
Verizon report goes deep inside data breach investigations

Neil Roiter

SearchSecurity.com

Hackers are using a variety of weapons and exploiting errors such as default passwords and weak or misconfigured access control lists (ACLs), according to the latest Verizon Business Data Breach Investigations Report.

The follow-up to April's 2009 Data Breach Investigation Report looks under the hood of the company's probes, analyzing how breaches happen and how to protect sensitive data.

"Customers who read the 2009 Data Breach Investigation Report said they wanted to know how these attacks take place, give some examples from our caseloads and see if those circumstances can happen to them," said Wade Baker, Verizon Business research and intelligence principal.

Data breaches and identity theft:

April 2009 - Attackers cash in on fundamental data handling mistakes, Verizon finds: Large data breaches are the result of sophisticated, targeted external attacks that exploit basic errors, according to the latest data breach investigation report from Verizon. 

Oct. 2008 - Verizon breach study identifies industry specific threats: Financial firms face the biggest threat from insiders, while security configuration flaws and vulnerable Web apps plague the high-tech, retail and the food and beverage industries.

June 2008 - Data breaches caused by employee errors, process failures: A study released by Verizon Business investigative unit found that employee errors are a contributing factor in nearly all data breaches.

A quick assessment of the most common attack factors shows that hackers use a combination of tools and techniques to break into target enterprises' networks and steal millions of records. The 2009 Data Breach Investigations Supplemental Report reveals that a combination of keyloggers and spyware, backdoor command-and-control tools, SQL injection and packet sniffers was typically used in the attacks that yielded the richest data harvests. More often than not, the bad guys were able to take advantage of default authentication credentials and weak or misconfigured ACLs.

"If you are an attacker, you've got to figure out how to get into the network; find critical data systems," Baker said. "Then exploit those systems and get that data out. All those steps require a different approach and that's why you see these things working in tandem."

The report breaks down each of 15 threat types, describing what they do, how they gain access, what security personnel should look for and how to mitigate the risk. Each entry includes a case study of a Verizon Business investigation in which the threat type was a key factor.

Take, for example, the impact of deficient access control at a consumer bank that called Verizon in to investigate card numbers and PINs being stolen through its ATM systems.

The investigators confirmed the breach, in which the intruders gained initial entry through a SQL injection attack on the bank's website, but that was just the start. After installing malware, the attackers located the ATM hardware security modules (HSMs), which -- jackpot! -- had no access control mechanisms. As a result, the HSMs could be accessed from hundreds of systems on the network. The attackers moved data out of the network via FTP connections for months before the breach was discovered.

The failure to detect the breach underscores a key finding of the original report -- that the data drains typically go undetected and are often discovered by third parties that notice, for example, fraudulent credit card activity. Each threat type has telltale indicators -- unauthorized access via weak/misconfigured ACLs, for example, can be uncovered through routine log monitoring or user behavioral analysis, according to Verizon. The conclusion is that enterprises aren't always paying attention.

"Most of these companies have some means of detecting events, such as log files," said Baker. "Evidence there had been a breach could have been identified.

"My sense is there is more aggregation of log data and network events than there is actual analysis and digging into and inspection of events."
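The two telltale indicators the bank case and Baker's comments point at, hosts reaching an HSM that were never meant to talk to it and a long-running trickle of outbound FTP transfers, are exactly the kind of thing that sits unread in aggregated logs. The following script is an added illustration, not code from the Verizon report or the article, of the "actual analysis" Baker describes: it parses a constructed firewall connection log and flags both patterns. The log format, the HSM address, the allow list and every IP address are assumptions made up for the example.

```python
"""Added example: two simple detections run over a constructed firewall log.

Indicator 1: any source that connects to an HSM host but is not on the
             access allow list (the bank's HSMs had no access controls at all).
Indicator 2: an internal host pushing large FTP transfers to an external
             address on several distinct days (the months-long FTP exfiltration).
All addresses and the log format are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Field order: timestamp src dst dport bytes
SAMPLE_LOG = """\
2009-03-01T02:10:05 10.20.1.15 10.50.0.10 1500 2048
2009-03-01T02:11:40 10.20.1.15 10.50.0.10 1500 1980
2009-03-01T03:02:11 10.30.7.201 10.50.0.10 1500 4096
2009-03-01T03:05:19 10.30.7.202 10.50.0.10 1500 4096
2009-03-01T03:05:22 10.30.7.203 10.50.0.10 1500 4096
2009-03-01T04:00:00 10.30.7.201 203.0.113.9 21 52000000
2009-03-08T04:00:00 10.30.7.201 203.0.113.9 21 48000000
2009-03-15T04:00:00 10.30.7.201 203.0.113.9 21 51000000
2009-03-22T04:00:00 10.30.7.201 203.0.113.9 21 50000000
2009-03-01T09:12:44 10.20.1.15 198.51.100.4 443 8000
"""

HSM_HOSTS = {"10.50.0.10"}        # constructed: address of the ATM HSM
HSM_ALLOW_LIST = {"10.20.1.15"}   # constructed: the only host permitted to reach it
FTP_PORTS = {20, 21}
INTERNAL_PREFIX = "10."           # constructed: the bank's internal address space


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return events


def unauthorized_hsm_access(events):
    """Return {source: connection_count} for hosts that reached an HSM
    without being on the allow list. With a real ACL in front of the HSM
    these connections would have been refused rather than merely logged."""
    hits = defaultdict(int)
    for e in events:
        if e["dst"] in HSM_HOSTS and e["src"] not in HSM_ALLOW_LIST:
            hits[e["src"]] += 1
    return dict(hits)


def sustained_outbound_ftp(events, min_days=3, min_bytes=1_000_000):
    """Return {(src, dst): (distinct_days, total_bytes)} for internal hosts that
    sent at least min_bytes over FTP to an external address on at least
    min_days distinct days. A single large transfer is noisy; the same pair
    recurring week after week is the signature of a slow data drain."""
    days = defaultdict(set)
    total = defaultdict(int)
    for e in events:
        outbound = e["src"].startswith(INTERNAL_PREFIX) and not e["dst"].startswith(INTERNAL_PREFIX)
        if e["dport"] in FTP_PORTS and outbound:
            key = (e["src"], e["dst"])
            days[key].add(e["ts"].date())
            total[key] += e["bytes"]
    return {k: (len(days[k]), total[k]) for k in days
            if len(days[k]) >= min_days and total[k] >= min_bytes}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, n in unauthorized_hsm_access(evts).items():
        print(f"HSM reached by non-allow-listed host {src} ({n} connections)")
    for (src, dst), (d, b) in sustained_outbound_ftp(evts).items():
        print(f"sustained FTP exfil candidate {src} -> {dst}: {d} days, {b} bytes")
```

Both checks are deliberately crude: the point is that the evidence was already in the log, and a scheduled query as short as this would have surfaced the three unexpected HSM clients on the first day and the weekly FTP pattern by its third occurrence, rather than leaving discovery to a card brand noticing fraud months later.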
