8 February 2012

THE TRUTH BEHIND DATA BREACHES...

I was pleased to see the release of the Trustwave 2012 Global Security Report, as I always find it a very good source of information! This year’s report analyses 300 data breach investigations across 18 countries and, unsurprisingly, 89% of the breaches involved the theft of customer records, including payment card data and other personally identifiable information such as email addresses.

Trend alert...
As in previous years, 85% of the caseload originated from the food & beverage (43.6%), retail (33.7%) and hospitality (8%) industries. Disappointingly, and also in line with previous years, criminals continue to focus on these industries because of well-known payment system vulnerabilities and poor security practices. New for 2011 is the targeting of businesses operating franchise models: these represented more than one-third of breached entities in food and beverage, retail, and hospitality. The use of common infrastructure in such models is widespread, so any vulnerability present in the shared build is duplicated across the entire franchise base. Cyber-criminals took full advantage of this in 2011.

Who, me?... Or the case for incident response
As in previous years, as many as 84% of organisations were notified of the breach by an external entity (e.g. a regulator, law enforcement, a third party or the public), and in those cases attackers had spent an average of 173.5 days inside the victim’s environment before detection occurred. That’s a staggering six months in which to harvest valuable information assets! In addition, the number of self-detected compromises decreased by 4% since 2010, which may indicate a decline in the resources allocated to the detection and management of incidents. By contrast, businesses that detected the breach themselves identified the attackers within their systems 43 days on average after the initial compromise: one fourth of the time attackers would have had in the previous scenario, one fourth of the information that could have been harvested, one fourth of whatever the business really cares about. In any event, that’s a ready-made business case for developing and maintaining a robust incident response plan, and cutting cost in this space really isn’t a good idea... If you’re interested, see my previous post on the subject...

Passing the buck...
In 76% of the breaches, the security deficiencies exploited by attackers had been introduced by a third party responsible for system support, development and/or maintenance. The report notes that merchants were often unaware of the security best practices or compliance mandates their partners were required to abide by, or that the third party was only responsible for a subset of the security controls. In addition, many third-party IT service providers still use the same standard passwords across their entire client base; in one 2011 case, more than 90 locations were compromised through shared authentication credentials. Overall, 80% of the breaches were due to weak and/or default administrative credentials. With the prominence of outsourced services and cloud computing, I cannot stress enough the importance of:
  • Selecting the right partners and making sure they have the right security posture and credentials (e.g. compliance with the PCI DSS, etc.).
  • Reviewing contractual clauses (including liability shift) with partners handling any valuable assets.
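The “same password at 90 locations” failure mode above is easy to check for if you hold the inventory of remote-access accounts a provider uses at its client sites. The script below is an added example (mine, not from the report or from Trustwave) that fingerprints each password, flags any fingerprint shared by more than one site, matches accounts against a vendor-default list and reports the blast radius of a single stolen credential. The inventory and the default-credential list are constructed, hypothetical data; the site names, usernames and passwords do not come from the report.

```python
import hashlib
from collections import defaultdict

# Constructed inventory of remote-access accounts a hypothetical IT service
# provider holds for the sites it supports (example data, not from the report).
INVENTORY = [
    {"site": "store-001", "username": "admin", "password": "Support2011!"},
    {"site": "store-002", "username": "admin", "password": "Support2011!"},
    {"site": "store-003", "username": "admin", "password": "Support2011!"},
    {"site": "store-004", "username": "pos",   "password": "pos"},
    {"site": "store-005", "username": "admin", "password": "x9#Lq2!vR8mZ"},
]

# Small constructed list of (username, password) vendor defaults; a real audit
# would load a maintained list for the POS/remote-access products in use.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("pos", "pos"),
    ("administrator", "password"),
}


def fingerprint(password):
    # Short hash so the report can name a reused secret without printing it.
    # Unsalted on purpose: we *want* identical passwords to collide here.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def group_by_password(inventory):
    # fingerprint -> sorted list of sites that use that exact password
    groups = defaultdict(list)
    for acct in inventory:
        groups[fingerprint(acct["password"])].append(acct["site"])
    return {fp: sorted(sites) for fp, sites in groups.items()}


def audit(inventory, defaults=DEFAULT_CREDENTIALS, min_length=12):
    """Return a list of findings as (kind, ...) tuples."""
    findings = []
    for acct in inventory:
        pair = (acct["username"].lower(), acct["password"])
        if pair in defaults:
            findings.append(("default_credential", acct["site"], acct["username"]))
        if len(acct["password"]) < min_length:
            findings.append(("short_password", acct["site"], acct["username"]))
    for fp, sites in group_by_password(inventory).items():
        if len(sites) > 1:
            # One stolen credential opens every site in this group.
            findings.append(("shared_password", fp, tuple(sites)))
    return findings


def blast_radius(inventory):
    """Largest number of sites reachable with a single stolen password."""
    return max(len(sites) for sites in group_by_password(inventory).values())


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
    print("blast radius of one stolen password:", blast_radius(INVENTORY))
```

Run against a real inventory, the “shared_password” lines are the ones to hand to the provider together with the contractual clause that says unique credentials per client; the blast radius figure is the number to put in front of management.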

EMV/ Chip & PIN gets the thumbs up...
In contrast to data compromise trends in the Americas, the report acknowledges that very few data compromises occurred in POS networks in Europe, the Middle East and Africa (EMEA), a result of the higher adoption of Chip & PIN (EMV), which leaves fewer opportunities in these markets for the theft of the track data used in mag-stripe transactions. The majority of data breaches in EMEA therefore occur at e-commerce merchants.

SQL injection again...
Yes, SQL injection was both the number one attack vector recorded in the Web Hacking Incident Database and the number one Web-based method of entry in Trustwave’s incident response investigations. Combined with the potential impact of bulk extraction of sensitive data, SQL injection was the number one Web application risk of 2011...
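To make the “bulk extraction” point concrete, here is an added example of mine (not code from the report or from Trustwave) showing a customer lookup written two ways against an in-memory SQLite database with constructed sample rows: one that concatenates the user-supplied email into the query string, and one that passes it as a bound parameter. The same tautology payload returns every customer record from the first and nothing from the second, and a UNION payload against the first also reads the schema out of sqlite_master, which is how an attacker finds the next table to dump. The table, rows and payloads are all constructed for the example.

```python
import sqlite3


def build_db():
    # Constructed sample data: three customer rows with the kind of field
    # (last four digits of a card) a merchant would not want bulk-extracted.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT);
        INSERT INTO customers (email, card_last4) VALUES
            ('alice@example.com', '1234'),
            ('bob@example.com',   '5678'),
            ('carol@example.com', '9012');
    """)
    return conn


def lookup_vulnerable(conn, email):
    # Attacker-controlled input becomes part of the SQL text itself, so a
    # quote in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # The parameter is sent separately from the statement; the database never
    # parses it as SQL, whatever characters it contains.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed payloads: a tautology that dumps the whole table, and a UNION
# that appends the schema from sqlite_master (column count must match: 2).
PAYLOAD_DUMP_ALL = "' OR '1'='1"
PAYLOAD_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master --"


if __name__ == "__main__":
    db = build_db()
    print("legitimate lookup :", lookup_safe(db, "alice@example.com"))
    print("vulnerable + dump :", lookup_vulnerable(db, PAYLOAD_DUMP_ALL))
    print("vulnerable + schema:", lookup_vulnerable(db, PAYLOAD_SCHEMA))
    print("parameterised + dump:", lookup_safe(db, PAYLOAD_DUMP_ALL))
```

The fix is not input filtering but the bound parameter: `lookup_safe` behaves identically for a real address and for either payload, because the value never reaches the SQL parser. The same rule applies to every driver and ORM; any place the code builds a query with string formatting is the place to look first in an incident.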

And finally...
Criminals are increasingly automating both the process of finding victims (through the identification of basic vulnerabilities) and the extraction of valuable data. This lowers the cost of performing an attack, which in turn lowers the minimum yield a victim must offer to be of interest. Unsurprisingly, therefore, the report’s number one recommendation is the education of employees: “The best intrusion detection systems are neither security experts nor expensive technology, but employees. Security awareness education for employees can often be the first line of defence.” If all else fails, remember that suffering a data breach is not necessarily the end of the world, and you might just be able to recover from it very nicely, but that’s the subject of another post...

Until next time...