Tag Archives: companies

[ISN] Survey: Nearly 1 in 4 IT firms suffered security breach

http://www.crainsdetroit.com/article/20150726/NEWS/307269992/survey-nearly-1-in-4-it-firms-suffered-security-breach By TOM HENDERSON Crain’s Detroit Business July 26, 2015 Twenty-three percent of executives at technology companies say their firms have suffered a security breach in the past 12 months, according to the national annual Technology Industry Business Outlook survey conducted by KPMG LLP, the audit, tax and advisory firm. Three-fourths of executives surveyed say their companies will spend between 1 percent and 5 percent of annual revenue on IT security in the next 12 months. “The survey findings on security are an important marker, since tech companies are the pacesetters in IT security. How much and where tech companies spend on IT security, and how successful they are, can serve as guides for all other industries,” Gary Matuszak, global chairman of KPMG’s technology, media and telecommunications practice, said in a release. The KPMG survey was of upper managers at 111 U.S.-based technology companies. Of the respondents, 54 percent were in companies with revenue of more than $1 billion a year, with the rest at companies with annual revenue between $100 million and $1 billion. […]




Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Privacy talk at DEF CON canceled under questionable circumstances

http://www.csoonline.com/article/2947377/network-security/privacy-talk-at-def-con-canceled-under-questionable-circumstances.html By Steve Ragan Salted Hash CSO July 12, 2015 Earlier this month, several news outlets reported on a powerful tool in the fight between those seeking anonymity online, versus those who push for surveillance and taking it away. The tool, ProxyHam, is the subject of a recently canceled talk at DEF CON 23 and its creator has been seemingly gagged from speaking about anything related to it. Something’s off, as this doesn’t seem like a typical cancellation. Privacy is important, and if recent events are anything to go by – such as the FBI pushing to limit encryption and force companies to include backdoors into consumer oriented products and services; or the recent Hacking Team incident that exposed the questionable and dangerous world of government surveillance; striking a balance between law enforcement and basic human freedoms is an uphill struggle. Over the last several years, reports from various watchdog organizations have made it clear that anonymity on the Internet is viewed as a bad thing by some governments, and starting to erode worldwide. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Meet the hackers who break into Microsoft and Apple to steal insider info

http://arstechnica.com/security/2015/07/meet-the-hackers-who-break-into-microsoft-and-apple-to-steal-insider-info/ By Dan Goodin Ars Technica July 8, 2015 In February 2013, Twitter detected a hack attack in progress on its corporate network. “This attack was not the work of amateurs, and we do not believe it was an isolated incident,” a Twitter official wrote when disclosing the intrusion. Sure enough, similar attacks were visited on Facebook, Apple, and Microsoft in the coming weeks. In all four cases, company employees were exposed to a zero-day Java exploit as they viewed a website for iOS developers. Now, security researchers have uncovered dozens of other companies hit by the same attackers. Alternately known as Morpho and Wild Neutron, the group has been active since at least 2011, penetrating companies in the technology, pharmaceutical, investment, and healthcare industries, as well as law firms and firms involved in corporate mergers and acquisitions. The developers of the underlying surveillance malware have thoroughly documented their code with fluent English, and command and control servers are operated with almost flawless operational security. The take-away: the threat actors are likely an espionage group in a position to profit on insider information. “Morpho is a skilled, persistent, and effective attack group which has been active since at least March 2012,” researchers from security firm Symantec wrote in a report published Wednesday. “They are well resourced, using at least one or possibly two zero-day exploits. Their motivation is very likely to be financial gain and given that they have been active for at least three years, they must be successful at monetizing their operation.” […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Healthcare Vendor Risk Management Programs Lagging, Says Study

http://healthitsecurity.com/news/healthcare-vendor-risk-management-programs-lagging-says-study By Elizabeth Snell healthitsecurity.com July 8, 2015 Healthcare vendor risk management programs can have a huge impact on a healthcare organization’s ability to keep sensitive data – such as patient PHI – secure. However, if a recent study is any indication, healthcare vendor risk management programs have room for improvement. The 2015 Vendor Risk Management Benchmark Study, conducted by The Shared Assessments Program and Protiviti, found that vendor risk management programs within financial services organizations are more mature than companies in other industries, such as insurance and healthcare. “Even the more optimistic assessments of the current state of vendor risk management indicate that significant improvements may be needed,” the report’s authors explained. “The time for progress and improvements in vendor risk management capabilities is now, particularly when considering that cyberattacks and other security incidents are very likely to continue increasing.” The survey interviewed more than 460 executives and managers in various industries. Respondents were asked to rate their organization’s maturity level in different areas of vendor risk management on a 0 to 5 scale, with 0 equal to “Do not perform” and 5 equal to “Continuous improvement – benchmarking, moving to best practices.” […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Why an Arms Control Pact Has Security Experts Up in Arms

