Turning Scary Data into Actionable IT
October 25, 2012
By Nicole Pauls, SolarWinds Director of Product Management for Security Information & Event products
Data breach reports throw a lot of data into the world that busy IT admins just hear as noise. Reports from third parties (such as the Verizon and Identity Theft Resource Center reports) tend to be dense, while reports sponsored or provided by vendors that also offer related products are met with skepticism. Buried among the facts and figures, though, is genuinely useful data that can help you avoid becoming a statistic in the next breach report. Most of these breach reports are based on calendar year data and were released between February and April 2012, with one report covering the first half of 2012 posted in June.
Most of the world’s business – and therefore, IT – is done in small to midsize organizations where security is seen as a cost center and done with minimal resources. These same IT organizations are also tasked with compliance, attempting to rein in mobile devices and laptops, and in their spare time, helping the organization grow. In this article, we’ll explore the latest data breach and security reports, identify key points that relate especially well to small to midsize IT organizations, and lay out some best practices to help busy administrators get ahead of the game.
Just the Facts Ma’am
Each breach report has a different approach to gathering and reporting data, though the goal of each is to categorize reported breaches and identify commonalities we can draw recommendations from. Some reports go as far as to make recommendations based on the investigations, while others just present facts and let us draw our own conclusions. The Verizon Data Breach Investigations Report (DBIR) accumulated data from Verizon’s own investigative team as an incident-handling service provider and is very broad in scope, while reports from Ponemon (sponsored by Symantec) and Trustwave were smaller in scope. The Identity Theft Resource Center accumulates disclosed breaches from the media and state governmental agencies, so its information is fairly broad, but it carries less detail than the DBIR or Trustwave reports about how breaches were discovered.
Rather than let you wade through each of these reports, we’ve picked out highlights from four different reports. We’ve especially focused our attention on statistics and issues that are relevant to our goal of helping small to midsize IT administrators identify critical issues and breach prevention (or at the least, improved detection) methods.
Verizon offers the densest end-to-end set of breach report data, covering 855 incidents and 174 million compromised records. Smaller organizations (fewer than 1,000 employees) accounted for over two thirds of breaches in the Verizon report. Most of the breaches were in regulated industries (those with audit and compliance requirements), with 54 percent in hotel and food, 20 percent in retail, 10 percent in finance, and seven percent in healthcare. These organizations often face unique challenges: distributed networks, limited IT staff across their remote sites, users who don’t necessarily have a lot of experience, outsourced and contract services, and in the case of retail, hotel, and food, an expectation of customer service that includes network access for untrusted third parties.
Most breaches in the Verizon report were attributed to external agents (not the disgruntled employee, but an outsider who actually wants to steal), and most victims were targets of opportunity: organizations with weaknesses that were easily exploited, rather than “seek and destroy” targets. Some breaches still resulted from internal users and privilege misuse, but they were much smaller in number. Usually the target was exploited for financial or personal gain, especially in the case of the smaller organizations. Sadly, most of these breaches (85 percent) also took more than two weeks to discover, and most (92 percent) were discovered by a third party, for example a credit card processor or a consumer reporting fraud. In most breaches (84 percent) there was evidence of the breach in event log data that went unnoticed until the investigation started. Verizon’s conclusion was that 97 percent of breaches were avoidable through simple or intermediate controls, things that sound easy. For busy IT organizations, even simple controls can seem overwhelming, but if we combine detection and prevention techniques, we aren’t left trying to be 100 percent secure (which is virtually impossible unless you cut the cord and go back to sneakernet).
Trustwave Global Security Report
Trustwave’s 2012 Global Security Report uses investigation and research activity from Trustwave’s SpiderLabs in 2011, consolidating breach reports from more than 300 investigations. Trustwave and SpiderLabs also provide research insight into penetration test results, vulnerability scans, publicly disclosed breaches, antivirus reliability, email, and other security issues indirectly related to breaches. In the Trustwave report, the food and beverage industry accounted for 44 percent of breach investigations, the highest percentage overall for the second year in a row. Franchised environments (common in retail and food and beverage) are also seeing a rise in breaches, with over 30 percent of breach investigations attributed to these environments. Additionally, a very large share of breaches (76 percent) involved security deficiencies introduced by a third party responsible for system support, development, and/or maintenance. SQL injection remains the most popular Web attack method, and, amusingly, the most common password used by global businesses is “Password1”: a password that meets default password policies but is nonetheless extremely guessable.
Ponemon Cost of Data Breach Study (Sponsored by Symantec)
The Ponemon Cost of Data Breach Study (for 2011 breaches) was relatively small in scope, with information from 49 breaches investigated via extensive interviews after breach disclosures required by law. The Ponemon report focused on the monetary effect of breaches in which fewer than 100,000 records were exposed, but it also investigated the cause. Thirty-nine percent of organizations said negligence was the cause of the breach. Malicious or criminal attacks accounted for more than 30 percent of breaches and were also the most costly. On top of the base cost of $194 per record, the study attributed additional per-record costs to an organization’s first breach ($37/record), notifying customers before the breach was fully understood ($33/record), stolen devices ($22/record), and breaches caused by third parties ($26/record). The Ponemon study also found that the cost of detection has gone down, attributing that to better processes and detection mechanisms. This study also noted that third parties were the cause of breaches in 41 percent of organizations and, more frighteningly, that for 78 percent of organizations this was not their first breach. Most breaches were in the industries you’d expect: finance, retail, healthcare, services, and consumer categories accounted for well over 50 percent.
Identity Theft Resource Center
In a recent study, the Identity Theft Resource Center (ITRC) investigated 213 breaches over the first half of 2012. While the banking industry represented only four percent of those breaches (down from eight percent in 2010), healthcare was at 27 percent and climbing (up from 17 percent in 2010 and the previous high of 24 percent in 2011). Interestingly, the ITRC report found an increase in third party involvement in breaches, up to 14 percent in 2012 – double the 2011 number. As far as malicious attacks or “hacking,” ITRC noted an increase, with 31 percent of breaches (up from 28 percent) involving some component of malicious activity. Insider theft, however, was down for 2012 (eight percent in 2012, 17 percent in 2011).
The ITRC takes their breach report one step further, identifying the type of records breached. Forty-five percent of breaches exposed Social Security Numbers, down from 65 percent in 2011, while 19 percent of breaches exposed credit/debit card data, down from 35 percent in 2011. The remainder of breaches are across multiple categories, including passwords, email addresses, financial data, and other personal information.
Verizon and Trustwave included recommendations in their reports, and we’ve combined those with information from the other reports and some of our own thoughts to help busy IT teams figure out what to do and where to start.
Document and Verify Remote Access
In the DBIR, hacking was involved in 81 percent of breaches, and 88 percent of those hacking-related breaches involved remote access services. Several factors combine to make remote access (either directly through the firewall or through technologies like VPN) a necessity for any organization, but especially the small to midsize one. Combine this with the ITRC and Ponemon findings about third party involvement in a large and growing share of breaches, and we clearly need to keep an eye on remote access methods.
- Contractor, service provider, and third party support: often small IT teams end up outsourcing setup and maintenance to third parties, which can leave the perimeter looking like Swiss cheese, and leave issues like insecure passwords behind.
- Distributed networks: links to remote offices, franchisees, and small offices mean we have to maintain some kind of constant external connectivity. These sources can also be used against us if we haven’t done our homework to make sure we’re only allowing what we think we are.
- Remote Access via VPN (IPSec or SSL), Thin Client, Direct connection: Allowing employees to work from home, the road, remote offices, and even mobile devices via VPN and other technologies is now the norm, but we’ve got to make sure there are policies in place to ensure this communication is as secure as we think it is.
If you find yourself with any of these situations, you should go through your firewall, router, and/or VPN access control lists and make sure they are as tight as possible. If you haven’t already implemented egress filtering, do so – if you can’t catch it coming in, maybe you can catch it going out. With filtering, you can prevent situations you know shouldn’t exist, like servers or POS (Point of Sale) systems accessing untrusted Internet sites.
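The two checks above (nothing remote-access-related open to the whole Internet, and egress that ends in a deny) are mechanical enough to script. The following is an added example, not SolarWinds code and not from any of the reports: it audits a small rule list in a constructed five-column format (direction, action, source, destination, port) and reports rules that expose a remote access service to any source, plus egress rule sets that are missing or do not end in a default deny. The sample rule sets, the addresses, and the remote-access port list are all constructed for illustration.

```python
"""Audit a firewall/ACL rule list for remote access services exposed to any
source and for missing or open egress filtering.  Added example; the rule
format and the sample rule sets are constructed, not a real product's syntax."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Ports for services commonly used for remote access and management (constructed list).
REMOTE_ACCESS_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc", 1723: "pptp"}

# Constructed sample rule set: direction action source destination port
SAMPLE_RULES = """
in  allow 0.0.0.0/0       203.0.113.10/32 443    # public web server
in  allow 0.0.0.0/0       203.0.113.20/32 3389   # vendor "temporary" RDP access, never removed
in  allow 198.51.100.0/24 203.0.113.20/32 22     # SSH only from the service provider's range
out allow 10.20.0.0/24    192.0.2.50/32   443    # POS subnet may reach the payment processor only
out deny  0.0.0.0/0       0.0.0.0/0       any    # everything else outbound is dropped
"""

# The same perimeter with no egress rules at all (also constructed).
SAMPLE_RULES_NO_EGRESS = """
in  allow 0.0.0.0/0       203.0.113.10/32 443
in  allow 0.0.0.0/0       203.0.113.20/32 3389
"""


@dataclass
class Rule:
    direction: str       # "in" or "out"
    action: str          # "allow" or "deny"
    src: str             # CIDR
    dst: str             # CIDR
    port: Optional[int]  # None means any port


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and blank lines
        if not line:
            continue
        direction, action, src, dst, port = line.split()
        rules.append(Rule(direction, action, src, dst, None if port == "any" else int(port)))
    return rules


def is_any(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. the rule matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(rules: List[Rule]) -> List[str]:
    findings = []
    for i, r in enumerate(rules, 1):
        if r.direction == "in" and r.action == "allow" and is_any(r.src):
            if r.port is None:
                findings.append(f"rule {i}: inbound allow from any source on any port")
            elif r.port in REMOTE_ACCESS_PORTS:
                findings.append(f"rule {i}: {REMOTE_ACCESS_PORTS[r.port]} (tcp/{r.port}) open to the whole Internet")
    egress = [r for r in rules if r.direction == "out"]
    if not egress:
        findings.append("no egress rules: outbound traffic is unfiltered")
    else:
        last = egress[-1]
        if not (last.action == "deny" and is_any(last.src) and is_any(last.dst) and last.port is None):
            findings.append("egress rules do not end in a default deny")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_RULES), ("no-egress", SAMPLE_RULES_NO_EGRESS)):
        print(name, audit(parse_rules(text)) or ["no findings"])
```

The interesting finding in the first sample is rule 2: RDP opened for a vendor and never closed, exactly the kind of leftover a third party leaves behind. Export your real rule base into whatever simple format you like and run the same two questions against it.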
Audit Devices and their Passwords
Stolen login credentials accounted for 82 percent of breaches in the DBIR, and smaller organizations were especially affected by default or easily guessable passwords on devices (like the extremely common “Password1” that the Trustwave report uncovered). Combine remote access with default passwords and you have Internet-facing devices with the password equivalent of “1234,” which lets an attacker into the network to do further discovery (via keyloggers, scans of your network, etc.). Remember that most targets were targets of opportunity, and default passwords create a huge opportunity.
After you’ve documented all of the remote access points to your network, you should know which of those devices are Internet facing. Start here: make sure all of these devices have non-default, reasonably complex passwords. Move into the network and check all of your internal resources for the same, starting with the servers and network devices that hold the most critical data and have the most network access. If you use POS (Point of Sale) systems, these are high risk systems that very often have default, guessable passwords that give an attacker immediate access to the worst kind of data. Verizon found the POS security issue to be so common and so significant for smaller organizations that they created a handy cutout they encouraged consumers to hand to their favorite businesses.
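The “Password1” finding deserves a concrete check, because it shows why a complexity policy alone is not an audit. The following is an added example, not SolarWinds code: it scores a constructed device inventory against a typical default complexity policy (eight characters, three of four character classes), then against a default-credential list and a dictionary-word-plus-digits pattern, and flags Internet-facing devices first. The inventory, the vendor default pairs, and the weak-password list are all constructed for illustration; a real audit would load them from your asset inventory and a published default-credential list.

```python
"""Audit device passwords against a complexity policy and then against what
attackers actually try first.  Added example with constructed data."""
import re
from typing import Dict, List

# Constructed vendor default (username, password) pairs; real audits use a published list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("pos", "pos"), ("manager", "manager"),
}
# Constructed list of policy-compliant passwords that are nonetheless guessed first.
WEAK_PASSWORDS = {"password1", "welcome1", "summer2012", "qwerty123", "letmein1"}

# Constructed sample inventory entries.
INVENTORY = [
    {"name": "edge-fw",        "user": "admin",  "password": "admin",        "internet_facing": True},
    {"name": "vpn-1",          "user": "admin",  "password": "Password1",    "internet_facing": True},
    {"name": "pos-register-3", "user": "pos",    "password": "pos",          "internet_facing": False},
    {"name": "core-sw",        "user": "netops", "password": "k7$Qm2!vLp9#", "internet_facing": False},
]


def meets_complexity_policy(pw: str, min_len: int = 8) -> bool:
    """Typical default policy: at least min_len characters and three of four classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    present = sum(1 for c in classes if re.search(c, pw))
    return len(pw) >= min_len and present >= 3


def looks_guessable(pw: str) -> bool:
    """Catch what the policy misses: blacklisted values and word+digits patterns."""
    low = pw.lower()
    if low in WEAK_PASSWORDS:
        return True
    # a single word followed by one to four digits, e.g. Password1, Welcome2012
    return re.fullmatch(r"[a-z]{4,}\d{1,4}", low) is not None


def audit_device(device: Dict) -> List[str]:
    findings = []
    user, pw = device["user"], device["password"]
    if (user.lower(), pw.lower()) in DEFAULT_CREDENTIALS:
        findings.append("default vendor credential")
    if not meets_complexity_policy(pw):
        findings.append("fails complexity policy")
    elif looks_guessable(pw):
        findings.append("meets complexity policy but is guessable")
    if findings and device["internet_facing"]:
        findings.append("Internet-facing: fix first")
    return findings


def audit_inventory(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Map device name to its findings; devices with no findings are omitted."""
    report = {}
    for device in inventory:
        findings = audit_device(device)
        if findings:
            report[device["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

Note that vpn-1 passes the complexity policy and would not show up in a policy-only report; it is only the second pass that catches it. That is the whole point of the Trustwave statistic.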
Validate Third Party Work
Given the Trustwave report’s finding on third party contribution to breaches and the Verizon DBIR data, third party work is an ongoing issue. It’s likely impossible to bring all work in-house all the time, so a better strategy is to decide how you’re going to ensure the work being done is sufficiently secure (or at the very least, not making you less secure overall). If you’ve paid someone to set up your network, implement new services, or carry out either of the two audits above, you need to make sure they actually did it. If you don’t feel you’re capable of performing this validation yourself (or aren’t familiar enough with tools that can), you’ll need to come up with a methodology for certifying their work. Ask for validation of their work (can they prove it to you so that you’re satisfied with their answer?), use a second third party to validate their work (like asking for a second opinion), and get everything they did in writing.
Use Tools to Monitor and Validate
There’s no reason you have to go it alone. With a constantly changing network to accommodate new services, internal growth, acquisitions, new technology, and a whole host of other issues, it’s extremely difficult to perform these kinds of audits regularly. Tools that can help include:
- Network Configuration Management tools: Use these tools to centrally maintain your firewall, router, and other device policies so that you don’t have to visit each device constantly. Here you can also implement change controls and document why changes are made, so that if things get out of hand you can troubleshoot what changed, when, and why. Sometimes we do what’s easiest (open a port, skip the filtering) to get things set up, and it’s easy to forget that you did it and exactly what to revert or modify.
- Password databases: This seems extremely simple, but how many of us are using a notebook or spreadsheet to store the passwords to our devices? This low-end technology encourages password re-use because it’s too cumbersome to do any other way. Some password databases can provide new random passwords, limit access to passwords by user or group, or have a “check out” system where audit trails can also be formed.
- Event log monitoring: If you can’t prevent a breach, at least you can detect it. All of that evidence that was in log data can help you find a breach faster, or after one occurs, pinpoint where it started, when it started, and what may have occurred. This information is invaluable to containment, future prevention, and just good IT. Good visualization (not just review) also helps you spot problems before they become serious issues. A good log and event management solution can help you solve other problems, too, since most organizations face compliance initiatives with reporting and auditing requirements.
- Asset Inventory and Topology: Know what you have, where it is, and how it connects. If that’s an internally managed network diagram, keep it up to date. Find a way to track which systems have access to the Internet or are accessed from the Internet, and document important checklist items like default password changed, firewall policy checked, etc.
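The event log monitoring point above rests on the DBIR finding that the evidence was usually already in the logs. The following is an added example, not SolarWinds code or a Log & Event Manager rule: it runs two simple detections over constructed sshd-style authentication log lines for a remote access gateway, flagging a source that fails repeatedly inside a time window (brute force) and, more telling, a source that succeeds after a run of failures (a guessed credential). The log lines, hostnames and addresses are constructed; the thresholds are parameters you would tune.

```python
"""Run two detections over authentication log lines: a burst of failures from
one source, and a success that follows a run of failures from the same source.
Added example; the sshd-style lines below are constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log: an outside address guesses its way into the "pos" account at 2 a.m.,
# then an employee mistypes once at 8 a.m.
SAMPLE_LOG = """\
2012-10-20T02:14:01 vpn-gw sshd[4410]: Failed password for invalid user admin from 198.51.100.77 port 51022 ssh2
2012-10-20T02:14:03 vpn-gw sshd[4410]: Failed password for invalid user admin from 198.51.100.77 port 51022 ssh2
2012-10-20T02:14:05 vpn-gw sshd[4412]: Failed password for root from 198.51.100.77 port 51030 ssh2
2012-10-20T02:14:06 vpn-gw sshd[4412]: Failed password for root from 198.51.100.77 port 51030 ssh2
2012-10-20T02:14:09 vpn-gw sshd[4415]: Failed password for pos from 198.51.100.77 port 51041 ssh2
2012-10-20T02:14:11 vpn-gw sshd[4415]: Accepted password for pos from 198.51.100.77 port 51041 ssh2
2012-10-20T08:02:55 vpn-gw sshd[4901]: Failed password for jsmith from 10.20.1.15 port 40211 ssh2
2012-10-20T08:03:10 vpn-gw sshd[4901]: Accepted password for jsmith from 10.20.1.15 port 40211 ssh2
"""


def parse(lines: str) -> Iterator[Dict]:
    """Yield one dict per recognised login event, with a parsed timestamp."""
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event


def detect(lines: str, threshold: int = 5, window_s: int = 300, min_failures: int = 3) -> List[str]:
    """Return alert strings; events must be in time order, as a log file is."""
    failures = defaultdict(list)   # source ip -> timestamps of recent failures
    alerts = []
    for e in parse(lines):
        ip, ts = e["ip"], e["ts"]
        # keep only failures still inside the sliding window
        failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        if e["result"] == "Failed":
            failures[ip].append(ts)
            if len(failures[ip]) == threshold:
                alerts.append(f"{ip}: {threshold} failed logins within {window_s}s (brute force)")
        else:
            n = len(failures[ip])
            if n >= min_failures:
                alerts.append(f"{ip}: login as {e['user']} succeeded after {n} failures (guessed credential?)")
            failures[ip].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The jsmith entry is deliberately not alerted on: one typo followed by a success is normal, and a rule that fires on it trains people to ignore the console. The pos entry is the one that, in the DBIR’s data, usually sat unread until a card processor called.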
It’s nearly impossible to be secure, but it’s never impossible to be more secure. When you combine data from all of the breach reports, you can see fairly conclusively that deceptively simple tasks like default passwords or firewall rule validation can actually make a huge difference in your security posture. Don’t be afraid to eat the elephant one bite at a time – don’t let new devices go out (or come in) insecurely, start working backward with your most risky elements (Internet-facing, servers, and devices like POS systems), and take steps toward implementing some kind of active monitoring. The measure that saves you from a breach becoming a front page story could be extremely low cost for extremely high value.
Nicole Pauls is a Director of Product Management for security information and event management (SIEM) at SolarWinds, an IT management software provider based in Austin, Texas. Nicole has worked in all aspects of IT from help desk support, to network, security, and systems administration, to complete IT responsibility over the span of 10 years. She became a product manager to help bring accessible IT management software to the masses. She joined SolarWinds with the acquisition of Log & Event Manager in 2011.