The Biggest Hacks of 2012

December 19, 2012

With 2012 coming to a close, I decided to take a look back at some of the year’s more significant hacks. Two of the largest heists involved thefts of millions of records of personal data. In March, Global Payments, a credit card processor, revealed a breach in which at least 1.5 million credit card numbers were exported. And the year began when hackers targeted Zappos, the online shoe retailer, and relieved this e-tailer of over 24 million rows of email addresses and other data.

Based on these gigantic incidents, I thought this was the year of the Big Hack and a unique turning point. For perspective, I reviewed two years’ worth of Verizon’s indispensable Data Breach Investigations Reports. The DBIR is based on data collected from the US Secret Service and the Dutch National High Tech Crime Unit. For 2011, Verizon reported over 855 incidents and 174 million records compromised. Last year was the second highest data loss recorded since Verizon began this study in 2004.

I’m not sure if 2012 hacking levels will surpass 2011, and neither of these two years will come close to the 360 million records compromised in 2008. However, there are other trends that seem to have remained relatively constant.

In recent years, the top three industry sectors breached have been hospitality (read: restaurants), retail, and financial services. No surprises here.

Another common theme in the report is that poor authorization monitoring and procedures often broaden the damage done by attackers. Verizon suggests that companies should constantly be on the lookout for new files, especially growing archive and log files, with unusual attribute settings. These often indicate an attack in progress.

The DBIR also tells us that straightforward hacking—using default passwords, stolen login credentials, or backdoor attacks—is still a very effective way to extract protected data.

One revealing stat is that most of the records hacked in the last few years have not involved credit card numbers. The winner in the most-hacked-data category instead goes to plain old PII—name, address, and social security number.

So how do Global Payments and Zappos match up with the overall trends? Depressingly, these two incidents fit like a glove. Financial or retail? Check. External attack? Yes. Straightforward hack? It seems so, and no malware was involved that we know about.

For both Global Payments and Zappos, the actual exploits used are still a little fuzzy. According to Gartner Research’s Avivah Litan, the Global Payments attacker may have been able to get through the company’s knowledge-based authentication layer by answering questions correctly. This is still just speculation. Here’s what we do know: Global Payments was PCI-DSS compliant. Visa and Mastercard have since revoked their certification.

Zappos, which is also PCI-DSS compliant, kept their credit card numbers encrypted and separated from other personal information. Hackers were not able to access the “PANs”—PCI lingo for the card numbers. Zappos has kept their certification.

The most eye-opening part of Verizon’s DBIR can be found in their conclusions. Not to put too fine a point on this, but companies are simply not making the attackers work very hard. It’s not that they are so clever; it’s that IT has been a bit lax.

Here’s some of their all-too-familiar advice:

  • change default credentials
  • review user accounts on a regular basis
  • restrict and monitor privileged users

On that last point, I’ll quote the actual text from the DBIR:

“Don’t give users more privileges than they need (this is a biggie) and use separation of duties. Make sure they have direction (they know policies and expectations) and supervision (to make sure they adhere to them). Privileged use should be logged and generate messages to management.”

Speaking as a Varonis blogger, I couldn’t have said it better.

Let’s hope some of this advice takes hold, and 2013 will be a more forgettable year in hacking annals.


PCI DSS: Do Not Become the Weakest Link

October 24, 2012

By David Ricketts, Head of Marketing, C24

All merchants and service providers who store, process and transmit credit card information must comply with PCI DSS, which was developed as part of a collaboration by MasterCard Worldwide, Visa International, American Express, Discover Financial Services and JCB. The standard serves as a directive and guideline to help organisations prevent the misuse of credit card data. To comply, retailers must undergo quarterly self-assessments as well as audits (vulnerability scans) by an Approved Scanning Vendor (ASV) in accordance with PCI DSS Scanning Procedures.

Large merchants (i.e. more than 6 million transactions per year for all outlets including e-commerce) and service providers (i.e. more than 1 million transactions per year) must also undergo annual on-site audits performed by a PCI DSS Qualified Security Assessor (QSA). The audit is inclusive of all systems, applications and technical measures, as well as policies and procedures used in the storing, processing and transmission of cardholder and credit card information.


What Is Considered Sensitive Data

Per the standard, the following information is considered sensitive:


  • Primary Account Number (PAN)
  • Cardholder name
  • Service code
  • Expiration date
  • PIN Verification Value (PVV)
  • Security code (3 or 4 digit)

In accordance with the standard, merchants or service providers are not allowed to store the PVV or the security code that uniquely identifies the piece of plastic in the cardholder’s possession at the time of the transaction. However, the PAN, cardholder name, service code and expiration date may be stored.


PCI Compliance Is More Than Just Securing Cardholder Information Within Databases

Many organisations naturally focus efforts for protecting cardholder information within databases, a challenge for which technical solutions abound. However, as breaches like Citigroup’s[1] and Pfizer’s have shown, enterprises also face challenges controlling access to and dissemination of spreadsheets and documents that contain cardholder information. Exporting sensitive cardholder data out of databases is all too common, often done so that the information may be analysed as part of market research or be imported into other applications. In fact, 42 percent of enterprises hold customer data in spreadsheets as a matter of course according to Ventana Research[2], and these figures don’t include the individual users who conduct such exports on their own for business analytics or other purposes.


In the case of PCI, it is important to protect not only databases, but also file shares and SharePoint sites that house these spreadsheets and documents. Organisations need to implement a comprehensive system not only for finding the PCI information that resides outside of databases, but also for authorisation, access control and auditing of all unstructured and semi-structured data stores. When file shares contain any of the PCI-designated sensitive information, organisations need to audit, review, and tighten up access to these shared networked resources as part of their PCI compliance efforts.

What Are The Costs/Risks Of Non-Compliance

Credit card fraud and misuse reaches into the billions of dollars annually. While the costs per incident may vary by merchant size, they include:


  • Loss of income from fraudulent transactions
  • Cost to reissue cards
  • Costs of investigation and possible litigation
  • Possible fines imposed by credit card companies
  • Loss of reputation, customer confidence and business
  • Possible loss of ability to accept credit cards for payment


PCI Compliance the Easy Way

There are five principles organisations need to address when seeking to comply with PCI DSS:


  • Continual identification of relevant data
  • A process to identify and revoke unwarranted access
  • A process to configure and review logical access controls
  • Proper separation of duties
  • Evidence that these processes are being followed


Logical access control objectives are based on the principle of least privilege: access should be granted only to those resources that are required to perform a user’s function. Many audit regulations now focus on proper access and use of unstructured data on file systems and SharePoint servers.

It stands to reason that wherever the organisation has permissions to write or read data, a data owner, or steward, should be designated to make decisions about who gets access, acceptable use, etc. Otherwise, decisions about that data are left up to members of IT, who have little organisational context about the data they are trying to manage and protect.

In order to identify an owner/steward, IT needs to know who is making use of data—analysing data usage over time provides actionable business intelligence on the probable data owner of any folder. Using these statistics, administrators can quickly see the most active users of a data container. Often, one of the active users is the data owner. If none of the active users is the business owner, he or she will likely work for the data owner, or at least know who the data owner is likely to be.
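As an added illustration of the owner-identification idea in this paragraph and of the earlier principle of identifying and revoking unwarranted access (example code written for this page, not a C24 or Varonis product; the audit events, folder paths, users and ACLs are all constructed):

```python
from collections import Counter, defaultdict

# Constructed audit trail: (user, folder, action). A real trail would also carry
# timestamps and file names; folder-level touch counts are enough to rank activity.
AUDIT_EVENTS = [
    ("alice", "fs01/finance/q3", "read"), ("alice", "fs01/finance/q3", "write"),
    ("alice", "fs01/finance/q3", "read"), ("alice", "fs01/finance/q3", "write"),
    ("alice", "fs01/finance/q3", "read"), ("bob", "fs01/finance/q3", "read"),
    ("bob", "fs01/finance/q3", "read"), ("carol", "fs01/finance/q3", "read"),
    ("erin", "fs01/marketing/campaigns", "write"), ("erin", "fs01/marketing/campaigns", "read"),
    ("erin", "fs01/marketing/campaigns", "read"), ("alice", "fs01/marketing/campaigns", "read"),
]
# Constructed ACLs: the accounts that currently hold access to each folder.
FOLDER_ACLS = {
    "fs01/finance/q3": {"alice", "bob", "carol", "dave", "svc_backup"},
    "fs01/marketing/campaigns": {"erin", "alice", "frank"},
}

def activity_by_folder(events):
    """folder -> Counter(user -> number of file touches in the audit window)."""
    stats = defaultdict(Counter)
    for user, folder, _action in events:
        stats[folder][user] += 1
    return stats

def probable_owners(events, top_n=3):
    """folder -> most active users, the shortlist IT would show when picking a data owner."""
    return {f: [u for u, _ in c.most_common(top_n)] for f, c in activity_by_folder(events).items()}

def unwarranted_access(events, acls):
    """folder -> accounts that hold access but touched nothing; candidates for revocation."""
    stats = activity_by_folder(events)
    return {f: sorted(users - set(stats.get(f, {}))) for f, users in acls.items()}
```

In practice the audit window should be long enough to cover periodic users (month-end or quarterly reporting) before a dormant permission is treated as unwarranted.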


Data owners/stewards need to be automatically involved in the authorisation workflows and reviews for their data. Automation should enable users to request access to data, route the requests to the data owner and other appropriate parties, execute the appropriate actions, and track each request. Entitlement reviews, or attestations, should also be similarly automated and auditable.

While this may all seem an insurmountable task, software solutions are available to find PCI data, aggregate user and group information, permissions information, access information, and content information (which files actually contain PCI data) from directories and file servers. Sophisticated analytics can then be applied to reveal detailed data use, misuse, and determine rightful access based on business need. Using this intelligence, organisations can then:


  • Continually scan for PCI data (the audit trail enables true incremental scanning for only changed or modified files)
  • Protect data by removing overly permissive access controls
  • Ensure ongoing compliance with automated entitlement reviews and authorisation workflows
  • Restrict unstructured data access to those with a business need for that data
  • Automatically update access controls to account for changes in roles and file server contents
  • Track and monitor file touches for each and every user
  • Alert on behavioural deviations that may signal a possible data breach
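Applied to the scanning step above and to the earlier rule on what may and may not be stored, here is an added example (not code from either post or from any vendor product; the file paths and contents are constructed, and the card numbers are the industry's published test numbers) that scans share contents for Luhn-valid PANs, reports them masked, and flags column headers that show a security code or PVV is being retained:

```python
import re

# Raw 13-19 digit runs or the common 4-4-4-4 and Amex 4-6-5 groupings; the lookarounds stop a
# match from starting or ending inside a longer digit run such as an order or account id.
PAN_PATTERN = re.compile(r"(?<![\d-])(?:\d{13,19}|\d{4}[ -]\d{4}[ -]\d{4}[ -]\d{4}|\d{4}[ -]\d{6}[ -]\d{5})(?![\d-])")
# Column names that show a security code or PVV is being kept, which PCI DSS forbids outright.
FORBIDDEN_COLUMNS = {"cvv", "cvv2", "cvc", "cid", "pvv", "security_code", "pin"}

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for a well-formed PAN, false for most arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # every second digit from the right is doubled; 10-18 folds to 1-9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the scan report is not itself a PCI data store."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pans(text: str) -> list:
    """Masked, de-duplicated, Luhn-valid PANs found in a text blob."""
    seen = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits) and digits not in seen:
            seen.append(digits)
    return [mask_pan(d) for d in seen]

def forbidden_columns(text: str) -> list:
    """Header fields (first line, comma or tab separated) that name data which must never be stored."""
    header = text.splitlines()[0] if text.strip() else ""
    return [c for c in (x.strip().lower() for x in re.split(r"[,\t]", header)) if c in FORBIDDEN_COLUMNS]

def scan_files(files: dict) -> dict:
    """files maps path -> content (stands in for walking a share); only files with findings are returned."""
    report = {}
    for path, content in files.items():
        pans, bad = find_pans(content), forbidden_columns(content)
        if pans or bad:
            report[path] = {"pans": pans, "forbidden_columns": bad}
    return report

# Constructed sample share contents; the card numbers are well-known industry test numbers, not real cards.
SAMPLE_FILES = {
    "finance/q3_refunds.csv": "order_id,customer,card_number,cvv\n1234567890123456,A. Smith,4111 1111 1111 1111,123\n"
                              "1234567890123457,B. Jones,378282246310005,9876\n",
    "marketing/newsletter.txt": "Call us on 0207 123 4567 or quote promo 2012-1219.\n",
}
```

A file that trips `forbidden_columns` is a finding on its own, since the security code may not be retained even where the PAN legitimately is.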


Securing your customers’ sensitive information is not only important for PCI DSS compliance; it is also good business sense, as a breach doesn’t just affect the person whose account has been emptied—it will affect your reputation and your partners if the violation is traced to doing business with you. Compliance is important for everyone in the chain, and it is easier than many people realise not to be the weakest link.

If you require further information about PCI or solutions from C24, please visit www.c24.co.uk


[1] Citigroup Customer Data Leaked on LimeWire (2007): http://www.eweek.com/c/a/Security/Citigroup-Customer-Data-Leaked-on-LimeWire/
