Attackers cash in on fundamental data handling mistakes, Verizon finds

By Neil Roiter, Senior Technology Editor, Information Security magazine
15 Apr 2009 | SearchSecurity.com


As Forrest Gump said, "Stupid is as stupid does." The 2009 Verizon Business data breach investigation report confirmed what the 2008 report revealed -- attackers usually gain a foothold through stupid, basic errors.

"In virtually all the cases, we found that lots of the things that were simple and straightforward, had they been deployed, would have stopped the attack," said Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions. "Simple things like changing the password from the word 'password' on the system, those basic errors were somewhere, endlessly; they were everywhere."

In fact, the 2009 Verizon Business Data Breach Investigations Report showed that 67% of the 90 confirmed data breaches that Verizon investigated last year revealed that kind of error, usually on a third-party system, often tangential to the heart of the enterprise. But they open the door to the good stuff: thousands or even millions of customer records.
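An added example, not from the article or the Verizon report, of the kind of basic check that catches the "password is 'password'" class of error described above: a small credential audit run over a constructed inventory of systems, including third-party ones, against a constructed denylist of default passwords. The denylist, the inventory, the normalisation rule and the 8-character length floor are all assumptions chosen for illustration.

```python
"""Audit a credential inventory for default or trivially guessable passwords.

Added example (not the report's or the article's code). It flags the basic
error the report found in most breaches: a system, often a third-party one,
still carrying a default or dictionary password.
"""
import re

# Constructed denylist of well-known default values (assumption: a real audit
# would load vendor default lists per product plus a large dictionary).
DEFAULT_PASSWORDS = {"password", "admin", "123456", "changeme", "welcome", "root"}

# Constructed inventory of systems and their current passwords (sample data).
SAMPLE_INVENTORY = [
    {"system": "vendor-hvac-gw", "owner": "third-party", "password": "password"},
    {"system": "pos-terminal-17", "owner": "retail", "password": "Admin2009!"},
    {"system": "db-primary", "owner": "core", "password": "Q7#vm...long"},
    {"system": "partner-sftp", "owner": "third-party", "password": "Password1"},
    {"system": "backup-console", "owner": "core", "password": "s3cr3t"},
]

MIN_LENGTH = 8  # assumed floor, not a figure from the report


def normalise(pw: str) -> str:
    """Lower-case and strip a trailing run of digits/punctuation, so that
    'Password1' and 'Admin2009!' reduce to their base dictionary word."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_default_or_weak(pw: str) -> bool:
    """True if the password matches the denylist after normalisation or is
    shorter than MIN_LENGTH."""
    return normalise(pw) in DEFAULT_PASSWORDS or len(pw) < MIN_LENGTH


def audit(inventory):
    """Return (system, owner, reason) findings, in inventory order."""
    findings = []
    for entry in inventory:
        pw = entry["password"]
        if normalise(pw) in DEFAULT_PASSWORDS:
            findings.append((entry["system"], entry["owner"], "default/dictionary password"))
        elif len(pw) < MIN_LENGTH:
            findings.append((entry["system"], entry["owner"], "shorter than minimum length"))
    return findings


def by_owner(findings):
    """Count findings per owning group, to show where the weak spots sit
    (the report notes they are usually on third-party systems)."""
    counts = {}
    for _, owner, _ in findings:
        counts[owner] = counts.get(owner, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for system, owner, reason in results:
        print(f"{system:16} {owner:12} {reason}")
    print("findings by owner:", by_owner(results))
```

The normalisation step is deliberately crude: it exists so that a base word with a year or a trailing "!" appended is still treated as the default it was derived from, which is how such passwords usually look in practice. Grouping by owner makes the third-party concentration the report describes visible at a glance.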

Most of the damage was against a handful of financial institutions. Financials accounted for 93% of the 285 million compromised records -- more than the four years' worth of investigations covered in the 2008 report combined. About a dozen huge breaches accounted for the preponderance, according to Tippett.

The increase in data breaches in financial services reflects cybercrime trends, especially the huge jump in the number of attacks targeting PINs and associated credit card and debit account data last year, according to Verizon.

The report also belied the common perception that the biggest data loss threat comes from insiders. External-only breaches accounted for about 267 million of the 285 million compromised records. Three quarters of the breaches were from external sources, while only one in five were internal.

Most of the insider incidents were the result of employees who were unwittingly exploited by outside attackers through error and/or policy violation. Only 11% were insider-only breaches, resulting in only a little over a million stolen records.

The report breaks attacks into two broad categories: fully targeted and opportunistic. In fully targeted attacks, the victim organization was chosen as the target, and the attackers set out to find a way to exploit them.

"Opportunistic" attacks come in two subcategories. In directed, opportunistic attacks, the target is chosen because they have a known weakness that can be exploited. In random opportunistic attacks, the attackers discover a weakness through, say, a scan of large address spaces, and then exploit it.

Alarmingly, 85% of the 285 million records breached were harvested by custom software designed to circumvent the particular victim's defenses. In some cases, existing malware was repacked to evade antivirus signatures, modified for additional functionality or tailored to the victim's environment.

But, most commonly, the malware appeared to be written from scratch to exploit a specific victim organization.

"Targeting is up," said Tippett. "The four years before, almost all that were targeted were targeted by employees. This year, the amount targeted externally was up beyond that by insiders. In particular, the larger attacks were mostly targeted."

Enterprises were slow to discover the breaches -- typically it took a month while the bad guys continued to harvest data. In most cases, third parties reported the problem as they saw it, for example, a pattern of suspicious credit card activity.

The message is clear. Most data breaches are external, and the biggest, baddest attacks are executed by highly skilled criminals who are determined to reap as much data as they can from treasure troves of customer information.

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy