
Wednesday, 7 March 2012

Verizon data breach report shows weak passwords at root of 2011 data breaches

Hacking and automated attacks made simple by poor password management practices were at the root of most 2011 data breaches, and many firms didn't detect the intrusion, according to an analysis conducted by Verizon's breach investigators.

“[Logs are] one of the most valuable ways that companies can improve their chances of catching breaches.”

Wade Baker, director of RISK intelligence, Verizon

The Verizon Investigative Response Caseload Review is a first-ever preview of the company's Data Breach Investigation Report (DBIR), which is due out later this year.

The analysis is based on 90 breaches investigated by Verizon last year, which make up about 10% of the more than 850 included in the 2012 DBIR. While the trends evident in the Caseload Review are usually reflected in the larger Verizon data breach report, the numbers themselves should be different, said Wade Baker, director of RISK intelligence at Verizon Business.

The report detailed how hacking and malware often interact to cause a data breach, and also identified some of the common security weaknesses exploited by attackers. “A whopping 99% of all stolen data involved using some variety of hacking and malware,” according to the report. Verizon also noted that social tactics that target individual people, such as phishing, were tied to over half of all data loss in the 90 breaches.

“Phishing results in malware and results in hacking by utilizing a backdoor or stolen credentials,” Baker said. “An attack might include all of these things.”

Weak, default passwords and stolen credentials were at the root of more than half the breaches investigated by the Verizon team. Attackers used default or guessable credentials in about 29% of the data breaches. Stolen credentials were at the heart of 24% of the breaches.

Baker said that exploiting user credentials has been a growing trend.

“Attackers seem to be looking for ways to exploit the mechanisms we use to authenticate users,” he said. “If they gain access to an account and it looks like they've just logged in, they look like a real user; that gives them a real advantage.”

Once the attacker is inside the system as a credentialed user, Baker said, the potential for damage increases.

“Getting in makes you look legitimate,” Baker said. An attacker gains almost unfettered access without being detected as a possible threat or looking unusual in security information and event management (SIEM) logs, he said.

Another 49% of breaches were a result of some form of backdoor exploitation. Backdoors, while sometimes stumbled upon by a hacker after already being installed, are also often created by the attacker themselves through vulnerability detection or phishing.

If the attempt is successful, the backdoor gives the attacker unhindered access to everything allowed by the user's account. It's also another way to avoid detection by SIEM logs.

SIEM Logs going unmonitored

That's only worrisome for an attacker, however, if they are targeting a company with an IT staff that actually analyzes the logs. Most companies have SIEM in place to meet compliance obligations, but many don't monitor logs regularly.

“I'm a fan of using logs much, much more than we do,” Baker said. “I think a lot of companies save logs … but they don't have people actually using them.” This is a shame, he said, because “that's one of the most valuable ways that companies can improve their chances of catching breaches.”

Because SIEM system logs are not regularly monitored, breach detection took months or years in nearly 60% of breaches; only about 20% were detected within days.

Of the 90 breaches investigated by Verizon in 2011, only 5 were detected by IT teams that regularly monitor their SIEM system logs. Two thirds of the breaches were detected by an external party, usually a customer who received an identity fraud notification, or law enforcement that was already tracking a suspected cybercriminal or group, Baker said.

Baker sees the five instances as a slight glimmer of hope for the future of enterprise security. The Verizon RISK team also noted that the number of breaches detected through log analysis, “while still small, represents the highest such event we have ever seen in our caseload.”

Baker hopes that trend will continue, even with the introduction of mobile devices to the corporate world. Monitoring smartphones and tablets is only different, he said, because an additional threat is the risk of them being lost or stolen.

Although the Caseload Report noted that nearly half of the breaches included the compromise of user devices, it is more common for devices to “provide a foothold into the organization” than for data to be stolen directly from a device. Attackers often use a keylogger to steal user credentials, and then gain access to the internal application server directly.

For the most part, Baker sees future threats to mobile devices as the same problems that currently plague workplace PCs and laptops.

“It's only a matter of time until they become the norm,” he said.

