Author Archives: Maria Korolov

10 companies that can help you fight phishing

According to the most recent Verizon data breach report, a phishing email is often the first phase of an attack. That's because it works well, with 30 percent of phishing messages opened, but only 3 percent reported to management.

But when employees are trained on how to spot phishing emails, and then get tested with mock phishing emails, the percentage who fall victim decreases with each round.

Of course, it's impossible to get to a zero response rate. The criminals are becoming extremely clever with their messages. Fortunately, it's not necessary. If enough employees forward phishing emails to security, then the company becomes aware that it is the target of a campaign and can be prepared to deal with those messages that do slip through.

DDoS costs, damages on the rise

Peak-time distributed denial-of-service attacks cost organizations more than $100,000 per hour, said half of the respondents to a new survey of mid-sized and large corporations in the U.S. and Europe.

And for a third of respondents, the average peak hourly revenue loss was more than $250,000.

However, shutting down attacks took time. Only 26 percent said it took them less than an hour, while 33 percent said it took between one and two hours, and 40 percent said it took more than three hours.

By comparison, a year ago, only 32 percent of companies said that they would lose more than $100,000 an hour, and 68 percent said it took them less than two hours to respond to an attack.

Enterprises fall behind on protecting against phishing, detecting breaches

The ninth annual Verizon Data Breach Report came out this morning with bad news on multiple fronts, including click-through rates on phishing messages, how long it takes companies to detect breaches, and even whether companies spot the breaches at all.

Phishing emails continued to be a primary starting point for attacks, said Bryan Sartin, executive director, global security services at Verizon.

The number of phishing email messages that were opened hit 30 percent in this year's report, up from 23 percent last year.

In addition, 12 percent of users don't just open the email but open the attachment as well, while 11 percent follow links in the email to online forms where they then input sensitive data such as login credentials.

CEO targeted by fraud twice a month

Every couple of weeks or so, Tom Kemp's company gets hit by ever-more-sophisticated attempts to trick it out of large sums of money.

It started two years ago, before business email compromise -- also known as CEO fraud -- became as widely known as it is today.

The email came in addressed directly to the company's controller, asking for a wire transfer of more than $350,000. The email seemed to come from the CFO and was part of a longer chain of emails between the CFO and the CEO discussing the transfer.

"If you looked at the email thread, it looked legitimate," said Kemp, CEO at security firm Centrify. "And there was a real bank account and a real company name associated with it."

Symantec: Zero-days doubled in 2015, more companies hiding breach data

Fifty-four zero-day vulnerabilities were discovered last year, according to a report released this morning by Symantec, more than double that of 2014, and the number of mega-breaches of more than 10 million records also hit a record high.

In fact, the number of newly discovered vulnerabilities stayed between eight and 15 a year since 2006, then jumped to 23 in 2013 and 24 in 2014, leading researchers to hope that it had reached a new plateau.

Instead, last year's 125 percent increase in zero-days was a sign of the increasing professionalization of the industry.

"People figured out that they could make money by finding zero-day vulnerabilities and selling them to attackers," said Kevin Haley, director of security response at Symantec. "So there became a marketplace, and these things started to have value, and people started to hunt for them."

Millions of child support records stolen, D.C. officials want answers

In early February, a thief broke into several offices in Olympia, Washington, to steal anything he could grab that was worth selling. In one locked drawer, the thief found a couple of external hard drives that he added to his haul of cash, cameras, electronics and laptops.

The hard drives belonged to the local office of the Administration for Children and Families, part of the Department of Health and Human Services, and contained between two and five million records related to child-support audits.

As of Thursday morning, the City of Olympia police department did not know what happened to the drives, even though two people have been arrested in connection with the theft.

Feds tackle open source code quality

Even as the White House is calling on federal agencies to make more use of open source projects, there's also a federal effort under way to reduce the number of vulnerabilities in those products via better code review tools and bug bounties.

By the end of September, the Cyber Security Division at the Department of Homeland Security plans to award funding for a project designed to improve the performance of static code analysis tools.

