Tag Archives: financial

What retailers need to know about cybersecurity

Annual global costs tied to destruction of data, intellectual property theft, lost productivity and fraud are on pace to reach $6 trillion by 2021. Here’s how retailers can avoid becoming a statistic. Cybercrime is big business — and retailers are squarely in the crosshairs. Cybercrime — the catch-all term applied to an ever-expanding range of digital assaults from malware to theft of personal data to distributed denial-of-service attacks (DDoS, i.e. coordinated traffic onslaughts on servers, systems or networks designed to make the target difficult or impossible for legitimate users to access) — is rapidly growing more common, more dangerous and more complex. Service interruptions from DDoS attacks alone surged 162% in 2016. Cybercrime is also growing more lucrative: Nearly 90% of all cyberattacks now involve financial or espionage motivations, according to the Verizon 2016 Data Breach Investigations Report. Corresponding annual global costs related to damage and destruction of data, intellectual property theft, lost productivity and fraud are on pace to grow from $3 trillion in 2015 to $6 trillion by 2021. While the second half of 2016 brought to light three of the largest data breaches ever recorded (two raids on web platform Yahoo that impacted at least 1.5 billion accounts combined; the other affecting about 412 million accounts across social network Adult Friend Finder), retailers in fact experience the most cyberattacks of any industry sector — about three times as many as the previous top target, the financial industry — information and communications technology firm NPD Group reports. The list of victims is long and ignominious, and includes Target, Home Depot, Eddie Bauer and Vera Bradley. The question isn’t if and when yet another retailer will fall victim in the weeks and months ahead, experts say, but simply where the wheel of misfortune will land next. “You’ll never be able to put up perimeters and defenses to stop the behavior of malicious attackers. Organizations need to accept the fact that if they’re not breached today, they likely will be breached at some point in the point in the future,” Paul Truitt, vice president of cybersecurity services at managed network solutions firm SageNet, told Retail Dive. “Getting ahead of the criminal and stopping them before they do what they’re going to do is a losing battle. But acting quickly and having the processes in place to respond what it does happen is achievable, and if every organization had that in place, we could significantly shorten the average data breach notification and identification, and also create much less juicy targets for the bad guys.” Threat assessment Retailers are like catnip to cybercriminals because of the wealth of customer data stored on their networks. While hijacking credit card account data has long been the primary objective — about 42 million Target shoppers had their credit or debit information stolen when the retailer was breached in late 2013 — thieves are also keen to acquire personal data like names, mailing addresses, phone numbers and email addresses. “There’s a lot of data around shopping habits and purchasing patterns now being stored by retailers — information they never had before,” Truitt said. “If you’re tying a loyalty program to a mobile payment program, those payment programs are bringing more sensitive data into the retail organization than in the past, and that’s what criminals are looking for.” The threat isn’t lost on retailers. Fully 100% of retail executives surveyed for the 2016 BDO Retail RiskFactor Report cited data privacy and security breaches as major business risks, up from 55% in 2011 and 26% in 2007. But according to Truitt, relatively few retailers have advanced their cybersecurity efforts beyond implementing the basic safeguards necessary to meet payment card industry (PCI) security standards. “[Cybersecurity] varies by retailer,” he said. “We still see a lot of retail organizations putting their eggs into the PCI basket. The feeling is that they’ve secured their organizations by meeting PCI compliance requirements, but in reality, the vectors of attack are outside what PCI mandates needs to be done. When you think about security programs focusing only on PCI at best, we’re going to see a lot of data continue to be exposed.” The media fallout and brand damage associated with past merchant data breaches (not to mention the legal costs and governmental penalties, which can run into the millions) are driving retailer cybersecurity awareness and investment, says Robert Horn, associate director at insurance and risk management solutions provider Crystal & Co. “Retailers have been forced to increase their cybersecurity because of the breaches we’ve had in the last several years. Your public perception takes a hit, there’s customer churn, and the fines