siliconindia

Tracking Data Flow Today for Business Peace of Mind Tomorrow

Author: Mark Goudie
Managing Principal, Investigative Response, Asia Pacific, Verizon Business
Extended enterprises carry greater risk, and that risk is greatest for information that can be accessed without authorization.
The extended enterprise has created more business opportunities, but it also carries with it an extended risk: the more information enterprises have to distribute and manage in more places, the greater the risk of that information being accessed by unauthorized parties.

There are very few businesses that have not yet been hit by some form of electronic attack - from very minor bits of spam email that appear in inboxes to potentially business-threatening malware and viruses. When such incidents are discovered, the response to them is critical. The damage must be contained quickly - customer data protected, the root cause found, and an accurate record of events and losses produced for the authorities. Furthermore, the investigation process must collect this evidence without adversely affecting the integrity of the information assets involved in the crime. Thus, such forensics provide not just a sense of what has happened but also vital clues as to how a recurrence of such attacks could be prevented.

The 2008 Verizon Business Data Breach Investigations Report draws from over 500 forensic investigations handled by the Verizon Business Investigative Response team over a four-year period. This factual evidence offers an objective, first-hand view of real-life data breaches. From the multitude of data collected, the company was able to weave together the stories and statistics from compromise victims around the world, interpreting their tales and aiming to allow fellow IT professionals to avoid what happened to them.

In terms of risks faced by individual industries, the retail, food, and beverage industries account for more than half of all cases in the research. Financial services, though certainly the keepers of great monetary assets, are also well protected in comparison to other industries; they account for 14 percent of breaches. Technology services - including software firms, data warehousing companies, and telecommunication providers - form the only other industry sector with over 10 percent of breaches.

The team also reported a marked increase in forensic engagements outside North America, which was regarded as a part of a broader trend of the world becoming more interconnected through information technologies. As enterprises aggressively seek global partnerships, and as the laws governing the handling and disclosure of such incidents mature, it is likely that this trend will continue.

Ever since outside parties were given access to networks, external attacks have vastly outnumbered those from insiders. Almost three-quarters of data breaches investigated were caused by external sources; this was almost four times the number of breaches attributed to insiders (18 percent). However, although they were fewer in number, inside breaches had a greater impact than those caused by outsiders when they did occur. With the drive to seek partnerships becoming more important to many organizations, what is also alarming, if not disquieting, to companies that either have or are extending their enterprises, is that business partners were behind over a third of breaches (39 percent), a figure that rose five-fold over the time period of the study.

Even though the percentage of insider attacks remained relatively stable, the number of breaches that originated from an external source or from a partner has changed significantly. The general downward trend of external incidents is mitigated by the trend of breaches involving business partners increasing five-fold between 2004 and 2007. It can be deduced that the decline in the percentage of breaches from external sources is simply the by-product of the rise of compromises from partners.

From network intrusion to laptop theft to administrative errors, sensitive data continue to be compromised from enterprises all over the world. Most breaches result from a combination of distinct yet related events, for example an attacker who uses several types of hacking, rather than from a single action. The research revealed that there were seven broad threat categories: malcode (identified as the cause of 31 percent of breaches), hacking (59 percent), deceit (10 percent), misuse (22 percent), physical (15 percent), environmental (0.4 percent), and direct error (3 percent).

Even though direct errors (errors that directly led to the data compromise) accounted for only a small number of breaches, in 62 percent of breaches there was an internal error that significantly contributed to the breach in some way. These included poor decisions, mis-configurations, omissions, non-compliance, and process breakdowns. Significant omissions contributed to over three quarters of data breaches, where an organization believed that standard security procedures or configurations had been implemented when in fact this was not the case. Mis-configuration was apparent in 15 percent of cases, usually manifested in the form of erroneous system settings. Though accidental disclosure, user blunders, and technical glitches occur frequently, they amounted to only a small portion of the errors leading to data compromise.

In terms of deliberate action against information systems, hacking and malcode proved to be the attack methods of choice among cyber criminals. In fact, hacking leads to more data breaches than any other category by a margin of almost two to one. The forensics showed that many tools are available to help automate and accelerate the attack process. Attacks targeting applications, software, and services were by far the most common technique, representing 39 percent of all hacking activity leading to data compromise. This follows a trend of attacks in recent years moving up the stack, but operating system, platform, and server-level attacks still account for a sizable portion of breaches.

Nearly a fifth (18 percent) of hacks exploited a specific known vulnerability while 5 percent exploited unknown vulnerabilities for which a patch was not available at the time of the attack. Evidence of re-entry via backdoors, which enable prolonged access to and control of compromised systems, was found in 15 percent of breaches. Furthermore, 90 percent of known vulnerabilities exploited by these attacks had patches available since at least six months prior to the breach, a clear indication of the need to maintain a robust and regular patching program. No breaches were caused by the exploit of vulnerabilities patched within a month or less of the attack, a clear sign that a patch deployment strategy focusing on coverage and consistency is far more effective at preventing data breaches than ‘fire drills’ that attempt to patch particular systems as soon as patches are released.

Given enough time, resources, and inclination, criminals can breach virtually any single organization they choose; but they cannot breach all organizations. Money is the prime motivator in attacks and security compromises are maximized when the effort to prevent is minimized. Unless the value of the information to criminals is inordinately high, it is not optimal for them to expend limited resources on a harder target when a softer one is available. The goal, then, is to implement security measures in such a way that it costs the criminal more to breach your organization than other available targets.

Going forward, there are three main areas on which firms should focus: ensuring that essential controls are met; finding, tracking, and assessing data; and monitoring event logs. Given the current opportunistic nature and difficulty (or rather lack thereof) of attacks leading to data breaches, organizations are wise to focus on ensuring that essential controls are met across the organization and throughout the extended enterprise. This includes following through on security policies so that they are actually implemented and ensuring that a basic set of controls is consistently implemented across the organization.

Accomplishing these goals will make it much more likely that attackers will look at less challenging targets.

Data is everywhere in the modern organization and keeping track of it is an extremely complex challenge. The fundamental principle, however, is quite simple - if you don’t know where data is, you certainly can’t protect it. Based on the hundreds of breaches investigated, efforts to locate, catalogue, track, and assess the risk of data stored in and flowing through information assets are highly beneficial in reducing the likelihood of data compromise.

Though crucial, data protection efforts cannot stop with discovery. Once critical data repositories and flows are identified, they must be monitored. Rather than seeking information overload, organizations should strategically identify what systems should be monitored and what events should cause alerts. Steps should then be taken to ensure alerts are noticed and acted upon when they do happen.
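The two steps above (find and track where sensitive data lives and flows, then monitor only what matters) as an added example; this is my illustration, not code from the article or from Verizon Business. A constructed data-flow inventory decides which hosts to watch, and a handful of alert rules run over constructed log lines, deliberately ignoring events on hosts that hold no sensitive data. Host names, user names, thresholds and the key=value log format are all assumptions.

```python
# Added example (not from the article or Verizon Business): a data-flow catalogue
# picks which systems to monitor, then alert rules run over constructed log lines.
import re
from collections import Counter

SENSITIVE = {"cardholder", "pii"}
# Constructed inventory: (system, data classification, systems the data flows to)
INVENTORY = [("pos-db-01", "cardholder", ["report-srv-02"]),
             ("hr-share", "pii", ["backup-03"]),
             ("wiki-01", "internal", []), ("www-01", "public", [])]

def systems_to_monitor(inventory):
    """Sensitive stores plus everything they flow to: follow the data."""
    watch = set()
    for system, classification, flows_to in inventory:
        if classification in SENSITIVE:
            watch.add(system)
            watch.update(flows_to)
    return watch

KV = re.compile(r"(\w+)=(\S+)")
def parse(line):
    """'<ISO timestamp> k=v k=v ...' -> dict, with the hour pulled out."""
    ts, _, rest = line.partition(" ")
    ev = dict(KV.findall(rest))
    ev["hour"] = int(ts[11:13])
    return ev

def evaluate(lines, watch, fail_threshold=5):
    """Alerts as (rule, host, detail); events on unmonitored hosts are dropped
    on purpose so the few alerts raised are ones someone will act on."""
    alerts, fails = [], Counter()
    for ev in map(parse, lines):
        host, user, kind = ev["host"], ev.get("user", ""), ev.get("event")
        if host not in watch:
            continue
        if kind == "login" and ev.get("result") == "fail":
            fails[(host, user)] += 1
            if fails[(host, user)] == fail_threshold:   # alert once, at the threshold
                alerts.append(("login_failure_burst", host, user))
        elif kind == "login" and user.startswith("partner-") and not 7 <= ev["hour"] < 20:
            alerts.append(("partner_login_off_hours", host, user))
        elif kind == "export" and int(ev.get("rows", 0)) >= 10000:
            alerts.append(("bulk_export", host, ev["rows"]))
    return alerts

# Constructed log: off-hours partner login, a failed-login burst, two bulk exports
# (one on a monitored host, one on an unmonitored wiki that must not alert).
SAMPLE = ["2008-03-02T02:14:07 host=report-srv-02 event=login result=ok user=partner-acme"]
SAMPLE += [f"2008-03-02T09:00:{i:02d} host=pos-db-01 event=login result=fail user=admin" for i in range(6)]
SAMPLE += ["2008-03-02T09:05:00 host=pos-db-01 event=export result=ok rows=250000 user=admin",
           "2008-03-02T09:06:00 host=wiki-01 event=export result=ok rows=250000 user=bob"]
```

Running `evaluate(SAMPLE, systems_to_monitor(INVENTORY))` yields three alerts; the wiki export is silently dropped because no sensitive data flows there.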

The forensics team concluded that in 87 percent of cases, breaches could have been avoided if reasonable security controls had been in place at the time of the incident. This calls for a fundamental shift in data protection and incident response mentality. While a strong network perimeter is important, it cannot be the only or even the main layer of protection around sensitive information assets. Information itself, wherever it flows in the extended enterprise, must be the focus of security efforts.
