BreachExchange mailing list archives

New Report Says Cyberthreats Multiplying Like Tribbles


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 11 Oct 2013 22:39:12 -0600

http://spectrum.ieee.org/riskfactor/computing/it/new-report-says-cyberthreats-multiplying-like-tribbles

Hackers have proven time and time again that they’ll eventually find a way
to defeat any single digital security method. Their motivation to do so is
evident in the fact that, on average, more than 150 000 new, unique malware
strains are unleashed each day. That’s one of the startling conclusions
drawn by analysts from the Aite Group in the report “Cyberthreats:
Multiplying Like Tribbles” that was released earlier this week.

Tribbles were fictional creatures featured on the TV series Star Trek. They
multiplied so rapidly that their consumption of resources grew
exponentially. The same appears to be true of cybercrime. Julie Conroy,
research director at Aite’s banking division and coauthor of the report,
told IEEE Spectrum that last year, hackers were pumping out 72 000 new
malware strains per day, less than half of the current level of cybercrime
activity.

So, what’s the upshot? According to the report, “The username/password
combination as an authenticator is officially broken…the sole relevant use
of this combination is now that of a database look-up mechanism.” More than
half of computer users don’t follow security experts’ advice to choose
different, strong passwords for each of their online sign-ups—which allows
a blaze in a small thicket to engulf a person’s entire online forest, so to
speak. But what if you do follow best practices? “Nobody is ever 100
percent secure,” is the report’s sobering conclusion.

It does, however, point out steps that businesses such as banks, which are
the primary targets of cybercrime, are taking to make a hacker’s job harder.

Among them are new ways to prevent a hacker from pretending to be an actual
customer. Technology is available that will allow your bank to generate a
“device fingerprint” for the computer, tablet, or smartphone you regularly
use to conduct transactions. Business conducted from an unknown device
automatically triggers more authentication steps.

Firms are also looking to use behavioral analytics. The vendor would
collect data about how the customer interacts with, say, his or her
smartphone. If the person using the handset owned by John Q. Smith
(confirmed by the device fingerprint) doesn’t press the keys or swipe the
touch screen the way Mr. Smith usually does, red flags would be raised.

Asked whether these security measures might be considered too intrusive,
Conroy says they’re built into the process so that the average customer
doesn’t even know it’s happening. “The aim is to perform a balancing act,”
she says. “Businesses are asking themselves: How do we enable a secure
environment without appearing to be Big Brother?”

Striking that balance may be impossible—especially in light of the fact
that the U.S. government has forced and continues to force companies to turn over
customer data. Conroy, whose research focuses on fraud, data security, and
preventing money laundering, acknowledges that these new strategies may be
implemented at the cost of a little privacy. But, she says, the alternative
may be the loss of online and mobile channels for conducting business as
the benefits of e-commerce are devoured by the rising tide of Tribbles. How
much is being consumed? The report predicts that businesses worldwide will
suffer more than half a billion dollars in losses from corporate account
takeovers. Cyberthieves will take nearly US $800 million in 2016, say the
analysts.