Verizon Business Security Blog

Ask the Data: Justification for screen timeouts?

Wade Baker — Wed, 16 May 2012 15:17:51 +0000

Question:
Do you happen to have any metrics on internal breaches caused by employees not locking their screens, or failure to implement an idle/inactivity screen saver lock? We recently devised, communicated, and implemented a 15 minute inactivity screensaver lock, so that users would be required to sign in after their screen saver started. We’re receiving some complaints that this is unwarranted and unneeded. I am hoping you guys could help me shed some light on the security implications of not having this in place. Thanks for your time and the great resource!

Answer:
Dear Searching Screensaver,

The data does not have an exact answer for you due to several reasons, but there is some information on related threat events that I hope will be helpful. First of all, if you’ve read the DBIR, you’re aware we use the VERIS framework to classify incidents. One of the things we classify about an incident is the particular threat actions involved. The threat actions related to what you describe below would be “local access” and “snooping” (see definitions here). In fact, your scenario below is the exact example we give for “local access”. Both of these are in the Physical threat action category.

In terms of frequency, these are not among the most common of all threat actions tracked across our IR investigations and cases supplied by our law enforcement partners. We’ve seen a little over 30 incidents in the last several years involving one or both of these threat actions. However, the majority of those did not specifically trace back to screen/session timeouts (e.g., snooping also includes rummaging through one’s desk for sensitive info).

While 30-ish may seem low, it should also be noted that such events are less likely to require a paid forensic investigation by Verizon. There’s a caseload bias here. Plus, most organizations have a timeout policy, and if they didn’t, I imagine the number of related incidents would go up.

I am fairly conservative in recommending or requiring controls, but I tend to put this one in the “essential” category. There’s decent evidence available outside our case data to support the benefits of screen timeouts. For instance, lost and stolen devices are among the most commonly-reported incidents leading to data exposure on lists that track public disclosures like datalossdb.org. Not only does it prevent unauthorized access from curious or malicious insiders, but it’s an effective control against the office prankster who likes to send embarrassing emails (or worse) when you head for a coffee refill. I won’t go into detail, but let’s just say I have a decent set of priors on this one. Furthermore, I consider it a must have for portable devices like laptops that are used in public settings (I recommend keeping the device with you during potty breaks, but it always amazes me how many folks leave their laptops active and unattended).

Maybe you could respond to those complaining about the policy with “perhaps you should just consider doing some work at least every 15 minutes” and CC their supervisor.

Weekly Intelligence Summary: 2012-05-11

Dave Kennedy — Fri, 11 May 2012 20:49:41 +0000

Apple, Adobe, and Microsoft dominated InfoSec headlines this week by releasing multiple security updates to patch dozens of vulnerabilities. Microsoft led the pack with 7 bulletins for 23 vulnerabilities. Last week’s Adobe Flash Player vulnerability continues to be exploited in targeted attacks. And attacks on last week’s PHP-CGI vulnerability emerged this week. The PHP Group released another patch this week after last week’s patch failed to eliminate the flaw. The U.S. Department of Homeland Security issued warnings of a targeted campaign against gas pipelines in progress since December 2011. Following last fall’s debunked reports of a hack on a Springfield, Illinois water pump it’s easy to be skeptical, however, there’s too much evidence to simply disregard the threat. In other hacking news, Ustream, Virgin Media, and the Kremlin were all targeted by DDoS attacks, the latter two were at the hands of Anonymous. Speaking of DDoS attacks and hacktivism, Sam Bowne’s four part Defcon presentation (1,2,3,4) on both topics is the best intelligence collected this week and is more actionable than the FBI’s vague warnings on the malware risk posed by foreign hotels.

Weekly Intelligence Summary: 2012-05-04

Dave Kennedy — Fri, 04 May 2012 19:25:00 +0000

InfoSec risk was substantially unchanged this week. Intell collections generally fell under the categories of “more of the same,” or “vulnerability without a problem.” Ransomware, drive-by-downloads of known Trojans, and Android malware reports were simultaneously new and not new. May’s Microsoft Tuesday forecast is for seven bulletins, Google updated Chrome and OpenX ad platform is serving up malware again. Oracle released an out of cycle update for TNS Listener but the back-story is just too weird to bother with. There have been no reported attacks on it, nor are they likely over the short-medium term. Required reading: Symantec’s Internet Security Threat Report 17 for 2011, but they decided to “go for the gold” (pardon the pun) in graphics at the expense of content. It’s still good, just not as good. If you’re from Pittsburgh, you’ll love the look.

