IS 376 NOVEMBER 5, 2013
2013 DATA BREACH INVESTIGATIONS REPORT By The Verizon RISK Team
Research Investigations Solutions Knowledge
COMPUTER SECURITY
COMPUTERS AND NETWORKS WERE ORIGINALLY DEVELOPED TO FACILITATE ACCESS, NOT TO RESTRICT IT.
SOFTWARE/HARDWARE SYSTEMS KNOWN AS FIREWALLS ARE OFTEN USED TO PROVIDE “CHOKE POINTS” FOR COMPUTER SYSTEMS.
• THEY PREVENT UNAUTHORIZED LOGINS FROM THE OUTSIDE WORLD.
• THEY AUDIT THE TRAFFIC ENTERING AND EXITING THE SYSTEM.
• THEY MAY BE USED TO BLOCK OUTGOING DATA TO UNAUTHORIZED DESTINATIONS.
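The three firewall roles on this slide (refusing unsolicited logins from outside, auditing every decision at the choke point, and blocking outbound data to destinations that are not authorized) are easiest to see in a small first-match packet filter. The following is an added example, not code from the slides; the address ranges, ports, rule names and packets are all constructed for illustration.

```python
"""Added example (not part of the IS 376 slides): a minimal first-match
packet filter showing the three firewall roles from the slide: blocking
unsolicited inbound logins, auditing every decision, and blocking outbound
traffic to unauthorized destinations.
All addresses, ports and rules below are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from outside) or "out" (leaving the inside)
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    direction: str                 # "in", "out", or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Tuple[int, ...] = ()   # empty tuple means any destination port
    name: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (not self.dports or p.dport in self.dports))


@dataclass
class Firewall:
    rules: List[Rule]
    audit: List[str] = field(default_factory=list)   # the choke point's traffic log

    def decide(self, p: Packet) -> str:
        """First matching rule wins; anything that matches no rule is denied."""
        for rule in self.rules:
            if rule.matches(p):
                self.audit.append(f"{rule.action.upper():5} {p.direction:3} "
                                  f"{p.src}->{p.dst}:{p.dport} ({rule.name})")
                return rule.action
        self.audit.append(f"DENY  {p.direction:3} {p.src}->{p.dst}:{p.dport} (default)")
        return "deny"


INTERNAL = "10.0.0.0/8"   # constructed internal address range

POLICY = Firewall(rules=[
    # Inbound: only the public web server is reachable; remote logins from outside are not.
    Rule("allow", "in", dst="10.0.1.10/32", dports=(80, 443), name="public web server"),
    Rule("deny", "in", dports=(22, 3389), name="no remote logins from outside"),
    # Outbound: block data going to a destination the policy does not authorize.
    Rule("deny", "out", src=INTERNAL, dst="203.0.113.0/24", name="unauthorized destination"),
    Rule("allow", "out", src=INTERNAL, dports=(80, 443, 53), name="web and DNS"),
    # Everything else falls through to the implicit default deny.
])


def run_sample() -> dict:
    """Feed constructed packets through the policy and return the decisions by name."""
    packets = {
        "outside_ssh_login": Packet("in", "198.51.100.7", "10.0.1.10", 22),
        "outside_https": Packet("in", "198.51.100.7", "10.0.1.10", 443),
        "inside_web": Packet("out", "10.0.5.23", "93.184.216.34", 443),
        "inside_exfil": Packet("out", "10.0.5.23", "203.0.113.9", 443),
        "inside_odd_port": Packet("out", "10.0.5.23", "93.184.216.34", 6667),
    }
    return {name: POLICY.decide(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:18} {verdict}")
    print("\n".join(POLICY.audit))
```

The design point worth noticing is the ordering: the allow rule for the web server is narrower than the deny rule for logins and sits above it, and the final fall-through is a deny, so a packet that nobody thought about (the odd outbound port) is refused and still appears in the audit log.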
IS 376 11/5/13 PAGE 2
DENIAL OF SERVICE ATTACKS
“DENIAL OF SERVICE” ATTACKS CONSIST OF THE CONSUMPTION OF A LIMITED RESOURCE, USUALLY NETWORK CONNECTIVITY, IN AN EFFORT TO DENY LEGITIMATE ACCESS TO THAT RESOURCE.
IN THIS TYPE OF ATTACK, THE ATTACKER BEGINS THE PROCESS OF ESTABLISHING A CONNECTION TO THE VICTIM MACHINE, BUT DOES IT IN SUCH A WAY AS TO PREVENT THE ULTIMATE COMPLETION OF THE CONNECTION.
IN THE MEANTIME, THE VICTIM MACHINE HAS RESERVED ONE OF A LIMITED NUMBER OF DATA STRUCTURES REQUIRED TO COMPLETE THE IMPENDING CONNECTION.
THE RESULT IS THAT LEGITIMATE CONNECTIONS ARE DENIED WHILE THE VICTIM MACHINE IS WAITING TO COMPLETE BOGUS "HALF-OPEN" CONNECTIONS.
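The mechanism the slide describes is a pool of connection structures that is finite: every handshake that is started but never finished holds a slot until something frees it. The following model is an added example (not from the slides) that reproduces that behaviour with a dictionary standing in for the pool, shows a legitimate client being refused, and then shows the standard mitigation of aging out stale half-open entries. No network traffic is involved; the peers, capacity and timeout are constructed values.

```python
"""Added example (not from the slides): a model of the limited pool of
connection structures the slide describes, to show why half-open
connections deny service and why aging them out restores it.
No network traffic is generated; the 'connections' are dictionary entries."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Backlog:
    capacity: int                    # how many pending connections the listener can hold
    timeout: float                   # seconds a half-open entry may wait for completion
    pending: Dict[str, float] = field(default_factory=dict)   # peer -> time handshake began
    completed: int = 0
    refused: int = 0

    def begin(self, peer: str, now: float) -> bool:
        """First handshake step: reserve a slot, or refuse if the pool is exhausted."""
        if peer in self.pending:
            return True
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[peer] = now
        return True

    def finish(self, peer: str) -> bool:
        """Final handshake step: the reserved slot becomes a real connection and is freed."""
        if peer not in self.pending:
            return False
        del self.pending[peer]
        self.completed += 1
        return True

    def reap(self, now: float) -> int:
        """Mitigation: free every half-open entry that has waited longer than the timeout."""
        stale = [p for p, t0 in self.pending.items() if now - t0 > self.timeout]
        for p in stale:
            del self.pending[p]
        return len(stale)

    def half_open_ratio(self) -> float:
        """Detection hint: a pool that is mostly half-open is a symptom of this attack."""
        return len(self.pending) / self.capacity if self.capacity else 0.0


def simulate(capacity: int = 8, timeout: float = 3.0) -> dict:
    """Constructed scenario: handshakes that never complete fill the pool; aging frees it."""
    b = Backlog(capacity, timeout)
    # Eight handshakes are started at t=0 and never completed.
    for i in range(capacity):
        b.begin(f"bogus-{i}", now=0.0)
    ratio_under_attack = b.half_open_ratio()
    # A legitimate client arrives at t=1 and is refused: no slot is left.
    legit_first_try = b.begin("legit", now=1.0)
    # At t=5 the half-open entries are older than the timeout and are reaped.
    reaped = b.reap(now=5.0)
    legit_second_try = b.begin("legit", now=5.0) and b.finish("legit")
    return {
        "ratio_under_attack": ratio_under_attack,
        "legit_first_try": legit_first_try,
        "refused": b.refused,
        "reaped": reaped,
        "legit_second_try": legit_second_try,
        "completed": b.completed,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:20} {v}")
```

Real TCP stacks apply the same two ideas: a short timer on half-open entries and a larger backlog, plus techniques that avoid reserving state before the handshake completes. The `half_open_ratio` value is the kind of metric a monitor would alert on.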
VIRUSES
A VIRUS IS A COMPUTER PROGRAM FILE CAPABLE OF ATTACHING TO DISKS OR OTHER FILES AND REPLICATING ITSELF REPEATEDLY, TYPICALLY WITHOUT USER KNOWLEDGE OR PERMISSION.
SOME VIRUSES ATTACH TO FILES SO WHEN THE INFECTED FILE EXECUTES, THE VIRUS ALSO EXECUTES.
OTHER VIRUSES SIT IN A COMPUTER'S MEMORY AND INFECT FILES AS THE COMPUTER OPENS, MODIFIES OR CREATES THE FILES.
SOME VIRUSES DISPLAY SYMPTOMS, AND SOME VIRUSES DAMAGE FILES AND COMPUTER SYSTEMS.
HOW DO VIRUSES WORK?
A COMPUTER VIRUS PIGGYBACKS ON ANOTHER FILE TO “INFECT” A SYSTEM.
WHEN A USER RUNS AN INFECTED PROGRAM, THE COMPUTER STARTS BY COPYING THE PROGRAM FROM THE DISK (OR THE WEB), WHERE IT IS STORED AND INACTIVE, INTO RAM, WHERE IT CAN BE EXECUTED.
THE VIRAL CODE BEGINS RUNNING FIRST, WHILE THE INFECTED PROGRAM IS STILL QUIESCENT.
THE VIRUS COPIES ITSELF IN A PART OF RAM SEPARATE FROM THE PROGRAM SO THAT IT CAN CONTINUE ITS WORK EVEN AFTER THE USER STARTS RUNNING OTHER SOFTWARE.
ITS INITIAL WORK DONE, THE VIRUS PASSES CONTROL BACK TO THE INFECTED PROGRAM.
WHEN THE USER RUNS A DIFFERENT PROGRAM, THE DORMANT VIRUS BEGINS RUNNING AGAIN.
IT INSERTS A COPY OF ITSELF INTO THE PREVIOUSLY UNINFECTED SOFTWARE SO THAT THE CYCLE OF VIRULENCE CAN REPEAT.
FIGHTING VIRUSES
VARIOUS TECHNIQUES HAVE BEEN DEVELOPED TO COMBAT COMPUTER VIRUSES.
GENERIC ANTIVIRAL PROGRAM: FLAGS ACTIVITIES - SUCH AS THE ALTERATION OF CRITICAL SITES IN RAM OR PARTICULAR FILES ON DISK - THAT ARE LIKELY TO ARISE FROM A VIRUS IN ACTION. PREVENTING THESE ILLICIT ACTS WILL NOT ELIMINATE THE VIRUS BUT CAN STOP IT FROM INFECTING ADDITIONAL PROGRAMS OR INTERFERING WITH THE COMPUTER'S NORMAL OPERATION.
SIGNATURE SCANNER: SEARCHES A USER'S DISKS LOOKING FOR FRAGMENTS OF PROGRAM CODE THAT APPEAR IN KNOWN VIRUSES.
ANTIVIRAL SNAPSHOTS: CAPTURE MATHEMATICAL "FINGERPRINTS" OF CRUCIAL PROGRAMS AND DATA. SUBSEQUENT CHANGES STRONGLY SUGGEST VIRAL INFECTION. ADVANCED ALGORITHMS CAN USE THE ORIGINAL FINGERPRINTS TO RECOVER A PRISTINE PROGRAM FROM THE VIRUS-ALTERED VERSION.
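The signature scanner and the antiviral snapshot on this slide are both file-level checks, and both can be shown end to end on a handful of files. The following is an added example, not the slides' own code: it takes SHA-256 fingerprints of a constructed directory, alters one file by appending a made-up byte fragment that stands in for a known-virus signature, and then finds the change both by fingerprint comparison and by signature search. The signature database and the files are constructed for the demonstration.

```python
"""Added example (not from the slides): the two file-based defenses the slide
lists, run over a constructed set of files in a temporary directory.
The 'signatures' are made-up byte strings standing in for known-virus fragments."""
import hashlib
import os
import tempfile
from typing import Dict, List

# Constructed signature database: name -> byte fragment that identifies a known virus.
SIGNATURES: Dict[str, bytes] = {
    "EXAMPLE-VIRUS-A": b"INFECT_MARKER_A",
    "EXAMPLE-VIRUS-B": b"\xde\xad\xbe\xef\x42",
}


def scan_file(path: str, sigs: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Signature scanner: return the names of every signature found in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, frag in sigs.items() if frag in data]


def fingerprint(path: str) -> str:
    """Antiviral snapshot: a SHA-256 'mathematical fingerprint' of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Record a fingerprint for every file under root (relative path -> digest)."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = fingerprint(full)
    return out


def changed_since(baseline: Dict[str, str], root: str) -> List[str]:
    """Files whose fingerprint differs from the baseline (a strong hint of infection).
    New and missing files are reported too, since an integrity check should notice both."""
    current = snapshot(root)
    return [p for p in sorted(set(baseline) | set(current))
            if baseline.get(p) != current.get(p)]


def demo() -> dict:
    """Constructed scenario: snapshot clean files, alter one, then detect it both ways."""
    root = tempfile.mkdtemp(prefix="av-demo-")
    with open(os.path.join(root, "editor.exe"), "wb") as f:
        f.write(b"MZ clean program body")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"just text")
    baseline = snapshot(root)
    # Simulated alteration: the made-up fragment is appended to the program file.
    with open(os.path.join(root, "editor.exe"), "ab") as f:
        f.write(b"...INFECT_MARKER_A...")
    return {
        "snapshot_changes": changed_since(baseline, root),
        "signature_hits": scan_file(os.path.join(root, "editor.exe")),
        "clean_file_hits": scan_file(os.path.join(root, "notes.txt")),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks have complementary blind spots: the signature scanner only finds fragments already in its database, while the fingerprint comparison catches any change but cannot say what caused it. A plain hash such as SHA-256 also cannot by itself reconstruct the original file; recovering a pristine program needs a stored clean copy or other recovery data kept alongside the fingerprint.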
WORMS
WORMS ARE PARASITIC COMPUTER PROGRAMS THAT REPLICATE, BUT UNLIKE VIRUSES, DO NOT INFECT OTHER COMPUTER PROGRAM FILES.
WORMS CAN CREATE COPIES ON THE SAME COMPUTER, OR CAN SEND THE COPIES TO OTHER COMPUTERS VIA A NETWORK.
WORMS OFTEN SPREAD VIA E-MAIL OR CHAT APPLICATIONS.
PROTECTION AGAINST WORMS
PART ONE: DETECTION
STEP ONE
A WORM FINDS A TARGET BY SCANNING INTERNET ADDRESSES AT RANDOM UNTIL IT FINDS ONE LEADING TO A LOCAL NETWORK.
IT THEN ISSUES REQUESTS TO A LOCAL SERVER PROGRAM, SUCH AS ONE GOVERNING E-MAIL OR FILE EXCHANGES.
WHEN THE PROGRAM ANSWERS, THE WORM TRIES TO CRAWL IN.
STEP TWO
WHEN THE WORM ATTACKS A NETWORK PROTECTED BY A DEDICATED MACHINE USING WORM-DETECTION SOFTWARE, SOME OF ITS RANDOM REQUESTS WILL TARGET THAT MACHINE’S ADDRESSES, WHICH ARE UNLISTED.
THE MACHINE CAN THUS DETERMINE, WITH HIGH RELIABILITY, THAT THE REQUESTS ARE HOSTILE.
PROTECTION AGAINST WORMS
STEP THREE
THE DEDICATED MACHINE RESPONDS WITH FAKE SERVICES THAT PRESENT THE WORM WITH THE APPEARANCE OF A NETWORK FULL OF MACHINES AND SERVICES.
THE FALSE FAÇADE TRICKS THE WORM INTO REVEALING ITS IDENTITY, SO THAT IT CAN BE TRACKED TO EVERY MACHINE IN THE NETWORK.
PART TWO: DISINFECTION
STEP FOUR
ONCE THE WORM IS CORNERED, ADMINISTRATORS ISOLATE INFECTED MACHINES, CLEAN THEIR FILES OF EVERY TRACE OF THE WORM, AND PATCH THE OUTER WALL OF THE NETWORK SO THAT THE SAME KIND OF WORM CAN NEVER PENETRATE THAT FAR AGAIN.
TROJAN HORSES
A TROJAN HORSE IS A MALICIOUS PROGRAM THAT PRETENDS TO BE A BENIGN APPLICATION.
A TROJAN HORSE PROGRAM PURPOSEFULLY DOES SOMETHING THE USER DOES NOT EXPECT.
TROJAN HORSES ARE NOT VIRUSES SINCE THEY DO NOT REPLICATE, BUT THEY CAN BE JUST AS DESTRUCTIVE.
ONE TYPE OF TROJAN HORSE, KNOWN AS A LOGIC BOMB, IS SET TO EXECUTE WHENEVER A SPECIFIC EVENT OCCURS (E.G., A CHANGE IN A FILE, A PARTICULAR SERIES OF KEYSTROKES, A SPECIFIC TIME OR DATE).
PORT SCANNERS
A NETWORKED COMPUTER GENERALLY HAS ONE PHYSICAL CONNECTION (E.G., A CABLE) CONNECTING IT TO THE NETWORK.
HOWEVER, THE MACHINE HAS SEVERAL NETWORK PORTS, 16-BIT PREFIXES THAT INDICATE WHAT KIND OF MESSAGES ARE BEING COMMUNICATED (E-MAIL, FILE TRANSFER, WEB PAGE, ETC.).
BEFORE CLOGGING THE NETWORK WITH HEAVY TRAFFIC, TRANSMITTING MACHINES WILL SEND A SHORT MESSAGE TO MAKE SURE THAT THE RECEIVING MACHINE WILL ACCEPT THE TYPE OF MESSAGE BEING SENT, I.E., TO SEE IF THE RECEIVER’S PORT FOR THAT TYPE OF MESSAGE IS “OPEN”.
PORT SCANNER SOFTWARE IS USED TO DETERMINE WHETHER A MACHINE HAS ANY OPEN PORTS AND, IF SO, A MALICIOUS SENDER CAN EXPLOIT THAT VULNERABILITY BY FLOODING THE PORT WITH TRAFFIC, CAUSING A BUFFER OVERFLOW IN THE RECEIVER’S MEMORY, WHICH CAN CAUSE THE MACHINE’S MEMORY TO BE OVERWRITTEN WITH BITS THAT CAN ALTER THE MACHINE’S BEHAVIOR.
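Both the worm-detection steps above (a worm's random requests hit addresses that are unlisted, which nothing legitimate would contact) and the port-scanner slide (one source probing many ports on a host) reduce to heuristics over a connection log, so one detector can serve both. The following is an added example, not code from the slides; the log format, the addresses, the ports, the set of unlisted addresses and the thresholds are all constructed for the demonstration.

```python
"""Added example (not from the slides): two detection heuristics over a
constructed connection log, serving the worm-detection steps (requests to
unlisted addresses) and the port-scanner slide (one source probing many ports).
Addresses, ports, timestamps and thresholds are all made up."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Conn(NamedTuple):
    ts: float
    src: str
    dst: str
    dport: int


def parse_log(text: str) -> List[Conn]:
    """Lines look like '<seconds> <src> <dst> <dport>'; blank lines and '#' comments are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        out.append(Conn(float(ts), src, dst, int(dport)))
    return out


def dark_address_probes(conns: List[Conn], unlisted: Set[str], min_hits: int = 2) -> Dict[str, int]:
    """Step two of the slide: nothing legitimate contacts an unlisted address, so a source
    that hits several of them is, with high reliability, hostile. Returns src -> distinct hits."""
    hits = defaultdict(set)
    for c in conns:
        if c.dst in unlisted:
            hits[c.src].add(c.dst)
    return {src: len(d) for src, d in hits.items() if len(d) >= min_hits}


def port_scans(conns: List[Conn], min_ports: int = 10, window: float = 60.0) -> Dict[str, int]:
    """Flag a source that touches many distinct ports on one host within a time window.
    Returns src -> the largest number of distinct ports seen in any window."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c)
    flagged = {}
    for (src, _dst), events in by_pair.items():
        events.sort(key=lambda c: c.ts)
        lo = 0
        for hi in range(len(events)):
            while events[hi].ts - events[lo].ts > window:   # slide the window forward
                lo += 1
            ports = {e.dport for e in events[lo:hi + 1]}
            if len(ports) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


# Constructed log: one randomly spraying worm, one port scanner, and normal users.
SAMPLE_LOG = "\n".join(
    ["# ts src dst dport"]
    + [f"{i} 10.0.9.77 10.0.{200 + i}.5 25" for i in range(4)]   # worm: random hosts, mail port
    + [f"{10 + i} 198.51.100.4 10.0.1.10 {p}"                      # scanner: many ports, one host
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    + ["50 10.0.5.23 10.0.1.10 443", "51 10.0.5.23 10.0.1.10 80", "52 10.0.5.24 10.0.1.20 25"]
)
# Addresses the detection machine answers on but never advertises (constructed).
UNLISTED = {"10.0.200.5", "10.0.201.5", "10.0.202.5", "10.0.203.5"}


def analyze(log_text: str = SAMPLE_LOG) -> dict:
    conns = parse_log(log_text)
    return {"worm_sources": dark_address_probes(conns, UNLISTED),
            "scan_sources": port_scans(conns)}


if __name__ == "__main__":
    print(analyze())
```

The unlisted-address check is the more reliable of the two because it has almost no legitimate false positives, which is exactly the slide's point; the port-count check needs its threshold and window tuned so that ordinary clients using a few ports on a server (the last three log lines) stay below it.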
PACKET SNIFFERS
PACKET SNIFFERS ARE SOFTWARE PROGRAMS THAT INTERCEPT AND LOG TRAFFIC PASSING OVER A NETWORK.
COMMONLY USED BY NETWORK ADMINISTRATORS TO ANALYZE NETWORK TRAFFIC PROBLEMS AND TO DETECT ATTEMPTS AT NETWORK INTRUSION, THEY CAN ALSO BE USED TO GAIN INFORMATION TO ASSIST SOMEONE WHO WISHES TO INTRUDE, TO SPY ON OTHER NETWORK USERS, AND TO COLLECT SENSITIVE INFORMATION (E.G., PASSWORDS).
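What a sniffer actually does once it has a packet in hand is decode the headers and record the fields, and that step is where the slide's risk becomes concrete: anything the application sent unencrypted is readable in the payload. The following is an added example, not from the slides: it constructs one IPv4/TCP packet in memory with `struct` (nothing is captured from a real network) and decodes it the way a sniffer's logging stage would, including the checks a decoder needs against truncated input. Addresses, ports and the payload are made up.

```python
"""Added example (not from the slides): the decoding step a packet sniffer
performs after capturing a frame. The packet is constructed in memory with
struct, so nothing is captured from a real network; addresses and payload are made up."""
import socket
import struct
from typing import Dict


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 header (20 bytes) + TCP header (20 bytes) + payload.
    Checksums are left at zero since the bytes never go on the wire."""
    total_len = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0x1234, 0, 64, 6, 0,   # v4/ihl=5, ttl 64, proto 6 (TCP)
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport, 1000, 2000,   # ports, seq, ack (constructed)
                      5 << 4, 0x18,               # data offset 5 words, flags PSH|ACK
                      65535, 0, 0)                # window, checksum, urgent pointer
    return ip + tcp + payload


def decode(packet: bytes) -> Dict[str, object]:
    """What a sniffer logs: the 5-tuple, flags, and the (cleartext) payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4   # header length in bytes; options would make this > 20
    if proto != 6:
        return {"proto": proto, "src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d)}
    if len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_res, flags, _, _, _ = struct.unpack(
        "!HHIIBBHHH", packet[ihl:ihl + 20])
    doff = (off_res >> 4) * 4   # TCP header length in bytes
    payload = packet[ihl + doff:total_len]
    flag_names = [name for bit, name in
                  ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST"))
                  if flags & bit]
    return {"proto": "tcp", "src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d),
            "sport": sport, "dport": dport, "ttl": ttl, "flags": flag_names,
            "payload": payload}


def demo() -> Dict[str, object]:
    """Constructed packet: a plain HTTP request, fully readable to anyone on the path."""
    pkt = build_ipv4_tcp("10.0.5.23", "10.0.1.10", 40321, 80, b"GET /login HTTP/1.1\r\n")
    return decode(pkt)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:8} {v}")
```

The `payload` field is the whole lesson: a sniffer needs no cleverness to read it, so the defence against the credential-collection use the slide mentions is encryption on the wire (for example, TLS for web traffic), which leaves the 5-tuple visible but makes the payload opaque.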
2013 DATA BREACH REPORT - A4 Threat Overview: ACTORS
2013 DATA BREACH REPORT - A4 Threat Overview: ACTIONS
2013 DATA BREACH REPORT - A4 Threat Overview: ASSETS
2013 DATA BREACH REPORT - A4 Threat Overview: ATTRIBUTES