I was pleased to see the release of the Trustwave 2012 Global Security Report, as I always find it a very good source of information! This year's report analyses 300 data breach investigations across 18 countries and, unsurprisingly, 89% of the breaches involved the theft of customer records, including payment card data and other personally identifiable information such as email addresses.
Trend alert...
As in previous years, 85% of the caseload originated from the food & beverage (43.6%), retail (33.7%) and hospitality (8%) industries. Disappointingly, and also in line with previous years, criminals continue to focus on these industries because of well-known payment system vulnerabilities and poor security practices. New for 2011 is the targeting of businesses operating franchise models: these represented more than one-third of breached entities in food and beverage, retail and hospitality. The use of common infrastructure in such models is widespread, and when vulnerabilities are present they are duplicated across the entire franchise base. Cyber-criminals took full advantage of this in 2011.
Who, me?... Or the case for incident response
As in previous years, as many as 84% of organisations were notified of the breach by an external entity (e.g. a regulator, law enforcement, a third party or the public), and in those cases attackers had an average of 173.5 days within the victim's environment before detection occurred. That's a staggering 6 months in which to harvest valuable information assets! In addition, the number of self-detected compromises decreased by 4% since 2010, which may indicate a decline in the resources allocated to the detection and management of incidents. By contrast, businesses that detected the breach themselves were able to identify attackers within their systems 43 days on average after the initial compromise: one fourth of the time that attackers would have had in the previous scenario, one fourth of the information that could have been harvested otherwise, one fourth of whatever the business really cares about. In any case, that's a ready-made business case for the development and maintenance of a robust incident response plan, and cutting cost in this space really isn't a good idea... If you're interested, see my previous post on the subject...
Passing the buck...
76% of the breaches were caused by third parties responsible for system support, development and/or maintenance who introduced the security deficiencies exploited by attackers. The report notes that merchants were unaware of the security best practices or compliance mandates by which their partners were required to abide, or that the third party was only responsible for a subset of the security controls. In addition, many third-party IT service providers still use standard passwords across their client base, and in one 2011 case more than 90 locations were compromised because of shared authentication credentials. 80% of the breaches were due to weak and/or default administrative credentials. With the prominence of outsourced services and cloud computing, I cannot stress enough the importance of:
- Selecting the right partners and making sure they have the right security posture and credentials (e.g. compliance with the PCI DSS, etc.).
- Reviewing contractual clauses (including liability shift) with partners handling any valuable assets.
EMV / Chip & PIN gets the thumbs up...
In contrast to data compromise trends in the Americas, the
report acknowledges that very few data compromises occurred in POS networks in
Europe, the Middle East and Africa (EMEA) as a result of higher adoption of Chip
& PIN (EMV) which gives fewer opportunities in these markets for the theft
of track data used in mag-stripe transactions. Therefore, the majority of data
breaches in EMEA occur at e-commerce merchants.
SQL injection again...
Yes, SQL injection (SQLi) was the number one attack vector found in the Web Hacking Incident Database and the number one Web-based method of entry in incident response investigations. Combined with the potential impact of bulk extraction of sensitive data, SQL injection was the number one Web application risk of 2011...
And finally...
Criminals are increasingly automating the process of finding victims (through the identification of basic vulnerabilities) and extracting valuable data. This lowers the cost of performing attacks, which in turn lowers the minimum yield for a victim to be of interest. Unsurprisingly, therefore, the report's number one recommendation is the education of employees: "The best intrusion detection systems are neither security experts nor expensive technology, but employees. Security awareness education for employees can often be the first line of defence." If all else fails, remember that suffering a data breach is not necessarily the end of the world, and you might just be able to recover from it very nicely, but that's the subject of another post...
Until next time...