Third-party outsourcers pose the greatest risk to an organisation’s data security regime, according to a report drawing on the experiences of over 500 corporate data breaches examined by forensic investigators.
The report by Verizon’s business division found that, while insider threats typically had the biggest impact and external attacks were common but rarely caused major damage, most breaches involved partners, making these incidents a much greater source of risk.
“Business partners were involved in 39% of the data breaches handled by our investigators,” the report stated. “In a scenario witnessed repeatedly, a remote vendor’s details were compromised, allowing an external attacker to gain high levels of access to the victim’s systems.”
A typical case of a partner security breach, explains Bryan Sartin, Verizon Business’s director of investigative response, involves a crime ring approaching disgruntled employees in call centres or support positions.
The use of ‘partial insiders’ at outsourcing partners is hard to detect and a fairly safe tactic for crime rings, says Sartin, because “the person behind it is just a pawn. Once someone gets in they stay until they can’t take out any more data, or the market is flooded.”
And despite being preventable through good access control on the part of the outsourced service provider, “a good nine out of 10 victims of partial insider security breaches believe that they have controls [over the outsourcer in place]. But sometimes they don’t even know where their data is located,” Sartin says.
According to the report, when a breach does occur, in almost two-thirds of cases it takes several months to uncover.
“In 70% of cases it’s a third party that notifies the business – banks, customers or law enforcement. Often we don’t even need specialist forensic tools as the answers are in the logs,” says Sartin.
Partial insiders may be an opaque area, but external ‘hacking’ appears to be becoming a more manageable threat as the sophistication of such attacks falls sharply. Verizon Business reports that only 17% of attempts are ‘high-difficulty’ hacks. Low-difficulty attacks, commonly attributed to opportunistic ‘script kiddies’, account for 52% of incidents.
“It’s a boring part of the job now,” says Verizon’s principal manager for forensics, Matthijs van der Wel. “You’d expect attacks to be getting more sophisticated, but from a criminal perspective it’s easier to go for the weakest link.”
The attacks most commonly observed included ‘PHP extensions’, attempts to compromise vulnerable web servers and ‘SQL injections’ – the last of which has been a well-understood problem for over a decade.
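The ‘SQL injections’ the report lists are the textbook case of user input pasted into a query string. As an added illustration that is not part of the article or of the Verizon report, the Python block below uses the standard sqlite3 module and a constructed in-memory user table to put the defective lookup beside its parameterized replacement, which is the fix that has been available for as long as the attack has been understood. The table contents, user names and function names are all invented for the example.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory user table (sample data, not from the report)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "hash-of-alice-pw", "admin"),
            ("bob", "hash-of-bob-pw", "staff"),
        ],
    )
    return conn

def lookup_vulnerable(conn, username):
    """The defect: the caller's string becomes part of the SQL text itself.

    A quote character in the input ends the literal early, so whatever follows
    is parsed as SQL rather than compared as data.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, username):
    """The fix: the SQL text is fixed and the value travels as a bound parameter.

    The driver never splices the value into the statement, so quotes or
    keywords inside it are compared as an ordinary string.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

def rows_exposed(conn, username):
    """Return (vulnerable_count, parameterized_count) for the same input, so the
    difference between the two lookups can be checked programmatically."""
    return len(lookup_vulnerable(conn, username)), len(lookup_parameterized(conn, username))

if __name__ == "__main__":
    db = make_db()
    # A benign input behaves the same either way.
    print(rows_exposed(db, "alice"))            # (1, 1)
    # Input carrying a quote and a tautology: the concatenated query returns every
    # row, the parameterized one returns none because no user has that literal name.
    print(rows_exposed(db, "x' OR '1'='1"))      # (2, 0)
```

The point for a defender is that the two functions differ only in how the value reaches the database, not in the query logic, so the fix costs nothing at runtime and can be applied mechanically by searching a code base for string-built SQL. The same parameter binding applies to every mainstream database driver, not just sqlite3.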
Only 15% of hacking attempts observed during the investigations were ‘fully targeted’ against a specific organisation. Directed attacks, says Sartin, could simply come from a person learning of a vulnerability in a particular version of a software package, then going to the vendor’s website and pulling a target from its customer list. This approach, the report says, was effective – and avoidable – because “90% of known vulnerabilities exploited [in the cases examined in the report] had patches available for at least six months prior to the breach.”
Misconfigured systems, or even a complete lack of security, “contributes to a huge number of data breaches”, according to the report.
“It’s not about the technology as much as the processes,” van der Wel says. “Abuse of power is a big problem.”
One case he examined involved the CEO at a large organisation who had set up unsecured wireless access in his office just like the one he had at home. “No one had the guts to say, ‘You shouldn’t do that’. It was a brilliant example of misuse of power,” says van der Wel.
Another big risk centres on employees who take home laptops that contain sensitive data. Many such users allow their children to use the device to surf the web, and that can result in programs being installed on the machine. “Kids don’t adhere to corporate policy on the sites not to visit,” van der Wel says.
Trying to control users’ activities in the wrong way can also cause security problems. “Be afraid of the creativity of your users,” van der Wel advises. “For instance, some organisations don’t allow large file attachments on email – which means people will use Google Mail instead. And if your users want remote access and you don’t give it to them, they will install a program like ‘Log Me In’.”
Sometimes users break security rules out of necessity: “Some have to misuse their access privileges to get access to data they need to do their job.”
New technologies like virtualisation also pose challenges. “If you have one machine running 14 virtual servers and one person managing them, they might use the same username and password for all 14,” says Sartin. “But you can patch across multiple systems.”
The report found that the online activities of criminal groups are more than doubling each year, with increasing attention towards ‘softer targets’, or “the path of least resistance”, according to Sartin.
One increasingly common example is the ‘restaurant case’. “If two out of three customers complaining of fraud attended the same restaurant in the third week of December, we go in and ask the owner if someone stole the bowl of business cards left on the counter,” he says, explaining that matching credit card numbers to business cards lets a fraudster develop a valuable picture of a victim’s identity.
“Payment card data is easy to sell to the black market, but a combination of identity records is the most valuable,” says Sartin.
The retail and the food and beverage industries accounted for 55% of the investigations, while financial firms and the technology services sector made up 14% and 13% respectively.
“The 1999 angle was to protect the perimeter; now the focus is data loss prevention,” says Sartin. “We were hired by a retailer who had stores in 2,000 locations, and someone had used one store to get in a hit on the others. The retailer had just spent $250,000 on firewalls, but when we plugged in [to their network], we found no one had activated the store-to-store controllers.”
While the rising opportunistic attacks can be thwarted by measures as basic as regular software updates, new “very sophisticated” techniques are being used to catch intruders running vulnerability scans from behind staging areas.
“Verizon has more than 485,000 route miles of cable, so chances are traffic related to the breach has crossed our network,” Sartin explains. “We can corroborate IP addresses and see past staging areas.”
At the same time, Verizon investigators observed the rise of ‘anti-forensic’ tools, which are “readily available and operationally intuitive” and used in 39% of cases. The report says, “this will be a trend to watch over the next few years”.
IT often unfairly takes the blame for data breaches, Sartin says, which could be limiting the responsibility IT is willing to take for data security.
“It always surprises me in the investigations we do, especially the [serious] ones, how little impact there is on senior executives. There are no consequences on the C-level; it’s blamed on IT,” he concludes.