This week saw the release of the annual Verizon Data Breach Investigation Report (DBIR) and among its 80 pages of data from 50 contributing organisations were some genuine gems of insight.
In our story we focused on the major section around point of sale (POS) breaches, while in our Guru article with author Wade Baker, we looked at the bringing together of the data and its development over the past seven years.
Verizon found that of the 100,000 security incidents analysed over the past ten years, there were nine threat patterns: miscellaneous errors such as sending an email to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; web app attacks; denial-of-service attacks; cyber-espionage; point-of-sale intrusions; and payment card skimmers.
Looking in more detail, this year’s report found that cyber-espionage rose three-fold compared with last year, when it was already a significant factor in the 2013 report. Also, for the first time, the report examined distributed denial-of-service (DDoS) attacks, which have grown stronger year-over-year for the past three years.
The main way to gain access to information was via stolen and/or misused credentials (usernames and passwords), with two out of three breaches exploiting weak or stolen passwords, making a case for strong two-factor authentication.
Scott Goldman, CEO of TextPower, said: “As they correctly point out, using just passwords for protection is useless. In fact, it’s like closing your front door but leaving it unlocked.
“It’s bad enough that hackers get in through back doors and poor security – using a single-factor authentication process is like laying out a red carpet for them. Any website that doesn’t use some form of ‘out-of-band’ authentication – meaning outside of the web browser – is adding an engraved invitation to go along with the red carpet. Websites will either get smart, get secure or get hacked.”
Tom Cross, director of security research at Lancope, highlighted the POS attacks, and how they have evolved. “In the past year we know that POS malware was used in much more sophisticated attacks against larger, better defended retail establishments,” he said. “This process mirrors what we expect to see with other kinds of embedded systems associated with the Internet of Things. If there is a business model associated with attacking devices, it will be pursued, and it will first impact systems that are easy to compromise. If those attacks prove lucrative, we’ll see them replicated in increasingly sophisticated attacks that get at devices that are more heavily defended. What drives all of this activity is the opportunity to make money.”
Meanwhile Doug Mow, CMO at Courion, said that this shone a light on the insider threat, especially as “insider and privilege misuse” is cited as one of the nine patterns. “Within this category, 88 per cent of security incidents were highlighted as privilege abuse; or in other words, an employee or outsider taking advantage of assigned access privileges,” he said.
“The only way to get insight into where and how privilege abuse may be happening is by applying analytics to the big data of identity and access. By analysing user access rights and the associated risk on a continuous basis, organisations can identify suspicious behaviour patterns to expose threats of inappropriate access.”
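The kind of continuous analysis Mow describes can be illustrated with a small detection script. The following is an added example, not code from the article, the DBIR or Courion: it builds a per-user baseline from a constructed access log and then flags entitled users whose later activity departs from that baseline (a resource they were entitled to but had never used, a record volume far above their norm, or access outside working hours). The role table, user names, resources, thresholds and log entries are all assumptions constructed for the example.

```python
"""Flag possible privilege abuse: entitled users whose access pattern departs
from their own baseline. All data below is constructed for this example."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed entitlements (assumption): role -> resources the role may access.
ROLE_RESOURCES = {
    "billing": {"invoices", "customer_pii"},
    "support": {"tickets", "customer_pii"},
}
USER_ROLE = {"alice": "billing", "bob": "support", "carol": "support"}

# Constructed access log: (timestamp, user, resource, records_returned).
ACCESS_LOG = [
    ("2014-04-01T09:12:00", "alice", "invoices", 40),
    ("2014-04-01T10:03:00", "alice", "invoices", 35),
    ("2014-04-02T09:30:00", "alice", "invoices", 38),
    ("2014-04-03T09:05:00", "alice", "invoices", 41),
    ("2014-04-01T11:00:00", "bob", "tickets", 12),
    ("2014-04-02T11:10:00", "bob", "tickets", 15),
    ("2014-04-03T11:20:00", "bob", "tickets", 14),
    ("2014-04-01T14:00:00", "carol", "tickets", 10),
    ("2014-04-02T14:00:00", "carol", "tickets", 11),
    ("2014-04-03T14:00:00", "carol", "tickets", 9),
    # Evaluation day: bob bulk-pulls PII he is entitled to but never used,
    # late at night; carol does her usual work; alice pulls ten times her
    # usual invoice volume.
    ("2014-04-04T23:40:00", "bob", "customer_pii", 5000),
    ("2014-04-04T14:00:00", "carol", "tickets", 12),
    ("2014-04-04T09:00:00", "alice", "invoices", 400),
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def build_baseline(log, until):
    """Resources each user touched and per-(user, resource) record volumes,
    using only events dated on or before `until` (the training window)."""
    used = defaultdict(set)
    volumes = defaultdict(list)
    for ts, user, resource, records in log:
        if parse_ts(ts).date() <= until:
            used[user].add(resource)
            volumes[(user, resource)].append(records)
    return used, volumes


def detect_privilege_abuse(log, until, work_hours=(8, 19)):
    """Return sorted (user, resource, reason) findings for events after `until`."""
    used, volumes = build_baseline(log, until)
    findings = []
    for ts, user, resource, records in log:
        when = parse_ts(ts)
        if when.date() <= until:
            continue
        entitled = ROLE_RESOURCES.get(USER_ROLE.get(user), set())
        if resource not in entitled:
            # Access control should already block this; log it if it happens.
            findings.append((user, resource, "unentitled_access"))
            continue
        if resource not in used[user]:
            # Entitled, but never used during the baseline window.
            findings.append((user, resource, "first_use_of_entitled_resource"))
        history = volumes.get((user, resource))
        if history:
            mu = mean(history)
            # Three standard deviations, with a floor of 3x the mean so a very
            # regular user does not trip on tiny variations.
            threshold = max(mu + 3 * pstdev(history), 3 * mu)
            if records > threshold:
                findings.append((user, resource, "volume_anomaly"))
        if not work_hours[0] <= when.hour < work_hours[1]:
            findings.append((user, resource, "off_hours"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect_privilege_abuse(ACCESS_LOG, date(2014, 4, 3)):
        print(*finding)
```

On the constructed log this flags bob's first-ever, late-night pull of customer PII and alice's volume spike, while carol's routine ticket work produces nothing. A real deployment would compute the baseline from weeks of data and route findings into a review queue rather than treating each as conclusive.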
Barry Shteiman, director of security strategy at Imperva, highlighted that of 64,000 reported incidents, six per cent were web attacks, three per cent DoS and 18 per cent insider threats, meaning that Imperva could have protected against 27 per cent of all the reported incidents.
“For us, out of 1,350 reported actual breaches, 35 per cent happened via web application attacks and eight per cent via insider attacks. This means that we could have helped solve 43 per cent of all of last year’s breaches.”
Neira Jones, a long-time supporter of the report and a payment security consultant, said that the report showed that with the accommodation, finance, retail and management sectors affected by web application attacks, payment card skimmer threats and POS intrusions, all four needed to focus more on payment card security.
Jones said: “99 per cent of POS intrusion related breaches were discovered by external parties, not the breached organisation and in 55 per cent of POS intrusions, the hacking vector was a third party desktop – and in 35 per cent, a shared desktop. The deployment of multi-factor authentication is particularly relevant to this section and will also prepare businesses for the new European Payment Services Directive (PSD 2).”
Incident response is key to limiting a data breach. Cross said he liked Verizon’s security recommendations, which he called “particularly noteworthy”, because they are rooted in a wealth of knowledge about how organisations get compromised.
“Many of these recommendations might seem like table stakes – update your anti-virus, patch your systems, use good passwords or two-factor authentication – but you’d be amazed at how many organisations fail to execute on these basic steps,” he said.
“The report also highlights approaches that are on the leading edge of what IT shops are doing, and probably deserve to be adopted more broadly, including threat indicator feeds, network behavioural anomaly detection, and monitoring of internal networks for lateral movement by sophisticated adversaries and malicious insiders.”
Jones pointed at the gap between “how long it takes the attacker to compromise an asset” and “how long it takes the defender to discover this” as the bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays.
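The gap Jones describes is easiest to see when incident timelines are bucketed the way the report presents them (seconds, minutes, hours, days, weeks, months, years). The script below is an added example, not code or data from the article or the DBIR: it takes constructed incident records with an initial-compromise time, the time the attacker reached their objective and the time the defender discovered the incident, buckets the two durations, and reports the share of incidents where discovery fell in a slower bucket than compromise, along with the median time to discovery. The incident records and bucket boundaries are assumptions constructed for the example.

```python
"""Time-to-compromise versus time-to-discovery, bucketed by order of magnitude.
Incident records below are constructed for this example, not DBIR data."""
from collections import Counter
from datetime import datetime, timedelta

# (incident id, first attacker action, objective reached, defender discovered)
INCIDENTS = [
    ("inc-1", "2014-01-03T02:00:00", "2014-01-03T02:30:00", "2014-03-20T09:00:00"),
    ("inc-2", "2014-01-10T10:00:00", "2014-01-12T11:00:00", "2014-01-14T08:00:00"),
    ("inc-3", "2014-02-01T00:00:00", "2014-02-01T06:00:00", "2014-02-05T12:00:00"),
    ("inc-4", "2014-02-15T08:00:00", "2014-02-15T08:05:00", "2015-01-07T16:00:00"),
    ("inc-5", "2014-03-01T09:00:00", "2014-03-01T09:01:00", "2014-03-01T09:20:00"),
]

# Upper bound (in seconds) of each bucket; anything beyond the last is "years".
BUCKETS = [
    ("seconds", 60),
    ("minutes", 3600),
    ("hours", 86400),
    ("days", 7 * 86400),
    ("weeks", 30 * 86400),
    ("months", 365 * 86400),
]
ORDER = [name for name, _ in BUCKETS] + ["years"]


def bucket(delta: timedelta) -> str:
    """Map a duration to its order-of-magnitude bucket."""
    secs = delta.total_seconds()
    for name, limit in BUCKETS:
        if secs < limit:
            return name
    return "years"


def summarise(incidents):
    """Bucket counts for compromise and discovery, the share of incidents with
    a detection deficit (discovery slower than compromise), and the median
    time to discovery in days."""
    compromise, discovery = Counter(), Counter()
    deficit = 0
    discover_days = []
    for _, start, objective, found in incidents:
        t0, t1, t2 = (datetime.fromisoformat(x) for x in (start, objective, found))
        c, d = bucket(t1 - t0), bucket(t2 - t0)
        compromise[c] += 1
        discovery[d] += 1
        discover_days.append((t2 - t0).total_seconds() / 86400)
        if ORDER.index(d) > ORDER.index(c):
            deficit += 1
    discover_days.sort()
    return {
        "compromise": dict(compromise),
        "discovery": dict(discovery),
        "deficit_share": deficit / len(incidents),
        "median_days_to_discover": discover_days[len(discover_days) // 2],
    }


if __name__ == "__main__":
    for key, value in summarise(INCIDENTS).items():
        print(f"{key}: {value}")
```

Fed real incident records, the same two counters give the side-by-side distribution the report charts, and the deficit share is the single number to track over time: it only falls when discovery moves into faster buckets.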
Wendy Nather, research director of security within 451 Research’s Enterprise Security Program, said that security is messy and that incidents are more often ambiguous and subject to interpretation than not. “This is the reality that enterprises need the most help with, the reality that isn’t as sexy as the nation-state actor. Our industry needs to stop romanticising APTs and look at the much larger set of security problems that CISOs actually face. No, it probably won’t get you a keynote speaking slot at a hacker conference, but you’ll be making a real difference.”
The report is a great read and a great source of statistics that I will no doubt be looking at and reading references to for months to come. As Baker said: “This is indicative of how criminals are faster than we are and that is a serious problem, and think about how much money we have poured into detection technology and it is depressing on one hand, but on the other if this is what it is we need to change something and figure out how to turn it around.”
The 2014 report can be downloaded in full at: http://www.verizonenterprise.com/DBIR/2014/