STE WILLIAMS

Hack Of RacingPost.com Puts Users’ Personal Information At Risk

A database breach at the popular U.K. Racing Post site has exposed customers’ personal data and caused trouble with site operations, the newspaper warns.

In a blog posted Monday, Racing Post states that “our site was the subject of a sophisticated, sustained and aggressive attack on Friday and Saturday, in which one of our databases was accessed and customer details were stolen.”

The site, which enables customers to bet on horse and greyhound racing, said that no credit card information was hacked, nor were betting accounts, which are maintained by a third party.

However, the breached database contains user names, first and last names, “encrypted passwords,” email and street addresses, and dates of birth, the site says.

Racing Post editor Bruce Millington said the publication believes the breach “may be part of a wider attack on a number of companies,” though he offered no details on the nature or origin of the attack. The site has turned off its registration and log-in pages, but states that its racing information and betting pages are “completely safe to use.”

The site suggests that all users change their passwords.


Article source: http://www.darkreading.com/privacy/hack-of-racingpostcom-puts-users-persona/240164276

NSA-busting secure, open, router seeks cash and code from crowd


Australian embedded systems designer Redfish is hoping to attract funding from the crowd to market a secure routing platform that open-sources both the hardware and software to protect users from unwanted snooping.

Speaking to The Register ahead of the launch, Redfish managing director Justin Clacherty said the project is designed to get security in front of ordinary users – those who don’t have the skills or confidence to set up complex crypto schemes or dive into the world of TOR.


And, he said, open sourcing both the software and hardware means the security of the implementation can be verified by others.

Redfish developed the ORP-1 to prototype stage on its own coin. It’s now seeking crowd-funding via Indiegogo to go from prototype to manufacturing.

Based on a Freescale processor with embedded hardware routing, the ORP-1 has a five-port gigabit switch, a gigabit DMZ port, and a gigabit WAN port (just in case Australia ever gets a network able to support gigabit end-user connections).

Clacherty told The Register the system can currently ship traffic at about 700 Mbps, and he hopes to achieve line speed when the system goes to manufacture.

The software is based on a custom Linux distribution.

The full list of capabilities is at the Indiegogo page, but the basic capabilities are that the ORP-1 will provide security via built-in IPsec VPN, firewalling, and TOR. Other built-ins include the normal DHCP and DNS that you’d expect in a consumer router, IPv6 support, and a SIP proxy.

The basic design of the ORP-1 secure router

As far as The Register can remember, ORP-1 would be the first new face on the Australian networking hardware scene in quite a while. In an industry that once boasted not one but several modem makers (Netcomm being the sole brand to survive from that era), more than one local router manufacturer (one was an arm of what is now a major ISP, TPG; another was Datacraft), it’s hard to remember the last time someone took a crack at the network hardware market here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/26/oz_developer_crowdfunding_open_secure_router/

‘MacGyver’ geezer makes ‘SHOTGUN, GRENADE’ from airport shop tat


Application developer and part-time security researcher Evan Booth has produced a series of videos showing how an array of supposedly deadly weapons can be MacGyver’d from stuff on sale in airport shops.

His inventions can be built from things bought after walking through the usual security checks; we’re told they include a remote-controlled suitcase bomb made using a child’s toy, a Zippo lighter and cans of Axe body spray; a potentially lethal set of nunchucks; a club capable of smashing apart a coconut; and a fragmentation grenade that he assembled in less than eight minutes.


“If we’re trying stop a terrorist threat at the airport it’s already too late,” Booth told Fast Company, saying he started the Terminal Cornucopia project after the introduction of nudie body scanners at US airports.

“It just seemed so invasive and really expensive. And if you’re going to go through all that trouble getting into the terminal, why is all this stuff available in the terminal?”

One of his most worrying creations is a blunderbuss-like, breech-loaded shotgun-ish weapon capable of firing $1.33 in coins through fiberboard. The device is just as dangerous to the user as to what’s in front of the muzzle, but when did that thinking stop a jihadi? Take a look below.

Blunderbussiness Class

Subtle, no? Booth’s videos show that you can at least get a big bang from materials found in airport shops. Lithium from batteries, for example, when mixed with water, can act as an explosive when coupled with an aerosol can, while consumer electronics goods can be adapted in a variety of lethal ways.

All the weapons were assembled using a Leatherman PS Style multi-tool that had been specifically designed by the company to be allowed past TSA checkpoints without breaking any rules. Most of the weapons are cobbled together using Scotch tape and dental floss, but hold together well enough in testing, it seems.

“I think people have kind of been suspecting that the type of things I’ve built are possible,” says Booth, “I just don’t think anyone’s ever taken the time to do it.”

Booth said that he informed both the TSA and the FBI about the devices, sending them all the details of the build process along with the chemicals and tools used. He said he hadn’t heard back from the TSA, but that the FBI did make an unscheduled visit to his home in North Carolina and conducted an interview.

Thankfully for Booth, the agents didn’t arrest him. Instead, the Fibbies just wanted to check that he hadn’t actually assembled the weapons in an actual airport. Booth showed them the garage where he tests his designs, and they left satisfied that no laws had been broken.

Before everyone panics, these aren’t blueprints for immediate attack. The sort-of shotgun takes long seconds to ignite and looks about as accurate as a darts player after the seventh pint.

It’s also telling that the only timed video is on how to build the grenade and not the other devices that require more structural reinforcement that could take hours. And try smelting a pewter bolt using a can of burning Axe body spray in an airport (or worse, an airline) toilet and see how far you get.

But some smarter thinking on airport security would be very nice. As Bruce Schneier and others have pointed out, current airport security practices have more to do with theater than with keeping people safe. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/26/madcap_macgyver_builds_shotgun_grenade_from_airport_shop_parts/

John McAfee punted from Portland party pad


IT’s funnest guy, John McAfee, is making news again for things that have very little to do with technology.

McAfee-watchers will recall that last year he found himself in all sorts of trouble after being accused of murder, fleeing Belize before being deported from Guatemala to the USA. He later washed up in the hipster city of Portland, where he busied himself issuing conspiracy theories and shooting bizarre videos featuring guns, lots of guns, and scantily-clad models.


Other antics now seem to have upset his landlord and neighbours so much that, according to local outlet The Oregonian, he’s been evicted from his rented party pad in an apartment block called 20 Hawthorne, which helpfully publishes a rate card that tells us he was shelling out at least $US1200 a month for his digs.

Whatever he was paying, The Oregonian reports the building’s manager has taken out a “protective order” against McAfee, who has been asked to leave.

McAfee has told Bloomberg he wasn’t evicted but chose to leave for his current digs in Montreal. News of the protective order therefore came as a surprise, as did allegations he “stalked” the building manager. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/26/john_mcafee_punted_from_portland_party_pad/

Learning Lessons From 2013 Data Breaches

In many respects the breach trends of 2013 have borne out some good news for the security industry. Unlike the past four to five years, this one has not been awash with mega database breaches of tens of millions of records containing personally identifiable information (PII). And, according to statistics compiled by the Privacy Rights Clearinghouse, both the number of breaches publicly reported and the volume of records breached have declined. Last year at this time the running count already totaled approximately 27.8 million records compromised and 637 breaches reported. This year, that tally so far equals about 10.6 million records compromised and 483 breaches reported. It’s a testament to the progress the industry has made in the fundamentals of compliance and security best practices. But the record this year is clearly far from perfect.

When comparing year-to-date numbers, the volume of records breached went down a drastic 61.7 percent, while the number of reported breaches was only reduced by about 24.2 percent. This shows that breaches are still occurring at a fast clip—it’s just now the distribution of theft and compromise has spread out. Breaches are smaller, and according to security insiders, they’re far more targeted. And frequently the theft is of IP or other digital property that could be even more damaging than customer records when stolen, but which are more difficult to quantify and which don’t make the statistical headlines.

Delving deeper into the specifics of breaches occurring this year, it is evident there’s still work to do. As evidenced by the 2013 track record, valuable databases are still left unprotected and unencrypted, applications are still riddled with vulnerabilities and users are still allowed to download huge quantities of information from sensitive databases and store them on poorly protected endpoints. To plead our case, Dark Reading has cherry-picked a few helpful examples and offered up some valuable lessons the industry can learn from these incidents.

Company Compromised: CorporateCarOnline.com

Breach Stats: 850,000 records stolen

The Details: Personal details, credit card numbers and other PII from some of the biggest American names in professional sports, entertainment, Fortune 500 business and politics were all stolen in this juicy heist of a plain text archive held by this company that develops a SaaS database solution for limo services across the country. Some of the big names on the list include Tom Hanks, Sen. Tom Daschle and Donald Trump.

Lessons Learned: This is a key lesson in how the ingenuity of attackers knows no bounds when the most valuable financial and social-engineering-fueling information is at stake. According to KrebsOnSecurity.com, a quarter of the compromised card numbers were high- or no-limit American Express cards, and the other information would prove a treasure trove for corporate spies or tabloid media players. Meanwhile the company at hand paid absolutely no regard to the security of the information, without even trying to take the most basic of cryptographic measures to protect it.


Company Compromised: Adobe

Breach Stats: Nearly 3 million PII records stolen, over 150 million username/password combos stolen and source code from Adobe Acrobat, ColdFusion, ColdFusion Builder and other unspecified products.

The Details: This is the breach that just keeps unraveling as the hits keep coming more than a month after the compromise was first disclosed. Originally thought to be just a compromise of 3 million PII records, it’s now clear that Adobe is contending with the loss of a vast trove of login credentials and, more startlingly, its source code.

Lessons Learned: Not only is the still-unfolding Adobe story a good teaching moment for how thoroughly a company can be owned by attackers once they’ve established a foothold in a corporate network, it’s also a lesson on how dependent the entire enterprise ecosystem is on the security of its software supply chain. The potential ramifications could ripple out for a long while yet as a result of this breach.
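The CorporateCarOnline lesson above faults a plain text archive that lacked “the most basic of cryptographic measures,” and the Adobe lesson turns on a trove of stolen login credentials. The following is an added example, not code from Dark Reading or from either company: it shows what that basic measure looks like for stored credentials (per-user salt, a slow key derivation, constant-time comparison) and a small audit that flags rows still held in the clear. The row contents, the `pbkdf2_sha256$` record format and the iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000  # assumed work factor for the example; raise it as hardware allows
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a storable record of the form algo$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two accounts sharing a password
    produce different records, so one cracked record reveals nothing
    about the others.
    """
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def is_protected(record: str) -> bool:
    """True only if the field parses as one of our derived records, not raw text."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        digest = bytes.fromhex(parts[3])
    except ValueError:
        return False
    return iterations > 0 and len(salt) == SALT_LEN and len(digest) == 32


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    if not is_protected(record):
        return False
    _, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_store(rows: List[dict]) -> List[str]:
    """Return the users whose password field is stored in the clear.

    This is the check a reviewer would run against an export before it
    is archived: anything that is not a derived record is a finding.
    """
    return [row["user"] for row in rows if not is_protected(row["password"])]


# Constructed sample rows for the example; they are not data from any breach.
SAMPLE_ROWS = [
    {"user": "alice@example.invalid", "password": "Summer2013!"},              # in the clear
    {"user": "bob@example.invalid", "password": hash_password("Summer2013!")},  # protected
    {"user": "carol@example.invalid", "password": "hunter2"},                   # in the clear
]


if __name__ == "__main__":
    print("unprotected rows:", audit_store(SAMPLE_ROWS))
    record = hash_password("Summer2013!")
    print("login ok:", verify_password("Summer2013!", record))
    print("wrong password rejected:", not verify_password("Summer2014!", record))
```

Reversible encryption of a password column is not the same measure: a stolen key undoes it for every row at once, whereas a derived record has to be attacked one salt at a time. The audit deliberately treats any field it cannot parse as a finding, so a store that mixes formats is reported rather than silently accepted.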

Company Compromised: U.S. Department Of Energy

Breach Stats: PII stolen for 53,000 former and current DOE employees

The Details: Attackers targeted DOEInfo, the agency’s outdated, publicly-accessible system built on ColdFusion for the office of its CFO. DOE officials say the breach was limited to PII about employees.

Lessons Learned: There were two big lessons here. First, patching always has been and always will be paramount. Second, organizations must think about reducing their attack surfaces by reconsidering which systems connected to sensitive databases should be left open on publicly-facing websites.

Company Compromised: Advocate Medical Group

Breach Stats: 4 million patient records stolen

The Details: The theft of four computers from offices owned by this medical company exposed more than 4 million patient records in what officials are calling the second-largest loss of unsecured health information since notification to the Department of Health and Human Services became mandatory in 2009.

Lessons Learned: Healthcare breaches are dominating the 2013 breach disclosure list thus far, but this one in particular is the most egregious. With patient records dating back to the 1990s compromised from a physical computer theft, it is clear that the basics in physical security, endpoint security, encryption and data protection were all deficient here. In particular, endpoint theft and loss in healthcare seem to come up time and time again. It may be time for these organizations to reconsider how much data an endpoint is allowed to download and store from centralized databases.


Article source: http://www.darkreading.com/database/learning-lessons-from-2013-data-breaches/240164264

NSA installed ‘50,000 malware sleeper cells’ in world computer networks


America’s NSA had established an army of “sleeper cells” – malware-infected, remote-controllable computers – on 50,000 networks by the middle of 2012. That’s according to the latest leaks from whistleblower Edward Snowden.

Dutch newspaper NRC Handelsblad reports that the elite NSA TAO (Tailored Access Operations) hacking squad had used malware to establish a zombie army with tentacles all across the world.


The malware serves as a sleeper agent on compromised PCs, waiting months or longer before it activates and begins harvesting data. This stolen information is covertly fed into the NSA’s voracious data processing apparatus. The malware (or “implants” in the lexicon of the NSA) is slung onto compromised machines using Computer Network Exploitation, or hacking, tactics.

The methodology of the attacks carried out by the NSA is probably similar to the Belgacom hack blamed on GCHQ, which used fake LinkedIn and Slashdot pages to serve malicious code to targeted system engineers at the Belgian telco. The malware variant featuring in the latest NSA leaks is unknown, although we do know it established backdoor access to systems in Brazil, one of the countries that has been most vocal in complaining about US cyber-espionage antics, and Mexico. Similar malware-based tactics have reportedly been a feature of the NSA’s playbook for 15 years since 1998.

Previous leaks from Edward Snowden have revealed the detailed methodology for the NSA’s deployment of malware, so the latest leaks only really put one operation under the microscope rather than helping to uncover a previously unknown tactic. The latest leak illustrates that state-sponsored cyber espionage is far from the sole preserve of the Chinese, who are routinely blamed for so-called Advanced Persistent Threat-style attacks featuring custom malware and phishing. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/25/nsa_botnet/

LG decides its TVs *don’t* steal personal information – “viewing info” isn’t personal

Last week, we wrote about how a UK blogger named DoctorBeet became suspicious that his LG Smart TV was phoning home with more information about his use of the TV than he might have liked.

Some investigation with Wireshark followed – that’s a free, powerful and highly recommended network packet sniffer – and his suspicions were confirmed.

Even after he expressly turned off the clumsily but unambiguously named “Collection of watching info” option, his TV continued to send back information (or to steal it, if you want to call a specialised earth lifting leverage tool a spade) that any reasonable person would consider none of the TV maker’s business.

LG’s initial response, reports DoctorBeet, was pretty much to disown all responsibility for the firmware in its device:

The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T’s and C’s at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.

When in doubt, blame the merchant!

If you think that is the worst excuse you’ve ever heard for a privacy breach, you’re not alone.

In fact, LG itself must have thought so (or the company decided to take a second opinion from another lawyer), because it soon changed its tune, sending our good friend and former Naked Security colleague Graham Cluley a PR statement that beat a different drum:

At LG, we are always aiming to improve our Smart TV experience. Recently, it has been brought to our attention that there is an issue related to viewing information allegedly being gathered without consent. Our customers’ privacy is a very important part of the Smart TV experience so we began an immediate investigation into these claims. Here’s what we found:

Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information. This information is collected as part of the Smart TV platform to deliver more relevant advertisements and to offer recommendations to viewers based on what other LG Smart TV owners are watching. We have verified that even when this function is turned off by the viewers, it continues to transmit viewing information although the data is not retained by the server. A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted.

It has also been reported that the names of media files stored on external drives such as USB flash devices are being collected by LG Smart TVs. While the file names are not stored, the transmission of such file names was part of a new feature being readied to search for data from the internet (metadata) related to the program being watched in order to deliver a better viewing experience. This feature, however, was never fully implemented and no personal data was ever collected or retained. This feature will also be removed from affected LG Smart TVs with the firmware update.

LG regrets any concerns these reports may have caused and will continue to strive to meet the expectations of all our customers and the public. We hope this update clears up any confusion.

Graham already did a blow-by-blow dissection of this statement, and he wasn’t impressed.

You shouldn’t be, either.

The elevator pitch/lift summary is simple:

  • The “collection of watching info” option collects viewing information, which LG defines as “not personal”, so stop moaning.
  • LG collects that data even when you tell it not to, but it doesn’t actually do anything with it, so stop moaning.
  • OK, so LG will alter the software so it tells the truth about collecting the info.
  • OK, LG also collects data off your own storage devices, like filenames, but that was just a coding error, so stop moaning.
  • OK, so LG will alter the software to remove the code that wasn’t supposed to have been released in the first place.
  • LG is sorry if you somehow got confused and formed the opinion that it was helping itself to data that it shouldn’t have.

We wondered over the weekend why the statement sent to Graham wasn’t more widely circulated by LG.

We didn’t receive a copy, for example, and most stories covering this issue ended up linking to Graham’s article, presumably lacking a primary source of their own.

We now seem to know why: LG must have been a bit less than sure of its facts, and has changed its tune again since telling Graham that this whole thing was really just a pile of confusion.

Its official on-line statement is different in an intriguing but subtle way.

LG told Graham that it collected viewing info “as part of the Smart TV platform to deliver more relevant advertisements,” but apparently it doesn’t do that.

In fact, in its new statement the company unequivocally if ungrammatically states that it “does not, or has ever, engaged in targeted advertisement using information collected from LG Smart TV owners.”

Clear as mud.

With a second blogger confirming and extending DoctorBeet’s findings, I wouldn’t be surprised if LG has a fourth go at explaining itself.

We’ll have to wait and see whether LG’s next statement starts with the words, “Dear customers, we made a mistake and we apologise,” or with, “Dear Information Commissioner’s Office…”

What do you think?

Would a proper apology still do the trick, or is it too late for that now?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/q9riIkaX3dQ/

Facebook reveals friends list even when it’s set to private

Don’t want the entire Facebook-using and -abusing population to see your friends list?

You can always change the setting to private – a setting labeled, for some strange reason, “only me”, chosen in response to the question “who can see your friends list?”

Fat lot of good it will do you, though.

Irene Abezgauz, a vice president of product management at the security software company Quotium, has discovered a way for any casual visitor, stranger, stalker or troll to see friend lists that users have set to be private, and that includes any friends who’ve also set their lists to be private.


To access anybody’s friend list, all someone has to do is to create a fake Facebook account and send a friend request to his or her target.

Even if the targeted Facebook user doesn’t respond to the friend request, they’ll get to see a list of his or her friends, courtesy of Facebook’s People You May Know feature.

According to VentureBeat, Abezgauz revealed the vulnerability at the recent AppSec USA 2013 security conference in New York.

Abezgauz told VentureBeat that Facebook’s playing fast and loose with this on-again, off-again approach to privacy:

It’s all about privacy and people trusting that Facebook is making the best effort to protect the privacy of users. … It’s not about protecting the privacy of users as long as it stays out of the way of Facebook growing and expanding.

Facebook’s People You May Know feature, introduced in 2008, helps people discover new connections, be they long-forgotten school chums or colleagues.

It both helps people to build out their Facebook networks and enables Facebook to build a treasure trove of valuable data about us and the people with whom we associate.

(That daisy-chaining analysis, of course, enables people like NSA agents to pull the communications of innocent people into far-reaching surveillance dragnets that snare friends of friends of actual targets, as was shown in recently revealed documents from whistleblower Edward Snowden.)

To exploit the privacy hole, an attacker creates a new user account on Facebook and sends a friend request to the victim.

Even if the intended victim declines the request, Facebook begins to suggest to the attacker people he or she may know, with the option of clicking a “see all” button for convenience.

The people suggested in that list are friends of the target who received the friend request, even when the friends list of the victim is set to private and the other suggested users also have their friends list set to private.

When Abezgauz brought the privacy issue to Facebook’s attention, it replied that no, everything’s fine, given that you don’t know if the suggested friends represent someone’s complete friend list:

If you don’t have friends on Facebook and send a friend request to someone who’s chosen to hide their complete friend list from their timeline, you may see some friend suggestions that are also friends of theirs. But you have no way of knowing if the suggestions you see represent someone’s complete friend list.

But Abezgauz writes that research has shown that most of the friends list – which often includes hundreds of friends – is available to the attacker.

“In any case,” the researcher said, “even a partial friends list is a violation of user-chosen privacy controls.”

I checked with Facebook to see if private friend lists were still being pushed into People You May Know feeds. A spokesperson got back to me, and it doesn’t look like Facebook is planning to change anything any time soon:

Our policies explain that changing the visibility of people on your friend list controls how they appear on your Timeline, and that your friends may be visible on other parts of the site, such as in News Feed, Search and on other people’s Timelines. This behavior is something we’ll continue to evaluate to make sure we’re providing clarity.

Is Facebook privacy only an illusion, designed to lull us into sharing more than we would if we knew what the company really did with our data?

I agree with Abezgauz on this issue: Facebook has no right to siphon our friends off of a list putatively set to be private.

Hands off, Facebook, and please, fix this privacy hole.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DnMK_vQuIt8/

Great Firewall of China bypassed by cloud mirrors

China’s infamous Great Firewall, the massive surveillance and censorship system sitting between China’s internet and the rest of the world, has been circumvented and bypassed by numerous techniques over the years with varying degrees of success and longevity.

The latest trick, carried out by activists at Great Firewall monitoring site Greatfire.org, is to upload mirrored copies of blocked sites to cloud hosting services, challenging the Great Firewall operators to block major brands like Amazon and Google cloud hosting, or allow freer access to banned material.

The move came in response to further blocking by the Great Firewall, with Chinese versions of the Reuters and Wall Street Journal news sites added to the blocklist in mid-November. The Reuters site was mirrored to the Amazon cloud service within a few days of the new blockages.

China is notorious for filtering all sorts of web traffic, both blocking specific sites and services (including Facebook and Twitter) and monitoring for a long list of keywords, ready to cut connections as soon as they become suspect.

Freedom of speech activists have pointed to the Great Firewall, officially referred to as the “Golden Shield Project”, as a clear example of repression, while economists have suggested the filtering of the internet is impeding China’s potential for economic development.

The “inventor” of the internet, Sir Tim Berners-Lee, recently made clear his belief that China’s government would be forced to gradually slacken their control over the internet, and that the Great Firewall will eventually be dismantled, citing mainly economic reasons.

For now, residents of China are stuck with limiting themselves to the government’s approved list of sites and subjects, or trying various means of bypassing the controls, from technical methods like proxies and VPNs to more human tricks like using codewords to replace banned terms, or sending images rather than text.

This latest technique offers the promise of access to all manner of proscribed information, but it doesn’t really break the Great Firewall. The internet is about much more than simply viewing information, and the interactivity and opportunities to join forces offered by sites like Facebook and Twitter are what make them seem so dangerous to the Chinese government.

A mirrored version of a website can never be much more than a one-way viewing experience; even news sites are highly interactive and public-driven these days, so if the commenting and forum systems are not integrated into those of the official site, there remains a divide between China and the rest of the world.

Worse, if people within China start treating such mirrored sites as the real thing, it will make life much easier for criminals. Websites that look right but have the wrong address should always be a warning sign to internet users. Anything that makes it normal for users to see websites at the wrong addresses robs them of a simple and important safeguard against things like phishing.

So, let’s hope that the Chinese government starts thinking of the advantages of opening up its internet to the rest of the world, which should be good for its economy, its people’s happiness and its nation’s reputation. Let’s hope it starts that process soon.

In the meantime, if Chinese citizens do feel obliged to try to find ways around the censorship, let’s hope they can do it safely and cautiously, and not start picking up any bad habits.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lMbORDHdZIk/

Tech firms way behind the curve on handling cybersecurity

US financial companies are the best protected against the risk of cyberattack, with the energy and retail sectors not too far behind. In contrast, technology businesses consistently rate far lower, according to a study by risk analysis firm BitSight.

The study is based on the firm’s security risk rating system, measured by analysing factors like data breaches, but also including levels of spam and botnet traffic observed coming from within a company’s IP space and how long it takes to mop up breaches and infections.

It looked at 70 Fortune 200 companies, over the 12 months leading up to September 2013. The results show a noticeable dip around April this year, apparently coinciding with a general uptick in the threat level at around that time.

Average industry ratings

This wave hit the energy sector hardest, dropping its rating to below that of retail where it stayed for the rest of the year, but finance maintained a clear lead throughout, and technology lagged well behind for the entire period.

Financial institutions are clearly the choicest of targets for cybercrooks, combining the potential for huge one-off digital heists with access to customer data which can be leveraged into similarly huge sums through multiple smaller frauds.

Banks have also been subject to numerous hacktivist attacks in recent years, although perhaps not so much in the last year.

The suggested explanation is that banks are doing a reasonable job of defending their perimeters mainly because they take security more seriously than other sectors do.

The BitSight report cites a survey, conducted in 2012 by Carnegie Mellon University’s CyLab, which found that financial firms are far more likely to employ high-level executives with explicit responsibility for security and risk (CSOs, CISOs, and Chief Risk Officers).

Simply employing people to fill these roles isn’t enough, of course; they have to be properly skilled and informed as well as empowered and incentivized to maintain the best possible security levels. But even just by having the role, companies can send a clear message that they are giving the proper weight to security and privacy issues.

Other sectors are serious targets too: retail, like finance, is a big draw for cybercriminals looking to get their hands on card numbers.

Retail has of course been hit by both large- and small-scale data breaches in the last year.

Meanwhile the energy sector is more likely to be threatened by the potential for terror and extortion attacks, and while security in this sector should be bolstered by government spending, it has still seen its share of breaches and compromises.

The tech sector is something of an outlier in many ways, being largely outside direct government control and not subject to many of the data-handling requirements that banks and retailers have to meet. It is worrying though that security in this sector is so lax, given the combined dangers of industrial espionage and leakage of client information.

This sort of leakage seems to have contributed heavily to the sector’s poor ratings, with massive breaches like the Adobe leak of tens of millions of user login details, made worse by sloppy cryptography, cited as a major factor.
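The article does not spell out what was sloppy about the Adobe store. What was widely reported at the time was that the passwords had been encrypted rather than hashed, under a single key, with a 64-bit-block cipher in ECB mode, and stored alongside plaintext password hints. The Python below is an added example, not code from the article or from Adobe: it uses a toy 8-byte Feistel cipher built on SHA-256 (a stand-in for the real block cipher, not a secure design) to show why ECB encryption of a password column leaks which users share a password and which share the first eight bytes of one, and how a hint left by one user then applies to everyone with the same ciphertext. Beside it is a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) that does not leak in this way. The user records, key and hints are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

BLOCK = 8    # 64-bit block: the prefix leak below is 8 bytes wide for that reason
ROUNDS = 4

def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function: 4 bytes derived from key, round index and half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block. A Feistel network is invertible, unlike a hash."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, right, rnd))
    return left + right

def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, left, rnd)), left
    return left + right

def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # PKCS#7-style padding
    return data + bytes([n]) * n

def ecb_encrypt_password(key: bytes, password: str) -> bytes:
    """ECB: each block encrypted independently, no IV, no per-user salt."""
    data = _pad(password.encode())
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def ecb_groups(store: dict, nbytes: int = None) -> dict:
    """Group users by stored ciphertext (or by its first nbytes).

    A whole-ciphertext match means identical passwords; a first-block match
    means the first 8 password bytes are identical. No key is needed for this.
    """
    groups = defaultdict(list)
    for user, ct in store.items():
        groups[ct[:nbytes]].append(user)
    return {ct: users for ct, users in groups.items() if len(users) > 1}

def leaked_hints(store: dict, hints: dict) -> dict:
    """A plaintext hint from any member of a ciphertext group applies to all of them."""
    leaked = {}
    for users in ecb_groups(store).values():
        group_hints = [hints[u] for u in users if hints.get(u)]
        for u in users:
            leaked[u] = group_hints
    return leaked

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Per-user random salt plus an iterated hash: equal passwords no longer collide."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

# Constructed records, not real data.
USERS = {"alice": "123456", "bob": "123456", "carol": "password1",
         "dave": "password2", "erin": "correct horse"}
HINTS = {"bob": "one to six", "dave": "the usual plus 2"}
KEY = b"one key for the whole table"   # an ECB store shares a single key

def build_ecb_store() -> dict:
    return {u: ecb_encrypt_password(KEY, p) for u, p in USERS.items()}

def build_hashed_store() -> dict:
    return {u: hash_password(p) for u, p in USERS.items()}

def hashed_store_has_duplicates(store: dict) -> bool:
    digests = [d for _, d in store.values()]
    return len(digests) != len(set(digests))

if __name__ == "__main__":
    ecb = build_ecb_store()
    print("identical passwords :", list(ecb_groups(ecb).values()))
    print("same first 8 bytes  :", list(ecb_groups(ecb, BLOCK).values()))
    print("hints usable across :", leaked_hints(ecb, HINTS))
    print("hashed-store dupes  :", hashed_store_has_duplicates(build_hashed_store()))
```

Run it and the ECB table groups alice with bob (same password) and carol with dave (same first eight bytes), with bob's hint handing over alice's password as well; the hashed table has no repeated values even though two users chose the same password. Note that the attacker learns all of this from the stolen table alone, without ever recovering the key.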

But it’s not just data leakage. It seems that tech firms are also slowest to deal with malware infections, something of a surprise given that there should be more skilled technical people on hand to help clean things up.

By this metric the difference is less pronounced, with energy and retail not far ahead of tech in terms of velocity in dealing with botnet infestations, but finance again does well. In terms of spam seen emerging from company networks, retail just scrapes ahead of finance, with tech and energy on level pegging not too far behind.

Where the prize is a single database, the duration of a breach matters less: if attackers can copy the entire customer table the moment they get in, they gain little by lingering for a few days to pick up a handful of new names.

Still, knowing how long it takes to spot and clear up an infection gives a good indicator of how strong a firm’s security is in general.

In the end it’s all about attitude. At a corporate level we’re just not giving security the importance it merits, unless forced to do so by strict regulation.

Until all companies, whatever sector they are in, realise that the data they hold is a potential target and that they must take proper measures to ensure it is kept safe, we’ll keep on seeing our info regularly being scooped up by the bad guys.

Perhaps the banks are working harder because our info can be converted so directly into their money. Other businesses need to learn that nowadays all information is valuable, and should be treated as such.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0c9soKFsrYw/