
“Wowee wow wow!”; The Costs Of CyberSecurity; Part II May 15, 2012

Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy.

In reading the Ponemon/Bloomberg report on the costs of cybersecurity, I was shocked to see that companies would need to increase spending 700% to achieve 95% protection. In reading closer, I was even more shocked to see that financial services companies would need to increase spending over 1,270% to achieve 95% protection. Of the 48 financial services firms surveyed, the average annual security investment was $22.9 million. To achieve the 95% goal, security investment would need to increase to $292.4 million per year. You can see the results in an interactive chart here.

As stated in my previous post, “CyberSecurity Cold War; Spend Ourselves Into Oblivion”, it is obvious that companies cannot increase security investment 11-fold or even 7-fold. There must be a better answer.

By the way, the “Wowee wow wow” is from Christopher Walken’s character The Continental 😉

“RSA Doesn’t Dine Alone” – China Suspected In Pipeline Attack May 13, 2012

Posted by Chris Mark in cybersecurity, InfoSec & Privacy, terrorism.

For background on this story, please read the previous post, as well as an earlier post titled “Cyberattack underway against US Pipelines”. While the timing of this story is fortuitous for this author, the event is frightening. According to the Christian Science Monitor: “Those analyzing the cyberspies who are trying to infiltrate natural-gas pipeline companies have found similarities with an attack on a cybersecurity firm a year ago. At least one US government official has blamed China for that earlier attack.” The referenced security firm is RSA. Again quoting CSM: “Investigators hot on the trail of cyberspies trying to infiltrate the computer networks of US natural-gas pipeline companies say that the same spies were very likely involved in a major cyberespionage attack a year ago on RSA Inc., a cybersecurity company. And the RSA attack, testified the chief of the National Security Agency (NSA) before Congress recently, is tied to one nation: China.”

Anyone who doubts that the US is under attack by China should read about the attacks against DuPont, RSA, Lockheed Martin, and more.

“Doing Time Before Being Convicted?” – Analyst Accuses Merchant of PCI Non-Compliance May 11, 2012

Posted by Chris Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy.

I wrote this in May 2012. Given the current position in the industry of proclaiming victims of cybercrime to be wholly responsible, I thought it appropriate to publish it again.

I was reading an article on BankInfoSecurity.com titled “Online Retailer Breached”. I am taken aback at the attitude of the quoted analyst. A Gartner analyst took the very bold step of accusing the merchant of “non compliance”, then seemingly qualified his statement by adding: “The attacker was probably able to attack unencrypted card numbers,” he says. “But given the lack of details, it’s hard to say for certain.” (more…)

“Poisoned Apple?” – OSX Lion Encryption Passwords Insecure May 7, 2012

Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy, PCI DSS.

For years many Apple purists (I used to be one) have been touting the inherent security of the Apple operating system. According to TechCrunch, it was discovered in February 2012 that OSX Lion (the newest OS from Apple) had a major security weakness, and the news was released widely within the last few days. It was disclosed that the FileVault encryption passwords are visible in plain text outside of a computer’s encrypted area. This effectively renders the encryption useless, as the keys (the passwords) are not secure. While it was originally believed that the vulnerability was specific to the encrypted FileVault solution, it appears now that the vulnerability is larger…potentially much larger. The Sophos Naked Security blog states: “Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.” Key management and password security continue to be the weakest link in most encryption implementations.

ALERT: CyberAttack Underway Against US Gas Pipelines May 6, 2012

Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy, Risk & Risk Management, terrorism.

According to stories on MSNBC, CNN, and other major outlets, “A major cyber attack is currently under way aimed squarely at computer networks belonging to US natural gas pipeline companies, according to alerts issued to the industry by the US Department of Homeland Security.” On March 29th, 2012, the US Department of Homeland Security issued 3 confidential Amber Alerts warning that the US was facing a “gas pipeline sector cyber intrusion campaign” against multiple pipeline companies. The attacks, which began 4 months ago, are ongoing today. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is responsible for helping secure the nation’s industrial control systems, said: (more…)