Immediate Vault Immediate Access

Cost of Cyber Crime Up 19% For U.S. Businesses

In its annual Cost of Cyber Crime study, the Ponemon Institute found that the average annual cost of cyber crime per large company is now $15.4 million in the United States. That figure has increased 19% from last year’s $12.7 million, and presents an 82% jump from the institute’s first such study six years ago. This year, losses ranged from $307,800 to $65,047,302.

Globally, the average annual cost of cybercrime is $7.7 million, an increase of 1.9% from last year. The U.S. sample had the highest total average cost, while the Russian sample reported the lowest, with an average cost of $2.5 million. Germany, Japan, Australia, and Russia experienced a slight decrease in the cost of cyber crime over the past year.

To try to benchmark the complete cost of cyber crime, the Ponemon Institute examines the total cost of responding to incidents, including detection, recovery, investigation and incident-response management. While it is virtually impossible to quantify all of the losses due to reputation damage or business interruption, the researchers did look at after-the-fact expenses intended to minimize the potential loss of business or customers.

Check out more of the study’s findings in the infographic below:

global cost of cyber crime ponemon institute

The Rise of Malvertising

malvertising cyber security

LAS VEGAS—One of the hottest topics in cyberthreat detection right now is the rise of malvertising, online advertising with hidden malware that is distributed through legitimate ad networks and websites. On Monday, Yahoo! acknowledged that one of these attacks had been abusing their ad network since July 28—potentially the biggest single attacks, given the site’s 6.9 billion monthly visits, security software firm Malwarebytes reported.

In the first half of this year the number of malvertisements has jumped 260% compared to the same period in 2014, according a new study released at the Black Hat USA conference here today by enterprise digital footprint security company RiskIQ. The sheer number of unique malvertisements has climbed 60% year over year.

“The major increase we have seen in the number of malvertisements over the past 48 months confirms that digital ads have become the preferred method for distributing malware,” said James Pleger, RiskIQ’s director of research. “There are a number of reasons for this development, including the fact that malvertisements are difficult to detect and take down since they are delivered through ad networks and are not resident on websites. They also allow attackers to exploit the powerful profiling capabilities of these networks to precisely target specific populations of users.”

How does malvertising work—and why is it taking off right now? “The rise of programmatic advertising, which relies on software instead of humans to purchase digital ads, has generated unprecedented growth and introduced sophisticated targeting into digital ad networks,” the company explained. “This machine-to-machine ecosystem has also created opportunities for cyber criminals to exploit display advertising to distribute malware. For example, malicious code can be hidden within an ad, executables can be embedded on a webpage, or bundled within software downloads.”

The study also noted that, in 2014, there was significantly more exploit kit activity (which silently installs malware without end user intervention) than fake software updates that require user consent. In 2015, however, fake software updates have surpassed exploit kits as the most common technique for installing malware. Fake Flash updates have replaced fake antivirus and fake Java updates as the most common method used to lure victims into installing various forms of malware including ransomware, spyware and adware.

Last week, enterprise security firm Bromium also released a new study focused on the rising threat of malvertising, finding that these Flash exploits have increased 60% in the past six months and the growth of ransomware families has doubled every year since 2013.

“For the last couple of years, Internet Explorer was the source of the most exploits, but before that it was Java, and now it is Flash; what we are witnessing is that security risk is a constant, but it is only the name that changes,” said Rahul Kashyup, senior vice president and chief security architect at Bromium. “Hackers continue to innovate new exploits, new evasion techniques and even new forms of malware—recently ransomware—preying on the most popular websites and commonly used software.”

One of the riskiest aspects of these exploits is that users do not have to be accessing sites that seem remotely suspect to be exposed. According to Bromium’s research, more than 58% of malvertisments were delivered through news websites (32%) and entertainment websites (26%). Notable websites unknowingly hosting malvertising included cbsnews.com, nbcsports.com, weather.com, boston.com and viralnova.com, the firm reported.

With that in mind, IT and cybersecurity teams have to adapt to meet these new threats, which are evolving far faster than detection tools, including antivirus, behavioral analysis, network intrusion detection, and the basic safe browsing guidelines issued to employees regarding their use of work devices.

“The key takeaway from this report is that, at large, the Internet is increasingly becoming ‘untrustworthy.’ Attackers are now using popular websites to launch malware via online ads, which makes things difficult for IT security teams,” explained Rahul Kashyup, SVP and chief security architect at Bromium. “This risk should be well understood and factored in for any organization while building a ‘defense-in-depth’ security stack. Regular patching and updates definitely help to limit the exposure to potential attacks, but that might not be feasible for large organizations. It is advisable to evaluate non-signature based technologies that can thwart such attacks in a reliable way and prevent infections on end-user devices.”

According to Bromium, the websites that most frequently serve as malvertising attack sources are:

malvertising attack sources

Should You Track Down Your Cyberattacker?

By and large, organizations tend to invest in preventative cybersecurity measures and they also concentrate their resources on detecting and stopping cyberattacks, rather than on painstaking “who did it?” investigations. They want to close the gap, manage the public opinion fallout, learn from the episode and move on.