Ask the Data: Log Analysis

jayjacobs — Thu, 03 May 2012 21:02:15 +0000

Hello World.

I’m Jay Jacobs and I joined the Verizon RISK Intelligence team in January of this year. It was good timing because it was right after the (tedious) data collection for 2011 was completed and right before the (fun) data analysis and writing commenced on the 2012 Data Breach Investigations Report (DBIR). While the VERIS framework has a lot of obvious things to say (see the DBIR), I suspect there are quite a few subtle secrets still hidden in the data just waiting to be discovered, and discussed.

To that end I wanted to roll up my sleeves and attempt to shed some light on a question I was asked around how many breaches were discovered through active log monitoring and analysis. Within the VERIS framework, we ask the question “How was the incident discovered?” and in 2011, the answer is overwhelmingly from external entities. In 2011, Law Enforcement and external fraud detection topped the list contributing to the 92% of breaches that were notified by external entities, but what about that other 8%? Could we learn something by looking at some successful and active incidents being internal discovered?

VERIS contains a list of 20 ways a breach can be discovered, of which we classify 9 as an “internal active” method. Which means the victim was actively seeking information or implementing a process intended to educate the organization about their environment. Of those 9 methods, I’m going to focus the 7 incidents (out of 855 in 2011) that were discovered from “Log analysis and/or review process”. That’s right, we had a record setting 7 breaches in this category.

The first thing that jumps out is company size: 5 of the 7 organizations have over 1,000 employees and the remaining 2 were in the “101 to 1000” employees, so still not small organizations. With only 7 cases it’s hard to attribute meaning to these numbers, but could this indicate that actively watching or reviewing logs is challenging for smaller organizations? Possibly, but let’s keep going.

The next odd little set of numbers that stands out is that all of the attacks were carried out by external agents and 6 out of the 7 were targeted attacks. The external isn’t so surprising (98% of 2011 data is external agents), but 6 out of the 7 being targeted makes one my eyebrows rise up a bit. To throw more weirdness on that, 6 out of the 6 incidents (one didn’t provide data on the question), listed the actions after initial compromise as either “moderate” or “high” difficulty. Let me repeat those stats: 6 out of 7 were targeted, 6 out 6 were moderate or high difficulty (after initial compromise). While my mind races with all sorts of reasons why that could be, I’m going to let that stand all on its own.

The final data point I looked at was the timeline of the attack. Surely, if the company found out about the breach through an internal active method, it’d have a shorter time from compromise to discovery, right? Nope, only 2 were ranked as the expected “days” between initial compromise and discovery. Four of them still listed “months” in that category. Digging into those 4 specific cases I think I figured how that could be plausible – remember we’re dealing mostly with larger organizations here. In one of the cases, the review process didn’t even identify the evidence of the attack for over a month from the initial compromise (presumably it was a process executed monthly). In another case, evidence was found of malicious software shortly after the initial compromise, but discovery of the breach itself was delayed by (as best I can tell) underestimation of the incident and the malware chasing took some time. Even though analysis and responses were a bit delayed for these lucky 7, the review process triggered an investigation that helped remediate faster than any other method.

Perhaps we should be taking solace in the fact there were seven breaches detected by an internal process like this. Seven is more than double the amount we saw in 2010 and perhaps this is the start of an upward trend… right?

Ask the Data: A New Series

jayjacobs — Wed, 02 May 2012 19:10:19 +0000

Every once in a while we get questions that go above and beyond the information provided in our data breach investigations report. Usually the questions center around some particular slice or view that the reader would like to see, a specific security control question or queries about a particular vertical market, and when we receive them we answer them as best as we can. But we’re going to try something new this year, we’re going to kick off a series of blog posts we’re calling “Ask the Data.” As questions arise and are submitted to us by our readers, we’re going to dig into the data and see what kind of information we can pull out and communicate our findings via posts. So keep an eye on the blog for posts in our “Ask the Data” series. And, oh yeah, got a question for the data? Let us know!

