Every year, Verizon compiles data from a list of prominent contributors for its annual report highlighting trends and statistics around data breaches and intrusions from the past year. The 70-page Data Breach Investigations Report (DBIR) covers a myriad of data points related to victim demographics, breach trends, attack types, and more. Reviewing these shifting security trends can give indications as to how well-postured one’s organization is against future threats. And just in case you’ve got your hands full patching server vulnerabilities, we’ve done the legwork of expanding on a few critical key points from the report.
The list of 2015 DBIR contributors reads like a who’s who in information security: McAffee, Splunk, Crowdstrike, Tripwire, Fortinent, FireEye, Kaspersky Labs, and Palo Alto Networks, among others. Based on Verizon’s analysis of the data sourced from these companies, it’s clear that a rethinking of information security is long past due. 2015’s data reveals that current security models are failing, with hackers increasingly outpacing the remedial efforts of security professionals in fixing vulnerabilities and weaknesses. Here are some highlights of the report’s findings:
RAM Scraping on the Rise
Retail giants Nieman Marcus and Target have both been recent victims of this malware type. In the case of the latter, infected point-of-sale (POS) systems at retail outlets resulted in the personal and financial information exposure of over 110 million customers. RAM scraping involves tapping into the memory banks of POS systems in order to capture information such as credit card numbers and addresses. Because this data is unencrypted when stored in memory, the typical end-to-end data encryption used by such systems is useless in the presence of RAM scrapers.
“Back in 2010, malware was all about the keylogger, and we saw very few examples of phishing or RAM-scraping malware being used. Fast forward to today, and RAM scraping has grown up in a big way. This type of malware was present in some of the most high-profile retail data breaches of the year, and several new families of RAM scrapers aimed at point-of-sale (POS) systems were discovered in 2014.”
There are several ways RAM scraping malware finds its way into an environment. An unsuspecting employee might have opened an email attachment containing the malware, or existing system vulnerabilities left unpatched may have allowed intruders to gain access. It’s also quite common for an insider to opened a backdoor on the network for RAM scrapers to be installed. Whichever the case may be, closing the security gaps that can lead to RAM scraping requires proactive monitoring of suspicious changes: both in user privileges, as well as on the POS system itself.
Take a peek at the screen of your local grocer’s POS system—the odds are you’ll see a familiar default background. More often, POS terminals are just specialized Windows machines outfitted with retail-specific software and peripherals. POS systems—just like any other critical endpoint—should be regularly scanned and monitored for new and existing vulnerabilities.
“Unfortunately, the proportion of breaches discovered within days still falls well below that of time to compromise.”
This is particularly alarming for a couple reasons: first, because hackers are accelerating in their ability to compromise systems while IT security is trailing in its ability to discover said compromises. Secondly, these statistics have consistently gotten worse since 2004. IT security has been steadily losing the battle on this front for years due to ineffective solutions and tactics for staving off attacks.
Time to Compromise vs. Time to Discover. Source: Verizon, “2015 Data Breach Investigations Report,” April 2015
“We found that 99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.”
In addition to zero day responsiveness, one also needs comprehensive and continuous security validation against old common vulnerabilities and exposures (CVE) to round out security efforts. Bolstering one’s security posture should involve both monitoring for new vulnerabilities as well as making sure older vulnerabilities have been fixed. To this end, staying on top of CVEs should be a regular ongoing activity. MITRE maintains an up-to-date dictionary of CVEs as well as the OVAL repository: a datastore of vulnerability definitions as identified in the CVE list. UpGuard provides comprehensive vulnerability scanning and monitoring against OVAL’s up-to-date repository, ensuring that one’s security posture has been shored up against the latest threat definitions.
“Ten CVEs account for almost 97% of the exploits observed in 2014...but beyond the top 10 are 7 million other exploited vulnerabilities that may need to be ridden down.”
The omnipresent 80–20 rule is in play here: by remediating the ten CVEs in question, one has effectively bolstered the organization’s infrastructure security against 97% of exploit attempts observed last year. That said, the sole focus of one’s remediation efforts should not just be these 10 CVEs—one should cover all bases, starting from the most regularly occurring exploits.
“70–90% of malware samples are unique to an organization.”
