Is it your turn now?

August 2016 Editor's Choice, Information Security

There is a continual stream of news about who has just been hacked, who has had their Twitter or Facebook account compromised (the latest was the CEO of Twitter, preceded ironically enough by the CEO of Facebook) and who has lost money or brand prestige as a result of cybercrime.

While we tend to shake our heads and perhaps even have a good chuckle about breaches, such as the RSA (a security company) breach a few years ago that cost the company millions, the reality is nobody is safe and breaches affect everyone, not only the companies concerned. In fact, back in 2013, South Africa ranked third in the world when it came to the number of cybercrime victims (after Russia and China) according to the 2013 Norton Cybercrime report, so we have nothing to be complacent about when it comes to cybercrime, no matter how unimportant you think you are to criminals.

The Verizon 2016 Data Breach Investigations Report (DBIR), an annual report backed by the leading security operations globally, from EuroPol to US-CERT (Computer Emergency Readiness Team) and many more (the report can be found at http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/), delivers some frightening statistics about the risks we face in the cyber world and the apparent ease with which the cyber criminals gain access to almost anything.

Far from the old idea that breaches are just hackers showing off, the DBIR found that “89% of breaches had a financial or espionage motive”. The most unpleasant fact about the report, if one can choose one fact from the many presented, was that the researchers found in “93% of cases, it took attackers minutes or less to compromise systems. Organisations, meanwhile, took weeks or more to discover that a breach had even occurred – and it was typically customers or law enforcement that sounded the alarm, not their own security measures.”

Allowing criminals to stay in your system for days or weeks simply enables them to infiltrate more of your systems, obtaining access to more sensitive data which they can sell or use in their financial or espionage pursuits. It’s worth noting that espionage refers to ‘spying’ from a national perspective, such as the American NSA snooping on everything they can find, as well as industrial espionage where competitors can download your IP, your plans, your pricing models and your customer database, among other interesting things you would prefer they don’t have. Of course, certain countries have intelligence agencies that steal IP to assist their own country’s businesses.

Stopping these breaches is therefore critical; however, we know that no system is invulnerable. Let’s remember that Standard Bank was hit for around R300 million recently, and one would assume its security is a notch or two above that of your average company.

Nine patterns

The DBIR reports that 95% of the security breaches and 86% of the incidents included in its 2016 report fit into nine patterns, which may be a good place for vulnerable companies to start planning their defensive strategies. It’s also worth noting that the criminal element is always improving its game and looking for new information to sell or use, so information security is a continual process of improvement.

In short, the nine patterns highlighted in the DBIR are as follows:

1. Miscellaneous errors: These are unintentional mistakes that compromise security. This can include a shortage of server capacity where key applications crash during spikes in activity, or it can be a simple or careless mistake on the part of an employee – and not always those with administrator privileges. The industries most affected by these vulnerabilities include the public sector, healthcare and information sectors (these are global findings and not specific to South Africa or Africa).

2. Insider and privilege misuse: In this pattern, insiders are part of the plot, either to make themselves a buck or as part of a team looking for profit or intellectual property. Collusion often allows outsiders to access the organisation’s network and the damage is done from there. Another entry point is from contractors and business partners who have been granted access in order to streamline the companies’ interactions with the host. DBIR notes that healthcare, public sector and administrative industries are the most affected.

3. Physical theft and loss: It’s not all hacking and gaining access to the corporate network. The loss of laptops, mobile devices, USB sticks and even paper documents with sensitive information on them is also a factor in information crimes. Interestingly, DBIR found that 39% of this theft is from victims’ work areas and 34% from their personal vehicles. Once again, healthcare and the public sector are the primary targets.

4. Denial of service (DoS): DoS attacks bring IT systems to their knees by flooding them with requests for information, such as millions of requests for a web page. According to the DBIR: “The median traffic of a DoS attack is 1.89 million packets per second – that’s like over 113 million people trying to access your server every minute.” Normal operations grind to a halt and chaos ensues. These attacks are mostly used to cause problems and not to steal data or money, but can also be used as a diversion. DBIR found that they are the fourth most common attack pattern and they mostly affect the entertainment, professional and educational sectors.

5. Crimeware: The DBIR defines crimeware as any malware (malicious software) that “doesn’t fit into a more specific pattern”. The attacks are opportunistic, such as an email containing an infected attachment and so forth. The report shows that 39% of crimeware in 2015 involved ransomware, a statistic which is sure to be higher in 2016 given the profitability of this form of attack. While everyone is a target, including consumers, the DBIR notes that the most affected industries are the public, manufacturing and information sectors.

6. Web app attacks: These attacks focus on the weaknesses in web applications, such as content management systems or e-commerce platforms, where malware is introduced to the organisation’s server through these vulnerabilities. The majority (95%) are financially motivated and the most common targets are the financial services, retail and information sectors.

7. Point-of-sale (PoS) intrusions: These attacks, such as the famous Target attack in the US, are targeted at PoS applications and aim to capture payment data, such as credit card information. The attacks are mostly aimed at retail and hospitality (accommodation) organisations where security is often not the top concern. The DBIR report notes that 95% of confirmed breaches in 2015 in the hospitality sector were via PoS intrusions.

8. Cyber espionage: These attacks are mostly carried out by national players on the lookout for intellectual property of various sorts. The attacks start with the other patterns mentioned here, but then take a far more sophisticated turn once the criminals are in. The manufacturing, information and professional sectors are most affected, with DBIR finding “47% of all confirmed breaches in manufacturing could be classified as cyber espionage”.

9. Payment card skimmers: A firm favourite in South Africa, skimmers can be used at ATMs or PoS stations, or even with handheld card scanners. The favourite destinations for these attacks are the financial services, hospitality and retail sectors.

With most of the cyber attacks focused on these areas, companies have a place to start in developing a security strategy. However, it’s always wise to remember the basics. The DBIR reports: “The top 10 vulnerabilities [Common Vulnerabilities and Exposures, or CVEs] accounted for 85% of successful exploit traffic. The other 15% comprises over 900 CVEs.”

Keeping your software patches up-to-date is therefore a ‘simple’ task that will offer protection from many attacks. Of course, it’s not always easy to know when a new patch is available for various applications and what the knock-on effects on other applications may be, but there are solutions to assist organisations in this process. Using intelligence is key to remaining informed and secure.

Interestingly, the DBIR report states that vulnerabilities in Adobe products were the quickest to be exploited, while Mozilla (developers of the Firefox browser) applications took the longest time to be breached.

The information in this article is a small sample from the 2016 Data Breach Investigations Report from Verizon. The full report is packed with information and advice on information security and is well worth the effort to read. To download the report and sign up for additional information, go to http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/ (short URL: securitysa.com/*vz16si).


