Symantec Internet Security Threat Report - 2011

Introduction | 2011 In Review | 2011 In Numbers | Executive Summary | Safeguarding Secrets: Industrial Espionage in Cyberspace | Against the Breach: Securing Trust and Data Protection | Consumerization and Mobile Computing: Balancing the Risks and Benefits in the Cloud | Spam Activity Trends | Malicious Code Trends | Closing the Window of Vulnerability: Exploits and Zero-day Attacks | Conclusion: What’s Ahead in 2012

Against the Breach: Securing Trust and Data Protection

Political activism and hacking were two big themes in 2011; themes that are continuing into 2012. There were many attacks last year that received lots of media attention. Hacking can undermine institutional confidence in a company, and loss of personal data can result in damage to an organization’s reputation.
Although not the most frequent cause of data breaches, hacking attacks had potentially the greatest impact and exposed more than 187.2 million identities, the greatest number for any type of breach in 2011, analysis from the Norton Cybercrime Index revealed. Despite the media interest around these breaches, old-fashioned theft was the most frequent cause of data breaches in 2011.

Data Breaches in 2011

2011 was the year of data breaches. Analysis of the industry sectors showed that companies in the Computer Software, IT and healthcare sectors accounted for 93.0% of the total number of identities stolen. It is likely that hackers perceived some of the victims as softer targets, focused on consumer markets and not information security. Theft or loss was the most frequent cause, across all sectors, accounting for 34.3%, or approximately 18.5 million identities exposed in 2011.
Worldwide, approximately 1.1 million identities were exposed per breach, mainly owing to the large number of identities breached though hacking attacks. More than 232.4 million identities were exposed overall during 2011. Deliberate breaches mainly targeted customer-related information, primarily because it can be used for fraud.
A recent studyvii from the Ponemon Institute, commissioned by Symantec, looked at 36 data breaches in the UKviii and found the average per capita cost was GBP £79 and an average incident costs GBP £1.75 million in total. Similarly in the US, Ponemon examined 49 companies and found the per capita cost of a breach was USD $194 and an average incident costs USD $5.5 million in total. Echoing the Norton Cybercrime Index data above, the Ponemon study also found that negligence (36% of cases in the UK and 39% in the US) and malicious or criminal attacks (31% in the UK and 37% in the US) were the main causes.
The study’s findings revealed that more organizations were using data loss prevention technologies in 2011 and that fewer records were being lost, with lower levels of customer churn than in previous years. Taking steps to keep customers loyal and repair any damage to reputation and brand can help reduce the cost of a data breach.
Figure 6: Timeline of data breaches showing identities breached in 2011. Source: Symantec
Figure 7: Top-ten sectors by number of data breaches, 2011. Source: Symantec
Figure 8: Top-ten sectors by number of identities exposed, 2011. Source: Symantec

Certificate Authorities under attack

Certificate Authorities (CAs), which issue SSL certificates that help encrypt and authenticate websites and other online services, saw an unprecedented number of attacks in 2011.
Notable examples of attacks against CAs in 2011 included:
  • March: An attack compromised the access credentials of a Comodo partner in Italy and used the partner’s privileges to generate fraudulent SSL certificates .
  • May: It was reported that another Comodo partner was hacked: ComodoBR in Brazilx.
  • June: StartCom, the CA operating StartSSL was attacked in Junexi.
  • June: Diginotar was hacked in June. But no certificates were issued at firstxii.
  • July: An internal audit discovered an intrusion within DigiNotar’s infrastructure indicating compromise of their cryptographic keys. Fraudulent certificates are issued as a result of the DigiNotar hack for Google, Mozilla add-ons, Microsoft Update and othersxiii.
  • August: Fraudulent certificates from the DigiNotar compromise are discovered in the wild. Hacker (dubbed ComodoHacker) claims credit for Comodo and DigiNotar attacks and claims to have attacked other certificate authorities as well. Hacker claims to be from Iran.
  • September: Security researchers demonstrate “Browser Exploit Against SSL/TLS” (BEAST for short)xiv, a technique to take advantage of a vulnerability in the encryption technology of TLS 1.0, a standard used by Browsers, Servers and Certificate Authorities.
  • September: GlobalSign attacked, although the Certificate Authority was not breached, their web server was compromisedxv., but nothing elsexvi. ComodoHacker claims credit for this attack as well.
  • September: Dutch government and other Diginotar customers suddenly had to replace all Diginotar certificates as the major Web browser vendors removed Diginotar from their trusted root storesxvii. DigiNotar files for bankruptcy.
  • November: DigiCert Sdn. Bhd. (DigiCert Malaysia) an intermediate certificate authority that chained up to Entrust (and is no relation to the well-known CA, DigiCert Inc.) issued certificates with weak private keys and without appropriate usage extensions or revocation information. As a result Microsoft, Google and Mozilla removed the Digicert Malaysia roots from their trusted root storesxviii. This was not as the result of a hacking attack; this was a result of poor security practices by DigiCert Sdn. Bhd.
These attacks have demonstrated that not all CAs are created equal. These attacks raise the stakes for Certificate Authorities and require a consistently high level of security across the industry. For business users, they underline the importance of choosing a trustworthy, well-secured Certificate Authority. Lastly, consumers should be using modern up-to-date browsers and become more diligent about checking to verify that sites they visit are using SSL issued by a major trusted CA and we have included some advice in the best practices section at the end of this report.

