Data Loss: The Ultimate Cluestick
One of the most clueful and well-informed reports on how hackers are stealing company data these days was published this week by Verizon, which examined more than 500 data breaches that they investigated over the past few years.
In a nutshell, Verizon found that when it comes to security, companies are too trusting of their core business partners, far too complacent with their own internal security, and too willing to violate their own security policies.
While those high-level conclusions may seem obvious, some of the numbers behind those findings bear highlighting. For example, Verizon found that in nearly half of the attacks, it took the bad guys between hours and days to reach the data they were after. In addition, Verizon found that 63 percent of the victims didn't realize they'd been hacked until months after the compromise.
Peter Tippett, vice president of risk intelligence for Verizon Business, said these stats highlight both an endemic problem and a positive development.
"Just three to four years ago, almost all the attacks we saw were done in a minute or two, a single step. In those days, your managed service provider or [intrusion detection system] would tell you that an attack had just happened and that the ship is about to sink," Tippett said. "The good news is that all we need to do is trip up the bad guy at any one stage of the attack to stop it."
The fact that organizations may have more time to detect today's attempted intrusions may be good news, but only if the target is actually looking for signs that someone is trying to break in. Verizon notes that in 82 percent of the cases examined in the study, the raw evidence of the break-in was sitting unheeded in the company's network traffic and activity logs.
So if victims aren't paying vigilant attention to the warning signs, how do they ever figure out they're hacked? Usually, it's when their data shows up on online forums that cater to identity theft. The report notes that in 70 percent of the cases, victims first learned of the compromises from third-parties, such as affected customers, banks or law enforcement agencies.
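The report's two findings above, that attacks now unfold in stages over hours or days and that the evidence usually sits unread in existing logs, are the case for simple stateful correlation over the logs a company already keeps. The detector below is an added illustration, not anything from the Verizon report; it runs over a constructed syslog-style sample (hostnames, addresses and thresholds are assumptions) and raises a separate alert at each recognised stage, which is Tippett's point that tripping the intruder at any one stage is enough.

```python
import re
from collections import defaultdict

# Constructed sample log: syslog-style auth events and a firewall egress record.
SAMPLE_LOG = """\
2008-06-10T02:01:10 db01 sshd: Failed password for admin from 203.0.113.7
2008-06-10T02:01:12 db01 sshd: Failed password for admin from 203.0.113.7
2008-06-10T02:01:15 db01 sshd: Failed password for admin from 203.0.113.7
2008-06-10T02:01:17 db01 sshd: Failed password for admin from 203.0.113.7
2008-06-10T02:01:19 db01 sshd: Failed password for admin from 203.0.113.7
2008-06-10T02:01:22 db01 sshd: Accepted password for admin from 203.0.113.7
2008-06-10T09:15:00 web01 sshd: Accepted password for alice from 10.0.5.12
2008-06-11T03:40:05 fw: db01 -> 198.51.100.9 bytes_out=734003200
"""

FAILED = re.compile(r"^(\S+) (\S+) sshd: Failed password for (\S+) from (\S+)$")
ACCEPTED = re.compile(r"^(\S+) (\S+) sshd: Accepted password for (\S+) from (\S+)$")
EGRESS = re.compile(r"^(\S+) fw: (\S+) -> (\S+) bytes_out=(\d+)$")

FAIL_THRESHOLD = 5              # failed logins before a source counts as guessing
EGRESS_THRESHOLD = 100_000_000  # bytes out that is unusual on its own; assumed, tune per site


def correlate(log_text):
    """Return (stage, subject, detail) alerts in log order; state carries across
    lines, so the stages may be hours or days apart and each one alerts on its own."""
    failures = defaultdict(int)  # source IP -> consecutive failed logins
    guessing = set()             # source IPs that crossed FAIL_THRESHOLD
    footholds = set()            # hosts where a guessing source then logged in
    alerts = []
    for line in log_text.splitlines():
        if m := FAILED.match(line):
            ts, host, user, src = m.groups()
            failures[src] += 1
            if failures[src] == FAIL_THRESHOLD:
                guessing.add(src)
                alerts.append(("stage1_password_guessing", src, f"{ts} {host} user={user}"))
        elif m := ACCEPTED.match(line):
            ts, host, user, src = m.groups()
            if src in guessing:
                footholds.add(host)
                alerts.append(("stage2_login_after_guessing", host, f"{ts} user={user} from {src}"))
            failures[src] = 0
        elif m := EGRESS.match(line):
            ts, host, dst, nbytes = m.groups()
            # Any egress from a foothold is suspect; large egress is suspect anywhere.
            if host in footholds or int(nbytes) > EGRESS_THRESHOLD:
                alerts.append(("stage3_large_egress", host, f"{ts} dst={dst} bytes={nbytes}"))
    return alerts
```

Run against the sample, the first alert fires on the fifth failed login, more than a day before the data leaves; the benign login from 10.0.5.12 produces nothing.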
In 79 percent of the cases, Verizon found that a contributing factor to the data breach was a violation of the victim's own security policies -- such as weak/nonexistent passwords -- where the company failed to follow its own rules.
The report also concluded that while victims are often compromised via weaknesses in defenses at third-party business networks, the long-held notion that insiders are responsible for the majority of data thefts is simply no longer true.
In 39 percent of intrusions examined in the report, the point-of-entry implicated some security weakness in the victim's business partner - a less secure partner that was granted some kind of network or system access to the victim. While the threat from business partners was significant, Verizon also found that data compromises were considerably more likely to result from external attacks than from any other source: Nearly three-quarters of the cases yielded evidence pointing outside the victim organization as the source of the breach.
From the report:
"It is widely believed and commonly reported that insider incidents outnumber those caused by other sources. While certainly true for the broad range of security incidents, our caseload showed otherwise for incidents resulting in data compromise. This finding, of course, should be considered in light of the fact that insiders are adept at keeping their activities secret. For others, the real surprise may be that the ratio of external to internal is so slim. In days long past when mainframes ruled the computing world, internal threats were the predominant concern. Ever since outsiders joined the network, however, external attacks (not incidents) have vastly outnumbered those from insiders."
While the security news media (present company included) often focuses on the latest and scariest techniques that cyber crooks can use to break into systems, Verizon found that the methods used in most of the data breaches it examined were mind-numbingly boring and not terribly sophisticated.
In nearly 85 percent of the data breaches, the attackers broke in either by searching randomly for entities with specific application or network weaknesses, or they were targeted because they were known to be running a certain class or configuration of vulnerable software or hardware that the attackers knew how to exploit. More than half of the exploits used fell into Verizon's low sophistication category.
"If you asked us several years ago about the complexity of these cases, by and large every new case showed us something new...we almost looked forward to every case," said Bryan Sartin, director of investigative response at Verizon Business. "Now, we're getting to the point where [determining the method of break-in] is the most boring part of the job, where we can take a look at the victim's network diagram and can reasonably conclude where the point of compromise lies. And it's usually the path of least resistance."
There is plenty more depth and detail in the full report, available here (PDF).
By Brian Krebs | June 13, 2008; 3:46 PM ET
Fraud, From the Bunker, Misc., Safety Tips
Posted by: antibozo | June 13, 2008 4:17 PM
Great article about a very interesting study! Hasn't someone invented a log analysis algorithm that alerts admin types when a certain behavior or trends of behavior would trigger an alert? I'm sure the human perusal of endless server logs is mighty tedious. Ain't that why we have computers in the first place? And if they haven't, I wish I had the skills to do so.
Posted by: Pete from Arlington | June 13, 2008 4:18 PM
It is time to turn on the hardware security in every corporate PC. It is time for IT to do it and it is time for Verizon to do it. Hardware on the motherboard called the Trusted Platform Module will hold keys that enable access to the network in a way that they can't be stolen by users, admins, or malware. These keys, like the keys held in your phone, will ensure that only authorized PCs are physically on the network. While this will not solve all of the problems it will dramatically reduce the vectors of attack as a corporate machine will have to be stolen to gain access. With millions of units of hardware deployed it is time everyone leverages the security advantages it provides. ASK Verizon if their business services support the TPM.
Posted by: steven sprague | June 13, 2008 8:17 PM
@antibozo - to your point...
"Loss" has the connotation of negligence which there surely is in many of the cases; "Theft" has the connotation of something valuable being stolen by a capable outsider. I'm still trying to figure out the best combination of the two to motivate company management attention and commitment to the issue.
Verizon may have used a better term in Data Breach, but that makes it sound like a technical issue and not a problem of management inattention.
Posted by: OhioMC | June 14, 2008 9:05 AM
OhioMC,
The problem is that "data loss" very simply means what happens when, for example, a disk crashes and you have no backup. The term is commonly used for that kind of scenario. The headline therefore miscues the reader, especially in the recent context of stories such as the Gpcode ransomware story.
And while I agree that "loss" has a connotation of negligence, here it is the privacy of the data, not the data itself, that is lost. The company still has the data, and someone else does too. That's not loss of the data by any stretch of the imagination. If someone broke into your doctor's office and photocopied your medical records, you wouldn't say those records had been lost, would you?
As for "data breach", that is more confused gobbledygook. Data cannot be breached; its containment can. If someone breaks into a vault and steals the money, it was not the money that was breached; it was the vault. You wouldn't say the money was breached, or call the situation a "money breach".
These situations are compromises or breaches of privacy, containment, or security, that result in unauthorized disclosure of private, personal, or proprietary information. There are numerous ways to combine those various terms to arrive at an intended meaning.
Posted by: antibozo | June 14, 2008 2:01 PM
'in 82 percent of the cases examined in the study, the raw evidence for the break in was sitting unheeded in the company's network traffic and activity logs'
Holy jesus. On a stupidity scale of 1 to 10 I'd call that 'colossal'. What's the matter with people? I hope the aliens aren't watching. This would be the perfect time for them to attack ;)
The rest of this report is just sickening. Good on you for highlighting this.
'In nearly 85 percent of the data breaches...'
Boring yes but this is the way the work is done.
Posted by: Rick | June 14, 2008 8:27 PM
BUT THE ALIENS ARE ALWAYS WATCHING LOL
Posted by: BRUCEREALTOR | June 15, 2008 3:08 AM
NO THE ALIENS AREN'T WATCHING. YOU PUNY HUMANS ARE PARANOID. WHO IS LOL? WHY SHOULD THE ALIENS WATCH HIM? DOES HE CONTROL HUMAN DEFENSES? JUST CURIOUS.
Posted by: KODOS | June 16, 2008 12:25 AM
I have to agree with the level headed posters. It is not a loss if it is being stolen. I didn't lose my car; it was stolen.
And Krebs meant to write "Yard Stick" not "Cluestick." See the definition for cluestick at the link below.
Krebs must have been tired when he wrote the headline.
Posted by: Peter B | June 16, 2008 1:28 PM
I just got a blast from a company saying they are going to save my computer from the trojan of the world. Said I had worms, etc.
The site name was AntursInstall.exe
After Googling it, I was glad I did not load it in. It's a spoof to get records (that's what I thought I read). Sure would like your thoughts on this .exe
My email is SuntreeCprC@aol.com
Posted by: C. Cooper | June 16, 2008 9:20 PM
Connected business partners can be a point of weakness in a company's security posture. One common scenario similar to "insider threat" yet even more complex is with outsourced operations. Outsourced employees often have trusted access to sensitive data, whether employee info, customer data, or even IP, yet these users may support several customers and therefore have less loyalty to the end company. With high turnover and the opportunity to sell valued data on the net there is the need to closely monitor these partners. A different type of insider, yet one nonetheless.
Pete from Arlington, there are technologies that monitor logs, run algorithms, and alert when patterns of potential breaches occur. This is what SIEM vendors do and, according to Gartner last week, it is one of the fastest-growing segments of security software. Full disclosure, that is the business I work in.
Posted by: TReilly - ArcSight | June 20, 2008 5:43 PM
There are companies that do real-time log aggregation, correlation and analysis - please feel free to contact Secureworks.com for more information - we currently protect over 2100 companies nationwide from these types of violations.
Posted by: amporten | June 23, 2008 10:04 AM
KIrXIa Blogs rating, add your blog to be rated for free:
http://blogsrate.net
Posted by: Nancy Barness | June 23, 2008 9:04 PM
The comments to this entry are closed.
I think what you are talking about here is not "data loss"; it's data theft and exfiltration.