NTT Group Study Finds Simple Mistakes Causing Costly Security Breaches In Businesses

Costly malware infections, business disruptions and data breaches stem from fundamental lapses in an organization's vulnerability and patch-management processes, and simple mistakes are having a significant financial impact, according to a security incident study conducted by NTT Group.

Application security has become a bearer and, in some cases, the source of corporate risk, according to an examination of log, event, attack, incident and vulnerability data from more than 6,000 NTT Group clients globally. The firm found incidents due to missing or improperly functioning basic endpoint security controls and other measures, such as antivirus software, which resulted in 43 percent of incident response engagements. In addition, more than three-quarters of organizations that the company provided assistance to had no incident response plan, said Rob Kraus, director of the engineering research team at Omaha, Neb.-based managed security services provider Solutionary, a subsidiary of NTT Group and one of the lead authors of the report.

"We're not talking about incident response for small mom-and-pop banks; we're talking about Fortune 100 companies," Kraus told CRN. "What usually happens is we typically warn the organization of an attack and those organizations don't have any plans in place, not even policy documents or business continuity plans that address incident response for cyberattacks."

[Related: Breach Stats Prompt Need For Vulnerability, Configuration Assessment: Report ]

The NTT Group 2014 Global Threat Intelligence Report also found that attackers are having consistent success exploiting vulnerabilities that have long been patched by the software maker, but never addressed by an organization. The study found poorly executed and nonexistent patch-management processes. Half of the coding errors identified in vulnerability scans in 2013 were at least two years old. They were first discovered between 2004 and 2011, the firm said.

"This isn't new concepts and we believe there are new technologies for malware detection out there, but if you are not doing the basics right, we don't see how that is going to benefit the advanced," Kraus said. "If doing the basics right you are going to be able to avoid 80 percent of the problem, and the 20 percent is what your incident response processes are for."

In addition, the makers of automated attack toolkits also have improved their processes, adding exploits that target newer vulnerabilities. NTT Group found that 78 percent of current exploit kits are taking advantage of vulnerabilities less than two years old.

NEXT: Basic Lapse Costs One Firm $196,000 In Direct Costs

Failing to focus on software security can be costly, the study found. In one case, an organization failed to address a website flaw. Missing the common coding error resulted in breach remediation, incident response and other expenses totaling $196,000 in direct costs, according to the study. Losses can be reduced by almost 95 percent, Kraus said.

The attack against the firm lasted 10 weeks, but the firm lacked basic security measures that would have likely warned of suspicious activity or a malware infection, according to Kraus. After nearly 60 days remaining on the organization's systems, the attacker finally removed the data from 11 databases, resulting in the breach of tens of thousands of records.

There was a significant amount of discovery time, Kraus said. Reasonable monitoring of logs could have detected the attack in its initial phases. If developers fixed the weakness that enabled the SQL injection attack, the incident may not have taken place, he said.

"It was a very loud attack, and easy to notice, even if you were just eyeballing the records," Kraus said. "It was a very basic control that could have been enabled."

Basic security control lapses also resulted in widespread attack types. Client botnet activity was the largest type of attack, making up 34 percent of attacks, according to the NTT Group analysis. Botnet activity typically means that an attacker can control the system remotely, adding malware or using the infected system in a distributed-denial-of-service attack that can take down systems, the firm said. Other top attacks included those against a firm's domain name system and IP address spoofing.

Patch management ranked as the most frequent lapse uncovered by the firm, followed by application configuration errors and firewall management issues.

Vulnerability scans conducted by the firm in 2013 most frequently uncovered outdated Apache Tomcat servers followed by Apache Web Server errors and cross-site scripting vulnerabilities. The firms scan of internal systems uncovered frequent Windows flaws, followed by Adobe Reader vulnerabilities and content management system component vulnerabilities. Oracle Java installations also were found to be out of date and frequently targeted by attackers.

Kraus said patch management isn't an easy process, and often needs to be supported with an awareness of ongoing issues being actively targeted by attackers so the affected software can receive priority. All organizations need to document, test and maintain effective incident response procedures, even if security management is outsourced to a service provider, Kraus said.

In addition, service providers are only going to provide support outlined in the service level agreement. Businesses often have to elevate their level of support, which can be a costly process.

PUBLISHED MARCH 27, 2014