Data Breach Digest Update: CMS Compromise

by John Grim
RISK Team/Verizon

The Data Breach Digest—released this past February by the Verizon RISK Team—has brought a fresh perspective to the security conversation. It’s underlying premise was that ‘many data breach victims believe they are in isolation, dealing with sophisticated tactics and zero-day malware never seen before.  The RISK Team has seen otherwise. To us, few breaches have been unique – there is tremendous commonality in real-word cyber-attacks.

Based on 18 actual cases that we’ve investigated, the Data Breach Digest makes security tangible and real to not only the technical Incident Response stakeholders, but all stakeholders who are involved in incident response. And, in doing so, it encourages everyone to become an important link within the security chain.

One of the cases we investigated involved actual pirates hacking a global shipping company’s content management system (CMS) to steal the freight records and target their theft of valuables. This Update provides recommendations on how you can mitigate the threat of a CMS attack and how you should respond if you are breached.

Download the Data Breach Digest.  Read it, learn from it, and use it to mitigate and respond to those most prevalent and lethal data breaches that we – the RISK Team – have come across.


Making the Most of Limited Security Resources

Author: Joan Ross, Managing Principal, Cybersecurity

“If your enemy has no ships, building submarines may not be the best use of your limited resources”, a CIO at a recent Verizon 2016 Data Breach Investigations Report (DBIR) session conveyed.  Accountable for building and maintaining major infrastructure, he and the chief information security officer were actively strategizing together as to how to best utilize and stretch their limited security resources for the year.  Knowing the threats to your industry is the first step in evolving the most effective security strategies, obtaining priority budget, and educating all personnel within your organization.

While the extent of security breach data represented in this year’s report is sobering, (especially, for example, internal organization detection of security breaches have greatly decreased), there is encouraging information in how to get ahead of these attacks. Eighteen of the most common attacks are detailed within the Verizon 2016 Data Breach Digest.

We know from empirical evidence that in 82% of security breaches, we found evidence leading up to the breach in the logs.  Thus, one of the significant activities security teams can do as part of their rapid response practice is gathering the last 90 days of their logs from critical and non-critical systems.

There should be standard operating procedures and training established for the team in gathering log data for two reasons:  One, it’s critical to rehearse incident response activities before an actual breach and collect evidentiary data that follows proper chain of custody handling quickly (within 24 hours).  This rehearsal gets valuable data rapidly into the expert hands of the responding experts when actual breaches may be occurring to more accurately source and defend against known attack patterns.

Secondly, and just as important, if you take the additional steps of getting the data from the rehearsal into the hands of trusted experts with the right tools, the early behaviors and reputations associated with increased attacks can be ascertained to help prevent a serious attack.  This puts valuable digital intelligence into the hands of your security team, executives and board of directors as to where potentially malicious traffic and connectivity is following known patterns.  While security incident event management systems (SIEMs) may detect perhaps up to 15% of potentially malicious activity, being proactive in your review by hunting for known malicious patterns and behaviors is increasingly useful in getting ahead of the 85% of more sophisticated attack queries.

The best way to get ahead of security breaches is to familiarize your team with these patterns, and build your strategy based on relevant, empirical evidence for your organization.

Making the Move to Managed Security Services

Author: Joan Ross, Managing Principal, Cybersecurity

One of the hardest realities for chief information security officers (CISOs) to confront is what concrete protections can be achieved with the annual resources available to them.  Theirs is a vital function, albeit typically with a smaller staff and budget than other divisions.  One must constantly evaluate and protect against the ongoing concern that someone with malicious intent will breach or disrupt the organization’s operations, and obtain sensitive customer information and secret business intellectual property.  Being a CISO is not for the faint of heart.

Prioritizing relevant risk to their organization and determining appropriate treatment with their executive team is an ongoing process. When necessary security funding is not allocated, or resources are few, the CISO is in a difficult position.  Ultimately, they bear the responsibility of a breach, even should it occur through a business supplier on systems outside of their control.  There may be limited people and mitigating controls to provide quality information security assurance.