That being the case, most signature-based intrusion detection and malware protection solutions are minimally effective at best when faced with unique malware. Platforms like UpGuard that provide constant monitoring and assessment of an infrastructure’s state and security posture are the only reliable mechanisms for self-defense in these scenarios.
“It may not be obvious at first glance, but the common denominator across the top four patterns—accounting for nearly 90% of all incidents—is people. Whether it’s goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC and iD-10T uber-patterns.”
The old throwback PEBCAK is in play here, or “problem lies between keyboard and chair.” People can be intuitive, intelligent, but are also mistake-prone—every last one of them. And when it comes to security, these mistakes can have devastating consequences for the enterprise. To reduce the risks of human error, mechanisms like UpGuard are necessary to constantly check for these mistakes through constant monitoring and validation.
Miscellaneous errors account for 29.4% of all intrusion causes. Source: Verizon, “2015 Data Breach Investigations Report,” April 2015
As 29.4% of security incidents and 8.1% of confirmed data breaches were due to miscellaneous errors, it’s clear that many security issues are caused by carelessness rather than malice. The analogy is simple: if an expensive car is left unlocked in a questionable neighborhood, the chances of it being stolen skyrocket. One must assume that the external environment is inherently insecure and the enterprise is afloat in a sea of threats. Security holes must be discovered and filled—no matter size or cause—to avoid taking on water. An enterprise may have not been an initial direct target for a breach, but weaknesses may have nonetheless drawn intruders attention.
“Larger breaches tend to be a multi-step attack with some secondary system being breached before attacking the POS system.”
Indeed, POS endpoints must be secured, but tactical threats often involve access to target systems through another secondary system or subsystem. For example, in the case of the Target breach, hackers were able to gain access to POS systems via an HVAC provider’s system account. Because of Target’s failure to properly segregate its systems, intruders were able to gain access to the network, and hence—an avenue for attack into the POS systems.
This statistic is alarming when considering the types of systems potentially vulnerable to multi-step attacks. Data loss is one thing, but the potential for loss of life raises the ante to new heights. The danger of wifi on planes has been a hot topic of discussion as of late, understandably: the coexistence of avionics systems and onboard wifi networks could possibly lead to a multi-step attack—with graver consequences than any data breach could ever have.
A network is only as strong as its weakest link. One must be vigilant in testing all infrastructure components and applications, even if those that serve a seemingly ancillary function. Some systems might seem unimportant, but nonetheless may interface with other more critical systems where sensitive data resides. UpGuard enables enterprise infrastructure visibility and monitoring to ensure that all systems are securely configured and hardened to-spec.
“A long time ago in a DBiR far, far away, we began to see high-profile instances of hackers targeting web servers just to set up an attack on a different target, a tactic known as a Strategic Web Compromise.We began to track this type of attack last year (so, it shows up in this year’s data) and we’re seeing that secondary attacks make up nearly two-thirds of Web App Attacks. Virtually every attack in this data set (98%) was opportunistic in nature, all aimed at easy marks. information, Financial Services, and Public entities dominate the victim demographics, but only a few industries fully escaped the attention of these criminal empires.”
Similar to attacks such as the Target breach, strategic web compromises go after web servers to gain access and/or target a different server. Intrusions attempts may not start with the goal asset, but will almost certainly target the more weakly protected ones; again—comprehensive vulnerability assessment on all systems in the environment is imperative.
“Get a complete inventory of every component of your web presence (honestly, it’s not that hard) and ensure they are all in a regular patch cycle. Three-quarters of web app compromises are opportunistic, so this falls squarely under “the cost of doing business.”
From a security perspective, getting one’s infrastructure in line requires first gaining an understanding of what’s in place—servers, network devices, cloud apps, and their underlying configurations: packages, services, patches, et al. To remediate security issues, clearly one needs to know the state of the systems in their environment. This infrastructure insight is what UpGuard provides—as the definitive system of record for DevOps, the platform not only offers superior discovery and tracking capabilities, but also delivers cutting-edge vulnerability assessment and monitoring.
So how do events like 000webhost's massive data breach involving free web hosting providing 000webhost transpire? In a word, negligence. Gross negligence, to be precise.
Read Blog >
Access to free vulnerability assessment should be a basic right in a world where computing is integral to social and economic life. For our part, we're offering our full product, including vulnerability assessment, free forever for a user's first ten machines.
Read Blog >