In early March, the State of New York’s Department of Financial Services (DFS) adopted a new set of rules in support of the state’s Financial Services Law. Normally, this is not something that would be particularly newsworthy, as the DFS is chartered to implement rules of governance and management for financial services companies all the time; over the past few years, the DFS has issued rules regarding financial dispute resolution, debt collection, and even the use of Bitcoin and other virtual currencies. What makes the March resolution – titled “23 NYCRR 500” – so interesting is that, for the first time, it defines specific cybersecurity governance requirements for all financial services companies operating in the state. As you might expect, since New York City is one of the top three financial centers of the world, this ruling has a substantial impact.
The old adage goes, “there are only two certain things in life: death and taxes”. Increasingly, however, it looks like identity theft needs to get added to that list. Earlier this week, security blogger Brian Krebs reported that TALX, a division of Equifax (one of the “Big Three” credit bureaus), experienced a significant data breach of personally identifiable information (PII). As is often the case in mass data theft scenarios, TALX was unable to identify the exact number of records or the scope of PII compromised.
Recently, social media giant Facebook announced that it is providing, free of charge, code to allow app developers to implement delegated account recovery. This is effectively a more elegant replacement for the traditional “security questions” approach to resetting a password, which historically has required the user to set up a series of questions that (ostensibly) only they know the answer to. However, a Microsoft survey from several years ago already identified that over 10% of those supposedly “secret” questions could be answered within five guesses by nearly anyone, and that participants forgot 20% of their security question responses within six months.
Recently, management consulting firm Deloitte identified that cybersecurity insurance, while currently only a small fraction of the overall market of insurance underwriting, is poised to dramatically increase over the next few years, potentially even tripling by 2020. This is backed up by insurance giant Allianz, which has predicted that cybersecurity insurance will increase from its current $1.5-$3 billion in annual premiums to over $20 billion just a few years after that, in 2025.
For those of you who have been reading the EiQ Networks blog on a regular basis, you know that one of the most fundamental and unyielding tenets of the security world that we frequently point out is this: functionality and performance always – and we mean always – trump security. For developers of new software products, hardware technologies and the emerging world of IoT, the ability to get to market as quickly as possible is the most important thing a company can do, because it gets them a market position that turns into revenue. Because security isn’t generally perceived by companies that make commercial software and hardware as something on which people make buying decisions, it’s usually relegated to a last-minute “bolt-on”, or simply addressed once users and security analysts discover vulnerabilities after the product is released. Even after disclosure of vulnerabilities, many companies either ignore these findings or back-burner patches and fixes until the next major release of their product. One of the “dirty little secrets” of the industry is that certain, specific vendors (we won’t name names here… but they know who they are) have had gaping holes in their products for months and sometimes even years. Sadly, this behavior among many companies is not likely to change.
Over the past two weeks, the security industry has seen some disclosures (or in one case, a half-disclosure) of vulnerabilities within vendors’ products. In at least two of these cases, we know that these vulnerabilities could have led to a significant compromise of data and systems. But what’s really interesting about these two vendors is how they responded to the discovery.
In the story of David and Goliath, an underdog managed to win a contest against a much larger, stronger foe. Looking at the state of information security today, a David-and-Goliath scenario is very much present; except David is the small and midsize business (SMB) market, and Goliath is the marauding horde of attackers, malware and other bad actors trying to break their systems and steal their data. And just like in the biblical tale, SMB organizations are dealing with an opponent who seems impossible to defeat.
Cybersecurity is an ever-changing field. A threat that was huge ten years ago might not even be on the radar today. While it's impossible to predict the future, there are certain trends that will most likely continue into 2017. Let's take a look at some predictions for the new year.
1. IoT-based DDoS attacks
One major threat looming on the horizon for 2017 is the use of distributed denial-of-service (DDoS) attacks. While these kinds of attacks have been around for quite some time now, the reason there will likely be a surge in 2017 has to do with the growth of the Internet of Things.
When planning out a budget for the new year, finding a place for cybersecurity can be difficult. You want to put that money toward new ventures, but you also know that a major breach can forever damage your reputation.
To help those waffling between how much to put into digital defenses, let's review some of the biggest reasons having a plan is worth the time and money.
While credit and debit cards are extremely convenient, they've also opened up a whole new world of fraud. This makes the systems that retailers use to process these payments seem like great targets for hackers, and organizations from every corner of the globe are scrambling to secure themselves against these threats.
One big solution to this has been the Payment Card Industry Data Security Standard. The PCI DSS is a regulatory code that tells companies how they can better defend themselves against attacks aimed at stealing card data. It's an important tool in the fight against fraud and should be strictly followed.