The Game Plan
Microsoft Research Reveals New Trends in Cybercrime
by: Jerry Liao
Microsoft Corp. released research showing an acceleration in the number of security attacks designed to steal personal information or trick people into providing it through social engineering.
Microsoft’s most recent Security Intelligence Report, a comprehensive analysis of the threat landscape, shows that attackers are increasingly targeting personal information to make a profit and are threatening to impact people’s privacy. The report found that during the first half of 2007, 31.6 million phishing scams were detected, an increase of more than 150 percent over the previous six months. The study also shows a 500 percent increase in trojan downloaders and droppers, malicious code used to install files such as trojans, password stealers, keyboard loggers and other malware on users’ systems. Two notable families of trojans detected and removed by the Microsoft Malicious Software Removal Tool are specifically targeted at stealing data and banking information.
A separate study for the Microsoft Trustworthy Computing Group, titled “Microsoft Study on Data Protection and Role Collaboration Within Organizations,” found that organizations with poor collaboration were more than twice as likely as organizations with good collaboration to have suffered a data breach in the past two years.
As more people communicate, access and share information online and the delivery of services and information becomes more personalized, organizations are collecting larger amounts of personal information to provide services to customers. Increasingly, organizations need to share information and conduct business across borders and devices, and with a wide range of internal and external stakeholders. For cybercriminals, these factors represent greater opportunities to steal personal information.
“As the security of the operating system improves, we are seeing cybercriminals becoming more sophisticated, diverse and targeted in their methods of stealing personal information,” said Ben Fathi, corporate vice president of development for the Windows Core Operating System Division at Microsoft. “Personal information is the currency of crime, and malicious attackers are targeting it to make their cyberattacks and other scams more authentic, credible and successful, and to make a profit.”
The research indicates there are tensions within organizations over how data should be managed. Security and privacy professionals see customer data as an asset to protect, while in functions such as marketing, where personal data is collected and used, employees are more likely to see it as a resource to achieve business objectives. Even so, representatives from all three functions agree that the theft or loss of customer data has a potentially damaging impact on brand value and organizational reputation.
One finding in particular from the survey provides evidence that some organizations struggle to align security, privacy and marketing functions. According to the research, 78 percent of security and privacy executives said they were confident that their marketing colleagues consult them before collecting or using personal information. However, only 30 percent of marketers said they actually do so.
Another key finding from the research is that preserving or enhancing an organization’s reputation and trust is important, especially for marketing professionals. More than 65 percent of marketers who collect and use data reported that preserving or enhancing the organization’s reputation and trust was among the most important business drivers for data protection. Avoiding threats is the top business driver for security professionals, and regulatory compliance is the top driver for privacy and compliance professionals. This finding suggests that when approaching data protection issues with marketers, security and privacy professionals will benefit from communicating the reputation and trust impacts associated with a lack of focus on avoiding threats or managing compliance.
Attackers are continuously looking for ways to penetrate systems, and are gradually turning to financial gain as their motive. Let this be a challenge to security providers to come up with better and more effective solutions that help users protect corporate computing infrastructure.