and penalties are increasing,” Horn told Retail Dive. “Cybersecurity is getting much more attention from the C-suite. Before, just the IT director was involved. Now you’ve got legal, you’ve got corporate governance, you’ve got the CFOs and the CEOs wanting to know what’s going on.” But knowing what’s going on is easier said than done, because cybercrime evolves with mind-boggling speed. What began two decades ago with relatively simple viruses and website attacks hatched by malcontents seeking internet notoriety has rapidly mutated into discrete, laser-targeted and highly sophisticated offensives masterminded by thieves, hackers and extortionists motivated by financial gain. “There isn’t a single organization that can say they’re 100% secure,” Maarten Van Horenbeeck, vice president of security engineering at content delivery network Fastly, told Retail Dive. “But there are organizations that have the maturity and the smart people to say, ‘We understand what is happening, and we believe we know how to defend against it and how to protect our customer data.’” Personnel and protection Understanding what’s happening begins with identifying potential cracks in your armor. Verizon found that most attacks exploit known vulnerabilities that businesses failed to patch, despite software providers making patches available months or even years prior to the breach taking place. In fact, the top 10 known vulnerabilities account for about 85% of all successful exploits each year. Avoiding disaster also depends on recognizing the warning signs and criminal patterns: 95% of breaches and 86% of security incidents fall into nine established exploit patterns. Building a more secure retail business begins with smart personnel decisions. “The single biggest thing an organization can do today is hire the right people. There are so many technologies out there,” Van Horenbeeck said. “It’s like putting together a puzzle of the correct pieces to make sure you’re defending yourself against attack. You need to hire the right people who understand that puzzle, and who know how to make the organization as safe as possible.” Perhaps no retail security solution has generated more headlines and discussion than the fall 2015 shift from traditional “swipe-and-signature” credit and debit cards to chip-enabled EMV cards, a move designed in part to better protect consumers from escalating transaction fraud. While EMV (which takes its name from Europay, MasterCard and Visa, the three companies that created its chip-integrated standard) effectively blocks card cloning and other commonplace criminal tactics, its security innovations are limited to transactions where the physical card is present, meaning many cyberthieves are shifting their focus from brick-and-mortar stores to the web. That means retailers dependent on e-commerce must embrace software solutions including end-to-end software encryption, a method of secure communication that prevents hackers, internet service providers or any other third party from accessing, stealing or damaging cardholder data or other information during its transfer from one system or device to another. “Organizations that have made investments in EMV but did not invest in end-to-end encryption have a risk misperception,” said SageNet’s Truitt. “They believe they are secure, but they’ve only accomplished authentication of credit cards. They’ve accomplished nothing related to the security of the actual transaction. Many retailers that don’t have security teams internally, or that outsource their security fully and don’t have anyone with that knowledge in-house, has misinformed themselves about what EMV is doing. We’re going to see more organizations put fewer security controls in place and reduce some spend, because they think they have put the right security in place. But they’ve left themselves more exposed than they used to be.” Beyond the basics, retailers should also consider adopting data loss prevention solutions to help monitor, manage and protect confidential data wherever it’s stored or used, as well as emerging tools like advanced behavioral authentication (methodologies that monitor headquarters and store employees’ attributes and behaviors to prevent imposters from accessing infrastructure and data), data-mining and visualization techniques, and security response automation. There’s no time to waste. Experts anticipate cybercrime to continue to increase in the months to come, and warn that emerging technologies like the Internet of Things and advances in artificial intelligence present a multitude of new opportunities for attack. Only the strong will survive. “It’s hard to predict what new threats will come about,” said Horn. “[Security] all comes down to putting resources into cybersecurity teams. A bad breach can put you out of business.” Source: http://www.retaildive.com/news/what-retailers-need-to-know-about-cybersecurity/435567/

