Security Defenses are Not Adequate

We have just completed an extensive survey of security and compliance professionals in mid-sized and large organizations, asking about the current state of their cyber security defenses. We will soon be publishing a white paper discussing the results. Here’s a bit of what we found:

  • Fifty-five to 58 percent of organizations admitted that they are not fully protected against security threats like payment scams, spear phishing attacks and email spoofing.
  • Four of the top five concerns that security and compliance professionals have in the context of their organizations’ cyber security are focused on email-related threats.
  • Sixty-five percent of security and compliance professionals admitted that their organization has suffered a successful attack and/or data breach during the past 12 months, with the most common being a phishing attack successfully infecting systems on their network with malware (28 percent), and a targeted email attack launched from a compromised account successfully infecting an endpoint with malware (25 percent).
  • Corporate executives represent 16 percent of the attack surface in the typical mid-sized and large organization, despite the fact that they account for only two percent of the total number of employees.
  • Forty-two percent of those surveyed told us that their anti-ransomware defenses are either not improving the catch rate for ransomware attempts over time or the catch rate is actually going down.
  • Only 28 percent of those surveyed believe that their end-user training regimen focused on web surfing best practices is “very good” or “excellent”; only 39 percent believe that their user training for detecting and addressing phishing and other unwanted emails is this good.
  • The average cyber security budget will increase by 7.4 percent in 2018 compared to last year; 67 percent of organizations are increasing their budget and only two percent are decreasing it.

Please let us know if you’d like an advance copy of the white paper.

Here are some upcoming security conferences that should be on your radar:

  • InfoSecWorld, Lake Buena Vista, Florida (March 19-21)
  • Black Hat Asia, Singapore (March 20-23)
  • RSA Conference, San Francisco, California (April 16-20)

Phishing and Ransomware are the Logical Evolution of Cybercrime

Phishing, which can be considered the delivery mechanism for various types of malware and cybercrime attempts; and ransomware, which is a specialized form of malware that is designed for the sole purpose of extorting money from victims, are critical problems that every organization must address and through a variety of means: user education, security solutions, vulnerability analysis, threat intelligence, good backup processes, and even common sense. The good news is that there is much that organizations can do to protect themselves, their data, their employees and their customers.

Phishing, particularly highly targeted forms of phishing like spearphishing and CEO Fraud/Business Email Compromise (BEC), as well as ransomware, are the logical evolution of cybercrime. Because there have been so many data breaches over the past few years that have resulted in the theft of hundreds of millions of records, there is a glut of this information on the market. The result, as there would be in any other business driven by the economics of supply and demand, is that prices for stolen records are dropping precipitously: a leading security firm estimates that the price of a stolen payment-card record has decreased from $25 in 2011 to just $6 in 2016.

Consequently, cybercriminals are turning increasingly to more direct means of theft. For example, ransomware will extort money directly from victims without requiring stolen data to be sold on the open market where it is subject to economic forces that can reduce its value. CEO Fraud/BEC can net hundreds of thousands or millions of dollars in a short period of time by getting victims to wire funds directly.

We are in the process of writing a white paper on phishing and ransomware, and will be publishing the results of an in-depth survey on these problems. Let us know if you have any questions or would like copy of the white paper when it is published next week.

What Threats Should You Be Concerned About? (Part 1)

Organizations of all sizes face a wide variety of threats, ranging from seemingly innocuous incursions like spam that create storage problems and general annoyance, to highly targeted email attacks that can create major breaches of sensitive or confidential information. Among the range of threats to consider are the following:

Phishing emails: Phishing emails are comparatively unfocused email messages that are designed to elicit sensitive information from users, such as login credentials, credit card information, Social Security numbers and other valuable data. Phishing emails purport to be from trustworthy sources like banks, credit card companies, shipping companies and other sources with which potential victims already have established relationships. More sophisticated phishing attempts will use corporate logos and other identifiers that are designed to fool potential victims into believing that the phishing emails are genuine.

The impact of phishing emails should not be underestimated. An Osterman Research survey conducted in late 2014 found that there have been a variety of security incidents that were attributable to malicious emails, such as 41% of organizations that have lost sensitive data on an employee’s computer and 24% that have lost sensitive data from the corporate network.

Spearphishing emails: A spearphishing email is a targeted phishing attack that is generally directed at a small group of potential victims, such as senior individuals within a company or other organization. Spearphishing emails are generally quite focused, reflecting the fact that a cybercriminal has studied his or her target and has crafted a message that is designed to have a high degree of believability and a potentially high open rate.

One of the reasons that spearphishing is becoming more effective is that potential victims provide cybercriminals with the fodder they need to craft believable messages. For example, Facebook, Twitter, LinkedIn and other social media venues contain enormous amounts of valuable information about travel plans, personal preferences, family members, affiliations, and other personal and sensitive information that can be incorporated into spearphishing emails.

Remote users accessing corporate resources: Employees, contractors and others who access resources on the corporate network, such as those working from home or in another remote site, are a key source of threats. An unprotected user accessing a corporate asset, such as Outlook Web Access that is not accessed via a VPN, or a laptop computer that becomes infected and later is connected to the corporate network, can constitute a serious threat. This is becoming a serious problem for most organizations as users employ personally owned devices like their own smartphones, tablets and other traditionally consumer devices in a workplace setting.

Consumer file sync and share tools: Closely related to the point above is the widespread and growing use of consumer file sync and share tools like Dropbox, Microsoft OneDrive and Google Drive, among many others. These tools are commonly used by employees to make their files available on all of their desktop, laptop and mobile platforms for access when traveling, when they work from home, or when they are otherwise away from the office. While these tools are quite useful and generally work as they are intended, they represent an important incursion point for malware. For example, an employee who accesses his or her corporate files on a home computer, many of which do not have the latest anti-virus updates and whose use is not controlled by any sort of sophisticated security infrastructure, can inadvertently infect these files with malware. When the files are synced back to the employee’s desktop computer, malware can readily infect the network because it may have bypassed corporate email, Web gateway and other defenses. In an alternative infection scenario, an employee working from home can have files infected from their home computer and then send these files to a client or business partner without the files ever having passed through the corporate security infrastructure.

Watering holes: This is a type of social engineering attack in which cybercriminals will identify key Web sites that are frequented by individuals or groups they would like to infiltrate, such as mobile app developers. These targeted Web sites are then infected with malware, the goal of which is to infect members of the affinity group. An example of one such attack was an iOS mobile developers’ forum that hosted malware and was targeted against Apple and Facebook.

I will continue the list in my next blog post. We’re producing a white paper focused on addressing these issues – if you’d like a pre-publication copy of the paper, send us a request at and we’ll send it to you right away.