A 2012 Security Incident Recap By The Numbers

Heidi Shey

Before we get too far along into 2013, I’d like to take a moment to reflect back on the events of 2012. Thanks to our friends at CyberFactors*, this is what we saw:

Overall

  • 1,468 (publicly reported) incidents. This includes everything from stolen laptops to external hacks to third party partners mishandling data to employees accidentally disclosing data via email.
  • 274,129,444 (known) records compromised. In the 608 cases where there was a record count reported, this was the total count. 

Types of data lost/compromised

  • Personally identifiable information (PII) was compromised in 53% of cases. This also includes credit card or bank account information, as well as medical or health insurance information.
  • Company confidential information (CCI) was compromised in 4% of cases. This includes things like proprietary intellectual property (IP), compensation data, business plans, corporate financial data, and information subject to a non-disclosure agreement with a third party. These types of incidents may not always be publicly reported, assuming that organizations are even aware that it has occurred or is happening. IP is a valuable asset, and must be protected
  • Governmental information was compromised in 42% of cases. This includes things like address, voting data, driver’s license numbers, state or Federal tax IDs, Social Security numbers, and passport information.
Read more

Security Vendors You Should Know

Heidi Shey

One of the really cool things about this analyst gig is that we get to field client inquiry calls – 30 minutes where we hop onto the phone to speak with our clients and answer their questions about the topics that we cover. As of the week before Christmas, analysts on the security and risk team have jumped onto over 300 inquiries so far this quarter when not on a plane or on site with a client (and this is a slow quarter given all the holidays!). Vendors are one topic that we discuss quite a bit with S&R pros because, let’s face it, there’s are vendors that are really good at marketing and there are also vendors that just haven’t shown up on your radar.

Research report ideas are often born from inquiries as we notice trends in the types of questions that are asked. As we continue to hammer out research agendas for 2013, we’re thinking of adding a new stream of research for our security playbooks: Vendors You Should Know. It would not be the same as a Forrester Wave which compares established vendors, but rather a report which highlights smaller, emerging vendors that are disrupting the existing market with a unique, innovative technology or service to solve a client’s painful challenge or perhaps alter current approaches to information security. It’s a report to recognize emerging vendors who raise the bar, but may not necessarily raise the most buzz. These would be living research documents that are updated periodically as market events and technological developments warrant changes.

S&R pros, does this type of research appeal to you? Which areas would you like for us to identify vendors you should know? What business and security challenges are you grappling with where you would like to see us profile emerging vendors that could help?

Categories:

Shoulder Surfing The Friendly Skies

Rick Holland

FAIL at 30,000ish feet 

When you fly nearly every week, you can get pretty bored on a plane.  When I am sick of working, playing games, or watching movies, my latest distraction is checking out laptop screens. Sometimes I'm curious what movie you are watching but other times I am interested in what type of confidential company information you are displaying for the world to see.  In the past few weeks I have seen the following types of information on my fellow flyer's screens:

  • End of year/end of quarter sales numbers
  • Disciplinary emails regarding employee peformance
  • Pre launch marketing information (which I presumed to be under embargo)
  • Competitive displacement information

Most of the time I suggest that my fellow traveler invest in a privacy screen, and most of the time they are receptive to the suggestion.  It really is astounding how many people don't spend the approximate $30 on one.  If your company doesn't issue them, I suggest you work to change that stance. World readable aren't the permissions you want on your laptop screen, time for chmod (UNIX joke).

Categories:

Expense In Depth And The Trouble With The Tribbles

Rick Holland

You remember the tribbles don't you? The cute, harmless looking alien species from the second season of the original Star Trek that turn out to be anything but benign. They are born pregnant and reproduce at an alarming rate. The tribbles threaten the ship, but fortunately Chief Engineer Montgomery Scott is able to transport all of the furry creatures to a departing Klingon ship.  The tribbles remind me of technology investments:

  • You start out small, but before you realize it the technology is everywhere and you are overwhelmed.  It ends up in places you never intended. 
  • Like the relaxing purr of the tribbles, the flashing lights of racks and stacks of gear gives us warm comfort at night 
  • Tribbles consume everything, just like the operational requirements of much of our technology investment: resources, budget, and productivity are all devoured.
Read more

How Do You Maintain Your Security Edge?

Heidi Shey

Keeping up with the threat and IT landscape, looking ahead to future technology and disruptive technologies, and keeping up with the regulatory landscape to identify what it means to your organization is no small task. It’s also not a technology issue, but one that involves your most valuable asset: people. S&R pros, call it maintaining your security edge: keeping skills fresh, encouraging new ideas to flow, and preventing the security group from getting stale and set in their ways and habits. Fail to invest in your people, and an exodus of talent will the least of your concerns as a new type of internal threat is born. A security team and an organization that maintains their security edge will be better equipped to protect the organization and its assets through better decision making at all levels.

I’m kicking off research on this topic in the coming weeks, and would love to hear what you think it means to maintain your security edge. My initial ideas approach the topic from three angles:

  • Individual security contributors. These are the folks that need to keep their skills fresh and network with peers. Consider opening up opportunities for them to take continuing education courses, achieve certifications, or attend conferences. Encourage participation in online communities or social networks to connect with peers.
  • The security group as a whole. This is where group think may occur, and lead to less than optimal decisions, especially if there hasn’t been much focus given to the development of individual security contributors. Bringing in new blood and a fresh perspective with an external advisor can be beneficial. Or, perhaps, engage in information sharing with other organizations where appropriate.
Read more

Categories:

Yes, Social Media Is Risky — Find A Way To Make It Work

Nick Hayes

We just published a report explaining all the risks inherent in the use of social media and presenting best practice tools and techniques to manage those risks effectively.

