There’s always chatter about the sophistication of malware and the advanced hacking techniques attackers use to steal payment information or sensitive corporate data. While that may be true for targeted attacks against high-value targets such as government agencies, the defense industrial base or financial institutions, the majority of victims, according to the 2012 Verizon Data Breach Investigations Report (DBIR) (.pdf), are smaller companies that fall prey to commodity attacks that expose shortcomings in basic information security best practices. The innovation is in the automation and process refinement behind attacks, and not necessarily in the sophistication of the malware involved, the report suggests.
Small businesses are worried about the bottom line. It’s a matter of expertise, time and resources that they’re not able to defend themselves.
Christopher Porter, principal, Verizon RISK team
The Verizon DBIR 2012, released publicly today, said attackers have found a particular soft spot by attacking point-of-sale (POS) and remote access systems, many of which lack a firewall or other security controls, using large-scale automated attacks. Labelling these as “opportunistic attacks,” the DBIR data suggests, as it did a year ago, that small- and medium-size organizations are in the crosshairs of attackers, particularly those in the food services and hotel industries.
Accommodation and food services accounted for 54% of breaches investigated by Verizon’s RISK team; retail was next at 20%. By contrast, most targeted attacks that led to data breaches were carried out against the financial and insurance sectors, most of which were larger businesses (more than 1,000 employees); more than 50% of attacks against larger organizations were targeted versus opportunistic.
Christopher Porter, principal with Verizon’s RISK team, said organized cybercrime groups have automated attacks end to end. These groups will scan the Internet looking for exposed PoS or remote administration services, such as remote desktop management, and will use brute force attacks against the logins to gain access. Since many use easy-to-guess, or default passwords on these systems, gaining access can be trivial. Once inside, malware—usually a keylogger—is installed and begins collecting data. The malware is also preconfigured to send data outbound, either via FTP or email, to a Web server under the attacker’s control. The data is then sold on the black market, or, if credentials are stolen, deeper attacks are carried out against bank accounts or other systems within an enterprise.
More on Verizon DBIR 2012
The 2012 DBIR highlights prevalent problems with simple, relatively inexpensive recommendations.
The Verizon DBIR says hacktivists conduct opportunistic attacks targeting mainly large businesses using tactics akin to a smash-and-grab burglary, stealing any data they can access.
The number of countries contributing to the 2012 DBIR increased as three more nations added information about breaches in their countries.
“We joke that there must be some sort of old crime groups that have gotten their MBAs,” Porter said. “In the last several years of these types of industrialized attacks, we’re seeing innovation in the process and methodology used. The whole process is end to end and it’s massive in scale. Typically, it’s smaller businesses that are getting hit with this because small businesses are worried about the bottom line. It’s a matter of expertise, time and resources that they’re not able to defend themselves.”
Porter said often times prevention means changing a default or existing password to something complex and putting an access control list in front of a remote access service. These tactics would buffer potential victims from commodity attacks that scale easily for an attacker who would rather not customize malware for each victim. The DBIR points out that customization is almost exclusively in targeted attacks where malware is written from scratch or existing code is modified.
“In these large-scale, multiple-victim compromises, attackers simply don’t need to bother with customizing malware since they can successfully use ‘canned’ attacks against thousands of victims,” the report said.
Attackers are also less likely to spend a lot of time inside a smaller organization, the DBIR said. Unlike large organizations rich in data and system interdependencies, all the data stored on servers inside smaller organizations is usually stolen and attackers then move on. In attacks against larger organizations, they’re more likely to carry out quieter attacks usually involving backdoors that are used to gain repeated access.
“These are relatively easy attacks that require little in-depth knowledge or creativity. They are usually scripted, aimed at many targets, and, if unsuccessful, exhibit little persistence,” the report said. “In fact, the thief often doesn’t even know what he’s stolen until checking the remote server to which his scripts have been sending the captured data. The targets simply are not worth much effort to the attacker, since few records are stolen in such incidents; scale of targets is what matters.”