"We're in the process of approving proposals now from academia and small businesses," said Kevin Greene, the division's software assurance program manager.

Merging firms appealing targets for attackers

Companies going through a merger or acquisition, as well as their lawyers, financial advisers, and other associated firms, are all tempting targets for cyberattackers, according to a new report from Digital Shadows.

The attackers use public sources for the first round of information gathering, then spearphishing and malware campaigns against targeted individuals. They often go undetected because many companies still ignore cybersecurity when doing due diligence, the report said.

The attackers are "apex predators," said Rick Holland, the company's vice president of strategy.

27% of US office workers would sell their passwords

In a survey released today, 27 percent of U.S. office workers at large companies would sell their work password to an outsider, compared to a global average of 20 percent.

And despite all the recent media attention on data breaches, password hygiene is actually deteriorating, said Juliette Rizkallah, CMO at SailPoint Technologies, which sponsored the survey.

The study itself was conducted by Vanson Bourne, an independent research firm. The same survey was conducted last year as well, but then only one in seven employees were willing to sell their passwords.

FTC orders nine PCI auditors to share assessment details

The FTC is on a data breach enforcement roll. Last summer, the courts allowed it to fine companies with weak cybersecurity practices. Now, the FTC is taking a closer look at payments processing, checking to see how auditors measure compliance with industry rules.

Specifically, the FTC has requested information from PricewaterhouseCoopers, Mandiant, Foresite MSP, Freed Maxick CPAs, GuidePoint Security, NDB, SecurityMetrics, Sword and Shield Enterprise Security, and Verizon Enterprise Solutions, which is also known as CyberTrust.

The nine companies, a mixture of large and small compliance vendors, have 45 days to respond to detailed questions about how they measure compliance with the Payment Card Industry Data Security Standards.

VTech not backing down on terms change after data breach

Despite widespread public condemnation, Hong Kong toy maker VTech is not backing down from a change in its Terms and Conditions ducking its responsibilities in the event of a breach.

European customers now have to agree to a Terms of Service that includes the following sentence: "You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties."

This was in response to a data breach the previous fall which affected about 5 million parent accounts and more than 6 million children's accounts. The children's profiles included names, genders, birthdates, headshots and chat logs, while the parent accounts included email addresses, passwords, secret questions and answers, IP addresses, and mailing addresses.

IBM’s X-Force team hacks into smart building

As buildings get smarter and increasingly connected to the Internet, they become a potential vector for attackers to target.

IBM's X-Force ethical hacking team recently ran a penetration test against a group of office buildings using building automation systems that controlled sensors and thermostats.

In this particular case, a building management company operated more than 20 buildings across the United States, as well as a central server.

Without any social engineering or online data gathering about employees, the team targeted one building.

"We did it old-school, just probing the firewall, finding a couple of flaws in the firmware," said Chris Poulin, research strategist for IBM's X-Force. "Once we had access to that, we had access to the management system of one building."

Survey: Average successful hack nets less than $15,000

The majority of cyber attackers are motivated by money, but make less than $15,000 per successful attack, according to a survey of hackers in the U.S., U.K. and Germany released yesterday by the Ponemon Institute.

The hackers, who were promised anonymity, netted, on average, less than $29,000 a year.

"In the more established countries, that is not a lot of money," said Scott Simkin, senior threat intelligence manager at Palo Alto Networks, which sponsored the study. "They're making a quarter of what a cybersecurity professional makes."

Telephonic DoS a smokescreen for cyberattack on Ukrainian utility

The late December telephonic denial-of-service attack against a Ukrainian power company was a smokescreen to cover up a cyber attack, experts say.

"This is one of the more common reasons why these attacks are done," said Rene Paap, product marketing manager at security vendor A10 Networks.

According to Paap, telephonic DoS attacks have been around for a while, but don't get as much attention as the big DDoS attacks.

Just like a regular DDoS attack, telephonic DoS works by overwhelming the victim's call center with so many fake phone calls that legitimate calls can't get through.