27.2.16

Identity theft accounts for ‘majority of data breaches’

Theft of identities along with personal information still accounts for the majority of data breaches, a new global survey by Gemalto has found.

According to the 2015 Breach Level Index (BLI), identity theft accounted for 53% of all data breaches as well as 40% of “all compromised records” last year.
Jason Hart, vice president and chief technology officer for data protection at Gemalto, said of the findings: “In 2014, consumers may have been concerned about having their credit card numbers stolen … however, in 2015 criminals shifted to attacks on personal information and identity theft.”
He was also quick to point out that as organizations and devices continue to collect personal data from their users, trust becomes the most important factor when it comes to deciding whom to go into business with.

The BLI is a database that tracks global data breaches, measuring their significance according to a number of factors, including whether or not the data was encrypted and the source of the breach.
The survey also reveals that healthcare and government data breaches have overtaken those in the retail sector.
The government sector accounted for 43% of compromised data records, mainly as a result of several very large data breaches in the US.
The healthcare sector accounted for 19% of compromised data records while retail saw a significant 93% drop in the number of data breaches in 2015.

According to the BLI, 77% of all data breaches occurred in North America while 12% occurred in Europe. The Asia Pacific region accounted for 8% in total.
Mr. Hart also had some words of advice with regard to companies protecting themselves from data breaches, stating that: “Even if a breach occurs, it can be a secure breach if the right security technologies such as encryption are properly in place to protect the most important and sensitive data.”



25.2.16

Privacy and security ‘war’ must come to an end

Cybersecurity experts are joining forces with government officials to try and “end the war between privacy and security”.

The Digital Equilibrium Project, as it’s known, aims to “foster a new, productive dialogue on balancing security and privacy in the connected world”.
It will release its ‘foundational’ paper on this contentious debate, Balancing Security and Privacy in the Connected World, on Tuesday March 1st at the RSA Conference in San Francisco, US.
The group hopes that the project – and the supporting document – will encourage both sides of the privacy/security argument to better discuss the underlying issues they have.
It is intended to “end the kinds of standoffs we are seeing between Apple and the US government,” the authors and project participants explained.

“I’ve had a front row seat in the perceived debate between privacy and security as the author of landmark cybersecurity legislation,” commented Dutch Ruppersberger, a US congressman and cybersecurity advocate.
“I have been disheartened to see government, industry and privacy advocates drawing hard and fast lines in the sand. This can’t continue if we are to make meaningful changes in the way we protect … the rights of private citizens.”

Also speaking on the matter, Art Coviello, former executive chairman of RSA, said that quarrels like the one between the US government and Apple are “symptoms of a larger issue”.
More needs to be done to catch up to the digital world we find ourselves in, he continued – laws, policies and “social constructs” need to be updated.
He explained: “We are on a pace to connect another billion people, and a billion devices, to the internet over the next 5-10 years, with no national or global constructs for how privacy, crime, nation-state aggression and corporate responsibility will be addressed.”

The paper will be offered to president Barack Obama, along with current members of both the House and the Senate.

24.2.16

Digital childhoods: How different nations bring up their kids

Most parents think carefully about when to give their children their first set of house keys, or let them go out to play with no adult supervision. Yet in our digitalized world, the same caution should be exercised in the virtual world, such as on social networks or when giving children their first smart gadgets.
ESET has looked deeper into what parents in the United States, Germany, the United Kingdom and Russia regard as the appropriate age for digital activities.
One of the most notable results is that Russian parents are the most strict with their offspring at younger ages. Until boys and girls celebrate their fifth birthday, close to zero (according to ESET’s dataset) have their own mobile gadgets or are allowed to do anything in cyberspace without supervision.

This differs in Western countries, where a significant percentage of kids have access to technology long before passing that ‘milestone’. Surfing online without parental supervision is common for as many as 6% of British, 8% of German and 10% of American under-fives whose parents took part in the survey.