2016 is the year more CISOs are making an honest evaluation of their team’s core security competencies and annual funding.  While difficult to relinquish control, the realization is they have no control or insight if the security functions are not being fulfilled.  This is when the tough decision is made to move the most time-consuming and burdensome security activities to a quality managed security services provider (MSSP).

In hindsight, CISOs relay moving to a MSSP has been one of the best decisions for the organization, given they select a strong MSSP.  They’re able to obtain more actionable security intelligence by experts at recognizing patterns and events, and if frees up their limited resources to devote their efforts to the evolving business security strategy and improvements.

Expanding access capabilities, burgeoning security devices, and the continual monitoring of threats and vulnerabilities takes a toll, both professionally and financially. MSSPs are an acceptable option provided the CISO conducts the appropriate due diligence on the third-party provider.  This is where experience, skill, certifications, reputation and investment in ongoing personnel training of the MSS provider matters, the selection criteria must be greater than any cost efficiencies.

At a minimum, today’s CISO needs a rapid response retainer in place.  Established organizations are moving to contractually require these contracts with their critical business partners.  The reason for this is simple: preventing, detecting, containing and managing information security requires trained professionals, reliable processes, chain of custody expertise, and forensics experts available at a moment’s notice.  With a retainer in place, organizations can report suspicious activity and have it qualified, or have response on course of action within minutes.  In seventy-percent of the targeted breaches we analyzed, the incident spread to the secondary victim(s) in twenty-four hours once the attack was successful – a risk no CISO takes lightly in consideration of their organization, customers, and business partners.

Briefing the Board: Directing Security Evolvement

Author: Joan Ross, Managing Principal, Cybersecurity

If an organization’s CISO is not regularly updating the Board of Directors (BoD), there is an inherent disconnect in the security viability of the organization.  The function of the BoD is to act on the behalf of the best interests of shareholders and stakeholders in validating a well-managed company.

A CISO’s agenda for the BoD begins with three primary areas:

  1. What we know and have tested recently regarding security controls.
  2. What we don’t know or haven’t effectively evaluated at this time.
  3. Priorities for risk, budget, and evolving strategy based on a combination of #1, #2, current and planned business model, and current threat intelligence for your industry.

Verizon publishes the Data Breach Investigations Report (DBIR) on an annual basis for the greater good of the security community at no cost. This intelligence is heavily leveraged for the empirical research and investigation findings it provides, including trends in the common attack patterns.  Every security organization has it available to them to utilize as the basis for their BoD presentations and ongoing security awareness training for the organization.

CISOs convey that the most important graphic for them to begin their BoD presentation is the DBIR Incident Classification Patterns and percentages for their industry.  Annual budgets and periodic new budget needs can leverage the attack trends to justify requests.  While many security professionals may be aware of the proliferation of these patterns and methods, rarely is the BoD.  Today’s CISO educates their BoD as part of every briefing opportunity on how the organization remains potentially vulnerable.

The BoD are responsible for gaining the understanding of the routine occurrence of many of these data breaches and asking their organization the tough questions on risk reduction to prevent, detect, defend against and mitigate these intrusions.  Verizon’s Data Breach Digest illustrates twelve of the most common recurring attacks and methods, and six of the emerging more sophisticated attack types to guard against.

With the publication of these reports and truly brief reads, there is no reason for top leadership, including the BoD, not to be aware of the risk, commonality and methods of the majority of security breaches to their industry.  The measurement of a well-managed company is evolving to where these attacks risks are mitigated based on BoD support.

What’s in your wallet?

Author: Mark Rasch, Managing Principal, Cybersecurity

When workers were tearing down the old Apollo Theater in Times Square, they discovered a cache of men’s wallets and women’s purses hidden in the attic.  Apparently in New York in the 1940’s and 1950’s, the Apollo was the epicenter for pickpockets – targeting tourists and residents alike.  The cache represented a time capsule of sorts, with photographs of sweethearts, friends and family members, stored fortune cookie fortunes, paycheck stubs, utility receipts, social security cards, and handwritten driver’s licenses.  Gone of course was any hint of cash – after all that was what the pickpockets were after.  Also conspicuously missing for 21st century mentalities are loyalty program cards, access cards, or credit cards (although Bank AmeriCard and Diner’s Club both existed back then).

