US Secret Service shows business how to fight cyberthreats

Business needs to be more proactive in its approach to security in the face of increased insider threats and customised malware, says Verizon Business.


Both types of attack have increased in the past year, according to the 2010 Verizon Data Breach Investigations report in partnership with the US Secret Service.

This is the first time private and commercial data has been combined in a data breach report, said Matthijs Van der Wel, head of the EMEA forensics team at Verizon Business.

The data from the financial crime investigations from the Secret Service has enabled a broader and deeper perspective on cybercrime, he said.

"Most breaches are caused by external sources, but we now see a lot more cases that involve insiders combined with social engineering that we did not see in our previous data set," said Van der Wel.

The data also highlights an increased use of customised malware in smaller attacks to avoid detection by anti-virus and intrusion detection software, he said.

"Detection is extremely difficult, especially when mixed with stolen credentials, which enable attackers to mimic legitimate traffic," said Van der Wel.

The report recommends a more proactive approach to security in which businesses actively monitor log files for anomalies.

A sudden increase in the size and volume of log files is usually a good indication of malicious activity, according to Van der Wel.

In most cases, businesses have a small window of opportunity of about a day between the compromise and the theft of data, which should not be missed, he said.
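One way to implement the log-volume check described above, as an added example that is not part of the report or the article: it buckets syslog-style lines per hour and raises an alert when an hour's line count or byte volume is several times the median of the preceding hours. The sample log lines, the host name "web01" and the threshold values are constructed for illustration.

```python
# Added example (not from the Verizon report): bucket syslog-style lines per hour
# and alert when an hour's line count or byte volume jumps above the recent median.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def parse_line(line):
    """Return (hour bucket, byte length) for 'YYYY-MM-DDTHH:MM:SS host msg'."""
    ts = datetime.strptime(line[:19], "%Y-%m-%dT%H:%M:%S")
    return ts.replace(minute=0, second=0), len(line.encode())

def hourly_volume(lines):
    """Aggregate line count and byte volume per hour, in chronological order."""
    counts, sizes = defaultdict(int), defaultdict(int)
    for line in lines:
        hour, nbytes = parse_line(line)
        counts[hour] += 1
        sizes[hour] += nbytes
    return [(h, counts[h], sizes[h]) for h in sorted(counts)]

def find_spikes(lines, factor=3.0, min_baseline=3):
    """Hours whose count or bytes exceed factor x the median of earlier hours."""
    alerts, past_counts, past_sizes = [], [], []
    for hour, count, size in hourly_volume(lines):
        # Only judge an hour once enough earlier hours exist to form a baseline.
        if len(past_counts) >= min_baseline and (
            count > factor * median(past_counts) or size > factor * median(past_sizes)):
            alerts.append((hour, count, size))
        past_counts.append(count)
        past_sizes.append(size)
    return alerts

def build_sample_log():
    """Constructed sample: six quiet hours, then an hour of failed logins."""
    base = datetime(2010, 7, 28)
    lines = []
    for h in range(6):
        for m in range(5):
            t = base + timedelta(hours=h, minutes=10 * m)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%S} web01 sshd: Accepted publickey for deploy")
    burst = base + timedelta(hours=6)
    for i in range(60):
        t = burst + timedelta(seconds=30 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} web01 sshd: Failed password for invalid user admin")
    return lines

if __name__ == "__main__":
    for hour, count, size in find_spikes(build_sample_log()):
        print(f"ALERT {hour:%Y-%m-%d %H:00}: {count} lines, {size} bytes")
```

In practice the baseline would be taken from the same hour on previous days, so that normal daily peaks are not reported as spikes.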

Cases involving insiders show data theft is often preceded by a series of minor policy violations, the research shows.

Keeping track of minor policy violations is another way businesses can identify potentially malicious activities, said Van der Wel.

Businesses also need to move away from authentication methods that rely on usernames and passwords. Instead they should move to two- and three-factor authentication, he said.

"The time for passwords is gone because they can be captured easily by password sniffers, no matter how long and complex they are," he said.

The breach report includes a list of recommendations for businesses to improve their information security and background information on how the cybercrime world works.

Key findings of the 2010 report:

Most data breaches (69%) were caused by external sources

Many breaches (48%) involved privilege misuse

Nearly all data is breached from servers and online applications

Most breaches (85%) were not difficult to carry out

Most victims (87%) missed evidence of security breaches in their log files

Recommendations for enterprises:

Restrict and monitor privileged users

Watch for minor policy violations

Implement measures to stop the use of stolen credentials

Focus on the size and volume of log files

Share incident information with other organisations
