
Risk Based Security’s 2013 Data Breach QuickView Report

The following was provided by my friend Jake Kouns of Risk Based Security, a leading-edge security and threat intelligence company that provides comprehensive vulnerability and data breach intelligence services. Thanks Jake.


We are pleased to release our Data Breach QuickView report that shows 2013 broke the previous all-time record for the number of exposed records caused by reported data breach incidents. The 2,164 incidents reported during 2013 exposed over 822 million records, nearly doubling the previous highest year on record (2011).

Although overshadowed by the number of exposed records, 2013 is also ranked #2 in total reported data breach incidents, just behind 2012. “When you analyze the data breach activity in 2013 it’s hard to find any bright-side,” said Barry Kouns, CEO of Risk Based Security. “Four of the ‘Top 10’ data breaches of all time were reported in 2013, including the top spot.”


Cyber Liability Insurance: The Value of an Educated Broker in the Age of E-Commerce

Introduction: Insurance Products for Cyber Risks

Media reports of cyber intrusions, data thefts and computer system malfunctions involving large, high-profile companies such as Sony PlayStation, Citigroup and Lockheed’s Security Vendor, RSA, have led a rapidly growing number of companies to consider the necessity of insurance coverage for technology and cyber privacy risks. As these businesses become more reliant on electronic communication and data storage, they are also developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. Consequently, prospective policyholders are becoming more cognizant of the necessity for insurance covering these exposures.


Canadians More Exposed Than One Would Think

Okay. Let’s start with the obvious. No, this has nothing to do with Canadian citizens and immigrants behaving badly, although that may be a topic for a future post.

What we’re talking about is the prevalence of cyber-related incidents and the resulting fallout among Canadian-based companies. And the numbers may surprise you.


Identity Theft: A Christmas Poem Revisited

Regular Cyberinquirer readers may recall the following holiday poem by Amanda Lorenz. Like the Yule Log, we here at Cyberinquirer Central have decided to republish Amanda’s poem on an annual basis at holiday time, barring extenuating circumstances. Hope you agree that it remains fresh and timely. In any event, enjoy! And happy holiday season from your friends at Cyberinquirer.

Twas the month before Christmas and all through the house,
All the children were networking with the click of a mouse.
Cyber thieves were nestled all snug in their chairs,
Waiting for shoppers to unknowingly share.
As I shopped for him and he shopped for me,
The thieves stole our money and our financial history.
We did not even realize that this information was taken,
And we thought the denial of our credit card was mistaken.
Using Phishing or SMiShing and hacking the links,
Our private information was retrieved in a blink.
Perhaps we should have shopped on a network that was secure,
Or at least checked our credit reports monthly to be sure,
That thieves were not using our names and our faces
To purchase plane tickets to tropical places.
So to all of the shoppers who like to avoid the crowd,
Protect your info this season and make CyberInquirer proud!


Happy Holidays from CyberInquirer!


State Privacy Laws Evolve While Congress Campaigns

New legislation governing data breaches and privacy issues is popping up in states across the country. Most recently, Connecticut, Vermont, and Illinois have enacted new laws in these areas.


At long last, the proposed legislation requiring a data breach to be reported has become law in Connecticut. Section 369-701b was unable to move its way through the 2012 General Session of the Connecticut Legislature, but it was recently passed as part of the Connecticut General Assembly’s Special Session as an attachment of the Budget Bill.


What is Corporate and Business Identity Theft and What Are the Risks and Damages Associated with It?

The yellow fever outbreak of summer 1798 was the worst in Philadelphia’s history. Over 5,000 residents were infected, and nearly 1,300 died, causing even President Washington to flee. On the night of September 1st, 1798, the vault at Carpenter Hall was breached and the then-massive amount of $162,821 went missing. This first bank robbery in the United States, attributed as an “inside job”, ushered in an era of robberies that turned criminals into celebrities. Jesse James, Bonnie and Clyde, and John Dillinger have become legends. At present, the risk of yellow fever has been mitigated due to vaccines. The risk of bank vaults being physically robbed similarly has been reduced.


Cyber Liability Insurance for Universities: Incentivizing Best Practices as a Condition to Coverage (a.k.a “Reverse Underwriting”)

Computer hacking is a constantly evolving and growing threat. While recent high-profile network security breaches at companies such as Epsilon and Sony (with crisis management and other costs estimated to range from $1 billion to multiples thereof in the case of Sony) have helped raise awareness about the need to adequately protect personal identifiable information, the problem has existed for decades.

Yet the situation has only recently begun to receive proper attention from the media, government officials, businesses, and certain segments of the insurance industry. Of course, the cost of a security breach may have something to do with that. According to a study from Marsh and the Ponemon Institute, the typical data breach in FY 2010 resulted in companies and their insurers having to pay an average of $7.2 million to deal with and remedy the situation.

One particularly alluring target for hackers has been educational institutions. While schools and universities may not immediately appear to be obvious targets, the statistics confirm that attacks against educational institutions are on the rise.

In 2007, educational institutions accounted for 25% of all reported data breaches. This number jumped to 33% in 2008. See Sarah Stephens & Shannan Fort, Cyber Liability & Higher Education, Aon Professional Risk Solutions White Paper (December 2008).

The White House’s “Progress” Report on Cybersecurity: There’s A Long Road Ahead

Lest one question the severity of the evolving challenges in our rapidly growing cyber world, President Obama has crystallized it succinctly: (1) “cyber threat is one of the most serious economic and national security challenges we face as a nation;” and (2) “America’s economic prosperity in the 21st century will depend on cybersecurity.” In other words, President Obama has declared cybersecurity to be a national security priority.

While that’s obviously good news, the follow-up question is “how are we doing in meeting the associated demands?” Regrettably, not so well, it seems.

Speaking before cybersecurity and privacy experts from government, law enforcement, the private sector, academia and privacy and civil liberties groups, President Obama, Homeland Security Secretary Janet Napolitano, Commerce Secretary Gary Locke, Cyber Coordinator Howard Schmidt and other Administration officials uniformly acknowledged that far more work needs to be done to protect digital communications and information infrastructure and make it more difficult and costly for cybercriminals.


Cyber/Tech Underwriters Build Their Portfolios…As Corporate Executives Fret

The risk of cyberattacks is real and growing. While many of us theorize and speak in hypotheticals about the possibility of a major and potentially devastating cyberattack (or twenty), those considered most “in the know” are taking these risks seriously. And for good reason.

A January 29, 2010 study commissioned by McAfee, Inc and authored by the Center for Strategic and International Studies (CSIS) reports that over one-third (37%) of the IT security executives surveyed believe that critical infrastructure such as electrical grids, oil and gas production, water supply, telecommunications and transportation networks has become increasingly vulnerable to a cyberattack. Moreover, 40% of the 600 executives from 14 countries who responded predict a major security incident in their sector within the next year. Only 20% believe their sector is secure and will successfully avoid a serious cyberattack over the next five years.

The respondents work in critical infrastructure enterprises across seven sectors in 14 countries (including the US, UK, Japan, China, Germany, France, Italy, Russia, Spain, Brazil, Mexico, Australia and Saudi Arabia). Most problematic, over half of the respondents admitted that their concerns are not without foundation. Indeed, 54% acknowledged that their companies already have experienced infiltrations or large-scale cyberattacks from terrorists, organized crime gangs, and/or nation-states. The average cost of resultant downtime is estimated to be $6.3 million per day. Not chump-change by any means.

The recent cyberattack on Google is just one example. According to CSIS’s report, however, there have been scores more, with additional attacks to come. Of most concern, perhaps, over half of those surveyed regard the U.S., China and Russia as the three most vulnerable countries.

The report, entitled “In the Crossfire: Critical Infrastructure in the Age of Cyberwar,” goes on to state that more than one-third of the executives who responded feel their respective sectors are unprepared for a major attack and that two-thirds believe the ongoing recession has caused companies to reduce resources devoted to cyber protection.

This situation harkens back to the adage “one man’s suffering is another man’s gain.” The opportunities for cyber/tech underwriters are there. Go get ‘em, ladies and gentlemen.


FBI Warns that Hackers are Spear-Phishing for US Law Firms

“Phishing” refers to the fraudulent process of attempting to acquire sensitive information such as usernames and credit card details by masquerading as a trustworthy entity by way of e-mail, instant messaging or some other electronic communication. The communication will often direct users to enter details at a fake website that is almost identical to the legitimate one.

To illustrate, in a recent example of spear-phishing launched from a web server in China, CEOs received an email message purporting to be from a federal court stating that a subpoena was being directed to the CEO with a link to a web address ending in “”. More than 1,800 CEOs clicked on the link. Once the victims arrived at the bogus site, they were asked to view court documents by downloading a browser plug-in, which was actually malware used to gain access to the victim’s computer.

On November 17, 2009, the FBI issued a cyber advisory warning that hackers appear to be targeting law firms and public relations firms. Here’s a not-so-clever example:

Subject: Attn: Pamela Pengelley

Alexander JLO – Solicitors
11 Lanark Square
Glengall Bridge
London E14 9RE
United Kingdom.
TEL:+44 794 4145 981
Fax:+44 794 4416 262

Good day: Pamela,

This is a personal E-mail directed to you and I request that
it be treated as such.

I am Barrister Wilson Baker, a solicitor at law. I am the personal attorney/sole executor to the late Engr Gerald Pengelley herein after referred to as’my client’ who worked as an independent oil magnate in my country and who died in a plane crash with his immediate family in December 2003.

Since the death of my client, I have written several letters to the embassy with an intent to locate any of his extended relatives whom shall be claimants/beneficiaries of his abandoned personal estate and all such efforts have been to no avail.

More-so, I have received official letters in the last few weeks suggesting a likely proceeding for confiscation of his abandoned personal assets in line with existing laws by the bank in which my client deposited a notably high amount of money.

On this note i decided to search for a credible person and finding that you bear a similar last name, I was urged to contact you, that I may with your consent, present you to the “trustee” bank as my late client’s surviving family member so as to enable you put up a claim to the bank in that capacity as a next of kin of my client.

I find this possible for the fuller reasons that you bear a similar last name with my client making it a lot easier for you to put up a claim in that capacity.

I propose that 35% of the net sum will accrue to you at the conclusion of this deal in so far as I do not incure further expenses.

Therefore, to facilitate the immediate transfer of this funds, you need, first to contact me via my private email:( for better confidentiality, signifying your interest and as soon as I obtain your confidence I will immediately appraise you with the complete details as well as fax you the documents, with which you are to proceed and i shall direct you on how to put up an application to the bank.

However, you will have to accent to an express agreement which I will forward to you in order to bind us in this transaction.

Upon the receipt of your reply,I will send you by fax or E-mail the next step to take.I will not fail to bring to your notice that this proposal is hitch-free and that you should not entertain any fears as the required arrangements have been made for the completion of this transfer.

Like I said, I require only a solemn confidentiality on this.

Best regards,
Wilson Baker Esq

A word to the wise – proceed with caution before clicking on a link in an e-mail, even if the message appears to be from a reliable source. Better to seek confirmation from your information systems resources than fall victim to a spear-phishing scam. For more information, check out Microsoft’s webpage, “How to Recognize Phishing Emails and Links”.
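As an added example (not part of the FBI advisory or this post), the scoring routine below shows how a mail gateway can flag the advance-fee lure quoted above: it looks for the scam’s own phrases and for a Reply-To address on a different domain from the sender. The addresses and the scoring threshold are constructed assumptions; the page redacts the real reply address.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Wording patterns taken from the scam e-mail quoted above, matched
# case-insensitively against the message body.
SCAM_PHRASES = {
    "next_of_kin": r"\bnext of kin\b",
    "late_client": r"\blate\b[^.]{0,80}\bclient\b",
    "share_of_sum": r"\b\d{1,2}%\s+of the net sum\b",
    "secrecy_request": r"\bconfidentiality\b",
    "immediate_transfer": r"\bimmediate transfer\b",
    "surname_hook": r"\bsimilar last name\b",
}

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

def score_message(from_addr: str, reply_to: Optional[str], subject: str, body: str) -> Verdict:
    """Heuristic scam score; a score of 3 or more is worth quarantining for review (assumed threshold)."""
    v = Verdict()
    for name, pattern in SCAM_PHRASES.items():
        if re.search(pattern, body, re.IGNORECASE):
            v.score += 1
            v.reasons.append(name)
    # The lure asks the target to continue via a "private email"; a Reply-To on a
    # different domain from the From address is a strong sign of impersonation.
    from_dom = from_addr.rsplit("@", 1)[-1].lower()
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_dom:
        v.score += 2
        v.reasons.append("reply_to_domain_mismatch")
    # "Attn: <name>" subjects are typical of mass-mailed, name-personalised lures.
    if re.match(r"\s*attn:", subject, re.IGNORECASE):
        v.score += 1
        v.reasons.append("attn_subject")
    return v

# Constructed sample: sentences abridged from the quoted e-mail, placeholder addresses.
SCAM_BODY = (
    "I am the personal attorney/sole executor to the late Engr Gerald Pengelley "
    "herein after referred to as 'my client'. I was urged to contact you, that I may "
    "present you to the trustee bank as a next of kin of my client. I find this possible "
    "for the fuller reasons that you bear a similar last name with my client. I propose "
    "that 35% of the net sum will accrue to you. To facilitate the immediate transfer of "
    "this funds, contact me via my private email. I require only a solemn confidentiality."
)

def scam_sample() -> Verdict:
    return score_message("wilson.baker@law-firm.example", "wbaker.private@webmail.example",
                         "Attn: Pamela Pengelley", SCAM_BODY)

def benign_sample() -> Verdict:
    return score_message("clerk@court.example", None, "Hearing moved to Tuesday",
                         "The hearing in the Smith matter is moved to Tuesday at 10am. Regards.")
```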
