Security Pros Struggle With Cyberthreat Angst
Security pros are worried that cyberthreats are falling through the cracks in their enterprise security systems, a recent survey suggests. However, the C-level execs in their companies don't seem to share their concerns. Seventy-five percent of the survey respondents said their companies' leaders didn't equate the loss of confidential data with a potential loss of revenue.
05/05/14 10:02 AM PT
As the volume and sophistication of cyberattacks increase, system defenders in the trenches are losing confidence in their ability to protect their organizations' information assets, suggests a survey released last week by Websense and the Ponemon Institute.
The survey of almost 5,000 global IT security pros found that more than half of them (57 percent) felt their organizations were unprotected from sophisticated cyberattacks and nearly two-thirds of them (63 percent) doubted they could stop the exfiltration of confidential information from their systems.
"These findings are eye-opening," Jeff Debrosse, director of security labs at Websense, told TechNewsWorld.
Although the organizations participating in the survey had security systems in place to fight threats, the security pros didn't have a lot of faith in their effectiveness. More than two-thirds of them (69 percent) said cyberthreats were falling through the cracks in their systems.
"That speaks volumes for where their confidence factor is today," Debrosse said.
What Worth Data?
The survey also found that nearly half the companies (44 percent) had experienced one or more substantial cyberattacks in the last year.
A majority of the organizations, though, had very little information about the nature of the attacks. Fifty-nine percent of the companies said they lacked adequate intelligence or were unsure about the impact of the attacks. Almost as many -- 51 percent -- noted their security solutions either couldn't tell them what the root cause of an attack was or were unsure what it was.
The security pros' concerns over data loss didn't seem to be shared by the brass in their organizations, based on the survey. More than three-quarters of the respondents (75 percent) said their companies' leaders didn't equate the loss of confidential data with a potential loss of revenue.
"There seems to be a disconnect here between the value the cybersecurity folks and their leaders are placing on data," Debrosse observed.
Easy Pickings in the Cloud
While data is often described as the family jewels of a company, many of them aren't treating it that way, according to another survey released last week by Thales E-Security on data encryption in the cloud.
That survey of 4,275 global business and IT managers found that 59 percent of their organizations store their sensitive or confidential information in the cloud without protecting it by encryption or any other means.
The high number could be explained by a misperception of the data's owners, Moulds noted.
"There's a slightly misguided view about responsibility. There's a sense that if you're using a cloud provider, then somehow that cloud provider is responsible for protecting your data," he said. "That's a bit misguided," continued Moulds, "because at the end of the day -- because of data breach laws and customer perception -- it's going to come back down to you."
Fear of encryption also may be contributing to why companies shy away from it.
"It can scare people," Moulds observed. "It can be complicated in some cases. It can slow things down, and if you lose the means to decrypt your data, it will remain scrambled forever."
Microsoft Breaks Cadence
With Patch Tuesday only two weeks away, Microsoft decided to trump efficiency with caution and release a patch for a bug discovered April 27 in all versions of its Internet Explorer Web browser.
FireEye had spotted the flaw, which sits in browser code that hasn't changed for close to a decade, being exploited in the wild in a number of targeted attacks by a group skilled in the use of advanced persistent threats.
In making the atypical move, Microsoft heeded the advice of security experts who urged rapid action.
"While this zero-day threat is not widespread yet and is only being used in targeted attacks, we can be confident that the developers of exploit kits are sharpening their pencils and that it won't be long before the exploit is widespread," Roger Thompson, chief emerging threats researcher at ICSA Labs, told TechNewsWorld before the patch was released.
Still, the release of the patch is no reason for a sigh of relief, added Lucas Zaichowsky, enterprise defense architect at AccessData.
"Undoubtedly, this vulnerability will go mainstream with mass malware once the patch is released and can be dissected to reveal the vulnerability," he told TechNewsWorld.
When it released the IE fix, Microsoft also showed some empathy for Windows XP users, who lost support for their version of the OS on April 8. It included a version of the patch for XP -- along with a reminder that maybe it was about time to upgrade to Windows 7 or 8.
- April 28. AOL confirms that its internal network was compromised the week of April 21, giving hackers access to about half a million email accounts. The accounts were used to send spam and malicious links to the contacts of the accounts' owners.
- April 28. Johns Hopkins University alerts 2,166 students who attended the school from 2007 to 2009 that files containing their names and Social Security numbers were stored on a server accessible by anyone on the Internet. Students are being offered a year of credit monitoring.
- April 30. Facebook announces it will allow users to limit the amount of information they give to websites or mobile apps when they use their Facebook credentials to log in to those sites or apps.
