STE WILLIAMS

Amazon today officially rolled out a new platform for monitoring and prioritizing security issues for Amazon Web Services (AWS) accounts. 

The new AWS Security Hub aggregates security alerts and compliance status of AWS accounts, including alerts from AWS services as well as other security tools from vendors Alert Logic, Armor, Barracuda, Check Point, CrowdStrike, CyberArk, Demisto, Dome9, F5 Networks, Fortinet, GuardiCore, IBM, McAfee, Palo Alto Networks, Qualys, Rapid7, Redlock, Sophos, Splunk, Sumo Logic, Symantec, Tenable, Trend Micro, Turbot, and Twistlock.

“You can also continuously monitor your environment using automated compliance checks based on the AWS best practices and industry standards your organization follows,” the company said in its announcement of the new service. 

Read more here.

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/cloud/amazon-rolls-out-aws-security-hub/d/d-id/1333356?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

In its 2018 Strategic Security Survey (registration required), Dark Reading polled some 300 IT and security leaders and found that more organizations, not fewer, expect to face data breaches in the coming year compared with the previous year’s survey. Moreover, the companies believe they’re not fully ready to protect their data against intruders.

A large proportion of respondents expect that staffers with privileged access might be the source of a breach, but they’re also wary of attackers from outside mounting one of many sophisticated new attacks. A growing attack surface, distributed denial-of-service extortion, targeted attacks, and ransomware are contributing to the unease that many organizations sense. But concerns about overstaffing and budgets seem to have abated compared to the level of worry expressed in 2017. Almost one in five (19%) respondents said they believe their companies are more vulnerable to data breaches than a year ago, a somewhat higher number than the 17% who felt that way last year. The proportion of respondents who believe their company’s data-breach exposure hasn’t changed has dropped. In Dark Reading’s 2017 survey, 55% of respondents said their vulnerability to data breaches had remained stable over the past 12 months; this year, only 48% made that claim.

These results are worrying. The money poured into cybersecurity has skyrocketed in recent years, yet most companies feel that investment hasn’t translated into the ironclad security they need.

Cybercrime and Targeted Attacks on the Rise
Sixty-one percent of respondents said that the most likely reason for a major data breach next year would be a negligent end user or an employee breaking the company’s Internet-use policy. This gloomy prediction is probably attributable to the hugely disruptive successes that hackers have racked up by targeting corporate end users and executives.

That said, just over half of the survey respondents said cybercriminals are the biggest threat to their security. Twenty-six percent of IT departments expect a serious breach next year stemming from a targeted attack, and 21% have already experienced one, up from 17% who reported having one in last year’s survey. Another reason why targeted threats are a growing problem is simply that more people are aware of them. In the last few years, Western intelligence agencies have uncovered state-sponsored attackers — especially from Russia, China, and North Korea — who are launching laser-targeted assaults on companies with critical infrastructure.

The Cost of an Average Breach: $3.62 million
Last year, the Ponemon Institute estimated the average global cost of a data breach was $3.62 million, or about $141 per record. Costs in the US are nearly twice that. Cyberattacks of any kind can have brutal financial ramifications: 17% of respondents lost between $100,000 and $999,999, 9% lost between $1 million and $4.9 million, and 2% lost more than $5 million.

One might think that with so much money at stake, top executives would be spending more time learning how to make their companies more secure. Some of them are: 25% of the IT and security pros in the Dark Reading survey are satisfied that their corner-office teams are sufficiently security-savvy. But 39% say their top managers understand the business risks of data breaches but aren’t sure how to quantify them. Both numbers are lower than the 29% and 45% reported last year. A quarter of respondents said their top managers don’t really get how breaches might disrupt or even destroy the business, compared with 18% who reported a similar lack of comprehension last year. The numbers suggest that top managers are getting worse, not better, at grasping the potential consequences of data breaches.

App Security Emerges as Weakest Link in the Value Chain
Yet another cyber vulnerability is rooted in applications. Forty-two percent of the survey respondents say bugs in programs are their biggest data security threat, a percentage  in line with the 41% reported in the 2017 survey. These security concerns are familiar: Countless security studies and reports in the past few years have shined a spotlight on the high prevalence of vulnerabilities such as SQL injection and cross-site scripting. More recently, these issues have grown worse because of the rising popularity of software development models such as DevOps and agile, which tend to prioritize speed of development and delivery over security. Experts in the latter sphere also worry about the frequent use of open source code in today’s software because some of it may undergo insufficient security testing.

