Study: Attacks Designed To Steal Personal Information Increasing

Microsoft Corp. recently released research showing an acceleration in the number of security attacks designed to steal personal information or trick people into providing it through social engineering.

 Microsoft’s most recent Security Intelligence Report, a comprehensive analysis of the threat landscape, shows that attackers are increasingly targeting personal information to make a profit and are threatening to impact people’s privacy. The report found that during the first half of 2007, 31.6 million phishing scams were detected, an increase of more than 150 percent over the previous six months. The study also shows a 500 percent increase in trojan downloaders and droppers, malicious code used to install files such as trojans, password stealers, keyboard loggers and other malware on users’ systems. Two notable families of trojans detected and removed by the Microsoft Malicious Software Removal Tool are specifically targeted at stealing data and banking information.

Microsoft also released findings from a recent survey of more than 3,600 security, privacy and marketing executives across a variety of industries in the United States, the United Kingdom and Germany, including financial services, healthcare, technology and government. Conducted by the Ponemon Institute LLC, the study found that as security threats increasingly target personal information, more collaboration among security and privacy officers is critical to avoid costly compromises or breaches of personal information.

The study for the Microsoft Trustworthy Computing Group, titled "Microsoft Study on Data Protection and Role Collaboration Within Organizations," found that organizations with poor collaboration were more than twice as likely as organizations with good collaboration to have suffered a data breach in the past two years.

Ben Fathi, corporate vice president of development for the Windows Core Operating System Division at Microsoft, presented the research in a keynote address to information security professionals at the RSA Conference Europe in London. Scott Charney, corporate vice president of Microsoft’s Trustworthy Computing Group, also shared the results in his recent keynote address at the International Association for Privacy Professionals Privacy Academy in San Francisco.  

High-Tech Hackers

 By Mike Paquette · November 2007

 Driven by the age-old lure of easy money, many of today’s criminals are using high-tech cyber crimes and sophisticated building entry methods to commit identity theft and financial fraud. Organizations need to invest in information management and security technology to protect themselves against the evolving threat landscape.

 Security has long focused on preventing break-ins to physical facilities and the IT infrastructure. However, instead of a reactive approach to improving security in the face of experienced threats, organizations are now being more proactive in establishing security policies. Companies are building systems that integrate all of an organization’s physical and logical security to better defend the business and protect the privacy of customers and employee data.

 Contrary to conventional wisdom, these culturally and technologically disparate worlds of physical access control and IT network protection are closely linked, and existing assets are currently being leveraged in a converged solution.

 Data Leakage
The role of security is changing dramatically. As technological capabilities have finally caught up with security theory, many organizations are experiencing the convergence of physical and IT security for unified enterprise security management. And as these companies are realizing its benefits, the industry is beginning to redefine the role of security. Why the renewed push for convergence in security structures? How are physical and IT security related, and how will one affect the other in the long run?

 The driver behind today’s movement toward converged IT and physical security is the realization that a data breach can be extremely costly to an organization. Hardly a day goes by when a high-profile data breach that has compromised the personal information of employees, citizens or customers isn’t in the headlines. A recent study shows that the majority of these breaches are enabled by the theft or loss of physical property, such as laptop computers and portable storage devices (e.g., USB drives). However, computers compromised by malicious software, called malware, are another leading cause of a data breach. Organizations must create a unified security policy that addresses the physical security of computing systems and portable storage media and the IT security policy for the kind of data that can reside on these media.

 On the IT security side, organizations must decide whether to require hard-drive encryption on all employee laptop computers or to install software that prohibits the use of USB drives on company computers. In addition, information control policies should specify clearly what kind of information may be stored on laptop computers.

 On the physical security side, traditional and new loss protection steps must be employed. Laptop cable locks should be used not only in hotels and meeting spaces, but also when the laptop is locked in the car. USB drive use should be prohibited or, at least, controlled. It’s possible for organizations to install RFID systems on USB drives for employees who are authorized to use them.

 Within the organization’s IT infrastructure, network security issues are changing daily, and it is often difficult to keep up with the current threat landscape. Attacks are becoming more sophisticated, and organizations are facing new and increasingly dangerous security threats. Random threats that once plagued the enterprise are not what they used to be—as attacks are evolving into clever, targeted schemes that are finding ways to compromise computers, steal data and seriously affect network systems. To combat these new threats, security strategies need to evolve at the same rate—with organizations being more proactive in their security strategies, moving beyond simple detection to implementing technologies and techniques that proactively block malicious traffic—without degrading network quality.

 Security Siblings
Both sides of security each strive for greater, tighter controls across an enterprise while still enabling business. The physical aspect protects organizations by preventing entry from unauthorized users and by protecting the loss of property. The IT side protects intellectual property and customer data by deploying technologies such as firewalls, network admission control and intrusion prevention systems to prevent network attacks. It only makes sense that these two seemingly different systems can work together to not only enhance a company’s security posture, but also protect the continued operation of the enterprise.

 Network security and physical security are similar in nature, so much so that they can be characterized as siblings separated at birth.

 IT network security almost always starts with a network firewall, which provides controls of whose computer can access which systems. The firewall is like a receptionist with a door buzzer in the physical realm. The receptionist “signs you in” if you don’t look like a bad guy (authentication), “buzzes you in” afterward (access control), but then doesn’t know what you’re doing while you’re behind the closed door. If you appear to be untrustworthy, or do not have your badge, then the receptionist does not allow you access to the facility.

 The IT network intrusion detection system is very much like a closed-circuit video camera system. It’s useless for protection unless there is a diligent and insightful staff to watch it all the time. Such staff can see activity—who’s coming or going and if they’re trying to pick the lock or break down the door.

 Organizations are now deploying network IPS in their IT infrastructures. These devices operate similarly to a firewall, but with much more thorough inspection of the traffic coming into and out of the network.

 In the physical security world, the IPS would be best represented by the previously-mentioned receptionist followed by a metal detector, a bomb-sniffer, an X-ray machine and a pat-down searcher. Only after a thorough inspection is the visitor allowed to gain access into the facility. In addition, visitors are scanned upon exit of the facility, as well.

 The Need to Converge
As the threat landscape changes, the critical threat of the data breach is driving a need to converge physical and network security. No longer is it sufficient to make sure that physical property is not stolen from the facility. It also is important to help employees secure laptops at home, in transit and at remote office locations.

 Securing company data requires proactive steps from both the IT security and the physical security elements of an organization. A unified security policy, covering both IT and physical security, is the effective way to reduce risks and losses associated with a data breach.

 About the author

Mike Paquette is the vice president and chief security officer for Top Layer Networks.  

Compliance News from the IT Compliance Institute