I say this as my wallet gets thinner and thinner.  I keep a newly “secure” driver’s license with digital pictures, holograms and other security devices for identification.  And corporate and personal credit cards with a digital chip which occasionally gets scanned.  A box store membership card and a too infrequently used health club membership card.  And that’s it.  My kids, on the other hand have bulging thick wallets filled with nothing – or nothing important.

When we think of the items in our wallet or purse, we should consider them to be tokens.  A driver’s license is a token issued by the state indicating that we passed a minimum competence examination to operate a motor vehicle in that jurisdiction.  A credit card is a token issued by a bank indicating that we have an account (a bank account if a debit card, a revolving credit account if a credit card) with that institution and allowing third party merchants to interact with that account.  Loyalty cards are similarly tokens for accounts which establish a relationship with a particular merchant or club.  Even the cash in your wallet is a token issued by the government with whatever value society decides to imbue on it.

Every one of these tokens will soon be obsolete – if they aren’t already.  This doesn’t mean that they will disappear.  We have invested billions in the infrastructure necessary to issue, read, and interact with these tokens.  A folded note will still be easier to read than a file stored on an Android phone.  A tangible physical object serves as a reminder of our loyalty to a particular institution.   But the functionality of these tokens has already been duplicated in things like Apple Pay and Wallet, Android Pay, and other electronic wallet substitutes.  Our family pictures are on our devices and/or in the cloud (sometimes without or knowledge).  Electronic substitutes exist for identity, relationship, affiliation, authority, and access control.  There are even electronic substitutes for cash (like Bitcoin) despite the fact that a Florida court recently ruled that laundering Bitcoin does not constitute “money laundering.”

This move from physical objects to their electronic substitute is not without risk.  The Apollo theater attendees knew (or soon realized) that they had been robbed.  The contents of my electronic “wallet” can be stolen without my knowledge.  The Times Square visitors knew (or should have known) that the Times Square of the 40’s though 50’s was a wretched hive of scum and villainy.  For electronic records there is no safe haven.  If someone stole a 1950s wallet, there was little chance of false personation and identity theft.  Since much of our modern interaction is virtual; you steal my token, you steal my identity.  What’s worse, I can now get new credentials and new tokens in your name, and become you online.  And now new crimes of false personation, identity theft, identity fraud, and synthetic and virtual identity fraud exist that could not have been contemplated back then.

All of this is by way of saying that, in designing any token system – whether it’s a driver’s license, a financial instrument, an access card, or a user id and password, we must take particular care in determining how it will be used, and how it can be abused.  We misplace our trust in the token, rather than in the person presenting the token.  Multi-channel and

multi factor systems, sometimes with a biometric component should be considered – but the privacy and anonymity implications of such systems should also be considered.  We must preserve the right and the ability for people to interact without a permanent record of their actions.

When we think of information security, we have to think not only of computers and networks, but of how people interact with them – in the virtual and physical world.  And you can take that sentiment and put it on a note and stick it in your wallet.  The movie playing at the Apollo Theater in the summer of 1958 was Ben-Hur.  Some things never change.

Hospitality Customizing the Perfect Guest Experience

Author: Joan Ross, Managing Principal, Cybersecurity

The hospitality industry is moving full-speed ahead in creating the ideal travel experience. Utilizing Internet of things (IoT) design and technology communication, the goal is to attain greater customer loyalty by tailoring the patron’s experience to their preferences as they arrive and travel through their extended establishments.

Since many hospitality vendors have various tiers of property brands, designing and enabling a secure entrance into customized experiences requires significant planning, expertise and is fraught with risk. Both the physical as well as the sensitive data protections of their guests are paramount to their brand reputation.

Technology is enabling a more comfortable and scalable travel era.  Imagine the business or vacation travel experience enabling your transport as it detects your plane has landed to minimize your wait time. The hotel check-in is a red-carpet luxury experience straight to your favorite room which is already at your preferred temperature. An easy touch-interface performs immediate digital concierge services such as obtaining reservations to the restaurant you desire, tickets to a particular show, or booking the perfect golf tee-time.

