Security

October 8, 2009 7:37 AM PDT

Verizon, McAfee team up on security products

by Lance Whitney

With security and cloud computing both hot-button topics, Verizon Communications and McAfee are joining forces to offer customers a combination of the two.

Verizon's business unit and McAfee announced Thursday a new joint venture to sell cloud-based security products and services to large businesses and government agencies. With more companies tapping into the "cloud" to lower costs and outsource administration, McAfee and Verizon will sell a new suite of cloud-based security products, expanding on Verizon's current lineup.

Managed by Verizon, the new cloud-based services will offer an array of security products, including firewalls, intrusion prevention, anti-malware, and Secure Sockets Layer (SSL) virtual private networks (VPNs).

"This strategic agreement with McAfee enables us to drive even more complete and integrated IT solutions to enterprises across the world," said Kerry Bailey, senior vice president of Verizon Business global solutions. "Our newly expanded and next-generation cloud capabilities will enable organizations to better use security as a strategic tool and business enabler."

The team-up will also allow Verizon and McAfee to tap into each other's portfolio of products and services.

Verizon will offer its customers McAfee's entire line of security software and will soon provide McAfee's PCI (Payment Card Industry) compliance services to banks and other organizations that need to secure credit card data.

The PCI services will be targeted to "Level 4" merchants--businesses that manage up to 1 million credit card transactions each year. Verizon said this business class is at the highest risk for security breaches and accounts for one-third of all credit card transactions. In April, Verizon released a report showing that more payment card records were breached in 2008 than in the previous four years combined.

McAfee's customers will now be able to contact Verizon's network of 1,200 security professionals for assistance on setting up and managing in-house security.

Finally, Verizon will help McAfee consolidate its data centers, so that McAfee can better offer 24/7 management for its own Web hosting and cloud-based services.

Verizon and McAfee will target the new products and services to small-to-medium companies, large enterprises, and government entities.

McAfee has been pushing to grow beyond the consumer market through a series of deals and acquisitions. In July, the company said it would buy MX Logic, which provides cloud-based e-mail and other services. In May, McAfee bought white-listing vendor Solidcore.

April 15, 2009 5:03 PM PDT

Report: Payment card data was top target in 2008

by Elinor Mills

More records were breached in 2008 than in the previous four years combined as a result of a few large breaches involving payment cards, according to a report released on Wednesday.

Last year, 295 million records were compromised and there were 90 confirmed breaches, the Verizon Business 2009 Data Breach Investigations Report (PDF) found.

The top five breaches accounted for 93 percent of total records compromised. As a percentage of caseload, 80 percent were payment card breaches, while payment card data represented 98 percent of all records compromised last year.

PIN data was increasingly targeted in 2008 in attacks in which magnetic-stripe data and PIN data were used for identity fraud. For example, criminals used the data to make ATM withdrawals from victims' accounts.

PIN data stolen in a breach at payment processor RBS WorldPay was used to clone cards and withdraw millions of dollars from victim bank accounts last year. Meanwhile, payment processor Heartland had a huge data breach of its own last year that it reported in January and there have been reports of another breach at an unidentified institution.

More than three-fourths of organizations suffering payment card breaches were found to be not compliant with PCI data security standards or had never been audited. The typical organization had met less than a third of the requirements in the standards, the report found.

This chart shows threat categories by percent of breaches (black) and records (red).

(Credit: Verizon)

Of the total breaches, 75 percent came from external sources, 39 percent involved multiple parties, 32 percent involved business partners and in 20 percent of the cases insiders were implicated. Three-fourths of the breaches were undiscovered and uncontained for weeks or months.

As far as types of breaches, 64 percent resulted from malicious hacking, 38 percent used malware, 22 percent involved privileged misuse, and 9 percent used physical attacks such as equipment theft or tampering.

In about four of 10 hacking-related breaches, an attacker gained unauthorized access to the victim via one of the many types of remote access and management software, typically provisioned to third parties for remote administration.

During 2008, malware was involved in more than one-third of the cases investigated and contributed to nine out of 10 of all records breached.

"Malware is now an essential component to nearly all large-scale data breach scenarios," the report said. "Hacking gets the criminal in the door, but malware gets him the data."

March 9, 2009 12:42 PM PDT

Verizon's info sharing opt-out mess

by Elinor Mills

Verizon Wireless is being criticized (again) by customers for its policy of requiring them to opt out or have their information shared with other Verizon-owned businesses.

The company began notifying customers in 2007 that they had 45 days to opt out. David Weinberger, a fellow at Harvard's Berkman Center for Internet & Society, received the "small legalistic pamphlet" from Verizon recently and wrote a blog posting on Friday detailing how difficult it was to opt out online, even with customer support help.

"The whole thing sucks," Weinberger concluded.

Verizon posted a note on its public policy blog on Monday that said nothing has changed since the policy was first implemented in 2007 and that no personal information is sold to third parties.

"We are keeping all the data in question in the family--unless you tell us not to," Verizon said in an October 15, 2007, statement that was re-posted on Monday.

I called Verizon and got more information. First off, customers can opt out at any time by calling 1-800-333-9956, said Verizon spokeswoman Debi Lewis.

Secondly, the information shared does not include name, address, and wireless phone number, but includes phone usage, billing information, and location information, she said.