Original post:
What retailers need to know about cybersecurity

Trump must focus on cyber security

When Donald Trump takes the oath of office on Jan. 20, he’ll face an urgent and growing threat: America’s vulnerability to cyberattack. Some progress has been made in fortifying the nation’s digital defenses. But the U.S. is still alarmingly exposed as it leaps into the digital age. If the 45th president wants to make America great again, he needs to address this growing insecurity. Three areas — energy, telecommunications and finance — are especially vital and vulnerable. The government must commit itself to defending them. And it must recognize that the risks posed to all three are increasing as more and more parts of our lives are connected to the Internet. Start with energy. There is already malware prepositioned in our national power grid that could be used to create serious disruptions. It must be cleaned up. Last December, three of Ukraine’s regional power-distribution centers were hit by cyberattacks that caused blackouts affecting at least 250,000 citizens. The U.S. is just as vulnerable, because the malware used in that attack is widespread and well placed here. It would be a federal emergency if any region or city were to lose power for an extended period, and it could easily happen — taking down much of our critical infrastructure in the process. The government historically has taken steps to ensure the availability of communications in an emergency (for instance, the 911 system). It should do the same for power. In particular, Trump should direct the Federal Emergency Management Agency to use the Homeland Security Grant Program to improve cyber resilience at state and local power facilities. These efforts must be focused on removing malware and fielding better defenses, beginning with the highest-risk facilities crucial to the centers of our economic and political power. Next, protect telecommunications. The integrity our telecommunications system is essential for the free flow of goods, services, data and capital. Yet the U.S. is home to highest number of “botnets,” command-and-control servers and computers infected by ransomware in the world. Compromised computers are being used to launch paralyzing distributed denial of service (or DDoS) attacks against a wide range of companies. In October, such an attack knocked numerous popular services offline, including PayPal, Twitter, the New York Times, Spotify and Airbnb. Thousands of citizens and businesses were affected. To address this problem, the next president should start a national campaign to reduce the number of compromised computers plaguing our systems. This campaign should be managed like the Y2K program — the largely successful effort, led by the White House in tandem with the private sector, to fix a widespread computer flaw in advance of the millennium. With the same sense of urgency, the government should require that internet service providers give early warning of new infections and help their customers find and fix vulnerabilities. Just as water suppliers use chlorine to kill bacteria and add fluoride to make our teeth stronger, ISPs should be the front line of defense. Third, the U.S. must work with other countries to protect the global financial system. In recent years, financial institutions have experienced a wide range of malicious activity, ranging from DDoS attacks to breaches of their core networks, resulting in the loss of both money and personal information. In the past year, a number of breaches at major banks were caused by security weaknesses in the interbank messaging system known as SWIFT. The entire financial system is at risk until every connected institution uses better security, including tools to detect suspicious activities and hunt for the malicious software that enables our money to be silently stolen. The U.S. should work with China and Germany — the current and future leaders of the G-20 — to deploy better cyberdefenses, use payment-pattern controls to identify suspicious behavior and introduce certification requirements for third-party vendors to limit illicit activity. The Treasury Department should work with its global partners and U.S. financial institutions to set metrics and measure progress toward improving the trustworthiness and security of the financial ecosystem. All these problems, finally, may be exacerbated by the rise of the Internet of Things. As more and more devices are connected to the internet, it isn’t always clear who’s responsible for keeping them secure. Without better oversight, the Internet of Things will generate more botnets, command-and-control servers, and computers susceptible to ransomware. Flawed products will disrupt businesses, damage property and jeopardize lives. When medical devices can be subject to serious e-security flaws, and when vulnerable software in security cameras can be exploited to knock businesses off-line, government intervention is required. Manufacturers, retailers and others selling services and products with embedded digital technology must be held legally accountable for the security flaws of their wares. We need to put an end to the “patch Tuesday” approach of fixing devices after they’re widely dispersed. A better approach is an Internet Underwriters Laboratory, akin to the product-testing and certification system used for electrical appliances. Such a system could help ensure that internet-connected devices meet a minimum level of security before they’re released into the marketplace. Trump should make it clear in his first budget proposal that these four steps are vital priorities. The digital timer on our national security is ticking. Source: http://www.postandcourier.com/opinion/commentary/trump-must-focus-on-cyber-security/article_0bc1d57c-c88f-11e6-840b-13562fd923b9.html

