Every IT Security Breach Whittles Away at Trust
Insurance Experts' Forum, May 12, 2014
At the end of last year, it was disclosed that tens of millions of credit and debit card numbers had been stolen from the Target store chain. More recently, news of the Heartbleed vulnerability in open-source web servers hit, requiring millions of people to reset their passwords.
Cisco calls it “The Trust Problem.” That is, many of today's IT systems breaches are the result of the “exploitation of trust” — attackers “take advantage of users’ trust in systems, applications, and the people and businesses they interact with.” In its latest annual report on IT security, Cisco takes organizations to task for not doing more to rebuild end-users' trust in doing business online.
The bad actors out there in the wilds of cyberspace keep morphing their methods — or even revive old ones — to wreak havoc on organization's systems and data. They often embed malware in corporate systems, which lie in wait, or leak sensitive information, undetected for long periods of time.
While the gaping holes hackers breach are eventually sealed up, the constant barrage of issues is chipping away at the bond companies worked so hard to establish with their customers online. This quickening erosion of trust is cutting onto corporate reputations, and is making it harder to do business online. For the insurance industry, which now relies on the online delivery and processing of confidential information, the implications are clear. An industry built entirely on trust cannot let customers' confidence erode.
“Today’s networks are facing two forms of trust erosion,” the Cisco report points out. “One is a decline in customer confidence in the integrity of products. The other is mounting evidence that malicious actors are defeating trust mechanisms, thus calling into question the effectiveness of network and application assurance, authentication, and authorization architectures.”
Not good news at all. Here are some of the vulnerabilities Cisco uncovered:
• “Threat alerts grew 14 percent year over year; new alerts (not updated alerts) are on the rise.”
• Mobile is creating new security issues: “Ninety-nine percent of all mobile malware in 2013 targeted Android devices. Android users also have the highest encounter rate (71 percent) with all forms of web-delivered malware.”
• High-profile sites are increasingly fending off attacks: “Malicious exploits are gaining access to web hosting servers, nameservers, and data centers. This suggests the forming of berbots that seek high-reputation and resource-rich assets.” Plus, to add to the mix, malware is being implanted in these corporate sites then results in these sites generating suspicious traffic.
• Good riddance, spam: “Spam continues its downward trend, although the proportion of maliciously intended spam remains constant.”
• Java is targeted: Java, the cross-platform language used across many web sites and applicators, “comprises 91 percent of web exploits.” But don't blame Java's caretakers or the Java Community Process that oversees new releases — an astounding 76 percent of companies Cisco looked at are “running Java 6, an end-of-life, unsupported version.”
• Malicious code goes undetected: “Indicators of compromise suggest network penetrations may be undetected over long periods,” says Cisco. There are cases in which malware keeps pumping out sensitive data for months and even years before it is spotted.
Cisco recommends a holistic approach to security, urging organizations to adopt better ways to achieve visibility across all their systems. “To defend their network, organizations must be aware of what’s on it: devices, operating systems, services, applications, users, and more. Additionally, they must implement access controls, enforce security policies, and block applications and overall access to critical assets.”
While not addressed specifically in the Cisco report, it's also important to be vigilant of insider breaches and attacks. While an IT systems may be hardened against hackers from the other side of the world with all types of mechanisms — sandboxes, firewalls, intrusion detection systems, auditing — there needs to be more vigilance about managing the privileges of internal teams. For example, live production data — with sensitive information — often is sent out for testing new applications, sometimes with outside developers. Many publicly reported data breaches involve third-party contractors, or even not-so-security-savvy staff members, who lose disks or accidentally post such information to public websites.
Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.
Readers are encouraged to respond to Joe using the “Add Your Comments” box below. He can also be reached at firstname.lastname@example.org.
This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
Add Your Comments...
If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.
You must be registered to post a comment. Click here to register.