On the other hand, after turning five, things gain momentum in the East, and in the end, Russian children are allowed to explore both the physical and virtual worlds much earlier than most of their western counterparts.

Key or a phone? Nations split on what to give their children first

Can you remember when you got your first set of house keys? The responsibility and pride you felt? According to ESET’s data, Russian children are the first to experience this. At 7 years and 11 months (7.9*) they are ahead of their German peers by 8 months (8.6).
The gap is even greater in comparison with American kids. In the US, children get their own house keys at an average age of 9 years and 5 months (9.4). The most wary are Brits, whose kids get keys only after they turn 10 years and 7 months (10.6).
Similar responsibility comes with mobile phones, as these open ‘doors’ to another risky reality – the virtual one. At least this seems to be the view held by American parents, who give children their first devices only shortly before their 10th birthday (9.7), just after Germans, at 9 years and 7 months (9.6).
Russians are at the opposite pole, giving kids their first mobiles at an average age of 7 years and 2 months (7.2), 8 months earlier than their house keys. In the UK this gap is even greater, with Brits granting their offspring house keys almost 10 months later (10.6) than their first phone (9.8). A majority of Brits would even be keen to see a minimum age restriction for these types of devices.

Kids start their digital lives before turning 11 years old

An overwhelming proportion of parents surveyed also admitted that their child had his or her first social network account before their 11th birthday. In this metric, Brits, Germans and Americans showed similar average results – 10 years 8 months (10.7), 10 years 7 months (10.6) and 10 years 5 months (10.4), respectively. Only Russians differed significantly, with an average as low as 8 years and 7 months (8.6).
This is interesting, as many popular networks have significantly higher official age restrictions – 13 for Facebook, Twitter and Snapchat, 16 for WhatsApp and, without parents’ permission, as high as 18 for YouTube.
The most popular Russian social network service VKontakte (VK.ru) only states that its users have to reach “the age acceptable in accordance with Russian legislation for accepting these Terms, and has the relevant powers”, effectively setting the age restriction at 18 years.
We should add that there are many social network platforms in all four countries that are specially designed for younger children. Therefore, we can only assume that the aforementioned rules of all the popular networks were broken by kids whose parents were surveyed.

Milder Russian rules

Another demonstration of the “milder rules” in Russia is the fact that kids are allowed to play outdoors without supervision at an average age of 7 years and 4 months (7.3). In comparison, American children can do so only after they are a year older (8.3), and British children at 8 years and 1 month (8.1). German kids were closer to Russians, playing outside without adult supervision at 7 years and 5 months (7.4).
The parents of all the surveyed nations seem to be aware of the risks lurking online, as they allow their young ones to explore virtual reality later than the sandpit in the playground.
The data collected suggests that surfing the web alone is common for Russian kids after they turn 8 years and 5 months (8.4). On the other hand, distrust is greatest amongst German parents, who won’t allow their offspring to browse independently before they turn 9 years and 9 months (9.8). For children in the UK and US, limits are lifted at around 9 years and 6 months (9.5) and 9 years and 5 months (9.4), respectively.
Our Internet survey was carried out in January 2016 and focused on the attitudes of a demographically representative sample of around 1,000 of the online population in each of four countries: the United Kingdom, the United States, Germany and Russia. The UK, US and German data was provided by Google Consumer Surveys, while Russian data was provided by Merku.
This topic will be addressed at the world’s largest expo for the mobile industry: Mobile World Congress 2016, beginning on February 22nd in Barcelona, Spain. During the event, ESET will be located in Hall 5, Booth B05. For more information about ESET at the Mobile World Congress, check our special page.

* Average age calculated as arithmetic mean = sum of the age value provided by the parents in the given question divided by the total number of those values. Calculated separately for each country.

