The Truth Behind Data Breaches

Thursday, February 16, 2012

Neira Jones


I was pleased to see the Trustwave 2012 Global Security Report was released recently, as I find it always a very good source of information.

This year’s report analyzes 300 data breach investigations across 18 countries and, unsurprisingly, 89% of the breaches involved the theft of customer records, including payment card data and other personally identifiable information such as email addresses.

Trend alert...

As per previous years, 85% of the caseload originated from the food & beverage (43.6%), retail (33.7%) and hospitality (8%) industries. Disappointingly, and also in line with previous years, criminals continue to focus on these industries due to well-known payment system vulnerabilities and poor security practices.

New for 2011 was the targeting of businesses operating franchise models; these represented more than one-third of breached entities in food and beverage, retail, and hospitality. The use of common infrastructure in such models is widespread, and when vulnerabilities are present they are duplicated across the entire franchise base. Cyber-criminals took full advantage of this in 2011.

Who, me?... Or the case for incident response

As in previous years, as many as 84% of organisations were notified of the breaches by external entities (e.g. regulators, law enforcement, third parties or the public), and within those 84%, attackers had an average of 173.5 days within the victim’s environment before detection occurred. That’s a staggering 6 months in which to harvest valuable information assets.

In addition, the number of self-detected compromises decreased by 4% since 2010, which may indicate a decline in the resources allocated to the detection and management of incidents.

By contrast, businesses that detected the breaches themselves were able to identify attackers within their systems 43 days on average after the initial compromise; or one fourth of the time that attackers would have had in the previous scenario; or one fourth of the information that could have been harvested otherwise; or one fourth of whatever the business really cares about.

In any instance, that’s a ready-made business case for the development and maintenance of a robust incident response plan, and cutting cost in this space really isn’t a good idea... If you’re interested, see my previous post on the subject...

Passing the buck...

76% of the breaches were caused by third parties responsible for system support, development and/or maintenance who introduced the security deficiencies exploited by attackers. The report notes that merchants were unaware of the security best practices or compliance mandates by which their partners were required to abide or that the third party was only responsible for a subset of security controls.

In addition, many third-party IT service providers still use standard passwords across their client base and in one 2011 case, more than 90 locations were compromised due to shared authentication credentials. 80% of the breaches were due to weak and/or default administrative credentials. 

With the prominence of outsourced services and cloud computing, I cannot stress enough the importance of:

  • Selecting the right partners and making sure they have the right security posture and credentials (e.g. compliance with the PCI DSS, etc.)
  • Reviewing contractual clauses (including liability shift) with partners handling any valuable assets.

EMV/Chip & PIN gets the thumbs up...

In contrast to data compromise trends in the Americas, the report acknowledges that very few data compromises occurred in POS networks in Europe, the Middle East and Africa (EMEA) as a result of higher adoption of Chip & PIN (EMV) which gives fewer opportunities in these markets for the theft of track data used in mag-stripe transactions. Therefore, the majority of data breaches in EMEA occur at e-commerce merchants.

SQL injection again...

Yes, SQLi was the number one attack vector found in the Web Hacking Incident Database and the number one Web-based method of entry in incident response investigations. Combined with the potential impact of bulk extraction of sensitive data, SQL injection was the number one Web application risk of 2011...

And finally...

Criminals are increasingly automating the process of finding victims (through the identification of basic vulnerabilities) and extracting valuable data which lowers the cost of performing attacks, which in turn lowers the minimum yield for a victim to be of interest.

Unsurprisingly therefore, the report’s number one recommendation is the education of employees: “The best intrusion detection systems are neither security experts nor expensive technology, but employees. Security awareness education for employees can often be the first line of defence.”

Until next time...

Cross-posted from neirajones

Phil Agcaoili
I think that you missed a critical element in your analysis:
"the targeting of businesses operating franchise models and these represented more than one-third of breached entities in food and beverage, retail, and hospitality. The use of common infrastructure in such models is widespread and when vulnerabilities are present, they will be duplicated across the entire franchise base."

Franchise models have a base set of standards. What if the vulnerabilities were not covered in the standards? Exploitation of the gaps was perhaps the repeatable vulnerability for attackers. Franchise models (in any business) allow non-standard approaches that may universally open the door for attackers.

This is why I am a fan of standardization and, if warranted, centralization.

It’s much easier to find a systemic issue in a standardized approach that is centralized than do one-off forensics or root cause analysis, then look for systemic duplication of the flaw, and then manage clean up for unique instances.
Phil Agcaoili
“within those 84%, attackers had an average of 173.5 days within the victim’s environment before detection occurred. That’s a staggering 6 months in which to harvest valuable information assets.”

Add this to the 2012 Verizon Data Breach Investigations Report that found that:

1- 92% of incidents were discovered by a third party (+6%)
2- 84% of breaches had available log evidence

"While at least some evidence of breaches often exists, victims don’t usually discover their own incidents. Third parties usually clue them in, and, unfortunately, that typically happens weeks or months down the road."

Sadly, those compromised had the log evidence.
What are they all doing with respect to detection? Are they even looking? If so, what are they looking for? Do they know what indicators to look for?

3- 97% of breaches were avoidable through simple or intermediate controls (+1%)
Ouch. Again, controls are not in place.
What controls are people following if any?
ISO 27002 controls or PCI-DSS controls are a start. Why not have those controls in place in the scoped environment?
Neira Jones
Hi Phil, many thanks for your comments and additions, I know it takes time. Your point about franchises is well made. Also, please note that this post was produced in February and that the DBIR hadn't been released then. Please see https://www.infosecisland.com/blogview/20967-Verizon-DBIR-2012-Some-Context.html for my other post.
Kind regards,
Neira
Phil Agcaoili
Thank you.

Great observations. Keep them coming. I think there are too many reports and having someone like you linking them is very helpful.
Neira Jones
Thanks Phil! :)
Neira