http://www.wired.com/2015/06/arms-control-pact-security-experts-arms/ By Kim Zetter Security Wired.com June 24, 2015 SECURITY RESEARCHERS SAY a proposed set of export rules meant to restrict the sale of surveillance software to repressive regimes are so broadly written that they could criminalize some research and restrict legitimate tools that professionals need to make software and computer systems more secure. Critics liken the software rules, put forth by the US Commerce Department, to the Crypto Wars of the late ’90s, when export controls imposed against strong encryption software prevented cryptographers and mathematicians from effectively sharing their research abroad. At issue is the so-called Wassenaar Arrangement, an international agreement on which the proposed US rules are based. Other countries are in the process of developing their own rules around the WA, potentially putting researchers overseas in the same troubled boat as ones in the US. To clarify why people are alarmed about the WA and the proposed US rules, we’ve compiled a primer on what they are and why they could harm not only researchers and security companies but the state of computer security itself. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Why Cyber War Is Dangerous for Democracies

http://www.theatlantic.com/international/archive/2015/06/hackers-cyber-china-russia/396812/ By MOISÉS NAÍM The Atlantic June 25, 2015 This month, two years after his massive leak of NSA documents detailing U.S. surveillance programs, Edward Snowden published an op-ed in The New York Times celebrating his accomplishments. The “power of an informed public,” he wrote, had forced the U.S. government to scrap its bulk collection of phone records. Moreover, he noted, “Since 2013, institutions across Europe have ruled similar laws and operations illegal and imposed new restrictions on future activities.” He concluded by asserting that “We are witnessing the emergence of a post-terror generation, one that rejects a worldview defined by a singular tragedy. For the first time since the attacks of Sept. 11, 2001, we see the outline of a politics that turns away from reaction and fear in favor of resilience and reason.” Maybe so. I am glad that my privacy is now more protected from meddling by U.S. and European democracies. But frankly, I am far more concerned about the cyber threats to my privacy posed by Russia, China, and other authoritarian regimes than the surveillance threats from Washington. You should be too. Around the time that Snowden published his article, hackers broke into the computer systems of the U.S. Office of Personnel Management and stole information on at least 4 million (and perhaps far more) federal employees. The files stolen include personal and professional data that government employees are required to give the agency in order to get security clearances. The main suspect in this and similar attacks is China, though what affiliation, if any, the hackers had with the Chinese government remains unclear. According to the Washington Post, “China is building massive databases of Americans’ personal information by hacking government agencies and U.S. health-care companies, using a high-tech tactic to achieve an age-old goal of espionage: recruiting spies or gaining more information on an adversary.” […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] A disaster foretold — and ignored

http://www.washingtonpost.com/sf/business/2015/06/22/net-of-insecurity-part-3/ By Craig Timberg The Washington Post June 22, 2015 The seven young men sitting before some of Capitol Hill’s most powerful lawmakers weren’t graduate students or junior analysts from some think tank. No, Space Rogue, Kingpin, Mudge and the others were hackers who had come from the mysterious environs of cyberspace to deliver a terrifying warning to the world. Your computers, they told the panel of senators in May 1998, are not safe — not the software, not the hardware, not the networks that link them together. The companies that build these things don’t care, the hackers continued, and they have no reason to care because failure costs them nothing. And the federal government has neither the skill nor the will to do anything about it. “If you’re looking for computer security, then the Internet is not the place to be,” said Mudge, then 27 and looking like a biblical prophet with long brown hair flowing past his shoulders. The Internet itself, he added, could be taken down “by any of the seven individuals seated before you” with 30 minutes of well-choreographed keystrokes. The senators — a bipartisan group including John Glenn, Joseph I. Lieberman and Fred D. Thompson — nodded gravely, making clear that they understood the gravity of the situation. “We’re going to have to do something about it,” Thompson said. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Cybersecurity: A Global Legal Perspective For Hedge Funds

http://risktech-forum.com/news/cybersecurity-a-global-legal-perspective-for-hedge-funds Hedgeweek 11 June 2015 The House of Representatives passed a new cybersecurity bill – the Protecting Cyber Networks Act (PCNA) – to allow file sharing between government intelligence agencies and private companies and raise the overall awareness of hacking. This is just the latest chapter in what is fast becoming a key narrative within the US, where cybersecurity legislation is being rolled out to address the growing sophistication of cyber attacks. Hedge funds are now becoming a more pronounced target and to that end, lawyers are requiring to get on top of the issues to advise their clients accordingly. Ed McNicholas is a partner at Sidney Austin LLP in Washington DC. He confirms that he has just finished a treatise for the Practicing Law Institute, the aim of which is to provide a legal guide on cybersecurity. It is due to be published in June. “The law here is developing rapidly and one of the biggest things that hedge funds need to do is to ensure communication between their lawyers and their IT staff on this issue. The lawyers have, for a long time, considered it to be an IT issue but they need to get up to speed on this,” says McNicholas. McNicholas sees three big tasks facing lawyers. The first relates to managing the information assets of a hedge fund. These are highly specialised vehicles and as such an intellectual step needs to be taken by law firms in realising that this is not an issue that pertains solely to personal data. Hedge funds have significant intellectual property – trading algorithms, investor details, proprietary research etc. In relation to cybersecurity, it is important to identify those assets and understand where and with whom the manager shares those assets. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail