IT Account Monitoring Control with C24

April 29, 2013

By coincidence, Verizon’s Data Breach Investigations Report (DBIR) for 2012 was released this week along with the results of our Privacy Survey. So it’s a good  time for a quick tour of the state of the breach. In reviewing this latest DBIR, much has stayed the same. However, Verizon’s report emphasizes two key points that caught my attention: 80% of breaches could be easily prevented with two-factor authentication; and it still takes months for most breaches to be discovered.

As in past DBIRs, hacking and malware again make it into the top threat categories, and the difficulty level of the hack-craft employed is still very primitive. This is a polite way of saying that vanilla password cracking—guessing or re-using credentials—is by far the most popular way to pass through the security gate. According to Verizon, this particular type of attack accounted for four out of five breaches involving  hacked data.

The solution is, in Verizon’s words, “to overthrow single-factor passwords” with a new king, two-factor authentication. Varonis is also hoping that TFA will gain the throne.

There are some encouraging signs, however. In our just-published Privacy Survey, over 47% told us they use multi-factor authentication for their personal email accounts. If this trend can carry over to corporate email and intranet access, then we may finally see a dip in these low-skill, but still very effective, password-based hacks.  It’s a stat will check again next year.

Another critical point made by Verizon is that companies must think beyond prevention, and come up with a second line of defense involving rapid discovery and response. Prevention is still important, but no security barrier is hack-proof.

They note that for most breaches the lag between the initial hack and the first action is far too long: 67% of incidents take several months to be discovered.  And perhaps even more dispiriting is that companies more often than not—about 70% of the time—find out about breaches through their customers and third parties (law enforcement, government agencies) instead of their own IT departments.

The obvious (and depressing) brick-and-mortar analogy?  A jewelry store owner puts a toy lock on the door, fails to install an alarm system, and then waits for a customer to say that the diamond ring she was interested in is not in its case anymore.

I’ll end this post with a link to the SANS Institute’s security controls, which were mentioned in the DBIR and which we also recommend as well. The Account Monitoring Control is a good starting point in any breach mitigation program.

The principle in account tracking and auditing is simple to state, but practically impossible to implement efficiently with standard techniques: monitor who is accessing file data and alert administrators as soon as unusual patterns of behavior are detected, likely indicating a breach-in-progress.

And by the way, I just happen to know of software that efficiently handles this problem.

Image credit: Paligari

Related articles

1 Comment | Application Hosting, Managed Service Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , , , , | Permalink
Posted by david ricketts

The State of the Breach

April 26, 2013

By coincidence, Verizon’s Data Breach Investigations Report (DBIR) for 2012 was released this week along with the results of our Privacy Survey. So it’s a good  time for a quick tour of the state of the breach. In reviewing this latest DBIR, much has stayed the same. However, Verizon’s report emphasizes two key points that caught my attention: 80% of breaches could be easily prevented with two-factor authentication; and it still takes months for most breaches to be discovered.

As in past DBIRs, hacking and malware again make it into the top threat categories, and the difficulty level of the hack-craft employed is still very primitive. This is a polite way of saying that vanilla password cracking—guessing or re-using credentials—is by far the most popular way to pass through the security gate. According to Verizon, this particular type of attack accounted for four out of five breaches involving  hacked data.

The solution is, in Verizon’s words, “to overthrow single-factor passwords” with a new king, two-factor authentication. Varonis is also hoping that TFA will gain the throne.

There are some encouraging signs, however. In our just-published Privacy Survey, over 47% told us they use multi-factor authentication for their personal email accounts. If this trend can carry over to corporate email and intranet access, then we may finally see a dip in these low-skill, but still very effective, password-based hacks.  It’s a stat will check again next year.

Another critical point made by Verizon is that companies must think beyond prevention, and come up with a second line of defense involving rapid discovery and response. Prevention is still important, but no security barrier is hack-proof.

They note that for most breaches the lag between the initial hack and the first action is far too long: 67% of incidents take several months to be discovered.  And perhaps even more dispiriting is that companies more often than not—about 70% of the time—find out about breaches through their customers and third parties (law enforcement, government agencies) instead of their own IT departments.

