A Consolidated View of Data Breaches in 2012 – Part 2

It seems that many of you found my previous post of interest, so as promised, here’s the second part. But first, let’s all have a look at this 2min 48s video: Security Threats by the Numbers from the Cisco 2013 Annual Security Report. Unsurprisingly, the Trustwave GSR highlights that e-commerce sites were the most targeted asset, accounting for 48% of all investigations…

Oh, what a tangled web we weave… (?)

The GSR notes that most of the web client attacks exploited the java web browser plug in (How to turn off Java on your browser – and why you should do it now) and Adobe products (mostly Acrobat), and Adobe added an auto-updating mechanism to help reduce this vulnerability.

On the web server side, targeted attacks for publically disclosed breaches nearly doubled from 289 in 2011 to 400 in 2012 and were primarily aimed at disrupting normal business operations:

Attack Outcomes- Trustwave GSR 2013

The above graph confirms the trend in my previous post (i.e. better at protecting assets looking at the information leakage trend), but the monetary loss trend should be looked at in context, inasmuch as it refers to direct monetary loss as it occurs in, say, account hijacking, but not to consequential monetary loss as a result of all the other attacks. The report also highlights (Yes!) the need for better fraud detection capabilities to identify abnormal behaviours (see my older post on the subject).

The downtime and defacement trend also confirms the resurgence of hacktivism we have seen in 2012.
Again, confirming what we suspect, the GSR categorise the attacks methods by industry sector:

  • Denial of Service: Government, Finance, Hosting Providers, Media and Politics
  • SQL Injection (here we go again…): Entertainment, Retail, Technology and Education. And looking the new trend towards omnichannel commerce and increased interconnectivity, security professionals are hurtling towards bigger headaches…
  • Brute Force: Social Networks

The progression of web attack methods between 2011 and 2012 is interesting:

Attacks Methods- Trustwave GSR 2013

A substantial increase in the “Unknown” category – where the incident reported did not specify an attack method – denotes either insufficient or non-existent logging, or resistance to public disclosure. Well, logging has always been one of my biggest bugbears (well, after SQLi that is…), so sad to see there is still a lack of it. As for disclosure, with all the regulations in place, being implemented or proposed, there soon will be nowhere to hide, so better bite the bullet…

Also note the small, but not insignificant, increase in stolen credentials, and this was regular headline fodder in 2012. Which brings me neatly to the subject of passwords…

Open Sesame…

So, here’s something to make you laugh (or cry…): the Trustwave GSR shows that Welcome1 is the most commonly used password by count (followed closely by STORE123 and Password1), whereas Password1 is still most widely used when looking at percentage of unique active directory samples (followed closely by password1 and Welcome1). The rest of the list is no less mirth inducing (see page 54). And everyone is still mostly sticking to the 8 character limit. Trustwave’s recommendation are around the use of passphrases (“HereIsMyPassPhraseGuessIt), user education, elimination of legacy unsecure encryption methods and random salts. As for me, I leave it to the experts like Per Thorsheim 😉 (@Thorsheim). In many of the investigations, the initial point of entry was not the ultimate target but merely a means of gathering information to penetrate deeper into the target’s infrastructure exploiting, sadly, the same old vulnerabilities:

  • Shared or default administrative credentials
  • Unsecure remote access utilities
  • Remote command utilities

In fact, remote access remained the most widely used method of infiltration in 2012, which points neatly to the use of third party support…

Faith, Trust, and Pixie Dust…

Third parties responsible for system support, development, and/or maintenance caused 63% of the breaches as they introduced the vulnerabilities exploited by the attackers. This is a decrease from 76% in 2011, so maybe organisations are being more diligent in their selection of partners, but it’s still not good. Small businesses and franchises within Food & Beverage were mostly affected as they typically outsource services and are often unaware of the security best practices or compliance mandates by which their partners were required to abide or that the third party was only responsible for a subset of security controls, leaving them open to attacks. (see my earlier post on the subject)

News: email is not dead…

According to a recent report by the Radicati Group there were more than 2 billion email users worldwide and more than 140 billion emails sent daily in 2012. Whilst 2012 has seen a substantial reduction in spam volumes to levels lower than those in 2007, spam still represented more than 75% of an organisation’s inbound email, with 10% spam messages found to be malicious. In addition, targeted attacks often start with email and Trustwave found that this trend showed no sign of abating in 2012.

