Data protection: It's often about locking the front door

Organisations face costly data breaches, but attacks are not necessarily sophisticated. How are criminals accessing corporate networks?

Organisations, regardless of industry and size, continue to face costly data breaches, but the common attack methods are not necessarily sophisticated and obscure.

So what are the most common ways criminals are getting access to corporate networks?

In many cases, it is through obvious doors into the organisation, such as legitimate remote access applications, according to John Yeo, director of Trustwave SpiderLabs, Europe.  

In the past year, his team has collected data from 300 data breach investigations in 18 countries, 2,000 penetration tests and more than two million vulnerability scans, and published its findings in the Trustwave 2012 Global Security Report.

Remote access entry points

The data reveals that in 62.5% of cases, attackers were able to harvest data in transit within the victim organisation through remote access applications used by internal staff, contractors and supply chain partners.

"The first problem is that most of the organisations targeted in this way do not understand the implications of providing insecure remote access, and remote access is typically just one – albeit important – component of an organisation's internet-facing presence," Yeo told Computer Weekly.

In many cases, he said, access points are set up by individual business units or support organisations that those responsible for IT security are not aware of. 

According to the Trustwave report, a third party responsible for system support, development or maintenance of business environments introduced the security deficiencies exploited by attackers in 76% of cases investigated.

"Outsourcing of system admin is a major risk factor associated with compromise," said Yeo. "Non-functional security requirements are often left out of outsourcing contracts because the focus is on getting the job done."

Weak passwords leave systems open to attack

In several cases, investigators found that systems integrators had used the same password across all customers. "Criminals know this, so when they find a password, they will try that password on all the customer organisations they are able to identify," said Yeo.

This makes many of the organisations relatively easy to target because they are still using weak or default administrator passwords, he said.

Analysis of two million real-world passwords used within corporate information systems found that 5% of them used weak passwords such as "Password1" and 1% based on the word "welcome".

"Password1 is commonly used by admins because it satisfies the minimum requirements of eight characters, at least one upper-case letter and at least one number," said Yeo.  

Many companies set up passwords such as "Welcome123" for new starters, which users often fail to change, but it all boils down to poor administration, he said.

In one instance, Trustwave SpiderLabs found that attackers were able to compromise as many as 250 unique critical systems at a single target location by exploiting duplicate credentials.

Breach detection should be better managed

The next weakness shared by 84% of organisations hit by breaches investigated by Trustwave SpiderLabs was the inability to detect that their IT systems had been compromised.

According to the Trustwave Global Security Report, only 16% of the organisations breached had detected the data compromise themselves. The remainder had been informed of the breach by third parties.

"There is still a huge reliance by organisations on regulatory bodies, law enforcement and credit card payment processors to know if they have been compromised," said Yeo.

Investigations show that on average the time between intrusion and detection is about six months, compared with just 43 days in organisations that have self-detection capabilities.


An allied problem, said Yeo, is that often when someone within an organisation has noticed an anomaly, nothing has been done. "It is not just about having detection technologies, organisations also need to have the correct processes in place to ensure action is taken when required," he said.

Central control is desirable

In this regard, Yeo said it is also important for organisations to be able to correlate security information across all IT systems. "It is difficult to take action when relevant data is isolated in various silos within the business," he said.

The absence of a central information security view or control over applications is common among highly vulnerable organisations, according to Yeo.

A single top-down approach to applications is enabled only when organisations have visibility across their entire application portfolio. "Knowing what you have got is essential to being able to rate applications according to their criticality to the business or of the information they process, and assign the appropriate protections based on that rating," he said.

Yeo said organisations should have a more data-centric approach to security because data is what they ultimately want to secure. "In theory, at least, if data is secure, it is less important who has access to the network," he said.

Tips for protecting corporate networks

What other simple things can organisations do to improve their resistance to attack?

There are several quick wins, said Yeo. First, organisations need to set up systems in such a way that it is impossible to use weak, blank or easily guessable passwords.

"If an attacker is able to get into a network user's account, even if they are on a low level, it is just a matter of time before they can work their way up to getting into an admin account, and then it is game over," he said.

Second, organisations should standardise on the hardware and software used by everyone to make security and management easier. "In a standardised environment, it is less likely that IT will forget to update systems as they will have a better view and understanding of what is going on," said Yeo.

Third, organisations should continually work to raise the security awareness of IT users that is appropriate to each individual's role in the business, including contractors and other third parties that have access to corporate systems.

It is also worth noting that organisations which score highly in penetration testing typically use two-factor authentication methods. "This makes it more difficult for attackers to gain entry through automated password guessing," he said.

More resilient organisations also typically use web application firewalls, which provide a base level of protection against many common web-based attacks, said Yeo.
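The password points above (the complexity rule that "Password1" satisfies, and setting systems up so that weak or blank passwords cannot be used) as an added Python example, not code from the article or from Trustwave: a minimal policy of the kind Yeo describes is placed beside a hardened check that also rejects blank, short and dictionary-based passwords. The blocklist of base words and the letter-for-symbol substitution table are constructed assumptions for the example.

```python
import re

# Minimum complexity policy of the kind Yeo describes: at least eight
# characters, one upper-case letter and one digit. "Password1" satisfies it.
def meets_basic_policy(password: str) -> bool:
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None)

# Constructed blocklist of base words for this example (an assumption; a real
# deployment would use a large list of breached and common passwords).
WEAK_BASE_WORDS = {"password", "welcome", "admin", "letmein", "qwerty", "changeme"}

# Common letter-for-symbol substitutions, undone before the blocklist lookup.
# "1" is left alone because it stands for both "i" and "l".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "5": "s"})

def base_word(password: str) -> str:
    """Reduce 'Welcome123' or 'P@ssw0rd2012' to the word it is built on."""
    word = password.lower()
    word = re.sub(r"^[^a-z]+|[^a-z]+$", "", word)   # strip digit/symbol padding
    word = word.translate(LEET_MAP)                  # undo p@ssw0rd-style swaps
    return re.sub(r"[^a-z]", "", word)               # drop anything left over

def check_password(password: str, min_length: int = 12) -> tuple[bool, str]:
    """Hardened check: rejects blank, short and dictionary-based passwords
    even when they satisfy the basic complexity policy."""
    if not password.strip():
        return False, "blank password"
    if not meets_basic_policy(password):
        return False, "missing upper-case letter or digit"
    word = base_word(password)
    if word in WEAK_BASE_WORDS:
        return False, f"built on the common word '{word}'"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if len(set(password)) < 5:
        return False, "too few distinct characters"
    return True, "ok"

if __name__ == "__main__":
    # Constructed samples: the first three pass the basic policy yet are weak.
    for candidate in ["Password1", "Welcome123", "P@ssw0rd2012", "",
                      "Tr0ub4dor&3", "correct horse Battery 9 staple"]:
        print(f"{candidate!r:34} basic={meets_basic_policy(candidate)!s:5} "
              f"hardened={check_password(candidate)}")
```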

New data protection rules

Will the proposed EU data protection framework help foster better security?

Yeo believes it will. "In many organisations, data protection is seen as an IT problem, but the proposed regulations require company directors to take ownership," he said.

The regulations also make breach disclosure mandatory, which means ignorance is not a defence for non-disclosure; knowing what is going on will therefore be a basic requirement for company leaders.
