Tag: security

Security worries delay Ingram Micro takeover

Worries about security have forced the delay of Ingram Micro’s takeover by a Chinese outfit.

Ingram says that the deal, which would see it become part of the Tianjin Tianhai Investment Company, is now being delayed until towards the end of the year.

The first delay to the deal came last month when the Shanghai Stock Exchange sent a letter to Tianjin Tianhai asking for more details about the takeover. In that case the Exchange was worried about how the deal was being funded.

But now the Committee on Foreign Investment in the United States wants to take a close look at the deal.

“Ingram Micro today announced that the End Date by which the acquisition of Ingram Micro by Tianjin Tianhai Investment Company must be completed has been extended to November 13, 2016,” Ingram said.

Despite the CFIUS activity the expectation from both Ingram and on the Chinese side is that the deal will still close this year.

However it might not be that easy. The US is getting increasingly concerned about the involvement of the Chinese in business. Earlier this week it became clear that the Chinese company that is one of the main investors in the Hinkley Point nuclear power station is facing charges of nuclear espionage in the US.

Cisco warns ransomware scams are targeting enterprises

Cisco’s Midyear Cybersecurity Report (MCR) is warning that ransomware is a specific threat which is becoming more widespread and potent.

The report said that the ransomware creators are focusing more than ever on generating revenue and are now targeting enterprise users in addition to individuals.

“These direct attacks are becoming increasingly efficient and lucrative, generating huge profits. Our security researchers calculate that ransomware nets our adversaries nearly $34 million annually,” the report said.

The report said that it is time to improve the odds at handling this type of attack.

At the moment asymmetric attacks are outpacing responses. Attackers’ innovative methods of exploit, persistency, shifting tactics, and ability to operate on a global level create an ominously complex and moving target.

“Our research shows that adversaries are now exploiting vulnerabilities in encryption, authorization, and server-side systems, using ‘malvertising as a service’ to infect web users, as well as tampering with secure connections like HTTPS. This final example alone has users thinking incorrectly that their connections are secure, leading to a false sense of security and making it increasingly difficult to determine if a connection has been compromised,” the report said.

Security reseller faces hacking charges

Five employees from cybersecurity outfit Quadsys have admitted to hacking into a rival company’s servers.

The hack was apparently to nick customer data and pricing information and the top Quadsys managers have fessed up and pleaded guilty to hacking charges. Oxfordshire, UK-based Quadsys is a reseller of IT and cybersecurity products, hardware and services. The firm sells software from vendors including Websense, Checkpoint and F-Secure. Customers include Leeds United FC, South Tyne and Wear Primary Care Trust and Derry City Council.

The owner of Quadsys, Paul Streeter, managing director Paul Cox, director Alistair Barnard, account manager Steve Davies and security consultant Jon Townsend all appeared at Oxford Crown Court and admitted to “obtaining unauthorised access to computer materials to facilitate the commission of an offence”.

This could lead to up to 12 months testing the security bars of a prison.

In March 2015, the five men were arrested and then charged in August. The group were originally held on suspicion of conspiracy to commit computer misuse offences, unauthorised PC access and conspiracy to acquire and use criminal property — allegedly, the data belonging to customers of the rival company, as well as the firm’s pricing tiers.

However there are signs that they might not get the full weight of the law pressing upon them. The judge in charge of the case reduced the severity of the charges. All five pleaded not guilty to one count of “securing unauthorised access to computer material with intent,” which is against the UK Computer Misuse Act 1990.

After three plea and case hearings, an additional count of securing access to computer material without criminal intent was added to the list, to which Townsend pleaded guilty. Cox was also charged with blackmail, to which he pleaded not guilty.

They are due to be sentenced on 9 September. A second charge, obtaining unauthorised access to computer materials with intent to commit an offence, will also be heard.

 

Security vendor revenues rising as market contracts

Beancounters working for analyst outfit Gartner have added up some numbers and divided by their shoe size and worked out that security software revenues have risen 3.7 percent and were worth $22.1bn in 2015.