Author: Ondrej Kubovič, EMEA Security Specialist
For those of you interested in how the percentages looked for the various questions, age groups and between the four countries polled, please see the breakdown in the tables below.
Q1: How old was your child when you allowed him/her to play at a playground without supervision?
Q1 Playground Unsupervised
Age 1 year 2      3      4      5      6      7      8      9      10     11     12     13     14
UK  1.00%  2.00%  3.00%  5.00%  10%    7%     7%     16%    10%    18%    9%     8%     1%     1%
DE  3.00%  1.00%  3.00%  5.00%  11%    17%    13%    16%    8%     12%    4%     5%     1%     1%
US  2.00%  5.00%  3.00%  4.00%  7%     7%     7%     12%    10%    22%    5%     10%    4%     3%
RU  0.00%  0.00%  0.00%  0.00%  1%     17%    37%    37%    5%     2%     0%     0%     0%     0%

Q2: How old was your child when you first gave them keys to your home?
Q2 House Keys
Age 1 year 2      3      4      5      6      7      8      9      10     11     12     13     14
UK  1.00%  2.00%  2.00%  3.00%  2%     2%     1%     1%     3%     12%    28%    25%    11%    7%
DE  2.00%  2.00%  1.00%  2.00%  3%     11%    11%    19%    9%     17%    5%     12%    3%     3%
US  2.00%  4.00%  2.00%  1.00%  5%     3%     5%     10%    6%     19%    12%    22%    6%     3%
RU  0.00%  0.00%  0.00%  0.00%  0%     8%     27%    47%    8%     7%     3%     0%     0%     0%

Q3: How old was your child when you allowed him/her to surf the web unsupervised?
Q3 Internet Unsupervised
Age 1 year 2      3      4      5      6      7      8      9      10     11     12     13     14
UK  1.00%  2.00%  2.00%  2.00%  3%     4%     8%     12%    12%    14%    14%    17%    7%     3%
DE  4.00%  1.00%  1.00%  2.00%  3%     3%     4%     9%     7%     18%    7%     24%    6%     9%
US  3.00%  4.00%  1.00%  2.00%  2%     3%     6%     10%    8%     20%    9%     18%    8%     5%
RU  0.00%  0.00%  0.00%  0.00%  1%     2%     23%    36%    19%    7%     9%     0%     2%     1%

Q4: How old was your child when he/she first received a mobile phone?
Q4 First mobile phone
Age 5      6      7      8      9      10     11     12     13     14
UK  7.00%  1.00%  1.00%  6.00%  5%     15%    14%    22%    21%    6%
DE  12.00% 2.00%  3.00%  3.00%  3%     10%    7%     23%    18%    19%
US  12.00% 1.00%  3.00%  4.00%  6%     11%    13%    21%    20%    10%
RU  7.00%  11.00% 45.00% 27.00% 8%     1%     1%     0%     0%     0%

Q5: How old was your child when he/she first opened an account on a social network?
Q5 First social network account
Age 1 year 2      3      4      5      6      7      8      9      10     11     12     13     14
UK  2.00%  1.00%  1.00%  2.00%  2%     1%     1%     6%     5%     15%    14%    22%    21%    6%
DE  5.00%  2.00%  1.00%  1.00%  3%     2%     3%     3%     3%     10%    7%     23%    18%    19%
US  5.00%  4.00%  1.00%  1.00%  1%     1%     3%     4%     6%     11%    13%    21%    20%    10%
RU  0.00%  0.00%  0.00%  0.00%  0%     0%     34%    22%    13%    17%    8%     3%     1%     1%

Q6: How old was your child when you allowed them to install apps on their smart devices (smartphone, tablet) without supervision?
Q6 Apps Unsupervised
Age 1 year 2      3      4      5      6      7      8      9      10     11     12     13     14
UK  2.00%  1.00%  1.00%  3.00%  4%     3%     6%     10%    7%     13%    15%    20%    11%    5%
DE  3.00%  2.00%  1.00%  2.00%  5%     4%     2%     6%     6%     11%    11%    24%    9%     16%
US  4.00%  4.00%  3.00%  2.00%  3%     4%     5%     6%     6%     12%    11%    18%    13%    9%
RU  0.00%  0.00%  0.00%  0.00%  0%     10%    9%     35%    16%    17%    7%     4%     1%     1%

Integration in 2016: How to Deal with Digital Disruption


        
Software AG (Frankfurt TecDAX: SOW) today shared its view of trends in integration, API (application program interface) and MDM (master data management) technologies based on its interactions and observations from more than 4,000 customers.

