Lessons from Recent Data Breaches
As 2010 closes, we are given a chance to reflect on the past year of breaches. (For this column we focus on breaches as a result of EXTERNAL hacks, not internal) But something interesting has occurred which will surprise many: there has been a 93.7% drop in the volume of data stolen from 2009 to 2010. An analysis from the Privacy Clearinghouse, a public database which records all breaches of personal and sensitive information belonging to US citizens, shows that about 230M data records were taken in 2009 and only 13M so far this year. You might be wondering: WTF?
There are two reasons for the drop. First, we didn’t experience any mega-breaches along the lines of Heartland (130M lost records) or Veteran’s Administration (30M records lost on a laptop). The biggest breach this year came from malware sucking out 3M data records from the FAA. Second, as we transition from 2009 to 2010, we see the value of data shifting. In October, Kroll's Annual Global Fraud Report revealed that 2010 was the first year that the value of digital assets stolen actually exceeded the value of physical assets.
As 2010 is just about to end, let’s take a look at some hacks from the previous year and see what we can learn from them.
Interesting Breach #1: Federal Aviation Administration (FAA)
In the case of an employee-based breach, the resulting damage is not only outward-facing but also has an internal impact. We, as employees, hold our employers responsible and have the full right to expect complete protection for the private data we have supplied to the workplace. The biggest incident of this year, encompassing 3 million records, pertains to an employer mishap. In June, the FAA published its security investigations findings. The private details of these airmen – including, but not limited to, their social security numbers and healthcare information - was available for access by former staff and to the hacker industry, through the installation of malicious code. Although much smaller than last year’s biggest breach, the Heartland Payment Systems breach, the information gathered is very damaging. With a full arsenal of information—hackers can do much more on the black market, commanding higher prices.
What can be done to avoid such a future exposure?
Security controls should be set to -
• Enforce data is accessed only by authorized parties - At a minimum, they should block access from former staff, or from other employees attempting to access the data beyond their need-to-know level.
• Block access from any illegitimate application – Security controls should be able block an unauthorized process (the malicious code).
Interesting Breach #2: SQL Injection 2.0 (a.k.a., SQL Injection becomes industrialized) Why Interesting? Highlights a simple truth few have grasped: all web apps will get hacked eventually
In August 2010 over 1 million websites, including Apple’s, were hit by a wave of mass SQL Injection attacks. In such a SQL Injection attack scenario, an attacker inserts malicious scripts into the vulnerable websites. Consequently, when a user visits the targeted application, the script may lead to the installation of crime-ware on the individual’s machine. We’ve seen many such waves of attack throughout the past few years. Automation is the key in the hacker industry. In this case, the automation aid is Google which is used to search for the vulnerable websites. The search engine is even employed as the platform of malicious code distribution.
It's in a company’s best interest to provide a safety-zone for their online visitors. A site known to lead to malware will prevent users from returning to the site, or from performing business with the company. As companies attempt to secure their online applications, they still leave open gaps which allow the hacker industry to exploit.
In order to provide the required safety-zone for online users, organizations should protect their security controls with the following capabilities –
• Block abnormal requests – for example, the injection of a malicious script.
• Virtual Patching – this capability patches a known vulnerability externally by disallowing users to exploit the certain vulnerability.
• Incorporates reputation controls – blocks or alerts requests originating from suspected malicious sources, or containing similar attack vector patterns.
Interesting Breach #3: Network Solutions Widget Why Interesting? Hackers targeted SMBs, highlighting what the bad guys saw as low-hanging fruit.
In the summer of 2010, Network Solutions admitted to malicious code appearing in an application building widget. The widget helps small businesses build their own site and as a consequence up to 5 million websites were affected. There are two interesting aspects to this breach. The first is that it was enough for the hackers to target just one application. The sheer amounts of resulting breaches was bound to follow due to the dependency of the created sites on the application. The second is that Network Solutions had previously suffered from a breach. When it comes to attacks, lightening may strike twice.
Key Lessons To prevent Network Solutions-style mishaps, companies should -
• Provide secure applications – companies should make sure that the applications they are creating and disseminating are secure. This includes a vulnerability mitigation process.
• Continuously be on alert - companies should take heed that if they suffered from a single attack, it does not make the organization immune to a second attack. In fact, if we look again at the Ponemon Research Institute 2009 survey, they showed how 82% of their respondents suffered from more than one data breach which involved the loss of over 1000 sensitive records.
Coming up Next...
We discussed the impact to companies suffering from a data breach due to hackers. Next column we return to the hacker industry where we will delve into the development of the malware known to target financial institutions. However, their application to other online services is only a matter of time. So stay tuned as I talk about the most recent trojans – Man in the Browser.