In the wake of undiscovered data breaches and subsequent public exposure, regulatory compliance and security audit standards are becoming ever more important to protecting critical assets.

Despite the increase in the number of data breaches via illicit means, internal controls seem to fail when it comes to the assurance that critical assets remain uncompromised.

According to the Identity Theft Resource Center a total of 336 breaches have been reported in 2008 alone, putting the overall number at 69% greater then this time last year . This is a concern for security teams especially given the fact that a lack of dedicated resources exist to combat and revert this trend.

This is significantly important to take into consideration when going through the formal audit process to certify adherence to Sarbanes-Oxley (SOX), Graham Leach Bliley (GLBA), Payment Card Industry (PCI), or Health Insurance and Portability and Accountability Act (HIPAA).

With the significant increase in data exposure corporations can’t afford to take short-cuts when it comes to information assurance. Otherwise it is almost certain that one will become a victim of a serious exposure of sensitive information. This paper will explore the several disconnects between established and accepted security audit framework and the variable of hidden infections.

The problem as it exists today – hidden threats from within

The variable of hidden and unidentified infections will almost certainly introduce a degree of unknowingness and concern when it comes to the protection of sensitive information and adherence to regulations.

More and more malware seen on the market today is designed to target specific platforms and the users that interact with them. Banker Trojans for example are an increasing concern for the financial and e-commerce communities; as a result malware is targeting specific payment or banking platforms advertently stealing credentials, therefore; fueling a rise in financial and economic fraud.

According to a recent study, annual revenue loss due to online fraud in 2007 amounted to $3.6 billion and is a trend that is to be consistent for 2008 and beyond.

Online fraud and the use of targeted phishing campaigns have evolved in parallel to each other and are expected to continue to steadily increase. Furthermore, these tactics have become very popular amongst the hacker elite and have taken an evolutionary step forward in sophistication and complexity.

What’s more of a concern is when tailored malware is involved in a targeted attack against a corporation’s intellectual property. These threats most often will remain under the radar for long extended periods of time, thus, going undetected by resident security software until it’s too late. The number one reason as to why these undiscovered or hidden threats exist is due to the limited distribution and the complexities involved with the attack – always targeting a few key individuals. Therefore, resulting in malcode that researchers never see nor analyze, thus, no signature defense is created.

Targeted Phishing Campaigns

Targeted phising scams on the other hand against corporate executives or better known as whale phishing, recently has been seen as a means of introducing malicious code into the environment. As the target is often intellectual property, financial records & personal employee data, these attacks are well thought of and planned ahead to ensure the highest possible success rate.

According to MessageLabs in a recent quarterly phishing and spam report , an increasing number of smaller state-level banks and credit unions continue to receive attention from hackers. In addition in another MessageLabs report, targeted attacks have gone from what used to be 2 per day to over 900 in less then a 24hr period.

These attacks are using a wide variety of social engineering tactics that consist of fake subpoenas, tax complaints and many other types

You do not have flash or javascript support.

Average (2 votes)

Reply