The report said that security information and event management remained the fastest-growing sub-segment of the cybersecurity market and saw 15.8 per cent growth. Consumer security software recorded a 5.9 percent year-on-year decline.

The top five vendors were Symantec, Intel, IBM, Trend Micro and EMC and they accounted for 37.6 percent of the security software revenue market share, down.

These vendors saw a collective decline of 4.2 percent in 2015, while the rest of the market grew strongly at 9.2 percent year on year. In fact, of the top five only Biggish Blue grew and increased its revenue by 2.5 percent to reach $1.45 billion.

Symantec and Intel Security both suffered from the long-standing decline of the consumer market for anti-virus products and services. But Symantec still remained on top despite suffering a third consecutive year of revenue decline and its highest decline in revenue over a three-year period.

Still at least it did better than Intel which saw revenues fall from $1.83bn to $1.75bn between 2014 and 2015.

Cisco writes a cheque for cloud-lock

Networking Tsar Cisco has written a $293 million cheque for cloudy security outfit CloudLock.

CloudLock provides cloud access security tech, and analytics on user behaviour and sensitive data for cloud services. Cisco said that the acquisition will close in the first quarter of fiscal year 2017 and the CloudLock team will join Cisco’s Networking and Security Business Group.

It will be ruled by Senior VP and general manager David Goeckeler.

Cisco Corporate Development’s Rob Salvagno said the acquisition will boost security for companies seeking to migrate to the cloud. In fact Cisco is buying rather a lot of cloudy security outfits lately.

It bought Lancope for $452 million, Portcullis Computer Security for an undisclosed sum, and OpenDNS for $635 million.

 

 

Exclusive poaches Arrow and Computerlinks’s David Ellis

French-based Exclusive Group has poached Arrow executive David Ellis to head up the distributor’s global services.

Exclusive says Ellis will use his experience in supporting new and disruptive technologies to roll out new services offerings for the cybersecurity market, which probably means the outfit’s cloud services.

Barrie Desmond, COO of Exclusive Group, said that the company was seeing more global deals and its ability to support these will add even more value to its vendor and channel partners.

“Global services are a key part of our growth strategy over the next three to five years and Ellis will play a crucial role in achieving this. I’m pleased to welcome him on board and looking forward to working with him for what promises to be an exciting journey ahead.”

Ellis was a key manager for Arrow in EMEA, responsible for vendor business development and the roll-out of new propositions. Before that, he was director of New Technology and Services at Computerlinks before its acquisition by Arrow. In his 13 years with Computerlinks he built and grew an e-Security offering before assuming responsibility for services, emerging technology and market sectors.

He said: “Exclusive has built an enviable reputation for disrupting traditional value-add distribution and I’m really excited to now be part of this.

“In my time within the industry I’ve identified and brought to market a number of new technologies and services, and have seen the cybersecurity market evolve at breakneck speed. I can’t wait to start helping our vendor and channel partners achieve even more value from their relationship with Exclusive Group through new global service offerings.”

 

IT Security budgets increase

Companies have more money to spend on IT security, according to the latest figures from the Institute of Information Security Professionals (IISP).

The outfit has released the findings from its 2016 member survey which reveals that for over two thirds of members, information security budgets have increased. Only 15 per cent said that they had stayed the same.

However the report suggests that over 60 percent of respondents felt that budgets were still not keeping pace with the rise in the level of threats. Only seven per cent felt their budgets were rising faster than the level of threat.

Piers Wilson, Director at IISP said that in times of financial pressure or instability as we have seen in recent years, security is often seen as a supporting function or an overhead.

“Security budgets are hard won because they are about protection against future issues, so are a good indication of the state of risk awareness in the wider business community. While it is good news that businesses are increasing investment, it is clear that spending on security is still not at a level that matches the changing threat landscape.”

The survey also found that when it comes to recruitment, there is still a skills shortage but the problem doesn’t just lie in the number of people. Respondents point to a shortfall in the level of skills and experience, making staff training, development and retention crucial to the future of the industry.

