Information security is a 12-month-per-year effort and not like an annual haircut, says Mark Goudie, managing principal, Asia Pacific, investigative response, Verizon Business

By Carol Ko
30 Jun 2009

Why has cyber crime become organised and turned into a big black hat business? Does this mean there is money to be made (if so, how much?) and that major enterprises have a lot of work to do to protect themselves?

•    Cyber crime is definitely involved in a lot of the data breach cases we work on these days, and more so in recent years. Organised crime is a business and therefore exists to make profit. Recent attacks have yielded an extremely large number of stolen payment card records, and we have therefore seen a dramatic drop in the price of payment card data or “dumps” on the black market. The asking price per payment card record is one per cent of last year’s price in some instances. As stated before, organised crime is a business and is therefore switching to more profitable targets, such as PIN data. By targeting PIN data, organised crime is able to directly withdraw cash from the consumer’s account whether it be a checking, savings, or brokerage account. This is much more of a concern from a consumer point of view as PIN fraud typically places a larger share of the burden upon the consumer to prove that transactions are fraudulent. This makes the recovery of lost assets more difficult than with standard credit-fraud charges. On the brighter side, we are happy to report that our investigative efforts in collaboration with law enforcement led to arrests in at least 16 cases (and counting) in 2008.

•    Major enterprises do have a lot of work to do. But a large proportion of vulnerabilities would be neutralised if organisations followed their own policies. The three highest yielding attacks (Unauthorized Access via Default or Shared Credentials, SQL Injection, and Improperly Constrained or Misconfigured ACLs) are preventable through simple remediation efforts, and would not be permitted to exist under every organisation’s policy. Additionally, these vulnerabilities are detectable through simple scanning techniques. We believe that the complexity and business demands of technology environments often lead to omissions or an incomplete job being performed in the deployment and review of a technology environment. If the three simple vulnerabilities (Unauthorized Access via Default or Shared Credentials, SQL Injection, and Improperly Constrained or Misconfigured ACLs) were eliminated, it is likely that more than 90 per cent of the 285 million records in our case load from last year would not have been breached.

Who are the major bad guys and where are they based? What is being done by the authorities to track them down and how successful have governments been in doing this?

•    The three main areas of bad guys that we see are (in order):

o    Eastern Europe, who tend to target consumer data (payment card records, PIN data, and personally identifiable information);

o    East Asia, who tend to focus on botnet, staging point and scripted attacks and target whatever data they happen to cross; and

o    North America, who tend to target organisations in their own country. We also see fraud spending in the same country as a key indicator to the involvement of organised crime.

•    Authorities are working on collaborative efforts across jurisdictions to make it more difficult for criminals to ‘hide’ across the borders of another country. When attacks are performed across a border, it makes the investigative effort significantly more complicated as there are multiple legal jurisdictions involved with differing laws, and the cost of extradition can be prohibitive in many instances. One of the big advances Verizon Business has been able to make in investigative techniques is to use intelligence information from our network. The Verizon Business network encompasses almost one million route km, and therefore a lot of network traffic crosses our Internet backbone at some stage. In the past, staging point attacks (where the attacker hides behind an unrelated compromised system) have meant that hackers have been able to hide their IP address from being disclosed. Now, with the netflow data from the Verizon Business network, we are able to quickly determine who has been communicating with the compromised machines (staging points) and locate the real culprit. In a recent case, Verizon Business was able to provide law enforcement with the real IP address, the attacker’s service provider and the attacker’s address (within 150m) through our geo-location database, and we provided law enforcement with an aerial photo of the attacker’s apartment block thanks to Google Earth. We believe we are the only investigative organisation that can provide this extremely valuable intelligence to our customers and law enforcement.

What are the major surprises in these latest cyber crime findings? Why have these new trends emerged? Do these figures paint a true picture or are many data breaches still kept secret?

•    There are no surprises but we see a significant shift over a 12-month period. There is a dramatic increase in sophistication and complexity in the attacks that we investigated. We are seeing more customised malware attacks that are not detectable by anti-virus.

•    Almost 60 per cent of these malware attacks are not detectable by anti-virus because they are repacked, modified or custom-coded. Some examples include RAM scrapers, unallocated space scrapers and customised network sniffers.

•    As well, there is a big increase in hackers now hacking in their own backyard. These hackers are hacking in the same country they live in, which therefore makes prosecution much easier. In the past, we used to see hackers crossing international boundaries, which made arrests and prosecution difficult, complex and expensive.

•    The other significant shift was the size of the data breaches. Last year, our case load consisted of 285 million compromised records, and the previous four years combined was ‘only’ 235 million records.

•    We believe that organised crime is behind 90 per cent of all compromised records in the last year. This is another dramatic shift in the last 12-month statistics. We also see that organised crime is hacking into businesses in their own country. Typical attacks a few years ago used to use a staging point in another country to minimise the risk of prosecution, but this is becoming common as time goes by.

•    The nature of data compromise, and the fact that almost three quarters of all data breaches are notified by third parties, leads us to believe that the data breaches that we see and those that are publicly disclosed are just the tip of the iceberg. The most common type of record compromised in our caseload is payment cards. There are sophisticated mechanisms and a financial imperative to recognise payment card fraud, and therefore breaches of payment card data. Typically a pattern of payment card data can only have been stolen from a single place, so it is relatively simple to recognise the breached location. This mechanism does not exist for other breached record types. For example, should an individual’s personal information be breached, how would you know which location, of the many that store your information, was breached? A perfect example of this is spam. Where did the spammer get your e-mail address?

What specific findings have been made relating to the cyber crime environment in the Asia Pacific? What unique situation and different trends do enterprises in this region face, compared to the US and Europe? Is the Asia Pacific better or worse off?

•    Asia Pacific is an interesting region in that we see different trends in different countries. Some countries have deployed Chip and PIN payment cards, so we see very little card-present fraud in those countries; in other countries, we see a lot of card skimming occurring. From an external sources point of view, the Asia Pacific region sees a lot of scripted, botnet and staging point attacks. The attacks tend to be less complex than those from Eastern Europe, but they still yield a great number of records. Australia, in particular, sees a fair proportion of attacks from Japan due to the good connectivity between the two countries. The big rise in data breaches in Asia Pacific is from employees who have been terminated and who steal information before they leave the organisation.

What do the latest research findings say about the attitude of major enterprises towards being PCI-compliant? Why is it that 81 per cent of affected organisations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached?

•    The research shows that 81 per cent of the cases that were subject to PCI-DSS compliance had not been found compliant prior to the breach. Either they had had an assessment and not been found compliant, or had not completed an assessment yet. The most interesting statistics regarding PCI are the two critical parts of the data security standard:

o    Requirement 3: Protect stored data with 11 per cent compliance; and

o    Requirement 10: Track and monitor all access to network resources and cardholder data with five per cent compliance.

These two requirements are the cornerstones of the PCI programme and have extremely low compliance when reviewed by our investigators. Even a simple requirement such as Requirement 5: Use and regularly update AV has only 62 per cent compliance. Therefore 38 per cent of the organisations we worked with did not even have anti-virus software functioning properly on the environment that was compromised.

What needs to be done by the IT industry and major enterprises to rectify the issues highlighted in this research?

•    One of the main issues is that organisations are typically not compliant with their own policies. The vast majority of data breaches would not happen if they were compliant with their own policies. Unauthorized Access via Default or Shared Credentials, SQL Injection, and Improperly Constrained or Misconfigured ACLs are the three leading causes of data breach and are preventable with proper coding, configuration and regular testing. Organisations should also realise when they can perform a necessary security function and when they cannot. For example, only six per cent of data breaches are discovered by the victim organisation through event monitoring or log analysis. The events are almost always in the logs, so why are organisations unable to pick up the signs of data breach in logs? We believe this is because event monitoring and log analysis is a function that requires specialists to set up and monitor. If organisations cannot do log analysis properly, they should seek the assistance of an expert third party. Lastly, many organisations still think of information security in a 1990s network perimeter paradigm. With the Web 2.0 world and the explosion of B2B/B2C and partner connections, the traditional network perimeter no longer exists and organisations need to focus on data security, of which the first step is to identify your critical data. This is done extremely poorly by victim organisations: 67 per cent of the 285 million unique breached records were stolen from data stores the victim organisation was unaware they had. This is a staggering figure to us, and unfortunately has not changed materially over the course of the study.
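The SQL injection cause named in the answer above, as an added example that is not part of the interview or of any Verizon material: a customer lookup built by string concatenation beside its parameterised form, together with the kind of regression check that "regular testing" would run against both. The sqlite3 table, sample rows, crafted test input and function names are all constructed for this illustration.

```python
"""Added example (not from the interview or Verizon): the SQL injection
defect, its parameterised fix, and a regression check for both.
Table layout, sample rows and names are constructed for this example."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed sample customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.test", "1234"),
         (2, "bob@example.test", "5678"),
         (3, "carol@example.test", "9012")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The defect: the caller's input is pasted into the SQL text, so any
    quote or operator in it becomes part of the statement.  Kept only to
    show the behaviour the interview describes as a leading breach cause."""
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """The fix: a parameterised query.  The driver passes the value separately
    from the statement, so the input can never alter the query's structure."""
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def injection_regression_test(lookup) -> bool:
    """A 'regular testing' check: an input that is valid text but carries SQL
    metacharacters must match only a row whose email is literally that text.
    Since no such row exists, a correct lookup returns zero rows."""
    conn = build_db()
    crafted = "x' OR '1'='1"      # constructed test input, not a real address
    try:
        rows = lookup(conn, crafted)
    finally:
        conn.close()
    return len(rows) == 0


if __name__ == "__main__":
    print("vulnerable lookup passes regression test:",
          injection_regression_test(lookup_vulnerable))   # False
    print("parameterised lookup passes regression test:",
          injection_regression_test(lookup_safe))         # True
```

Running the block prints `False` for the concatenated version (the crafted input turns the `WHERE` clause into a tautology and every row, card digits included, comes back) and `True` for the parameterised one. The same check belongs in the application's test suite so that a later refactor cannot reintroduce string-built queries unnoticed.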

Previous recent studies have found that the highest risk to enterprises is from within, from disgruntled or incompetent employees and partners. Why do you think this seems to have changed?

•    We agree that partners are the single biggest threat to organisations. The dip in the partner breaches in our study was an effect of our case load bias and that we investigated a lot of very large cases that tied up a large number of our investigative resources. If we could have taken on every case that was offered to us last year we would have had a situation where the number of partner breaches would have gone up last year. We expect that external and partner breaches will reach parity in the next 18 months to two years.

•    Insiders are a significant threat in recent times. Layoffs due to the effects of the global financial crisis have seen a jump in insider breaches. We have seen an increase in the number of insider end-user cases in 2008 and expect this to rise again in 2009. Most of these insider end-user cases were ones where employees who had been terminated, and had not had their access to critical data removed, stole data in the period between when they were given notice and when they exited the organisation.

Explain what is meant by the finding that ‘most breaches resulted from a combination of events rather than a single action’. What lessons should major enterprises learn from this?

•    The typical external and partner data breach is made up of a number of moving parts. There is usually hacking to gain access to the systems and then malware is placed on the systems to steal data. The best approach to information security is defence in depth, but most organisations in our experience do not practice a good defence in depth strategy. Rather, they rely on a single control and when this is compromised, they are unaware until a third party taps them on the shoulder and notifies them that their environment has been compromised. Even then most organisations continue along in ignorance and deny the event until pressure becomes overwhelming from their customers, law enforcement and other regulatory bodies.

With “99 per cent of all breached records being compromised from servers and applications”, how do major enterprises generally need to change their security strategies to combat this?

•    The biggest single issue we see is the inability for organisations to control the lifecycle of their data. Sixty-seven per cent of breached records were in locations the victim organisation did not know existed on their systems. This shows systematic failure in the data management lifecycle.

The research found that in 69 per cent of cases, the breach was discovered by third parties, not by the victims. How should enterprises adapt their security strategies based on this information?

•    The biggest statistic in that finding is that only six per cent of data breaches were discovered by active monitoring systems such as event and log analysis, and the typical data breach takes seven months for the organisation to discover. This is seven months of log records and critical records and files leaving the organisation. In one recent case we saw a CEO’s PST mail file going out of the organisation through our log analysis. In the vast majority of cases, forensic tools are not required to determine what has happened. Most cases are solved through reading log records. If organisations actually read their log records they would greatly reduce the chances of being a victim of data breach and reduce the impacts should they actually be breached. We believe log analysis requires specialists as the evidence suggests that most organisations cannot perform this function internally.
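As an added illustration, not from the interview or from Verizon, of what "actually reading log records" can look like in practice: a small detector run over constructed outbound-proxy log lines that flags sensitive file types leaving the network (the answer's mail-file case), large out-of-hours transfers, and any host exceeding a daily outbound volume. The log format, hosts, thresholds and file names are all assumptions made for the example.

```python
"""Added example (not from the interview or Verizon): a minimal log-analysis
detector over constructed outbound-proxy records.  Fields, thresholds and
sample data are all constructed for this illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, internal host, destination, bytes sent, file name
SAMPLE_LOG = """\
2009-03-02T09:12:01 10.0.5.12 198.51.100.20 20480 report_q1.xlsx
2009-03-02T11:30:44 10.0.5.30 198.51.100.21 4096 index.html
2009-03-02T23:41:10 10.0.5.12 203.0.113.7 524288000 ceo_mail.pst
2009-03-03T02:15:33 10.0.5.12 203.0.113.7 734003200 archive_2008.zip
2009-03-03T10:05:00 10.0.5.30 198.51.100.21 1024 logo.png
"""

SENSITIVE_SUFFIXES = (".pst", ".ost", ".mdb")    # constructed watch-list of file types
DAILY_BYTES_THRESHOLD = 500 * 1024 * 1024          # constructed: 500 MiB per host per day
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024           # constructed: 100 MiB in one request
WORK_HOURS = range(7, 20)                           # constructed: 07:00 to 19:59


def parse_line(line: str) -> dict:
    """Split one space-separated record into typed fields."""
    ts, src, dst, nbytes, name = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "bytes": int(nbytes), "name": name}


def detect(log_text: str) -> list:
    """Return (rule, host, detail) tuples for every record that trips a rule,
    followed by per-host daily volume alerts in (host, day) order."""
    alerts = []
    per_host_day = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Rule 1: a file type on the watch-list is leaving the network.
        if ev["name"].lower().endswith(SENSITIVE_SUFFIXES):
            alerts.append(("sensitive-file-outbound", ev["src"], ev["name"]))
        # Rule 2: a single large upload outside working hours.
        if ev["ts"].hour not in WORK_HOURS and ev["bytes"] >= LARGE_TRANSFER_BYTES:
            alerts.append(("large-transfer-out-of-hours", ev["src"], ev["name"]))
        # Accumulate for rule 3: total outbound bytes per host per calendar day.
        per_host_day[(ev["src"], ev["ts"].date())] += ev["bytes"]
    for (src, day), total in sorted(per_host_day.items()):
        if total > DAILY_BYTES_THRESHOLD:
            alerts.append(("daily-volume-exceeded", src, f"{day} {total} bytes"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_LOG):
        print(f"{rule:28s} {host:12s} {detail}")
```

On the constructed sample every alert points at the same host, which is the pattern the answer describes: the evidence was in the logs for the whole period, and a few lines of rules over daily volumes and file types would have surfaced it long before a third party did. In production the thresholds need tuning per environment, and a fourth rule keyed on destinations never seen before is the usual next step.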

Is there anything else you think that enterprises should take into consideration given the messages from this latest survey? What are they doing so wrong that has led to this overall situation?

•    Organisations need to focus on doing a good and consistent job of information security. Many organisations that we see do an excellent job of information security in some areas but do not have even the simplest of controls in others. Our message to those organisations is to focus on the essentials first and then worry about excellence later. Other organisations do a spring clean before an audit. In other words, they clean up the information security sins of the last 12 months prior to the annual audit. Unfortunately, the bad guys don’t work to the same schedule; they work 24 hours a day, 365 days a year and need just one vulnerability to penetrate the organisation. If you think of information security like your hair, if you get a haircut every 12 months, there are going to be 10 months a year where you look scruffy and two months where you look good. Information security is like that: it is a 12-month-per-year effort and not an annual haircut to get a tick in the box from an auditor.
