Is protecting your business information from increasingly sophisticated hackers a top priority? If not, consider this statistic: last year, more than 90% of all records breached involved groups identified by law enforcement as organized crime [1].
While well-meaning insiders continue to account for the bulk of data loss incidents (67% of data breaches in 2008 were aided in part by well-meaning insiders [2]), targeted attacks aimed at stealing information for the purpose of identity theft are rising sharply.
Continue reading to learn why your business needs to maintain a continual state of high alert and how to recognize and respond to the latest threats.
Here’s the best argument for being zealous when it comes to protecting your company’s information: in 2008, Symantec created more than 1.6 million new malicious code signatures, more than in the previous 17 years combined, and blocked an average of more than 245 million attempted malicious code attacks worldwide per month [3].
According to recent research into confirmed breaches, by far the most frequent types of attack were exploitation of system vulnerabilities, unauthorized access using default or shared credentials, improperly constrained access control lists (ACLs), and SQL injection [4].
Incursion into an organization’s infrastructure is typically perpetrated in one of four ways:
- System vulnerabilities – In many cases, laptops, desktops, and servers are missing the latest security patches, which leaves a gap in the overall security posture. Insecure default settings and mistakes in computer or security configuration open similar gaps. Cyber-criminals scan for and exploit these weaknesses to gain a foothold on the corporate network and reach confidential information.
- Improper credentials – Passwords on Internet-facing systems such as email, Web, or FTP servers are often left at factory defaults, which are published in vendor documentation and easily obtained by hackers, and credentials shared across many systems let a single compromise spread. Under-constrained or outdated ACLs provide further opportunities for both hackers and malicious insiders.
- SQL injection – By manipulating parameters in URLs or form fields that a web application passes unchecked into its database queries, hackers can read or modify the database and, on some database platforms, execute operating-system commands that install malware and give them remote access to the target servers.
- Targeted malware – Hackers use spam, email, and instant messages, often disguised as coming from a known contact or company, to direct users to websites that have been compromised to serve malware.
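The SQL injection item above is the one of the four that is easiest to show in code. The following is an added example, not code from the original page or from Symantec: a login query built by string concatenation beside its parameterized replacement, run against a constructed in-memory SQLite table. The table contents, the payloads, and the function names are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample user table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Attacker-controlled input is spliced into the SQL text, so the
    input is parsed as SQL: this is the flaw the list item describes."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def dump_vulnerable(conn, username):
    """Same flaw, used to pull every row out of the table."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """The driver binds the values separately from the query text, so quote
    characters and comment markers in the input are never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    conn = make_db()
    # Closes the username literal and comments out the password check.
    bypass = "alice' --"
    # Closes the literal, then appends a UNION that returns credentials.
    extract = "' UNION SELECT username || ':' || password, role FROM users --"
    return {
        "vulnerable": login_vulnerable(conn, bypass, "wrong"),
        "dump": sorted(dump_vulnerable(conn, extract)),
        "hardened": login_parameterized(conn, bypass, "wrong"),
        "legit": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The hardened function succeeds only with the real password. Parameterization removes the injection itself; running the application's database account with the least privilege it needs (no command-execution or file-system procedures, no access to other schemas) limits what an injection that slips through elsewhere can do, which is what separates a leaked table from the remote server access the list item warns about.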
Following the incursion phase, hackers map out the organization’s systems and scan for confidential information. Exposed data on unprotected systems is accessed immediately. In some cases, rootkits are then surreptitiously installed on targeted systems and network access points to capture confidential information as it flows through the organization. Finally, the confidential information is sent to attacker-controlled infrastructure, typically inside encrypted connections or in password-protected archives, so that its contents cannot be inspected as it crosses the network perimeter.
In what is thought to be the world’s largest data breach, cyber-criminals stole more than 100 million records from Heartland Payment Systems in 2008 (the breach was disclosed in January 2009), zipped the information up, looked for an unused port on the company’s firewall, and sent the information out.
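The two paragraphs above describe the exfiltration stage: a password-protected archive leaving through a firewall port nobody uses. The following is an added example, not code from the original page or from Symantec, showing two checks a defender can run against that pattern: a scan of outbound firewall records for flows on ports outside an egress baseline or carrying unusually large volumes, and an inspection of a captured payload for ZIP entries with the encryption flag set (bit 0 of the general-purpose flag in the PKZIP local file header). The log lines, log format, port baseline, and size threshold are constructed for the example and are not from any real product.

```python
import io
import re
import struct
import zipfile

# Constructed outbound firewall records (not from the page or a real device).
# Fields: timestamp action src dst:port bytes_out
SAMPLE_LOG = """\
2009-01-12T02:13:04 ALLOW 10.1.4.22 203.0.113.9:443 18230
2009-01-12T02:13:09 ALLOW 10.1.4.22 203.0.113.9:443 22110
2009-01-12T02:14:31 ALLOW 10.1.8.5 198.51.100.77:8089 734003200
2009-01-12T02:15:02 ALLOW 10.1.4.30 203.0.113.40:25 4120
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+):(\d+) (\d+)$")
ALLOWED_EGRESS_PORTS = {25, 53, 80, 443}   # assumed baseline for this network
BYTES_THRESHOLD = 100 * 1024 * 1024        # assumed: flag one flow over 100 MiB out


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, port, nbytes = m.groups()
    return {"ts": ts, "action": action, "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes)}


def find_suspect_flows(log_text):
    """Return (src, dst, port, reasons) for flows leaving on a non-baseline
    port or moving more data than the threshold in a single flow."""
    suspects = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        reasons = []
        if rec["port"] not in ALLOWED_EGRESS_PORTS:
            reasons.append("non-baseline egress port %d" % rec["port"])
        if rec["bytes"] > BYTES_THRESHOLD:
            reasons.append("large outbound transfer (%d bytes)" % rec["bytes"])
        if reasons:
            suspects.append((rec["src"], rec["dst"], rec["port"], reasons))
    return suspects


# PKZIP local file header: signature, version, flags, method, mtime, mdate,
# crc32, compressed size, uncompressed size, filename length, extra length.
ZIP_LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_FLAG_ENCRYPTED = 0x0001


def zip_entries_encrypted(data):
    """Return [(filename, encrypted)] for each local file header found in
    a ZIP byte string. Bit 0 of the flags marks a password-protected entry."""
    entries = []
    pos = 0
    while True:
        pos = data.find(ZIP_LOCAL_SIG, pos)
        if pos < 0 or pos + ZIP_LOCAL_HEADER.size > len(data):
            break
        (_sig, _ver, flags, _method, _mtime, _mdate, _crc,
         csize, _usize, name_len, extra_len) = ZIP_LOCAL_HEADER.unpack_from(data, pos)
        start = pos + ZIP_LOCAL_HEADER.size
        name = data[start:start + name_len].decode("utf-8", "replace")
        entries.append((name, bool(flags & ZIP_FLAG_ENCRYPTED)))
        # Skip filename, extra field and compressed data to the next header.
        pos = start + name_len + extra_len + csize
    return entries


def make_plain_zip():
    """Constructed unencrypted archive built with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("customers.csv", "id,card\n1,4111111111111111\n")
    return buf.getvalue()


def make_encrypted_zip_header():
    """Hand-built local header with the encryption flag set; the body is dummy
    bytes because only the header matters for this check (assumed layout)."""
    name = b"customers.csv"
    body = b"\x00" * 16
    header = ZIP_LOCAL_HEADER.pack(ZIP_LOCAL_SIG, 20, ZIP_FLAG_ENCRYPTED, 0, 0, 0,
                                   0, len(body), len(body) - 12, len(name), 0)
    return header + name + body


if __name__ == "__main__":
    for hit in find_suspect_flows(SAMPLE_LOG):
        print("suspect flow:", hit)
    print("plain archive:", zip_entries_encrypted(make_plain_zip()))
    print("encrypted header:", zip_entries_encrypted(make_encrypted_zip_header()))
```

Neither check is complete on its own: a baseline of permitted egress ports has to be maintained per network, an attacker can stay under a byte threshold by trickling data out, and an encrypted ZIP is only one of many containers that hide content from inspection. The value is in correlating them, which is the point the page makes later about integrated monitoring: a large flow, on an unused port, carrying a password-protected archive is worth an immediate look.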
Recently, a panel of Symantec researchers was convened to discuss the current threat landscape and to predict the top security threats for 2010. Among their findings:
- Ready-made malware on the rise – 2009 saw malware become easier than ever to create. This was largely due to the availability of popular user-friendly toolkits that enable even novice hackers to create malware and botnets. Many ready-made threats are in reality a conglomeration of components from other, more established malware. This trend has also made malware more disposable, with a threat appearing then disappearing sometimes within just a 24-hour period.
- Current events leveraged more than ever – Valentine’s Day, NCAA March Madness, the H1N1 Flu, the crash of Air France Flight 447, the death of Michael Jackson, Tiger Woods’ car accident. These events along with countless others were used by malware authors and spammers in 2009 to try and lure unsuspecting Internet users into downloading malware, buying products, and falling for scams. More of the same can be expected in 2010.
- Social engineering as the primary attack vector – More and more, attackers are going directly after end users and attempting to trick them into downloading malware or divulging sensitive information under the pretense that they are doing something perfectly innocent. Social engineering’s popularity is at least in part spurred by the fact that it targets the user rather than vulnerabilities in a machine, so it works even against a fully patched system. Symantec estimates that the number of attempted attacks using social engineering techniques will increase in 2010.
- Expect more specialized malware – Highly specialized malware was uncovered in 2009 that was aimed at exploiting certain ATMs, indicating a degree of insider knowledge about their operation and how they could be exploited. Expect this trend to continue in 2010, including the possibility of malware targeting electronic voting systems, both those used in political elections and public telephone voting, such as that connected with reality television shows and competitions.
Contrary to the impression left by sensationalist news coverage, data breaches are not an inevitable byproduct of our information age. In working with customers to discover potential data loss incidents, quickly respond to threats, and proactively protect their confidential information, Symantec has learned three important lessons:
- Breaches are preventable. In all breach scenarios investigated by Symantec, there were key points of intervention where countermeasures could have prevented the breach – and in some cases did so. That’s cause for optimism.
- The only strategies with a chance of success are those that are both risk-based and content-aware. Preventing data breaches is all about risk reduction. To reduce risk, you must know where your data is stored, where it is going, and how it is being used. Only then will you be able to clearly identify problematic practices, prioritize data and groups for phased remediation, and begin to stanch the flow of proprietary data leaving your organization.
- Preventing data breaches requires multiple solutions working together to solve the problem. This means much more than defense-in-depth. It means that the solutions your organization deploys – whether to monitor information, protect endpoints, check technical controls, harden core systems, or provide real-time alerts – must be integrated to create a centralized view of information security so you can make correlations and discover root causes quickly and decisively.
The first step in creating a prevention and response plan is to identify the types of information you want to protect and where that information is exposed in your organization. Once you have identified your organization’s priority information and determined your level of risk of data loss, the next step is to assess your network and understand what areas of the infrastructure are leaving you vulnerable to external attacks.
For many organizations, this process begins with an onsite risk assessment. Symantec's Information Exposure Assessment provides customers with a holistic and data-centric view of their organization’s information risk. By combining industry-leading advisory consulting services and data loss prevention technologies, Symantec can provide customers with not only a detailed analysis of their exposure to internal and external data breaches, but also a quantitative assessment of actual data loss risk across networks, Web applications, storage, and endpoints.
This combined approach allows Symantec to deliver a detailed and comprehensive risk mitigation plan focused on priority data loss and data exposure concerns. The result is a detailed plan of action that includes guidance on addressing internal and external risks and recommended activities to reduce and eliminate areas of exposure across the entire organization.
Targeted attacks are increasingly aimed at stealing information for the purpose of identity theft. These attacks typically exploit system vulnerabilities, improper credentials, SQL injections, and targeted malware in order to get access to your data.
The good news is that targeted attacks can be defeated. By taking precautions against the discovery, capture, and exfiltration of data, your organization can significantly bolster its defenses against targeted attacks.
- [1] Ponemon Institute, 2008 Annual Study: Cost of a Data Breach, February 2009
- [2] Ponemon Institute, Data Loss During Downsizing, February 2009
- [3] Symantec, Internet Security Threat Report, Volume XIV
- [4] Verizon Business Risk Team, 2009 Data Breach Investigations Report