Once again, malware and phishing were cited as the top two online problems. While 52% of respondents said they had suffered a malware-related breach, 48% said they’d been phishing targets. Ransomware was the third most-cited reason for a security breach in 2017, but the proportion of respondents (16%) that said they’d been victims of a ransomware attack was down substantially from previous surveys.

Conclusion
Evidently, data breach concerns are higher than ever —although more people are aware of breaches and are spending more money on cybersecurity solutions to prevent them. The growing number of highly sophisticated threats and targeted attacks is not only wreaking financial damage but also leaving many organizations wondering whether they’re capable of doing enough to protect their data. Compared with last year, more organizations expect to suffer a major breach in the next 12 months, and most feel that breach will stem from an employee’s careless actions rather than an outside attacker. Perhaps most troubling, top management seems to be less security-savvy than last year. It’s clear that many organizations will run into some major potholes on the Internet highway in the coming year.

Related Content:

• 7 Real-Life Dangers That Threaten Cybersecurity
• To Stockpile or Not to Stockpile Zero-Days?
• Cybersecurity at the Core
• Consumers Are Forgiving After a Data Breach, but Companies Need To Respond Well

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/data-breach-threats-bigger-than-ever/a/d-id/1333332?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The breach of a supplier’s database may have left the personal information of as many as 2.65 million patients of Atrium Health exposed to hackers, according to a statement released on Tuesday. Atrium Health operates 44 hospitals across North Carolina, South Carolina, and Georgia.

AccuDoc, a company that prepares bills and operates the website where Atrium Health patients can make payments online, became aware that a cyber incident took place on Oct. 1. According to the release, an “unauthorized third party” accessed the patient information between Sept. 22 and Sept. 29. Logs indicate that information was not downloaded, AccuDoc noted.

The information accessed includes first and last names, home addresses, dates of birth, insurance policy information, medical record numbers, invoice numbers, account balances, and dates of service. For roughly 700,000 patients, the accessed information may also include their Social Security numbers.

According to the release, AccuDoc immediately shut down unauthorized access to the database. Both AccuDoc and Atrium Health say they are conducting internal forensics reviews and have contacted the FBI.

Read here and here for more.

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/atrium-health-breach-exposes-265-million-patient-records-/d/d-id/1333357?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ransomware infections increased by 233% this past year in the Middle East and North Africa as part of a shift toward more savvy and aggressive cybercrime operations in a region where criminals just last year mostly were sharing malware tools, phony documents, and services for free or on the cheap.

Researchers at Trend Micro found that cybercrime in the region has matured rapidly in the past year, with hackers employing the Telegram messaging app for encrypted communications and money-laundering services to replace rudimentary cash-out transaction methods that in many cases converted stolen physical items into cash. “The increase in money-laundering services also shows the demand for monetizing ill-gotten gains has increased over time,” says Jon Clay, global threat communications director at Trend Micro. “This all shows an increase in money-motivated cybercrimes within this region.”

The shift from email, Skype, and Facebook Messenger to Telegram as well as WhatsApp for encrypted communications and money-laundering schemes is about flying under the radar as the cybercrime gangs in the region have evolved into more experienced and lucrative operations. They now offer so-called broker services or “contracts” for moving money, using European banks, PayPal, Western Union, and banks in the region. They offer commissions between 10% to upward of 50% to convert stolen funds into a different currency, preferring to cash out in stronger currencies, such as the US dollar via US banks.

SQL injection tools, keyloggers, port numbers for Internet-connected SCADA equipment, and hacking instruction manuals all had been offered for free in the region’s underground in 2017, according to previous Trend Micro research. The WannaCry ransomware sample was sold for $50. Freely shared tools still exist there today, according to Clay, but the criminals are moving to more stealthy and secure infrastructures to hide their activities.

One of the biggest changes Trend Micro saw was the move from a tool that was “open source (and likely insecure) to a private communications tool,” he says. “This tool encrypts all communications between the members and can ensure law enforcement cannot access. This has provided the underground community with a much more secure and private means of communications.”

