Malware Incidents Go Unreported, Particularly in Large Businesses

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.eweek.com/small-business/malware-incidents-go-unreported-particularly-in-large-businesses.html

Enterprises in the United States are facing mounting cyber-security
challenges, with nearly six in 10 malware analysts reporting they have
investigated or addressed a data breach that was never disclosed by their
company.

Moreover, the largest companies, those with more than 500 employees, are
even more likely to have had an unreported breach, with 66 percent of
malware analysts with enterprises of that size reporting undisclosed data
breaches.

These are just two of the troubling findings of an independent blind survey
of 200 security professionals dealing with malware analysis within U.S.
enterprises, which was conducted by Opinion Matters on behalf of
ThreatTrack Security in October.

These results suggest that the data breach epidemic–totaling 621 confirmed
data breaches in 2012, according to Verizon’s 2013 Data Breach
Investigations Report–may be significantly under-reported, leaving
enterprises’ customers and data-sharing partners unaware of a wide array of
potential security risks.
When asked to identify the most difficult aspects of defending their
companies’ networks from advanced malware, more than two-thirds (67
percent) said the complexity of malware is a chief factor, while 67 percent
said the volume of malware attacks, and 58 percent cited the
ineffectiveness of anti-malware solutions.

"While it is discouraging that so many malware analysts are aware of data
breaches that enterprises have not disclosed, it is no surprise that the
breaches are occurring," ThreatTrack CEO Julian Waits said in a statement.
"Every day, malware becomes more sophisticated, and U.S. enterprises are
constantly targeted for cyber-espionage campaigns from overseas competitors
and foreign governments."

More than half (52 percent) of all malware analysts said it typically takes
them more than rwo hours to analyze a new malware sample. Conversely, only
4 percent said they are capable of analyzing a new malware sample in less
than one hour.

More than one-third (35 percent) said one of the most difficult aspects of
defending their organization from advanced malware is the lack of access to
an automated malware analysis solution.

"This study reveals that malware analysts are acutely aware of the threats
they face, and while many of them report progress in their ability to
combat cyber-attacks, they also point out deficiencies in resources and
tools," Waits continued.

Four in 10 respondents reported that one of the most difficult aspects of
defending their organization’s network was the fact that they don’t have
enough highly skilled security personnel on staff.

Installing a malicious mobile app, allowing a family member to use a
company-owned device, clicking on a malicious link in a phishing email and
visiting adult Websites were among the top routes that senior leadership
teams infected the business with malware.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.