Navdeep Sidhu, senior director, Integration & API Management Product Marketing for Software AG, noted: “Digital transformation cannot happen quickly enough. In 2016, we will continue to see this digital trend as consumer behavior further drives change and puts a question mark on every business model. I believe there are eight key trends that we will see arise through the year.” 

1. Everything will be Hybrid
The complexity of cloud adoption and the need for increased innovation to build digital apps will force IT to explore different cloud options. Companies will want hybrid cloud, hybrid integration and even managed cloud. Companies will move away from just cloud solutions to real hybrid solutions. Instead of just focusing on public and private cloud options, IT will increasingly explore other models for flexibility and control.

2. APIs will get their SWAGGER back
The Swagger API framework is becoming the de facto standard and initiatives like Open API are further standardizing the role of Swagger in API development. We predict that Swagger will gain further traction and over time become the most widely used standard for APIs. Vendors will rally behind the Open API initiative and give Swagger a much-needed boost to become the dominating API standard and RAML (RESTful API modeling language) will fade over time.

3. APIs will Enable ‘Self-Service’ Integration
Imagine a world where everything is an API and all your data is immediately accessible to you and those you choose. That includes your customers, partners, suppliers, banks and just about everyone in your ecosystem. How will you manage this complicated world of data access? APIs will provide the answer and self-service style on-boarding for APIs will drive integration.

4. Bimodal goes Mainstream
Citizen developers and citizen integrators will co-exist peacefully with IT teams to deliver new applications and interfaces to speed the overall innovation quotient of the organization. Different integration models will come together under IT and thrive. 

5. Integration will Capture Big Data’s Hidden Value
Companies have been adopting Hadoop platforms for storing data sets without actualizing the full value. Increased integration of existing systems with newly acquired Hadoop platforms will unlock the hidden value, enabling Big Data to finally be used to make smart decisions to improve customer satisfaction.

6. Microservices will Demolish Monolithic Architectures
The microservices movement will gain strength and slowly keep drilling away at the foundation of monolithic architectures. As organizations speed up digital transformation, they will realize that the biggest roadblock to faster innovation is the legacy monolithic architectures—and will find ways to adopt more “DevOps” friendly microservices-based architectures.

7. IoT will Meet MDM
The expanding definition of Customer-360 means MDM will incorporate data about customer buying preferences, linking that data to standard MDM data quality processes, such as cleansing and matching. Synchronizing and enriching the customer master record through device-generated sensor data will become a more common requirement for MDM’s customer consolidation process.  

8. MDM Will Get Prettier – and Smarter
MDM solutions will continue to increase support for business data stewards by simplifying work views, creating more application-oriented interfaces, and integrating business intelligence tools and “dash-boarding” to understand the value and impact of superior data quality on business processes.  

Navdeep Sidhu concluded: “This year the focus will be on finding the necessary IT capabilities for faster transformation, as organizations realize that existing models are not capable of supporting it. At the end of the day, all of our predictions point to how organizations can build better business applications—as those will be the manifestation of how they will become digital enterprises.”


23.2.16

The security review: The state of security in companies in the EMEA region


Welcome to this week’s security review, which includes a detailed report from ESET on the state of information security in companies in the EMEA region, helpful advice on support scams and the rise of Android ransomware.

The state of information security in companies in the EMEA region
For this extensive report, ESET spoke to 1,700 experts and managers about the state of information security in companies that operate in the EMEA region. The paper found that malware infection is reported as the most frequent security incident (59% of respondents), followed by social engineering, scams, fraud and phishing. Interestingly, it was found that most (98%) have invested in at least one cybersecurity solution.

