Web hacker invasions continuing to threaten company computer data

Nov. 1, 2004

An insider attack against a large company's database could result in an average loss of $2.7 million in damages, according to information from New Horizons Computer Learning Centers, Anaheim, California. At the same time, statistics also indicate that 80% of identified information security breaches are caused by human error.

“The single biggest weakness in the nation's critical infrastructure is people,” according to Martin Bean, chief operating officer, New Horizons.

And the threat isn't letting up. Websense Inc., San Diego, California, reports that its research indicates a dramatic rise in fraud-based Web sites designed to trick users into submitting confidential information.

“The Internet continues to evolve as an attack vector for hackers by employing tactics that trick both casual and corporate Web users into being victims of identity theft,” according to Dan Hubbard, Websense director of security and technology research. “We predict this problem only to worsen as hackers become more advanced in their scams. New techniques to dupe users are being developed, and the accuracy, creativity, and sophistication are rising.”

According to recent congressional reports, approximately 85% of the nation's critical infrastructure is owned or controlled by the private sector. Although the government has taken steps to protect its own information security, mandatory security training requirements do not carry over into the private sector, New Horizons, an independent IT (information technology) training company, said.

New word

A word used to describe these threats, phishing, defines actions taken by hackers to invade e-mails. Similar invasions come from fraudulent Web sites. Both are designed to trick users into giving up various kinds of data.

Resembling phishing sites, the new category of fraud-based sites collects similar information along with the promise of merchandise or a service.

Phishing scam Web sites have increased by roughly 50% month to month. As phishing sites continue to grow exponentially, the newer breed of advanced fraud-based sites also is proliferating, raising the stakes of Internet scams, Websense, a provider of employee Internet management solutions, said.

The newest fraud-based sites discovered by Websense appear to be legitimate, unique online e-commerce sites, veering away from the more common phishing practice of replicating the look of established institutions.

Several commonalities have been identified by Websense concerning fraud-based sites, including:

  • Fraudulent pharmacy, bank, mortgage and loan Web sites are the most popular scams.

  • Most fraud-based sites have fake contact information, don't have contact information (except occasional e-mail), or the sites are out of service.

  • Fraud-based sites usually last an average of 8.5 days, which is longer than phishing sites.

  • The fraud-based sites are linked to high-traffic spammer networks.

  • The majority of fraud-based sites are hosted outside the United States.

Employee training

To contend with these threats, New Horizons noted that studies indicate that when a company trains at least one in every four IT employees in security fundamentals, it is 20% less likely to suffer a departmental security breach.

In addition to employee training, a process should be utilized that includes protecting key digital assets and capabilities, detecting attacks and malicious actions, responding with rapid notification and reaction, and recovering with disaster and business continuity planning, New Horizons added.

Training should include a program that enhances security skills at all levels within a corporation. The training company offers courses that teach students to identify security threats, analyze network security risks, monitor the network for security breaches, and respond to network and software-based attacks.

Websense Enterprise offers software programs that allow organizations to manage their employee Web access. For example, when an organization implements a block policy for the category at the Internet gateway, employees who click on a fraud-based site URL will be blocked from accessing the counterfeit site.

The company also offers programs that alert customers to the threat of outbreaks.

About the Author

Mary Davis