Simple information security mistakes can cause data loss, says expert

By Ron Condon, U.K. Bureau Chief
21 May 2009 | SearchSecurity.co.uk

Simple mistakes by organisations can cause data loss, and those errors are making it easy for cybercriminals to flourish on the Internet, according to a forensics expert who investigated some of the world's biggest security breaches.

Matthijs van der Wel is head of forensics at Verizon Business, which has carried out investigations into more than 600 data breaches over the last five years, including a large proportion of all publicly disclosed data breaches, as well as others that have never been made public.

Van der Wel contributed to Verizon's 2009 Data Breach Investigations Report, published in April, which overturned some long-held assumptions about security, most notably by showing that nearly 80% of all breaches come from outside the organisation. Conventional wisdom held that insiders always posed the biggest threat, but the Verizon report showed a sharp rise in external attackers finding ways to compromise confidential records.

In 2008, Verizon recorded 285 million compromised records in 90 data breach investigations -- more than all four preceding years combined. According to van der Wel, that statistic signals a growing sophistication amongst cybercriminals that is not matched currently by organisations trying to protect their own data. "Organisations are making what I can only describe as stupid mistakes," he said.

For example, failing to patch known vulnerabilities, leaving default passwords in place and neglecting to disable user accounts when employees leave the organisation can all lead to data loss.

The flood of stolen personal and financial data on the black market has driven down prices, he said. A stolen credit record could have fetched up to $16 four years ago; now it sells for 50 cents. That has prompted organised crime to become more sophisticated and to go after more valuable information in more targeted attacks.

"Cybercriminals are now investing a lot of time, resources and money into targeting some very high-profile victims," he said. "In one recent case I investigated, cybercriminals accessed the network of a major organisation and spent a year looking around the network, learning everything they could about each and every system before they initiated their first attack. They probably had a better picture of the network than the organisation itself."

Simple rules for reducing damage

* Do not use default passwords.

* Ensure that third-party suppliers (such as maintenance companies) do not use default passwords or shared credentials for all their clients.

* Do regular network scans to check what servers you have. If you don't know what you have, you can't protect it.

* Patch regularly, using an up-to-date network diagram to ensure all systems are covered.

* Ensure user accounts are closed when employees leave. "In the majority of the cases we've seen, a terminated employee was involved," says van der Wel. "Go through the user accounts list and check that all users are still employed within your organisation."

* Examine system log files to establish what is normal behaviour on the system. Then you will be in a better position to recognise abnormal behaviour.

* Get IT staff to come up with different attack scenarios.

* Analyse IDS alerts, or outsource the process to a specialist service company. Do not just ignore the alerts like an annoying car alarm that keeps going off.

* Analyse the IP addresses of outgoing connections.

Despite the growing sophistication of the attacks, van der Wel said many of the organisations affected could easily have averted a data breach or reduced the damage.

In many cases, the solution would be just a question of monitoring system log files or analysing alerts from intrusion detection systems, but few organisations bother to do it.

"When we do an investigation and look at log files, the evidence is there," he said. "Organisations would be better off hiring people to do the log file analysis. There is such a wealth of information you can learn from log files, especially application or database logs. But many organisations just collect them and don't do anything with them, or they turn them off to save disk space, or they have rotating log files so they are constantly overwritten."

In one case he investigated, an IDS raised 1,800 alerts about an SQL injection attack, all of which the victim organisation ignored. "The logs show you what has gone on. The organisation could have seen that for themselves. That's why they got the box in the first place. It's very frustrating."
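The web server's own access log would have told the same story as those 1,800 IDS alerts. The following is an added example, not code from the article or from Verizon, that scans constructed Common Log Format lines for SQL injection attempts: it URL-decodes each request, matches the query string against a few narrow injection patterns, and counts hits per source address. The log lines, addresses and patterns are all constructed for the example.

```python
"""Count SQL-injection attempts per source address in a web access log.

Added example, not code from the article or from Verizon. Log lines and
patterns are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample in Common Log Format; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2009:02:14:05 +0100] "GET /product.asp?id=17 HTTP/1.1" 200 5123
203.0.113.7 - - [12/May/2009:02:14:09 +0100] "GET /product.asp?id=17' HTTP/1.1" 500 311
203.0.113.7 - - [12/May/2009:02:14:13 +0100] "GET /product.asp?id=17%27%20OR%201%3D1-- HTTP/1.1" 200 88120
203.0.113.7 - - [12/May/2009:02:14:20 +0100] "GET /product.asp?id=17%20UNION%20SELECT%20card_no,expiry%20FROM%20cards-- HTTP/1.1" 200 902331
198.51.100.24 - - [12/May/2009:09:01:44 +0100] "GET /product.asp?id=18 HTTP/1.1" 200 5087
198.51.100.24 - - [12/May/2009:09:02:10 +0100] "GET /search.asp?q=o'neill HTTP/1.1" 200 4410
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Narrow indicators that a parameter is being used to change the SQL statement,
# rather than merely containing an apostrophe (see the o'neill line above).
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I),   # ' OR 1=1
    re.compile(r"\bunion\b.+\bselect\b", re.I),                    # UNION SELECT ...
    re.compile(r"--\s*$|;\s*(drop|insert|update|delete)\b", re.I), # comment-out / stacked query
    re.compile(r"\b(sleep|waitfor\s+delay|benchmark)\s*\(", re.I), # time-based blind probes
]


def classify_request(url, status):
    """Return "injection", "probe" or None for one request line."""
    query = unquote_plus(url).partition("?")[2]
    if not query:
        return None
    if any(p.search(query) for p in SQLI_PATTERNS):
        return "injection"
    # A lone quote that makes the server throw a 500 is the classic first step:
    # the attacker has just learned the parameter reaches the database unescaped.
    if "'" in query and status >= 500:
        return "probe"
    return None


def scan_access_log(text):
    """Return {source_ip: {"injection": n, "probe": n}} for every offending source."""
    hits = defaultdict(lambda: {"injection": 0, "probe": 0})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # unparsable line: a real tool should count these too
        kind = classify_request(m["url"], int(m["status"]))
        if kind:
            hits[m["ip"]][kind] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, counts in scan_access_log(SAMPLE_LOG).items():
        print(f"{ip}: {counts['injection']} injection attempts, {counts['probe']} probes")
```

Run over a real log, the per-source counts show at a glance when one address is throwing hundreds of injection attempts. A single apostrophe in a parameter is not flagged unless the server answered with a 500, which is the usual sign that the quote broke a query. The patterns here are deliberately narrow; a production IDS signature set is far wider and will also produce false positives, which is exactly why the alerts need analysing rather than muting.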

In other cases, where targeted attacks have been able to evade antivirus software and penetrate systems, companies can still pick up the tell-tale signs if they know what to look for, he said.

For instance, he discovered a 30 GB file in a system where malware was storing information it had intercepted. "Nobody in the organisation asked why there was a 30 GB file that kept growing every day. Or why so much data was leaving the organisation," he said.

His advice is to examine the IP addresses of outgoing connections, analyse their physical locations, and then plot them using Google Maps. "You then ask: Why do we have a connection to Romania every Saturday morning? Or a connection every week to Italy after office hours? They could be for an off-shore back-up service, but you need to examine it."
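The Google Maps step needs a geolocation source, but the pattern behind van der Wel's questions (the same destination every Saturday morning, or every week after hours) can be found in a connection log without one. The following added example, mine rather than the article's or Verizon's, profiles outbound sessions per destination from constructed firewall-style records: it counts sessions and bytes, marks which fall outside office hours, and detects a weekly recurrence at the same weekday and hour. The country table is an assumed stand-in for a GeoIP database, and the hosts, addresses and timestamps are constructed.

```python
"""Profile outbound connections by destination and flag the ones worth asking about.

Added example, not code from the article or from Verizon. Input records are
constructed; the country table is an assumed stand-in for a GeoIP lookup.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one outbound session per line, as a firewall or proxy
# might export it. Fields: ISO timestamp, source host, destination IP, bytes sent.
# Destination addresses are RFC 5737 documentation ranges.
SAMPLE_CONNECTIONS = """\
2009-04-04T06:12:03 fileserver01 203.0.113.45 734003200
2009-04-11T06:09:41 fileserver01 203.0.113.45 751245568
2009-04-18T06:15:22 fileserver01 203.0.113.45 768491520
2009-04-25T06:11:58 fileserver01 203.0.113.45 785768960
2009-04-06T10:03:11 ws-sales-12 198.51.100.8 18234
2009-04-07T11:41:50 ws-sales-12 198.51.100.8 20411
2009-04-08T14:02:13 ws-hr-03 198.51.100.8 19877
2009-04-09T19:30:02 ws-sales-12 192.0.2.77 9345
2009-04-16T19:31:14 ws-sales-12 192.0.2.77 10222
2009-04-23T19:29:48 ws-sales-12 192.0.2.77 9876
"""

# Assumed country lookup (hypothetical; a real tool would query a GeoIP database).
COUNTRY = {"203.0.113.45": "RO", "198.51.100.8": "GB", "192.0.2.77": "IT"}
OFFICE_HOURS = range(8, 18)       # 08:00 to 17:59, Monday to Friday
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_connections(text):
    """Parse the whitespace-separated records into (datetime, src, dst, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows


def is_off_hours(dt):
    """True for weekends and for any hour outside OFFICE_HOURS."""
    return dt.weekday() >= 5 or dt.hour not in OFFICE_HOURS


def profile_destinations(rows):
    """Aggregate sessions, bytes, off-hours count and (weekday, hour) slots per destination."""
    prof = defaultdict(lambda: {"sessions": 0, "bytes": 0, "off_hours": 0,
                                "slots": Counter(), "sources": set()})
    for dt, src, dst, nbytes in rows:
        p = prof[dst]
        p["sessions"] += 1
        p["bytes"] += nbytes
        p["off_hours"] += int(is_off_hours(dt))
        p["slots"][(dt.weekday(), dt.hour)] += 1
        p["sources"].add(src)
    return dict(prof)


def flag_destinations(profiles, min_sessions=3):
    """Return {dst: details} for destinations whose timing pattern needs explaining.

    Behaviour (every session off-hours, or a weekly recurrence in the same slot)
    is the trigger; the country is reported as context, not used as evidence.
    """
    findings = {}
    for dst, p in profiles.items():
        reasons = []
        if p["off_hours"] == p["sessions"]:
            reasons.append("every session outside office hours")
        (weekday, hour), n = p["slots"].most_common(1)[0]
        if n >= min_sessions and n == p["sessions"]:
            reasons.append(f"recurs weekly: {DAYS[weekday]} at {hour:02d}:00")
        if reasons:
            findings[dst] = {
                "country": COUNTRY.get(dst, "unknown"),
                "sessions": p["sessions"],
                "gigabytes": round(p["bytes"] / 1e9, 2),
                "sources": sorted(p["sources"]),
                "reasons": reasons,
            }
    # Biggest movers first: volume is what turns a curiosity into an incident.
    return dict(sorted(findings.items(), key=lambda kv: -kv[1]["gigabytes"]))


if __name__ == "__main__":
    flagged = flag_destinations(profile_destinations(parse_connections(SAMPLE_CONNECTIONS)))
    for dst, info in flagged.items():
        print(f"{dst} ({info['country']}): {info['gigabytes']} GB over {info['sessions']} sessions "
              f"from {', '.join(info['sources'])}; " + "; ".join(info["reasons"]))
```

The two flagged destinations are the Saturday-morning and after-hours cases from the text; the GB destination used during the working day by several workstations is not flagged, so a foreign country alone is reported as context rather than treated as evidence. Whether the 3 GB a month going to Romania is an off-shore backup or an exfiltration channel is the question the analyst then has to answer.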

In practice, 70% of organisations do not detect security breaches themselves; instead they rely on third parties, such as police, customers or business partners, to spot that something is wrong. As the report pointed out: "The opportunity for detection is there; investigators noted that 66% of victims had sufficient evidence available within their logs to discover the breach had they been more diligent in analysing such resources."

Van der Wel's advice is to use your own staff to spot the systems' weaknesses. "Sit down with a couple of knowledgeable IT guys and come up with different attack scenarios. Ask how they would attack their own organisation. Imagine how that would show up in the log files. After that, go and look in the log files to see if anyone has done it. If you can think of it, so could others. We don't see many IT organisations spending their money doing things like that. They would rather spend the money on a new box."
