
Infosecurity Europe bucks economic recession, as does cybercrime

By Ron Condon, U.K. Bureau Chief
02 May 2009 | SearchSecurity.co.uk


LONDON -- If the Infosecurity Europe show is a true barometer of economic health, then it looks as if the security industry is in good shape, and bucking the recession. The show, which took place in London last week, attracted 12,445 visitors over three days, a 5% increase from the 2008 attendee numbers, and exhibitors reported brisk trade from people with real requirements to meet.

New infosec studies

Security professionals should care about the growing threats, if we are to believe the stream of new surveys that appeared during Infosecurity Europe this week.

* Spam makes a comeback, reaching 85.3% of all traffic in April, and many of the unwanted messages contain links to infected websites. There is an average of 3,561 new websites per day harbouring malware or other unwanted programs such as spyware. (MessageLabs Inc.)

* 285 million records were compromised in 2008, with 74% of attacks coming from outside the organisation, only 20% from insiders, and 32% from business partners. Nine out of 10 breaches were considered avoidable if security basics had been followed. Most of the breaches investigated did not require difficult or expensive preventive controls. (Verizon Communications Inc.)

* 62% of businesses have experienced a security breach in the last year due to vulnerabilities in critical applications. While 57% of companies outsource software development, only 30% of them specify security standards (Forrester Research, on behalf of Veracode, Inc.).  

* The half-life of a vulnerability (the time it takes for an industry to patch half of its systems after an advisory is issued) remains at just under 30 days. Companies need to pay more attention to patching Microsoft Office, Adobe Acrobat and Sun Java Plug-in, which are being increasingly targeted. (Qualys, Inc.)  

* Just 14% of U.K. network managers claim their networks have been unaffected by the increase in Web threats, and 34% say their networks have suffered significant problems. Their U.S. counterparts claim to be doing better, with 24% saying they are unaffected, and 18% admitting significant problems. (Blue Coat Systems, Inc.)

The growing threat of organised cybercrime cases was the conference's main focus, but exhibitors reported that the main drive among prospective purchasers still appeared to be regulatory compliance, whether it is PCI DSS for those handling credit card data, or the new Code of Connection (CoCo) that all local authorities and public-sector bodies will need to meet before September in order to connect to the government's secure extranet.

While exhibitors on the show floor were keen to demonstrate value to suit tighter budgets, there was little sign of any new technological breakthroughs. One analyst, Graham Titterington of Ovum, a research firm acquired by Datamonitor plc in 2006, described the general level of technology as "incremental," and pointed out that biometric devices were notable by their absence.

The conference sessions spent much time looking at the culprits -- the cybercriminals -- and how to prevent, punish and prosecute. In an opening keynote speech, former Home Secretary David Blunkett bemoaned a general lack of government awareness of cybercrime, and poor coordination between the plethora of different agencies and bodies that are supposed to be dealing with the problem.

A later session on e-crime featured Howard Schmidt, a previous advisor on cybersecurity at the White House and a former FBI agent. He said cybercriminals were often able to avoid detection by stealing small amounts from millions of people. "Who is going to report the theft of a pound or a dollar?" he asked. "It's only the most brazen criminals who boast of their exploits who risk getting caught."

But Schmidt noted that at least in the U.S., the authorities have a better chance of assessing the true level of crime and cybercrime cases through the Internet Crime Complaints Center, a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center, where victims can easily report an e-crime. In the U.K., by contrast, the promised National Fraud Reporting Centre, an organization pushed by the Attorney General's Office for England and Wales (AGO) to report fraud trends, has yet to materialise.

A member of the audience brought a personal perspective to the problem. Steve Howorth, a detective constable with the recently formed Police Central e-crime Unit (PCeU), explained why so little is done. "I am one of just two intelligence officers at PCeU, and the other one is a detective who is still learning the subject," he said. "We badly need to recruit an analyst as well, but we don't have the budget."

He called on members of the audience to lend any kind of help they could offer so that the PCeU can do its job. But there was also some good news related to the crime unit's efforts: the PCeU had recently notched up a major success in early April with the arrest of nine people allegedly involved in an online banking scam that aimed to use Trojan malware to defraud banks. The investigation was done with the active collaboration of bank security professionals.