The obvious (and depressing) brick-and-mortar analogy?  A jewelry store owner puts a toy lock on the door, fails to install an alarm system, and then waits for a customer to say that the diamond ring she was interested in is not in its case anymore.

I’ll end this post with a link to the SANS Institute’s security controls, which were mentioned in the DBIR and which we also recommend as well. The Account Monitoring Control is a good starting point in any breach mitigation program.

The principle in account tracking and auditing is simple to state, but practically impossible to implement efficiently with standard techniques: monitor who is accessing file data and alert administrators as soon as unusual patterns of behavior are detected, likely indicating a breach-in-progress.

And by the way, I just happen to know of software that efficiently handles this problem.

Leave a Comment » | Managed Service Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , , , , | Permalink
Posted by david ricketts

The Biggest Hacks of 2012

December 19, 2012

With 2012 coming to a close, I decided to take a look back at some of the year’s more significant hacks. Two of the largest heists involved thefts of millions of records of personal data. In March, Global Payments, a credit card processor, revealed a breach in which at least 1.5 million credit card numbers were exported. And the year began when hackers targetedZappos, the online shoe retailer, and relieved this e-tailer of over 24 million rows of email addresses and other data.

Based on these gigantic incidents, I thought this was the year of the Big Hack and a unique turning point. For perspective, I reviewed two years’ worth of Verizon’s indispensable Data Breach Investigations Reports. The DBIR is based on data collected from the US Secret Service and the Dutch National High Tech Crime Unit. For 2011, Verizon reported over 855 incidents and 174 million records compromised. Last year was the second highest data loss recorded since Verizon began this study in 2004.

I’m not sure if 2012 hacking levels will surpass 2011, and neither of these two years will come close to the 360 million records compromised in 2008. However, there are other trends that seem to have remained relatively constant.

In recent years, the top three industry sectors breached have been hospitality (read: restaurants), retail, and financial services. No surprises here.

Another common theme in the report is that poor authorization monitoring and procedures often broaden the damage done by attackers. Verizon suggests that companies should constantly be on the lookout for new files, especially growing archive and log files, with unusual attribute settings. These often indicate an attack in progress.

The DBIR also tells us that straightforward hacking—using default passwords, stolen login credentials, or backdoor attacks—is still a very effective way to extract protected data.

One revealing stat is that most of the records hacked in the last few years have not involved credit card numbers. The winner in the most-hacked-data category instead goes to plain old PII—name, address, and social security number.

So how do Global Payments and Zappos match up with the overall trends? Depressingly, these two incidents fit it like a glove. Financial or retail? Check. External attack? Yes.  Straightforward hack? It seems so, and no malware was involved that we know about.

For both Global Payments and Zappos, the actual exploits used are still a  little fuzzy. According to Gartner Research’s Avivah Litan, the Global Payments attacker may have been able to get through the company’s knowledge-based authentication layer by answering questions correctly. This is still just speculation. Here’s what we do know: Global Payments was PCI-DSS compliant.Visa and Mastercard have since revoked their certification.

Zappos, which is also PCI-DSS compliant, kept their credit card numbers encrypted and separated from other personal information. Hackers were not able to access the “PANs”—PCI lingo for the card numbers. Zappos has kept their certification.

The most eye-opening part of Verizon’s DBIR can be found in their conclusions. Not to put too fine a point on this, but companies are simply not making the attackers work very hard. It’s not that they are so clever; it’s that IT has been a bit lax.

Here’s some of their all-too-familiar advice:

  • change default credentials
  • review user accounts on a regular basis
  • restrict and monitor privileged users

On that last point, I’ll quote the actual text from the DBIR:

“Don’t give users more privileges than they need (this is a biggie) and use separation of duties. Make sure they have direction (they know policies and expectations) and supervision (to make sure they adhere to them). Privileged use should be logged and generate messages to management.”

Speaking as a Varonis blogger, I couldn’t have said it better.

Let’s hope some of this advice takes hold, and 2013 will be a more forgettable year in hacking annals.

Related articles

Leave a Comment » | Application Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , , , , , , , , | Permalink
Posted by david ricketts

Follow

Get every new post delivered to your Inbox.

Join 752 other followers