The 2010 Verizon Data Breach Report was released recently and, like previous iterations, it was well worth the time to read. For those who have not seen it, this report analyzes corporate-level data breaches to show us what happened, how it happened, and makes recommendations on how to stop them in the future. I also saw a shorter yet equally interesting article on Last Watchdog that discussed the challenges the banking industry has in keeping our personal banking accounts safe.
The element that ties these two items together is the level of patience that the attackers exhibited in their quest to achieve their goals and the level of vigilance that we need to continue to exert to defend the corporate network as well as our personal assets.
In both cases, the attackers patiently collected information on their targets, taking as long as needed to gather the desired data points using a combination of traditional social engineering techniques, updated for today's web 2.0 world. Social networking sites can help uncover corporate roles or answers to security questions. Hijacked social networking credentials can be used to convince a user to click on a URL that delivers malware, believing it came from a friend. The malware in turn collects data such as user names and passwords that are then used to achieve the attacker's objectives. Some telling statistics from the data breach report:
• Zeus successfully stole more passwords than phishing and SQL injection attacks by a 2:1 margin.
• 54% of the malware found was customized specifically to the target.
• Database servers represented 25% of the breaches investigated, and 92% of the records stolen.
• Most surprisingly, none of the breaches were achieved because of an unpatched vulnerability.
There are several bright spots to be taken from the report, and they revolve around vigilance. In the banking article, the users profiled were vigilant about keeping their money safe: they worked with the bank and acted quickly when something strange occurred, such as an email verification of an address change.
In the corporate world, vigilance is clearly being exhibited by the fact that no vulnerability exploits were used to effect the breaches. So either servers are being patched more effectively, or attackers merely ignore or avoid those high-profile targets. Unfortunately, the report also showed that in some cases vigilance was lacking. There were signs in log files (found after the fact) that could have been used to uncover the attack while it was in progress, or at least sooner than the original discovery. So we as a profession need to either find the time to sift through logs, or the tools need to do a better job. Or perhaps both?
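As an added illustration of that point about log files (example code written for this post, not from the Verizon report or the Last Watchdog article): a small Python script that sifts database audit-log lines and flags any account that reads an unusually large number of rows within one hour, the kind of sign that tooling should surface while an attack is still in progress rather than during the post-mortem. The log format, the sample lines, the threshold and the off-hours window are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit log (not real data); assumed line format:
# <timestamp> db=<name> user=<account> src=<ip> rows=<rows returned>
SAMPLE_LOG = """\
2010-07-19T01:02:11 db=customers user=app_svc src=10.0.5.20 rows=12
2010-07-19T01:04:30 db=customers user=app_svc src=10.0.5.20 rows=8
2010-07-19T02:15:02 db=customers user=app_svc src=10.0.5.20 rows=15
this line is deliberately malformed and must be skipped
2010-07-19T03:41:55 db=customers user=report_ro src=10.0.9.7 rows=250000
2010-07-19T03:44:10 db=customers user=report_ro src=10.0.9.7 rows=240000
2010-07-19T09:10:00 db=customers user=app_svc src=10.0.5.20 rows=20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) db=(?P<db>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; lines that do not match are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["rows"] = int(entry["rows"])
            entry["hour"] = entry["ts"][:13]  # bucket key: YYYY-MM-DDTHH
            yield entry

def flag_bulk_reads(log_text, row_threshold=100000, off_hours=range(0, 6)):
    """Sum rows per (user, hour) bucket and return alerts for buckets at or
    above row_threshold, noting whether the reads happened outside business
    hours and which source addresses were involved."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for e in parse(log_text):
        key = (e["user"], e["hour"])
        totals[key] += e["rows"]
        sources[key].add(e["src"])
    alerts = []
    for (user, hour), rows in sorted(totals.items()):
        if rows >= row_threshold:
            alerts.append({"user": user, "hour": hour, "rows": rows,
                           "off_hours": int(hour[-2:]) in off_hours,
                           "sources": sorted(sources[(user, hour)])})
    return alerts

if __name__ == "__main__":
    for alert in flag_bulk_reads(SAMPLE_LOG):
        print(alert)
```

In a real deployment the threshold would come from a per-account baseline rather than a constant, and the alert would be routed to whoever owns the database server.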
Take a read for yourself. We’d love to hear your views.