Weekly Intelligence Summary: 2012-04-27

Dave Kennedy — Fri, 27 Apr 2012 22:42:27 +0000

Required reading: Microsoft Security Intelligence Report 12 for the last half of 2011. The SIR is second to none as an InfoSec intell source and has few equals. The Microsoft Security Blog has begun running weekly summaries most of our readers should find useful. Most current intelligence collections come from outside North America. Iran’s oil ministry was targeted by malware and hackers, and they preemptively disconnected from the Internet. Nissan and Al-Arabiya announced they were victims of cyber attacks. Chinese and Filipino hackers are carrying out cyber attacks against each other over the two nations’ spat over the Spratly Islands in the South China Sea. And a Chinese hacker leaked old VMWare source code, but VMWare’s enigmatic statement neither confirms nor denies a breach took place. They stated the leak “does not necessarily mean that there is any increased risk.” “Holy doublespeak Batman!”

Weekly Intelligence Summary: 2012-04-20

Dave Kennedy — Fri, 20 Apr 2012 19:33:19 +0000

An Iranian engineer threw a tantrum and dumped the credit card information of 3 million of his countrymen and women on his blog and fled the country. In all the fuss and finger-pointing over the Flashback malware, another OS X Trojan is “getting legs.” Some users, having applied Apple’s Java patch and Flashback removal tool, may not grasp OS X.SapPub doesn’t exploit Java. It does exploit a 34-month old, patched, vulnerability in MS Word. Kaspersky reports SapPub is related to an APT, LuckyCat. It’s a big election year in the States, so a report emerging from University of California-San Marcos of election hacking may “get legs” as well. Some Chinese hackers took a break from “hacking every major US company,” to hack three Chinese pharmaceuticals they perceive are responsible for tainted drugs. Some good news: none of the major data centers in the Dallas Texas area experienced major disruptions when at least 21 tornadoes swept the area on 2012-04-03.

Weekly Intelligence Report: 2012-04-13

Dave Kennedy — Sat, 14 Apr 2012 01:17:38 +0000

Vulnerabilities and patches dominated the InfoSec environment this week. Microsoft, Adobe, and Cisco all released major security bulletins. Google released another update to Chrome. Over the last couple weeks, patches have been released for almost every Mac and Windows computer on earth. Now Linux/Unix admins won’t feel left out as they have a Samba update to apply. In malware developments, targeted attacks are continuing against Tibetan activists and the Flashback Mac Trojan continues to make headlines. Kaspersky Labs reported over the weekend that it observed only 237,000 active bots connecting to Flashback’s C&C servers (down from 650,000). But then again it was the weekend. Speaking of the weekend, Anonymous carried out several DDoS attacks against UK government sites in response to last week’s news that the government wanted to expand its internet surveillance powers. TeaMp0isoN got its name in the headlines for allegedly “phone bombing” MI-6 headquarters in London and going so far as to record a conversation between an MI-6 officer and an individual believed to be an FBI agent. What were they discussing? TeaMp0isoN, and just before midnight Thursday, The Telegraph reported two TeaMp0isoN arrests; there’s probably a lesson in there somewhere. And finally, a new hacking collective introduced itself this week by carrying out attacks against several websites. MalSec is the name of the group and it claims to sympathize with the ideals of Anonymous while being in it for “more than the lulz.” Plus they disapprove of stealing personal information and harming the public. How noble.

Weekly Intelligence Summary: 2012-04-06

Dave Kennedy — Sat, 07 Apr 2012 04:38:14 +0000

The reported breach of 1.5 million credit card records from payment processor Global Payments leads this week’s OSINT. Adobe pre-announced security advisories for Acrobat and Adobe Reader, and their new priority ratings indicate Reader and Acrobat version 9 on Windows is already under attack. In addition to Adobe advisories, we’re expecting six Microsoft security bulletins on Tuesday. Russian anti-virus Dr. Web reported 500K OS X systems are infected with the Flashback Trojan which exploits a Java-related vulnerability on OS X. Apple released a patch for their Java implementation on Monday and updated it early Friday. Australia’s Defence Signals Directorate released iOS hardening guidelines. Criminals claiming Anonymous affinity compromised hundreds of government sites in the People’s Republic of China and internal files from a PRC defense contractor were posted online. Schadenfreude has no place in our profession, no one deserves to be a victim. The usually very reliable DEBKA reports a Stuxnet mutation is attacking the Iranian Fordow facility. Helpful collections this week include tips from Cyveillance for protecting your company’s reputation on Google+.