Support scams: What do I do now?

ESET’s David Harley returned to the question of what to do once a scammer has gained a foothold in your system. “There is no single clear-cut answer to that question,” he remarked. “[This is] because there is no single ‘support scam’ …” In terms of what you can do, the expert offered some solutions, highlighting the fact that it’s a “question best answered on a case-by-case basis”.

The rise of Android ransomware
Ransomware attacks aimed specifically at Android platforms are on the rise, a collaborative effort by ESET’s Robert Lipovsky, Lukas Stefanko and Gabriel Branisa revealed in a white paper. They explained that it is part of a wider trend, whereby cybercriminals are focusing their efforts on mobile devices. With more data being stored on these devices, they are a lot more lucrative, the authors highlighted.

How is cryptography incorporated into PoS terminals?
ESET’s Lucas Paus discussed the different types of cryptographic solutions available to PoS (Point of Sale) terminals. “In payment terminals, largely speaking, there are three groups of cryptographic algorithms that are used in a variety of technologies, where they are combined with each other and with various types of architecture inside PoS devices,” he said. These are symmetric-key algorithms, asymmetric-key algorithms and one-way hash algorithms.

VTech warns users that sensitive information ‘may not be secure’
VTech, which suffered a major data breach towards the end of 2015, announced that its online service Learning Lodge – which was specifically attacked – is now back online. However, what most media outlets picked up on was the interesting update to its terms and conditions. The company’s Limitation of Liability section now states that customers agree that “any information [they] send or receive during [their] use of the site may not be secure and may be intercepted or later acquired by unauthorized parties”.

How to bypass this LG smartphone’s fingerprint security in just 30 seconds
The independent security analyst Graham Cluley drew attention to a “troubling vulnerability” on LG’s V10, which makes it possible for someone to gain access to the smartphone easily. “Normally, to add a fingerprint to the phone, you would have to enter a security PIN to prove that you are authorised to do so,” he explained. “However [through the] Nova Launcher app [you can] gain access to the fingerprint screen without any need [for authentication]”.

Major vulnerability found in GNU C Library
Researchers at Google announced that they had come across a major vulnerability in GNU C Library (glibc), which has been present since 2008. The bug puts hundreds of thousands of devices and apps at risk, the tech company stated. The full implications of this flaw are yet to be understood, but the fact that it was found in the so-called building blocks of the internet is nevertheless troubling. A patch has since been released.


http://www.welivesecurity.com/2016/02/22/security-review-state-security-companies-emea-region/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

21.2.16

Average cost of cybercrime rises by 200% in just five years

Cybercrime is costing the global economy up to $450 billion annually, a new report by Hamilton Place Strategies reveals.
The paper, entitled Cybercrime Costs More Than You Think, opens by stating that: “In an increasingly interconnected world fueled by the expansion of digital technology, cybercrime has become a big business.”
The document finds that the median cost of cybercrime has actually increased by approximately 200% in the last five years alone, and that it is very likely to continue in that vein.
One of the more intriguing revelations was that while cybercrime is often associated with a significant financial cost, the “reputational damage can be even more impactful to the bottom line”.
The concept of a “ricochet effect” was also revealed, whereby merely sharing an industry with a victim of cybercrime can have a detrimental effect on a business.
One key example is the Target data breach, which brought into question the vulnerability of other similar retailers across the country.
The report also reveals that had cybercrime been a ‘legitimate’ enterprise US industry, it would have been the second largest behind Apple.
Hamilton Place Strategies suggest a number of safeguards to help minimize losses in the unfortunate case of a cyberattack.
One recommendation is to “create a playbook”. The idea centers on organizations putting in place a cybersecurity plan.
The report also warns that “if you’re in business today, it’s nearly a guarantee you’ll be hacked at some point over the next couple of years”, which makes these findings all the more significant.