Breach Stats Prompt Need For Vulnerability, Configuration Assessment: Report
Financially motivated attackers who steal credit card data and state-sponsored cyberespionage campaigns intent on intellectual property theft have one thing in common: Both cybercriminal groups exploit the path of least resistance into organizations.
Phishing attacks and stolen account credentials are at the core of most data breaches and are commonly used to gain an initial foothold on an enterprise network, according to more than 600 breaches analyzed by Verizon in the firm's 2013 Data Breach Investigation Report. Security experts told CRN that enterprises large and small need to focus on weeding out Web application vulnerabilities and configuration weaknesses that are often the path into the corporate network.
The trend has been toward exploiting vulnerabilities on the client, and the statistics are reflecting what security experts at Veracode are seeing, said Chris Wysopal, chief technology officer at the Burlington, Mass.-based vulnerability management vendor "An attacker is much more likely to ask you to open up a zip file or word file than browse to a malicious website," Wysopal said.
[Related: Verizon Analysis: Top 10 Causes Behind Data Breaches ]
The Verizon analysis found 71 percent of breaches involving an initial attack on user devices. The firm said 78 percent of initial intrusions into corporate networks were relatively easy. And 76 percent of breaches exploited weak or stolen passwords. The Verizon data is skewed toward retailers and small businesses where credit card data is being targeted rather than the highly skilled attacks seeking intellectual property, Wysopal said. Focusing on application security can alleviate much of the risk, he said.
"The basics haven't changed in a few years with static analysis in the SDL and dynamic analysis to scan Web applications you have in production," Wysopal said. "Today the tools are more consumable and can scale over lots of applications."
Software makers need to continue to build security mechanisms into applications, said Brad Arkin, chief security officer at Adobe Systems. Arkin and his team have focused on bolstering Adobe Reader and Acrobat software, which have been highly targeted by attackers, as well as increasing security of Adobe's growing cloud-based services. Studying how cybercriminals carry out campaigns could lead to new security defenses that slow down attackers and increase the chance of detection before a breach takes place, Arkin said. Software will never be perfect, he said.
"Banks take steps to slow down bank robbers and make it more likely that they get caught, and enterprises can take a lesson from that," Arkin said. "All of the extra layers of defense that we're putting into our software ensures that we're driving up the cost for the exploit authors."
NEXT: Proactive Monitoring, Network Security Improvements Needed
While attackers are using malware-laden email and often targeting Web application vulnerabilities, the Verizon report concluded that organizations need to eliminate "sloppy configurations, needless services and exposed vulnerabilities." The firm acknowledged that its data may be under reporting configuration weaknesses. Server misconfiguration, mundane mistakes and glitches leveraged by attackers are rarely investigated or reported, the firm said.
Enterprise IT teams need to get back to the basics of understanding what is on the network and whether it is configured properly, said Ron Gula, CEO of Tenable Network Security. Configuration and vulnerability management goes a long way to solving the most prevalent problems, Gula said.
"A lot of organizations can't tell you if the configuration of their routers and switches are appropriate let alone the status of all the desktops and other devices on the network," Gula said. "The industry needs to move to more of a real-time basis for vulnerability analysis if we're going to make strides in getting it right."
More proactive network monitoring should also be a priority, experts say. The Verizon analysis found that 66 percent of the compromised incidents took months or more to discover, up from 55 percent in 2011 and 41 percent in 2010.
Detecting a breach is not a problem that can be solved with pure technology, said Jim Butterworth, chief information security officer at Sacramento, Calif.-based security firm HBGary.
"I think that a lot of companies are expecting that they can go out and buy an Easy Button and put it in place and it will work," Butterworth said. "We're dealing with determined adversaries, and their intentions are no longer strictly financially motivated."
The Verizon report recommends organizations apply, in large part, the "20 Critical Security Controls," a document that outlines key security initiatives being employed by federal agencies and agreed upon by a consortium of security experts as an effective way to mitigate serious risks.
Employees may also be part of the answer, the Verizon report suggests. Training to help employees recognize phishing emails and better monitoring for malicious websites when employees click on links could be effective, according to the report. Employees can also spot suspicious behavior before it becomes a serious problem.
The Verizon breach analysis shouldn't be a big surprise to any security professionals, said Amit Yoran, senior vice president and general manager of the security management and compliance business unit at RSA. Most networking security appliances fail to gain visibility, especially when attackers are gaining access to networks with valid credentials, Yoran said.
"It's perhaps supports the realization made by many of us in the industry that more traditional approaches to monitoring are not getting the job done; current technologies are not capable of detecting rapidly evolving threats," Yoran said, adding that enterprises depend far too much on intrusion detection systems that heavily rely on signatures to detect threats. "Technology by itself won't solve these problems because it's about appropriate processes and the right technology that empowers people and can scale to rapidly address threats."
PUBLISHED MAY 1, 2013