From an enterprise perspective, this makes sense, as resources dealing with cybersecurity are usually overstretched and the organization does not stand to gain much from determining, with a certain degree of certainty, who was behind a cyberattack. The incentive equation, of course, is different if the target of the attack is a government or a large organization that is part of a country’s critical national infrastructure.

Attack attribution has traditionally been approached from the perspective of enabling the target or victim entity to pursue the attacker either for damages in a court of law; or from a national, military or intelligence “strike back” perspective.

While dishing out some form of retribution has always been instinctual, however, only governments and very large corporations have historically had the technical toolbox, the economical means and the long-term view to pursue a cyber retribution strategy.

online pharmacy albenza with best prices today in the USA

But should commercial and non-commercial organizations also care about cyberattack attribution?

online pharmacy amoxil with best prices today in the USA

Yes, within measure.

The first question ought to be: why? What does the target organization stand to gain from investing in cyber-attack attribution? The answer is that, the better it understands the attackers tools and techniques, the more likely the organization is to direct its limited resources to the right areas of defense.

As we know, each attacker or attacker group has certain preferred tooling and attacking methods. Also, they have their own motivation, speed, operational capability and discipline.

Assuming that an organization can safely concentrate only on patching, employee awareness programs, scanning, pen testing, log monitoring and other traditional defensive security measures, would be a mistake. These measures are, of course, necessary but they can no longer be the entire apparatus of cyber defense. Organizations need to invest a certain proportion of their resources in understanding their cyber adversaries, and their motivations, modus-operandi, credibility and capabilities, in order to better tailor their defensive resources.

What would be the “adequate” amount of time and effort for an organization to spend on seeking to attribute a cyberattack, successful or not, to a malicious actor or group? The effort should be proportionate with what is at risk and what resources the company has, either in house or via its suppliers and industry. Knowing at least how some of their enemies attack, however, can help companies to better leverage their resources when defending.

online pharmacy abilify with best prices today in the USA

Travelers Stages Live Hack to Examine Realities of Cyberrisk

NEW YORK—Yesterday, Travelers hosted “Hacked: The Implications of a Cyber Breach,” a panel of the insurer’s top experts and outside consultants drilling down into the realities of the cyber threat.

According to Travelers’ brand new 2015 Business Risk Index, cybersecurity rose from the #5 threat in 2014 to the #2 threat perceived by business leaders, with 55% most concerned about malicious and criminal attacks.

In an exercise to show just how valid that concern it is, panelists Kurt Oestreicher, a member of the cyber fraud investigative services team at Travelers, and Chris Hauser, former Silicon Valley FBI agent and current member of the cyber fraud investigative services team at Travelers, successfully carried out a live hack. Using a fake website created for this demonstration, the experts staged an SQL injection attack—the same kind of attack as Heartbleed, these are still responsible for 97% of breaches. Using an open-source penetration testing program that Hauser described as “point and click hacking,” they easily found a way to tunnel into the site’s SQL database. The process of scanning for vulnerabilities and acting on a known exploit—in other words, conducting the actual, successful “hack”—took about two minutes, including the time Hauser spent talking the audience through the process.

The program used to conduct this hack was free, and the number of resources readily available for free or very low cost means that more everyday businesses will become victims as malicious actors face very few obstacles to attempt a hack. “As tools and techniques like this become more common, it becomes far easier to target small- and medium-sized businesses and that exposure increases, especially because there are such low costs up front,” said Oestreicher.

Every day in the United States, 34,529 of these known computer security incidents take place. Yet many go undetected, and a lot are willfully unreported. While larger breaches impact more records, the preponderance of breaches strike Main Street businesses, not Wall Street corporations. In fact, of those that are identified and reported, 62% of breaches impact small and medium-sized businesses, Travelers found. Increased awareness among this group has yet to translate into increased coverage, however. According to a survey by Software Advice, insurance penetration among this group hovers at just over 2%, a trend Mullen has seen in the field as well. “Only about 10% of those who should have that coverage actually do,” he said.

According to data from NetDiligence, those incidents that are covered by insurance break down as follows:

NetDiligence Cyberinsurance Claims by Business Sector

NetDiligence Cyberinsurance Claims by Data Type

With hefty fines, costly investigation and notification requirements, and possible lawsuits and class actions, the true costs rapidly spiral. According to Mark Greisiger, president of data breach crisis services and security practices company NetDiligence, the average cost of a breach is $733,000 for SMBs—before any possible lawsuits or fines. Per record, the cost ranges from 1 cent to $1,000, based on the type of information contained. The average legal settlement after such breaches is currently about $550,000. Yet these numbers primarily reflect incidents where insurance was in place. Without the trusted vendor agreements, for example, the cost of retaining forensic investigation services in the midst of a crisis can be up to three times higher, he reported.

Recovering from these incidents varies wildly by the type of records exposed, and the resources available to aid in the effort. “It’s a wild pain in the butt with insurance,” said breach coach John Mullen, a managing partner of the Philadelphia Regional Office and chair of the U.S. Data Privacy and Network Security Group at Lewis Brisbois Brisgaad & Smith. “Without insurance, it’s a small- and medium-sized business killer. The Main Street story is a $2 million bill and no business.”

In the 2015 Business Risk Index, Travelers also shared a more detailed view of preparedness among specific industries:

Business Risk Index Cyber Preparedness