Businesses are failing to take basic security precautions in spite of the well-publicized cost of such
negligence.
A recent survey of 2008 security breaches by Verizon Business’ Response
Intelligence Solutions Knowledge (RISK) team found serious security lapses in many cases.
Some of the 90 victims studied by Verizon had deployed intrusion detection systems
(IDS)
Others had IDS deployed, but the IDS was not monitoring the area affected by the breach.
Of the 90 breaches covered in the study, only five were detected by event monitoring and log analysis. In 69 percent of cases, a third party discovered the breach rather than the victim. In the majority of those cases, the third party notified the victim because the third party discovered fraudulent activity.
Complicating matters, few organizations had plans for dealing with a breach, Verizon said.
“We found it especially surprising that only 28 percent of victims had an incident response plan in place,” the report said.
The report said that many intrusions exploit security failures, especially in identity management. Hacking was the top cause of breaches, although hackers themselves don’t receive all of the blame: A third of the hacks used “Unauthorized access via default, shared, or stolen credentials,” which accounted for over 50 percent of all compromised data.
In one case, the team found the same break-in occurring with multiple customers and determined that a third-party vendor had “neglected to change the default user name and password — and used the same credentials across multiple clients.”
In addition to using shared or stolen credentials, hackers also prey on businesses using several typical exploits.
The most commonly exploited weakness involved SQL injection attacks. These exploit flaws in software that are difficult to fix, even when identified, Verizon said. Fixing apps, the report noted, “can be challenging, costly, and time consuming.”
And even security vendors can fall victim to such attacks. Kaspersky was hit by a SQL injection attack
Even more sophisticated attacks target areas of systems that some businesses may believe to be impregnable, like RAM.
“Most application vendors do not encrypt data in memory and for years have considered RAM to be safe,” Verizon said in its report. “With the advent of malware capable of parsing a system’s RAM for sensitive information in real-time, however, this has become a soft-spot in the data security armor.”
While the most sophisticated attacks occur only rarely, they result in the greatest losses, the report said. Hacks requiring the most advanced skills accounted for 95 percent of all compromised records but only for 17 percent of all attacks.
In a similar comparison between targeted attacks and random or opportunistic attacks, targeted attacks accounted for 90 percent of all compromised records but only 28 percent of all attacks.
Attackers also are focusing their efforts, Verizon found: Breaches of database servers accounted for 75 percent of all records lost and breaches of application servers accounted for 19 percent of all records lost: combined, they accounted for 94 percent of all records lost in the study.
“The criminals appear to be going for the ‘crown jewels,'” said the report.
That’s enabled attackers to make off with ever-increasing amounts of data. The total data loss covered by the report grew to over 285 million customer records, exceeding the total loss in breaches investigated by the RISK team during the preceding three years.
Locking down
The report’s recommendations are not surprising: Businesses should have a data retention plan and an incident response plan, according to Verizon. They should monitor event logs and make sure employees are aware of the risks of data breaches and know that they can play a role in their prevention and discovery.
What is surprising is that so few companies are not already doing what the report recommends. For instance, Verizon urged companies to ensure that they never use default passwords or share passwords with third parties. They need to test their applications regularly and be up to date with patch management, and should use logging, according to the company.
Although only a couple companies that Verizon surveyed did so, the report recommends that companies stage “mock incidents” so that employees understand how to identify and react to a problem.
They also need to identify and define suspicious behavior. “Discover what is critical, identify what constitutes normal behavior, and then set focused mechanisms in place to look for and alert upon deviations from normality,” the report said.
Verizon had not responded to requests for further comment by press time.