Matthjis van der Wel is head of forensics at Verizon Business, which has carried out investigations into more than 600 data breaches over the last five years, including a large proportion of all publicly disclosed data breaches, and others that have never been released.
Van der Wel contributed to Verizon's 2009 Data Breach Investigations Report, published in April, which overturned some long-held assumptions about security, most notably showing that nearly 80% of all breaches come from outside the organisation. According to conventional wisdom, insiders always posed the biggest threat, but the Verizon report showed a sharp rise in external hackers finding ways to compromise confidential records.
In 2008, Verizon recorded 285 million compromised records in 90 data breach investigations -- more than all four preceding years combined. According to van der Wel, that statistic signals a growing sophistication amongst cybercriminals that is not matched currently by organisations trying to protect their own data. "Organisations are making what I can only describe as stupid mistakes," he said.
For example, failing to patch vulnerabilities, using default passwords and forgetting to close down user accounts when employees leave the organisation are among the failures that lead to data loss.
The flood of stolen personal and financial data on the black market has driven down prices, he said. A stolen credit record could have fetched up to $16 four years ago, but now the price is 50 cents. That has prompted organised crime to become more sophisticated and to go after more valuable information in more targeted attacks.
"Cybercriminals are now investing a lot of time, resources and money into targeting some very high-profile victims," he said. "In one recent case I investigated, cybercriminals accessed the network of a major organisation and spent a year looking around the network, learning everything they could about each and every system before they initiated their first attack. They probably had a better picture of the network than the organisation itself."
In many cases, the solution would be just a question of monitoring system log files or analysing alerts from intrusion detection systems, but few organisations bother to do it.
"When we do an investigation and look at log files, the evidence is there," he said. "Organisations would be better off hiring people to do the log file analysis. There is such a wealth of information you can learn from log files, especially application or database logs. But many organisations just collect them and don't do anything with them, or they turn them off to save disk space, or they have rotating log files so they are constantly overwritten."
In one case he investigated, an IDS raised 1,800 alerts about an SQL injection attack that was ignored by the victim organisation. "The logs show you what has gone on. The organisation could have seen that for themselves. That's why they got the box in the first place. It's very frustrating."
In other cases, where targeted attacks have been able to evade antivirus software and penetrate systems, companies can still pick up the tell-tale signs if they know what to look for, he said.
For instance, he discovered a 30 GB file in a system where malware was storing information it had intercepted. "Nobody in the organisation asked why there was a 30 GB file that kept growing every day. Or why so much data was leaving the organisation," he said.
His advice is to examine the IP addresses of outgoing connections, analyse their physical locations, and then plot them using Google Maps. "You then ask: Why do we have a connection to Romania every Saturday morning? Or a connection every week to Italy after office hours? They could be for an off-shore back-up service, but you need to examine it."
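The outbound-connection review described above, as an added example that is not part of the original article or of Verizon's own tooling: it parses constructed firewall-style log lines (timestamp, internal host, destination IP, bytes sent), attaches a country to each destination via an assumed lookup table standing in for a GeoIP database, and flags foreign destinations that are contacted repeatedly outside an assumed 08:00-18:00 weekday office window.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <internal host> <destination IP> <bytes out>".
# Made-up records for illustration, not data from any real investigation.
SAMPLE_LOG = """\
2009-04-04T07:12:03 10.0.0.12 198.51.100.7 52428800
2009-04-11T07:15:41 10.0.0.12 198.51.100.7 61440000
2009-04-18T07:09:10 10.0.0.12 198.51.100.7 58720256
2009-04-14T11:02:55 10.0.0.15 203.0.113.9 4096
2009-04-15T14:30:00 10.0.0.15 203.0.113.9 8192
2009-04-16T20:45:12 10.0.0.21 192.0.2.44 1048576
2009-04-23T21:05:48 10.0.0.21 192.0.2.44 2097152
"""

# Hypothetical IP-to-country table; a real deployment would query a GeoIP database.
COUNTRY = {"198.51.100.7": "RO", "203.0.113.9": "US", "192.0.2.44": "IT"}


def parse_line(line):
    """Split one log line into (datetime, src, dst, bytes)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def is_after_hours(ts, start=8, end=18):
    """True on weekends or outside the assumed office window."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def summarise(log_text):
    """Group outbound connections by destination: country, counts, volume, weekdays seen."""
    per_dst = defaultdict(lambda: {"country": "??", "total": 0,
                                   "after_hours": 0, "bytes": 0, "days": set()})
    for line in log_text.splitlines():
        ts, _src, dst, nbytes = parse_line(line)
        rec = per_dst[dst]
        rec["country"] = COUNTRY.get(dst, "??")
        rec["total"] += 1
        rec["bytes"] += nbytes
        rec["days"].add(ts.strftime("%a"))
        if is_after_hours(ts):
            rec["after_hours"] += 1
    return dict(per_dst)


def flag_suspicious(summary, home_country="US", min_repeats=2):
    """Foreign destinations contacted repeatedly after hours are the ones to ask questions about."""
    return sorted(dst for dst, rec in summary.items()
                  if rec["country"] != home_country and rec["after_hours"] >= min_repeats)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for dst in flag_suspicious(s):
        r = s[dst]
        print(f"{dst} ({r['country']}): {r['after_hours']}/{r['total']} after hours, "
              f"{r['bytes']} bytes, days {sorted(r['days'])}")
```

Each flagged line is a question to put to the business, as van der Wel suggests: the Saturday-morning transfers to the "RO" address may be a legitimate off-site backup, but someone has to confirm that.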
As it stands, 70% of organisations do not detect security breaches themselves, instead relying on third parties, such as police, customers or business partners, to spot that something is wrong. As the report pointed out: "The opportunity for detection is there; investigators noted that 66% of victims had sufficient evidence available within their logs to discover the breach had they been more diligent in analysing such resources."
Van der Wel's advice is to use your own staff to spot the systems' weaknesses. "Sit down with a couple of knowledgeable IT guys and come up with different attack scenarios. Ask how they would attack their own organisation. Imagine how that would show up in the log files. After that, go and look in the log files to see if anyone has done it. If you can think of it, so could others. We don't see many IT organisations spending their money doing things like that. They would rather spend the money on a new box."