There is always chatter about the sophistication of malware and the advanced hacking techniques attackers use to steal payment information or sensitive corporate data. While that may be true for targeted attacks against high-value targets such as government agencies, the defense industrial base or financial institutions, the vast majority of victims, according to the 2012 Verizon Data Breach Investigations Report (DBIR), are smaller companies that fall prey to commodity attacks that expose shortcomings in basic information security practices. The innovation is in the automation and process refinement behind the attacks, not necessarily in the sophistication of the malware involved, the report suggests.
"Small businesses are worried about the bottom line. It is a matter of skill, time and resources that they are unable to defend themselves." Christopher Porter, principal, Verizon RISK team
The Verizon DBIR 2012, released publicly today, said attackers have found a particular soft spot by attacking point-of-sale (POS) and remote access systems, many of which lack a firewall or other security controls, using large-scale automated attacks. Labeling these "opportunistic attacks," the DBIR data suggests, as it did a year ago, that small and medium-size organizations are in the crosshairs of attackers, particularly those in the food services and hotel industries.
Accommodation and food services accounted for 54% of the breaches investigated by Verizon's RISK team; retail was next at 20%. In contrast, most targeted attacks that ended in data breaches were carried out against the financial and insurance sectors, most of which were larger businesses (more than 1,000 employees); more than 50% of attacks against larger organizations were targeted rather than opportunistic.
Christopher Porter, principal with Verizon's RISK team, said organized cybercrime groups have automated attacks end to end. These groups scan the Internet looking for exposed POS or remote administration services, such as remote desktop management, and then use brute force attacks against the logins to gain access. Since many of these systems use easy-to-guess or default passwords, gaining access can be trivial. Once inside, malware, usually a keylogger, is installed and begins collecting data. The malware is also preconfigured to send the data outbound, either via FTP or email, to a web server under the attacker's control. The data is then sold on the black market, or, if credentials are stolen, deeper attacks are conducted against bank accounts or other systems within the enterprise.
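The pattern Porter describes, a burst of login failures against a remote administration service from one source followed by a success, is straightforward to flag in authentication logs. The following is an added example, not code from the DBIR or from Verizon; the log format is a constructed, simplified one (timestamp, source IP, username, result), and the threshold and window are assumed values a defender would tune to their own environment.

```python
"""Added example (not from the DBIR or Verizon): flag the commodity attack
pattern described above, a burst of failed logins against a remote
administration service from one source, followed by a success that shows
the brute force worked. The log format is a constructed, simplified one
(timestamp, source IP, username, result); real RDP or SSH logs need their
own parser, but the detection logic is the same."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source hammers several default-looking
# accounts and gets in; a second source is an ordinary user mistyping once.
SAMPLE_LOG = """\
2012-03-20T02:14:01 src=198.51.100.23 user=administrator result=FAIL
2012-03-20T02:14:02 src=198.51.100.23 user=administrator result=FAIL
2012-03-20T02:14:03 src=198.51.100.23 user=admin result=FAIL
2012-03-20T02:14:04 src=198.51.100.23 user=pos result=FAIL
2012-03-20T02:14:05 src=198.51.100.23 user=pos result=FAIL
2012-03-20T02:14:06 src=198.51.100.23 user=pos result=SUCCESS
2012-03-20T09:30:11 src=203.0.113.7 user=manager result=FAIL
2012-03-20T09:30:40 src=203.0.113.7 user=manager result=SUCCESS
"""


def parse_line(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(ts),
        "src": fields["src"],
        "user": fields["user"],
        "ok": fields["result"] == "SUCCESS",
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for every source that produced at least
    `threshold` failures inside any span of length `window`. A later success
    from the same source upgrades the finding from 'bruteforce' to
    'compromised' and records which account the attacker got into."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        recent_fails = []          # failure timestamps still inside the window
        burst_seen = False
        for e in evs:
            if not burst_seen:
                if e["ok"]:
                    continue       # a success before any burst is ordinary
                recent_fails.append(e["ts"])
                recent_fails = [t for t in recent_fails if e["ts"] - t <= window]
                if len(recent_fails) >= threshold:
                    burst_seen = True
                    findings[src] = {
                        "status": "bruteforce",
                        "first_seen": recent_fails[0],
                        "users_tried": sorted({x["user"] for x in evs if not x["ok"]}),
                    }
            elif e["ok"]:
                # First success after the burst: the guessed password worked.
                findings[src]["status"] = "compromised"
                findings[src]["account"] = e["user"]
                break
    return findings


if __name__ == "__main__":
    for src, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(src, finding)
```

The sliding window is what separates a scripted attack from a user who mistypes a password twice; the caveat is that an attacker who spreads attempts across many source addresses or over hours will stay under a per-source threshold, so a second rule keyed on the target account rather than the source is worth adding in practice.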
"We joke that there must be some sort of old crime groups that have gotten their MBAs," Porter said. "In the last several years of these types of industrialized attacks, we're seeing innovation in the process and methodology used. The whole process is end to end and it's massive in scale. Typically, it's smaller businesses that are getting hit with this because small businesses are worried about the bottom line. It's a matter of skill, time and resources that they are not able to defend themselves."
Porter said in some cases prevention means changing a default or existing password to something complex and putting an access control list in front of the remote access service. These tactics would buffer potential victims from commodity attacks that scale easily for an attacker who would rather not customize malware for each victim. The DBIR points out that customization is found almost exclusively in targeted attacks, where malware is written from scratch or existing code is modified.
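To make the access control list concrete, the following added example (not Verizon's code, and not any vendor's firewall syntax) models an ACL as a list of (action, source network, port) rules evaluated first-match with an implicit default deny, and puts the weak setting, remote desktop reachable from anywhere, beside the corrected one, where only two assumed address ranges may reach it. The audit function answers the question the report raises: which administrative ports does this ruleset expose to the whole Internet?

```python
"""Added example (not from Verizon or the DBIR): a model of the access
control list Porter recommends in front of a remote administration
service. Rules are a constructed abstraction, (action, source_network,
port), evaluated first-match with an implicit default deny; the address
ranges are assumed, documentation-only ranges, not real networks."""
import ipaddress

RDP = 3389


def allowed(rules, src_ip, dst_port):
    """First matching rule wins. If nothing matches, the connection is
    denied, which is the behaviour an allowlist needs."""
    ip = ipaddress.ip_address(src_ip)
    for action, net, port in rules:
        if port in (dst_port, "any") and ip in ipaddress.ip_network(net):
            return action == "allow"
    return False


def open_admin_ports(rules, admin_ports=(RDP, 22, 5900)):
    """Audit: which administrative ports does this ACL allow from every
    source? An allow rule whose network covers the whole address space
    (prefix length 0) is the 'exposed to the Internet' condition the
    report describes."""
    exposed = set()
    for action, net, port in rules:
        if action == "allow" and ipaddress.ip_network(net).prefixlen == 0:
            exposed.update(admin_ports if port == "any" else [port])
    return sorted(exposed)


# Weak setting (constructed): remote desktop reachable from anywhere.
EXPOSED_RDP = [("allow", "0.0.0.0/0", RDP)]

# Corrected setting (constructed): only the head-office link and the POS
# vendor's support range may reach remote desktop; everything else falls
# through to the default deny.
ALLOWLISTED_RDP = [
    ("allow", "203.0.113.0/29", RDP),   # head office (assumed range)
    ("allow", "192.0.2.0/24", RDP),     # POS support vendor (assumed range)
    ("deny", "0.0.0.0/0", "any"),       # explicit, for readability
]

if __name__ == "__main__":
    scanner = "198.51.100.23"           # an Internet scanner, constructed
    print("exposed ruleset lets scanner in:", allowed(EXPOSED_RDP, scanner, RDP))
    print("allowlisted ruleset lets scanner in:", allowed(ALLOWLISTED_RDP, scanner, RDP))
    print("admin ports open to the world:", open_admin_ports(EXPOSED_RDP))
```

The point of the model is the default: an allowlist only works if an unmatched connection is dropped, so a real firewall should be checked for a permissive catch-all rule at the end of the chain as well as for the `0.0.0.0/0` allow the audit function looks for. The password half of Porter's advice is not modeled here; it is a policy on the service itself, not on the ACL.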
"In these large-scale, multiple-victim compromises, attackers simply need not bother with customizing malware since they can successfully use 'canned' attacks against thousands of victims," the report said.
Attackers are also less likely to spend much time inside a smaller organization, the DBIR said. Unlike large organizations rich in data and system interdependencies, all of the data stored on servers inside smaller organizations is usually stolen and the attackers then move on. In attacks against larger organizations, they are likely to carry out quieter attacks, often involving backdoors that are used to gain repeated access.
"These are relatively easy attacks that require little in-depth knowledge or creativity. They are frequently scripted, geared toward many targets, and, if unsuccessful, exhibit little persistence," the report said. "In fact, the thief often doesn't even know what he's stolen until checking the remote server to which his scripts were sending the captured data. The targets simply aren't worth much effort to the attacker, since few records are stolen in such incidents; scale of targets is what matters."