BreachExchange mailing list archives
Software Vulnerabilities Lead to Internal Security Problems: Kaspersky
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 10 Dec 2013 00:36:47 -0700
http://www.eweek.com/security/software-vulnerabilities-lead-to-internal-security-problems-kaspersky.html While malware is a potential hazard for all organizations, security risks within legitimate software applications often lead to internal cyber-security incidents at companies around the world. Flaws in existing software are the leading cause of internal IT security threats, according to a new study from Kaspersky Lab, which surveyed 2,895 IT professionals around the world. The software vulnerabilities are leading to multiple forms of exploits including data breaches. Alexander Erofeev, chief marketing officer at Kaspersky Lab, defines internal incidents as those caused by internal reasons: vulnerabilities in software inside the company infrastructure and mistakes made by employees. "Some internal incidents result in data loss, but not always," Erofeev said. "For example, out of 39 percent of companies which reported incidents involving vulnerabilities, only 10 percent experienced sensitive data loss." The study also found that of those organizations with internal security incidents, nearly 15 percent experienced the loss of nonsensitive data. Only 14 percent had no data loss at all as a result of a vulnerability incident. In contrast, Erofeev explained that external incidents include malware attacks, distributed denial of service (DDoS) attacks, spam and network intrusion. He noted that external incidents can also result in data loss, but not always. "The main difference between external and internal incidents is the reason behind them," Erofeev said. "It could be unknown cyber-criminals with an external incident or company employees with an internal incident." The incidence of software vulnerabilities leading to internal security issues is variable around the world. The highest incident rate is in Russia, at 51 percent, while Japan had the lowest rate, at 29 percent. North American organizations fell right in the middle of the pack, at 38 percent. Beyond identifying the risks from internal security threats, Erofeev said that the same survey provided some unexpected information about how companies perceive daily malware discovery rates. Kaspersky estimates that 100,000 to 250,000 new malware samples are discovered daily; 90 percent of respondents to the Kaspersky study did not correctly identify the current malware rate. "That suggests that companies seriously underestimate current threats and need to pay far greater attention to IT security issues because the number of threats is growing significantly," Erofeev said. Despite average losses from targeted cyber-attacks costing $2.4 million, 40 percent of companies are only making significant investments into IT security after suffering an attack, Erofeev said. In fact, 28 percent of companies believe that the financial costs of cyber-crime will work out to be less than the cost of upgrading their IT systems to prevent an attack in the first place, he added.
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com Supporters: # OWASP http://www.appsecusa.org # Builders, Breakers and Defenders # Time Square, NYC 20-21 Nov o()xxxx[{::::::::::::::::::::::::::::::::::::::::> Risk Based Security (http://www.riskbasedsecurity.com/) Risk Based Security offers security intelligence, risk management services and customized security solutions. The YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
Current thread:
- Software Vulnerabilities Lead to Internal Security Problems: Kaspersky Audrey McNeil (Dec 16)