Malware and financial fraud were among the chief "growth threats" posed to businesses in 2009, according to a new study from the Computer Security Institute that will be published next week.



CSI's 14th annual security survey, which will be distributed in conjunction with a free Dec. 1 Webcast, covers a wide range of issues related to security management, including current threats, data loss statistics, and trends in technology usage.

Respondents reported big jumps in the incidence of financial fraud (19.5 percent, over 12 percent last year); malware infection (64.3 percent, over 50 percent last year); denials of service (29.2 percent, over 21 percent last year); password sniffing (17.3 percent, over 9 percent last year); and Web site defacement (13.5 percent, over 6 percent last year).

The survey showed significant dips in wireless exploits (7.6 percent, down from 14 percent in 2008), and instant messaging abuse (7.6 percent, down from 21 percent).

"The financial fraud was a major concern because the cost of those incidents is so high," says Sara Peters, senior editor at CSI and author of this year's report. Financial fraud costs enterprises approximately $450,000 per incident, according to the study.

While financial fraud costs rose in 2009, average losses due to security incidents of all types are down this year -- from $289,000 per respondent to $234,244 per respondent, CSI says. Those numbers are still higher than 2005 and 2006 figures.

Twenty-five percent of respondents stated the majority of their financial losses in the past year were due to nonmalicious actions by insiders.

For the first time, CSI asked security professionals not only about the technologies they are using, but also about their satisfaction with those technologies. Interestingly, on a scale of 1 to 5, with 1 being the lowest satisfaction level, none of the security product categories received anything lower than a 3.0.

"What that says to us is that people are generally satisfied, if not overjoyed, with the performance of the products they're using," Peters says. "They're not blaming their problems on technology."

When asked which security technologies ranked highest on their wish lists, many respondents named tools that would improve their visibility -- better log management, security information and event management, security data visualization, security dashboards, and the like, CSI says.

Respondents also were generally satisfied with the amount of money their organizations have invested in their security programs, with one exception: security awareness training.

"In the past, when we saw low spending on security awareness programs, we assumed that it was because those programs simply don't cost that much to put together," Peters says. "But now we see that some security departments aren't getting the funding they need to put together the strength and quality of awareness programs that they would like."



Even as they increase corporate efficiency, Internet banking and e-commerce are heaping additional burdens on the financial services industry. As a result, security has become the number one spending priority for many companies.

You’ve seen the worrisome stories. Viruses and worms literally spreading doom through global computer networks; spam clogging personal and corporate email systems; and identity theft, aided by the Web, robbing financial institutions, merchants and their customers. “We need to be able to refute those headlines and say, ‘Hey look, this is how we’re addressing security,’” says Robert Blackburn, director, cash management, in the global transaction services unit of Citigroup.

Many bankers and corporate executives grappling with the harrowing security issues of the present day share Blackburn’s view. Security is a hotter topic than ever before for financial institutions, retailers, other corporations and the technology and software providers trying to help them cope with the threats.

The scale of the interest generated by Internet fraud was clear at the annual information technology conference hosted by RSA Security in San Francisco in late February, which drew 10,000 attendees, a 20% jump over the preceding year. The need for better security management was the major theme of the confab.

“I think there’s concern about security but not enough action. A lot of people are talking about it, but they haven’t figured out what solutions to put forward,” says Tom Miltonberger, senior vice president of product development at Quova, a Mountain View, California-based firm that sells technology services that allow online businesses to pinpoint the location of their Web site visitors to prevent fraud and comply with regulatory requirements.

Anonymity Aids Internet Criminals

All these crimes are flourishing in large part because the Internet allows the hackers and the fraudsters on the whole to remain anonymous while doing the deed. The speed and efficiency of the medium also play a significant role. Statistics help tell the story. In 2004, malicious code (viruses, worms and Trojan horses) will cost the worldwide economy $35 billion, according to the Radicati Group, a Palo Alto, California-based technology research firm.

The major technology companies are responding to the hacker threats largely by introducing new versions of their software and hardware products that work better with other security management products. The dominant theme is integration of intrusion detection systems, firewalls, anti-virus programs and authentication technologies to get a single view of network security.

Then there’s the matter of online fraud. A recent study by the Internet Fraud Prevention Advisory Council, a consortium of online merchants, merchant acquirers, credit card associations and credit card issuers, estimated that the occurrence of online fraud, as a percentage of business revenues, might be as much as 40 times higher than for face-to-face transactions offline.

Identity Theft

One scary financial crime made efficient by the Web and rapidly expanding is identity theft. The number of identity theft cases jumped 40% in 2003, according to the US Federal Trade Commission. The crime is expected to have cost consumers, businesses and governments $221 billion in losses worldwide last year, according to the Boston-based research firm Aberdeen Group. Those losses could increase almost tenfold within two years to reach as much as $2 trillion by the end of 2005.

Identity theft can take several forms. Perpetrators can use the Internet to hack into businesses’ servers and databases to steal client and account information. That can then be used to create new accounts, in customers’ names, that can be emptied out. Of course, the perpetrators can simply steal from the existing accounts they tapped into. Firewalls and encryption are the common methods to stop this form of attack.

Another identity theft scheme rapidly gathering steam is called phishing. The fraudsters pretend to be well-known legitimate businesses such as banks or brokerage firms by setting up Web sites using those companies’ names and logos. They then email customers of those firms, encouraging them to give out key personal, financial and account data. That data can be used to take over their identities for the purposes of applying for credit cards, loans and mortgages.

“What we’ve seen recently is that identity theft has gained a lot of celebrity,” says Tracy Stover, director, client development, in the commercial card services group at Citigroup. She says that the bank has had some cases of corporate customers who became identity theft victims on their personal accounts. In those cases, the bank works with the client and the major credit bureaus to repair their damaged credit records so that they can obtain loans and financing in the future.

However, bank customers are not immune to theft attempts when they are at work. Turner says Citigroup’s commercial card services group recently received calls from some (fewer than 50) upset corporate customers saying they received emails at work from people claiming to be the bank and asking for account information. “What’s made people a little more nervous is that phishing was happening on their corporate email,” says Stover. “I think people get a false sense of security with corporate email. We all have firewalls so they automatically assume the email is legitimate.”

Identity theft is a crime that often is difficult or time-consuming to detect, allowing fraudsters plenty of time to do a lot of damage. Like their colleagues the computer hackers, online fraudsters are generally relentless and innovative in pursuing new techniques, technologies and ingenious new schemes. One of these innovations is the automatic credit- or debit-card number generator. These programs, which can easily be found on the Internet, automatically generate thousands of 14- or 16-digit card numbers.

The thief then submits a large number of transactions to test out the number sequences and see if they get a match. However, these attacks are fairly easy to detect and can be blocked with lockout and refusal systems that limit transactions to a set number, or block purchases because of a lack of billing and address information, according to security and fraud experts.
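A minimal sketch of the lockout-and-refusal check described above, as an added example that is not part of the original article. The threshold, time window, reason strings and the sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_DISTINCT_CARDS = 5   # assumed limit per source inside the window
WINDOW_SECONDS = 600     # assumed sliding-window length


class CardTestingGuard:
    """Velocity lockout plus billing-data refusal for online card orders."""

    def __init__(self, max_cards=MAX_DISTINCT_CARDS, window=WINDOW_SECONDS):
        self.max_cards = max_cards
        self.window = window
        self.attempts = defaultdict(deque)  # source -> (timestamp, card) pairs
        self.locked = set()                 # sources locked out (permanent in this sketch)

    def check(self, ts, source, card, billing_address):
        if source in self.locked:
            return "refuse:locked_out"
        # Record every attempt, then drop entries older than the window.
        # A real system would track a keyed hash of the card, not the number.
        recent = self.attempts[source]
        recent.append((ts, card))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()
        # Many different card numbers from one source is the card-testing signal.
        if len({c for _, c in recent}) > self.max_cards:
            self.locked.add(source)
            return "refuse:locked_out"
        # Refusal rule: no billing and address information, no purchase.
        if not billing_address or not billing_address.strip():
            return "refuse:missing_billing_address"
        return "allow"


# Constructed sample: (timestamp, source, card placeholder, billing address)
SAMPLE = (
    # one source cycling through eight generated numbers, one per second
    [(i, "203.0.113.7", f"CARD-{i:04d}", "1 Main St") for i in range(8)]
    # a returning customer reusing a single card
    + [(100 + i, "198.51.100.4", "CARD-9000", "22 Oak Ave") for i in range(3)]
    # an order submitted with no billing address
    + [(200, "192.0.2.9", "CARD-9001", "")]
)


def run(sample=SAMPLE):
    guard = CardTestingGuard()
    return [guard.check(*row) for row in sample]


if __name__ == "__main__":
    for row, decision in zip(SAMPLE, run()):
        print(row[1], row[2], decision)
```
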

CALL IN THE CYBER-DETECTIVE: Software maps location of Internet users

As cyber-criminals become ever more sophisticated, it may seem that heading off fraudulent transactions is almost impossible. Software from companies such as Quova can help, though.

The four-year-old Mountain View, California-based firm’s geolocation technology figures out the physical location of computers by tracking Internet Protocol (IP) addresses, which are like telephone numbers but without the country codes or prefixes to reveal their locations. Quova’s GeoPoint Data Delivery Server uses sophisticated algorithms to process data for Internet gateways, routers and registries of IP addresses.

“Our product tells you where the user is,” says Tom Miltonberger, senior vice president of product development, noting that the privately held company’s technology maps the IP location down to a specific metropolitan area.

That’s important in preventing fraudulent orders because certain countries, cities and IP addresses are leading sources of fraud. For example, one-quarter of the transactions originating from St. Petersburg, Russia, last year turned out to be fraudulent, as did 38% of the orders placed from one specific IP domain in Indonesia, according to ClearCommerce, a partner of Quova’s. “Knowing that the order about to be placed or account about to be opened is originating in one of these places sets off alarm bells for the retailer or financial provider,” Miltonberger says.

However, sophisticated fraudsters can try to get around this by setting up proxy servers in other locations not known for fraud, thereby hiding their true whereabouts. “Our solution is not perfect either,” concedes Miltonberger. In fact, a simple search of the Internet can yield lists of proxy servers that can be used to set up IP addresses that mask the real location of the fraudster. “But we do the same thing and search for these proxies, test them and mark them in our databases,” says Miltonberger.

Tiny Transactions, Huge Hauls

Another area that is facing increasing attacks is the Automated Clearing House (ACH) network. Fraudsters are submitting small transactions across the system that can reap large amounts if they succeed in initiating automatic debits against thousands or millions of company checking accounts. Clients can set up a debit block to stop any ACH transactions from debiting the account. “We advocate that all of our clients put a block on their account when it is used for any sort of checking going out of it,” says Citigroup’s Blackburn. The bank also tells its corporate cash management customers to reconcile their accounts daily. “Make sure you recognize them and the persons who made them,” he says.

Fraud has become a big concern as use of the ACH system has greatly expanded with consumers’ use of debit cards to make Internet purchases. The system used to be primarily the province of businesses as a way of paying their employees, vendors and suppliers.

Another major problem in Internet commerce is the overwhelming amount of spam, or junk email, increasingly dominating the email servers of most companies. Spam will account for 52% of all email by the end of this year and will cost $41.6 billion in financial losses, more than double the amount in 2003, according to the Radicati Group. The losses stem mostly from increased IT infrastructure costs for bigger servers and more administrators.

SELECTED SECURITY/FRAUD STATISTICS

* Identity theft is expected to have cost consumers, businesses and governments $221 billion in losses worldwide last year. Losses could reach $2 trillion by the end of 2005.
* Online fraud incidents, as a percentage of business revenues, may be as much as 40 times higher than in face-to-face transactions.
* Online credit card fraud could cost businesses $60 billion by 2005.
* In 2004, malicious code (viruses, worms and Trojan horses) will cost the worldwide economy $35 billion.
* By the end of 2004, spam will account for 52% of all email and will cost $41.6 billion in financial losses, mostly due to higher IT infrastructure costs.

Sources: US Federal Trade Commission, Aberdeen Group, Internet Fraud Prevention Advisory Council, Financial Insights, and Radicati Group

The Real Cost of Spam

“The volume of email you’re dealing with is enormous because of all the garbage you don’t want. Your infrastructure is blown way out of proportion because of the spam,” says Sara Radicati, CEO of the Radicati Group. She estimates that companies spend an average of $49 per user mailbox per year in additional administration costs directly caused by the deluge of spam they’re facing. Those costs don’t include the loss of worker productivity in having to wade through and delete spam.

Spam is also a security threat because many of the messages carry computer viruses with them. The email phishing schemes that have become prevalent over the past year often originate in spam messages. Companies typically combat spam with filters, but they are of limited effectiveness. “The filters let a lot through,” says Radicati, who estimates that 17% of spam still gets through the filters.

Technology companies are now proposing and devising a number of hardware and software solutions that try to verify the access rights of the email sender. For example, Microsoft is proposing a caller-ID system for email.

“There’s no magic bullet. It’s a complex problem, and the solutions will be expensive,” says Radicati.