The survey shows that there are growing challenges from more types of attack, more sources of threats, greater reliance on increasingly complex IT systems, shortage of effective security staff and a regulatory environment that is both fluid and challenging. However, the heightened awareness of security risks and the impacts of a breach are driving an increase in investment, skills, experience, education and professionalism.

“While there is clearly much more to be done, the results of the IISP Member survey are encouraging,” concludes Piers Wilson.

IT security market worth $170 billion by 2020

The IT security market will be worth $170 billion by 2020, which means growing by $100 billion from now.

India-based firm MarketsandMarkets says the 2020 total includes security technologies like data leak prevention, denial of service attack mitigation, and compliance, along with security services.

“MarketsandMarkets expects the global cyber security market to grow from US$106.32 billion in 2015 to US$170.21 billion by 2020, at a compound annual growth rate of 9.8 percent,” MarketsandMarkets said.

Gartner said something similar. Its latest November figures predicted that security spend, pegged at $75 billion, is reckoned to be worth $91 billion by the end of the year. Big G said the security industry will be worth some $116 billion by 2019 with security services including consulting, hardware support, and outsourcing adding a further $73 billion by 2019.

Most of the cash appears to be being spent in North America, while significant revenue growth is expected from Latin America and Asia-Pacific regions. The most popular is expected to be managed security services.

 

Security vendor sued for poor security

Security resellers will be a bit nervous about the outcome of a court case in the US where an anti-virus software maker has been sued after a casino became infected with malware.

If the case against Trustwave succeeds it could mean that security companies could be sued if they fail to stop serious breaches.

US casino chain Affinity Games is suing Trustwave, a cyber-security vendor that was brought in to investigate a card breach but failed to detect and stop a malware incident on Affinity’s servers, which led to the escalation of a previous card breach.

In October 2013 Affinity Games was notified of fraudulent credit card activity on the bank accounts of numerous victims and it hired Trustwave to sort out what was believed to be malware on its system.

Trustwave was hired to investigate and stop a credit card breach. On January 13, 2014, Trustwave reassured the casino chain that the incident “has been contained” and that a “backdoor component appears to exist within the code base, but was inert.”

Trustwave also said that the malware’s author became aware that he was detected, and stopped all activity on October 16, 2013, also removing and deactivating some of the malware’s components.

In April 2014 the server and the application from where the suspicious activity was coming were previously tested and deemed safe in Trustwave’s report.

On April 19, 2014, Affinity hired another cyber-security investigator, Mandiant, a FireEye subsidiary, to investigate these new findings in depth. It found that the breach thought shut down by Trustwave had continued to be open until April 27, 2014, when Mandiant security experts shut it down.

Affinity says that Trustwave failed to remove the malware it discovered, failed to find all pieces of the malware, and also failed to identify evidence in some logs it looked at.

In its lawsuit, Affinity claims that “Mandiant’s investigation and remediation confirmed that Trustwave’s representations were clearly inaccurate, and its efforts woefully lacking.”

Affinity is looking for damages in excess of $100,000.

Execs go as Kaspersky loses business

Two of Kaspersky Lab’s top US executives have cleaned out their desks after they failed to convince US government officials that not everyone in Russia is a pawn in Tsar Putin’s game.

The company’s leader of its North American operations and the head of a Washington-area office went as it struggles to win US government contracts.

Company Chief Executive Eugene Kaspersky confirmed the changes in an interview with Reuters during a visit to China but claimed the two personnel changes were unrelated.

Kaspersky said the North America head Christopher Doggett had gone to a competitor while Kaspersky “decided to change leadership in DC,” where the two-year-old office pursues work protecting government agencies and critical infrastructure.

Doggett and former Washington-area head Adam Firestone are not saying anything.

But the shakeup comes at a time when Kaspersky says it is hard for non-American security companies to win bids for federal jobs and big US corporate contracts. The Americans were not really loyal to any non-American products and only British companies are treated in the same way as the Americans.

Kaspersky has been the foremost researcher uncovering Western government spyware for the past several years. Earlier this year, it said it had itself been attacked by one of the most sophisticated strains uncovered to date, with an intrusion it hinted came from U.S. ally Israel.

