It’s that time of year again – new 2013 IT Security reports – trends, breach investigations, and more on 2012 data from Verizon, Symantec, Ponemon, Mandiant, PWC (focused on Europe) – and others have been published. In the interest of those of us with short attention spans, in this post I’ll focus on Verizon’s 2013 Data Breach Investigations Report™ (DBIR).
There are five “Quick Wins” (in SANS 20 Critical Security Controls (CSC) parlance) that CISOs/CIOs and their teams might want to take today, helping you to avoid being a participant in the 2014 IT Security reports.
Quick Win #1 – Address Credentials, Admin Privileges, and Password Hygiene
Here’s some context:
Pair this trifecta of credential failures with the fact that 78% of the methods attackers used were of low or very low sophistication, and it just makes sense that this could be one of the most fruitful places to shore up. Stated bluntly, you have to strictly and unyieldingly enforce strong credentials and the IT processes that support them, and educate around both. And it applies to literally everyone – employees, partners, and IT personnel.
Quick Win #2 – Protect Key Assets
OK – so this is truly obvious, and sadly not much different from prior DBIR data. And of course, no ‘one size fits all’ for hardening your unique environment.
Skipping the ATM stat, the investigation trends showed that ‘data at rest’ was most at risk, not ‘data in motion.’
Over two thirds (66%) of exfiltrated data was in databases and file servers – and BTW commonly accessed through legitimate (but misused) credentials. Every environment will have its solutions to these problems, and they will evolve.
Quick Win #3 – Prepare Against the Most Common Attack Types
Physical – Businesses that use POS or ATM devices will need to read the report to address the ATM skimming devices or POS ethics fail by workers who succumb to criminal influence.
When USBs or other external hardware are involved, know that 41% of the “Physical” category of attack methods involved malicious code that auto-runs upon insertion/attach. Prepare against this common, low-sophistication attack method by configuring all your systems to:
1) Automatically scan all external media with anti-malware upon insertion
2) Disable auto-run of content from USB and other external hardware
Malware – The “Assured Penetration Technique” is a combination of phishing, malware, and entrenchment. Email delivery of multi-function malware was the most prevalent, and once the payload was delivered, the result was quiet, ongoing, often difficult-to-detect breach activity.
Note that in the figure below, spy/keylogging malware was used 75% of the time if email scanning and safeguards were overcome. Here, strong system configuration management, file integrity monitoring, and frequent scanning help immensely with early detection.
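The paragraph above names file integrity monitoring as one of the early-detection controls against entrenched malware. The script below is an added example written for this post, not code from the original article or from Verizon's report: it baselines a directory tree with SHA-256, re-scans it later, and reports added, modified, and removed files. The directory layout, file contents, and simulated tampering in `demo()` are constructed for the demonstration.

```python
"""Minimal file integrity monitor: baseline a directory tree with SHA-256,
re-scan it later, and report added / modified / removed files.

Added example, not part of the original post. The files and the
"tampering" in demo() are constructed inline for the demonstration."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a planted link cannot make the scan read elsewhere."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; each bucket is a sorted list of relative paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Create a constructed tree, baseline it, simulate tampering, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc").write_bytes(b"#!/bin/sh\necho service\n")
        (root / "etc.conf").write_text("listen=443\n")
        baseline = build_baseline(root)
        # Persist the baseline as you would in practice (ideally on a separate,
        # write-protected host), then reload it for the comparison.
        saved = json.dumps(baseline)
        # Constructed changes in the style of a keylogger dropper: patch an
        # existing script, drop a new library, delete a config file.
        (root / "bin" / "svc").write_bytes(b"#!/bin/sh\necho service\n/tmp/.kl &\n")
        (root / "bin" / "helper.so").write_bytes(b"\x7fELF-constructed-sample")
        (root / "etc.conf").unlink()
        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline must live somewhere the monitored host cannot overwrite, and the comparison should run on a schedule that matches how quickly you want to learn about a change; a baseline stored next to the files it protects is only as trustworthy as the host itself.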
Hacking – Over 52% of all breaches were accomplished by hacking. Notice below that only five methods account for 94% of hacks. The DBIR said it best: “…the easiest and least-detectable way to gain unauthorized access is to leverage someone’s (or something’s) authorized access. Why reinvent the wheel? So it really comes as no surprise that authentication-based attacks (guessing, cracking, or reusing valid credentials) factored into about four of every five breaches involving hacking in our 2012 dataset.” Again, the recommendation is to harden credentials.
Quick Win #4 – Detect and Contain Breaches Early
Detecting a breach in your organization requires essential technology, processes, and personnel in order to ensure early detection and containment. It’s one of the most elemental purposes for having an IT Security group – ultimately it’s about protecting the organization.
It took months to years for over two thirds of breached organizations to figure it out. Imagine burglars having that period of time to roam about in your home unnoticed.
And, in about one third of the cases, it took attackers seconds to minutes before they’d both breached and exfiltrated data.
So that’s like someone getting into your home and finding/removing valuables while you’re in the kitchen getting a sandwich, only worse.
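The Hacking passage under Quick Win #3 says four of five hacking breaches involved guessed, cracked, or reused credentials, and Quick Win #4 says most victims took months to notice. One detection that addresses both is watching authentication logs for a burst of failures from one source, and especially for a success that follows such a burst. The script below is an added example written for this post, not code from the original article or the DBIR: the sshd-style log lines, the source addresses (documentation ranges), and the five-failures-in-ten-minutes threshold are all constructed assumptions to tune for your environment.

```python
"""Detect credential guessing and "success after failures" in auth logs.

Added example, not part of the original post. The log lines are constructed
in sshd style; the threshold and window are illustrative defaults."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammers several accounts and then logs in as
# "admin"; a second source is a user who mistyped a password once.
SAMPLE_LOG = """\
2012-06-01T09:00:01 sshd[4120]: Failed password for invalid user test from 203.0.113.7 port 50001 ssh2
2012-06-01T09:00:03 sshd[4121]: Failed password for root from 203.0.113.7 port 50002 ssh2
2012-06-01T09:00:05 sshd[4122]: Failed password for admin from 203.0.113.7 port 50003 ssh2
2012-06-01T09:00:07 sshd[4123]: Failed password for admin from 203.0.113.7 port 50004 ssh2
2012-06-01T09:00:09 sshd[4124]: Failed password for admin from 203.0.113.7 port 50005 ssh2
2012-06-01T09:00:11 sshd[4125]: Failed password for admin from 203.0.113.7 port 50006 ssh2
2012-06-01T09:00:20 sshd[4126]: Accepted password for admin from 203.0.113.7 port 50007 ssh2
2012-06-01T09:05:00 sshd[4130]: Failed password for alice from 192.0.2.10 port 40000 ssh2
2012-06-01T09:05:05 sshd[4131]: Accepted password for alice from 192.0.2.10 port 40001 ssh2
2012-06-01T09:06:00 sshd[4132]: pam_unix(sshd:session): session opened for user alice
""".splitlines()

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(line: str):
    """Return a dict for password auth events, None for lines we ignore."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts in log order.

    credential_guessing     : a source reached `threshold` failures within `window`
    success_after_failures  : a source logged in while still at/over the threshold,
                              i.e. a guessed or reused credential probably worked
    """
    recent = defaultdict(deque)   # source ip -> timestamps of failures in window
    flagged = set()               # sources already reported for guessing
    alerts = []
    for ev in filter(None, map(parse, lines)):
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # expire failures outside window
            q.popleft()
        if ev["ok"]:
            if len(q) >= threshold:
                alerts.append({"type": "success_after_failures", "ip": ev["ip"],
                               "user": ev["user"], "failures": len(q),
                               "at": ev["ts"].isoformat()})
        else:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "credential_guessing", "ip": ev["ip"],
                               "failures": len(q), "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures is noise on any internet-facing host, but a success from the same source minutes later is the “seconds to minutes to breach” timeline the report describes, and it is the moment to contain the account and the session rather than discover it months later.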
Quick Win #5 – Choose and Begin Implementing a Security Framework
The DBIR recommends implementation of the SANS 20 Critical Security Controls (CSC). However, since there is no ‘one size fits all’ solution, your organization may need to be more aligned with NIST SP 800-53 or even ISO 27002 guidelines. Choose one and start. What I like about the SANS 20 CSC:
- Collaboratively developed with wide participation, and continues to be updated for evolving conditions.
- Broadly applicable regardless of organization size, industry, public/private, security posture maturity level, budget, or most likely threat weakness.
- Offers high-level control categories, implementation priority, and sub-controls.
- Prioritized and organized sub-controls according to process maturity categories (Quick-Win, Visibility/Awareness, Control/Hygiene, and Advanced).
- Implementation diagrams, testing guidance, and the actual order of steps to follow are provided.
- Automation procedures and tool suggestions are provided.
- Specific and detailed document references to NIST Special Publications (800-53), and associated NSA Manageable Network Plan Milestones and Network Security Tasks.
All this said, and with the goal in mind of not being part of anyone’s breach or threat report for 2014, these final thoughts may be the most protective and preventative against the low sophistication attack vectors:
- Given that 76% of intrusions and the top five hacking methods all leveraged weak/misused credentials, it just seems natural to focus on credentials first.
- Next, ensure you address ‘unauthorized’ hardware and email phishing, since these are two of the most common methods used to deliver malware payloads.
Finally, if you haven’t adopted a security framework, at least familiarize yourself with the SANS 20 CSC.