
Prediction #4 - The first major Apple iOS virus hits within a popular "free" game
As users click on the 'ad' to play a game for free, their iOS11 device will be compromised, leaking all data stored in the local Safari password storage vault.
Prediction #5 - Continued growth in the use of ransomware and cyber-extortion tools
2017 has proven the model that vulnerabilities nearly 20 years old are being exploited in organisational networks (Verizon DBIR 2017), so the opportunity is too great and too easy for organised crime to ignore. Further, the commoditization of these tools on the deep web opens the door to anyone who feels the risk is worth the reward. This is likely to continue until organisations get the basics right and the risk/reward balance tips, making ransomware far less appealing.
Prediction #6 - More end-user targeting
Penetration through unpatched servers like in the case of Equifax will happen, but hackers will continue to target end users with more sophisticated phishing and targeted malware, taking advantage of unpatched desktops where clients have far too many privileges. Again, do not take your eyes off the end users.
Prediction #7 - Biometric hacking will be front and centre
Attacks and research against biometric technology in Microsoft Hello, Surface Laptops, Samsung Galaxy Note, and Apple iPhone X will be the highest prize targets for researchers and hackers. The results will prove that these new technologies are just as susceptible to compromise as touch ID sensors, passcodes, and passwords.
Prediction #8 - Cyberrecycling
As we see a rise in the adoption of the latest and greatest devices, we will see devices, and now IoT, be cyber recycled. These devices, including mobile phones, will not be destroyed, however. They will be wiped, refurbished, and resold even though they are end of life (EOL). Look for geographic attacks against these devices to rise since they are out of maintenance.
Category: The business of cybersecurity - focus and investments
Prediction #9 - More money for security, but the basics still will not be covered
Organisations will continue to increase spending on security and new solutions, but will struggle to keep up with basic security hygiene such as patching. Hackers will continue to penetrate environments leveraging known vulnerabilities where patches have existed for quite some time. Regardless of whether it is an employee mistake, lack of resources, or operational priorities, we are sure to see this theme highlighted in the next Verizon Breach report.
Prediction #10 - IAM and privilege management going hand-in-hand
Identity Access Management (IAM) and privilege management adoption as a required security layer will continue. We will see more security vendors adding identity context to their product lines. Identity context in NAC and micro-segmentation technologies will increase as organisations invest in technologies to minimise breach impact.
Prediction #11 - Greater cloud security investments
Vendors will begin to invest more heavily to protect cloud specific deployments for customers migrating to the cloud. Supporting Docker/containers, DevOps use cases, and enforcing secure cloud configurations are some initiatives that will be driven by customers.
Prediction #12 - Acceptance that "completely safe" is unobtainable
As 2018 progresses and more and more organisations accept that breaches are inevitable there will be a shift toward containing the breach rather than trying to prevent it. This doesn't mean abandoning the wall, but rather accepting that it isn't perfect, can never be, and shifting appropriate focus toward limiting the impact of the breach. Organisations will refocus on the basics of cybersecurity best practise to enable them to build effective solutions that impede hackers without impacting legitimate users.
Prediction #13 - Chaos erupts as the GDPR grace period ends
As organisations enter 2018 and realise the size of the task to become GDPR compliant by 25 May, there will be a lot of panic. This legislation seems poorly understood, which has led to many organisations tabling it for 'later' and, for many, they will wait until the first prosecution is underway before they react. The EU gave over two years, after GDPR passed into law (27 April 2016), for organisations to become GDPR compliant, so there is likely to be little tolerance for non-compliant organisations which are breached after 25 May and, more than likely, some example setting. Those who completed their GDPR compliance ahead of the deadline will be right to feel smug as they watch their competitors flail.
Category: Offensive and defensive strategies
Prediction #14 - Increased automation in cybersecurity response
The size of the cybersecurity threat continues to grow through 2018, with increasing numbers of attack vectors combined with increased incidence of attacks via each vector (driven by commoditization of attack tools) leading to massive increases in the volume of data being processed by cybersecurity teams. This demands improvement in the automation of responses in cybersecurity tools to do much of the heavy lifting, thereby freeing the cyber teams to focus both on the high-risk threats identified and in planning effectively for improvements in defences. Increased use of machine learning technologies and, from that, more positive outcomes will lead to a significant growth in this area.
Prediction #15 - Richer cybersecurity vision
As organisations' needs for more comprehensive cybersecurity solutions grow, so will the need for effective integration between the vendors of those technologies. This will lead to more technology partnerships in the near-term and eventually to industry-standards for integration in the longer term. The ability for systems to work with relatively unstructured data will allow for more effective information interchange and, as a result, far richer and more rewarding views across our cyber landscapes.
Prediction #16 - It is now law
Governments will begin passing legislation around cybersecurity and the basic management of IoT devices required for safe and secure computing.
© 2017 CPI Financial. All rights reserved. Provided by SyndiGate Media Inc. (Syndigate.info).
Source Citation
(MLA 8th Edition)
"2018 IT security predictions--attacks, investment areas and cybersecurity strategies." CPI Financial, 5 Dec. 2017. Global Issues in Context, http://link.galegroup.com.prx-herzing.lirn.net/apps/doc/A517415080/GPS?u=lirn50909&sid=G