Data breach investigations show no-one is immune

Nearly every industry, country and type of data was involved in a breach of some kind in the past year, according to security firm Trustwave.

The retail industry is now the top target for cyber criminals, according to the 2013 Trustwave Global Security Report on 450 global data breach investigations.

Some 45% of investigations involved businesses in retail, followed by food & beverage (24%) and hospitality (9%).

Reasons for this include the sheer volume of payment cards used in these industries and the fact that the main focus of those businesses is customer service, not data security.

There is also a misconception that these organisations and others are not a target because they are not related to government or to industries such as military, energy or pharmaceuticals.

“Many businesses still doubt that they will be targeted but for financially-motivated cyber criminals, all companies have data that is of value,” said John Yeo, Trustwave's European director.

“Criminals are industry agnostic; they continually look for weaknesses that are easy to exploit. If a weakness exists, it is only a matter of time before they do,” he told Computer Weekly.

In the past year, e-commerce platforms and websites emerged as the most popular assets to compromise, so any organisation with either of these is likely to be targeted, said Yeo.

Compromises of e-commerce platforms and websites accounted for 48% of Trustwave’s investigations in the past year, according to the report.

However, Yeo said most of the attacks involved the exploitation of legacy-type vulnerabilities and well-known attack methods.

SQL injection attacks on websites and e-commerce platforms, and the exploitation of insecure remote access systems, for example, were involved in 73% of the incidents covered in the report.

“To a certain extent, network security has been figured out by people familiar with protecting the perimeter, but there is still a lot to do in the web application security space, with applications running on top of that network still presenting a lot of vulnerabilities,” he said.

Most web security tends to be focused on the main corporate websites, said Yeo, but organisations typically also have many web-facing applications, and any one of those could provide an entry point for attackers, who will always look for the weakest link in the chain.

“Cyber criminals look for any web application with a vulnerability that they can exploit to get into an environment and then use that foothold to penetrate deeper into an organisation,” he said.

The report highlights a correlation between the increased adoption of an outsourced, third-party IT operations model and data breaches.

Some 63% of investigations revealed that a third party responsible for system support, development or maintenance had introduced security vulnerabilities exploited by hackers.

The report shows that organisations are still taking a long time to detect intrusions, with the average time between intrusion and containment having increased to 210 days, up from 175 days in 2011.

Nearly two-thirds of organisations investigated took more than 90 days to identify criminal activity and 5% took more than three years.

“This is a serious problem as hackers are able to harvest data for long periods of time before anyone knows they are there,” said Yeo.

He ascribes this to failings in user practices, business processes, technology or a combination of these.

“In some cases SIEM (security information and event management) solutions are deployed, but the organisation may not have the right skills and processes in place to benefit from that data,” said Yeo.

It is essentially a “big data” problem, he said, with thousands of events being generated that have to be correlated with expert rules configured on the technology and then analysed to identify anomalous patterns.

“Subsequent to that, you need the processes to ensure that an appropriate response is carried out rather than a purely IT-focused response, because in reality, a good response typically runs across several departments or functions,” said Yeo.

While business continuity plans tend to be mature and tested regularly, IT security incident readiness is a relatively new area. Businesses are just beginning to understand what incident readiness means, and not all organisations have plans in place.

“If they do have plans, they are rarely, if ever tested; so the only time a response plan comes into play is when a breach occurs, but that is really not the time you want to discover it doesn’t work,” said Yeo.

Other key findings in the report include:

  • Mobile malware has increased 400% in the past year
  • Half of business users are still using easily-guessed passwords
  • Employees remain a weak link due to susceptibility to social engineering