- April 30. Google announces it has stopped scanning the email accounts of students using its Google Apps for Education service. Google stopped pushing ads to students through the service in 2006, but it continued to scan their email to target ads at the students elsewhere online.
- April 30. Boston Medical Center fires transcription service after discovering records of about 15,000 patients were posted to the service's website, which is used by physicians, without password protection.
- April 30. Bob DeRodes appointed by Target to be its CIO. His predecessor, Beth M. Jacobs, resigned her post in March in the aftermath of a mammoth data breach at the retailer in which personal and payment card information of some 110 million customers was compromised.
- April 30. Canadian Privacy Commissioner releases report revealing that more than a million requests for customer information are made annually to the country's telcos by law enforcement agencies.
- May 1. White House releases report on Big Data recommending government regulation of how private companies use the data gathered from their online customers. Report also recommends adoption of a national data breach reporting law.
- May 1. Microsoft releases out-of-band patch for Internet Explorer zero-day vulnerability discovered earlier in the week by FireEye.
- May 1. Electronic Frontier Foundation files lawsuit against U.S. Department of Justice demanding government disclose key Foreign Intelligence Surveillance Court opinions and orders to learn more about the government's mass surveillance programs.
- May 2. Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, discovers vulnerability in two popular open source software programs, OAuth and OpenID. Flaw allows attacker to steal credentials and redirect visitors to a malicious website when they log in to their intended destination.
Upcoming Security Events
- May 7. The Security of Things Forum. 8 a.m.-4 p.m. ET. Sheraton Commander Hotel, 16 Garden St., Cambridge, Mass. Registration: $125, plus $4.12 fee.
- May 7. Introduction to FIDO standards. Noon, ET. Webinar. Free.
- May 9-10. B-Sides Boston 2014. New England Research & Development Center, Kendall Square, Cambridge, Mass. Fee: $20.
- May 9-10. B-Sides Algiers 2014. Ecole Nationale Supérieure d'Informatique, Oued Smar, Algiers. Free.
- May 10. B-Sides San Antonio 2014. Texas A&M, San Antonio-Brooks City Base. Fee: $10.
- May 13. Kansas City SecureWorld Expo. Kansas City Convention Center, 301 West 13th Street #100, Kansas City, Mo. One Day Pass: $165; SecureWorld Plus, $545; exhibits and open sessions, $25.
- May 15. Applying Machine Learning to Network Security Monitoring. 2 p.m. ET. Black Hat webcast. Free with registration.
- May 17. B-Sides Nashville 2014. Lipscomb University Campus, Nashville, Tenn. Free.
- May 17. B-Sides New Orleans 2014. Hilton Garden Inn, New Orleans Convention Center, 1001 South Peters Street, New Orleans. Fee: $10.
- May 17. B-Sides Cincinnati 2014. Main Street Theater, Tangeman Hall, University of Cincinnati, Cincinnati. Free registration, pizza and beer.
- May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- May 21. Houston SecureWorld. Stafford Centre, 10505 Cash Road, Stafford, Texas. One Day Pass: $165; SecureWorld Plus, $545; exhibits and open sessions, $25.
- June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
- June 5. Portland SecureWorld. DoubleTree by Hilton, 1000 NE Multnomah, Portland, Ore. One Day Pass: $165; SecureWorld Plus, $545; exhibits and open sessions, $25.
- June 6-7. B-Sides Asheville. Mojo Coworking, Asheville, NC. Fee: NA.
- June 6-7. B-Sides Cape Town. Dimension Data, 2 Fir St., Cape Town, South Africa. Fee: NA.
- June 14. B-SidesCT. Quinnipiac University-York Hill Campus, Rocky Top Student Center, 305 Sherman Ave, Hamden, Conn. Fee: NA.
- June 18. Cyber Security Brainstorm. Newseum, Washington, D.C. Registration: Government, free; through June 17, $495; June 18, $595.
- June 20-21. Suits and Spooks New York City. Dream Downtown hotel, 355 West 16th St., New York City. Registration: Before May 6, $299; after May 6, $549.
- June 21. B-Sides Charlotte. Sheraton Charlotte Airport Hotel, 3315 Scot Futrell Dr., Charlotte, NC. Free.
- June 21-30. SANS Fire. Hilton Baltimore, 401 W. Pratt St., Baltimore. Courses: by April 30, $1,249-$4,695; by May 14, $1,249-$4,845; after May 14, $1,249-$5,095.
- June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- June 27-28. B-Sides Manchester (UK). Reynold Building, Manchester University (M1 7JA). Free.
- Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595.
- Aug. 7-10. Defcon 22. Rio Hotel & Casino, Las Vegas. Registration: $220.
- Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
- Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
- Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.