Channel: Security Boulevard
THE TRUTH BEHIND DATA BREACHES…

I was pleased to see the Trustwave 2012 Global Security Report, released a couple of days ago, as I find it always a very good source of information! This year’s report analyses 300 data breach investigations across 18 countries and, unsurprisingly, 89% of the breaches involved the theft of customer records, including payment card data and other personally identifiable information such as email addresses.

Trend alert...
As per previous years, 85% of the caseload originated from the food & beverage (43.6%), retail (33.7%) and hospitality (8%) industries. Disappointingly, and also in line with previous years, criminals continue to focus on these industries due to well-known payment system vulnerabilities and poor security practices. New for 2011 is the targeting of businesses operating franchise models, and these represented more than one-third of breached entities in food and beverage, retail, and hospitality. The use of common infrastructure in such models is widespread and, when vulnerabilities are present, they will be duplicated across the entire franchise base. Cyber-criminals took full advantage of this in 2011.

Who, me?... Or the case for incident response
Similarly to previous years, as many as 84% of organisations were notified of the breaches by external entities (e.g. regulatory, law enforcement, third party or public) and, within those 84%, attackers had an average of 173.5 days within the victim’s environment before detection occurred. That’s a staggering 6 months in which to harvest valuable information assets!!! In addition, the number of self-detected compromises decreased by 4% since 2010, and this may indicate a decline in resources allocated to the detection and management of incidents. By contrast, businesses that detected the breaches themselves were able to identify attackers within their systems 43 days on average after the initial compromise; or one fourth of the time that attackers would have had in the previous scenario; or one fourth of the information that could have been harvested otherwise; or one fourth of whatever the business really cares about. In any instance, that’s a readymade business case for the development and maintenance of a robust incident response plan, and cutting cost in this space really isn’t a good idea... If you’re interested, see my previous post on the subject...

Passing the buck...
76% of the breaches were caused by third parties responsible for system support, development and/or maintenance who introduced the security deficiencies exploited by attackers. The report notes that merchants were unaware of the security best practices or compliance mandates by which their partners were required to abide, or that the third party was only responsible for a subset of security controls. In addition, many third-party IT service providers still use standard passwords across their client base and, in one 2011 case, more than 90 locations were compromised due to shared authentication credentials. 80% of the breaches were due to weak and/or default administrative credentials. With the prominence of outsourced services and cloud computing, I cannot stress enough the importance of:
  • Selecting the right partners and making sure they have the right security posture and credentials (e.g. compliance with the PCI DSS, etc.).
  • Reviewing contractual clauses (including liability shift) with partners handling any valuable assets.

EMV/Chip & PIN gets the thumbs up...
In contrast to data compromise trends in the Americas, the report acknowledges that very few data compromises occurred in POS networks in Europe, the Middle East and Africa (EMEA) as a result of higher adoption of Chip & PIN (EMV), which gives fewer opportunities in these markets for the theft of track data used in mag-stripe transactions. Therefore, the majority of data breaches in EMEA occur at e-commerce merchants.

SQL injection again...
Yes, SQLi was the number one attack vector found in the Web Hacking Incident Database and the number one Web-based method of entry in incident response investigations. Combined with the potential impact of bulk extraction of sensitive data, SQL injection was the number one Web application risk of 2011...

And finally...
Criminals are increasingly automating the process of finding victims (through the identification of basic vulnerabilities) and extracting valuable data, which lowers the cost of performing attacks, which in turn lowers the minimum yield for a victim to be of interest. Unsurprisingly, therefore, the report’s number one recommendation is the education of employees: “The best intrusion detection systems are neither security experts nor expensive technology, but employees. Security awareness education for employees can often be the first line of defence.”

Until next time...
neirajones