Continued here:
Trump must focus on cyber security

Four evolved cyber-threats APAC organisations must pay attention to in 2017

US$81 million stolen from a Bangladesh bank. 500 million Yahoo! accounts swiped. A DDoS attack that brought down much of the internet. 2016’s cyber-attack headlines proved more than ever that companies have a visibility problem – they cannot see what is happening beneath the surface of their own networks. Based on Darktrace’s observations, the following predictions demonstrate the need for a new method of cyber defence – an immune system approach, to keep up with the fast-evolving threats that await us in 2017. 1. Attackers Will Not Just Steal Data – They Will  Change  It Today’s most savvy attackers are moving away from pure data theft or website hacking, to attacks that have a more subtle target – data integrity. We’ve seen ex-students successfully hack college computers to modify their grades. In 2013, Syrian hackers tapped into the Associated Press’ Twitter account and broadcasted fake reports that President Obama had been injured in explosions at the White House. Within minutes the news caused a 150-point drop in the Dow Jones. In 2017, attackers will use their ability to hack information systems not to just make a quick buck, but to cause long-term, reputational damage to individuals or groups, by eroding trust in data itself. The scenario is worrying for industries that rely heavily on public confidence. A laboratory that cannot vouch for the fidelity of medical test results, or a bank that has had account balances tampered with, are examples of organisations at risk. Governments may also fall foul of such attacks, as critical data repositories are altered, and public distrust in national institutions rises. These ‘trust attacks’ are also expected to disrupt the financial markets. An example of this is falsifying market information to cause ill-informed investments. We have already glimpsed the potential of disrupted M&A activity through cyber-attacks – is it a coincidence that the recent disclosure of the Yahoo hack happened while Verizon was in the process of acquiring the company? These attacks even have the power to sway public opinion. Hillary Clinton’s election campaign suffered a blow when thousands of emails from her campaign were leaked. An even graver risk would not be simply leaked emails but manipulation to create a false impression that a candidate has done something illegal or dishonourable. 2. More Attacks and Latent Threats Will Come from Insiders Insiders are often the source of the most dangerous attacks. They are harder to detect, because they use legitimate user credentials. They can do maximum damage, because they have knowledge of and privileged access to information required for their jobs, and can hop between network segments. A disgruntled employee looking to do damage stands a good chance through a cyber-attack. But insider threats are not just staff with chips on their shoulders. Non-malicious insiders are just as much of a vulnerability as deliberate saboteurs. How many times have links been clicked before checking email addresses? Or security policy contravened to get a job done quicker, such as uploading confidential documents on less secure public file hosting services? We can no longer reasonably expect 100 percent of employees and network users to be impervious to cyber-threats that are getting more advanced – they won’t make the right decision, every time. Organisations need to combat this insider threat by gaining visibility into their internal systems, rather than trying to reinforce their network perimeter. We don’t expect our skin to protect us from viruses – so we shouldn’t expect a firewall to stop advanced cyber-threats which, in many cases, originate from the inside in the first place. Just in the past year, immune system defence techniques have caught a plethora of insider threats, including an employee deliberately exfiltrating a customer database a week before handing in his notice; a game developer sending source code to his home email address so that he could work remotely over the weekend; a system administrator uploading network information to their home broadband router – the list goes on. Due to the increasing sophistication of external hackers, we are going to have a harder time distinguishing between insiders and external attackers who have hijacked legitimate user credentials. 3. The Internet of Things Will Become the Internet of Vulnerabilities According to IDC, 8.6 billion connected things will be in use across APAC in 2020, with more than half of major new business processes incorporating some element of IoT. These smart devices are woefully insecure in many cases – offering a golden opportunity for hackers. 2016 has seen some of the most innovative corporate hacks involving connected things. In the breach of DNS service Dyn in October, malware spread rapidly across an unprecedented number of devices including webcams and digital video recorders. In Singapore and Germany, we saw smaller but similar incidents with StarHub and Deutsche Telekom. Many of this year’s IoT hacks have gone unreported – they include printers, air conditioners and even a coffee machine. These attacks used IoT devices as stepping stones, from which to jump to more interesting areas of the network. However, sometimes the target is the device itself. One of the most shocking threats that we saw was when the fingerprint scanner that controlled the entrance to a major manufacturing plant was compromised – attackers were caught in the process of changing biometric data with their own fingerprints to gain physical access. In another attack, the videoconferencing unit at a sports company was hacked, and audio files were being transferred back to an unknown server in another continent. Want to be a fly on the wall in a FTSE100 company’s boardroom? Try hacking the video camera. 4. Artificial Intelligence Will Go Dark Artificial intelligence is exciting for many reasons – self-driving cars, virtual assistants, better weather forecasting etc. But artificial intelligence will also be used by attackers to wield highly sophisticated and persistent attacks that blend into the noise of busy networks. We have already seen the first glimpses of these types of attack. Polymorphic malware, which changes its attributes mid-attack to evade detection, has reinforced the obsoleteness of signature-based detection methods. What is emerging is a next generation of attacks that use AI-powered, customised code to emulate the behaviours of specific users so accurately as to fool even skilled security personnel. In 2017, we can expect AI to be applied to all stages of a cyber-attacker’s mission. This includes the ability to craft sophisticated and bespoke phishing campaigns that will successfully dupe even the most threat-conscious employee. Next year’s attacker can see more than your social media profile – they know that your 10am meeting with your supplier is being held at their new headquarters. At 9:15am, as you get off the train, an email with the subject line ‘Directions to Our Office’ arrives in your inbox, apparently from the person that you are meeting. Now, do you click the map link in that email? Source: http://www.mis-asia.com/tech/security/four-evolved-cyber-threats-apac-organisations-must-pay-attention-to-in-2017/?page=3