Aside from ransomware, distributed denial-of-service (DDoS) attacks and website defacements remain a popular attack by hackers in the region. What was once the domain of hacktivists has become yet another money-making opportunity for cybercriminals to extort their victims with destructive attacks on their websites, for example.

The oil and gas industry remains one of the biggest targets in the region – half of all cyberattacks  hit that sector – due to its pervasiveness and financially lucrative status. These organizations can’t afford a ransomware or DDoS attack to disrupt sensitive operations. “These factors make it more likely that a compromised victim may pay an extortion or ransom fee,” Clay says.

Law enforcement, too, has matured in its fight against cybercrime, which, in turn, has forced attackers to better hide their tracks. So far, Trend Micro hasn’t detected any links between the cybercrime world there and nation-state operations. “In our analysis of the actors themselves, we’re seeing predominately young males with either a high school or college education. As such, they are likely very good with technology, aggressive in their work, but still need more time to build their skillsets,” Clay says.

Going Global
All of this means yet another international cybercrime region is emerging as a threat to nations such as the US. “This is a region that is increasing in their cybercriminal operations and will likely target organizations within the US,” Clay says. “With an increase in the US oil and gas industry, these actors are learning what works within their own region and can take that knowledge and apply it into attacks within the US region.”  

They already are selling tools in both Arabic and English-speaking underground forums, notes Mayra Rosario Fuentes, senior threat researcher at Trend Micro. “They are no longer just targeting their own region.”

The Middle East and North Africa will become a bigger player in global cybercrime. “This should be a call for the regional law enforcement and government to improve their laws and ability to arrest and convict these criminals,” Clay says. “It is also a call for organizations to recognize this region as a threat to their operations and improve their security capabilities to thwart attacks from this region.”

Related Content: 

• Cybercrime Meets Culture In Middle East, North African Underground
• Malware Investigation Leads to Sophisticated Mideast Threat Network
• Report: ‘OilRig’ Attacks Expanding Across Industries, Geographies
• 7 Indicted Iranian Nationals Now Hit with Sanctions by US Treasury

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/middle-east-north-africa-cybercrime-ups-its-game/d/d-id/1333354?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The US Department of Justice has indicted eight people in relation to the takedown of two international cybercrime rings: botnet operation 3ve and data center-based scheme Methbot. The takedown was organized and conducted by the US government along with private sector companies including Google, White Ops, Proofpoint, Malwarebytes, and ESET.

Methbot, an online ad fraud operation run by Russian cybercriminals, was discovered in 2016 by White Ops. The scheme totaled between $3 million and $5 million in daily losses from major US advertisers as attackers pretended to be from major US media platforms: ESPN, Fortune, CBS Sports, and others. At the time it was unveiled, Methbot had been operating for three years.

3ve, another ad fraud scheme, didn’t pose a major threat when it was spotted by Google researchers analyzing Methbot’s effects. It appeared as a low-volume bot operation conducting ad fraud through residential computers, which were infected with unknown malware.

However, 3ve grew in 2017 and later generated billions of daily ad requests. At its peak, researchers estimate it drove between 3 billion and 12 billion (potentially more) daily ad bid requests. 3ve compromised 1 million IPs and had up to 700,000 active infections at a time, and 60,000 or more accounts selling ad inventory. It counterfeited 10,000 websites and had 1,000 or more data center nodes.

“3ve was a global, complex family of fraud operations, each designed to evade detection,” says Tamer Hassan, cofounder and CTO at White Ops. “It took a historic cross-industry alliance to come together to hunt for and dismantle 3ve.”

Inside 3ve

Typical ad fraud operations aim for simplicity by zeroing in on one aspect of digital advertising; for example, creating and selling bot traffic to publishers who want more eyes on their sites. Researchers dubbed this operation “3ve” because it was made up of three sub-operations. All shared similar traits but were built to perform different types of ad fraud.

Across 3ve, operators employed several tactics to look for as many devices and users as possible, increase ad fraud, and avoid detection. It made its money by fabricating two things advertisers demand, Hassan says: prestigious publisher content in programmatic advertising, and visitors to real publishers’ websites.

