People Weak Link in Security Chain, Says New Report

If you pay any attention to infosec headlines, you’ve likely seen it’s once again that time of year when Verizon releases its Data Breach Investigations Report (DBIR). The 9th annual report was released yesterday and while much of it isn’t surprising, it is entirely disheartening.

A quick review of the findings shows that cybercrime continues to target what hackers obviously deem the weakest link in the chain,

Online extortionists reset Android PINs, take data on virtual drives hostage

In the last few years extortion has hit computer users, big time.

Consumers and businesses alike are finding themselves locked out of their computers, or prevented from accessing their valuable data, by ransomware attacks that demand a payment be made to online criminals.

But normally when these malicious attacks are described,

Ransomware – Now for Websites

Over the last several weeks I’ve written about ransomware primarily as it relates to individual machines or mobile devices. There is another very sneaky variant of ransomware which you should be aware of. It’s specifically crafted to hold websites hostage. It’s called RansomWeb. Its methodology is slow and diabolical, and I believe it’s out there silently working on websites today.

How Do You Protect Your Systems From Ransomware?

In my previous two posts How Does Ransomware Work? Part 1 and Part 2 I described the process ransomware goes through to get on your systems, encrypt your files, and collect your money. Like any malware, all of the steps in the process need to be successful in order for ransomware to work.

Sloppy password-less security left 1.25 million Japanese pension records exposed

Despite having rules and compliance regulations in place, Japan’s pension system has been hit by hackers who made off with over 1.2 million records containing personally identifiable information.

According to reports, staff weren’t obeying the rules – making it far too easy for criminals to access sensitive database records.

Infosec Haiku

Your information security haiku for this week

Cardinals v Astros
Moneyball Databases
Need Protection Too!

### Notes ###
* The Infosec Haiku has been on travel, so apologies for the inconsistent posts of late.
* Thanks to Ms. Etsuko vdH for the translation.

Gambling website Paddy Power took four years to tell 650,000 customers their data had been stolen

Yesterday, popular gambling website Paddy Power found itself admitting that it had suffered a serious data breach – the kind of position that no company ever wants to find itself in.

Not that you would know if you visited their website, of course. Because there’s no mention of the issue on the front page that their customers visit.

Data Breach Costs are Real, Not Unicorns

I recently ran across an interesting commentary by Heidi Shey, a Forrester analyst, entitled Pet The Unicorns And Think Of Protecting Customer Data As A Corporate Social Responsibility. Her main point is that relying on data breach cost numbers to justify security investments is “pretty useless.” She writes:

We do need to change our expectations for how we use [breach cost data] by understanding what we’re actually looking at (and what may be missing from this) when we see these types of numbers.

What Does the Target Breach Tell Us About DSS and POS?

In the final analysis, it is going to be Target’s customers that pay the price for this winter’s breach. OK, CIO Beth Jacob has fallen on her sword and departed; but that could hardly be avoided, and “this is a good time for a change” is hardly contrition. Apart from that, the innocent will pay while the guilty will escape.

POS System Pwnage

Perhaps there have been bigger breaches, but the Target breach in late 2013 certainly seems to have set off a firestorm. There are literally thousands of new online articles and posts every day covering the event – the who, what, where, when, and especially the how and “what now” aspects of the case – and we’re certainly not done with it.

Global Trends in Data Protection Maturity

The other day, coinciding with Data Privacy Day, we presented the results of our 3rd annual Data Protection Maturity survey. Here’s a quick recap.

In late 2013 we conducted an online worldwide survey of IT professionals to find out how much progress is being made in data protection. We had almost 400 completed responses from folks in organizations of all sizes (the 100-499 and 5000+ categories were better represented, at ~20% and ~25% respectively) and from across the world (with a majority in North America and EMEA).