by CIO Staff

Data breach report reveals an increase in insider threats, social tactics and malware

Nov 01, 2010
Financial Services IndustryIT LeadershipIT Strategy

Being prepared remains the best form of defence against security breaches, says the 2010 Verizon Data Breach Investigations Report (DBIR).

Surely, this conclusion seems most fundamental to anyone with risk management responsibility for their organisation, but once again, the report illustrates the challenges of keeping pace with the ever-changing data security dynamic. The report­ highlights security management as its key message and explains that despite all astuteness of the perpetrators of cybercrime, there are tools that impede their efforts.

The challenge for companies is ­selecting the right tools for the job at hand and ensuring its ongoing maintenance to avoid data breach. Data breach will be the consequence of any sorts of negligence, implies the report.

The 2010 report is the third instalment in Verizon’s continuing effort to shed light on the ‘how’ of things in the world of computer crime. This latest instalment also marks the first collaboration of its kind bet­ween the Verizon RISK (Response, Intelligence, Solutions, Knowledge) team and the United States Secret Service (USSS), providing an even more robust view into cybercrime happenings.

The DBIR series now, with the addition of Verizon’s 2009 caseload and the USSS contributed data, spans six years, more than 900 breaches and more than 900 million compromised rec­ords. With criminals becoming increasingly adept at circumventing security measures, the task of protection is not getting easier, but as valuable insights are uncovered, new practices can be implemented and more effective measures taken.

The methodology Verizon based its results on first-hand evidence it collected during paid forensic investigations between 2004 and 2009. The 2009 caseload served as the primary analytical focus of the report. The Investi­gative Response team worked on confirmed breaches included in this data set using the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to record case data and other relevant details. This was then submitted to members of the RISK Intelli­gence team for further validation and analysis.

For the purposes of this study, the USSS created an internal application based on the VERIS framework. In alignment with the focus of the DBIR, USSS narrowed the scope from the thousands of cases worked on during 2008 and 2009 to those involving confirmed organisational data breaches.­ It further narrowed it to include only cases for which Verizon did not conduct the forensic investigation.

Of these cases, a sample was taken and requests to input data were sent to USSS agents who worked on each case. These agents used investigative notes, reports from victims or other forensic firms, and their own experience gained in handling the case. This yielded 257 qualifying cases for which data was collected within the set time frame.

The study The study marks an increase in insider threats (48 per cent), which were common in the USSS cases. Cases that involved social­ tactics (28 per cent) more than doubled and physical attacks (15 per cent) like theft, tampering and surveillance moved up several notches.

The report shows that organised groups outside the victim organisation largely perpetrated the majority of breaches and almost stole all data (98 per cent) in 2009, while breaches linked to business partners dec­lined to 11 per cent.

Related to the larger proportion of insiders, misuse (48 per cent) sat atop the list of threat actions that lead to breaches in 2009.

Hacking (40 per cent) and malware threats (38 per cent) ranked a close second­ and third respectively.

Weak or stolen credentials, SQL injection and data-captur­ing, and customised malware continued to plague organisations trying to protect information assets.

As is in previous reports, Verizon’s ­investigative experts pointed out that a defining characteristic between data-at-risk incidents and those that involved actual compromise was that nearly all data was breached from servers and applications. The proportion of breaches stemming from highly sophisticated attacks remained rather low yet again accounted for roughly­ nine out of 10 records lost.

79 per cent of the victims subject to PCI DSS standards had not achieved compliance and 86 per cent of victims had evidence of the breach in their log files.

The data indicates that if security­ basics were followed, most breaches (96 per cent) could have been avoided without difficult or expensive controls.

85 per cent of ­attacks were not considered highly difficult and only four percent of breaches assessed required difficult and expensive protective measures. The report added that organisations remained sluggish in detecting and ­responding to incidents.

Stressing the need for security management, the report cites stolen or weak credentials as the means most likely to gain unauthorised access in 2009. The study ­attributes this to various factors like attackers’ awareness of the user’s over-privilege, or the company’s oversight in monitoring user activities.

Regardless of the reason, this calls for a lot of work. Some of the areas where efforts can be focused on are malware and monitoring. Malware gets increasingly difficult to detect and prevent, especially once the attacker owns the system.

Protection against the damage malware does after the infection is important and much of which can be mitigated if outbound traffic is restricted. Monitoring logs is the other area key area of focus.

The recommendations – Restrict and monitor privileged users: The USSS data shows an increase in insider threats. Even though insiders, and especially highly privileged ones, can be hard to control, the companies could trust but verify. They can use pre-employment screening to eliminate problems before they hit, limit user privileges and use separation of duties.

Put the emphasis on awareness of policies and expectations and subsequently its adherence. Privileged use should be logged and messages generated to management. Unplanned privileged use should generate alarms and be investigated.

– Watch for minor policy violations: The report points to a correlation between minor­ policy violations and more serious abuse. Organisations should cautiously but adequately respond to policy violations. Based on case data, the presence of illegal content such as pornography on user systems is a reasonable indicator of a future breach. Actively searching for such signs rather than just handling them as they pop up may prove even more effective.

– Implement measures to thwart stolen credentials: In 2009, stolen credentials were the most common way of gaining unauthorised access to organisations. The priority here is to keep credential-capturing malware off systems. If need be consider two-factor authentication and if possible, implement time-of-use rules, IP blacklisting and restrict administrative connections.

Another possible option, adds the report, is a last-logon banner and training users to change passwords upon suspicion of theft.

– Monitor and filter outgoing network traffic: At some point during many breaches, something (communications, connections, data) goes out that, if prevented, could break the chain and stop the breach. An organisation will greatly increase its chances of mitigating malicious activity by monitoring, understanding and controlling outbound traffic.

– Change your approach to event monitoring and log analysis: Regular monitoring and log analysis can save time, effort, and money and reap other benefits. Ensure adequate resources and sufficient processes are in place to recognise and respond to anomalies. Use the time to rely on meticulous batch processing and log analysis­.

­Focus on the obvious (the haystacks) rather than the minutiae (the needles). This need not be expensive; a simple script that counts log lines/length and sends an alert if out of tolerance can be effective.

– Share incident information: The success of any security programme depends on the decisions companies make and these decisions depend upon what they believe to be true. These beliefs depend upon what they know, which is based upon the information available to them. And the availability of this information depends entirely upon those willing to collect, analyse, and share it.

If this chain of dependencies holds, then the success of any or all security program­mes depends upon the information the company is willing to share the better equipped we can all be to prevent malicious and threatening activities. This final recommendation concludes the report, and is where a call to action lies.

Download the report in full from the CIO Enterprise Security Zone