Serious data breaches take months to spot, analysis finds

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://news.techworld.com/security/3425734/serious-data-breaches-take-months-spot-analysis-finds/

More than six out of ten organisations hit by data breaches take
longer than three months to notice what has happened with a few not
uncovering attacks for years, a comprehensive analysis of global
incidents by security firm Trustwave has found.

During 2012, this meant that the average time to discover a data
breach for the 450 attacks looked at was 210 days, 35 more than for
2011, the company reported in its 2013 Global Security Report
(publically released on 20 February).

Incredibly, 14 percent of attacks aren’t detected for up to two years,
with one in twenty taking even longer than that.

Almost half – 45 percent – of breaches happened in retailers with
cardholder data the main target. The food and beverage sector
accounted for another 24 percent, hospitality 9 percent, and financial
services 7 percent.

Questions arise from this; how are attackers getting into
organisations so easily and why do IT staff not notice until long
after the event?

The ‘how’ is probably the easiest bit to explain, caused mainly bt the
bewildering complexity of the supply and support  chains companies in
sectors such as retail become tied to.

Password discipline on infrastructure such as remote access (used by
third-parties and partners, say) remains especially woeful, with up to
half of businesses still securing access using easy-to-guess
passwords.

Trustwave also puts it finger on a seeming paradox; investigators seem
able to spot breaches that admins didn’t. Why?

The part-answer seems to be that too many organisations rely on
automated protection such as antivirus or a firewall that don't fail
gracefully. If attackers beat that security layer there is no other
system to notice that something unusual has happened.

“All developers, particularly in the e-commerce industry, should
implement a full lifecycle security plan that includes thoroughly
educating themselves and their employees, equipping themselves with
the best tools to protect themselves against attacks and making sure
they are using the most reliable resources for zero day detection,”
commented Trustwave CEO, Robert J. McCullen.

Firms should unify the logs used to monitor systems rather than
relying on a fragmented patchwork dedicated to different parts, he
said.

The report also found that it’s not only dodgy horsemeat that comes
out of Romania these days either; the country is the top source of
criminal attacks, or at least the IP addresses that appear to be
associated with them.

Seventy percent of all client-side attacks were connected to the
Blackhole Exploit Kit, the leviathan of the cybercrime world. Six in
ten attacks targeted software flaws in Adobe’s PDF Reader.

Seeing what’s leaving the networks isn’t necessarily going to be easy
as a quarter of data is exfiltrated (i.e. stolen) using an encrypted
channel designed to hide activity.

In addition to analysing 450 data breaches, the report crunched data
from 2,500 penetration tests, nine million web application attacks,
two million network scans and five million malicious websites.

A year ago, Trustwave itself became embroiled in a controversy with
Mozilla around the issuing of a digital certificate that some
developers believed breached the terms of its certificate policy.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.