This custom capability evolution requires significant data protections that not all owner-operators will be able to comprehend or afford.  Since security breaches would negatively impact the entire brand, leading hospitality providers will move towards providing security-as –a-service for their owner-operators. This provides consistent levels of protections, similar to the Payment Card Industry Data Security Standard (PCI-DSS) for credit card transaction capabilities. The hospitality industry should move quickly and efficiently to lead the opportunity effort on customer experience IoT standardization and API integration.

The brand name leaders in this effort will provide governance and oversight to provide reliable and cost-effective safeguards such as advanced automation, strong authentication, limited access, pseudo-anonymous profiles, encryption, and non-repudiation.  Without privacy and security, there is no perfect guest experience. Consistent governance and control implementation requirements across all tiers of property operations, especially smaller affiliated owner-operated properties , helping clear the path for additional business revenue through utilization of global economies of scale while providing protections consistent with the brand’s requirements for essential customer privacy and information security.

Information Security for SMB’s…Who Me?

By Mark Rasch
Security Evangelist
Verizon Enterprise Solutions
July 29, 2016

The biggest obstacle to building an effective information program at many institutions – particularly small and medium sized businesses (SMB’s) – is not a lack of resources, a lack of knowledge, or a lack of technology.  Typically, the biggest obstacle is complacency.  When meeting with senior corporate or government officials (in non-regulated environments) you will often hear expressions of concepts like “we would never be a target of hackers,” or “we don’t have anything anyone would want” or “we’re too small for anyone to care about.”

While the security demands of SMB’s are different from large government agencies or multinational corporations, the vulnerabilities are potentially more severe.  SMB’s that suffer significant attacks may never recover – they may be forced to close up shop because of a ransomware attack, or because their clients and customers have lost faith and confidence in their ability to do their job or to protect their data.  That’s why attention must be paid.

The answer to the “we don’t have anything anyone would want” argument is easy to address.  Ask the question, “What would happen to my enterprise if… what would happen if the data I collected (including HR data, sales, costs, marketing, compliance, and strategy information) was no longer confidential.”  And, as we have learned from the recent DNC hack, there’s much more in your information systems than you think – and much more potential damage from its release than you think.  Company employees can be DOX’ed, targeted, harassed and otherwise attacked as a result of (or as the goal of) a data breach.

So the first step is a comprehensive assessment.  But not the kind you’re likely thinking of.  It’s not sufficient to assess your technology – how many servers, how many computers, how many ports open, etc.  That’s a technology assessment.  What you want to do is to assess the business impact of a potential breach as well.  What are the critical systems AND the critical data in those systems – and why is it critical?  When DNC officials were sending routine emails discussing strategy and tactics they probably didn’t consider these emails (or the email system on which they resided or were transported) to be particularly critical.  And that points out another problem with how we typically prioritize security.  We look at securing the device – the container – the transport channel, rather than looking to secure the information in it.  We treat e-mail, for example as a system that needs to be secured, documents as another system, stored files as another, and so on.  But e-mail is just a means for communicating.  There are sensitive e-mails and non-sensitive e-mails.  As a result, we either secure the trivial with a degree of security more reasonable for critical communications (a waste of resources) or secure the critical data at the level of the trivial security (vulnerability).  More often, we do a bit of both.  That’s why data classification and data segregation is also important; layers on layers of security. Even for SMB’s.

Security need not be prohibitively expensive.  Nor need it be unnecessarily complex.  But it should be done right to facilitate business.  And at the end of the day, isn’t that why you are in business in the first place?

Phishing license: training and awareness

by Wesley Hamrick
Analyst, Enterprise
Verizon Enterprise Solutions

The Verizon Data Breach Investigations Report (DBIR) has consistently shown that the number one threat to companies– is malicious code injected via successful phishing attacks.  It’s number one in 2016.  It was number one in 2015.  It was number one in 2014.  And so on, and so on.  So if a company were to target one vector and one solution to fix above all others, it would be phishing.

Easier said than done.

Successful phishing attacks exploit vulnerabilities and weaknesses in hardware, software, people and processes.  At the outset, they use data acquired through other means to engage in social engineering attacks against authorized users.  They use “legitimate” channels of communication – email, text, etc. to further their objectives.  They can use stolen or compromised accounts or credentials, spoofed or faked email addresses, or other indications of validity to trick users into clicking on or otherwise taking action in response to the communication.

