As President Obama promised rescue and humanitarian efforts that would result in the send-off of U.S. military and civilian emergency teams to Haiti last month, cybercriminals hastily moved to turn some profits from the ruinous earthquake that shocked the country.

Vulgar gouging of despairing individuals during times of devastation is nothing new, neither in the cyber realm nor in the real world. But the quickness with which web domains relating to the massive magnitude-seven earthquake – which, by the way, equals the energy of several nuclear bombs – hit the internet was notable. Experts said last month that, just as with the resulting travesty that was (and, sadly, lingers still) Hurricane Katrina, voracious opportunists undoubtedly would use the domains to speedily establish fake charity sites to phish those looking to lend a hand, ultimately resulting in the theft of loads of credit card numbers. As well, cyberattackers probably would lure the curious into viewing fake video of the catastrophe to install malware on PCs and networks.
The problem with these and other attacks is how much more sophisticated they have become. For instance, cybercriminals looking to make a buck from fake charity sites often have obtained SSL certificates to make the sites appear legit to visitors. While some domain registrars try to monitor this activity, they fail to catch all of it.
And malware is viewed by most information security experts as a continually rising threat in 2010. While there are plenty of ways cybercriminals can get malware onto systems, web browsers, with their slew of vulnerabilities, are a top target, according to Perimeter eSecurity's recently released list of top threats. Additionally, last year saw the first time that the FBI reported cyberthieves were trumping drug traffickers in their revenues, making a billion dollars annually, according to the information security service provider's report.
Along with these types of threats, there are plenty of others that will make news in 2010 – from vulnerability exploits or careless staff to zero-day exploits or mobile security attacks. And while layered security approaches adopted by companies can go some way in thwarting these, there are other considerations CISOs and their colleagues must think about.
Security, as we all know, is about not only the technologies deployed and managed, but also the processes put into place and the people who play roles in ensuring the safety of critical data. And because security and awareness training, even now, often is viewed by many organizations as consisting of some introductory and/or annual job training with a few posters or emails mixed in, we thought it a good idea to offer up a cover story on the subject this month. As a critical component of an overall risk management plan, now even federal politicians (gasp!) are looking to understand the ins and outs of data protection.
Security training is nothing new, but, unfortunately, it's still lower on priority lists – a problem that becomes more rampant during tough economic times. However, with a little time and investment, awareness training really can help to make security a part of corporate cultures…and, perhaps, get a bit more money to the people of Haiti who actually need it.
Illena Armstrong is editor-in-chief of SC Magazine.