Saturday, October 30, 2010

Identity Theft: Trends, Patterns and Typologies Report

Identity Theft Reports Jump; Most Attributed to Family

According to a new ID theft report from the
Financial Crimes Enforcement Network, most cases of ID theft are linked to a victim's family members or coworkers.

John Summers, a project officer at FinCEN and a lead in FinCEN's report, "Identity Theft: Trends, Patterns and Typologies Reported in Suspicious Activity Reports", says ID theft perpetrated by family, friends and business partners ranked No. 1 among SARs filed by U.S. depository institutions in 2009. "In 27.5 percent of the filings, this was the highest," he says. "It basically means someone close to them was getting access to their files and using their information."

In the FinCEN study, of the 372 depository institutions reviewed - a mix of banks and credit unions of varying assets sizes - the majority of ID theft incidents, not surprisingly, were reported by the largest financial institutions.

Identity theft was the sixth most frequently reported characterization of suspicious activity, trailing money laundering, check fraud, mortgage-loan fraud, credit-card fraud, and counterfeit-check fraud. In the study, FinCEN defines identity theft as involving the theft and misuse of unique identifying information, such as financial account numbers, depository accounts, investments, loans, credit cards, online payment accounts, officially issued federal or state identification documents, and biometric information.

Impersonation of an actual person without consent also fell into the ID theft definition, whether that impersonation occurred in-person or through an electronic form or other medium.

The most important takeaway from the study, Summers says, is the narrative section on the SAR, which provides the most critical information. "It is very key to the analysis," he says. "Since we added the identity theft box in 2003, we've used the narrative to tell law enforcement what happened; and the more information the banks can provide in the narrative, the more the regulators and law enforcement can do."

Please refer here to download the report.

Thursday, October 28, 2010

How to bypass iPhone’s passcode-protected lock screen?

Circumventing iPhone Security with the Push of A Button

A tech-savvy iPhone user has posted a video demonstrating a new finding: there’s an easily executable and potentially serious flaw in the iPhone password security function. Under the right circumstances, a simple press of the iPhone’s lock button will allow a malicious user to bypass the phone’s password protection and enter the main phone app. There, anyone can view the phone’s call history and stored contacts and listen to voicemail. The Threat Level blog reports that Apple has not yet commented on the bug.

For more details refer here.

Video: "Bug no iOS 4.1" from Salomão Filho on Vimeo.

Monday, October 25, 2010

Verizon report connects PCI non-compliance and data breaches

Verizon Business report shows a correlation between non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) and data breaches

A new Verizon Business report released today shows a correlation between non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) and data breaches. The results revealed that organizations that had suffered data breaches were 50% more likely to exhibit PCI non-compliance.

The report also ranked the top attack techniques used to steal payment card data. Remote access to systems via backdoors was the top attack, followed closely by SQL injection attacks. Poor authentication was also a problem, in particular, attackers exploiting default or easily guessable passwords to gain access to systems storing or processing payment data.

Further, 11% of companies met less than half of the requirements, while 22% met 100% of the requirements. The report also covers compensating controls, and determined that Requirement 3.4, which mandates that a primary account number (PAN) be unreadable, is the control most compensated for.

Quick Summary
  • 22% of organizations were validated compliant at the time of their Initial Report on Compliance (IROC). These tended to be year after year repeat clients.

  • On average, organizations met 81% of all test procedures defined within PCI DSS at the IROC stage. Naturally, there was some variation around this number but not many (11% of clients) passed less than 50% of tests.

  • Organizations struggled most with requirements 10 (track and monitor access), 11 (regularly test systems and processes), and 3 (protect stored cardholder data).

  • Requirements 9 (restrict physical access), 7 (restrict access to need-to-know), and 5 (use and update anti-virus) showed the highest implementation levels.

  • Sub-requirement 3.4 (render the Primary Account Number (PAN) unreadable) was met through compensating controls far more often than any other in the standard.

  • Organizations do not appear to be prioritizing their compliance efforts based on the PCI DSS Prioritized Approach published by the PCI Security Standards Council.

  • Overall, organizations that suffered a data breach were 50% less likely to be compliant than a normal population of PCI clients.

Please refer here to download the report.
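
Requirement 3.4's goal, rendering the PAN unreadable, is usually met by masking or truncation for display, and by a keyed one-way hash or tokenization for stored references. The Python below is an added example, not code from the Verizon report or the PCI Security Standards Council: it shows what a merchant application can store instead of the raw PAN, and how to scan logs or exports for PANs that escaped masking (a common way Requirement 3.4 is failed in practice). The sample PANs are standard test card numbers, the log lines are constructed, and DEMO_HMAC_KEY is a placeholder secret.

```python
import hashlib
import hmac
import re

# Constructed sample input: industry-standard test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5500000000000004", "378282246310005"]

# Constructed log excerpt: one line leaks a full PAN, one carries a 16-digit
# value that is NOT a card number (fails the Luhn check), one is already masked.
SAMPLE_LOG = """\
2010-10-25 10:01:02 pos-07 order=1001 card=4111111111111111 amount=42.10
2010-10-25 10:01:05 pos-07 order=1002 tracking=1234567890123456 amount=9.99
2010-10-25 10:01:09 pos-07 order=1003 card=411111******1111 amount=15.00
"""

# Hypothetical per-environment secret for keyed hashing. In production it
# belongs in an HSM or key-management service, never in source code.
DEMO_HMAC_KEY = b"demo-key-not-for-production"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum test used to tell a plausible PAN from an arbitrary number."""
    if not re.fullmatch(r"\d{13,19}", digits):
        return False
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masking/truncation: keep at most the first six and last four digits."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = DEMO_HMAC_KEY) -> str:
    """Keyed one-way hash: a stable reference for the card that cannot be reversed.
    A plain unkeyed SHA-256 of a PAN is not enough, because the PAN space is small
    enough to enumerate; the key is what makes the token safe to store."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def storable_record(pan: str, key: bytes = DEMO_HMAC_KEY) -> dict:
    """What a merchant database row may hold instead of the raw PAN."""
    return {"pan_masked": mask_pan(pan), "pan_token": pan_token(pan, key)}


def find_exposed_pans(text: str) -> list:
    """Scan free text (logs, exports) for unmasked PANs; report them masked."""
    found = []
    for match in re.finditer(r"(?<!\d)\d{13,19}(?!\d)", text):
        candidate = match.group(0)
        if luhn_valid(candidate):
            found.append(mask_pan(candidate))
    return found


if __name__ == "__main__":
    for pan in SAMPLE_PANS:
        print(storable_record(pan))
    print("exposed PANs in log:", find_exposed_pans(SAMPLE_LOG))
```

The scanner reports matches already masked so that the detection output does not itself become a new place where PANs are stored in clear. Compensating controls are common for 3.4 precisely because retrofitting masking and keyed tokens into a legacy database is hard; the scan is the check that tells you whether the control actually holds.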

Friday, October 22, 2010

NIST Scientists Offer Tips to Defeat Keyloggers

How to Beat Keyloggers

Keyloggers monitor and record keyboard use, including the information typed into a system, which might include the content of emails, usernames and passwords for local or remote systems and applications, as well as financial information like credit card numbers, Social Security numbers or PINs.

Some keystroke loggers require the attacker to retrieve the data from the system, whereas others actively transfer the data to another system through email, file transfer or other means.

NIST scientists identify three main types of keyloggers:

Hardware -- Tiny inline devices placed between the keyboard and the computer. Because of their size, they can go undetected for long periods of time. These devices can capture hundreds of keystrokes, including banking and email usernames and passwords. But for the criminal, the threat of being caught physically tampering with the machine is a deterrent.

Software -- This type of keylogging is done by using the Windows function SetWindowsHookEx that monitors all keystrokes. The spyware will usually appear packaged as an executable file that initiates the hook function, plus a DLL file to handle the logging functions. An application that calls SetWindowsHookEx is capable of capturing even autocomplete passwords.

Kernel/driver -- This kind of keylogger is at the kernel level and receives data directly from the input device (typically a keyboard). It replaces the core software for interpreting keystrokes. This type of keylogger can be programmed to be virtually undetectable by being executed when the computer is turned on, before any user-level applications start. Since the program runs at the kernel level, one disadvantage of this approach is that it fails to capture autocomplete passwords, as this information is handled in the application layer.

Defending Against Keyloggers

There are several kinds of defenses that can be used to spot or prevent keyloggers from embedding on machines:

Physical Security -- The physical protection of the computer must be considered. Whether the computer is at home, in an office or during traveling, keeping the computer secure and making sure no one has access to it is a primary concern.

Application whitelisting -- This is a way to prevent any software that isn't already approved or on the "white list" from being downloaded onto the computer. This is an emerging approach in combating viruses and malware. Application whitelisting gives the computer a list of software considered safe to run, and the machine is instructed to block all others.

Some experts see this approach as superior to the standard signature-based, anti-virus approach of blocking/removing known harmful software (essentially blacklisting), as the traditional approach generally means that exploits are already in the wild.
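
To make the contrast between the two models concrete, the Python below is an added illustration, not NIST's or any vendor's code. It hashes a set of approved programs into an allowlist, keeps a signature-style blocklist containing one known-bad file, and evaluates three constructed files under both models; the third file is a repacked variant no signature has seen yet, which is exactly the case where the blocklist lets it run and the allowlist does not. File names and contents are constructed; real products also key on publisher certificates and paths, not only hashes.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Content hash of a file; the identity an allowlist keys on."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(approved_paths) -> set:
    """Hash every approved program once, e.g. from a golden image."""
    return {sha256_file(p) for p in approved_paths}


def decide(path: str, allowlist: set, blocklist: set) -> dict:
    """Evaluate one program under both models so the difference is visible."""
    digest = sha256_file(path)
    return {
        "sha256": digest,
        # Blocklist (signature AV): only what is already known bad is stopped.
        "blocklist_verdict": "block" if digest in blocklist else "allow",
        # Allowlist: anything not explicitly approved is stopped, known or not.
        "allowlist_verdict": "allow" if digest in allowlist else "block",
    }


def demo() -> dict:
    """Constructed scenario: three files stand in for programs on a workstation."""
    with tempfile.TemporaryDirectory() as workdir:
        def write(name, content):
            p = os.path.join(workdir, name)
            with open(p, "wb") as fh:
                fh.write(content)
            return p

        approved = write("editor.exe", b"approved editor program (constructed)")
        known_bad = write("oldsample.exe", b"malware sample already in AV signatures (constructed)")
        novel = write("newsample.exe", b"repacked variant with no signature yet (constructed)")

        allowlist = build_allowlist([approved])
        blocklist = {sha256_file(known_bad)}  # the AV vendor has only seen this one

        return {
            os.path.basename(p): decide(p, allowlist, blocklist)
            for p in (approved, known_bad, novel)
        }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, "blocklist:", verdicts["blocklist_verdict"],
              "allowlist:", verdicts["allowlist_verdict"])
```

The price of the allowlist model is operational: every legitimate update changes the hash, so the list has to be maintained from a trusted build or image pipeline, which is why the post describes it as an emerging rather than a default approach.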

Detection Software -- Be careful where you go on the Internet. Drive-by downloads from ads that have been laced with malware are now being found even on popular news sites - not just on the fringes.

At a minimum, at least have anti-virus and anti-spyware loaded, and make sure they're kept up to date. Again, buy from a reputable vendor.
Consider operating a "virtual" machine environment to browse the Internet.

Virtual machines -- are separated into two major categories, based on their use and degree of correspondence to any real machine. A system virtual machine provides a complete system platform that supports the execution of a complete operating system. The other type, a process virtual machine, is designed to run a single program. An essential characteristic of a virtual machine is that the software running inside is limited to the resources and abstractions provided by the virtual machine -- it cannot break out of its virtual world.

Future Trends

"Moving forward in the next 12-18 months, the major computer manufacturers will begin offering virtual machine technology. "We're going to see more consumer-friendly operating systems being designed by vendors that will limit malware by having the user on a virtual machine while on the Internet, and the 'home' environment separate.

Cloud-based whitelisting will also become more popular, making whitelisting more available.

Another advancement in the fight against keyloggers and other types of malware is the move by anti-virus vendors to set up reputation-based systems, which check programs and tell the user whether they are legitimate or malicious.

The addition of a third component in the fight against malware is the use of operating systems and browsers that don't allow the malicious programs to be pushed down in the first place. By isolating and "sandboxing" the user's specific browsing session, no software is downloaded to the user's computer.

Thursday, October 21, 2010

Advanced evasion techniques can bypass network security

After "APT", we now have "AET"

A new hacking technique creates a mechanism for hackers to smuggle attacks past security defences, such as firewalls and intrusion prevention systems.

So-called advanced evasion techniques (AET) are capable of bypassing network security defences, according to net appliance security firm Stonesoft, which was the first to document the approach. Researchers at the Finnish firm came across the attack while testing its security appliance against the latest hacker exploits.

Various evasion techniques including splicing and fragmentation have existed for years. Security devices have to normalise traffic using these approaches before they can inspect payloads and block attacks.

Refer here to read more details.

Wednesday, October 20, 2010

Problems associated with elevated privileges

Least Privilege Security for Windows 7, Vista, and XP - Security

Russell Smith, renowned Windows security expert, discusses how adhering to the principle of least privilege can benefit the security of your environment, including reducing support incidents and improving user productivity. To attend the webinar, register for one of the following dates:

Least Privilege Security for Windows 7, Vista, and XP: Tuesday, November 2, 2010, 9:00 a.m. - 10:00 a.m. PDT

Least Privilege Security for Windows 7, Vista, and XP: Wednesday, December 1, 2010, 8:00 a.m. - 9:00 a.m. PST

In the webinar, Russell notes that running administrator-level privileges on desktop PCs increases total cost of ownership (TCO) by 36.3%. He also discusses the fact that although users tend to view security as restrictive, enforcing proper security measures actually benefits users because it helps meet their expectations for speed, reliability, and productivity.

Problems associated with elevated privileges include the following:
  • Malware—The more users running with elevated privileges, the greater the risk of infection.
  • Data leakage—Having more users with elevated privileges increases the chance of data loss.
  • Help desk costs—Giving users the right to change system configuration can lead to problems.
  • Unlicensed software—Users with admin privileges can install personal software, as well as unwittingly infect their systems by running fake antivirus software.
  • System/network slowdowns—Problems that users create on their own systems affect not only those systems but also the network.
  • Elevated privileges allow users to circumvent the management controls that are designed to protect systems and networks.

Monday, October 18, 2010

Facebook improving its security or increasing users concern on privacy?

Facebook Introduces OTP (One-time Password) Functionality

Facebook began rolling out a new service on Tuesday that allows people using public computers to log into the site without having to enter their regular password.

Instead, users can log in with a one-time password that, upon request, Facebook zaps to their mobile phones. The temporary access code is good for 20 minutes only. The new feature is designed to prevent account compromises that result when credentials are entered into machines that have been compromised by keyloggers and similar types of malware.

“We’re launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports,” Jake Brill, a Facebook product manager, blogged here. “If you have any concerns about security of the computer you’re using while accessing Facebook, we can text you a one-time password to use instead of your regular password.”

A lot of banks use a similar system labeled as a TAC (Transaction Authorisation Code) or similar when you want to carry out a transaction which involves moving money out from your account (bill payment, fund transfers etc).

Another new security-related feature is remote log-out, which Gmail from Google has had forever – if you didn’t know about the feature, just scroll to the very bottom of the Gmail window and you’ll see something like this:

This account is open in 1 other location.
Last account activity: 2 hours ago on this computer. Details

To use the service, users must first configure their accounts to work with a designated mobile phone number. When they text “otp” to 32665, they should immediately receive a password that’s good for the next 20 minutes. The feature is available to select Facebook users for now. Over the next few weeks, it will gradually become available to everyone.
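
The feature is described above from the user's side only. The Python below is an added example, not Facebook's code, sketching the server-side logic such a scheme needs to be safe against the keylogger scenario it targets: a random code, the 20-minute expiry stated above, single use (a captured code is worthless once spent), constant-time comparison, and a cap on wrong guesses so the short code cannot be brute-forced online. The eight-digit length and the five-guess lockout are my assumptions; the clock is injectable so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 20 * 60   # validity window stated in the post
OTP_DIGITS = 8              # assumed length; digits are easy to type from an SMS
MAX_FAILED_GUESSES = 5      # assumed lockout to stop online brute force


class OneTimePasswordService:
    """Issue and verify single-use, time-limited codes delivered out of band."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> {"digest", "expires_at", "failures"}

    @staticmethod
    def _digest(code: str) -> str:
        # Store only a hash, so a database read does not yield usable codes.
        return hashlib.sha256(code.encode("ascii")).hexdigest()

    def issue(self, user: str) -> str:
        """Create a fresh code for `user`, replacing any earlier one.
        The returned code goes to the SMS gateway only; it must never be logged."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user] = {
            "digest": self._digest(code),
            "expires_at": self._clock() + OTP_TTL_SECONDS,
            "failures": 0,
        }
        return code

    def verify(self, user: str, code: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing issued, or already used
        if self._clock() > entry["expires_at"]:
            del self._pending[user]           # expired: discard, force re-issue
            return False
        if hmac.compare_digest(entry["digest"], self._digest(code)):
            del self._pending[user]           # single use: consume on success
            return True
        entry["failures"] += 1
        if entry["failures"] >= MAX_FAILED_GUESSES:
            del self._pending[user]           # too many guesses: invalidate
        return False


def _wrong_guess(code: str) -> str:
    """A guess guaranteed to differ from `code` in its first digit."""
    return ("1" if code[0] != "1" else "2") + code[1:]


def demo() -> dict:
    """Walk through the lifecycle with a fake clock; returns the observed outcomes."""
    now = [1_000_000.0]
    svc = OneTimePasswordService(clock=lambda: now[0])
    code = svc.issue("alice")
    outcomes = {
        "wrong_code": svc.verify("alice", _wrong_guess(code)),  # one miss, still valid
        "right_code": svc.verify("alice", code),
        "replay": svc.verify("alice", code),                    # second use must fail
    }
    code = svc.issue("alice")
    now[0] += OTP_TTL_SECONDS + 1
    outcomes["expired"] = svc.verify("alice", code)
    code = svc.issue("alice")
    for _ in range(MAX_FAILED_GUESSES):
        svc.verify("alice", _wrong_guess(code))
    outcomes["after_lockout"] = svc.verify("alice", code)      # even the right code
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not protect: the code is useless to a keylogger on the public machine once it has been used, but a session cookie set after login is still exposed on that machine, which is why the remote log-out feature described above matters alongside it.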

Saturday, October 16, 2010

Microsoft Security Intelligence Report - Volume 9

Most attackers use social engineering techniques to trick you into installing malware

The US leads the world in the number of Windows PCs that are part of a botnet. More than 2.2 million US PCs were found to be part of a botnet. Brazil had the second highest level of infections at 550,000.

Infections were highest in South Korea, where 14.6 out of every 1,000 machines were found to be enrolled in botnets.

Key Findings Current Threat Overview

The Microsoft Security Intelligence Report (SIR) is a comprehensive evaluation of the evolving threat landscape and trends. The information can help you make sound risk-management decisions and identify potential adjustments to your security posture. Data is received from more than 600 million systems worldwide and internet services.

Volume 9 of the Security Intelligence Report covers the first half of 2010 (January 1 - June 30) and is divided into five sections:
  • Featured Intelligence for Volume 9 focuses on botnets and how to combat the threat.
  • Key Findings reveals data and trends analysis captured by Microsoft security analysts.
  • Reference Guide provides definitions for discussion points covered in the Key Findings.
  • Managing Risk recommends techniques to protect your organization, software, and people.
  • Global Threat Assessment looks at botnet and malware infection rates worldwide.
  • Infection rates for Windows 7 are lower than its desktop predecessors.
  • Most attackers use social engineering techniques to trick you into installing malware.
  • Stolen equipment remains the most frequent type of security breach incident.

Please refer here to download the report.

Wednesday, October 13, 2010

Security of Infrastructure Control Systems for Water and Transport

Audit finds Vic SCADA systems vulnerable

The auditor criticised (PDF) the state's water organisations for failing to secure critical water infrastructure against network threats.

Unprotected Supervisory Control and Data Acquisition (SCADA) systems are at risk from network attacks that may target critical infrastructure including electricity and water supplies, a case in point being the still active and now infamous Stuxnet worm.

The report stated that Victoria's water agencies lack an effective means to manage or avert the risks posed to central infrastructure control systems. It says the security of SCADA systems is inadequate and must be upgraded to meet the threats posed by networked environments, which had not previously been a consideration when the systems were offline and isolated.

I recommend that all control systems operators download this report, as it has some interesting findings and recommendations that can be applied in other control systems environments as well.

Read more details from here.

Tuesday, October 12, 2010

Mobile platform can also be the next Advanced Persistent Threats (APT) target?

OR part of the factor/contributor in the cyber ecosystem?

Mobile malware that affects Symbian Series 60 handsets is being used to create a botnet.

Pirated versions of 3D Anti-terrorist action, a first-person shooter developed by Beijing Huike Technology in China, and uploaded onto several Windows Mobile freeware download sites, come with a nasty add-on courtesy of Russian virus writers.

Compromised phones start attempting to silently make expensive international calls without user involvement, as reported in a thread on the XDA-Developers' forum, featuring the experience of a UK victim of the Trojan.

Read this interesting news here.

Monday, October 11, 2010

440 million new hackable smart grid points

How to Hack the Power Grid for Fun and Profit

By the end of 2015, the potential security risks to the smart grid will reach 440 million new hackable points. Billions are being spent on smart grid cybersecurity, but it seems like every time you turn around, there is yet another vulnerability exposing how to manipulate smart meters or power-grid data.

At the IEEE SmartGridComm2010 conference, Le Xie, Texas A&M University's assistant professor of electrical and computer engineering, gave examples of how attackers could hack the power grid for fun and profit. I quote from the reference:

According to the Lockheed Martin smart grid expert, there are three worst-case scenarios for the 3,200 utilities in the U.S.:

  1. Someone, a neighborhood kid or a person in another country, might turn off the power to a hospital or neighborhood in the middle of night.

  2. Voltage control devices could be hacked, turned up and down so that the voltage zaps computers, high-definition TVs or other voltage-sensitive equipment.

  3. "If you can cause rapid problems in the grid to occur in the right places at scheduled times, you could destabilize the whole grid, black out whole cities or states and cause massive damage." He added that some devices aren't available in the U.S. and could take two years to get a replacement.

Refer here to read more.

Sunday, October 10, 2010

Protect Yourself from Migration Fraud

Online help for immigrants

Immigrants planning a move to Australia have been warned of scams that leave them broke and without a visa. Immigration Minister Chris Bowen has launched a new online tool to help keep potential immigrants on the right path.

"It is vital that people are aware of fraudsters' tricks before handing over money for immigration assistance which is never provided," quote from his statement.

The Protect Yourself from Migration Fraud information kit includes victims' stories, tips for staying safe online, help with identifying non-genuine websites and fake emails and links to other resources. Mr Bowen said the most widespread scam involved online registration and the provision of a credit card number.

Saturday, October 9, 2010

A government-produced worm that may be aimed at an Iranian nuclear plant?

The Story Behind The Stuxnet Virus

Stuxnet is an Internet worm that infects Windows computers. It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet. Once inside a network, it uses a variety of mechanisms to propagate to other machines within that network and gain privilege once it has infected those machines. These mechanisms include both known and patched vulnerabilities, and four "zero-day exploits": vulnerabilities that were unknown and unpatched when the worm was released. (All the infection vulnerabilities have since been patched.)

The Stuxnet computer worm that appears aimed at undermining Iran's nuclear program is part of a worsening phenomenon. Half of all companies running "critical infrastructure" systems worldwide say they have sustained politically motivated attacks.

A global survey of such attacks – rarely acknowledged in public because of their potential to cause alarm – found companies estimated they had suffered an average of 10 instances of cyber war or cyber terrorism in the past five years at a cost of $US850,000 ($880,000) a company.

After going through quite a few articles and news items, here are some interesting and useful links I would like to share that will help you understand the Stuxnet worm.

F-Secure - Stuxnet Questions and Answers
ICSA Labs - Stuxnet Worm: Facts First
Bruce Schneier's Commentary - The Story Behind The Stuxnet Virus
Sydney Morning Herald - Mystery computer worm part of a global cyber war

Ralph Langner - Stuxnet Logbook *Updated*

Thursday, October 7, 2010

Smart grid security: Critical success factors

Security is paramount in any smart grid deployment and should be embedded into the end-to-end architecture and deployment of intelligent networks

Threats to the smart grid can be classified into three broad groups: System level threats that attempt to take down the grid; attempts to steal electrical service; and attempts to compromise the confidentiality of data on the system.

It’s often assumed that security threats come exclusively from hackers and other individuals or outside groups with malicious intent. Staff and other “insiders” also pose a risk, however, because they have authorised access to one or more parts of the system. Insiders know sensitive pieces of information, such as passwords stored in system databases, and have access to a secure perimeter, cryptographic keys, and other security mechanisms that are targets of compromise. And not all security breaches are malicious; some result from accidental misconfigurations, failure to follow procedures, and other oversights.

An effective security strategy for smart grids needs to be end-to-end. This means that security capabilities need to be layered such that defence mechanisms have multiple points to detect and mitigate breaches. These capabilities also need to be integral to all segments of intelligent network infrastructure and address the full set of logical functional requirements, including:

Physical security

When examining the security of SCADA networks, we consistently find little evidence of attention to physical security. The first thing to consider for securing a smart grid is keeping intruders off the premises. A physical security solution needs to include capabilities for video surveillance, cameras, electronic access control, and emergency response. These functions need to be flexible enough to integrate and converge onto the IP backbone. Secure and smooth interoperability enables centralized management and control, monitoring and logging capabilities, and rapid access to information. This reduces the amount of time it takes facilities personnel and operations teams to respond to incidents across the grid.

Identity and access control policies

Knowing who is on the grid is a vital element to the overall security strategy. Today, we see various user groups that have a reason to be on the network, including employees, contractors, and even customers. Access to these user groups, be it local or remote, should be granular, and authorization should only be granted to 'need to know' assets.

For example, an employee can have access to a specific grid control system, while a contractor only has access to a timecard application, and a customer has Internet-enabled access that allows that customer to view energy consumption and bills online.

Identity should be verified through strong authentication mechanisms. Passwords must be strong, and all login attempts, including unauthorised ones, must be logged. We should implement a 'default deny' policy whereby access to the network is granted only through explicit access permissions. Furthermore, all access points should be hardened to prevent unauthorised access, and only ports and services necessary for normal operation should be enabled.

Hardened network devices and systems

The foundation of an effective security architecture is the protection of the infrastructure itself. A system is only as strong as its weakest link, and core elements—the routers and switches—can represent vulnerabilities and access methodologies if not properly protected. If these devices are compromised, they can be used to disrupt grid operations through denial-of-service (DoS) attacks or, worse, used to gain access to more vital control systems.

For example, routers can be shipped with factory default passwords and basic remote access such as Telnet and HTTP services turned on. Network administrators might neglect to change these settings, unknowingly providing an easy entry point into their domain. Hardening best practices address the steps that keep intruders off the devices and help ensure a secure environment.

Threat defence

A comprehensive threat defence strategy is required to broadly cover the different vulnerabilities that a smart grid network can face. Despite discrete functional zones and clear segmentation, it is often difficult to anticipate what form a new threat might take. Care should be taken to apply security principles broadly across the entire infrastructure to build an effective, layered defence:

DoS attacks can debilitate the functionality of the grid. DoS attacks originating from the Internet should not have any effect on the control systems, thanks to network segmentation and access control.

Host protection in the form of antivirus capabilities along with host-based intrusion prevention is required to protect critical client systems, servers, and endpoints. Host protection should be kept up to date with patch management controls to make sure that the latest threat intelligence and signature updates are in place.

Network intrusion prevention system (IPS) technologies should augment the host-based defenses. An IPS should be used to identify external threats attempting to enter the infrastructure, as well as stop any attempts at internal propagation.

Vulnerability assessments must be performed at least annually to make sure that any elements that interface with the perimeter are secure.

In some instances, user action can open potential vulnerabilities to the system. As such, awareness programs should be put in place to educate the network users—employees, contractors, and guests alike—about security best practices for using network-based tools and applications.

Data protection for transmission and storage

Because of the different entities that make up a grid, it is important to think about how data is protected as it is transmitted and stored.
  • Implement firewall functionality that enforces access policies between different network segments, either logical or physical
  • Support VPN architectures that apply encryption algorithms to ensure secure and confidential data transmission
  • Allow for host encryption and data storage security capabilities to protect critical assets on servers and endpoints
  • Provide granular access control to sensitive data at the application level
  • Provide ubiquitous security across both wired and wireless connections in a consistent manner
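
The 'default deny' policy in the identity section and the segmentation relied on in the threat-defence and data-protection sections come down to one rule: a flow is permitted only if an explicit allow rule covers it, and everything else is denied and logged. The Python below is an added example, not from the article, that evaluates constructed flows against a small zone plan (corporate, DMZ, control) in which a single jump host is the only path into the control network. Zone ranges, hosts and rules are all constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone plan for the example (not from the article).
ZONES = {
    "corporate": [ip_network("10.10.0.0/16")],
    "dmz":       [ip_network("10.20.0.0/24")],
    "control":   [ip_network("10.50.0.0/16")],   # SCADA / grid control network
}
JUMP_HOST = "10.20.0.5"  # the only DMZ host allowed into the control zone


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    src_host: Optional[str] = None   # pin the rule to one source address
    note: str = ""


# Explicit allow rules; whatever they do not cover is denied (default deny).
ALLOW_RULES = [
    Rule("corporate", "dmz", "tcp", 443, note="historian web UI"),
    Rule("corporate", "dmz", "tcp", 22, note="admins reach the jump host"),
    Rule("dmz", "control", "tcp", 22, src_host=JUMP_HOST, note="jump host only"),
    Rule("control", "dmz", "tcp", 5432, note="historian replication"),
]


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the plan is untrusted."""
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "internet"


def evaluate(src: str, dst: str, proto: str, port: int) -> dict:
    """Return the verdict and the reason, so denied flows can be logged and reviewed."""
    sz, dz = zone_of(src), zone_of(dst)
    for rule in ALLOW_RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.port) != (sz, dz, proto.lower(), port):
            continue
        if rule.src_host is not None and rule.src_host != src:
            continue
        return {"verdict": "allow", "reason": rule.note, "src_zone": sz, "dst_zone": dz}
    return {"verdict": "deny", "reason": "no explicit allow rule", "src_zone": sz, "dst_zone": dz}


# Constructed flows to evaluate, e.g. replayed from a firewall log.
SAMPLE_FLOWS = [
    ("10.10.3.4", "10.20.0.9", "tcp", 443),    # analyst -> historian web UI
    ("10.10.3.4", "10.50.1.1", "tcp", 22),     # analyst straight into control
    ("10.20.0.5", "10.50.1.1", "tcp", 22),     # jump host into control
    ("10.20.0.9", "10.50.1.1", "tcp", 22),     # some other DMZ host into control
    ("203.0.113.7", "10.50.1.1", "tcp", 502),  # internet -> control
]


def audit(flows=SAMPLE_FLOWS) -> list:
    """Verdict per flow; the deny lines are what a reviewer wants to see."""
    return [(flow, evaluate(*flow)["verdict"]) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in audit():
        print(verdict.upper(), *flow)
```

Running the same evaluator over exported firewall logs is a cheap way to check that the deployed rule base still matches the intended zone plan, which is the kind of annual perimeter assessment the threat-defence section calls for.
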

Real-time monitoring, management, and correlation

For ongoing maintenance and tighter control, it is important to have the ability to monitor events at a granular level. Over the lifespan of any complex system, events occur. Some of these events might be the result of a security incident, and some might simply be 'noise', but it is important for the system to detect those events, generate alerts, and apply intelligence so that more informative and intelligent decisions can be made.

This level of visibility can show which network elements are being targeted, which network elements might be vulnerable, and what type of corrective action needs to take place. This is a requirement for any successful security strategy.
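
As an added example of what applying intelligence to raw events can mean in practice (not from the article), the Python below correlates constructed authentication events by source address: five failures within a minute from one source raise a medium alert, a success from that source within five minutes escalates it to high, and isolated failures are treated as noise. The log format, hosts and thresholds are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

FAILURE_THRESHOLD = 5     # assumed: this many failures from one source...
FAILURE_WINDOW = 60       # ...within this many seconds trigger an alert
FOLLOWUP_WINDOW = 300     # a success this soon after a burst is escalated

# Constructed events in a simple syslog-like shape (not real SCADA logs).
SAMPLE_EVENTS = """\
2010-10-07T10:00:01 hmi-01 sshd auth_failure src=10.10.3.4 user=operator
2010-10-07T10:00:07 hmi-01 sshd auth_failure src=10.10.3.4 user=operator
2010-10-07T10:00:12 hmi-01 sshd auth_failure src=10.10.3.4 user=admin
2010-10-07T10:00:15 hist-01 sshd auth_failure src=10.10.9.9 user=backup
2010-10-07T10:00:19 hmi-01 sshd auth_failure src=10.10.3.4 user=admin
2010-10-07T10:00:25 hmi-01 sshd auth_failure src=10.10.3.4 user=root
2010-10-07T10:00:40 hmi-01 sshd auth_success src=10.10.3.4 user=admin
2010-10-07T10:03:00 hist-01 sshd auth_success src=10.10.9.9 user=backup
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<event>auth_\w+) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse(text: str) -> list:
    """Turn raw lines into dicts with a datetime; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def correlate(text: str) -> list:
    """Sliding-window correlation keyed on source address."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    burst_at = {}                   # src -> time of the last burst alert
    alerts = []
    for ev in sorted(parse(text), key=lambda e: e["ts"]):
        src, ts = ev["src"], ev["ts"]
        if ev["event"] == "auth_failure":
            window = failures[src]
            window.append(ts)
            while (ts - window[0]).total_seconds() > FAILURE_WINDOW:
                window.popleft()    # drop failures older than the window
            if len(window) >= FAILURE_THRESHOLD:
                alerts.append({"type": "auth_failure_burst", "severity": "medium",
                               "src": src, "host": ev["host"],
                               "count": len(window), "at": ts})
                burst_at[src] = ts
                window.clear()      # one alert per burst, not one per extra failure
        elif ev["event"] == "auth_success":
            last = burst_at.get(src)
            if last is not None and (ts - last).total_seconds() <= FOLLOWUP_WINDOW:
                alerts.append({"type": "success_after_burst", "severity": "high",
                               "src": src, "host": ev["host"],
                               "user": ev["user"], "at": ts})
                del burst_at[src]   # escalate once per burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The second rule is the point of correlation rather than plain thresholding: a burst of failures on its own is a medium-priority ticket, but the same source then succeeding is the signal that tells an operator which element was targeted and that corrective action is needed now.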

Tuesday, October 5, 2010

Phishing has always been attractive to criminals

Zeus-Based Scam

Last week's arrests of 19 people in London have Scotland Yard's special electronic crimes unit unravelling what appears to be an online banking scheme that stole at least $9 million from thousands of banking customer accounts.

Police say that for the last three months the accused criminals, 15 men and four women, infected the customers' computers with a Trojan computer virus known as Zeus, designed to steal banking credentials from unsuspecting users. The $9 million taken may go higher as the investigation continues. Another 37 arrests in the U.S. happened on Thursday.

In November, Scotland Yard arrested a man and a woman in Manchester after they were accused of infecting computers with malware similar to Zeus. At the time, police said the two were the first people to be arrested on suspicion of using this type of malware to steal money from bank accounts. Police and malware researchers warn that Zeus, also known as Zbot, is a worldwide threat. Its attacks have increased in number, and the sophistication of attacks is increasing as well.

In May, the Anti Phishing Working Group released a report showing that Avalanche, the same electronic crime syndicate behind two-thirds of the phishing attacks detected in the last half of 2009, was linked to a rash of incidents targeting small and mid-size businesses. Avalanche successfully targeted some 40 banks and online service providers, as well as vulnerable or non-responsive domain name registrars and registries.

The individuals and businesses were hit with the Zeus Trojan, which was embedded in the phishing e-mails. Businesses that were attacked then became victims of fraudulent automated clearing house and wire transactions, as the criminals posed as employees of the business, moving thousands of dollars to overseas locations.

Banks must implement a dual strategy: increased controls and detection at their servers and deployment of secure endpoints and strong authentication to customers.

Saturday, October 2, 2010

Maltego 3 - Quick and Effective Information Gathering Tool

Maltego is a one-stop resource for carrying out foot-printing and passive analysis

Maltego is a premier information gathering tool that allows you to visualize and understand common trust relationships between entities of your choosing.

Currently Maltego 3 is available for Windows and Linux. There is also an upcoming version for Apple users that has yet to be released.

Information gathering is a vital part of any penetration test or security audit, and it's a process that demands patience, concentration and the right tool to be done correctly. In our case Maltego 3 is the tool for the job.
  • Maltego can be used for the information gathering phase of all security-related work. It will save you time and will allow you to work more accurately and smarter.

  • Maltego aids your thinking process by visually showing the interconnected links between searched items.

  • Maltego provides you with a much more powerful search, giving you smarter results.

  • If access to "hidden" information determines your success, Maltego can help you discover it.

Please refer here for a detailed explanation, here for its documentation and here to download.

Friday, October 1, 2010

Securing our Confidential Information

How to protect confidential information?

Even when an organisation has state-of-the-art technology, strict security policies, and a highly skilled IT staff to manage policies, some organisations are not as secure as they could be. In fact, a recent survey conducted at Interop New York 2010 showed 40 percent of IT managers surveyed reported that their organisation had experienced at least one security breach in the last year.

Protecting confidential information plays a key part in the sustainability of any organisation. With the proliferation of critical information in digital format, the risks of a security breach have increased, both to the company and to individuals.

We've all seen media reports highlighting a leak of customer personal information such as ID numbers, account data, credit-card information and addresses. The resulting identity theft can be devastating to the individual, and both embarrassing and costly to the company where the confidential data leak occurred.

The 2009 Australian Cost of a Data Breach study, conducted by US-based Ponemon Institute on behalf of data encryption specialist PGP, examined the actual financial losses incurred by 16 organisations from different industry sectors following a data loss, with breaches ranging from around 3300 to 65,000 lost or stolen records.

Other key findings in the study:

  • Organised crime is now going after corporate data.

  • Data breaches are now being caused by malware.

  • Increased use of mobile devices is leading to increasing data security issues.

  • Third-party mistakes with outsourced data were involved in 42% of the breaches.

Confidential information is not restricted to customer or employee personal information, important though that is. It also includes the intellectual property that generates an organisation's tactical and strategic competitive advantage.

Employees can unknowingly pose security risks to the organisation they work for in a number of ways:

  • Weak passwords increase the risk of a successful network attack.

  • Improper handling of confidential documents can lead to the loss of proprietary information.

  • Leaving confidential documents unattended on desks and photocopiers.

  • Sharing confidential information with friends, relatives and sometimes strangers, knowingly or unknowingly.

  • Falling prey to a social engineering attack may lead an employee to divulge confidential information.

How to protect confidential information?

  • Never leave documents out, even if you will only be away from your desk for a short time. Just put them in a secure drawer and lock it. It is a habit every employee needs.

  • If you are shipping sensitive data off-site, use a secure package and a shipping method that allows you to track the package.

  • Employees with company laptops should secure them in their car and in their home.

  • Encourage employees to use strong passwords; the longer and more sophisticated, the better.

  • Never open an e-mail attachment from someone you do not know. Even if they know the sender, employees should always be wary of attachments.

  • A study last year found that 67% of employees use removable media such as personal USB thumb drives at work. Not only does this put our IT systems at risk from a potential virus, it also increases the risk of data leakage.