Big Businesses Walloped With Climbing Cybercrime Costs
In just two years the number of successful cyberattacks has doubled, said Michael Callahan, vice president for product and solution marketing for HP Enterprise Security. "You might expect the number of attacks to increase with the proliferation of botnets, but it's amazing that so many are successful, given the amount of attention that's being paid to security."
Oct 8, 2012 5:00 AM PT
Cybercrime costs continued to climb in 2012 according to a report released Monday by the Ponemon Institute.
The study of 56 large organizations showed that the average annualized cost of cybercrime for the businesses was US$8.9 million a year, compared to $8.4 million a year ago. Losses for the firms ranged from $1.4 million to $46 million.
Cyberattacks have become common occurrences, the study said. The businesses in the study were subjected to a combined 102 successful attacks per week, or 1.8 successful attacks per company per week.
"In just two years the number of successful attacks has doubled, which is pretty incredible when you think about it," Michael Callahan, vice president for product and solution marketing for HP Enterprise Security, which sponsored the study, told TechNewsWorld.
"You might expect the number of attacks to increase with the proliferation of botnets, but it's amazing that so many are successful, given the amount of attention that's being paid to security," he said.
One reason for the increase in successful attacks may be the sophistication of the attackers, according to Larry Ponemon, founder and chairman of the Ponemon Institute. "Some of the attacks have become much more complex to identify, much more stealthy," he told TechNewsWorld.
In addition, malicious insider attacks are occurring more frequently, he added. "Malicious insiders, working with external parties, can cause enormous amounts of damage, and when they're detected, they're hard to contain and remediate."
Hackers Attack White House
A spear-phishing attack on a White House computer network that did not contain classified information came to light last week. "These types of attacks are not infrequent and we have mitigation measures in place," an unnamed White House official was quoted as saying.
"In this instance the attack was identified, the system was isolated, and there is no indication whatsoever that any exfiltration of data took place," the official continued. "Moreover, there was never any impact or attempted breach of any classified system."
News of the attack broke on Sep. 30 when the Washington Free Beacon, a conservative online news outlet, reported that hackers linked to the Chinese government broke into a computer network used by the White House military office for nuclear commands.
Citing an official familiar with the incident, the Free Beacon maintained that the breach was one of China's "most brazen cyberattacks against the United States and highlights a failure of the Obama administration to press China on its persistent cyberattacks."
One security analyst, however, didn't find the spear-phishing attack on the White House that bold at all. "I don't think it's a sign they're getting bolder," Ira Victor, a digital forensics analyst with Data Clone Labs, told TechNewsWorld. "They've been this bold before."
It's going to get worse, he contended. "There are hundreds of thousands of fledgling keyboard hawks now being groomed by the Chinese government to break into systems," he said.
A major international crackdown on scareware scammers was launched last week by the U.S. Federal Trade Commission. The agency targeted six companies in India selling phony technical support services to English-speaking countries, including the United States, Canada, Australia, Ireland, New Zealand and the United Kingdom.
According to the FTC, some of the scammers cold-called consumers posing as representatives from legitimate companies, such as Dell, Microsoft, McAfee and Symantec. They told the consumers that malware had been detected on their computers and then offered to remove it for fees ranging from $49-$450.
In addition to the "boiler room" tactic used by five of the firms, a sixth used ads placed on Google search pages to sell its bogus services.
To elude scam fighters, the phony malware removers used 80 different domain names and 130 different phone numbers, the FTC said.
"The FTC has been aggressive -- and successful -- in its pursuit of tech-support scams," FTC Chairman Jon Leibowitz said in a statement. "And the tech-support scam artists we are talking about today have taken scareware to a whole other level of virtual mayhem."
- Oct. 1: McAfee and the National Cyber Security Alliance released a survey in which 26 percent of Americans say they've been told that their personal information may have been exposed by a data breach.
- Oct. 1: California attorney general announces that Blue Cross of California agrees to pay $150,000 to settle lawsuits resulting from a data breach that compromised the personal healthcare information of 33,756 of its members.
- Oct. 2: Cybersecurity company Prolexic reports that widespread DDoS attacks on U.S. financial institutions in September were powered by a toolkit called "itsoknoproblembro." According to the company, use of the tool in conjunction with sophisticated attack methods shows that the attackers are familiar with common DDoS mitigation methods.
- Oct. 3: Web security firm Blue Coat reports that malicious botnets have increased 200 percent in the last six months. It also predicted that two thirds of all malicious cyberattacks this year will be perpetrated by such malnets.
- Oct. 3: Researchers at Trusteer reveal a new type of Man-in-the-Browser attack that is website independent. According to the researchers, the new form of attack speeds up how data is stolen and allows cybercriminals to inflict more damage before they're discovered.
- Oct. 3: Computerworld reports a hacker group calling itself Team GhostShell breached the servers of more than 100 major universities around the world and published 120,000 records from those computers on the Internet. Hackers said their action was aimed at focusing attention on failing education standards around the world.
Upcoming Security Events
- Oct. 7-13: Forensics Prague 2012. Angelo Hotel, Prague, Czech Republic. Sponsored by SANS. Course prices range from Euro 650 to Euro 3,895.
- Oct. 9-11: Crypto Commons. Hilton London Metropole, U.K. Discount registration (by Sept. 12): Pounds 900. Standard registration: Pounds 1,025.
- Oct. 16-18: ACM Conference on Computer and Communications Security. Sheraton Raleigh Hotel, Raleigh, N.C.
- Oct. 18: Suits and Spooks Conference: Offensive Tactics Against Critical Infrastructure. Larz Anderson Auto Museum, Brookline, Mass. Attendance Cap: 130. Registration: Standard, $395 (by Oct. 17).
- Oct. 18: NAC-As-A-Service: What, Why and How. 12 noon ET. Webcast. Sponsored by ForeScout Technologies.
- Oct. 18: Defensive Tools Workshop: ModSecurity Quick-Start Overview. 3 p.m. ET. Black Hat webcast. Free. Sponsored by FireEye.
- Oct. 20-21: Ruxcon 2012. Melbourne, Australia. Registration: AUS$350.
- Oct. 21-24: FS-ISAC Summit. Lansdowne Resort, Leesburg, Va. Limited to actual financial services practitioners. Registration ranges from US$165-$1,750.
- Oct. 22-23: Cybersecurity Conference. Grand Hyatt, Washington, D.C. Managed by 1105 Media. Expo Admission: Free. Conference Registration: US$295 for government employees; US$495 for others.
- Oct. 22-25: eCrime 2012. El Conquistador Resort & Conference Center, Las Croabas, Puerto Rico. Sponsored by the Anti-Phishing Work Group (APWG). Registration US$575.
- Oct. 25-31: Hacker Halted Conference 2012. Miami, Fla. Sponsored by EC-Council. Registration: $2,799-$3,599.
- Nov. 3-6: Information Security Forum Annual World Congress. Chicago.
- Nov. 14: How to choose the right authenticator to meet the CJIS requirement for advanced authentication. 1-2 p.m. ET. Free webinar. Sponsored by Entrust.
- Dec. 3-7: Annual Computer Security Applications Conference. Orlando, Fla. Registration is now open.