Financial Services Sector the #1 Target of Cybercriminals*:
- A new report finds the most frequently targeted industry in 2016 was financial services – where attacks increased 29% year-over-year.
- More attackers are launching attacks on financial services institutions, which saw an increase in breached records, vulnerability disclosures, and DDoS attacks in 2016.
- Healthcare and retail targets can be profitable, but attackers targeting financial services are going straight to the source of the money.
- In 2016, financial services companies saw the number of compromised records skyrocket 937% to exceed 200 million.
- More than half (53%) of insider attacks come from "inadvertent actors" – employees compromised via phishing attacks – or from internal attacks originating on another networked system.
- Denial-of-service attacks and Web attacks are other top concerns; some businesses can afford to have their website go down for a day, but financial services organizations cannot.
- Financial services companies are advised to evaluate their cybersecurity “immune system” to find their weaknesses and are encouraged to ensure everyone only has access to information they really need.
- Businesses should also implement multi-factor authentication for all web applications.
- Employee training is also key – they should be taught to identify suspicious emails.
*Source: Dark Reading, May 01, 2017
Unsuspecting Iowans Fall Into Cyber-Attack Web*:
- Instances in which Iowans’ identities were stolen jumped a whopping 30 percent in one year, from a rate of 56 people for every 100,000 Iowans in 2014 to 73 a year later.
- Thefts via the digital world – most of which happen on the internet – are on the rise as the crime evolves with technology.
- Once inside a computer network, hackers can view documents and confidential data and use them for their own gain.
- The rate of thefts per 100,000 people is a standard measure that accounts for the population of the jurisdictions reporting crime data.
- Iowa recorded 2,214 impersonation reports in 2015, up from 1,371 in 2011.
- The vast majority of victims were individuals, but others were businesses, financial institutions, or governments.
- Regaining your own personal information is difficult, and can mean getting new credit cards or even a new Social Security number and changing banking information.
- The problem leaves banks and businesses with plenty of work to do, setting up firewalls and tests that consumers must pass to get into their systems.
- Iowa lawmakers face a challenge in legislating over crime in the internet's virtual world the same way they legislate over other crime, and bringing online identity thieves to justice is complicated.
*Source: The Gazette, April 30, 2017
Two-Factor Security is so Broken, Now Hackers Can Drain Bank Accounts*:
- Criminals have exploited a known flaw in how calls and text messages travel around the world to redirect a two-factor code for a person’s bank account.
- It has been known for years that a key protocol allowing global cellular networks to communicate with each other, Signaling System 7 (SS7), has vulnerabilities – and nobody really took them that seriously.
- Now, financially driven hackers are using the weakness to intercept text messages that deliver two-factor codes to bank customers to break in and empty their bank accounts.
- The attackers first try to get into a person's bank account armed with their username and password (possibly obtained from a previous breach).
- When a code is sent to a trusted device for two-factor authentication, the attackers intercept the call or text using equipment that costs around $1,000; then the attackers can use the code to get full access to the bank account and send money to any other account they want.
- Any text message based two-factor authentication might be at risk – social networking accounts, banking logins, and email accounts, to name a few.
- Nobody has fixed the vulnerabilities, likely because of the thought-to-be low risk for consumers versus a high cost and difficulty to fix, but that may have to change.
*Source: ZDNet, May 04, 2017
One-Third of Federal Agencies Reported Data Breaches in 2016*:
- One-third of federal government agencies reported experiencing a data breach in the last year, and 65% have experienced one in the past.
- Nearly all (96%) respondents consider themselves "vulnerable" to data breaches; about half (48%) state they are "very" or "extremely" vulnerable.
- Researchers found 61% of US federal respondents are increasing their security spend this year, which is an increase from last year's 58%, but still lower than healthcare (81%), retail (77%), and financial services (78%) industries.
- Federal respondents claim their data insecurity is primarily due to budget constraints and lack of staff.
*Source: Dark Reading, May 01, 2017
Leaked Documents Reveal How the Government Will Demand Your Data Under the Snooper's Charter*:
- Soon after the UK’s surveillance laws came into force at the end of last year, privacy campaigners launched a legal challenge to the bulk data collection allowed under the law.
- The government's expansion of the Investigatory Powers Act is now continuing with a series of proposals for communications firms that would allow for almost real-time surveillance and the removal of encryption.
- Draft technical regulations say telecom companies will have to provide “communications and secondary data” about a person “in near real time” if a warrant is obtained for collection of information about an individual.
- There is also the requirement that companies "provide and maintain" the ability to intercept communications from 1 in every 10,000 customers at once.
- UK comms companies will also have to “remove electronic protection” and provide information in “intelligible form” when requested with a warrant, which effectively refers to end-to-end encryption.
- The document containing the information is a draft, and has been provided to companies in the UK as part of a four-week consultation.
*Source: Wired, May 05, 2017
10 Cybercrime Myths that Could Cost You Millions*:
- Cybercrime is all over the place, with damages, according to one estimate by Cybersecurity Ventures, expected to double from $3 trillion in 2015 to $6 trillion by 2021.
- A criminal was supposedly able to pocket $121 million within just six months, netting $94 million after expenses in a prominent 2016 ransom attack.
- Too often people believe in the following myths that prevent them from building effective countermeasures:
  - Only large enterprises need to worry.
  - Threats are completely overrated.
  - Bad guys are always outsiders.
  - Companies are prepared to combat cybercrime.
  - I’d sign up for an insurance policy if I could.
  - All of our PCs are equipped with antivirus and encryption.
  - We have great firewalls and network security.
  - Millennials are digital natives and more cautious.
  - Strong passwords solve the issue.
  - We’ll be fine if we hire a few more capable IT security gurus.
*Source: Dark Reading, April 29, 2017
Last Year's ICO Fines Would be 79 Times Higher Under GDPR*:
- Fines from the Information Commissioner's Office (ICO) against British companies last year would have been £69m rather than £880,500 if the pending General Data Protection Regulation (GDPR) had been applied.
- As things stand, the ICO can apply fines of up to £500,000 for contraventions of the Data Protection Act 1998.
- Once GDPR comes into force in May 2018, there will be a two-tiered sanction regime – with lesser incidents subject to a maximum fine of either €10 million (£7.9 million) or 2 per cent of an organisation's global turnover (whichever is greater). The most serious violations could result in fines of up to €20 million or 4 per cent of turnover (whichever is greater).
- Using the current maximum penalty as a guide, a model was created to determine which tier each fine from 2015 and 2016 would fall into and what the likely maximum post-GDPR fine would be.
- Fines given to small and medium-sized enterprises could have been catastrophic – for example, Pharmacy2U’s fine of £130,000 would balloon to £4.4m, which is a significant proportion of its revenues and potentially enough to put it out of business.
- Most organisations will have to fundamentally change the way they organise, manage and protect data.
- Although the UK is leaving the European Union, compliance with the GDPR will still be mandatory for British firms that handle EU citizens’ data.
*Source: The Register, April 28, 2017