© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Matthijs van der Wel MBA CISSP® CISA® RON® QSA® QFI® Managing Principle Forensics EMEA Data breaches.

© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09

Matthijs van der Wel MBA CISSP® CISA® RON® QSA® QFI®

Managing Principle Forensics EMEA

Data breachesShocking numbers from the 2009 Data Breach Report

7 types of intel

• External Threat & Vulnerability Data - We continuously track new vulnerabilities and related attacks to assess how they impact information risk.

• Underground Intelligence - Surveillance of numerous online groups help us know what the bad guys are discussing, sharing, planning and doing.

• Net Intelligence - Over one million sensors are dispersed throughout our Internet backbone, enabling us to gather information on nefarious activity around the globe.

• Managed Security Services - Verizon Business manages and monitors firewalls, IDS, IPS, and other network devices for many of the world’s largest companies.

• Global Services - Internal data collection across Verizon’s extensive range of IT and security services. This is “real-world” data harvested as a byproduct of delivery.

• Investigative Response – Forensics & computer crime Investigations. Extensive metrics are systematically recorded on hundreds of data breach cases per year.

• ICSA Labs - ICSA Labs, an independent division of Verizon Business, performs vendor-neutral testing of hundreds of security products.

© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09

WARNING: This is a true story. Based upon actual events.

URL - http://www.verizonbusiness.com/databreach/

Blog - http://securityblog.verizonbusiness.com/

IR Case Data

• All data collected during cases worked by the Verizon Business

• Investigative Response team during 2008

• Objective, credible, first-hand information on actual breaches

• 2008 Caseload:

• 90 confirmed breaches (>150 total engagements)

• 285 million compromised records (confirmed – not “data-at-risk”)

• 1/3 of these cases have been publicly disclosed (so far)

• About 50% of caseload comprised of sets of interrelated incidents– Same attacker(s), shared connections, identical circumstances, etc

• 15 arrests (and counting)

• 31% Retail, 30% Financial, 14% Food & Bev, remaining mixed

• Over 1/3 of investigations conducted outside the US

2009 DBIR: What’s New?

• Periodic data collection allowed for more detail– Much more info within the Hacking and Malware sections

• Responded to public requests and questions– Results also shown in % of records (was just % of breaches)

• New lines of study– PCI, Incident detection and response practices

• More thorough treatment and analysis

• More mature presentation– Better charts and graphs – No more pastel colors

• Plus, the bad guys were really busy (and, unfortunately, really successful)

After a 4-year study of 500 breaches, what makes the 1-year sequel interesting?

Breach Sources

• External sources– Most breaches, nearly all records– 90+% of breached records attributed to organized crime activity

• Internal sources– Roughly equal between end-users and admins

• Partner sources– Mostly hijacked third-party accounts/connections

Impact

Likelihood

Threats and Attacks

• Similar to previous 4 years for breach percentages

• Most breaches and records linked to Hacking & Malware

• Misuse is fairly common– Mostly admin abuse

• Deceit and social attacks– Involved a range of methods,

vectors, and targets

• Physical attacks – Represent minority of caseload– Portable media in one case

(but not essential to breach)

• Error is extremely common– Rarely the direct cause– Usually contributing factor (67%)

Breakdown of Hacking(64% of breaches)

• Default credentials and SQL injection most common

• Few and old vulnerabilities exploited

• Web Apps & Remote Access are main vectors

Techniques

Vectors

Vulnerability Exploits

Breakdown of Malware(38% of breaches)

• Most malware installed by remote attacker

• Malware captures data or provides access/control

• Increasingly customized

Malcode: focus on softer targets

• Data in running memory: RAM scrapers. Created well after initial point of entry. Filter out string patterns & sequences within memory. Dump to file, encrypt and exfiltrate. Difficult to locate without forensic tools.

• Data in-transit: Simple packet-capture utilities. Exploit compliance-driven encryption requirements (ie. PCI:DSS, HIPAA). Footprint always unique. Undetectable by current anti-virus. Found only by searching for output data.

• Data in unallocated space: Capture data patterns from unused portion of disk. Example – expanding / contracting pagefiles. Windows particularly vulnerable. Sidesteps encryption of data at-rest & in-transit.

10

04 0 0 0 0 1 2 3

20

24 5 6 2 9 0 9 1

30

10 1 5 4 3 2 9 9 9

35

8 7 6

Track II

Attack Vectors & Targeting

• Directed attacks are last major evolution

• Cases seen in clearly related “groupings”

• Attacks leverage human staging point- “the insider” and ‘the vendor”

• Increasing at almost 1:1 rate with Partner sources

1999 2009

2000 2001 2002 2003 2004 2005 2006 2007 2008

2007 - 2009Fully Targeted

1999 - 2002

Fully Targeted

2001 - 2009

Opportunistic Random

2006 - 2009

Opportunistic (Directed)

More simultaneous attack vectors from 2008 than ever before.

What’s next??

Unknown Unknowns

• Unknown data lower than ’04-’07

• rates, but still accounts for 2/3 of compromised records– Discovery and classification

• Unknown privileges up– Account review

An asset unknown to the organization

Data unknowingly stored on an asset

Unknown or forgotten external IT connections

Accounts and Privileges not known to exist

Recommendations

•Recap from previous report • (They still apply)

• Align process with policy

• Achieve “Essential” then worry about “Excellent”

• Secure Business Partner Connections

• Create a Data Retention Plan

• Control data with transaction zones

• Monitor event logs

• Create an Incident Response Plan

• Increase awareness

• Engage in mock incident testing

Recommendations, Cont’d

•New recommendations • (Based on 2008 cases)

• Changing default credentials is key

• Avoid shared credentials

• User Account Review

• Application Testing and Code Review

• Smarter Patch Management Strategies

• Human Resources Termination Procedures

• Enable Application Logs and Monitor

• Define “Suspicious” and “Anomalous” (then look for whatever “It” is)

Summary

• 2008 saw much of the same, but new twists and trends were observed

• Sources: Similar distribution; organized crime behind most large breaches– Organized criminal groups driving evolution of cybercrime

• Attacks: Criminals exploit errors, hack into systems, install malware– 2008 saw more targeted attacks, especially against orgs processing or storing large volumes of

desirable data – Highly difficult attacks not common but very damaging– Large increase in customized, intelligent malware

• Assets and Data: Focus is online cashable data– Nearly all breached from servers & apps– New data types (PIN data) sought which requires new techniques and targets

• Discovery: Takes months and is accomplished by 3rd parties

• Prevention: The basics–if done consistently–are effective in most cases– Increasing divergence between Targets of Opportunity and Targets of Choice

» ToO: Remove blatant opportunities through basic controls» ToC: Same as above but prepare for very determined, very skilled attacks

– Initial hack appears the easiest point of control

Questions?

1818In case of an incident, please call our worldwide 24/7 Incident Response Hotline: +1.866.912.6565