Weekly Intelligence Summary: 2012-03-30

Dave Kennedy — Fri, 30 Mar 2012 19:08:59 +0000

“Keep Calm and Carry On” was a classic propaganda poster in the UK during the Second World War. InfoSec professionals: consider dusting it off and posting it in your office because intel collections this week paint a dire picture. Shawn Henry, Assistant Director of the FBI declared “We’re not winning,” in the Wall Street Journal. James Lewis at the Center for Strategic and International Studies is “a little bit gloomier.” Oh, oh, another water district was hacked, but hold on, it was the district’s CFO; does that count? Dick Clarke told The Sminthsonian Magazine the US may already be losing the cyberwar. The Sydney Morning Herald says 10,000 Australians face web blackout; wow, that’s like 5 one-hundredths of one percent of the country. LulzSec is back (maybe), and Occupy is in “spring training” for May Day. Adobe dropped another Flash Player update and Oracle revised their January CPU for the hash collision vulnerability that we have no attack reports of. Do not lose heart, the RISK Team and thousands of your colleagues are solving problems 24×7x365; we’ll still be here next week. Listen to The Chairman and Carry On. (Bonus: ID the RISK Team member in the video?)

Weekly Intelligence Summary: 2012-03-23

Dave Kennedy — Fri, 23 Mar 2012 20:51:57 +0000

It’s that time of year again. Spring is upon us, flowers are budding, and The RISK Team and Verizon have released the 2012 Data Breach Investigations Report. Be sure to add it to your reading list. Speaking of data breaches, the University of Tampa reported that it mistakenly exposed information on 30,000 individuals for 8 months due to a server error and the UK-based Student Loans Company copped to leaking 8,000 customer email addresses. As for things that got attacked this week, a Saudi hacking group claimed to steal data on 400,000 Israelis from the Israeli sports website One, S3rver.exe defaced the website of the International Police Associate of Australia, and BlackJester has electronically taken a Qwest data center server hostage so that the company will contact him about its vulnerabilities. Not too long ago BlackJester walked into a UN office to report vulnerabilities in the organization’s website. Reporting vulnerabilities is one thing, taking a server hostage is a different beast altogether. A recently compiled Duqu driver was observed in the wild by Symantec and Kaspersky got answers to a question it had crowd sourced about the malware’s code. And finally, in a case of pot calling kettle black, China said it has observed an uptick in cyber-attacks recently and blames the United States, Japan, and South Korea.

2012 Data Breach Investigation’s Report Released

Dave Hylender — Thu, 22 Mar 2012 15:36:07 +0000

It’s hard to believe, but it’s time again for another installment of Verizon’s annual Data Breach Investigations Report. This year’s report represents our largest dataset ever, with 855 confirmed security breaches accounting for a combined 174 million compromised records. As always, we analyze the data and attempt to explain what happened, who did it and who was affected. We are very pleased to announce that the 2012 DBIR again includes data provided by our valued collaborators, the U.S. Secret Service and the Dutch High Tech Crime Unit. We are even more pleased to announce that these agencies are joined this year by the Irish Reporting and Information Security Service, the Australian Federal Police, and the Police Central e-Crime Unit of the London Metropolitan Police. The inclusion of data provided by these agencies allows for the most geographically diverse DBIR to date.

We welcome these collaborators and firmly believe the more data we can share with the industry, the better we can understand and prepare for the threats we collectively face. With the addition of Verizon’s 2011 caseload and the combined data from our collaborating agencies, the DBIR series now encompasses 2,500+ breaches, 8 years and over ONE BILLION compromised records. As always, the DBIR includes only confirmed data breaches worked either by Verizon or one of the aforementioned agencies. We believe that with each passing year, the data grows and evolves helping to paint a more complete picture of the current state of cybercrime. We always look forward to sharing the resulting analysis with our readers and hope you find it informative, enjoyable and helpful to the planning and implementation of your security efforts. You can pick a copy up here. Please let us know what you think either via this blog, on twitter (#dbir) or at the email address listed in the report.

