When it comes to studies, surveys and reports sent my way that dissect various nuances of the cyber wild, my cup runneth over.
So, I’ve assembled a small grouping of revelatory proof points that convey the rising maliciousness made possible by the way we’ve chosen to live our digital lives–and also highlight specific cyber exposures that concern me greatly.
Some 72 percent of the security pros heading to the Black Hat USA conference in Las Vegas later this summer believe it is likely that they will have to respond to a major data breach in the next 12 months, and 25 percent said it is “highly likely,” according to Black Hat’s annual attendee survey.
Small wonder. Risk Based Security tallied 3,930 incidents for its 2015 Data Breach QuickView. This accounts for more than 736 million records stolen, surpassing the previous peak set in 2012. Clearly, the bad guys are continuing to operate with near impunity while the good guys continue their struggle to resolve a complex problem.
It can take years, and cost multi-millions, for companies to recover from a serious data breach. Deloitte’s Beneath The Surface Of A Cyber Attack study shows how ‘hidden costs’ represent 95 percent of the financial impact of a breach.
The wider fallout–loss of intellectual property, disruption to core operations, destruction of critical infrastructure–tends to play out over a long period of time, making financial modeling difficult, says Emily Mossburg of Deloitte & Touche’s Cyber Risk Services. Company decision makers need to broaden their damage-estimating models and consider “peanut butter spreading” of security spending to account for post-breach expenses.
Network breaches that escalate due to an intruder leveraging a privileged account remain all too common. Privileged accounts are the logons that give administrative access to laptops, servers, printers–any device with a microprocessor.
Some 22 percent of companies suffering a data breach reported compromised or abused credentials as the root cause, according to a poll of IT security professionals conducted by the Cloud Security Alliance. Much work needs to be done monitoring and controlling who can access sensitive systems, says John Yeoh, a senior research analyst at CSA.
Meticulous crafting of a spoofed email intended to fool a targeted CEO has become an art form. So-called spear phishing remains a primary way cyber spies get a foothold in networks to probe deeper and pilfer intellectual property. Meanwhile, some 22 percent of spear phishing attacks intercepted by PhishLabs in 2015 were found to be motivated by financial fraud.
One form uses a spoofed directive, purportedly sent by a senior exec, that is crafted to compel a subordinate into executing a large cash transfer into an account controlled by the attacker. This is referred to as a Business Email Compromise. A surge of BEC attacks has resulted in scammers stealing a stunning $750 million from more than 7,000 U.S. companies from October 2013 through August 2015, according to the FBI.
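As an added example (not from the original article or any firm it quotes), here is a small Python screen for the pattern just described: an executive’s display name on an address that is not theirs, a Reply-To steering answers to a different domain, and wire-transfer wording paired with urgency or secrecy. The executive directory and the two sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed executive directory; names, addresses and domains are hypothetical.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Wording typical of the "move money now" directive described above.
TRANSFER_TERMS = re.compile(r"\b(wire|transfer|payment|urgent|confidential)\b", re.I)

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs present in one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    findings = []
    # 1. Display name impersonates an executive but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("executive display name with non-matching address")
    # 2. Replies are steered to a domain other than the visible sender's.
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append("Reply-To domain differs from From domain")
    # 3. The message presses for a payment with urgency or secrecy.
    terms = {t.lower() for t in TRANSFER_TERMS.findall(text)}
    if len(terms) >= 2:
        findings.append("transfer/urgency language: " + ", ".join(sorted(terms)))
    return findings

def is_suspected_bec(raw_message: str) -> bool:
    """Hold the message for human review when two or more indicators coincide."""
    return len(bec_indicators(raw_message)) >= 2

# Constructed sample messages (not real traffic).
SPOOFED = """From: Jane Doe <jane.doe@examp1e-corp.test>
Reply-To: Jane Doe <ceo.office@freemail.test>
To: accounts@example.com
Subject: Urgent wire

Please process an urgent wire transfer today. Keep this confidential.
"""
LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Thursday

Are we still on for the budget review?
"""
```

The two-indicator threshold keeps a lone keyword match from holding ordinary finance mail; the spoofed sample trips all three checks while the genuine one trips none.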
Banks are under no legal obligation to make BEC attack victims whole. “Don’t expect your bank to be behind you,” observes Eduard Goodman, Chief Privacy Officer at my company, IDT911. “It’s caveat emptor. Because this is happening in a business setting, there is no protection … you’re out of luck.”
The opening quarter of this year saw a 7 percent surge in registration of websites set up exclusively to host ransomware campaigns, according to the Infoblox DNS Threat Index. Ransomware is cyber extortion: the attacker encrypts the victim’s data and demands a payment to restore access.
Millions of consumers have been hit with incessant pitches from a bogus antivirus scanning service to unlock their files. But now cyber extortionists have shifted to “industrial-scale, big-money attacks on all sizes and manner of organizations, including major enterprises,” says Rod Rasmussen, Vice President of Cybersecurity at Infoblox.
A new report issued this week (JULY 26) by Solutionary shows that the healthcare industry accounted for 88 percent of ransomware detections in Q2 of this year. Education and financial institutions were also targeted.
It’s all too clear the cyber wild will remain vibrant and dangerous for the foreseeable future. Stay alert.