Kaspersky has also come under US scrutiny for other reasons after claims that it distributed malware samples that were designed to trigger false positives by rival companies, prompting them to isolate legitimate software on users’ computers. Kaspersky denied it.

But the stories apparently drew attention in the White House and intelligence agencies and decreased Kaspersky’s chances of getting significant government contracts.

Security breaches are the kiss of death for companies

Customers are walking away from companies who have experienced a data loss due to hacking, according to a new survey.

Data security outfit Gemalto said that more than 64 per cent of consumers surveyed worldwide say they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen.

Almost half – 49 per cent – had the same opinion when it came to data breaches where personal information was stolen.

Gemalto surveyed 5,750 consumers in Australia, Brazil, France, Germany, Japan, United Kingdom and United States.

It found that 60 percent of consumers thought that threats to their personal information increase during the festive season, and nearly 20 percent believe that they are likely to be a victim of a breach during the holiday season.

Only a quarter of all respondents feel that companies take the protection and security of customer data very seriously. More than twice as many respondents feel that the responsibility of protecting and securing customer data falls on the company (69 percent) versus the customer (31 percent). Of the employed respondents, only around two fifths (38 percent) feel that their employer takes the protection and security of employee data seriously.

A third of respondents have already been affected by a data breach in the past. Around 40 percent were through visiting a fraudulent website (42 percent), phishing attacks (40 percent) or clicking a fraudulent web link (37 percent).

The survey found that customers were getting increasingly impatient with breached companies.

Around a quarter of those who have been a victim of a data breach either have taken, or would consider taking, legal action against the breached company involved in exposing their personal information. Almost half of respondents said they would take or would consider taking legal action against any of the parties involved in exposing their personal information.

Microsoft spends a billion on holistic security

Software king of the world Microsoft has invested a billion dollars to come up with an integrated security approach across its software and services.

According to Dark Reading, Microsoft has spent the cash coming up with a new “holistic” type of security which apparently does not involve crystals, spangley music or poisons diluted by lots of water.

Vole’s chief information security officer Bret Arsenault wants his company’s strategy to appear in the company’s internal network and across its Windows, Office, and cloud offerings to customers.

To do that Vole will gather threat intelligence from sensors and customers and then use it for detection, protection, and responding to security events.

Microsoft’s $1 billion in security spending this year includes Microsoft’s “organic” investments and three security firms. These have included behavioural learning and Active Directory security firm Aorato, cloud security firm Adallom, and most recently, data and file protection firm Secure Islands.

Arsenault said that Microsoft had always done a good job in caring about writing secure code and making secure services.

“We needed to do more to protect endpoints and get intelligence from the cloud … so we’re making investments in a number of areas,” he said.

Microsoft’s Enterprise Cybersecurity Group (ECG) focuses on sales and services in “nothing but cyber defence,” he said. This group will work with Microsoft’s security partners and, for example, the Office 365 and Azure teams, he said.

ECG will provide security assessments, monitoring, threat detection, and incident response to Microsoft customers.

Microsoft has also opened a state-of-the-art Cyber Defence Operations Centre (CDOC) which co-locates members of the company’s internal security team, Microsoft Security Response Centre, security experts in Azure, Windows, Office 365, security analysts, as well as its Digital Crimes Unit and other groups, for detecting and responding to threats in real-time.

The idea is to have all the different bits of the glorious Volish empire working together so that security features in Windows 10, Office 365, Azure, and Enterprise Mobility Suite work together to prevent password-related attacks, data loss, and malware.

Symantec pledges itself to the Channel

Symantec talked up its channel plans even if its global sales boss, dubbed a “channel champion”, has exited the company.

In a second-quarter conference call Morgan Stanley analyst Keith Weiss said he was concerned about the exit of Adrian Jones as Symantec’s head of global sales. Weiss called Jones a “channel champion”.

Symantec chief executive Mike Brown said Jones’ leaving will not put the brakes on Symantec’s channel momentum.

“The good news is, we have a pretty deep bench of folks with experience with the channel,” he said. “Symantec always have been a channel company. We’ve been a channel company for 30 years.

“So I think those partners who work with us for a long time know that our commitment is unwavering there. And it’s great that we’ve now introduced Secure One, our new channel programme, which now for the first time can be focused on security partners.”

He said that Symantec’s channel was previously more geared towards its Veritas business.

Symantec is spinning off its information management arm Veritas on 1 January but the duo split operationally on 3 October.

Veritas unveiled its new partner programme this week and apologised for some technical issues thrown up by the split last month.

Brown insisted when questioned that Jones’ leaving will not put the brakes on Symantec’s channel

“At our October partner event, the feedback was overwhelmingly positive as we laid out our strategy with the launch of Secure One, an enhanced channel partner programme tailored specifically for security-focused channel partners. The new programme consists of training, deal registration, technology support and incentives to drive the results for successful long-term relationships.”

Financial services offer rubbish security

Kaspersky Lab and B2B International have worked out that a third of financial services don’t offer customers a secure channel for all their online payments.

This is despite the fact that 62 percent of these organisations have noticed a significant rise in their customers making financial transactions online, and 50 per cent believe online financial fraud is increasing.

The survey found that many banks and payment companies are struggling to fully protect themselves and their customers from financial fraud at a time when customers are using an ever-wider range of devices to conduct a growing number of financial transactions online.

Two-thirds say that customers are increasingly using different devices to make online payments, yet just half have implemented two-factor authentication and only half have introduced a specialised, real-time anti-fraud solution. This is despite the fact that 22 percent believe this is the most effective form of protection available. About 42 percent extend such a solution to customer devices and only 67 per cent implement a secure connection for all online payments.

About half admit that they are only mitigating risk rather than removing it altogether and 29 percent say it is cheaper to deal with online financial fraud incidents as they arise rather than to try to prevent them from happening.

Kirill Slavin, general manager UK and Ireland, Kaspersky Lab said that the study shows that banks and payment organisations are finding it difficult to manage online financial fraud in today’s connected, omni-channel consumer landscape.

“About 38 percent of the organisations we spoke to admit that it is increasingly difficult to tell whether a transaction is fraudulent or genuine, with a worrying one in three opting for a ‘we’ll deal with it as it happens’ approach to fraud protection,” he said.

“If you consider that our own research uncovered 22.9 million financial malware attacks in 2014, targeting 2.7 million customers worldwide, it is clear that dealing with each incident individually is not a viable, long-term option. Customers deserve better and so do the financial services,” Slavin said.

The study found that general Internet-security software solutions are not widely regarded as an effective method for preventing the increasingly well-disguised phishing and malware attacks that can lead to financial fraud. Less than ten percent of respondents favoured this option.

The IT Security Risks Survey 2015, conducted by Kaspersky Lab and B2B International, involved more than 5,000 company representatives, including 131 banks’ and payment services’ representatives, from 26 countries.

[That’s enough percents, Nick. Ed.]

Cyber Insurance market to triple

The cyber insurance market will triple in size to $7.5 billion in annual premiums by 2020 according to a new consultant’s report.

But PwC said insurance companies would not be laughing all the way to the bank as the insurance industry could face competition from disruptors such as Google.

Insurers and reinsurers are charging high prices for cyber cover and putting a ceiling on potential losses, deterring companies from buying cyber policies, the report said. Some insurers have kept out of the market, wary of the risks.

PwC’s Paul Delbridge said that if the industry takes too long, there is a risk that a disruptor could move in and corner the market by aggressively cutting prices or offering much more favourable terms.

Millennials – people in their 20s and 30s – are more likely to trust brands such as Google than conventional insurers and Google would be very creative.

Technology companies may also be better equipped than insurers to price cyber risk, he added.

Most of the $2.5 billion written in cyber insurance last year was in the United States, where requirements to notify data breaches have focused attention on cyber protection.

But the European Union is expected to follow suit, contributing strongly to growth in cyber insurance, Delbridge said.