Social media is one of the top three concerns for enterprises in 2012, according to our recent Forrsights Security Survey, and it’s easy to see why: Malware, social account hijacking, data leakage, HR concerns, regulatory compliance — these are just some of the most frequently cited challenges. And with new social media gaffes coming up all the time, like KitchenAid’s offensive tweet during one of the US presidential debates, American Apparel’s Hurricane Sandy Sale, and news of Twitter user accounts getting hacked recently (as well as LinkedIn accounts earlier this year), companies have good reason to worry about their workforce having free, unrestricted access to social networks.

Here’s the problem: You can’t stop it. Sure, you can institute a zero-use policy and completely forbid your workforce from using social media at your company, but we found this is an impractical and ineffective solution.

Read more

The Forrester Wave: Email Content Security

Rick Holland

It is with great pleasure that I announce the completion of my first Forrester Wave™: Email Content Security, Q4 2012. I’d like to thank the research associates (Jessica McKee and Kelley Mak) who assisted me with this project. We performed a 47-criteria evaluation of nine email content security vendors. Given my background as a practitioner and solutions engineer, one of the key requirements to participate was unsupervised access to a demo environment. I had access to the environments throughout the evaluation process and found them to be a great option for validating features and “getting to know” the user interfaces. Here are some of the key findings:  

Email security is a critical component of your portfolio
Email is a key component of business processes within enterprises and must be secured. Despite the fact that email security is low on the spending priority list, it’s critical that organizations safeguard email. Email is a popular attack vector for targeted attacks, and HIPAA and PCI mandate that emails containing confidential data be secured.
 
Advanced capabilities differentiate vendor offerings
Vendors are delivering enhanced capabilities in response to the threat and compliance landscape. Big data analytics are leveraged to combat targeted attacks. Encryption capabilities have been improved and simplified. Channel DLP is now robust and feature-rich.
 
The delivery model is shifting
Read more

The Elephant And The Internet

Andrew Rose

A little while ago I bumped into a journalist friend at a trade conference. We chatted about the event to try and identify hot topics and trends from our discussions and supplier meetings, and both sat there deflated when the stories that came to the surface were the same old ones of fear-mongering around APT and “cyber” threats.

CISOs have a habit of missing the boat,” I said, thinking of how virtualization, social media, and consumerization had all crept into wide-scale adoption before many security teams had managed to turn their attention to them, “so, what topic should we be looking ahead to that CISOs are not talking about?” This question was much more interesting and we came to realize that the elephant that is currently pushing its way into the room is the Internet of Things (IoT).

My friend pointed out that he had raised this topic with several CISOs and was surprised at their lack of appreciation for the potential change that the IoT could bring to industry, consumers, and the Security & Risk (S&R) role — as the digital and physical world entwine, for example, we can envisage huge safety risks that the CISO would be best placed to address. We also decided that the stakes were surprisingly high, as the IoT has the potential to revolutionize technology innovation to such an extent that the eCommerce and social media bubbles will appear both sluggish and trivial by comparison.

Read more

InfoSec, Structural Engineering, And The Security Architecture Playbook

John Kindervag

Last year the country of Japan suffered a devastating disaster of unspeakable proportions. A massive earthquake on the eastern coast of the country triggered a deadly tsunami that caused the flooding of the Fukushima nuclear power plant. Three dominos fell at once, resulting in a significant and tragic loss of life and property. I visited Japan earlier this year. As I traveled throughout the Tokyo area, I couldn’t see any evidence of these disasters. I asked several residents of the city and all told me that the earthquake did not affect the rest of Japan very much. They all discussed how ready Japan was for earthquakes, having suffered many over the centuries. It was in Tokyo that I learned that not many people actually died as the result of the earthquake. Most of the deaths were the result of drowning in the flood waters created by the tsunami. Over and over again, the people I met wanted to talk about how well their buildings were designed to resist the destructive force of earthquakes.

In 2003 a much smaller earthquake struck Iran. Measuring 6.6 on the Richter scale, the Bam earthquake had much less energy but was more destructive than the 2011 Japanese earthquake, which had a magnitude of 9.0. (Data provided by United States Geological Survey.)

 

Date

Location

Magnitude

Deaths

12-26-2003

Southeastern Iran

6.6

31,000

03-11-2011

Read more

Risk Management & Business Technology Resiliency – What’s Changed Since 2009

Chris McClean

Guest post from Researcher Nick Hayes.

Take a second to think back to the year 2009. The US was in the thick of the financial crisis; companies were slashing budgets, and the unemployment rate was in double-digits. And do you remember a little thing called the “swine flu”? The World Health Organization (WHO) deemed the H1N1 strain of the swine flu influenza a global pandemic in June 2009. These were just some of the events top of mind for much of the nation and the broader global community three years ago.

2009 was also the year that the annual Forrester And Disaster Recovery Journal (DRJ) Survey focused on the role of risk management in business technology (BT) resiliency and crisis communications programs. Needless to say, the survey was fairly timely. Forrester found risk management was becoming a more common practice for business continuity teams, but that there was still more room for further collaboration with their risk management counterparts.

Fast forward three years, and the 2012 Forrester/DRJ survey is again focusing on the role of risk management in BT resiliency and crisis communications (you can take the 2012 survey by clicking here). A lot has changed since 2009 with a number of new events, technologies, and organizational challenges currently plaguing business continuity and risk management professionals.

Read more