Information security awareness training is more important now for IT Professionals than ever. Why? In November 2009, SC Magazine released an article titled “Cyberattacks against the U.S. ‘rising sharply.’” The article focused on the rise of cyber attacks from 2008 to the first half of 2009 – the numbers were startling. “During 2008, there were 54,640 total Cyberattacks against the U.S. Department of Defense (DoD), according to the report, citing data provided by U.S. Strategic Command officials.”
A brief breakdown of information from the report:
First noticed on January 26, a new attack targeted 10 federal agencies. The most startling discovery made about this recent attack is that it wasn’t fresh.
This specific cyberattack, nicknamed the Kneber Botnet (after the e-mail from which it started and the type of attack), has affected the following:
Information breached by the Kneber Botnet was login and personal information associated with social networking, e-mail and financial Web sites. Due to privacy disclosure issues, the company that discovered Kneber, NetWitness, will not name the affected companies or individuals at this time.
On one hand, it can be argued that it took trained professionals 18 months to discover this attack; on the other hand, if these professionals had not had information security awareness training, the cyberattack could have gone unnoticed.
MSNBC reported back in 2007 that discount retail giant T.J. Maxx (TJX) had discovered a major information security breach. Beginning in January 2003 and ending November 23 of that year, 45.7 million credit and debit card numbers had been stolen by hackers. The total number of card numbers stolen from November 24, 2003 to June 28, 2004 remains unknown. An additional 455,000 customers who had made returns to the store also had their driver’s license numbers compromised.
Technology has come a long way since 2007. If TJX’s IT team had better information security awareness training and processes in place, it’s entirely possible that this breach would not have taken so long to be discovered.
Critical information is compromised on a daily basis. It’s everyone’s job, from government entities to our insurance companies, to protect personal information from falling into the wrong hands. This is why information security awareness training is stressed so much in the IT world, especially after the Privacy Rights Clearinghouse reported that over 345 million records containing sensitive data have been involved in incidents within the United States since January 2005. Yes, it gets worse. Sometime in 2009, one breach alone compromised 130 million records.
70 computers went missing from the labs, including at least 13 PCs that were verified as lost or stolen, and one BlackBerry was left in an undisclosed “sensitive” country. A data breach has not been reported; however, their awareness and asset management practices were off.
Responsible for licensing health care professionals and enforcing standards of practice, this agency reported that its database of prescription drug records for over 500,000 patients was hacked in April of 2009. To make matters worse, a thief posted a ransom note on their Web site asking for $10M.
In March 2009, hackers were able to steal 573,000 debit and credit card accounts by hacking into the web hosting provider’s server. They did this by planting malware that had the ability to intercept all transactions processed by over 4,000 hosted e-commerce merchants. This all took place in just a matter of three months.
An archive tape holding 807,000 records of criminal background checks performed over a 12-year period went missing.
A parked car was the victim of a smash and grab. Stolen from the vehicle was a laptop containing the names, Social Security numbers, and birthdates of approximately one million clients – the data was unencrypted.
It took six months before the health plan carrier admitted that a portable storage drive was missing. The information on the drive was compressed, but not encrypted.
Victim of a malicious phishing scheme, CheckFree’s domains were hit by DNS hijacks. Customers were redirected to a similar-looking page and their information was stolen.
A flaw in SQL programming exposed 32 million user e-mail addresses and clear text passwords in December 2009. E-Security Planet said, “this enormous breach of its entire customer account list can really be attributed to a failure to apply basic security best practices like storing hashed rather than clear text password(s).” In this case, information security awareness training and planning would have been key in preventing this scenario from occurring.
A broken disk drive used by eVetRec, an online health record and discharge paper system, was sent to recycling without being wiped clean. Approximately 76 million U.S. Veterans had their records breached as a result. It is unclear whether anyone got their hands on the information.
The largest cardholder data breach in history was reported. Hackers were able to exploit a SQL injection vulnerability and plant sniffer software. As a result, over 130 million credit and debit card numbers were stolen.
The examples listed throughout the article should be a compelling enough argument that, when it comes to information security awareness training, a company cannot take a risk. Ranked as the #1 Master’s University in the Northern Region by U.S. News & World Report for 20 years, Villanova offers a variety of information security courses, 100% online. These courses will not only help you protect your clients better, but can help prepare you for certifications as well.