Letting the guard down…

With criminals becoming increasingly innovative (even reverting to good old fashioned methods and old targets –see the rise in ATM fraud), organisations have their work cut out. The Trustwave report also mentions defence failures in the following areas:

  • Network: Man in the Middle, Passwords, Legacy Vulnerabilities;
  • Applications: SQLi still number 1, list of top ten vulnerabilities on page 50;
  • Mobile: Trustwave also present some top 10 mobile vulnerabilities, with insufficient cache controls, replay attacks and code injection being most prominent. Interesting to note that 87.5% of mobile applications tested had vulnerabilities;
  • Physical: Trustwave note three areas to watch out for exposure of information via social media, insecure configuration and incorrect usage of physical security devices.

Round the world we go…

  • EMEA: similarly to last year’s report, EMV/ Chip & PIN gets the thumbs up as again very few data compromises occurred in POS networks as a result of higher adoption of Chip & PIN (EMV) which gives fewer opportunities in these markets for the theft of track data used in magnetic stripe transactions. Therefore, the majority of data breaches in EMEA occurred at e-commerce merchants and SQLi was prominent (the few POS compromises remained confined to those businesses processing more magnetic stripe transactions, typically those attracting international non-EMV cardholders such as hotels and luxury retailers). It was noted that more application security programmes started to be deployed in 2012.
  • ASIA PACIFIC: in 2011, POS systems were the primary target in Australia and New Zealand, and in 2012, the trend reversed to focus on e-commerce sites again. This is due to the push from banks to encourage their merchants to use hardware encryption directly from the card acceptance terminal. Notably, most compromised e-commerce merchants in APAC were SMEs, relied on third parties to run their sites, used open source e-commerce packages and invested few resources. They all exhibited the “Why me?” syndrome…
  • LATIN AMERICA & THE CARRIBEAN: Trustwave noted better security awareness in LAC in 2012 as well as increased enforcement of regulations. Breach trends remain the same as in other regions (man in the Middle, unencrypted or shared Credentials and unencrypted  storage, weak/ default passwords), with the addition of ATM fraud perhaps due to a prominence of legacy hardware (by default inheriting legacy security flaws).

And the same conclusion as last year…

Criminals are increasingly automating the process of finding victims (through the identification of basic vulnerabilities) and extracting valuable data which lowers the cost of performing attacks, which in turn lowers the minimum yield for a victim to be of interest. Unsurprisingly therefore, the report still recommends the education of employees as a crucial step (and I agree) as well as holistic enterprise-wide approach to security, which invariably leads to good risk management(well, you didn’t really expect me to leave that out, did you?…)

You can also listen to the Trustwave webcast.

Until next time…

About Neira Jones

With more than 20 years Financial Services experience, Neira is currently Head of Payment Security at Barclaycard where she is responsible for security compliance of circa 100,000 customers & 3rd parties. She has received the Information Security Person of the Year Award in April 2012 from SC Magazine at the same time as her team scooped up the prestigious SC Magazine Award for Information Security Team of the Year for the 2nd year in a row.

Not content with this, February 2012 saw Barclaycard winning two awards at the Merchant Payments Ecosystem conference for “Data Security” & “Merchants” for successfully steering Barclaycard and its customers through the changes in payment security, and in particular with the PCI DSS (Payment Card Industry Data Security Standard). She is a member of the Infosecurity Europe Hall of Fame and has been on the PCI Security Standards Council Board of Advisors since 2009. 

Follow Neira on Twitter:@NeiraJones