Business Daily from THE HINDU group of publications
Monday, Jun 15, 2009

eWorld
Interview ‘Ensure security basics everywhere’
“There is a big increase in hackers now hacking in their own backyard.”
D. Murali

If you are looking for advice on how data breaches can be averted, here is a simple one-liner from Mark Goudie: ensure security basics are deployed everywhere. “Companies need to avoid peaks of security excellence while also having troughs of poor security,” adds Goudie, Verizon Business managing principal for Investigative Response in Asia-Pacific. The attacker only needs to find one single point of weakness to launch his attack, Goudie cautions, during the course of a quick e-mail interview with eWorld, shortly after the recent release of the ‘2009 Data Breach Investigations Report’ by Verizon Business (www.verizonbusiness.com). The report reasons how, from a security point of view, it is better to do the essential everywhere, and then look to being excellent. Excerpts from the interview:

What is ‘data breach’? Has the definition of data breach been evolving over the years?

Data breach may include incidents such as theft or loss of data that resides in various media, including computer systems. Data breaches are a significant proportion of our caseload (90/250 p.a.) where company records are inappropriately disclosed to a third party, and a proportion of the caseload proves or incriminates someone on data breach. Typically, payment card data (81 per cent of breaches and 98 per cent of records), personal information (36 per cent of breaches and 1.5 per cent of records), and authentication credentials (31 per cent of breaches and <0.1 per cent of records) form the largest compromised data types in our report.

Are there surprises in the recent study, compared to the earlier ones?

There are no surprises, but we see a significant shift over the 12-month period. There is a dramatic increase in the sophistication and complexity of the attacks that we investigated. We are seeing more customised malware attacks that are not detectable by antivirus. Almost 60 per cent of these malware attacks are not detectable by antivirus because they are repacked, modified or custom-coded. Some examples include RAM scrapers, unallocated space scrapers and customised network sniffers.

There is a big increase in hackers now hacking in their own backyard. These hackers are hacking in the same country they live in, which therefore makes prosecution much easier. In the past, we used to see hackers crossing international boundaries, which made arrests and prosecution difficult, complex and expensive.

The other significant shift is the size of the data breaches. Last year our caseload consisted of 285 million compromised records, and the previous four years combined was ‘only’ 235 million records. We believe that organised crime is behind 90 per cent of all compromised records in the last year. This is another dramatic shift in the last 12 months’ statistics.

Did your methodology meet with any specific challenges? How much of data breach does get reported?

As our Data Breach Investigations Report goes, we have to maintain the anonymity of the customers we work with. This necessity makes it difficult for us to reveal our sources of data, and we are not able to either confirm or deny any case involvement.

Where are the gaps in the controls instituted by the financial services industry?

Financial institutions are more likely to be attacked by internal parties (staff) and partners (e.g. outsourcers). Shared and default credentials through remote access and management prove to be the weakest links that are often exploited within the financial services industry. With partners, it is typically the partner’s asset or connection that is compromised, which leads to the data breach in the financial institution. For example, the partner connects to the financial institution through a VPN and the VPN credentials are compromised.

Do we have any estimates of the losses entailed by data breaches? Also, any estimate of successful tracking of perpetrators and recovery of money lost?

As we don’t investigate financial losses for customers, we do not record this information. We believe that less than 3 per cent of breaches are detected. Many people think cardholder data is the primary data that is breached; but cardholder data is often the tip of the iceberg, and far more personally identifiable information (for example, name/address, passport information) is breached than cardholder data. Typically, card details are stolen from a location where a valid purchase was made. When banks analyse card fraud trends, they look for a common point of valid purchase where cards that are now exhibiting fraudulent transactions were used. This common point has often been compromised.

Does the study offer any insights about Indian enterprises?

Companies in India are having experiences similar to those in other markets. Our observation is that individuals who are laid off often tend to steal data while they still have access to it, before they leave the organisation. Individuals who have been given notice, but have not yet left the organisation, have been found to have stolen data in a number of cases. We believe this will only become more prevalent, given the global economic situation.

Are the existing standards that govern data security enough?

Existing standards are good and getting better. PCI has been attacked in the media, as there is a perception that PCI has failed. This is not the case. Consider that if a custom sniffer has been placed on a server to steal unencrypted data over the network (a perceived weakness in PCI), we recommend that customers review the number of PCI non-conformances needed for the malware to be planted on the server and the data to be removed from the organisation.

Any other points of interest?

We are at a time where we are starting to see a reduction in successful SQL injections. Investigators are also now using their network expertise to see beyond the starting-point attack, and they are able to provide more detailed information.
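The “common point of purchase” analysis Goudie describes (find the merchant where cards that later turned fraudulent all made a valid purchase) is shown below as an added example; it is not code from the interview or from Verizon Business. The transaction records, card tokens and merchant identifiers are constructed, the ranking by lift over the baseline compromise rate and the `min_fraud_cards` threshold are the editor’s assumptions, and dates are ISO strings so the script runs with the standard library only.

```python
from collections import defaultdict

# Constructed sample data (hypothetical card tokens and merchants, not real).
# Each record: (card_token, merchant_id, purchase_date as ISO string).
TRANSACTIONS = [
    ("card01", "M_GROCER", "2009-03-02"),
    ("card01", "M_CAFE",   "2009-03-09"),
    ("card02", "M_GROCER", "2009-03-03"),
    ("card02", "M_FUEL",   "2009-03-05"),
    ("card03", "M_GROCER", "2009-03-04"),
    ("card03", "M_CAFE",   "2009-03-04"),
    ("card04", "M_GROCER", "2009-03-06"),
    ("card05", "M_CAFE",   "2009-03-07"),
    ("card05", "M_FUEL",   "2009-03-08"),
    ("card06", "M_FUEL",   "2009-03-09"),
    ("card07", "M_GROCER", "2009-03-10"),
    ("card08", "M_CAFE",   "2009-03-11"),
]

# Cards on which the issuer has since seen fraudulent transactions (constructed).
FRAUD_CARDS = {"card01", "card02", "card03", "card04"}


def common_point_of_purchase(transactions, fraud_cards, min_fraud_cards=3):
    """Rank merchants by how many later-compromised cards made a valid
    purchase there, relative to the baseline compromise rate of all cards.

    Returns a list of dicts sorted by (fraud_cards, lift) descending; only
    merchants seen by at least `min_fraud_cards` compromised cards are kept,
    so a merchant touched by a single bad card does not dominate the output.
    `window` is the (first, last) date a now-compromised card transacted
    there: the candidate exposure period to investigate.
    """
    cards_at = defaultdict(set)        # merchant -> all distinct cards seen
    fraud_dates_at = defaultdict(list)  # merchant -> dates of compromised cards
    all_cards = set()

    for card, merchant, when in transactions:
        all_cards.add(card)
        cards_at[merchant].add(card)
        if card in fraud_cards:
            fraud_dates_at[merchant].append(when)

    # Baseline: fraction of all observed cards that later went bad. A merchant
    # is suspicious when its own fraction is well above this.
    baseline = len(fraud_cards & all_cards) / len(all_cards) if all_cards else 0.0

    results = []
    for merchant, cards in cards_at.items():
        hits = cards & fraud_cards
        if len(hits) < min_fraud_cards:
            continue
        rate = len(hits) / len(cards)
        results.append({
            "merchant": merchant,
            "fraud_cards": len(hits),
            "total_cards": len(cards),
            "rate": rate,
            "lift": rate / baseline if baseline else float("inf"),
            "window": (min(fraud_dates_at[merchant]), max(fraud_dates_at[merchant])),
        })

    results.sort(key=lambda r: (r["fraud_cards"], r["lift"]), reverse=True)
    return results


if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(f"{row['merchant']}: {row['fraud_cards']}/{row['total_cards']} cards "
              f"compromised, lift {row['lift']:.2f}, window {row['window']}")
```

With the sample data only M_GROCER clears the threshold: four of its five cards later went bad (lift 1.6 over the 0.5 baseline), and the exposure window runs from 2009-03-02 to 2009-03-06. Lowering `min_fraud_cards` to 1 also lists M_CAFE and M_FUEL, but both sit at or below baseline, which is the point of comparing against it rather than counting hits alone.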
Copyright © 2009, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line.