Posts Tagged ‘Information Security’
Tuesday, April 14th, 2009
I am totally fascinated that, as sophisticated as our enterprises are, computer crime follows the same basics as water (seeks the lowest point, leaks from the softest spot) and chains (that break at their weakest link). We chant and rant these sorts of ditties endlessly, yet our spending and protection strategies often make security stronger where it is already strong, and ignore, or don’t even look for, the weak spots.
Figure 30 in this year’s study shows that in over half of all cases (and a much higher percent of records lost) the data that was breached involved relatively simple things that took the victim company by complete surprise. In Figure 30 (pg 34), “Unknown Data” was a problem in over 1/3 of cases and about 2/3 of all records lost.
When we get called in to handle a case we typically meet with the IT staff on the first morning to reassure them and to get some basic information so that we can quickly diagnose the issue. Usually someone knows that records were lost, but doesn’t know how. We ask: “Where would records like those be stored and processed?” The staff answers something like “over there on machines A, B, C and D.” We ask if we can put a sniffer on the network among machines A, B, C, and D. When we do, we typically see 95%+ of the traffic moving among these devices, but we often see a small percent of traffic also going to machines P, Q, R, S, and T.
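The sniffer step described above, as an added example in Python that is not part of the original post: it reduces a capture to (src, dst, bytes) records, measures how much of the traffic stays among the machines the staff named, and ranks any other host that shows up. The host names A–D, P and T and the flow lines are constructed for illustration; a real run would take a flow-collector export or a pcap reduced to the same three columns.

```python
"""Rank the hosts that quietly share traffic with the machines staff named.

Added example; not code from the original post.  It models the sniffer step
from the investigation: count bytes between the hosts the IT staff named
(A-D) and surface any other host that appears in the capture.  The flow
lines below are constructed; a real run would feed it a flow export or a
pcap reduced to (src, dst, bytes) tuples.
"""
from collections import Counter

# Constructed flow summary, one "src dst bytes" record per line.
SAMPLE_FLOWS = """\
A B 900000
B A 850000
C D 700000
D C 650000
A D 400000
C A 300000
B P 12000
D T 9500
"""

# The hosts the staff pointed us at.
EXPECTED_HOSTS = {"A", "B", "C", "D"}


def parse_flows(text):
    """Parse 'src dst bytes' lines into (src, dst, int) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, nbytes = parts
        flows.append((src, dst, int(nbytes)))
    return flows


def summarize_flows(flows, expected):
    """Return (share of bytes that stayed inside `expected`, bytes per outside host).

    A flow is 'inside' only when both endpoints are expected hosts.  Anything
    else is charged to the endpoint(s) nobody mentioned, so the Counter reads
    as a ranked list of machines to sniff or image next.
    """
    inside = total = 0
    outside = Counter()
    for src, dst, nbytes in flows:
        total += nbytes
        if src in expected and dst in expected:
            inside += nbytes
            continue
        for host in (src, dst):
            if host not in expected:
                outside[host] += nbytes
    share = inside / total if total else 0.0
    return share, outside


def unexpected_hosts(flows, expected):
    """Hosts that exchanged data with the named machines but were never named, busiest first."""
    _, outside = summarize_flows(flows, expected)
    return [host for host, _ in outside.most_common()]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    share, outside = summarize_flows(flows, EXPECTED_HOSTS)
    print(f"{share:.1%} of bytes stayed among {sorted(EXPECTED_HOSTS)}")
    for host, nbytes in outside.most_common():
        print(f"  unexpected peer {host}: {nbytes} bytes")
```

The point is the second list, not the percentage: the small, steady trickle to a host nobody mentioned is usually where the “unknown data” sat.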
Tags: 2009 Data Breach Report, Computer Crime, Cybercrime, Data Breach Report, Data Breaches, Data Compromise, forensics, Information Security
Posted in 2009 Data Breach Report | No Comments »
Tuesday, April 14th, 2009
The Time Span of Breach Events section is particularly interesting to me because there is a significant applicability of this sort of information to threat, control, and risk modeling/analysis (I think time-framing is a critical element that many models tend to overlook or minimize the importance of).
So let’s take a quick look at Time Span of Breach Events and what we might do with this information. We’ve broken Time Span of Breach Events into what might be called the four stages of an attack (rather than re-hash their definitions here, I’ll refer you to pp. 36-37 of the report). They are:
- Pre-Attack Research
- Point of Entry to Compromise
- Compromise to Discovery
- Discovery to Containment
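The time framing the post argues for, as an added example in Python that is not part of the report: each constructed case carries the timestamps an investigation typically recovers for the four stages above (the start of pre-attack research is often unknown, so it is optional), and the script turns them into per-stage durations and a per-stage distribution across time frames. The bucket labels follow the report’s minutes/hours/days/weeks/months/years frames; the exact boundaries used here are an assumption.

```python
"""Time-frame a breach caseload along the four stages listed above.

Added example; not code from the report.  Each constructed case carries the
timestamps an investigation typically recovers (research start is usually
unknown, so it is optional).  The bucket labels follow the report's time
frames; the boundaries used here are an assumption for illustration.
"""
from collections import Counter
from datetime import datetime

# (stage name, start key, end key) in the order the post lists them.
STAGES = [
    ("pre-attack research", "research_start", "entry"),
    ("point of entry to compromise", "entry", "compromise"),
    ("compromise to discovery", "compromise", "discovery"),
    ("discovery to containment", "discovery", "containment"),
]

# Upper bound in seconds for each bucket; anything longer is "years".
BUCKETS = [
    ("minutes", 60 * 60),
    ("hours", 24 * 60 * 60),
    ("days", 7 * 24 * 60 * 60),
    ("weeks", 30 * 24 * 60 * 60),
    ("months", 365 * 24 * 60 * 60),
]

# Constructed caseload.
CASES = [
    {   # attacker moved fast; the victim found out a quarter later
        "entry": "2008-03-01 02:00",
        "compromise": "2008-03-01 02:20",
        "discovery": "2008-06-15 09:00",
        "containment": "2008-06-20 17:00",
    },
    {   # reconnaissance visible in logs, slower entry, quick containment
        "research_start": "2008-01-05 00:00",
        "entry": "2008-01-20 00:00",
        "compromise": "2008-01-21 08:00",
        "discovery": "2008-02-05 12:00",
        "containment": "2008-02-05 18:00",
    },
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def bucket(seconds):
    """Map a duration in seconds to the report-style time frame label."""
    for label, limit in BUCKETS:
        if seconds < limit:
            return label
    return "years"


def stage_durations(case):
    """Seconds spent in each stage; None where a timestamp is missing.

    Raises ValueError if a stage runs backwards, which in practice means a
    clock or data-entry problem that must be fixed before the numbers are
    trusted.
    """
    out = {}
    for name, start_key, end_key in STAGES:
        start, end = case.get(start_key), case.get(end_key)
        if start is None or end is None:
            out[name] = None
            continue
        secs = (parse_ts(end) - parse_ts(start)).total_seconds()
        if secs < 0:
            raise ValueError(f"{name}: {end_key} precedes {start_key}")
        out[name] = secs
    return out


def bucket_distribution(cases):
    """Per stage, how many cases fell into each time frame (unknowns skipped)."""
    dist = {name: Counter() for name, _, _ in STAGES}
    for case in cases:
        for name, secs in stage_durations(case).items():
            if secs is not None:
                dist[name][bucket(secs)] += 1
    return dist


if __name__ == "__main__":
    for name, counts in bucket_distribution(CASES).items():
        print(f"{name:30s} {dict(counts)}")
```

Run over a real caseload, the “compromise to discovery” row is the one to put next to a proposed detective control: a control that alerts in hours buys nothing against a stage that the data says is measured in months unless it actually changes where the cases land.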
Tags: Breach Events, Compromise, Computer Crime, Containment, Cybercrime, Data Breach Report, Data Breaches, Data Compromise, Discovery, forensics, Information Security, Time Framing Breach
Posted in 2009 Data Breach Report | No Comments »
Tuesday, April 14th, 2009
Start or join a conversation about the PCI DSS and you’re going to get a broad range of opinions on the subject. It can be a sensitive topic that people tend to get very passionate about.
We were glad to be able to include a section in this year’s report and we hope you are finding the results informative and useful.
We’ve put up this blog post for your opinions on the data and questions concerning the data. You might also want to check out what others have been writing about the PCI information in the DBIR. A couple that I enjoyed:
- Anton Chuvakin on his blog
- Martin McKeay (of the excellent Network Security Podcast fame) on his blog
Tags: compliance, Computer Crime, Cybercrime, Data Breach Report, Data Breaches, Data Compromise, forensics, Governance, Information Security, payment card industry, payment cards, PCI, PCI 09DBIR, PCI DSS, regulations
Posted in 2009 Data Breach Report | No Comments »
Tuesday, April 14th, 2009
By Chris Porter
Take care of the low hanging fruit! That seems to be the concluding mantra of the analysis of over 600 cases from 2004-2008.
At the conclusion of the original DBIR, we made a number of recommendations based on the findings from the 2004-2007 breach investigations. All of these recommendations are still pertinent to the 2008 caseload, and we have kept an abbreviated version in this year’s report. 2008 Recommendations can be found on pages 26-27 of the 2008 DBIR.
In addition to these “oldies but goodies,” we offer the following new or expanded recommendations based on our analysis of 2008 data. None are revolutionary but they are based on the failings of many organizations. It’s often the ordinary that we neglect (to our harm). Looking back on years of data, we’ve found that the simple things, done consistently and comprehensively, are very effective at keeping companies out of the headlines. Below are the recommendations from the 2009 Data Breach Investigations Report:
Tags: Computer Crime, Cybercrime, Data Breach Report, Data Breaches, Data Compromise, forensics, Information Security
Posted in 2009 Data Breach Report | 3 Comments »
Monday, April 6th, 2009
I’ve been reading, with no small amount of interest, about the congressional hearings surrounding the Payment Card Industry Data Security Standard (PCI DSS) that took place on March 30th. Over the last six months, various incidents and data breaches have renewed discussion about the Payment Card Industry’s Security Standards Council and the value of PCI DSS. It all came to a head on Tuesday in various testimonies given to the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology (or ‘SETCAST’ – see http://www.homeland.house.gov/hearings/index.asp?ID=185). I thought I’d take the opportunity to write my first blog post for Verizon Business to discuss why I think the PCI DSS is just fine.
Tags: certification, compliance, Information Security, PCI, PCI DSS, risk, risk management
Posted in Analysis | 8 Comments »
Thursday, March 26th, 2009
Verizon Business customers, and security professionals generally, should resist succumbing to a herd mentality and fear of the unknown surrounding the Conficker worm. In most respects, Conficker (a.k.a. Downadup or Kido) is just another piece of crimeware threatening Windows computers. The known risks it represents are minimal; so far, versions A and B simply spread and version C is presently dormant. They impact the integrity of infected systems but the costs are limited to disinfection. Our defenses are set and we are alert for significant changes in the risk environment if they come, but risk has changed little at this time regardless of the apparent desire of the technical press and the blogosphere to indicate otherwise.
Conficker is not generating spam revenue for the outlaws, nor is it exporting data from infected systems or performing any of the myriad other hostile activities current crimeware usually exhibits. Infected systems are under the control of a criminal and could begin executing more criminal instructions. On April 1st, 2009, version C is expected to begin listening for instructions from its master(s) using a new Command and Control (C&C) method.
Tags: anti-virus, antivirus, Computer Attacks, Computer Crime, Crimeware, Hype, Information Security, InfoSec, Malware, Threat
Posted in Analysis | 4 Comments »
Monday, March 23rd, 2009
It was easy to find fault with the coverage and hacker worship that accompanied a recent exploit-writing contest held at a security conference, but it was tough to decide on a title for this post. A few came to mind, such as the following:
- News flash: Computer users can hurt themselves!
- Warning: Hackers can pwn boxes to which they have physical access!
- Amazing! Computers can do things quickly!
Two individuals are receiving accolades because they wrote code that exploits a very old attack vector and received laptop computers as a reward. The code is new but the story is old.
Tags: browser exploit, browser security, firefox security, hack, hacker worship, Hype, ie8 security, Information Security, InfoSec, pwn2own, safari security, sensationalism
Posted in Analysis | No Comments »
Thursday, March 19th, 2009
So rumors abound that a paper and exploit code will be published today that use a vulnerability in a processor’s caching mechanism to install code that is being called “undetectable.”
If it appears that we’re obviously not stating names and vendors, you’re right, we aren’t. At the time of writing all we’ve seen is speculation.
But let’s just take one aspect of the current hoopla: “Can something be installed on your computer and become undetectable?”
Tags: Computer Attacks, Hype, Information Security, InfoSec, risk, Threat
Posted in Analysis | 1 Comment »
Thursday, March 19th, 2009
I was reading Graham Cluley’s blog post about Jack Straw’s email account being hacked. At the end of the entry Graham has included a video describing how he comes up with a very strong password which, he says, is easy to remember. See:
http://www.sophos.com/blogs/gc/g/2009/02/24/nigerian-scammers-hack-jack-straws-email-account/
Well, after watching it I realized that we computer security folks are definitely a bunch of nerds, particularly if you think what Graham suggests is “easy” for the average person.
Tags: Information Security, InfoSec, password, reasonable control, Threat
Posted in Analysis | 4 Comments »
Friday, February 20th, 2009
By default, Internet Explorer 7 places sites in the Internet Zone, where “Protected Mode” (PM) is enabled. PM prevents IE from writing files or settings to the system without prompting the user for approval. PM is a good thing.
Sites in the Trusted Sites Zone, by default, do not have PM on. Consider it like this: if you trust a site enough to put it in the Trusted Sites Zone, why have PM on?
MS09-002 is the latest Cumulative Update for IE. In that patch, we believe Microsoft introduced a modification to the way it treats the About: page. Thus far no details can be found other than what is contained in their Knowledge Base article 967941, so our interpretation may not be strictly accurate.
Tags: Information Security, Microsoft Security Bulletins, MS09-002, Patching, Vulnerabilities
Posted in Analysis, Microsoft Patch Briefing | 1 Comment »
Wednesday, February 18th, 2009
If you’re thinking “What is the population of the United States near the turn of the millennium?” your collection of trivial knowledge is truly impressive and I wouldn’t want to oppose you in Final Jeopardy. In this case, however, you’d have the wrong answer…er, question. The question we’re looking for here is “How many records were compromised among breaches investigated by Verizon Business in 2008?”.
Yes, you read that correctly. I’m as flabbergasted as you are. We knew the number was big when we recently started combing through last year’s statistics in preparation for the upcoming 2009 Data Breach Investigations Report (DBIR), but I don’t think we quite knew it was THAT big. To put this number in perspective, that means 9 records were compromised for every second that ticked by in 2008 – and that’s just among the cases Verizon Business investigated! To put that in further perspective, you may remember that in the 2008 DBIR we reported a figure of 230 million records from cases we worked between 2004 and 2007.
What happened? We’re currently up to our data-loving eyeballs trying to put together an answer to that question. We will have it to you on April 15 in the form of the 2009 Data Breach Investigations Report…so stay tuned.
Tags: Data Breach, Data Breach Report, Information Security, statistics
Posted in 2009 Data Breach Report, Studies & Whitepapers | No Comments »
Monday, January 12th, 2009
An interesting question went out to one of my favorite mailing lists a few days ago (SecurityMetrics.org) regarding a definition for “effectiveness”. It’s one of those words that we in the security profession use constantly but there seem to be differing opinions on what qualities a control (or group of controls) must have in order to be ‘effective’. For instance, does it need to be foolproof? Prevent at least 90% of attacks? Provide more value than it costs? Satisfy its purchasers? Make auditors happy? Something else?
After thinking over it a bit, I offered up the following definition to the group:
“If it does what it’s supposed to, to the degree it’s supposed to, it’s effective (no matter how much risk, or what % of attacks, etc it reduces). If it does that for a cost that is low relative to its effectiveness, it’s efficient. At the point where the cost of increasing effectiveness exceeds the incremental benefit of doing so, it’s optimal.”
I know this isn’t a new question nor do I feel I’ve offered up some novel, ultra-insightful definition. I’d simply like to know what other folks out there think. Agree / Disagree? Have something better?
Tags: controls, Information Security
Posted in Analysis | 9 Comments »
Wednesday, January 7th, 2009
A number of organizations take the end of the year as an opportunity to publish predictions about what will happen in the security space during the subsequent year. The RISK Team engages in that exercise every Thursday as part of our weekly Risk call, during which we analyze emerging threats and vulnerabilities. So instead of generating a new list, we’ll share one that was refined over the course of 50 weekly meetings. In addition, we’ll share our predictions from the prior five years.
Tags: ActiveX, barnacleware, cost, etailers, hoaxes, Information Security, InfoSec, Malware, MS06-040, MS08-067, PII, Predictions, risk, Threat, Vulnerability
Posted in Analysis | No Comments »
Wednesday, December 31st, 2008
Bottom line up front: Risk has not changed significantly as a result of research into rogue Certificate Authority attacks. This is a significant attack on an obsolete hash algorithm, but there is no known threat, and countermeasures are already taking place to reduce and possibly eliminate the potential that a threat actor will succeed using this attack.
There are numerous explanations of the technical vulnerability announced Tuesday, December 30, 2008 at the Chaos Communications Congress in Berlin. Brian Krebs at the Washington Post has done his customary superb job of making this understandable to the average Internet user. Professor Ed Felten at Princeton University crafted a version for those security professionals not normally earlobe-deep in cryptography and PKI. And Professors Gene Spafford at Purdue University and Steve Bellovin at Columbia University each have perspectives beyond the technical to explain how this happened and what information professionals can and should do now. They explain how this problem has been stalking us since 1996 and how we hit the snooze alarm then, in 2004, 2005, and last year.
Tags: Certificate Authority, cryptography, hash algorithm, Information Security, InfoSec, MD5
Posted in Analysis | 4 Comments »
Wednesday, December 17th, 2008
by Dave Kennedy and Russ Cooper
I just checked, and so far not one member of the Verizon Business RISK Team has moved into their apocalyptic redoubts over the latest vulnerability in Internet Explorer (IE). Our assessment is that this latest vulnerability isn’t very different from many of the IE vulnerabilities we’ve seen in the past. IE has historically been a popular target for criminals, and we don’t doubt some are using/will use this latest vulnerability to take over users’ systems. We assess the threat volume as small, with locations isolated, and believe that several mitigations are available to reduce overall risk.
Tags: Information Security, Microsoft Security Bulletins, MS08-078, risk, Vulnerabilities
Posted in Analysis | 2 Comments »