Share

Related Stories

  • Almost half of employees admit to bypassing security controls
    Security shouldn’t get in the way of doing business and closing sales, but many organizations are wrestling with data protection strategies that block employees' ability to get the information they need to do their jobs. Almost half of all employees in a recent survey admitted to bypassing security regulations in order to get their job done. That's breeding apathy, too: 40% admitted that if they were breached no one would notice.
  • Poor disclosure means poor security standards in Japan
    The ‘lack of public disclosure reflects lack of government-wide standards’ warns the Daily Yomiuri. It is, it suggests, symptomatic of a wider malaise in Japan’s attitude towards cyber defense.
  • Pre-emptive cyberwar, breach notification and trusted organizations: the people speak
    Pre-emptive cyber strikes can be justified, breach notification should be mandatory with more severe penalties across the board, and we don’t trust social networks to keep our data safe: some of the views of the UK consumer.
  • Zero-day attacks circulate for 10 months on average before detection
    Hackers have about 10 months on average to exploit security vulnerabilities in software before the public becomes aware of the holes, because such threats are exceptionally difficult for researchers to uncover. However, after disclosure, malware instances skyrocket.
  • That Java vulnerability and the full disclosure debate
    The Java exploit made public last weekend and added to Metasploit by Monday was almost immediately included in the Blackhole exploit pack – and in less than a week it has become a major threat to internet users.

Top 5 Stories

News

Companies slow in reacting to breach notifications

20 May 2013

Most corporate security incidents are uncovered by a third party, like a security firm, that picks up on evidence of nefarious activity being carried out by infected machines. However, many of the victim organizations don’t have processes in place to react quickly when they’re notified of an incident. And some are simply not discharging their corporate duty, argues one security firm.

According to TaaSERA CEO Scott Hartz, it’s a very mixed bag when it comes to how companies react when faced with evidence of criminal activity on their networks – to the point, he said, of some of them “being in denial.”

Hartz said that TaaSERA has notified companies of hundreds of machines trying to infect others, and some have cleaned up those machines within a matter of days or weeks.  Some investigated the issue and asked for additional information, and others have deployed software or requested our full data set to track external connections themselves. However, “some have not been as prone to act quickly,” he noted. “In some cases, we have received a more skeptical response along the lines of ‘we deploy all commercially reasonable security tools and practices and adhere to PCI DSS,’ or ‘TaaSERA who?’”

In many cases there’s simply a process issue. Unfortunately, while most companies have setup an abuse@companyname.com email alias for reporting of external threats, they may not have processes in place to expeditiously deal with these external notifications. “If a company is notified by an agency with a three-letter acronym, they marshal all their resources to deal with the situation,” said Hartz. “In those cases, the breach or theft has already occurred. Most of those notifications are of PII [personally identifiable information] or IP beaches, and a majority of companies have a plan in place to deal with breaches, or at a minimum they know who to call. But if the notification is of a threat at an earlier stage of infection, ‘pre-breach,’ it may not be given the same level of importance or urgency.”

But then there are concerning cases of denial. One company (unnamed) that provides ATM, check cashing and personal check guarantee terminals has more than 25 IP addresses that are acting as malware control sites, Hartz said, of which a number are communicating with the Russian Business Network, a known cybercrime organization.

“They have been handling it internally for almost two months now, with no change to the number of malicious IPs we’re monitoring,” Hartz said.

TaaSERA looks to ensure computers under its control are not infecting an external party’s computer, either via links on its website that are infected with malware, or that redirect a user to a malware site, or worse: hosting systems that have been taken over by cybercriminals and are being used to launch other attacks from within a reputable company. As a result, it typically gathers evidence when it notices computers that are attacking and attempting to infect the computers of its customers.

“These are not just a company’s internal machines that are infected with advanced malware for which there are no signatures yet, but machines where we have observed communication outside their company’s infrastructure in an attempt to infect another company’s systems,” Hartz continued. “If a company has internal computers infected with malware or viruses, this falls under corporate risk, but if you are attacking other computers outside your infrastructure, there is a shared responsibility to eliminate the threat.”

He added, “We don’t call out these companies in order to embarrass them, but we believe companies need to act with the same urgency to eliminate pre-breach threats as they do post-breach, and create a safer cyber security environment for all.”

 

This article is featured in:
Data Loss  •  Industry News  •  Internet and Network Security  •  IT Forensics  •  Malware and Hardware Security  •  Security Training and Education

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×