A couple of weeks ago, I wrote a post on how we in the security industry make decisions. After a bit of waxing philosophical, I proposed a list of decision “methods” I regularly see in use among organizations. I also created a small survey (that contained a few additional methods) to capture your experiences for comparison. The response was not overwhelming by any stretch but the results are below (click the image to make it bigger).

(more…)

As a student of both the fields of Information Technology/Security and Management Science, I often find myself looking at security issues through a “decision-oriented” lens. For the most part, these two disciplines make good bedfellows – especially when one considers that engineers dominate the Information Security field. Please don’t misinterpret this; I have a healthy respect for, and advocate our need of, engineers (I’ve even helped teach and graduate some of them). However, not all of our problems are engineering problems and I do believe that our ability to truly manage information risk is hindered by a shortage of input from other disciplines (though I’ve seen at least some improvement in recent years).

One area where the engineering and management mindset clash is in decision-making. The engineer asks, “What do I need to know to precisely formulate all factors in this decision?” Meanwhile, the management scientist asks “What do I need to know to make a good decision?” In such matters, I side heavily with the management scientist. (more…)

Hollywood calls it “Re-imagining”.  The creative types call it “rebooting”.  We might settle for “re-thinking”. But since it seems to be all the rage these days to take a second look at a subject, I thought I’d apply the concept to one of our favorite topics, Information Security Standards.

I admit that this is an incomplete thought, but I’d like to share it with you for two reasons:

1.)  At the end of a podcast I was part of recently, one of the other panelists challenged our industry to stop whining about our current state of affairs and do something better.

2.)  To request your feedback on the idea.

So here’s my thought: if we’re going to re-imagine InfoSec standards, as if we could do it all over again, I think there are three basic requirements any standard needs in order to be useful at all:

1.) A standard must provide for its own obsolescence/evolution (falsification and a transparent falsification process must be built in)

2.) A standard must provide means of measurement (both for the outcome of the standard, and to measure the quality of standard adherence)

3.) A standard must reference, and be able to be referenced in, vernacular and in measurement (the language of the standard has to make sense to other standards)

(more…)

by William Murray

Recent headlines have reported on denial of service attacks against Twitter, Facebook and several other social networking sites.  These follow attacks in July against various government sites in the US and South Korea.  The headlines have elicited all kinds of commentary, most of it stopping just short of concluding that the sky is falling.  In all of this coverage, I have seen almost nothing about what this means to the average enterprise or what one ought to do about it.

Denial of service attacks work by exhausting finite resources.  (They are different from an attack that compromises a system and then breaks it or shuts it down.) Historically we thought of them as exhausting system resources.  For example, “Syn  flood” attacks against servers work by exhausting memory until the server dies.   However, modern distributed denial of service (“DDoS”) attacks (“distributed” modifies “attack,” not “denial of service”) work by exhausting network bandwidth, usually the “last mile” to the victim.

(more…)

by William Murray

Not so long ago, but in a different era, the rogue hackers were building tools to automate the creation of viruses and worms to exploit newly publicized vulnerabilities.  They boasted that these tools were enabling them to develop malicious code faster and faster and that soon they would be able to create an attack within twenty-four hours of the identification of a vulnerability. Thus was born the idea of the “zero-day” attack.  Note that “zero-day” is a term of art, that it modifies attack, and that it is relative to the identification of the vulnerability.  

While it is sometimes used to refer to a previously unknown vulnerability, the words have no meaning in that context. “Zero-day” relative to what?  To yesterday?  The term has lost its original meaning without gaining a new one.  It became an expression that, not only carried no meaning of its own, but confused the meaning of any terms with which it was used.  This aggravates the general problem in security that our terms of art, e.g. threat, attack, vulnerability, and risk are used without distinction, not to say interchangeably.  Multiple times a week I find myself parsing quotes about security in the media, in a sometimes vain attempt to figure out what the source intends.

