study finds major information security skills shortage



ISSN 1361-3723/13 © 2013 Elsevier Ltd. All rights reserved

This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying

Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

NEWS

Study finds major information security skills shortage 1

Organisations losing money because of trust failures 3

FEATURES

Fraud in mobile networks 5

When it comes to the mobile world, crime isn’t just about stolen phones. There’s a variety of ways in which people can exploit the technology to make a dishonest income. Some of these fraudulent practices take advantage of weaknesses in the technical nature of the networks. In other cases, fraudsters exploit the competitive nature of the industry. And the techniques can be linked in a chain of fraud that is difficult to detect and prevent. Mark Yelland of Revector details how the frauds work and how to fight them.

Holding back the tidal wave of cybercrime 10

Software vulnerabilities are the root cause of many of our security woes, and this is an issue that is still not being properly addressed. Not only are vendors not fixing their code, individual users and organisations are not adopting adequate patching practices. The situation is made worse by employees bringing inadequately patched personal devices into the workplace. Maria Eriksen-Jensen of Secunia discusses how proper patching practices can make you more secure.

The high price of data breaches 17

When a breach occurs, the first thing you need to decide is what you’re going to do about it. The answer isn’t always obvious and may vary depending on whether you’re in the public or private sector and, if the latter, whether you’re a listed company. Organisations make their decisions based on risk and damage limitation calculations. But they also have to take account of the laws and regulatory frameworks in which they operate, and those are constantly changing, as Si Kellow of Proact explains.

Employee negligence: the most overlooked vulnerability 18

As cyber-criminals turn increasingly to social engineering techniques, they are making greater use of personal information readily found online to make things like spear-phishing attacks more effective. And your employees may be handing out exploitable data on sites such as LinkedIn or Facebook without even being aware of the possible consequences. Bimal Parmar of Faronics argues that education is a key component in combating these attacks.

REGULARS

Editorial 2

News in brief 4

Calendar 20

Contents

computer FRAUD & SECURITY

ISSN 1361-3723 March 2013 www.computerfraudandsecurity.com

Featured in this issue:

Fraud in mobile networks

Most people think about fraud and security in the mobile industry as having their phone stolen or hacked. However there is an underground industry that Juniper Research believes is worth $58bn a year in revenues that are being lost to fraud and lack of effective revenue protection.

This is an immense problem for mobile network operators, but which they often struggle to recognise. Fraudsters exploiting weaknesses in mobile networks operate as businesses, often providing services to other fraudsters in a chain of fraud. The combining of multiple fraud practices makes detection difficult and prevention harder. Mark Yelland of Revector details how these frauds work and what can be done about them.

Full story on page 5…

Holding back the tidal wave of cybercrime

While the scale of cybercrime is increasingly being recognised by business and governments, what to do about it is not quite so clear cut. There are many solutions that companies use to help secure their digital assets. But they often overlook the root cause of security problems, and that is the underlying vulnerability of the software.

There are also some intractable problems, such as poor software patching practices by individuals, and the issue of employees bringing unpatched and vulnerable software into the workplace on their own devices. Maria Eriksen-Jensen of Secunia details the issues raised by poor patching practices and offers some advice.

Full story on page 10…

The high price of data breaches

When a data breach occurs, if you’re in the public sector then you need to inform your senior information risk owner. Your board and executive team will more than likely face questions about the organisation’s ability to ‘look after’ information, and there will be worries about ‘public trust’.

In the private sector things are a bit different. The risk and damage limitation calculations made by private firms often revolve around regulatory repercussions versus reputational damage. But the laws have changed and are changing still, and there may be smarter ways to deal with the issue, says Si Kellow of Proact.

Full story on page 17…

Study finds major information security skills shortage

Following on from a UK Government report, issued by the National Audit Office, that highlighted a lack of information security skills in the country,

Continued on page 3...

NEWS

March 2013 Computer Fraud & Security 3

...Continued from front page

...professional body (ISC)² has underscored this point with its own report. In it, the organisation asserts that this shortage isn’t just a problem for individual organisations, or just the UK, but is having a direct and significant effect on national economies worldwide.

