A new report published this week by Trustwave SpiderLabs shows that the food and beverage industry was the main target for cyber criminals in 2011 and will likely continue to be a target in 2012.
In the "2012 Global Security Report" the food and beverage industry was singled out as the top target for cybercriminals for the second straight year. The industry made up 44% of data breach investigations conducted by SpiderLabs in 2011. The company's report is based on 300 data breach investigations and 2,000 penetration tests.
According to the report, the thieves targeted customer records, which made up 89% of the breached data investigated. The next targets were trade secrets or intellectual property.
"The food and beverage industry was the top target of our investigations. That may be surprising. Most people might think that banks and governments would be at the top of the list," said Nicholas J. Percoco, head of SpiderLabs.
"The criminal element wants to turn their criminal activity into money as quickly as they can. They go after the food and beverage industry because it tends to have high transaction volume. The criminals have found that those organizations have a low barrier to entry from an infiltration standpoint. Once they are in the environment, the lack of security awareness within those organizations affords them almost unlimited amounts of time to aggregate that data. They are then able to extract that data out of the environment and use it for fraudulent activities", said Percoco.
SpiderLabs found that restaurant franchises were the most targeted because they often use similar IT systems across all of their locations. Once a cyber criminal has breached a network, they can attack multiple locations with ease. More than one third of the company's investigations were with franchise operations. Things like USB protection are useful in protecting against data breaches.
Unfortunately, self-detection of compromises decreased in 2011 and only 16% of victimized organizations were able to detect the breach themselves. The remaining 84% relied on information reported to them after the breach was discovered by a third party entity: regulatory, law enforcement, or the public.
With the quick pace of technology and the changes that take place in current technologies, consumers often buy the next greatest smartphone, tablet or laptop as soon as it hits the market. Once the new device is plugged in and operating, the old phone, tablet or PC is put away in storage, given away or perhaps sold into the secondary market.
However, what happens to the information that was stored on the device? Often, the device isn't properly wiped to protect the sensitive information that would easily be accessible on it. Recently, Motorola sold refurbished devices that still contained personal information and data from the previous owners.
Here are some steps a consumer can take to protect themselves from a data breach once they no longer use or control their old device:
1. Change passwords frequently. If user data is somehow left intact after both the user and the manufacturer refresh a device, an additional way to help keep yourself protected is to change your passwords. For instance, change your e-mail, bank and other online account passwords each month. This way, even if somebody gets an old device that has data stored on it, they most likely will not be able to access the information.
2. Factory reset. This reset will remove all of the account information from all of the apps, remove user-downloaded apps, and return the device's software to an "as-new" condition.
3. Erase the memory card. This can be easy to forget. There is a small check box in the factory-reset procedure (but only some of the time) that asks if you would like to erase the memory card as well. Make sure you check it. That way, apps that you have moved to the memory card, as well as pictures, music files, documents, and so on, are erased. Better yet, pull the memory card out, put it into a PC and reformat it.
4. Encrypt your device. Not all devices offer encryption; where it is offered, it is available through the data security settings. The belief is that even when an encrypted device is reset to factory condition, any user data left on the device would be so jumbled as to be unusable.
Recently, a digital forensics company did an investigation and found that it is very easy to obtain sensitive information from old smartphones that are either sold as used or thrown away. This was also true even if the previous owner had utilized the factory reset.
The forensics company, Access Data, provided more details on what they found in an interview. In their estimate, 1 out of every 10 phones that have been recycled, resold or thrown away still contains data. The company did an in-depth digital forensics review of 5 randomly selected smartphones that were purchased on the secondary or used market. The phones varied by manufacturer and included an iPhone 3G, Sanyo 2300, HTC Wildfire, LG Optimus and an HTC Hero. Of the 5 that were reviewed, 2 had not been reset to the default factory settings. These two phones contained information on active account IDs and passwords, contacts, and calendar information, all very easy to locate.
All of the Android phones had been wiped, but four of the five phones included information that was still extractable with the right knowledge and tools. The company noted that all 5 of the used phones had some way to identify the location where the device came from either via the serial number or the old telephone number. Four of the five could easily identify the previous owner. Some of the data that was extracted included user account information, Social Security numbers, geo-location tags, deleted text messages and even a resume.
The forensic experts were able to use the geo-tags to get an exact latitude and longitude for the previous owner and find the street view of their home. Another phone revealed a Yahoo email account that the experts were able to log into via the handset using preset IDs and passwords.
Access Data noted that smartphones and tablets have fast become a nightmare not only for individuals but also for businesses that are concerned about data breaches. Even though these devices cannot store a great deal of information, they still contain very sensitive data that can be used to access more and more data and information, especially since the public at large and the business community have not adopted security measures for their mobile devices.
This is particularly troublesome for a business that has employees who use their own personal mobile devices to access the company's network. It is one thing for a company to attempt to wipe a company-owned asset of all data. However, it is very difficult for a company to ensure that an employee has wiped their mobile device before disposing of it, whether via the trash, resale or recycling. This is coupled with the rapid churn of devices, driven by incentives from the carriers or the advancement of technology that lures individuals to upgrade their device to the next best thing.
Organizations need to put a plan in place to address the best way to delete data before a device is replaced and to work with their employees to have their old devices wiped before they are disposed of in the secondary market. Utilizing aspects like USB encryption will help to deter data breaches.
The company Secure Data Sanitization (SDS) has become the first data security company in the United States to make its "Secure Erase" program mobile. In late November, the company took this program literally on the road to Idaho to demonstrate its capabilities. The first mobile processing units were tested at no cost to the Idaho Department of Health and Welfare. The program is able to wipe clean an outdated computer system. The test demonstrated that it could be 100% effective in permanently erasing hard drives for these older computers. It was also able to reset the computers to the original manufacturers' settings.
These new mobile units are available to travel to any location in order to help businesses effectively remove data from old computer hard drives. The program will sanitize the drive so that the equipment can be destroyed without risk of private information being taken at some point in the future.
The mobile program initiates the "secure erase" or "electronic data shredding" process. This process then permanently erases hard drives, resets them and provides proof in a report format. This new mobile system has attracted a great deal of attention, particularly among businesses that store large amounts of data. The company has already secured contracts to use the mobile program at businesses all over the world.
The Idaho Department of Health and Welfare was anxious to use the program, said Michael Farley, the IT administrator for the department. "In order to meet federal guidelines and regulations concerning HIPAA, IRS and SSA information, it's crucial that we have a secure and sound procedure for eliminating information from our PC systems before donation or destruction," said Farley. "Being able to have hard drives securely erased or destroyed on site is essential since it provides us one more layer of protection."
The company is poised to be very busy in the coming years with new federal and state laws that require businesses to securely erase private information. If this is not done properly, businesses in violation could face millions of dollars in fines, lawsuits and cleanup costs. SDS provides Certificates of Sanitization and Destruction, printed on-site, which guarantee compliance with state and federal laws. These certificates are backed by a $2 million insurance policy. USB protection is one way to ensure that data is safe.
As part of the service that SDS offers, they also give their customers the choice, after erasing the information, to either remarket the old systems or donate them to the non-profit organization Computers for Kids.
The consulting firm Forrester Research recently released a report with some surprising advice for businesses that suffer a data breach. The firm's report advises corporate security professionals not to immediately fix a security vulnerability following a data breach. The report suggests that, as at other crime scenes, you need to avoid destroying evidence that might be needed and very useful in the prosecution of cyber criminals.
The report, “Planning for Failure,” was written by Forrester's analysts. The research team makes a solid argument that rushing to fix security after a breach could be unhelpful in the long run. The report suggests, “You should determine if you wish to prosecute before you remediate. Things work differently in real life than they do on your favorite crime investigation show. Too often, companies clean up a breach and then determine later they wish to find and prosecute the perpetrator.”
The researchers explained in the report that in the majority of breach cases, the IT security managers should “make an investigation and prosecution decision instantly. You might need to keep a breached program operating in order to preserve evidence.” The report does point out that data breach forensics is a fairly new field and specialization. Good cyber crime investigators are in high demand. Specialists who have the skill sets should be brought in.
The report went on to describe and outline how to establish an incident response team and the kinds of information technology staff, business managers and legal aid who should be part of the process. The research firm recently did a survey of 341 enterprise IT decision makers in North America and Europe. They found that 25% of the decision makers said their company had suffered a data breach in the past year.
Some of the crime comes from inside the organization. If an employee steals data they have access to, there is little that can be done to stop it. Downloading files, sending by e-mail, printing and even screenshots can collect the data the criminals want, which may easily be passed on to the highest bidder. Of particular interest is the fact that 25% of criminals stole data that they don't have authorization to access.
In the case of encrypted USB flash drives, the way a criminal would steal the data on another employee's encrypted flash drive would be to obtain the employee's password by installing undetectable keylogging malware on the employee's PC. All encrypted USB flash drives that use software authentication rather than hardware authentication are prone to this type of insider crime.
Oliver David writes and contributes to Lok-it.net and other websites and has highlighted usb flash drive review and also secure usb flash drive review.
The White House is urging Congress to create and complete legislation that would defend the country's energy grids, economic networks and transportation systems from cyber hacker attacks.
Harold Schmidt, the White House Cyber Security Coordinator, recently wrote that since a legislative proposal was sent to Congress in May of 2011, there have been many data breaches and hacks cited. He said, "The time is ripe to make the proposal into law, and give the government and private sector the added tools necessary to fight people who would harm us."
The President's proposal outlined requirements for companies and state and local governments to report data breaches based on a new national standard. Furthermore, the proposed law would increase penalties for cyber crimes. It would also direct the Homeland Security Department to work with banks, utilities and transportation operators to create and implement plans to handle data/cyber security.
The U.S. Congress hasn't acted on the proposed legislation but is looking for other ways to get corporations and other agencies to be more diligent in protecting sensitive data and materials. Suggested approaches to infrastructure protection against hack attacks include using industry standards, providing incentives and limiting the amount of government oversight and regulation.
The White House is concerned that without a federal requirement to alert government officials when a serious intrusion takes place, there is a real possibility that both national and financial security will be at risk. The White House believes that the federal government needs to know what is happening when a company or government agency is hacked in order to take measures to bring the criminals to justice and to protect Americans.
Government officials in both Congress and the White House see the urgency of safeguarding sensitive and secure information, but disagree on the amount of government monitoring and regulation that is needed to keep the country's economic, utility and transportation systems and infrastructure protected from external cyber hackers.
Guaranteeing Information Safety: Probably The Most Difficult Work For Information Technology Experts
A ruined marriage or even an accident might be the most disastrous thing that could affect any individual. Yet a good many information technology experts believe that their inability to safeguard the information of the firm may be a lot more irritating for them than an unpleasant breakup or perhaps a small car accident. This is revealed in a recent study done by Websense.
More than 1,000 IT experts from different countries took part in this study, and their replies reveal that information security is among the greatest problems confronted by businesses today. Around 60% of participants thought that their business information is not very safe and may be jeopardized in the foreseeable future. More than 18% of the participants thought that starting a brand new career might be less demanding for them than being accountable for the safety of the business information.
Even though big institutions take safety steps to safeguard their information, there's always a possibility of information fraud. This may end up being really damaging for the success of the business and may make the lives of information technology experts really unpleasant. Such a scenario may be a lot harder for a person to deal with than any personal problem. Hence, around 10% of participants in this study thought that information protection problems may be a lot more demanding to deal with than a divorce process or broken relationships.
Previously, a lot of individuals and institutions had to deal with significant loss because of the thievery of the data. This is why sizeable institutions have independent IT groups to strengthen information safety in business. A lot of institutions also make use of sophisticated resources as well as applications to observe their devices and regulate their system data. This may reduce the potential risks of data thievery.
Data security is an extremely significant issue and it is so imperative that institutions around the globe are prepared to invest a lot of funds in guaranteeing the information as well as network system safety. These days, the funds allocated to safeguarding the company information is viewed as a good investment instead of a pointless expenditure. This USB flash drive review references a helpful encrypted flash drive to assist in these challenges.
In an interesting discussion at this year's Gartner Symposium, Gartner professional McGee provided some invaluable information regarding how various organizations should think in a different way and try to bring the required change inside their companies. McGee mentioned that chief information officers must take daring measures and alter the way in which things were done in the past. McGee pointed out lots of activities that must be removed from the regular information technology system to help make it more productive.
Let's discuss these activities in more detail. McGee stated that CIOs need to make certain that Information Technology finances are used in line with the CEO’s strategic aims. If certain IT plans aren't contributing to business success, then they must be identified as well as removed right away.
CIOs should make certain that their IT perspective is based on the goals established by the chief executive officer of the enterprise. McGee pointed out that many chief information officers use plenty of resources for huge plans that don't contribute to organizational growth for the long term. Today's IT budgets include money for new hardware, software and software licenses, upgrades to hardware, training, and data security (such as hardware authentication and USB encryption).
Thus, CIOs must ensure proper accountability for information technology spending. They must take actions to find as well as remove existing software that doesn't provide any kind of quantifiable benefit. For instance, quite a few establishments spend lots of funds on central management systems that don't do any good to the firms. McGee pointed out that IT must offer proper support to firms and stop causing disruptions in the business environment. He explained that instead of offering weaker help in the form of level 1 or 2 IT support, IT teams must concentrate on giving good quality service to organizations.
He also stated that IT teams must eliminate the chargeback programs that aren't practical. He said that chief information officers must stop delaying critical IT assignments and direct their time and efforts toward making a positive contribution inside the enterprise. McGee's recommended alterations are certainly required by today's business setting, where every single sector of the organization has to strengthen its output. Many firms have lowered their information technology budgets, and IT divisions have the additional job of giving extended support within reduced operating budgets. This particular objective could only be attained if CIOs take drastic actions to enhance IT productivity.
The article highlights the need for IT budget review processes in today's economic environment. Today's IT budgets include money for upgrades to hardware, training, and data security (such as hardware authentication and USB encryption). Reviews of various IT products such as flash drives would help IT budgeting.
A word of warning to those of you who rely on hardware-based encrypted USB flash drives. Security firm SySS has reportedly cracked the AES 256-bit hardware-based encryption used on flash drives manufactured by Kingston, SanDisk and Verbatim.
The crack relies on a weakness so astoundingly bone-headed that it's almost hard to believe. While the data on the drive is indeed encrypted using 256-bit crypto, there's a huge failure in the authentication program. When the correct password is supplied by the user, the authentication program always sends the same character string to the drive to decrypt the data, no matter what password is used. What's also staggering is that this character string is the same for Kingston, SanDisk and Verbatim USB flash drives.
Cracking the drives is therefore quite an easy process. The folks at SySS wrote an application that always sent the appropriate string to the drive, irrespective of the password entered, and therefore gained immediate access to all the data on the drive.
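The design flaw described above, modelled as an added example (not SySS's tool or any vendor's code): `FlawedDrive` releases its key on a fixed message, `KeyDerivingDrive` wraps the key under a password-derived value, and `unlock_is_password_independent` is the check a reviewer would run against either. The class names, the placeholder token and the XOR wrap (standing in for a real key-wrap cipher) are assumptions.

```python
import hashlib
import hmac
import os

FIXED_UNLOCK = b"CONSTRUCTED-UNLOCK-TOKEN"  # constructed placeholder, not a real value


class FlawedDrive:
    """Password is checked only by host software; the drive itself
    releases the data key whenever it receives one fixed string."""

    def __init__(self, password: str):
        self._host_pw_hash = hashlib.sha256(password.encode()).digest()
        self._data_key = os.urandom(32)

    def host_unlock_message(self, password: str):
        # Host-side comparison; the drive never sees the password.
        digest = hashlib.sha256(password.encode()).digest()
        ok = hmac.compare_digest(digest, self._host_pw_hash)
        return FIXED_UNLOCK if ok else None

    def device_unlock(self, message):
        return self._data_key if message == FIXED_UNLOCK else None


class KeyDerivingDrive:
    """Data key is stored wrapped under a key derived from the password,
    so the drive holds nothing that opens without that password."""

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        data_key = os.urandom(32)
        kek = self.host_unlock_message(password)
        # Toy wrap: XOR with 32 bytes of KDF output (assumption; a real
        # design would use an authenticated key-wrap cipher).
        self._wrapped = bytes(a ^ b for a, b in zip(data_key, kek[:32]))
        self._tag = hmac.new(kek[32:], self._wrapped, hashlib.sha256).digest()

    def host_unlock_message(self, password: str) -> bytes:
        # The message sent to the drive is a function of password and salt.
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, 100_000, dklen=64)

    def device_unlock(self, message):
        if message is None or len(message) != 64:
            return None
        tag = hmac.new(message[32:], self._wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):
            return None  # wrong password: nothing usable is released
        return bytes(a ^ b for a, b in zip(self._wrapped, message[:32]))


def unlock_is_password_independent(drive_cls) -> bool:
    """Review check: does the message that opens one drive also open a
    second drive that was set up with a different password?"""
    first = drive_cls("correct horse")
    second = drive_cls("battery staple")
    message = first.host_unlock_message("correct horse")
    return second.device_unlock(message) is not None
```

A design passes this review only when the check returns `False`, meaning the password actually contributes to what the drive needs before it releases the key.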
This is a big deal also from a point of certification. These drives are sold as meeting security standards making them suitable for use with sensitive US Government data (unclassified rating) and have a FIPS 140-2 Level 2 certificate issued by the US National Institute of Standards and Technology (NIST).
Vendors have had a mixed reaction to the news. Kingston has done the right thing and issued a recall. Verbatim and SanDisk have issued a statement and have updates available, but the threat is downplayed.
Bottom line, check your flash drives!
Source: ZDNet