(more…)

Despite the release of numerous tools intended to make things easier for forensic investigators, there’s also development on the other side of the law. I’ve personally given multiple presentations on the topic of anti-forensics at various conferences and have also attended my fair share as well. No matter where you go, it always seems to be a very polarized discussion.

You have the folks on one side of the room that go to the presentations seemingly just to heckle the speakers. They claim that anti-forensics doesn’t exist, and that it’s a myth propagated by the companies that do investigations. Let’s just say for argument’s sake they’re right. Can anybody out there prove that it’s not happening?

Now let’s look at it from the other side. Do we have cases where we have confirmed that anti-forensics was in use? Yes – and we’re not talking about a meager amount either. Based on just our metrics, we see anti-forensics is involved in more than a third of our caseload. And considering that, by its very nature, it’s designed to never be found, we can reasonably assume that the actual presence of anti-forensics is probably much higher.

On what side of the room are you? Any experiences you wish to share regarding AF?

Microsoft has announced that they have discovered a vulnerability in DirectShow. Exploitation of the vulnerability could allow a criminal to run code of their choice in the victim’s security context simply by the victim browsing to a website while allowing scripts to run. The browser being used doesn’t matter providing it allows scripting. Microsoft is aware of limited attacks in-the-wild. Patches are being developed.

All versions of Windows are vulnerable, except Vista and Server 2008. It is worth noting that DirectShow was patched for similar vulnerabilities in April 2009, and previously in December of 2007. Neither of those vulnerabilities was ever significantly exploited.

(more…)

Multiprotocol Label Switching (MPLS) security is not for the faint hearted. However, like most information technology, understanding basic principles and having a policy founded on sound principles allows an administrator to sleep at night knowing the networks are secure.  A policy for employing thoughtful and conservative essential practices and having quality assurance practices to ensure continuity of secure operations is one of those basic principles.  An antithetical principle is that when a criminal takes control of your systems, bad things are going to happen.

(more…)

Get it free of charge with no sign-up requirements here.

Creating the single-year sequel to a four-year report on over 500 breach investigations is a daunting prospect. While it would be impossible to trump the sheer scope of the original 2008 DBIR, we’ve sought to preserve its strengths and introduce some key enhancements for 2009. Here is some of what you can expect in this release:

First, you’ll notice the report is quite a bit larger than last year. Hopefully it’s worth the extra disk space (which isn’t saying much given current prices) and/or toner (which *is* saying a lot given current prices). Rather than platitudes and pitches, we’ve worked to fill those extra pages with real substance. Everyone loves data.

(more…)

In our minds, there are two very interesting items with regard to demographics in this years report.  The first is that the number of attacks in the financial services industry more than doubled in 2008.  More importantly, an amazing 93% of compromised records were the result of breaches in the financial services industry.  As we said in our report, this is largely due to a few cleverly designed and executed attacks which yielded huge payloads.  It will be interesting to see if this trend continues or if the bigger players in the financial services field will be more successful in avoiding these attacks in the coming year.
On a side note, we have seen a few comments from our readers in which they question why we included size of industry in our demographics section.  This was done simply to illustrate that the caseload didn’t all come from very large or very small companies, but was spread across a wide range.
The other noteworthy item is that 13% of the organizations in our caseload had recently changed hands as a result of an acquisition or merger.  While we make no bones about the fact that we cannot draw any ‘scientific’ conclusions from this data point, we find it relevant and of great interest.  Anyone with any experience of large scale change in any company can testify to the fact that they rarely (nice way of saying NEVER) go smoothly. Hopefully, any insight our investigators can lend to what commonalities exist between the breach victims of recently merged companies can be applied to prevent future crimes from occurring.  What are your thoughts?

I’ve been reading reviews of the 2009 DBIR today and I gotta say – I’m surprised at the lack of snarling and teeth gnashing over our stats on who’s behind all these breaches and lost records. Last year, we received no shortage of comments (positive and negative) about insiders causing the fewest breaches. I won’t go into all the various reasons behind our findings here since that is done in the report. I would like to say that I was surprised at the disproportionality of Fig 8.