The sixth ‘Global Information Security Workforce Study’ (GISWS) from (ISC)², carried out in partnership with Booz Allen Hamilton and conducted by Frost & Sullivan, surveyed more than 12,000 information security professionals worldwide.

There are some serious paradoxes in the report’s conclusions. On the one hand, it finds that around half of organisations are highly concerned with issues such as hacktivism (43%), cyber-terrorism (44%) and hacking (56%). And more than half (56%) believe that the information security function within their organisations is short-staffed. And yet there continues to be a lack of security awareness at senior executive level.

“Now, more than ever before, we’re seeing an economic ripple effect occurring across the globe as a result of the dire shortage of qualified information security professionals we’ve been experiencing in recent years,” said W Hord Tipton, executive director of (ISC)². “Underscored by the study findings, this shortage is causing a huge drag on organisations. More and more enterprises are being breached, businesses are not able to get things done, and customer data is being compromised. Given the severity of cyber-espionage, hacktivism and nation-state threats, the time is now for the public and private sectors to join forces and close this critical gap.”

Attracting people into the job should be no problem. According to the report, information security is a highly stable career: over 80% of respondents reported no change in employer or employment in the past year, and 58% reported receiving a raise in salary. The number of professionals is projected to grow steadily by more than 11% annually over the next five years.

One issue that remains poorly addressed, however, is exactly where security skills are located. Application vulnerabilities rank the highest among security concerns, yet most organisations are not prioritising secure software development. Almost half of security organisations are not involved in software development, and security is not among the most important factors when considering an outsourcing provider for software development, yet 69% (66% in EMEA) reported application vulnerabilities as their top concern.

In addition, with some of the areas that ranked as major concerns – such as cloud computing and Bring Your Own Device (BYOD) – much of the application development work is in the hands of people outside the organisation, so building internal skills can only partly address the problem.

Some 28% of respondents (26% in the UK) believe their organisations can remediate from a targeted attack within a day, and 41% (44% in the UK) said that they could remediate the damage within one week or less. A good portion of the respondents said they don’t know how long damage remediation may take. With regard to being prepared for a security incident, twice the percentage of respondents in the 2013 survey believe their readiness has worsened in the past year, compared with respondents in the 2011 survey.

The full study can be found here: https://www.isc2cares.org/IndustryResearch GISWS/.

Organisations losing money because of trust failures

The security technologies that organisations rely on to conduct critical transactions on the Internet are being undermined in a way that is having a massive financial impact, finds a report conducted by the Ponemon Institute and commissioned by Venafi.

The 2013 ‘Annual Cost of Failed Trust Report: Threats & Attacks’ concludes that what it calls a “failure to control trust in the face of new and evolving security threats” is potentially resulting in huge losses. In fact, the research – based on responses from Global 2000 organisations based in Australia, France, Germany, the UK and the US – puts the total possible cost exposure over 24 months at $398m per organisation.

Every business and government agency relies on critical security technologies to ensure that communications and transactions conducted across the Internet, as well as within closed networks, remain trusted, private and compliant with regulations. The most essential of these technologies are cryptographic keys and digital certificates, which provide the foundation of trust for secure communications, card payments, online shopping, smartphones and cloud computing.

Yet failing to manage certificates and keys creates vulnerabilities that cyber-criminals exploit to breach enterprise networks, steal data and disrupt critical business operations. Until now, the cost of failed trust from these attacks has not been quantified but is based only on anecdotal evidence, claims Venafi. The new report attempts to assign hard figures to the financial risks.

“We set out to answer for the first time one of the most sought-after questions in information security and compliance: what are the precise financial consequences of failed trust from malicious attacks that exploit cryptographic key and certificate management failures?” said Larry Ponemon, chairman and founder of Ponemon Institute Research. “We rely on keys and certificates to provide the bedrock of trust for all business and government activities, online and in the cloud. Yet criminals are turning our dependence on these trust instruments against us at an alarming rate.”

Many of the problems are easily preventable, the report finds. Exploits of weak cryptography are the most likely type of breach and are costly, averaging $125m per incident, per organisation. Attacks on trusted Certificate Authorities (CAs), leading to man-in-the-middle and phishing attacks, cost an average of $73m per incident, per organisation.

The report is available from: www.venafi.com/ponemon.