
Data Breach Security From A To Z
4:00 PM EST Tue. Feb. 05, 2013

Companies face daily threats from cybercriminals, hacktivists and nation-state-sponsored hacking groups. Financially motivated cybercriminals typically use automated tools to spread a wide attack campaign, gaining as many victims as possible. Hacktivists are politically motivated and often use distributed denial-of-service attacks as a weapon to cripple or bring down a website. Nation-state-sponsored hacking groups choose a specific target and stealthily conduct cyberespionage activities on a network over extended periods of time. Their aim is to steal intellectual property, email and other sensitive documents.
Security experts say focusing on basic security controls can greatly reduce risk. Cybercriminals typically target the lowest-hanging fruit, such as unpatched software and common configuration weaknesses, to gain a foothold in an organization, establish a communication channel with a remote server and quickly steal sensitive data. To keep up to speed with the changing security landscape, here's a look at data breach security from A to Z.
Successful attacks often use stolen or guessed passwords to gain access, install backdoor Trojans, and retain access to systems using those legitimate account credentials, according to the 2012 Verizon Data Breach Investigations Report. The firm, which analyzed 855 data breaches involving more than 1.7 million stolen records, urges organizations to change default passwords on point-of-sale systems and other Internet-facing devices. Stolen login credentials were used in 32 percent of the firm's analyzed breaches. In 2012, cybercriminals posted nearly 6.5 million LinkedIn passwords on the Internet, further highlighting the problem of failing to protect account credentials. Exploitation of default or guessable credentials took place in 44 percent of breaches.
Encourage employees to use strong passwords by setting up a strong password management policy and enforcing it, Verizon said. The most common password used by businesses is "Password1" because it satisfies Microsoft Active Directory default complexity settings.
The Blackhole attack toolkit is the most widely used by cybercriminals. The toolkit is licensed out and can be customized and updated with exploits that target the latest known vulnerabilities. Occasionally, the kit contains an exploit targeting a known zero-day vulnerability. Attackers use the tool to set up a malicious Web page with JavaScript that determines which vulnerable software is present on a victim's machine. Patching can seriously reduce the threat of falling victim to Blackhole, say security experts, who urge users to keep their browsers up to date with the latest security updates and ensure that browser components, such as Java and Adobe Flash, are kept current on patching.
Credit card and other customer information is the most frequently targeted data type, making up 89 percent of breach data investigated by the Trustwave SpiderLabs' forensics investigators in its 2012 Global Security Report. According to the report, industries with franchises, such as the food and beverage and hotel industries, had the highest percentage of breaches. Those firms typically lacked IT teams, making satellite locations especially vulnerable, Trustwave said. Credit card data should be protected by end-to-end encryption and never be stored, according to the Payment Card Industry Data Security Standards (PCI-DSS).
Data loss prevention systems are designed to keep track of credit card data, Social Security numbers and other personally identifiable information, as well as to enforce security controls to ensure that the data is protected before it leaves the network. A DLP system can be set to block sensitive data from leaving endpoint systems via email or thumb drive. DLP systems have been commonly deployed as part of compliance initiatives in the health-care or retail industries. More advanced DLP systems can tag and keep track of identified intellectual property to prevent it from being mishandled.
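As an added illustration of the DLP detection described above (example code written for this page, not taken from any DLP product), the scanner below looks for card numbers and Social Security numbers in outbound text and uses a Luhn check and issuance-range rules to cut down on false positives; the sample strings in the test are constructed.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally grouped by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape AAA-GG-SSSS; implausible ranges are rejected below.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers the SSA never issues (area 000/666/9xx, zero group or serial)."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def find_sensitive(text: str) -> list:
    """Return (type, masked_value) tuples for every PAN or SSN found in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            # keep only the last four digits so the alert itself is not a leak
            findings.append(("PAN", digits[-4:].rjust(len(digits), "*")))
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("SSN", "***-**-" + m.group(3)))
    return findings


def should_block(text: str) -> bool:
    """Policy decision for an outbound email body or file: block if anything sensitive is present."""
    return bool(find_sensitive(text))
```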
Businesses deploy encryption to protect sensitive data, keeping cybercriminals from gaining access to the encrypted information if it is properly deployed. Data can be protected in transit or at rest to protect access to the data if a laptop or storage device is lost or stolen. Most data breach notification regulations do not require an organization to make a public notification of a breach if the data is properly encrypted and the encryption keys haven't been exposed.
Software security experts urge software vendors to add fuzz testing to their software development life cycle to find security problems that can be exploited by attackers. Using a fuzzing tool, testers typically input random data into a computer program to see if it crashes or contains other common errors targeted by attackers, such as SQL injection or cross-site scripting. For example, Microsoft said it uncovered 1,800 coding errors in Office 2010 by running millions of fuzzing tests as part of its software development life cycle.
Operation Aurora was uncovered in 2009 when Google and dozens of other companies fell victim to an attack originating from China that targeted human rights groups and individuals of interest to the country. The cybercriminals used the Hydraq Trojan, delivered using an Internet Explorer vulnerability, to carry out the attacks. More than 30 tech firms were infiltrated using spearphishing email messages containing malicious PDF files. The attackers continue to be active today, and in a report issued by Symantec, the so-called Elderwood gang is believed to be behind a number of targeted attacks with the goal of intellectual property theft.
Hacktivists had a serious impact on data breaches in 2011, according to the Verizon Data Breach Investigations Report. Hacktivists are motivated by political or personal reasons and attempt to hack a target to shame or embarrass the organization. Denial-of-service attacks are a common weapon used by hacktivists to cripple or take down a website; they also sometimes find coding errors in the targeted organization's website in an attempt to take it down and deface it. Members of the Anonymous collective were responsible for a spate of attacks that resulted in stolen data. LulzSec, a loosely connected Anonymous hacking group, was responsible for hacking into Sony Pictures in 2011, stealing user account data and forcing Sony to halt its gaming platform. The group also gained access to HBGary Federal, stealing research and email information and posting the information to the Pirate Bay file-sharing service.
A good incident response plan will help reduce the time it takes for threat detection, threat containment and system restoration. Verizon investigators say speed and execution are equally critical. Acting quickly without conducting full incident mitigation can result in mistakes and increase the costs of a breach. Having an incident response plan and conducting thorough training reviews help organizations be prepared. An incident response plan can help organizations anticipate a potential breach, identify individuals who should be part of a response team and ensure that a communications plan is in place when a problem happens. It also provides a structure, identifying the roles and responsibilities of people throughout the incident process. A thorough incident response plan should be revisited often and carefully assessed and adjusted when corporate systems and policies change.
Security holes in Java appear to be the leading cause of Blackhole infections, according to the Sophos 2013 threat report. In 2012, more than 600,000 Mac users were infected by the Flashback botnet as a result of a Java vulnerability left unpatched on OS X. Sun Microsystems, which developed Java and was acquired by Oracle in 2010, put security in place to protect the Java virtual machine, but the fact that it is so widely deployed makes it an attractive target for attackers. Java's complexity and age make it difficult to protect. It is widely used at enterprises, but security experts say IT teams can use registry zones to implement tighter restrictions, controlling where Java is running in the environment.
Keylogger Trojans help cybercriminals capture credit card numbers, account credentials and other sensitive bank account data by recording the keystrokes of a victim's system. Most keylogger programs run covertly to avoid alerting the user that their actions are being monitored, according to the Verizon Data Breach Investigations Report. Verizon recommends businesses restrict user administrative rights, issue one-time passwords for IT admin access to endpoint systems, employ Web content filtering and blacklisting, and conduct security awareness training to help end users avoid being infected by a keylogger.
There have been a number of high-profile cybercriminal arrests in the U.S. and other countries in recent years. Spam was drastically reduced following the arrest in 2010 of Vladislav Horohorin and Maksym Yastremsky, alleged credit card thieves and handlers of the Bredolab botnet. Law enforcement has been working to infiltrate black markets and criminal communications in an attempt to weaken the underground community.
The combination of malware, the use of a keylogger and the use of stolen credentials was the combination most often seen by Verizon investigators, accounting for 252 of the data breaches analyzed in the 2012 Verizon Data Breach Investigations Report. Malware can be programmed to perform a variety of functions, from eavesdropping on victims to causing their systems to crash. The attacker typically installs various types of malware to escalate privileges, set up remote access and control mechanisms and move throughout the victim's network to find sensitive data.
Organizations that experience a breach typically find out about it from external sources. Studies show that organizations are frequently notified by law enforcement that a breach is suspected, following reports of fraudulent activity. Third-party partners also play a role in notifying an organization that it has had a breach. Security forensics investigators say that a majority of data security breaches could have been detected and contained earlier if the company had simply been monitoring its logs for suspicious activity. Many organizations have deployed a security information and event management system (SIEM) as part of compliance initiatives, but very few actively monitor those systems.
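The log monitoring this paragraph calls for, applied to the guessed-credential problem raised earlier on the page: an added example (not from the article or any SIEM vendor) that flags a remote-access account logging in successfully after a burst of failures from the same source. The log format and the log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user src_ip result", one authentication event per line.
SAMPLE_LOG = """\
2013-02-05T03:14:02 admin 198.51.100.7 FAIL
2013-02-05T03:14:05 admin 198.51.100.7 FAIL
2013-02-05T03:14:09 admin 198.51.100.7 FAIL
2013-02-05T03:14:12 admin 198.51.100.7 FAIL
2013-02-05T03:14:15 admin 198.51.100.7 FAIL
2013-02-05T03:14:19 admin 198.51.100.7 SUCCESS
2013-02-05T08:01:44 jsmith 192.0.2.10 FAIL
2013-02-05T08:01:59 jsmith 192.0.2.10 SUCCESS
"""

FAIL_THRESHOLD = 5           # failures that make a following success suspicious
WINDOW = timedelta(minutes=10)


def parse_line(line: str):
    """Split one log line into (timestamp, user, source IP, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def detect_guessing(log_text: str) -> list:
    """Alert on (user, source) pairs with >= FAIL_THRESHOLD failures inside WINDOW
    immediately followed by a SUCCESS: the signature of a guessed or default password."""
    failures = defaultdict(list)     # (user, ip) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = parse_line(line)
        key = (user, ip)
        # drop failures that have aged out of the sliding window
        failures[key] = [t for t in failures[key] if ts - t <= WINDOW]
        if result == "FAIL":
            failures[key].append(ts)
        elif result == "SUCCESS" and len(failures[key]) >= FAIL_THRESHOLD:
            alerts.append({"user": user, "src": ip,
                           "failures": len(failures[key]), "at": ts.isoformat()})
            failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print("ALERT credential guessing:", alert)
```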
Security researchers who conduct malware analysis say malware writers are increasingly using code obfuscation in an attempt to make reverse engineering more difficult and, in turn, avoid detection by antivirus. Some custom malware is designed with full encryption capabilities to mask its presence and make analysis more difficult. The obfuscation is working. Antivirus detected less than 12 percent of the targeted malware samples collected during Trustwave SpiderLabs' 2011 investigations, according to the firm's 2012 Global Security Report.
A password management program that requires employees to use strong passwords or even pass phrases can help mitigate the threat of an attack. Multifactor authentication, such as the use of software or hardware tokens and knowledge-based authentication -- giving employees a challenge question -- also can make it more difficult for cybercriminals. Too often, organizations use weak and default passwords. Employees should never use a username and password on multiple sites, said Graham Cluley, senior security consultant at security firm Sophos. Avoid using dictionary words and don't choose common passwords such as "1234," Cluley said. A password should be a minimum of eight characters long and include some form of punctuation. Use mixed-case passwords if possible and include a number for additional strength.
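The "Password1" point made earlier on the page and the password rules listed above, as an added example (written for this page, not from Verizon or Sophos): an approximation of the Active Directory default complexity rule, which "Password1" satisfies, next to a stricter policy check that rejects it. The deny list and dictionary are tiny constructed stand-ins for real word lists.

```python
import string

# Constructed stand-ins; a real deployment loads a breached-password corpus and a word list.
COMMON_PASSWORDS = {"password", "password1", "1234", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY = {"password", "summer", "winter", "company", "welcome", "dragon"}


def meets_ad_default_complexity(pw: str) -> bool:
    """Approximation of the AD 'password must meet complexity requirements' setting:
    at least 7 characters drawn from 3 of the 4 classes below."""
    if len(pw) < 7:
        return False
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return sum(classes) >= 3


def strip_trivial_mangling(pw: str) -> str:
    """Normalise the 'Word1!' pattern: lowercase, then drop digits/punctuation at the edges."""
    return pw.lower().strip(string.digits + string.punctuation)


def policy_violations(pw: str) -> list:
    """Return the reasons a password fails the stricter policy described in the article:
    8+ characters, punctuation, mixed case, a digit, and not a common or dictionary-based word."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("not mixed case")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on common-password list")
    if strip_trivial_mangling(pw) in DICTIONARY:
        problems.append("dictionary word with trivial decoration")
    return problems
```

Complexity rules alone accept exactly the password the article calls out; the deny list and dictionary normalisation are what reject it.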
A Qualified Security Assessor receives training from the PCI Security Standards Council and assesses an organization's payment transaction systems and architecture to ensure that it meets the control objectives of the PCI Data Security Standard. The standard prohibits the storage of credit card data and requires encryption of credit card track data.
Internet-facing point-of-sale systems with weak or default passwords frequently give cybercriminals an easy entry point into a corporate network. A Trustwave review of 300 breaches it investigated in 2011, as part of its 2012 Global Security Report, found remote access solutions "the most widely used method of infiltration into target networks." Poorly configured and protected remote access applications or VPNs are often an easy way in, the firm said. Trustwave also found that routers, network switches, firewalls and other devices are frequently remotely probed for configuration issues or default passwords, allowing easy access.
The Night Dragon attacks in 2011 targeting global oil, energy and petrochemical companies began with a spearphishing attack and enabled attackers to remain stealthy on some systems for as long as four years. The Google Aurora attack, which impacted Adobe and dozens of other firms in 2009, was believed to have started with a spearphishing attack. Several RSA employees were targeted with custom phishing messages leading to the RSA SecurID breach. Spearphishing works because it is coupled with social engineering and designed to lure the victim into opening a malicious file attachment or clicking on a malicious link. The best defense is end-user security awareness training, said Randy Abrams, research director at security vendor testing firm NSS Labs. Technology alone cannot thwart targeted attacks. Security-minded people help bolster defenses, Abrams said.
A Miami-based hacker was sentenced to 20 years in prison for carrying out the attack that bilked TJX Companies of millions of credit and debit cards. Albert Gonzalez and others used a hacking technique called wardriving, targeting weak wireless implementations at TJX, OfficeMax, Barnes & Noble and other stores. The high-profile data security breach served as the poster child for the need for better security controls to protect sensitive data. The case also pointed out the need to carefully deploy wireless LANs with appropriate protections. In total, more than 45 million credit cards were stolen.
Unified threat management appliances or next-generation firewalls typically provide firewall, antivirus, content filtering, spam filtering and application control. The simplified appliances appeal to small and midsize businesses seeking multiple security capabilities in one box. Like any technology, unified threat management is no panacea. It should be combined with other security controls, enforceable policies and proactive log management to detect and contain suspicious threats before they become a serious problem.
Security researchers have identified a number of software vulnerabilities and configuration weaknesses in VoIP devices, enabling an attacker to eavesdrop on an individual or use the VoIP-enabled device to hop to more sensitive systems. VoIP phishing, or vishing, involves tricking a person into giving up sensitive information over voice mail, VoIP or cellphone. Much like a standard phishing attack, the victim is asked to verify their identity, ultimately resulting in giving up some personal information.
A worm is a self-replicating virus designed to spread quickly, infecting as many systems as possible. The Conficker/Downadup Trojan acted as a worm, infecting millions of Microsoft systems beginning in 2008. It spread via USB stick and storage devices. Once infected, it sought out other systems containing the Microsoft vulnerability that it was exploiting. A security consortium worked to disrupt Conficker by blocking its communication delivery algorithm to ensure that a payload would never be delivered. Conficker may have been a victim of its own success, say experts. It spread too quickly and gained too much attention to make it possible to deliver an attack payload to steal data. Investigators have never found the source of the Conficker worm.
The Open Web Application Security Project defines cross-site scripting (XSS) as a type of injection problem in which malicious scripts are injected into otherwise benign and trusted websites. Coding errors that allow this kind of attack are frequent and are often used to infiltrate a website and set up an attack platform for drive-by attacks or access a poorly protected Web server to steal information. A review of 939 application builds conducted by Burlington, Mass.-based Veracode from January 2011 to June 2012 found 78 percent containing information leakage, 71 percent having XSS errors and 67 percent with cryptographic errors.
Financially motivated cybercriminals conduct their operations like a business. The goal is to yield as much revenue as possible using the least amount of resources. Law enforcement and security experts are working to make targeting specific systems too cost-prohibitive. By simply increasing the difficulty of hacking into corporate systems, organizations can reduce the risk of financially driven cyberattacks. A determined attacker with enough resources will get in, explained Eugene Kaspersky, CEO of Kaspersky Lab, speaking at a recent press event in Boston.
Zero-day attacks attempt to exploit a software vulnerability that is undisclosed to the software vendor and, therefore, no patch is available at the time of the attack. Zero-days have been demonstrated in a number of targeted attacks, including the Stuxnet attack, which exploited four zero-day vulnerabilities in Microsoft Windows while targeting Iran's nuclear centrifuge facility. Zero-day attacks are normally used by well-funded nation-state cybercriminal groups in cyberespionage activities. They also pose a serious threat to business intellectual property because the custom malware bypasses detection by traditional antivirus. The aim of the attacks is to collect as much data as possible, remaining stealthy over an extended period of time.