Originally posted here:
Four evolved cyber-threats APAC organisations must pay attention to in 2017

How to protect your business from DDoS attacks

Increasingly, IT teams find themselves on the front lines of a battle with an invisible enemy. Cyber-threats and attacks continue to increase, with the anonymous intruders breaching large and small enterprises alike. Even with the most robust security strategies in place, continuous vigilance is required just to keep up with the ever-evolving tactics of intruders. A report by Imperva states that the UK is now the second most popular target in the world for DDoS attacks. With attacks increasing both in frequency and complexity, what do security professionals need to know when it comes to DDoS? Mitigate and minimise damage At least once a week, there is news about successful businesses being disrupted by these attacks and those are only the ones that are reported – many smaller companies suffer from DDoS offenders that we just don’t hear about. The number of attacks rose by 221 percent over the past year – underlining the need for an active DDoS defence. DDoS attacks work by flooding a website or domain with bandwidth until it breaks down under the weight of traffic. The best way for companies to mitigate against these sort of attacks is to have an accurate overview of the traffic and data feeds in the network. By using real-time data analytics, threats can be detected at an early stage and re-routed to scrubbing centres – thereby neutralising the attack before it has had the chance to do any real damage. Long-term protection and prevention It is crucial that security professionals not only think about the short term tactics to minimise cyber-attacks but also consider long term infrastructure protection when it comes to managing security and preventing future DDoS attacks. Cloud-based managed security services are an important tool to protect against cyber-attacks as they are used by a multitude of services and Internet service providers – providing extra levels of security and making it harder for the DDoS attack to reach their intended targets. In most cases, it is best to err on the side of caution when it comes to cyber-security. Adopting a “zero trust” approach to threats minimises the risk of a potential breach. Earlier this year, we saw the reputational damage caused to a major UK bank when one of their payment websites was brought down by a suspected DDoS attack. The UK’s position as a global leader in financial services makes it a high-profile and potentially very rewarding target for would-be cyber-criminals. However, it is not just financial services companies who are at risk. The UK has a sophisticated and fast growing digital economy, it is expected to account for 12.4 percent of GDP in 2016 – a substantial amount of money and traffic across all industries with an online presence at risk of DDoS attacks. It is now more important than ever for security professionals to have real-time data analytics in their defensive arsenal to detect and neutralise threats early on. The shared aspects of cloud technology can benefit companies with their multiple layers of security in place that can deter potential future attacks. We have seen the financial and reputational losses that can arise from it and how these attacks can affect major UK businesses. Real-time data and a sophisticated infrastructure network, capable of re-routing and quelling dangerous activity is the best way of mitigating against this increasingly prevalent threat. Source: http://www.scmagazineuk.com/how-to-protect-your-business-from-ddos-attacks/article/526297/

Read the article:
How to protect your business from DDoS attacks

Group using DDoS attacks to extort business gets hit by European law enforcement

On 15 and 16 December, law enforcement agencies from Austria, Bosnia and Herzegovina, Germany and the United Kingdom joined forces with Europol in the framework of an operation against the cybercrimin…

More here:
Group using DDoS attacks to extort business gets hit by European law enforcement

NBN vaults Australia into global top-10 … DDoS attack sources

Or not, if you look at the numbers Australia has won the dubious honour of being named in the global top-10 DDoS sources, and in its quarterly State of the Internet report, Akamai reckons our tiny number of high-speed fibre broadband users are the cause.…

Visit link:
NBN vaults Australia into global top-10 … DDoS attack sources

Greater Manchester plod site targeted by nuisance DDoS attack

‘There will be more attacks today,’ attacker proudly tells El Reg The website for Greater Manchester Police was targeted by two Distributed Denial of Service (DDoS) attacks yesterday, which rendered the site unavailable for more than two hours. The operators of two Twitter accounts have claimed responsibility.…

Original post:
Greater Manchester plod site targeted by nuisance DDoS attack

NCA targeted by Lizard Squad in apparent DDoS revenge attack

There’s no skill in this, agency sneers The National Crime Agency’s website has been hit by a DDoS attack, in an apparent act of revenge for the body’s recent crackdown on users of Lizard Squad.…

See the article here:
NCA targeted by Lizard Squad in apparent DDoS revenge attack