
Simple information security mistakes can cause data loss, says expert

By Ron Condon, U.K. Bureau Chief
21 May 2009 | SearchSecurity.co.uk


Simple mistakes by organisations can cause data loss, and those errors are making it easy for cybercriminals to flourish on the Internet, according to a forensics expert who investigated some of the world's biggest security breaches.

Matthijs van der Wel is head of forensics at Verizon Business, which has carried out investigations into more than 600 data breaches over the last five years, including a large proportion of all publicly disclosed data breaches, and others that have never been released.

Van der Wel contributed to Verizon's 2009 Data Breaches Investigations Report published in April, which overturned some long-held assumptions about security, most notably showing that nearly 80% of all breaches come from outside the organisation. According to conventional wisdom, insiders always posed the biggest threat, but the Verizon report showed a sharp rise in external hackers finding ways to compromise confidential records.

In 2008, Verizon recorded 285 million compromised records in 90 data breach investigations -- more than all four preceding years combined. According to van der Wel, that statistic signals a growing sophistication amongst cybercriminals that is not matched currently by organisations trying to protect their own data. "Organisations are making what I can only describe as stupid mistakes," he said.

For example, failing to patch vulnerabilities, using default passwords and forgetting to close down user accounts when employees leave the organisation can cause data loss.

The flood of stolen personal and financial data on the black market has driven down prices, he said. A stolen credit record could've fetched up to $16 four years ago, but now the price is 50 cents. That has prompted organised crime to become more sophisticated and to go after more valuable information in more targeted attacks.

"Cybercriminals are now investing a lot of time, resources and money into targeting some very high-profile victims," he said. "In one recent case I investigated, cybercriminals accessed the network of a major organisation and spent a year looking around the network, learning everything they could about each and every system before they initiated their first attack. They probably had a better picture of the network than the organisation itself."

Despite the growing sophistication of the attacks, van der Wel said many of the organisations affected could easily have averted a data breach or reduced the damage.

In many cases, the solution would be just a question of monitoring system log files or analysing alerts from intrusion detection systems, but few organisations bother to do it.

"When we do an investigation and look at log files, the evidence is there," he said. "Organisations would be better off hiring people to do the log file analysis. There is such a wealth of information you can learn from log files, especially application or database logs. But many organisations just collect them and don't do anything with them, or they turn them off to save disk space, or they have rotating log files so they are constantly overwritten."

In one case he investigated, an IDS raised 1,800 alerts about an SQL injection attack, all of which the victim organisation ignored. "The logs show you what has gone on. The organisation could have seen that for themselves. That's why they got the box in the first place. It's very frustrating."

In other cases, where targeted attacks have been able to evade antivirus software and penetrate systems, companies can still pick up the tell-tale signs if they know what to look for, he said.

For instance, he discovered a 30 GB file in a system where malware was storing information it had intercepted. "Nobody in the organisation asked why there was a 30 GB file that kept growing every day. Or why so much data was leaving the organisation," he said.

His advice is to examine the IP addresses of outgoing connections, analyse their physical locations, and then plot them using Google Maps. "You then ask: Why do we have a connection to Romania every Saturday morning? Or a connection every week to Italy after office hours? They could be for an off-shore back-up service, but you need to examine it."
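The review of outgoing connections described above can be started from a firewall or proxy log before anything is plotted. The following is an added example, not part of the original article or of Verizon's tooling: it groups outbound connections by source host, destination country and weekday, and reports foreign, out-of-hours destinations that recur across several weeks. The log format, host names, office hours and the prefix-to-country table (a stand-in for a real GeoIP database) are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for a GeoIP database: documentation-only prefixes
# (RFC 5737) mapped to countries purely for illustration.
GEO = {
    ipaddress.ip_network("192.0.2.0/24"): "RO",
    ipaddress.ip_network("198.51.100.0/24"): "IT",
    ipaddress.ip_network("203.0.113.0/24"): "GB",
}
HOME_COUNTRY = "GB"           # assumption: where the organisation operates
OFFICE_HOURS = range(8, 18)   # assumption: 08:00-17:59, Monday to Friday

# Constructed log, space-separated: ISO timestamp, source host, destination IP, bytes sent
SAMPLE_LOG = """\
2009-05-02T06:14:00 srv-db01 192.0.2.10 52428800
2009-05-09T06:15:00 srv-db01 192.0.2.10 61865984
2009-05-16T06:13:00 srv-db01 192.0.2.10 73400320
2009-05-05T21:40:00 ws-114 198.51.100.7 1048576
2009-05-12T21:42:00 ws-114 198.51.100.7 1310720
2009-05-06T10:05:00 ws-020 203.0.113.25 20480
2009-05-07T14:30:00 ws-031 198.51.100.99 4096
"""

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO.items() if addr in net), "??")

def out_of_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in OFFICE_HOURS

def recurring_foreign_connections(log_text, min_weeks=2):
    """Map (host, country, weekday) -> (distinct weeks seen, total bytes sent)."""
    weeks, volume = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        stamp, host, dst, sent = line.split()
        ts = datetime.fromisoformat(stamp)
        cc = country_of(dst)
        if cc == HOME_COUNTRY or not out_of_hours(ts):
            continue  # domestic or normal working-hours traffic is not reported
        key = (host, cc, ts.strftime("%A"))
        weeks[key].add(ts.isocalendar()[:2])  # (ISO year, ISO week)
        volume[key] += int(sent)
    return {k: (len(w), volume[k]) for k, w in weeks.items() if len(w) >= min_weeks}

if __name__ == "__main__":
    for (host, cc, day), (n, total) in recurring_foreign_connections(SAMPLE_LOG).items():
        print(f"{host} -> {cc} every {day}: {n} weeks, {total} bytes; explain or investigate")
```

Each reported pattern still needs a human answer, since a legitimate off-shore back-up service produces the same shape as the Saturday-morning connection in the constructed data.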

In the event, 70% of organisations do not detect security breaches themselves, instead relying on third parties, such as police, customers or business partners, to spot that something is wrong. As the report pointed out: "The opportunity for detection is there; investigators noted that 66% of victims had sufficient evidence available within their logs to discover the breach had they been more diligent in analysing such resources."

Van der Wel's advice is to use your own staff to spot the systems' weaknesses. "Sit down with a couple of knowledgeable IT guys and come up with different attack scenarios. Ask how they would attack their own organisation. Imagine how that would show up in the log files. After that, go and look in the log files to see if anyone has done it. If you can think of it, so could others. We don't see many IT organisations spending their money doing things like that. They would rather spend the money on a new box."