Weekly Intelligence Summary: 2012-03-16

Dave Kennedy — Fri, 16 Mar 2012 18:19:57 +0000

Cyber warfare was the dominant theme in risk intelligence this week. The BBC reported a denial of service attack on both Internet and telephone systems with indications of Iranian involvement. Alienvault reported targeted attacks on Tibetan dissidents. Almost three years ago the Wall Street Journal reported attacks appearing to come from the People’s Republic of China had stolen Joint Strike Fighter (JSF) plans from Lockheed Martin. The second of three primary JSF contractors, Northrop Grumman was named in both the Aurora attacks and, with Lockheed, in post-RSA attacks last summer. Completing the trio this week, loose lips at the dinner table confirmed BAE Systems was also breached, also apparently from the PRC. Déjà vu? No, it’s the same story retold, three times now. The Virtual Israeli Air Force School (private sector) was breached to the tune of about 9Mb of data. Islamic Nasheed Bank (not a financial institution) was compromised. And unaffiliated irandefense.net was compromised and 2800+ account details posted to pastebin.

Weekly Intelligence Summary: 2012-03-09

Dave Kennedy — Fri, 09 Mar 2012 19:22:38 +0000

At the very end of the credits for the film “Ferris Bueler’s Day Off“, Matthew Broderick’s character, a Chicago native, shoo’s the audience home. Contrary to the headlines, Chicago native Jeremy Hammond won’t be shooing us all home as if the world’s computer security problems have been solved with his arrest along with the arrests of four LulzSec confederates. To be sure, LulzSec had to go, but our most threatening adversaries are still in business. Worth reading: Microsoft’s “The evolution of malware and the threat landscape – a ten year review,” Mandiant’s annual M-Trends report and a trio of DOS bot analyses from Arbor Networks. Criminals stole £71K in bitcoins from UKweb host Linode. The Library of Congress, Panda Security and the Vatican were all cyber attack victims. We have six Microsoft security bulletins coming next week. Adobe released a new Flash Player update. And someone is targeting malware at opponents of newly re-elected Russian President Vladimir Putin.

Breaking down the wall of words (or at least hanging some pictures on it)

Wade Baker — Thu, 08 Mar 2012 14:12:31 +0000

This past week, several RISK Team members descended upon the lovely city of San Francisco for the annual RSA/Mini-Metricon/B-Sides pilgrimage.

On Monday, we did a quick lightening talk at Mini-Metricon on some of the things we’ve been doing lately with respect to attack modeling and analysis. If you missed it, you can check out Appendix A in the soon-to-be-published 2012 DBIR for a recap.

At B-Sides, we presented a talk titled “Your IR Team: More than Firemen and Maids.” The central principle was that organizations should use their incident responders for more than putting out fires and cleaning up messes. Instead, also think of them as generators of valuable data that can inform security decision-making. In working with both the IR and risk
management sides of many organizations, we so often find that these two groups do not share information to the degree they could/should. Decision-makers constantly decry the lack of useful security data at their disposal, yet they have a “treasure trove” right under their noses. We’ll post the preso once the B-Sides crew has the chance the get it up. Until then, you can check out the hand-sketched version here.

Regarding that talk, one attendee had the following to say:

“By my count, the fourth B-Sides SF talk this year to heavily feature
statistics and suggest setting metrics. The presentation made an argument
for formally tracking and classifying incidents, for instance using the
VERIS framework. The talk was quite compelling and did a good job
illustrating how incidents can be charted and visualized.

Unfortunately, when I visited the VERIS wiki I found it rather
disorganized. To me, the wiki doesn’t do a good job of communicating how
the framework can be implemented and throws up a wall of words rather than
diagrams and practical implementations. In all fairness it is under
construction, and does give some example, but more concrete tools would be
welcome. If someone would release a spreadsheet template or simple app
(Python, Ruby, etc) to jump-start organizations on their incident
classification, that would be a huge public service.”

This is a fair critique, and not the first time we’ve heard these sentiments expressed. We definitely realize we have some work to do to make VERIS as usable as we know it can be. To start, we are updating the wiki to reflect the latest version of the VERIS Community framework. It is still, however, a “wall of words.” Over the last several months, we’ve made strides to change that. We’ve created an XML schema of the VERIS framework (currently in beta), a UML diagram to better help visualize the structure, and have begun conversations about open source tools. We’ve also realized that if we’re really going to achieve our goal of widespread VERIS adoption, we need to up our development and support of it. We’re making hires and prioritizing efforts to do that.

Bottom line – we hear you. We’re working on it. If you’d like to give us some input on what we can do to make VERIS more useful to your organization, please let us know. If you’d like to use and provide feedback on the beta XML schema, we’ll be glad to point you in the right direction. For either of these, or to register any other helpful criticism, we’re all ears at veris@verizon.com or @verisframework.