The fraudsters lie, cheat, steal, cajole, and hack to get in and to get the user to click a link, go to a website, install software, provide information or otherwise respond.  These attacks can be as simple as installing clickbait, or as targeted and sophisticated as spear phishing (email that appears to come from someone you know) or whale phishing (emails targeted at company executives). Just as the attacks are layered and sophisticated, the defenses need to be as well.

Many phishing defenses rely on technology.  They block email from known spammers or known “bad” email addresses.  They filter, block and quarantine communications from suspicious sites, or which contain suspicious content or links.  E-mail links are disabled by default, executables are not supposed to run on the clean system, and known bad IP addresses are not supposed to be resolved.

But much of that is in theory.  You see, phishing attacks are dynamic and ever-changing.  The goal of the phisher is to get in without being noticed.  The phisher takes into account these known technology defenses.  Phishing mail will originate from a trusted IP address and email account, with a compelling subject line, and the link will not self-execute.  The malware will approximate “normal” behavior to avoid detection.  The IP address may be spoofed, proxied or from an anonymous source.

At heart, phishing is a human problem exacerbated by and potentially solved by humans.  Humans presented with phishing attacks often are easily deceived.  And the phishing attacks come back and in greater numbers.  The problem is that users who are the primary vehicle for phishing are poorly  trained.  By that, I mean that we “check the box” that the user sat through a 15 to 50 minute slide show or video extolling the harms of phishing, and then answered a few random multiple choice questions about the problem.  Even when effective,  such training, has a shelf-life of maybe a few weeks.

Anti-phishing awareness is best when  coupled with a bit of “light touch” testing.  A corporate-sponsored phishing attempt can redirect those who click links back to the training program as a refresher.  If it is not reinforced, it won’t be remembered.

Like everything else in security, it’s a matter of people, processes, technology, and policy.  But don’t forget the people because if you forget to teach the people security, they will forget to secure the network.

The Spirit and Intent of the DBIR

Author: Marc Spitler

May 12, 2016

After publishing the Data Breach Investigations Report for the ninth time, we have been on the business end of some sharp criticism for some data in the Vulnerability section. Specifically, a reference to the exploitation rates of vulnerabilities, which included a footnote with specific CVEs. This post is not an assault on any of the people in the information security community who called this out, the fact is valid points were raised and there is a lot that we agree on.

Using the CVEs listed in the footnote as the basis for decision making is not the key to success in vulnerability management and this was not the intended focus on the section. The issues with the underlying data that the list was derived from were acknowledged by the data contributor in several blog posts.  Relying on any Top X list of vulnerabilities is not recommended for any organization.

We felt (admittedly incorrectly) that relegating them this year to a footnote would direct the focus on the other points we wanted to make in this section. We are not discounting the criticism and, in hindsight, should have made our intended focus for the section more clear.

The intended focus of the section, as in the prior year, was to get readers thinking about vulnerabilities and patch management in a different way – to discourage merely playing vuln whack-a-mole and establish a more thought-out approach.

Our security incident and data breach data does not have a lot of CVE-level information in it, so we look to non-incident data to attempt to supplement and support the incident and breach data that is the core of the report. Addressing the specific CVE issue first, one of the main goals of the report is to highlight use of data to make your own decisions and the best data for an organization is going to be their own.

If you need to know what vulnerabilities are likely to affect your organization, don’t use the footnote, use your own vulnerability scan data and analyze those findings in the context of your organization. Prioritize findings with active exploits or proof-of-concept code available. Figure 10 shows at a high-level, that some types of vulnerabilities are typically exploited quicker than others. Again this is a start, no patch management philosophy should be ultra-focused on a single figure/study.

The desired takeaways from the section were designed to improve patching processes by providing data that:

  1.  Offers high-level estimates on how quickly to patch new vulnerabilities
  2.  Ensures older vulnerabilities are not ignored
  3.  Promotes acceptance that some vulnerabilities will likely never be patched and to not assume eventual 100% patch implementation as part of your organization’s security strategy.

