Software Vulnerabilities Lead to Internal Security Problems: Kaspersky

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.eweek.com/security/software-vulnerabilities-lead-to-internal-security-problems-kaspersky.html

While malware is a potential hazard for all organizations, security risks
within legitimate software applications often lead to internal
cyber-security incidents at companies around the world.

Flaws in existing software are the leading cause of internal IT security
threats, according to a new study from Kaspersky Lab, which surveyed 2,895
IT professionals around the world. The software vulnerabilities are leading
to multiple forms of exploits including data breaches.

Alexander Erofeev, chief marketing officer at Kaspersky Lab, defines
internal incidents as those caused by internal reasons: vulnerabilities in
software inside the company infrastructure and mistakes made by employees.

"Some internal incidents result in data loss, but not always," Erofeev
said. "For example, out of 39 percent of companies which reported incidents
involving vulnerabilities, only 10 percent experienced sensitive data loss."
The study also found that of those organizations with internal security
incidents, nearly 15 percent experienced the loss of nonsensitive data.
Only 14 percent had no data loss at all as a result of a vulnerability
incident.

In contrast, Erofeev explained that external incidents include malware
attacks, distributed denial of service (DDoS) attacks, spam and network
intrusion. He noted that external incidents can also result in data loss,
but not always.

"The main difference between external and internal incidents is the reason
behind them," Erofeev said. "It could be unknown cyber-criminals with an
external incident or company employees with an internal incident."

The incidence of software vulnerabilities leading to internal security
issues is variable around the world. The highest incident rate is in
Russia, at 51 percent, while Japan had the lowest rate, at 29 percent.
North American organizations fell right in the middle of the pack, at 38
percent.

Beyond identifying the risks from internal security threats, Erofeev said
that the same survey provided some unexpected information about how
companies perceive daily malware discovery rates.

Kaspersky estimates that 100,000 to 250,000 new malware samples are
discovered daily; 90 percent of respondents to the Kaspersky study did not
correctly identify the current malware rate.

"That suggests that companies seriously underestimate current threats and
need to pay far greater attention to IT security issues because the number
of threats is growing significantly," Erofeev said.

Despite average losses from targeted cyber-attacks costing $2.4 million, 40
percent of companies are only making significant investments into IT
security after suffering an attack, Erofeev said. In fact, 28 percent of
companies believe that the financial costs of cyber-crime will work out to
be less than the cost of upgrading their IT systems to prevent an attack in
the first place, he added.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.