“While all three sub-operations shared common characteristics and infrastructure, they varied in size, monetization strategy, and launch points,” he continues. “3ve had remarkable ability to shapeshift, churning up [30,000 to 40,000 IPs per day] and deploying sophisticated evasive detection measures. The result was that if one aspect of its operation was disrupted, the other could flourish.”

3ve was designed to infect users’ machines, remotely control hidden browsers, steal corporate IP addresses, and run fake websites. It generated revenue by selling ad space on fake premium sites and sending fake viewers to real sites, White Ops researchers explain in a report.

Further analysis led experts to two malware families: Boaxxe/Miuref and Kovter.

Boaxxe malware, as explained by US-CERT, is spread via email attachments and drive-by downloads. The operation using Boaxxe is located in a data center, where hundreds of machines browse counterfeit websites. When fake webpages are loaded in a browser, requests are made to place ads on those pages. Data center devices used Boaxxe to make requests for ads; a command-and-control (C2) server told infected machines to make ad requests to hide the data center’s location.

Kovter malware is also spread via email attachments and drive-by downloads, and uses the Kovter botnet, which runs a hidden Chromium Embedded Framework (CEF) browser on infected machines. A C2 server instructs devices to visit fake webpages in the hidden browser and requests that ads be placed on those sites. Infected devices receive and upload ads.

“The malware used here – Kovter – has been around in various incarnations for some time,” says Chris Dawson, threat intelligence lead at Proofpoint. “It is most significant for its anti-analysis features, as well as its ability to replicate human clicks and interactions on both fake and legitimate ad-hosting pages.” Anti-analysis features, he says, make it hard to observe.

Google researchers say the malware used anti-forensics to scan hardware, processes, username, and IP address to detect and avoid security software. It was receiving and executing fraud instructions on computers with certain ISPs, in certain geographical areas. Operators created an infrastructure of C2 servers to monitor infected machines and check for security.

“By using this infrastructure, the defendants accessed more than 1.7 million infected computers, belonging to ordinary individuals and businesses in the United States and elsewhere, and used hidden browsers on those infected computers to download fabricated webpages and load ads onto those fabricated webpages,” explains the DoJ in a statement.

3ve employed several techniques to bypass detection. In addition to its anti-forensics technique, it mimicked human behavior (fake clicks, mouse movements), evaded tags, quickly regenerated its residential IP addresses, and did not have a single point of failure.

How the Takedown Went Down

Some bots are taken down when all their known IP addresses are blacklisted. However, 3ve was so aggressive, and could so quickly acquire new IP addresses, that they determined a blacklist would only temporarily disrupt its activity. A full takedown would involve better understanding of 3ve’s structure and broader industry collaboration, Google researchers explain.

In all, nearly 20 companies spanning ad tech, cybersecurity, and Internet infrastructure worked together to bring down 3ve. To prevent the threat from recurring, players had to collectively investigate the operation and map out its infrastructure and monetization strategy. They spent months observing 3ve’s activities, understanding its malware, and evaluating its impact.

The coordinated takedown disrupted as much infrastructure as possible to prevent rebuilding the botnet. Analysis shows traffic has declined, a sign the disruption has been successful – within 18 hours of starting, the takedown had brought the ad bid request traffic close to zero.

While certain elements of the takedown can’t be shared publicly, says Dawson, a key component was the sinkholing of command-and-control domains used by 3ve to direct botnet and server-side operations. This blocked communication between nodes and the C2 infrastructure, especially between 700,000 infected machines in its second sub-operation.

“3ve was a first of its kind in its global reach and continuous innovation,” says Hassan. “It won’t be the last.” The way to win the war against bot operators, he explains, he to reduce profitability, increase costs, and create consequences that increase risk and deter criminals.

Don’t Do the Crime If You Can’t …

Eight defendants were indicted today in relation to the 3ve and Methbot operations. Charges include wire fraud, computer intrusion, aggravated identity theft, and money laundering. Most of those indicted are from Russia; two are from Kazakhstan. At the time of writing, three of the alleged perpetrators have been arrested and five remain at large.

