Financially motivated attackers who steal credit card data and state-sponsored cyberespionage campaigns intent on intellectual property theft have one thing in common: Both cybercriminal groups exploit the path of least resistance into organizations.
Phishing attacks and stolen account credentials are at the core of most data breaches and are commonly used to gain an initial foothold on an enterprise network, according to more than 600 breaches analyzed by Verizon in the firm's 2013 Data Breach Investigation Report. Security experts told CRN that enterprises large and small need to focus on weeding out Web application vulnerabilities and configuration weaknesses that are often the path into the corporate network.
The trend has been toward exploiting vulnerabilities on the client, and the statistics reflect what security experts at Veracode are seeing, said Chris Wysopal, chief technology officer at the Burlington, Mass.-based vulnerability management vendor. "An attacker is much more likely to ask you to open up a zip file or word file than browse to a malicious website," Wysopal said.
The Verizon analysis found that 71 percent of breaches involved an initial attack on user devices. The firm said 78 percent of initial intrusions into corporate networks were relatively easy, and 76 percent of breaches exploited weak or stolen passwords. The Verizon data is skewed toward retailers and small businesses where credit card data is being targeted rather than the highly skilled attacks seeking intellectual property, Wysopal said. Focusing on application security can alleviate much of the risk, he said.
"The basics haven't changed in a few years with static analysis in the SDL and dynamic analysis to scan Web applications you have in production," Wysopal said. "Today the tools are more consumable and can scale over lots of applications."
Software makers need to continue to build security mechanisms into applications, said Brad Arkin, chief security officer at Adobe Systems. Arkin and his team have focused on bolstering Adobe Reader and Acrobat software, which have been highly targeted by attackers, as well as increasing security of Adobe's growing cloud-based services. Studying how cybercriminals carry out campaigns could lead to new security defenses that slow down attackers and increase the chance of detection before a breach takes place, Arkin said. Software will never be perfect, he said.
"Banks take steps to slow down bank robbers and make it more likely that they get caught, and enterprises can take a lesson from that," Arkin said. "All of the extra layers of defense that we're putting into our software ensure that we're driving up the cost for the exploit authors."