Failing to opt out means a Verizon Wireless customer could receive marketing materials from Verizon Telecom, which is the landline business, or conceivably from Vodafone, a U.K. company that has wireless businesses around the world and which owns a 45 percent stake in Verizon, according to Lewis.

Hypothetically, Lewis said, Verizon Telecom could offer voice-to-text or landline voice-mail services to wireless customers, "services that interact and cross over."

Asked why Vodafone would want data on Verizon Wireless customers in the U.S., Lewis said: "What they do with it, it's hard for me to say."

This is the FAQ from the pamphlet notice to customers about opting out of data sharing with other Verizon businesses. (PDF)

(Credit: Verizon)

Originally posted at Wireless

November 20, 2008 8:41 PM PST

Report: Obama's cell records improperly accessed

by Elinor Mills

President-elect Barack Obama's cell phone billing records were improperly accessed by employees of Verizon Wireless, CNN reported late on Thursday.

Obama's transition team was informed of the breach by Verizon Wireless representatives on Wednesday, team spokesman Robert Gibbs told the news agency. The Secret Service has been informed, Gibbs said.

The phone, a voice flip-phone with no e-mail access, is no longer active or being used by Obama, the report said. Lists of phone numbers and calls made by Obama could have been accessed, but "nobody was monitoring voicemail," Gibbs is quoted as saying.

Verizon Wireless has notified federal law enforcement authorities, Verizon Wireless President and Chief Executive Lowell McAdam wrote in an internal company e-mail distributed on Wednesday that CNN obtained. In a press statement, McAdam wrote:

"This week we learned that a number of Verizon Wireless employees have, without authorization, accessed and viewed President-Elect Barack Obama's personal cell phone account. The account has been inactive for several months. The device on the account was a simple voice flip-phone, not a BlackBerry or other smartphone designed for e-mail or other data services."

"All employees who have accessed the account - whether authorized or not - have been put on immediate leave, with pay. As the circumstances of each individual employee's access to the account are determined, the company will take appropriate actions. Employees with legitimate business needs for access will be returned to their positions, while employees who have accessed the account improperly and without legitimate business justification will face appropriate disciplinary action."

"We apologize to President-Elect Obama and will work to keep the trust our customers place in us every day."

Employees who viewed the records without authorization could be fired, McAdam said in the internal e-mail.

This is the latest in a string of technology-related security incidents to hit this election season. Earlier this month, Newsweek reported that PCs used by the campaigns of Obama and former Republican presidential candidate John McCain were compromised last summer.

In September, McCain's running mate Alaska Governor Sarah Palin had her Yahoo e-mail account broken into. And back in April, someone exploited a weakness in the Web site for Obama's campaign and redirected some visitors to then-Democratic presidential hopeful Hillary Clinton's site.


October 2, 2008 7:59 AM PDT

Verizon gets industry-specific in breach report

by Robert Vamosi

Risk factors for data breaches vary from industry to industry and defy a "cookie cutter" approach to security, according to a report released Thursday by Verizon Communications.

The new report (PDF) builds on data released in June. The initial report spanned four years and included more than 500 forensic investigations involving 230 million compromised records.

(Credit: Verizon Business)

In the initial report, Verizon found that 73 percent of the data breaches were the result of outside sources, with only 18 percent from insider threats. Of the outside sources, 39 percent were attributed to business partners. But that's an average.

The new report drills down within four key industries: financial services, tech, retail, and food and beverage. The four constitute 82 percent of all the attacks in the original Verizon report.

"The nature of the threat being faced by each of these industries is somewhat unique," said Bryan Sartin, co-author of the report and director of investigative response for Verizon Business security solutions. Verizon Business is the company's unit dedicated to enterprise and government customers.

The other 18 percent of attacks noted in the June data target manufacturing, hospitality, government, entertainment, education, and "other."

The attacks on the financial industry tend to be sophisticated, Sartin said. A majority come from outside hackers, although a healthy amount could also be attributed to insiders who have been granted access to the data.

"If it's someone using or abusing a legitimate level of access granted to them for the purposes of a security breach, they don't need fancy hacking tools to get access to these systems. They just need anti-forensics tools to cover their tracks on the way out," he said.

Tech industry attacks are similar to those seen in financial services.

Sartin suggests that retail and food and beverage, which includes restaurants and grocery stores, are the polar opposite. In both retail and food, less sophisticated attacks are used and are often the result of a compromised third-party vendor.

In retail and food, the establishment may own the user name and password to the computer system, but someone else actually provides the point of sale (POS) service for them. In environments that rely upon external support, Sartin said, "we also see more and more where these third parties are specifically misusing that level of access granted to them."

Verizon Business investigators will often see a dozen restaurant chains citing the same problem and the same complaints from their customers, Sartin said. "You'll see that they have the same fraud patterns and the same fraud spend (illegitimate purchases), all within the same time frame. So it's compelling circumstantial evidence that it's the same perpetrator doing the same things we've seen elsewhere. And we can get good insight into how they did it. It always suggests that it was a vendor."

Sartin also outlined a scenario in which organized crime members go to "individuals inside the call centers and support centers and say, 'Hey, if you need money' or 'If you hate your job, we're your solution. Just give us access to the data. Better yet, just give us the data. Give us the keys to your customers, and we'll make it worth your while.'"

The goal of the two reports, Sartin said, is to give detailed insight into how data breaches occur, so that companies can address the problems within their specific industry.