(more…)

by Chris Porter

The relative difficulty of attacks leading to data compromise is an excellent indicator of both the current threat environment and the state of modern security programs. After each forensic investigation, our VzB investigators assess the attack and classify the difficulty into the following categories: None, Low, Moderate and High.

There are several rather interesting finds within the data this year. One is that attackers used simple methods of attack in over 50% of the breaches. The basic conclusion from this is that attackers still do not have to work very hard to get the data they desire.

Another interesting find in this data set is related to a new metric that we have added. This year the attacks have also been analyzed for the number of records breached. If you look at the highly difficult attacks in this data set, they are responsible for 95% of the 285 million records breached.

I also found it interesting that when you look at an attack from end to end, the difficult part typically occurs after the criminal penetrates the perimeter. Most highly difficult attacks were given that classification because of the elaborate nature of the malware used to capture data rather than the hack used to get in the door. The latter is usually involves more run-of-the-mill techniques.

What did you find interesting? Please share in the comments section below.

In our report we found it helpful to further break down the standard classifications of attacks, opportunistic and targeted, into three categories:
Random opportunistic – victim randomly selected
Directed opportunistic – victim selected, but only because they were known to have a particular exploitable weakness
Fully targeted – victim was chosen and then attack planned

In 2008, fully targeted attacks rose to a 5 year high, and accounted for 90% of total records compromised in 2008 (by comparison, it was 14% in last years model).  We have said in the past that if criminals (particularly organized crime with its vast resources) take aim at your organization and attack you with enough intensity over a long enough time span it is likely that they will breach your perimeter.  The caseload for this report seems to go a long way toward proving this to be true.
At the same time, the majority of attacks were not fully targeted, but were of the more opportunistic variety.  The old adage of the deer and the bear applies here.  When being chased by a bear you don’t have to be the fastest deer, you just have to be faster than the one next to you.  In other words, set up your defenses in such a way as to minimize your chances of being the target for these kinds of attacks.  This can be attempted in a variety of ways.  One important element is to retain as little data as possible in the first place. If you don’t absolutely have to have if for business reasons, or if your legal department doesn’t insist on it (good luck), then get rid of it.   Also, know where your critical information resides at all times, and who has access to it.  You may feel that you don’t have the time or resources to do this.  Relax, if you don’t find it the criminals will do it for you for free.

Figure 25 in the 2009 Data Breach Investigations Report (p30) shows that for the big computer crime cases in 2008, the vast majority involved data from servers (Online Data 94% of cases).  In only 17% of all cases were End-User Systems involved in any part of a target.  In only about 1% of cases (one case out of 90, Figure 16) were End-User Systems part of the attack pathway.  The very same data, when viewed by the percent of records lost, shows that 99.9% of records were taken from servers, while just 0.01% of the records were taken from End-User systems.  Wow!

(more…)

To my mind, this section included several areas of interest. The sheer number of compromised records we investigated in 2008 is surprising – even to us. Only time will tell how the numbers will stack up in 2009 but we’ve already worked several large cases this year.

One of the things we discussed internally when analyzing the data from 2008 was how useful the “% of records” statistics would be since it was so dominated by a few large breaches (the largest 4 or 5 breaches exceed 90% of all 285 million records). We thought about removing them. We thought about pulling them out and presenting them separately alongside the smaller yet more numerous breaches. In the end, we decided keep everything together and provide distributions, measures of central tendency, etc to describe the data set.

The breakdown of data types shown in Figure 29 of the report was not unexpected and probably not surprising to many. However, I have fielded a huge amount of questions and interest with respect to the discussion around PIN data. In retrospect, it would have been wise to call this out separately and we will do so in the next report. Attacks targeting this type of data were, without a doubt, one the defining developments in the world of cybercrime in 2008. Unfortunately, I feel we will be dealing with it for some time to come.