Bottom line: We don’t want this section to lead readers down an incorrect and/or myopic path any more than our harshest critics. When we reviewed this section we already had the goals in our minds and should have done better to look at it from the standpoint of a reader. This was made apparent by some of the readers and we appreciate your views. Seriously.

I also want to write about the reason that we started this publication in the first place. In 2008, there was a glaring need to arm the public with a study on what was actually happening in the real world. We realized that we had this data available to us in the form of case reports from our Investigative Response team (now RISK Team). Our goal then, as it remains today, was to provide readers information on the actors, their tactics or actions and what assets are targeted and affected. We strive to remain vendor-neutral, not shill our services within the report, be transparent with our methodologies and acknowledge bias.

The 2015 DBIR featured a large section on studies of non-incident/breach data outside of the typical data that underpinned the prior seven publications. This year we put the emphasis back on the incident corpus and the Incident Classification Patterns and hope that the criticism of one section, which is independent of the rest of the report, does not prevent the readership from starting discussions on what we hope will get the most of the attention moving forward.

These include:

  • Static, single-factor authentication was a component of almost two-thirds of the confirmed data breaches. Whether credentials were the data variety compromised, or legitimate credentials were used (either via prior theft or brute forced) our data continues to show that actors are going after credentials to advance their attacks and stronger authentication needs to be more prevalent, not that it or any other control will solve all of our problems, but would disrupt a common attack method.
  • Phishing continues to trend upwards as well. 41% of breaches involved phishing as a threat action leveraged by remote attackers.
  • The combination of Phishing, leading to dropping of malware in the form of a backdoor and/or C2, leading to capture and reuse of credentials is one that we find used across several patterns, and in data breaches that are highly targeted, as well as opportunistic. This provides a foothold onto a desktop/laptop. A major issue is that we are not doing enough to make the attackers invest time and effort once the initial access is gained.

Lastly, I want to reiterate one of the main overarching goals of the report is to encourage organizations to use  their own data to make security decisions. The data that underpins the report is a sample, with all associated biases along for the ride. We do however, believe  that the DBIR  is the best representation (thanks to the diversification of incident data achieved by partnering with numerous organizations) of what is occurring in the real world. That being said, we really want people to try this at home. Having an understanding of what incident patterns are more closely associated with your industry is good. Collecting your own security incident data and incorporating your own analysis as part of your security decision-making process is even better.

Security maintenance: more valuable than gold

Author:  Joan Ross, Managing Principal, Cybersecurity
May 10, 2016

Verizon’s recent annual Data Breach Investigations Report validates what has been a documented and disturbing reality – the lack of methodical security maintenance activities over operations and data — leads to the majority of security breaches.  The empirical evidence proves this out, but after so many years of security practice, why are professionals still struggling?

Kurt Vonnegut’s quote “everyone wants to build and no one wants to do maintenance” partially explains it. Maintenance is not as valued by organizations that are intent on new or more profitable lines of business, it’s not as exciting  as the leader painting grand new visions.  And yet, as those visions are compromised, the leader has turned his or her  attention toward something new, requiring others to mend the security flaws and reinforce the system to operate reliably. CISOs are the pragmatic technologists in an organization, aware that with every change, update and new code release, no business fulfillment vision is complete if it’s not continually secured. Meantime the resources devoted to the implementation have often moved on without ongoing maintenance consideration.

Security requirements and design are essential as part of any business strategy.  To forego these activities predictably leads to weaknesses and vulnerabilities harder to rectify once a system is built and operational.  Is your CISO part of your engineering design team?  Is a security engineer assigned ongoing activities for maintenance? If not, weaknesses will form and be found by others. It’s predictable and inevitable.

Gary Klein has produced notable research into adaptive decisions and incident response that explains the seemingly lack of commitment to maintenance.  Even with multiple safety features engineered to prevent disasters, time and use will often wear these protections down.  Humans are enamored with the rush to perform under adversity and become heroes, but in fact, the heroes he documents undergo rigorous maintenance and testing activities beforehand as normal course.  This focus and practice is what security professionals have to emulate to be successful in preventing data breaches. It’s time to make security maintenance, as ephemeral as it may seem, part of any ROI  equation.