A lack of careful log monitoring and the use of default, guessable or stolen credentials continue to be the most prevalent security issues among large enterprises and small businesses, despite simple and inexpensive solutions that address them, according to the 2012 Verizon Data Breach Investigations Report (DBIR).
The Verizon 2012 DBIR, based on information from 855 separate breach incidents in 2011 collected by Verizon and government agencies in the U.S., the Netherlands, Australia, Ireland and England, includes recommendations for both large and small companies.
For larger companies, defined as those with 1,000 or more employees, the report highlights the need for log monitoring and adherence to compliance standards, two topics that go hand in hand. To attain compliance, companies often have to record activity logs.
The report stated that 96% of victims subject to PCI DSS had not achieved compliance, up 7% from last year. Coincidentally, the number of compromised records is also up from last year, jumping from four million to 174 million.
According to Verizon, “it’s not surprising that most breaches were avoidable (at least in hindsight) without difficult or expensive countermeasures. Low levels of PCI DSS adherence highlight a plethora of issues across the board for related organizations.”
The number of companies that record and keep logs ranges year-to-year from 60% to 80%, according to Verizon RISK team Director Wade Baker, but most of them are not monitoring their logs closely enough or often enough to catch the breaches themselves.
“Logging is in place in many of these places, but people aren’t looking at the logs. That’s just something you have to do,” said Christopher Porter, a principal with Verizon’s RISK team.
The question, it seems, is not if log monitoring should be a priority; it’s how to handle the task.
“You have to have some sort of monitoring within your environment,” said Rich Mogull, analyst and CEO at security research firm Securosis. “The question is what kind of a tool can help you do that.”
Mogull suggested that larger companies with more resources can afford to buy security information management (SIM) systems and train employees to use them correctly. It has to be a regular part of someone’s job and they need the time to do it, he said. If not, it’s a waste of money.
Porter did say that there are signs of larger organizations using SIM technology, as 8% of breaches in the Verizon 2012 DBIR were discovered internally.
According to Porter, the technology is still too expensive for many smaller companies, but there is another way for SMBs to handle the heavy log workload. Mogull suggested they look at automation or working with a service provider.
“You either need to do the monitoring yourself or you need to pay someone to do it,” he said, because in all likelihood, your organization will be breached.
“Pretty consistently we see breaches are being discovered by outsiders,” Mogull said. “If you’re not even working for it you certainly have no chance of detecting it.”
This year 92% of breaches were discovered outside of a victim organization, usually by customers, partners or law enforcement, according to the Verizon 2012 DBIR. As a result of that trend, a majority of breaches weren’t discovered for weeks or months after they occurred, the report stated.
Smaller organizations have different problems to attend to. The danger for those in industries like hospitality or retail is they often don’t think they’re big enough to be a target. In reality, however, the 2012 DBIR stated that attacks are becoming more automated and opportunistic. And those attacks of opportunity target small- or medium-sized businesses with fewer resources.
Verizon reported that 85% of targets of opportunity are businesses with fewer than 1,000 employees, and nearly three-quarters of opportunistic attacks hit the retail and hospitality industries.
“These observations would seem to support … that large-scale automated attacks are opportunistically attacking small- to medium-sized businesses, and point-of-sale (POS) systems frequently provide the opportunity,” the report stated.
Point-of-sale (POS) systems are often targeted for the payment information they contain. While that would seem to be something businesses would want to protect, many are more focused on the bottom line rather than security for their customers, Porter said. For that reason, POS systems are often deployed without changing the default password. That simple fix is free and could help deter a breach.
The use of default, stolen or guessable passwords and the use of malware, including keyloggers, form-grabbers or spyware, to steal account credentials were the top two threat actions recorded in the Verizon 2012 DBIR. Forty-eight percent of attacks utilized keyloggers, while 44% exploited guessable or stolen credentials.
The use of keyloggers was prevalent in combination with other tactics as well, such as backdoor exploits, and was included in 98% of malware used to exfiltrate data, the report stated.
To mitigate the use of keyloggers, the DBIR recommends that large organizations restrict user administrative rights, use code signing, use live boot CDs and one-time passwords, keep antivirus and antispyware updated, implement personal firewalls, Web content filtering and blacklisting, and more. It also recommends using two-factor authentication and changing passwords to mitigate the use of stolen or guessable credentials.
The report reminds readers that these risk mitigation technologies are available and could be implemented at a minimal cost.
“The challenge for the good guys lies in selecting the right tools for the job at hand and then not letting them get dull and rusty over time. Evidence shows when that happens, the bad guys are quick to take advantage of it,” according to the report.