When it comes to choosing which organizations to steal from, cybercriminals are not fussy. They're not particularly bothered about what an organization does, but only whether the organization is an easy target and has valuable data.
Yet a common mistake many organizations make is not appreciating that they may have data attackers covet. Personally identifiable information (PII), customer records, payment card data, and verified customer email addresses are all valuable targets for a cybercriminal. Even data that appears to be of no value to anyone outside the organization can often be sold for a significant profit in well-established black markets.
In one recent incident, last year the US Secret Service caught Lin Mun Poo with approximately 413,000 stolen credit card account numbers in his possession. The card data had a combined estimated value of $206 million. Not all data is worth that much, but the considerable value that personal and proprietary corporate information has on the black market makes every business a potential target. For example, stolen email addresses can be used in phishing campaigns or for targeted spear phishing attacks. Financial data, such as legitimate account routing numbers and merchant identification numbers, can be used to configure fraudulent payment systems so transactions appear to originate from a legitimate business. They can also be used to launder money through an unsuspecting merchant by making purchases and then applying chargebacks (claiming they never received the purchase and having the credit card company refund the purchase amount).
Organized crime sees the retail industry as an easy target because of card payment system vulnerabilities. Many retail businesses are either unaware of or fail to mitigate these vulnerabilities. Franchised businesses in particular are targeted because computer systems tend to be standardized across all the franchisees. Once a vulnerability has been identified at one location, it can often be exploited at every other business within the franchise.
In short, the opportunities for attackers to exfiltrate data are many, and nearly all businesses have data of value, whether they realize it or not. For businesses of any size, there are five important information security controls to protect against automated attacks by cybercriminals looking for an easy profit.
Strong passwords -- The use of simple passwords continues to be one of the main weaknesses attackers exploit. In particular, attackers look for default system passwords that have not been changed, as they can be used to devastating effect across an entire franchise. Systems using shared administrative username and password combinations also enable attackers to gain administrative access across multiple devices. Common usernames and passwords also make it harder to audit who did what on a system. Unique usernames and passwords are an essential control in order to identify and tie every user-initiated action to an individual.
Data encryption -- Encrypted data is intrinsically protected because it is unreadable without the key. This is why it is required by so many compliance guidelines and industry standards. Furthermore, encryption allows the separation of roles and data, because the encryption keys control access to the data. Enforcing encryption whenever data is transferred, whether over a network using SSL or IPsec or by copying it onto a CD or thumb drive, avoids many of the problems associated with lost data. Point-to-point encryption products can also lower the risk of point-of-sale (POS) system breaches when payment data is sent between merchants and their payment processing banks, or across the merchant's own internal systems.
Security-aware employees -- Employees and their workstations are the primary targets for attackers when phishing for network account credentials. It's important to keep staff informed of the latest phishing techniques being used and to stress the importance of being vigilant about opening email and following links. Employees should be instructed to report any suspicious emails to IT, as they may be an early warning of an attack and provide an opportunity to warn other employees. Simple safeguards such as checking that someone has actually sent an email with an attachment are invaluable.
Theft of proprietary information
Proprietary information, such as the blueprints for a new aircraft, is clearly of value to an attacker, but it also requires a highly sophisticated attacker to steal it. This is why theft of proprietary information accounts for only a small proportion of stolen data.
Firewall egress filters -- Firewalls must be in place to ensure outgoing data is being sent to the proper location, over the proper port, using an authorized protocol. Many organizations only configure their firewalls to monitor traffic coming into the network. But to prevent malware sending data back to its controller, egress traffic must also be monitored. This is a sensible, pre-emptive measure that erects an additional barrier that an attacker must overcome in order to successfully extract data from an organization.
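As an added example (not from the original article), the egress control above expressed as a small default-deny allow-list and checked against constructed outbound flow records. The site layout, addresses and rule names are assumptions for a hypothetical retail network; the same "right destination, right port, right protocol" test is what a real egress ruleset encodes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:            # one outbound connection attempt seen at the firewall
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:            # allow-list entry: who may talk to where, how, on which ports
    name: str
    src_nets: tuple
    dst_nets: tuple
    proto: str
    dports: tuple

# Hypothetical egress policy for a small retail site (all addresses assumed): 10.0.0.0/8 internal,
# 10.0.5.0/24 POS terminals, 10.0.0.10 web proxy, 10.0.0.53 resolver, 203.0.113.0/24 payment processor.
POLICY = (
    Rule("dns-to-internal-resolver", ("10.0.0.0/8",), ("10.0.0.53/32",), "udp", (53,)),
    Rule("web-via-proxy", ("10.0.0.0/8",), ("10.0.0.10/32",), "tcp", (3128,)),
    Rule("proxy-to-internet", ("10.0.0.10/32",), ("0.0.0.0/0",), "tcp", (80, 443)),
    Rule("pos-to-payment-processor", ("10.0.5.0/24",), ("203.0.113.0/24",), "tcp", (443,)),
)

def matches(rule, flow):
    """True when source, destination, protocol and port all fit the rule."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    return (flow.proto == rule.proto and flow.dport in rule.dports
            and any(src in ip_network(n) for n in rule.src_nets)
            and any(dst in ip_network(n) for n in rule.dst_nets))

def evaluate(flow):
    """Name of the first rule permitting the flow, or None (default deny)."""
    return next((r.name for r in POLICY if matches(r, flow)), None)

def denied(flows):
    """Flows the policy blocks: the ones an egress filter should log and alert on."""
    return [f for f in flows if evaluate(f) is None]

# Constructed sample of outbound flows; the last three should be denied.
SAMPLE_FLOWS = (
    Flow("10.0.2.15", "10.0.0.53", "udp", 53),       # normal DNS lookup
    Flow("10.0.2.15", "10.0.0.10", "tcp", 3128),     # browsing via the proxy
    Flow("10.0.5.20", "203.0.113.9", "tcp", 443),    # POS to payment processor
    Flow("10.0.2.15", "8.8.8.8", "udp", 53),         # DNS bypassing the resolver
    Flow("10.0.2.15", "198.51.100.7", "tcp", 443),   # direct HTTPS, not via proxy
    Flow("10.0.5.20", "198.51.100.7", "tcp", 4444),  # POS to an unknown host/port
)
```

Every denied flow is a candidate for the "malware phoning home" case the text describes, which is why an egress filter should log what it drops rather than silently discarding it.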
Secure third-party services -- Incident investigations have shown that, when a third party is responsible for system support, development or maintenance, it is often that third party who created the hole the attacker exploited. It's essential for organizations to know which party is responsible for the secure configuration of any equipment or services when a third party supplies them. Find out the security best practices for a particular service, and ensure the supplier can show how they are implementing those best practices.
Those responsible for safeguarding digital data within an organization have to think like a criminal in order to realize the black market value of their organization's data. Ensuring everyone involved in maintaining or using an organization's network knows the value of the data, and thus how important it is to secure that data, will help make certain the organization is not an easy target for attackers.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.
This was first published in August 2012