SPOTLIGHT ON SECURITY

Report: Big Biz Shakes Off Hack Attacks

A lot of noise has been made about the consequences of data breaches for companies, but a recent survey of some of the largest U.S. businesses may have wrapped those noisemakers in a muffler.

Of the 27 largest companies reporting cyberattacks in their most recent filings with the U.S. Securities and Exchange Commission, none said they sustained any major financial losses from those net assaults, according to an analysis of SEC documents by Bloomberg.

Everything on the breach front, though, may not be as sanguine as corporate America would like its customers to believe.

Breach reporting in SEC filings is subject to guidelines, which can be applied more loosely than hard-and-fast regulations. Because of that, companies may be reticent about reporting losses from data breaches, according to Larry Ponemon, founder and chairman of the Ponemon Institute, which has conducted studies on the cost of information loss.

“What we’re starting to see is some hesitancy on the side of companies in reporting a loss number,” he told TechNewsWorld.

Saving Face?

Pegging a number to a data loss isn’t easy, Ponemon noted. It takes a lot of effort to understand the cost implications of a cyberattack.

“That’s a legitimate reason,” he said. “But another reason, which is less legitimate, is the idea that disclosure is negative and might lead investors to question the value of a company’s stock. A lot of organizations really don’t know how to get their arms around the issue and aren’t capable of disclosing the economic impact in a way that’s objective.”

In order to extract the cost impact, Ponemon noted, “you have to consider factors that are off the balance sheet or off the income statement. It takes a lot of effort and a lot of companies don’t know where to start.”

That will improve as companies get better at assessing losses. If that improvement is slow to come, however, they risk intervention by regulators or Congress.

“Then they could be facing fines or lawsuits or worse than that,” he said.

Google Spring Cleaning

The Android world has a reputation for being infested with low-quality and often insecure apps.

Android developers have a hard time making a profit with paid apps, so they resort to producing free programs financed with advertising. Some of those advertisers show a disregard for the privacy of anyone using an app they’re backing.

Many of those apps are in Google’s online store, Google Play. Although Google’s management style for the store is hands-off, it recently took a more active role in its Google Play app inventory.

In February, Google went on a cleaning spree at its online outlet and removed 60,000 apps from it, according to TechCrunch.

More Management Needed

While Google deserves credit for its cleaning efforts, it will make little difference in the long run, according to Liviu Arsene, a mobile threat researcher with Bitdefender.

“Removing 60,000 apps is only a small step towards Google Play harboring quality apps,” he explained to TechNewsWorld.

“Google has had past attempts at weeding out spammy or shady apps, but so far has had no success at coming up with a viable solution other than manually removing them,” Arsene said.

“Perhaps a more practical approach would be to analyze submitted apps with more scrutiny before reaching end users, or enforcing some new submission guidelines that discourage developers from pursuing shady practices.”

Two-Factor Complacency

More and more cloud service providers are jumping on the bandwagon of two-factor authentication to protect their users’ online accounts.

Google has had it for a while. Dropbox and Apple have adopted it. Rumors are that Microsoft is ready to roll it out, too.

While the technology can improve a user’s security, it’s no Kevlar vest against hackers. “It’s a positive step,” OneID CEO Alex Doll told TechNewsWorld. “It helps foil phishing and makes some attacks more difficult.”

Users and cloud companies need to avoid the perception that they are now immune to attacks, he added. “Some of the more sophisticated elements of the underworld have already begun to prey on users’ false sense of security around two-factor authentication.”

Breach Diary

  • April 9. Federal Reserve accidentally leaks minutes of its March 19-20 policy meeting to congressional staffers and trade lobbyists five hours ahead of schedule. The Federal Open Market Committee minutes have the potential to move markets, so getting an early peek at them would be very valuable to a trader.
  • April 9. Three members of hacker group LulzSec plead guilty to cyberattacks on NHS, Sony and News International. The hackers, including Ryan “Kayla” Ackroyd, will be sentenced in May, along with a fourth hacker who earlier pleaded guilty to six connected charges.
  • April 10. Chief Defense Counsel Col. Karen Mayberry orders all defense counsel representing detainees facing charges before the military commissions in Guantanamo Bay to cease using computer systems at the Pentagon because a data breach has caused confidential defense files to appear on prosecution servers, and vice versa. In addition, a significant amount of defense work was lost from a common drive, along with over 500,000 emails containing attorney-client privileged communications.
  • April 10. Video streaming service and Walmart subsidiary Vudu announces it is resetting customer passwords after a data breach in March. The breach occurred when thieves broke into the company’s Santa Clara, Calif. offices and departed with several hard drives containing customer records. The company assured users no complete credit card numbers were stored on the hard drives.
  • April 12. Attorneys for consumers in a data breach lawsuit against grocery store chain Hannaford ask a federal judge to reverse a ruling that prevents the case from proceeding as a class action. The breach occurred in 2008, and it’s estimated that 4.2 million debit and credit cards were exposed. Some 1,800 cases of fraud connected to the incident have been reported.

Upcoming Security Events

  • April 17. Automating CSIS 20 Critical Controls. 11:30 a.m. ET. An RSA Conference webinar. Free.
  • April 18. A Tale of Mobile Threats. 2 p.m. ET. Black Hat webcast. Free.
  • April 23-24. Black Hat Embedded Security Summit. McEnery Convention Center in San Jose, Calif. Registration: Before Feb. 9, US$999; Feb. 9-Apr. 18, $1,099; Apr. 19-25, $1,199.
  • April 23-25. Infosecurity Europe. Earls Court, London, UK. Registration: By Apr. 19, free; After Apr. 19, Pounds 20.
  • May 15-16. NFC Solutions Summit. Hyatt Regency San Francisco Airport. Registration $760-$1,020.
  • June 11. Cybersecurity Brainstorm. 8 a.m.-2:30 p.m. ET. Newseum, Washington, D.C. Registration for non-government attendees: Before March 3, $395; Mar. 3-Jun. 10, $495; Onsite, $595.
  • June 14-22. SANSFIRE 2013. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Course tracks range from $1,800-$4,845.
  • July 24. Cybersecurity Brainstorm. 8 a.m.-2:30 p.m. Newseum, Washington, D.C. Registration: government, free; non-government $395, before April 10; $495, April 10-July 23; $595 July 24.

John Mello is a freelance technology writer and former special correspondent for Government Security News.