The Green Sheet Online Edition
November 28, 2011 • Issue 11:11:02
The cost of cyber attacks
The Ponemon Institute LLC's 2010 Annual Study: U.S. Cost of Data Breach found the average total per-incident cost of data compromises and similar attacks was about $7.2 million. Data breach incidents cost U.S. companies on average more than $4 million in lost business. Brand damage and customer loyalty and trust can be compromised beyond repair.
Unfortunately, too many companies are still unaware of this activity. The 2010 Verizon Data Breach Investigations Report found that weeks or months often go by before an initial attack is discovered. Around 34 percent of incidents take months to discover. Most companies find out from third parties.
Symantec Corp., sponsor of the Ponemon report, discovered 286 million new and unique threats in 2010 from malicious software, up from 240 million in 2009. In 2007, the company found the volume of harmful software in the world surpassed that of beneficial software.
Chinks in the armor
Issues constantly debated at security conferences are outsourcing and content management software (CMS). As publishers look for cost-cutting opportunities, outsourcing is often an attractive option.
Even when doing something as simple as hiring an email marketing firm, users should exercise caution, as these services are not immune to cyber attacks.
Stolen email addresses become problematic when combined with other stolen information that gives fraudsters the basics to steal identities. This can lead to phishing attacks to retrieve Social Security numbers, user IDs, passwords and PIN numbers.
Companies work hard to build quality customer service. While outsourcing is always an option, it is rarely successful. Many businesses do not realize that customer support is the Achilles' heel of a company. Customers will leave a business when they have been misguided by the support team.
Companies will undoubtedly see a decline in customers if they outsource customer support. They have more frustrated customers, reduced sales and an increase in cancellations.
Public Broadcasting System's website was hacked earlier this year through a security flaw in the site's content management system - one of many open source systems that have come under question. The use of open source CMS is appealing because of its low cost and flexibility.
The main issue with CMS is not the code but the fact that developers don't keep up with regular security updates and patches to correct bugs in the software. Hackers need only a slight vulnerability to be successful.
RSA breach update
In March 2011, a massive cyber attack on RSA, the Security Division of EMC Corp., exposed vulnerabilities in RSA SecurID tags. Some 300 command and control networks were used in this attack, nearly all of which were located in China. Many large companies may have been victimized as well.
On Oct. 24, 2011, computer security journalist and blogger Brian Krebs made public a list of 760 organizations that security experts reportedly said may have been compromised by the same control infrastructure used against RSA.
Krebs wrote that these experts shared their findings with congressional lawmakers and staffers. He noted, however, that many Internet service providers are on the list likely because their subscribers were hit. It is not known how many systems - if any - inside each company were breached, or if any information was stolen. And some of the companies listed have since denied that their systems were compromised.
The list supplied by Krebs included companies whose networks had been communicating with the same China-based control infrastructure that was used in the attack on RSA.
The list includes Cisco Systems Inc., Facebook, Google Inc., IBM Corp., the Internal Revenue Service, Massachusetts Institute of Technology, and the VeriSign division of Symantec.
The RSA data breach was a shock to the industry and received worldwide attention because it showcased the challenges organizations face in detecting and blocking intrusions from targeted attacks. The breach was followed by an attack in May on military contractor Lockheed Martin Corp.
Industry officials said Lockheed made the necessary security changes suggested by RSA after its attack. This included increased monitoring and the addition of another password to its remote login process. However, the hackers still were able to breach the network, prompting security experts to say the tokens themselves needed to be reprogrammed.
Since the RSA incident was disclosed, lawmakers have taken a renewed interest in Advance Persistent Threat (APT) attacks. APTs typically refer to routine attacks carried out by a group - usually a foreign government - over a long period. The attacks can be under the radar of the target companies and exploit system vulnerabilities.
Companies can resist APTs by training staff to recognize "social engineering" ploys - for example, emails that strive to convince employees to open attachments - and above all by quickly patching vulnerabilities as they become known.
Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at email@example.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.