Building Trust and Securing the Weakest Links

Law-abiding users have a vested interest in building a secure, reliable, trustworthy Internet. The latest developments show that the battle for end-users’ trust is still going on:
  • Always On SSL. Online Trust Alliancexix endorses Always On SSL, a new approach to implementing SSL across a website. Companies like Facebookxx, Google, PayPal, and Twitterxxi are offering users the option of persistent SSL encryption and authentication across all the pages of their services (not just login pages). Not only does this mitigate man-in-the-middle attacks like Firesheepxxii, but it also offers end-to-end security that can help secure every Web page that visitors to the site use, not just the pages used for logging-in and for financial transactions.
  • Extended Validation SSL Certificates. EV SSL Certificates offer the highest level of authentication and trigger browsers to give users a very visible indicator that the user is on a secured site by turning the address bar green. This is valuable protection against a range of online attacks. A Symantec sponsored consumer survey of internet shoppers in Europe, the US and Australia showed the SSL EV green bar increases the feeling of security for most (60%) shoppersxxiii. Conversely, in a US online consumer study, 90% of respondents would not continue a transaction if they see a browser warning page, indicating the absence of a secure connectionxxiv.
  • Baseline Requirements for SSL/TLS Certificates. The CA/Browser Forum released “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates”, the first international baseline standard for the operation of Certification Authorities (CAs) issuing SSL/TLS digital certificates natively trusted in browser software. The new baseline standard was announced in December 2011 and goes into effect July 1, 2012.
  • Code signing certificates and private key security. High profile thefts of code signing private keys highlighted the need for companies to secure and protect their private keys if they hold digital certificatesxxv. Stealing code signing keys enables hackers to use those certificates to digitally sign malware and that can help to make attacks using that malware much harder to recognize. That is exactly what happened with the Stuxnet and Duqu attacks.
  • DNSSEC. This technology is gaining momentum as a method of preserving the integrity of the domain name system (DNS). However, it is not a panacea for all online security needs, it does not provide website identity authentication nor does it provide encryption. DNSSEC should be used in conjunction with Secure Sockets Layer (SSL) technology and other security mechanisms.
  • Legal requirements. Many countries, including the EU Member Statesxxvi and the United States (46 states) have at least sectoral data breach notification legislation, which means that companies must notify authorities and, where appropriate, affected individuals if their data is affected by a data breach. As well as a spur to encourage other territories with less regulation, these requirements can reassure users that in the event of a breach they will be quickly notified and will be able take some action to mitigate against potential impact, including changing account passwords.
viiTBC: ADD URL TO UK PONEMON RESEARCH

viii2011 Cost of Data Breach Study: United Kingdom, Ponemon Institute, March 2012

ixCertificate Authority hacks (Comodohacker), breaches & trust revocations in 2011: Comodo (2 RAs hacked), https://www-secure.symantec.com/connect/blogs/how-avoid-fraudulent-ssl, http://www.thetechherald.com/articles/InstantSSL-it-named-as-source-of-Comodo-breach-by-attacker/13145/

xhttp://www.theregister.co.uk/2011/05/24/comodo_reseller_hacked/

xiStartCom attacked, http://www.internet-security.ca/internet-security-news-archives-031/security-firm-start-ssl-suffered-a-security-attack.html, http://www.informationweek.com/news/security/attacks/231601037

xiihttp://www.theregister.co.uk/2011/09/06/diginotar_audit_damning_fail/

xiiiDigiNotar breached & put out of business, https://www-secure.symantec.com/connect/blogs/why-your-ca-matters, https://www-secure.symantec.com/connect/blogs/diginotar-ssl-breach-update, http://www.arnnet.com.au/article/399812/comodo_hacker_claims_credit_diginotar_attack/, http://arstechnica.com/security/news/2011/09/comodo-hacker-i-hacked-diginotar-too-other-cas-breached.ars, http://www.darkreading.com/authentication/167901072/security/attacks-breaches/231600865/comodo-hacker-takes-credit-for-massive-diginotar-hack.html http://www.pcworld.com/businesscenter/article/239534/comodo_hacker_claims_credit_for_diginotar_attack.html

xivAttacks & Academic proof of concept demos: BEAST (http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html) and TLS 1.1/1.2, THC-SSL-DOS, LinkedIn SSL Cookie Vulnerability (http://www.wtfuzz.com/blogs/linkedin-ssl-cookie-vulnerability/),

xvhttp://www.itproportal.com/2011/09/13/globalsign-hack-was-isolated-server-business-resumes/

xvihttp://www.theregister.co.uk/2011/09/07/globalsign_suspends_ssl_cert_biz/

xviihttp://www.pcworld.com/businesscenter/article/239639/dutch_government_struggles_to_deal_with_diginotar_hack.html

xviiihttp://www.theregister.co.uk/2011/11/03/certificate_authority_banished/

xixhttps://otalliance.org/resources/AOSSL/index.html

xxhttp://blog.facebook.com/blog.php?post=486790652130

xxihttp://blog.twitter.com/2011/03/making-twitter-more-secure-https.html

xxiihttp://www.symantec.com/connect/blogs/launch-always-ssl-and-firesheep-attacks-page

xxiiiSymantec-sponsored consumer web survey of internet shoppers in the UK, France, Germany, Benelux, the US, and Australia in December 2010 and January 2011 (Study conducted March 2011).

xxivhttp://www.symantec.com/about/news/release/article.jsp?prid=20111129_01

xxvhttp://www.symantec.com/connect/blogs/protecting-digital-certificates-everyone-s-responsibility/

xxvihttp://www.enisa.europa.eu/act/it/library/deliverables/dbn/at_download/fullReport