I recently attended two IT security conferences:
- ITAG (Innovative Technology Action Group): Information Security and Computer Forensics: In Depth Case Studies and Best Practices
- Ziff Davis Enterprises: Security: Threat Horizon 2011
The one thing that these kinds of conferences do is justify any paranoia that you might have: the world really is trying to get you, and is pretty darn good at it.
If you are still able to sleep at night, you might read the US Secret Service / Verizon RISK Team “2010 Data Breach Investigations Report.” It contains some interesting facts from an analysis of over 900 data breaches in 2009:
- 70% resulted from external agents (down 9% from 2008)
- 48% were caused by insiders (up 26%)
- 48% involved privileged misuse (up 26%)
You probably noticed the similarity in the last two stats. Two things to take away: the weakest link is your own people, compounded by a general sloppiness in controlling passwords and in revoking privileges when they are no longer needed. Half of the insiders were just regular employees or end users. The other half came from finance and auditors (13%), system and network administrators (12%), your own support and software development staff (8%), your executives (7%), and unidentified insiders (9%).
- 98% of the records stolen came from external agents, and 85% of those by organized criminal groups
- 3% of the records stolen came from insiders, but 90% of those breaches were deliberate
(The alert reader will have noticed that this adds up to more than 100%; some breaches involve a combination of insider and external actions.)
The bad thing here is that 83% of all stolen records were taken by organized criminal groups, and that data will come back to haunt you. As we said earlier, the Ponemon Institute measures the actual cost to companies of a data breach at more than $200 per lost record. If, or rather when, you have a breach, it will cost you.
- 40% resulted from hacking (down 24%)
- 38% utilized malware (unchanged from 2008), but malware was used to capture 94% of the stolen records
- 28% employed social tactics (up 16%)
(There are other categories, but these were the largest. A lot of the malware attacks were initiated through hacking so the percentages won’t add up to 100%.)
Social tactics include old-style activities like solicitation, bribery and extortion, and computer-age social engineering tricks like phishing, pretexting, spoofing, spam, etc.
- 96% of breaches were avoidable through simple or intermediate controls (up 9%)
- 61% were discovered by a third party (down 8%)
- 86% of victims had evidence of the breach in their log files
This implies that a whole lot of organizations aren’t paying enough, or maybe any, attention. Over half of the breaches were not discovered by the attacked organization but were reported by a third party, even though in most cases the evidence was already sitting in the victim’s own logs. Worse, 96% of the breaches could have been avoided with only moderate expense and effort.
While only 25% of breaches were due to a compromised database server, they accounted for 92% of the stolen records.
One important characteristic of an attack is the timespan, usually measured in three stages:
- Point of entry to compromise: how long you have from the attacker’s first foothold until you start to lose data. In 31% of cases this is measured in minutes; in 60% of cases you have somewhere between minutes and days to stop it before it does damage.
- Compromise to discovery: how long the attacker is inside before you notice. In 60% of cases this is measured in weeks or months.
- Discovery to containment: how long it takes you to stop the loss once you have discovered it. In 85% of cases this is measured in days to months.
If your organization is one of those who has done nothing about this problem, there are some simple things you can do to make yourself safer:
- Keep your OS and application software up to date.
- Keep your virus / malware protection software up to date and make sure it is running on every system. Configure it to be automatically updated – the era of updating the malware signatures every week is long gone.
- Concentrate on protecting your database servers and controlling who has any access to them.
- Train your employees on the value of your and your customers’ data and the fairly simple social attacks they will see. Emphasize that they must control their passwords. Remind them of your security policy. Create one if you don’t have one.
Going beyond these simple and inexpensive steps:
- Restrict and monitor privileged users.
Trust but verify. Make sure you know who your employees really are. Don’t give users more privileges than they need. Separate duties to limit what any one person can do alone. Make sure all privileged use is logged. Then you must monitor and review those logs.
- Watch for even minor policy violations.
Any policy violation may be a sign that something sinister is behind it, or that someone is laying the groundwork for a major attack that is coming soon.
- Implement measures to prevent the stealing of credentials and the use of stolen credentials.
Keep your malware protection software up to date to keep credential-stealing software off your systems. Use two-factor authentication for everybody. Two-factor authentication means that the user needs two independent things to gain access: something they know, usually a password, plus something they have or are, such as a fingerprint or a small thumbnail-sized token that generates a one-time number that changes every minute or so. A stolen password alone is then not enough. Restrict administrator connections to and from specific internal sources.
- Monitor and filter traffic leaving your network.
You are probably filtering incoming network traffic, even if it is just via a firewall and your email spam filter. Are you also filtering your outgoing network traffic, looking for suspicious data or unknown destinations? Stolen records have to leave your network somehow, and egress is where you can still catch them.
- Actually monitor and analyze your logs.
Most organizations generate fairly complete logs but don’t look at them. The good news is that you have some time to stop an attack before it compromises your data, and the information about the attack is in your logs. The bad news is that most organizations don’t monitor those logs, which is why over half of the breaches are reported by someone else; by then you are in the “compromise to discovery” phase and still losing data. There are some fairly simple things you can do to monitor logs in near real time, detect anomalies and report them. This could be as simple as a script that looks for an unusual number of log entries at an unusual time of day and sends an alert.
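As a worked example of the simple monitoring script just described (added here for illustration; it is not code from the original post), the following Python reads syslog-style lines, counts events per hour, builds a baseline from business-hour activity, and raises an alert for any off-hours bucket far above that baseline and for a burst of failed logins from a single source. The log lines are constructed for the demonstration, and the host name, addresses and thresholds are assumptions; a real deployment would tail the live log and page someone rather than print.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) (\S+) ([^:]+): (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")


def constructed_log():
    """Constructed sample data (not from any real system), in the form
    'ISO-timestamp host process: message'. Daytime activity is steady; the
    only night-time entries are one cron job and a 03:14 brute-force burst."""
    lines = []
    for hour in range(8, 18):
        for minute in (5, 20, 35, 50):
            lines.append(f"2010-06-14T{hour:02d}:{minute:02d}:00 db01 sshd: "
                         "Accepted publickey for alice from 10.1.5.20")
    lines.append("2010-06-14T01:00:00 db01 CRON: (root) CMD (/usr/local/bin/backup.sh)")
    for sec in range(40):
        lines.append(f"2010-06-14T03:14:{sec:02d} db01 sshd: "
                     "Failed password for root from 192.0.2.77")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, host, process, message); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, proc, msg = m.groups()
    return datetime.fromisoformat(ts), host, proc, msg


def hourly_counts(lines):
    """Number of parseable events in each (date, hour) bucket."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts = parsed[0]
            counts[(ts.date(), ts.hour)] += 1
    return counts


def find_anomalies(lines, business_hours=(8, 18), zscore=3.0, failed_login_limit=10):
    """Return a list of alert dicts from two checks: an off-hours bucket far
    above the business-hour baseline, and many failed logins from one source."""
    alerts = []
    counts = hourly_counts(lines)
    start, end = business_hours
    baseline = [n for (_, h), n in counts.items() if start <= h < end]
    if baseline:
        mean = statistics.mean(baseline)
        stdev = statistics.pstdev(baseline)
        # Floor the margin at one mean so a perfectly flat baseline (stdev 0)
        # does not alert on a single extra line at night.
        threshold = mean + max(zscore * stdev, mean)
        for (day, hour), n in sorted(counts.items()):
            if not (start <= hour < end) and n > threshold:
                alerts.append({"kind": "off_hours_burst", "date": str(day),
                               "hour": hour, "count": n, "threshold": threshold})
    per_source = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            m = FAILED_RE.search(parsed[3])
            if m:
                per_source[m.group(2)] += 1
    for src, n in sorted(per_source.items()):
        if n >= failed_login_limit:
            alerts.append({"kind": "failed_login_burst", "source": src, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(constructed_log()):
        print("ALERT", alert)  # replace with mail/pager in a real deployment
```

Two checks are deliberately kept: volume alone catches things you did not think to write a rule for, while the failed-login rule catches a slow attack that never produces a volume spike. Run it from cron every few minutes over the last hour of the log and you have the “near real time” detection the post asks for.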
Some possibly good news with a probably bad undercurrent: payment card information breaches fell noticeably in 2009. The report suggests that this is due to the flooding of the market with stolen payment card information over the past years: there simply isn’t enough demand to keep up with the supply, and the price of payment card data on the black market is dropping. However, each lost payment card record causes the consumer a lot of grief. Surprisingly, companies don’t seem to be paying attention. Companies that process payment card information, from the small store to the major processing centers, must be Payment Card Industry Data Security Standard (PCI DSS) compliant and pass an annual audit. Verizon found that 79% of such companies were not compliant at their last audit.
One important finding: the report could not find a link between data breaches and Cloud or virtualized infrastructure. In other words, moving to the virtualized world of the Cloud does not by itself make your security any worse. Nor does it make it any better.
The last word:
Be paranoid. Do something. When you are attacked you will have to explain it to stakeholders. These stakeholders may be just your boss, or include shareholders, customers, regulatory organizations, or law enforcement. If you have done nothing, you have no defense to offer any of them.
In coming blogs we’ll talk in more detail about some specific security threats in the Cloud and how to mitigate them.
Keep your sense of humor.