“Because we involved law enforcement, this is the first time consequences of this magnitude have been created for ad fraud,” says Hassan. “Fraudsters, when discovered but not caught, can go underground, only to pop up across the street later. This time it was different.”

He hopes fraudsters will think twice before building operations of this magnitude in the future.

Google has published guidance on how to prevent more attacks like this from happening in the future. First up is to create and adopt industry standards like ads.txt, which prevents domain spoofing by letting publishers create public records of “Authorized Digital Sellers.” The idea is to make it easy to learn which parties can sell a certain publisher’s ad inventory, and which aren’t.

Beyond that, there are measurements advertisers can use to make sure the ad fraud solution in place is working. “If it seems too good to be true, it probably is,” Google researchers point out. Advertisers and publishers should take a layered approach and use in-house defenses and third-party verification to watch for bot traffic and ad fraud.

Related Content:

• Who’s the Weakest Link in Your Supply Chain?
• 8 Tips for Preventing Credential Theft Attacks on Critical Infrastructure
• 7 Real-Life Dangers That Threaten Cybersecurity
• 2018 Hacker Kids Gift Guide

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/google-white-ops-industry-players-dismantle-3ve-ad-fraud-operation/d/d-id/1333359?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Two men — Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, both of Iran — have been indicted in a criminal conspiracy around the creation and distribution of the SamSam ransomware campaign. The indictment, unsealed today, was handed down by a federal grand jury in New Jersey.

According to the six-count indictment, Savandi and Mansouri hit more than 200 victims, mostly in the government, critical infrastructure, and healthcare sectors. The victims included the City of Atlanta; the City of Newark, N.J.; the Port of San Diego; the Colorado Department of Transportation; the University of Calgary in Calgary, Alberta; and six health care-related entities: Hollywood Presbyterian Medical Center in Los Angeles; Kansas Heart Hospital in Wichita, Kan.; LabCorp; MedStar Health, headquartered in Columbia, Md; OrthoNebraska Hospital, in Omaha, Neb.; and Allscripts Healthcare Solutions, headquartered in Chicago.

The indictment alleges that Savandi and Mansouri have collected over $6 million dollars in ransom payments to date, and caused over $30 million dollars in losses to victims. In a statement at the indictments’ announcement, Deputy Attorney General Rod J. Rosenstein said, “The defendants chose to focus their scheme on public entities, hospitals, and municipalities. They knew that shutting down those computer systems could cause significant harm to innocent victims.”

That point was farther driven home by Assistant Attorney General Brian Benczkowski at the same event when he said, “The defendants did not just indiscriminately ‘cross their fingers’ and hope their ransomware randomly compromised just any computer system. Rather, they deliberately engaged in an extreme form of 21st-century digital blackmail, attacking and extorting vulnerable victims like hospitals and schools, victims they knew would be willing and able to pay.”

Professional attacks

Researchers and law enforcement officials point to a number of characteristics that distinguished the SamSam attacks. “One of the starkest deviations between SamSam operations and traditional ransomware is the departure from more traditional infection vectors,” said Kimberly Goody, manager of cyber crime analysis at FireEye, in a statement given to Dark Reading. She pointed out that the threat actors first compromised the victims’ systems and only later delivered the attack payload. “Deploying ransomware post-compromise allows attackers the ability to better understand victim environments and to both deploy ransomware payloads more broadly and to identified high value systems -– putting additional pressure on organizations to pay,” she said.

Chester Wisniewski, principal research scientist at Sophos, explained in a statement, “Cybercriminals target weak entry points and brute-force Remote Desktop Protocol (RDP) passwords. Once in, they move laterally, working one step at a time to steal domain admin credentials, manipulate internal controls, disable back-ups and more to hand-deliver the ransomware.” Those hand-delivered ransomware payloads, he said, “…strategically happened when victims were asleep, indicating that the attacker carries out reconnaissance on victims and carefully plans who, what, where and when attacks will happen.”

Continuing fallout

While the indictments mean that Savandi and Mansouri are now fugitives, it is believed that they are operating in Iran, which makes it unlikely that they’ll be turned over to U.S. authorities unless they travel internationally. And SamSam may not be their only criminal enterprise.

