Для тех, кто интересуется безопасным доступом к онлайн-играм, наш партнер предлагает зеркало Вавады, которое позволяет обходить любые блокировки и сохранять доступ ко всем функциям казино.

Travelers Stages Live Hack to Examine Realities of Cyberrisk

NEW YORK—Yesterday, Travelers hosted “Hacked: The Implications of a Cyber Breach,” a panel of the insurer’s top experts and outside consultants drilling down into the realities of the cyber threat.

According to Travelers’ brand new 2015 Business Risk Index, cybersecurity rose from the #5 threat in 2014 to the #2 threat perceived by business leaders, with 55% most concerned about malicious and criminal attacks.

In an exercise to show just how valid that concern it is, panelists Kurt Oestreicher, a member of the cyber fraud investigative services team at Travelers, and Chris Hauser, former Silicon Valley FBI agent and current member of the cyber fraud investigative services team at Travelers, successfully carried out a live hack. Using a fake website created for this demonstration, the experts staged an SQL injection attack—the same kind of attack as Heartbleed, these are still responsible for 97% of breaches. Using an open-source penetration testing program that Hauser described as “point and click hacking,” they easily found a way to tunnel into the site’s SQL database. The process of scanning for vulnerabilities and acting on a known exploit—in other words, conducting the actual, successful “hack”—took about two minutes, including the time Hauser spent talking the audience through the process.

The program used to conduct this hack was free, and the number of resources readily available for free or very low cost means that more everyday businesses will become victims as malicious actors face very few obstacles to attempt a hack. “As tools and techniques like this become more common, it becomes far easier to target small- and medium-sized businesses and that exposure increases, especially because there are such low costs up front,” said Oestreicher.

Every day in the United States, 34,529 of these known computer security incidents take place. Yet many go undetected, and a lot are willfully unreported. While larger breaches impact more records, the preponderance of breaches strike Main Street businesses, not Wall Street corporations. In fact, of those that are identified and reported, 62% of breaches impact small and medium-sized businesses, Travelers found. Increased awareness among this group has yet to translate into increased coverage, however. According to a survey by Software Advice, insurance penetration among this group hovers at just over 2%, a trend Mullen has seen in the field as well. “Only about 10% of those who should have that coverage actually do,” he said.

According to data from NetDiligence, those incidents that are covered by insurance break down as follows:

NetDiligence Cyberinsurance Claims by Business Sector

NetDiligence Cyberinsurance Claims by Data Type

With hefty fines, costly investigation and notification requirements, and possible lawsuits and class actions, the true costs rapidly spiral. According to Mark Greisiger, president of data breach crisis services and security practices company NetDiligence, the average cost of a breach is $733,000 for SMBs—before any possible lawsuits or fines. Per record, the cost ranges from 1 cent to $1,000, based on the type of information contained. The average legal settlement after such breaches is currently about $550,000. Yet these numbers primarily reflect incidents where insurance was in place. Without the trusted vendor agreements, for example, the cost of retaining forensic investigation services in the midst of a crisis can be up to three times higher, he reported.

Recovering from these incidents varies wildly by the type of records exposed, and the resources available to aid in the effort. “It’s a wild pain in the butt with insurance,” said breach coach John Mullen, a managing partner of the Philadelphia Regional Office and chair of the U.S. Data Privacy and Network Security Group at Lewis Brisbois Brisgaad & Smith. “Without insurance, it’s a small- and medium-sized business killer. The Main Street story is a $2 million bill and no business.”

In the 2015 Business Risk Index, Travelers also shared a more detailed view of preparedness among specific industries:

Business Risk Index Cyber Preparedness

Cyberattacks Targeting Big Companies Up 40%

Five out of six companies with more than 2,500 employees were targeted in cyberattacks in 2014, representing a 40% increase last year, according to Symantec’s annual Internet Security Threat Report. But by no means does that imply big businesses are the primary target: 60% of all targeted attacks struck small- and medium-sized organizations.

The spear-fishing and fraudulent email scams deployed in these hacks have also become more effective. Overall, 14% less email was used to infiltrate an organization’s network, yet 2014 saw a 13% increase in attackers as the cause of a data breach, and the total number of breaches rose from 253 in 2013 to 312 in 2014. This notable increase in precision is a clear indication that companies are not updating their defenses to match current threats.

Fortifying against cyberbreach continues to demand even more concerted effort as malicious actors grow more sophisticated, introducing more and better malware to their campaigns. “While advanced targeted attacks may grab the headlines, non-targeted attacks still make up a majority of malware, which increased by 26% in 2014,” Symantec reported. More than 317 million new pieces of malware were created last year, meaning almost a million new threats were released daily.

Changes in the top causes of data breach offer both good and bad news. While 13% more cyberbreaches were caused by attackers and breaches due to insider theft increased 3%, Symantec found that 15% fewer were due to accidental exposure, theft or loss.

Check out the infographics below for more of Symantec’s findings and insights on how hackers operate:

Symantec 2015 Internet Security Threat Report

Symantec Path of a Cyber Attacker

 

Improving IT Training Makes Cyberrisk Every Employee’s Responsibility

IT training cybersecurity

For many organizations, risk management spans four distinct categories – physical, financial, human and intellectual. When thought about in context, it’s easy to see how one risk area might impact another. An earthquake that takes down an office building, for example, has clear financial implications in the form of productivity downtime and the cost of building repairs. Given these seemingly easy correlations, it is baffling that so many businesses remain siloed when it comes to managing each area, especially given how it puts them at a higher risk as a result.

Unsurprisingly, these siloes create a lack of communication throughout an organization. Physical security, for example, can often be dealt with by facilities management teams, whereas financial risk is handled by the finance team.

buy cenforce online www.cappskids.org/wp-content/uploads/2023/10/jpg/cenforce.html no prescription pharmacy

Technology hackers are no strangers to this common, organization-wide breakdown – they prey on communication lapses when strategizing an attack.

The solution is simple: break down these siloes to minimize risk gaps. But, as with most pieces of advice, the steps required to achieve this are much easier said than done, especially when it comes to silo-busting in business. The trick is for an organization to use its employees to its advantage. With collaboration between departments and strengthening universal security training across every department, IT teams can make it much harder for hackers to execute coordinated attacks across the business.

Avoid Letting a Hyperlink Be Your Downfall

Email is the primary communication tool in business, and is also the platform that reinforces employees’ position as being both the biggest threat and biggest asset to risk management. Email also happens to be a commonly chosen route for hackers to take when infiltrating an organization.

Phishing attacks via email, for example, are underpinned by social engineering and can be targeted to specific employees and job functions. According to the August 2014 HP TippingPoint survey, State of Network Security, they are dealt with by nearly 70 percent of IT professionals at least once a week, and involve a hacker disguising a malicious link as one from a “trusted” sender. When clicked by the employee, the link can give hackers the ability to pivot within their target’s network and gain unprecedented access to an organization’s network and beyond. Once attackers breach a system like email, or trick the humans reading those emails into clicking a link, it’s easy for them to exploit the organization’s financial, intellectual and physical assets further.

For example, infrastructure attacks on building control systems, although not new, can now be perpetrated remotely over the Internet.

buy sildalis online www.cappskids.org/wp-content/uploads/2023/10/jpg/sildalis.html no prescription pharmacy

Malware attacks such as Flame, Duqu and Regin highlight how threat attacks are specifically targeted to control systems more and more often. As such, employing a security guard to take watch over an organization’s physical control system is no longer enough to keep outside attacks at bay.

Current IT Security Training is Failing

So, what’s an organization to do? Current training and prevention methods are lackluster, and many organizations still embody the “set it and forget it” method. It’s often assumed that once employees have been trained on IT security once, that’s all it takes. Or worse, IT security training is coupled with other training, thereby diminishing its value. For example, training on an organization’s fire evacuation procedure might be thrown in with IT security training during an employee’s induction sessions.

Organizations that do this are setting themselves up for failure. The IT department has implemented training in a way that works best for them, such as a webinar, PowerPoint or squeezed in with another training for time-saving purposes. This takes the place of training that is tailored to make the most sense for the employees.

How to Revitalize IT Security Training

The key to getting past common training slumps is by not only finding unique ways to train employees to help prevent breaches, but also by having them understand the impact a breach can have on other areas of the business, and even their own job.

Organizations must think outside the box and adopt the mindsets of both the employees and hackers to start making a behavioral change in their users. This includes tactics such as making training apply to specific job titles and departments, suggesting a job swap for a day so one department can learn another’s issues, or leveraging creative ways to remind employees not to click on suspicious links. This could include Christmas cards, SMSs or private social media groups and forums.
buy lipitor online https://royalcitydrugs.com/lipitor.html no prescription

But, IT security can be taken even a step further, being made an organization-wide campaign. How about taking after Facebook and making a game of it?  As reported by a director on the Facebook security team in November 2012, Facebook decided to put an end to dull employee cyber-security training with the launch of Hacktober in 2012. October is National Cyber Security Awareness Month, and throughout the month, Facebook’s cyber security team created a series of simulated security incidents that are targeted at specific internal departments, based upon the types of threats they are most likely to see. Employees that spot a Hacktober attack are rewarded with a prize, thus achieving the goal of being both educational and interesting.

Beginning with IT security to eradicate risk throughout the organization is only possible by approaching it from a human-interest angle. Humans are both the perpetrators and victims, and it’s time IT starts designing training that reflects that. Above all else, mitigating risk requires organization-wide support, including from the C-suite. Organizations can make quite an impact on prevention—not by spending a large budget on training, but by taking it back to their employees and helping them understand the ripple effect just one malicious email or link can have.

Guarding Against PoSeidon and Other Point-of-Sale Breaches

According to Cisco’s Security Solutions team, there is a new malware family targeting point-of-sale (PoS) systems, infecting machines to scrape memory for credit card information and send the payment card data to servers for harvesting and, likely, resale. This malware, which the group has nicknamed PoSeidon, works like this:

Unlike other PoS memory scrapers that store captured payment card data locally until attackers log in to download it, PCWorld reported, PoSeidon communicates directly with external servers and can update itself automatically, and also has defenses against reverse engineering.

PoS malware using the “memory scraping” technique also caused the Home Depot and Target data breaches. In the latter, hackers were able to save names, credit card numbers, expiration dates, security codes from the backs of cards and encrypted PINs when at least 40 million customers swiped at in-store registers.

“The new PoSeidon malware has retailers on alert, particularly as the frequency and relative ease with which POS system breaches are occurring is forcing them to take a closer look at their IT infrastructure and reassess how secure it actually is,” said Andrew Avanessian, EVP of consultancy and technology services at security firm Avecto. “It is also prompting many to ask, what will it take to get ahead of these attacks?”

Avanessian believes the answer is clear: a more defense-in-depth approach to security. “While perimeter technologies like firewalls can prevent against certain types of external attack, it cannot block malware that has already found its way onto endpoints within an organization,” he explained.

buy abilify online metabolicleader.com/p7pmm/img/jpg/abilify.html no prescription pharmacy

“With a multi-layered security strategy that incorporates solutions like patching, application whitelisting and privilege management, organizations can more effectively protect against the spread of malware, defending their valuable assets and ultimately their reputation.”

As I wrote in the March 2014 issue of Risk Management, the adoption of EMV chip technology presents one of the most promising ways to increase PoS security. Already common in Europe, EMV technology—named for its founders, Eurocard, MasterCard and Visa—utilizes embedded chips that, unlike magnetic strips, make it nearly impossible to counterfeit cards. In Europe, 81% of cards have EMV chips, and countries that have adopted the technology saw sharp declines in credit card fraud. Meanwhile, the United States accounts for 27% of worldwide credit transactions, but sees 47% of card fraud.

As organizations roll-out chip and pin technology across the country, these breaches may start to decline, Avanessian agrees, but he urges a more holistic approach to fighting PoSeidon and other PoS malware. “EMV (or chip-and-pin) will absolutely help stop card fraud, however, retailers should not become complacent and think this is the silver bullet they have been waiting for,” he said. “Yes it will help stop fraud once the details have been stolen, but it does not stop businesses from being breached. Companies gather a huge amount of data about their patrons, such as names and addresses, and this data is still valuable to fraudsters.

buy lexapro online metabolicleader.com/p7pmm/img/jpg/lexapro.html no prescription pharmacy

Unless retails take a multi-layer defense-in-depth approach to security, they will still get breached.”

To prevent consumers from losing and shopping elsewhere, Avanessian believes it is critical to evolve the means of combatting cyberattack just as the means of hacking has changed. “In our experience, retailers are still relying on antiquated ‘detection’-based technologies to keep the bad guys out. They all spent hundreds of thousands of dollars on detection, yet they still get breached,” he said.

buy arimidex online metabolicleader.com/p7pmm/img/jpg/arimidex.html no prescription pharmacy

“The world has changed, the players have changed, cyberattacks are now a trillion dollar industry—the approach has to change.”