FireEye’s Goody explained, “It is important to note that while the actors named in the indictment are associated with the SamSam ransomware, this may just be their most lucrative operation. We have some evidence to suggest that they were investigating the possibility of stealing card payment data, and we have also seen the deployment of cryptocurrency miners in victim environments.”

In order to guard against future attacks, Benczkowski turned his attention to US organizations. “We want to get the word out that every sector of our economy is a potential target of malicious cyber activity,” he said. “The events described in this indictment highlight the need for businesses, healthcare institutions, universities, and other entities to emphasize cyber security, increase threat awareness, and harden their computer networks.”

Related content:

• Worst Malware and Threat Actors of 2018
• New Threats, Old Threats: Everywhere a Threat
• 3 Keys to Reducing the Threat of Ransomware
• Cybercrime Gang Ramps up Ransomware Campaign 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/federal-indictments-in-samsam-ransomware-campaign/d/d-id/1333360?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Many information security groups are undermining data availability and security by incorrectly estimating the true value of their enterprise information assets, a new survey shows.

The Ponemon Institute conducted the survey on behalf of document security vendor DocAuthority. A total of 2,820 professionals from seven different functional areas — IT security, product and manufacturing, legal, market, IT, finance and accounting, and human resources — were asked to value 36 different information types on a per record basis. The information types included research and development documents, source code, customer records, merger and acquisition data, and personally identifiable information.

The results showed IT departments overestimating the value of certain information types, such as PII, while grossly underestimating the value of other information, such as financial reports and RD data. On average, IT security departments tended to be as much as 50% off the true value of data assets as perceived by the data owners.

IT security departments, for instance, estimated on average that it would cost their companies $306,545 to reconstruct an RD document compared to the $704,619 that RD professionals themselves estimated it would cost. Similarly, IT security estimated the cost of a financial report leakage to be around $131,570 versus the $303,182 value that accounting and finance professionals assigned to the information asset.

Conversely security professionals perceived certain other data types to be worth more to the business than they actually do. Security groups estimated the monthly salary lists of 1,000 employees to be worth over $94,100 to the business while HR professionals pegged the value at a substantially lower $57,477.

The perception gap matters because it impacts how security organizations protect different types of data and how they make the data available across the enterprise, says Steve Abbott, CEO of DocAuthority. Incorrect data value assessments can result in the wrong types of controls being implemented. 

“Right now IT security and business see the value of business data significantly differently,” Abbott says. “IT security doesn’t understand or appreciate the value of data the same way that business does.”

Many security organizations apply security and access controls on data using broad and often static classification schemes. The DocAuthority survey revealed the need for a more nuanced approach to handling enterprise data assets, Abbott says.

The survey for instance showed that not all information asset types have the same value. Some datasets like RD data, pricing models, source code, MA documents and signed employment agreements are worth substantially more to organizations that other assets such as product manufacturing and engineering workflows, signed customer contracts, budget and accounting data and network design documents.

The survey also showed that data value — for certain types of data — decreases over time because of a decline in relevancy. For instance, RD documents in the manufacturing function that are less than one year old are valued at more than $873,380. The value of the same data declines to about $492,700 if it is older than a year.

Similarly, fresh legal documents that are less than a year old are valued at some $508,640 and those that are older than one year at $120,911.

The cost of recreating data and of dealing with the consequences of a breach varies by type and function as well. In marketing groups, pricing models and customer lists are the costliest data types to recreate; for human resources organizations it is pension data.

Similarly, the cost associated with a data leak involving RD documents, at $661,400, is substantially higher than the costs of a breach that involves product-manufacturing workflows ($106,520). Interestingly, the data values that the different sets of business users in the survey arrived at for different data types were more or less consistent across industry vertical and location.

The data shows that organizations need to manage data as an asset and not just as a liability, Abbott says. IT security groups need to be thinking about assigning values to data types based on factors like business use, age, how much it would cost to reproduce, how much it would cost if lost or in the wrong hands, Abbott says.

Related Content:

• A Data Protection Officer’s Guide to GDPR ‘Privacy by Design’
• The Data Security Landscape Is Shifting: Is Your Company Prepared?
• The Best and Worst Tasks for Security Automation
• 7 Data Classification Tips 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/incorrect-assessments-of-data-value-putting-organizations-at-risk/d/d-id/1333362?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple